======================================
Sat, 04 Jun 2016 - Debian 8.5 released
======================================

=========================================================================
[Date: Sat, 04 Jun 2016 12:26:37 +0000] [ftpmaster: Archive Administrator]
Removed the following packages from stable:

libreoffice-zotero-integration | 4.0.22-1 | all
xul-ext-zotero                 | 4.0.22-1 | all
zotero-standalone              | 4.0.22-1 | all
zotero-standalone-build        | 4.0.22-1 | source
Closed bugs: 821343

------------------- Reason -------------------
RoQA; unusable in jessie
----------------------------------------------
=========================================================================

=========================================================================
[Date: Sat, 04 Jun 2016 12:28:01 +0000] [ftpmaster: Archive Administrator]
Removed the following packages from stable:

lyz         | 2.1.5-3-g895ff3a-1 | source
xul-ext-lyz | 2.1.5-3-g895ff3a-1 | all
Closed bugs: 824345

------------------- Reason -------------------
RoQA; broken, dependency zotero-standalone-build removed
----------------------------------------------
=========================================================================

=========================================================================
[Date: Sat, 04 Jun 2016 12:29:15 +0000] [ftpmaster: Archive Administrator]
Removed the following packages from stable:

mediawiki-extensions-math | 2:1.0+git20120528-8 | all
mediawiki-math            | 2:1.0+git20120528-8 | source, amd64, arm64, armel, armhf, i386, mips, mipsel, powerpc, ppc64el, s390x
mediawiki-math-texvc      | 2:1.0+git20120528-8 | amd64, arm64, armel, armhf, i386, mips, mipsel, powerpc, ppc64el, s390x
Closed bugs: 825308

------------------- Reason -------------------
RoST; depends on mediawiki, to be removed
----------------------------------------------
=========================================================================

=========================================================================
[Date: Sat, 04 Jun 2016 12:30:08 +0000] [ftpmaster: Archive Administrator]
Removed the following packages from stable:

mediawiki         | 1:1.19.20+dfsg-2.3 | source, all
mediawiki-classes | 1:1.19.20+dfsg-2.3 | all
Closed bugs: 825127

------------------- Reason -------------------
RoST; unsupported
----------------------------------------------
=========================================================================

=========================================================================
[Date: Sat, 04 Jun 2016 12:50:40 +0000] [ftpmaster: Archive Administrator]
Removed the following packages from stable:

fusionforge-plugin-mediawiki | 5.3.2+20141104-3+deb8u1 | all

------------------- Reason -------------------
[auto-cruft] no longer built from source
----------------------------------------------
=========================================================================

=========================================================================
[Date: Sat, 04 Jun 2016 12:53:12 +0000] [ftpmaster: Archive Administrator]
Removed the following packages from stable:

cyrus-caldav | 2.4.17+caldav~beta10-18 | amd64, arm64, armel, armhf, i386, mips, mipsel, powerpc, ppc64el, s390x

------------------- Reason -------------------
[auto-cruft] NBS (no longer built by cyrus-imapd-2.4)
----------------------------------------------
=========================================================================

=========================================================================
[Date: Sat, 04 Jun 2016 13:01:16 +0000] [ftpmaster: Archive Administrator]
Removed the following packages from stable:

cyrus-caldav-2.4 | 2.4.17+caldav~beta10-18 | all

------------------- Reason -------------------
[auto-cruft] no longer built from source
----------------------------------------------
=========================================================================

=========================================================================
[Date: Sat, 04 Jun 2016 13:06:52 +0000] [ftpmaster: Archive Administrator]
Removed the following packages from stable:

pepperflashplugin-nonfree | 1.8.1 | i386

------------------- Reason -------------------
RoQA; outdated crap
----------------------------------------------
=========================================================================

atheme-services (6.0.11-2+deb8u1) jessie-security; urgency=high
 .
  * add patch to fix CVE-2016-4478

autofs (5.0.8-2+deb8u1) jessie; urgency=medium
 .
  * Non-maintainer upload.
  * Remove macro debugging prints from macro_setenv (Closes: #755019)

bareos (14.2.1+20141017gitc6c5b56-3+deb8u2) jessie; urgency=medium
 .
  * Fix GnuTLS backend initialization. (Closes: #819807)
    - Backport upstream commits in d/patches/fix-tls-backend-initalization
  * Add autopkgtests for TLS.
  * Add breaks-testbed to all tests.
  * Fix TLS negotiation for passive filedaemons.
    - Backport upstream commit in d/patches/fix-tls-passive-fds

base-files (8+deb8u5) stable; urgency=low
 .
  * Changed /etc/debian_version to 8.5, for Debian 8.5 point release.

botan1.10 (1.10.8-2+deb8u1) jessie-security; urgency=high
 .
  * Non-maintainer upload.
  * CVE-2015-5726: Fix crash in BER decoder.
  * CVE-2015-5727: Fix excess memory allocation in BER decoder.
  * CVE-2015-7827: Fix PKCS #1 v1.5 decoding was not constant time.
  * CVE-2016-2194: Fix infinite loop in modular square root algorithm.
  * CVE-2016-2195: Fix Heap overflow on invalid ECC point.
  * CVE-2016-2849: Use constant time modular inverse algorithm to avoid
    possible side channel attack against ECDSA.

cgit (0.10.2.git2.0.1-3+deb8u1) jessie-security; urgency=high
 .
  * Non-maintainer upload by the Security Team.
  * CVE-2016-1899: Reflected XSS and header injection in mimetype query
    string (Closes: #812411)
  * CVE-2016-1900: Stored cross site scripting and header injection in
    filename parameter (Closes: #812411)
  * CVE-2016-1901: Integer overflow resulting in buffer overflow
    (Closes: #812411)
  * filters: apply HTML escaping. Addresses cross-site scripting
    vulnerability via the txt2html filter.
chromium-browser (50.0.2661.94-1~deb8u1) jessie-security; urgency=medium
 .
  * New upstream security release:
    - CVE-2016-1660: Out-of-bounds write in Blink. Credit to Atte Kettunen.
    - CVE-2016-1661: Memory corruption in cross-process frames. Credit to
      Wadih Matar.
    - CVE-2016-1662: Use-after-free in extensions. Credit to Rob Wu.
    - CVE-2016-1663: Use-after-free in Blink's V8 bindings. Credit to
      anonymous.
    - CVE-2016-1664: Address bar spoofing. Credit to Wadih Matar.
    - CVE-2016-1665: Information leak in V8. Credit to gksgudtjr456.
    - CVE-2016-1666: Various fixes from internal audits, fuzzing and other
      initiatives.

chromium-browser (50.0.2661.75-2) unstable; urgency=medium
 .
  * Fix problem with linking to ffmpeg (closes: #821154).
    - Thanks to Sebastian Ramacher.

chromium-browser (50.0.2661.75-1) unstable; urgency=medium
 .
  * New upstream stable release:
    - CVE-2016-1652: Universal XSS in extension bindings. Credit to anonymous.
    - CVE-2016-1653: Out-of-bounds write in V8. Credit to Choongwoo Han.
    - CVE-2016-1651: Out-of-bounds read in Pdfium JPEG2000 decoding.
    - CVE-2016-1654: Uninitialized memory read in media. Credit to Atte
      Kettunen.
    - CVE-2016-1655: Use-after-free related to extensions. Credit to Rob Wu.
    - CVE-2016-1657: Address bar spoofing. Credit to Luan Herrera.
    - CVE-2016-1658: Potential leak of sensitive information to malicious
      extensions. Credit to Antonio Sanso.
    - CVE-2015-1659: Various fixes from internal audits, fuzzing and other
      initiatives.

chromium-browser (50.0.2661.75-1~deb8u1) jessie-security; urgency=medium
 .
  * New upstream stable release:
    - CVE-2016-1652: Universal XSS in extension bindings. Credit to anonymous.
    - CVE-2016-1653: Out-of-bounds write in V8. Credit to Choongwoo Han.
    - CVE-2016-1651: Out-of-bounds read in Pdfium JPEG2000 decoding.
    - CVE-2016-1654: Uninitialized memory read in media. Credit to Atte
      Kettunen.
    - CVE-2016-1655: Use-after-free related to extensions. Credit to Rob Wu.
    - CVE-2016-1657: Address bar spoofing. Credit to Luan Herrera.
    - CVE-2016-1658: Potential leak of sensitive information to malicious
      extensions. Credit to Antonio Sanso.
    - CVE-2015-1659: Various fixes from internal audits, fuzzing and other
      initiatives.

chromium-browser (49.0.2623.108-2) experimental; urgency=medium
 .
  * Build packages for armhf (closes: #799939).

chromium-browser (49.0.2623.108-1) unstable; urgency=medium
 .
  * New upstream security release:
    - CVE-2016-1646: Out-of-bounds read in V8. Credit to Wen Xu.
    - CVE-2016-1647: Use-after-free in Navigation. Credit to anonymous.
    - CVE-2016-1648: Use-after-free in Extensions. Credit to anonymous.
    - CVE-2016-1649: Buffer overflow in libANGLE. Credit to lokihardt.
    - CVE-2016-1650: Various fixes from internal audits, fuzzing and other
      initiatives.

chrony (1.30-2+deb8u2) jessie; urgency=medium
 .
  * Fix CVE-2016-1567: Restrict authentication of server/peer to specified
    key. (Closes: #812923)
 .
  * debian/postrm:
    - Remove /var/lib/chrony on purge only. (Closes: #568492)
 .
  * debian/logrotate:
    - Rework postrotate script. (Closes: #763542)

clamav (0.99.2+dfsg-0+deb8u1) stable; urgency=medium
 .
  * Import new Upstream.
  * Drop AllowSupplementaryGroups option which is default now
    (Closes: #822444).
  * Let the LSB init script have more consistent output. Patch by Guillem
    Jover (Closes: #823074).
  * Ensure the users of PRIVATE symbols (clamd + freshclam) do not fall
    behind an upstream version (Closes: #824485).
  * also remove bytecode.cld on purge

clamav (0.99.1+dfsg-1) unstable; urgency=medium
 .
  [ Scott Kitterman ]
  * Update version guards for pid file checks in clamav-daemon and
    clamav-freshclam to account for squeeze-lts upload that did not include
    the related change
  * Bump standards version to 3.9.7 without further change
  * Bump debhelper minimum version requirement to 9 to match compat
  * Drop squeeze related work-arounds now that squeeze-lts is no longer
    supported
    - Strip llvm from the upstream tarball in Files-Excluded to make it more
      compact (system llvm is always used now)
    - Clean up debian/rules by removing squeeze specific configuration and
      work arounds
 .
  [ Adriano Rafael Gomes ]
  * Brazilian Portuguese debconf templates translation (Closes: #816956).
 .
  [ Sebastian Andrzej Siewior ]
  * Import new upstream
  * Drop patches applied upstream:
    - add-LLVM-3.6-support.patch
    - libclamav-yara-avoid-unaliged-access-to-64bit-variab.patch
  * add new clamd.conf options.
  * update symbol version for cl_retflevel due to CL_FLEVEL change.
  * use a https:// prefix in VCS-* links and for the homepage.
  * use "hardening=+all" for building.
  * fixup typos in copyright file
  * exclude .zip files from dh_strip_nondeterminism because it currently
    breaks them. This `repairs' the .zip files in clamav-testfiles.
  * Update pid checks in clamav-daemon and clamav-freshclam to match lower
    than 0.99 version (to catch the upgrade path).
  * Apply malloc() check, from clamav's bugzilla #11524, #11526, #11529

clamav (0.99+dfsg-2) unstable; urgency=medium
 .
  * Use compat 9 and drop clamav-dbg in favour of dbgsym.
  * use libtfm-dev instead of in-tree copy and drop all tfm related patches.
  * Add libclamav-yara-avoid-unaliged-access-to-64bit-variab.patch to get the
    testsuite to pass on sparc. It also seems to avoid invalid loads on
    ARMv5 cpus.

clamav (0.99+dfsg-1) unstable; urgency=medium
 .
  * Import final release of 0.99
  * suggest libclamunrar7 instead of libclamunrar6

cyrus-imapd-2.4 (2.4.17+nocaldav-0~deb8u1) jessie; urgency=medium
 .
  * [CVE-2015-8077,CVE-2015-8077,CVE-2015-8078]: fix urlfetch range handling
    flaw in Cyrus IMAP
  * Remove the experimental caldav support
  * Replication got unbroken with caldav support removal (Closes: #799724)
  * Always disable SSLv3 and TLS compression
  * Workaround subshell losing variables in while loop (Closes: #803976)
  * Don't fail when database type disappears, just warn the user
    (Closes: #803965)

debian-edu (1.812+deb8u1) jessie; urgency=medium
 .
  [ Mike Gabriel ]
  * Add libdns-mdns to tasks/desktop-other and tasks/main-server (together
    with avahi-daemon) to make CUPS browsing really functional. This makes
    automatic printer discovery via CUPS browsing work on multicast-enabled
    networks. (Closes: #791995). Also add avahi-discover, mdns-scan,
    avahi-autoipd and kdnssd to tasks/main-server as suggested packages.

debian-edu-config (1.818+deb8u1) jessie; urgency=low
 .
  [ Petter Reinholdtsen ]
  * Translation updates:
    - Updated Brazilian Portuguese translation for debconf questions
      (Closes: #785467). Translated by Adriano Rafael Gomes.
 .
  [ Mike Gabriel ]
  * Add quotes around DNs when invoking kadmin.local in gosa-create and
    gosa-create-host. (Closes: #792042).
  * debian-edu-fsautoresize: Always use mapper names instead of kernel names
    when detecting supported mount points. (Closes: #800651). Thanks to
    Wolfgang Schweer and Giorgio Pioda.
  * gosa-sync: Test if a given user account actually is a Kerberos account.
    If not, don't try to set the Kerberos password for this account.
    (Closes: #798435).
  * gosa-sync: Fix escaping double quotes and semicolons. (Closes: #794000).
  * exim4 mainserver configuration: Allow Debian Edu clients on the default
    Debian Edu network to directly send mails to the main server (by
    whitelisting the 10./8 network). This fixes console mailing and system
    mails on Debian Edu clients (Closes: #794602).
  * Set configVersion="Managed-by-Debian-Edu" in gosa.conf. (Closes: #794189).
    This requires gosa (>= 2.7.4+reloaded2-1+deb8u2~) to be installed on the
    main server.
  * wpad.dat: Use DIRECT connects for URL hosts being in network 127./8 and
    for hosts being in the .local domain. (Closes: #803911).
  * GOsa: Add POSTLOCK and POSTUNLOCK hooks for GOsa password locking. These
    hook scripts (gosa-lock-user, gosa-unlock-user) take care of locking/
    unlocking the Kerberos part of user accounts. (Closes: #804207).
  * Adapt to a code injection prevention fix in GOsa (starting with Debian
    package gosa 2.7.4+reloaded2-1+deb8u2): Don't mention the sambaHashHook
    parameter in gosa.conf anymore (as hashed passwords now have to be
    base64 encoded). Already existing gosa.conf files on deployed servers
    should drop the sambaHashHook from the gosa.conf file, as well, once gosa
    is updated to the above referenced GOsa version.
  * CUPS: Do hostname lookups, so https redirects are done to the FQDN of the
    CUPS server instead of to its IP address. (Closes: #805402).
  * Improve gosa-lock-user, gosa-unlock-user: When logging success/failure,
    differentiate between non-existent and non-kerberized accounts.
  * Don't create home dir and Kerberos principal for GOsa user template
    account. (Closes: #815040).
 .
  [ Wolfgang Schweer ]
  * Adjust tools/subnet-change for squid3. (Closes: #800654)
  * Fix XML syntax error in gosa.conf. (Closes: #820551).
  * Add script sbin/debian-edu-nscd-netgroup-cache (workaround for #791562).

debian-edu-doc (1.6~20160528+deb8u1) jessie; urgency=medium
 .
  [ Holger Levsen ]
  * Update Debian Edu Jessie and Wheezy manuals from the wiki.
  * Update debian/copyright from the wiki using the update-copyright target.
 .
  [ Wolfgang Schweer ]
  * Adjust Danish po file to fix building the Jessie PDF manual.
 .
  [ Jessie Manual translation updates ]
  * Norwegian Bokmål: Ingrid Yrvin.
  * German: Wolfgang Schweer.
  * Dutch: Frans Spiesschaert.
  * Italian: Claudio Carboncini.
  * Danish: Joe Hansen.
  * French: Cédric Boutillier.
 .
  [ Wheezy Manual translation updates ]
  * Norwegian Bokmål: Ingrid Yrvin.

debian-edu-doc (1.6~20150704~8+edu0) unstable; urgency=medium
 .
  [ Holger Levsen ]
  * Update Debian Edu Jessie and Wheezy manuals from the wiki.
 .
  [ Jessie Manual translation updates ]
  * German: Wolfgang Schweer.
  * Italian: Claudio Carboncini.
  * Dutch: Frans Spiesschaert.
  * Norwegian Bokmål: Petter Reinholdtsen, Ingrid Yrvin.
  * Danish: Joe Dalton.
  * French: Cédric Boutillier.
 .
  [ Wheezy Manual translation updates ]
  * German: Wolfgang Schweer.
  * Dutch: Frans Spiesschaert.
  * Norwegian Bokmål: Petter Reinholdtsen, Ingrid Yrvin.
 .
  [ Rosegarden Manual updates ]
  * Norwegian Bokmål: Ingrid Yrvin.
 .
  [ Audacity Manual updates ]
  * Norwegian Bokmål: Ingrid Yrvin.

debian-edu-install (1.821+deb8u1) jessie; urgency=medium
 .
  * Update version number to 8+edu0 in preparation of our first Jessie
    release.

debian-installer (20150422+deb8u4) jessie; urgency=medium
 .
  [ Steve McIntyre ]
  * Add sata-modules for arm64 - some machines do have SATA CD

debian-installer-netboot-images (20150422+deb8u4) jessie; urgency=medium
 .
  [ Didier Raboud ]
  * Swap the d-i Built-Using with the installer fetching, to fail on version
    mismatches earlier (Closes: #819586).
 .
  [ Cyril Brulebois ]
  * Update to 20150422+deb8u4 images, from jessie-proposed-updates

didiwiki (0.5-11+deb8u2) jessie-security; urgency=high
 .
  * debian/patches:
    - 91_check_page_path.patch: updated patch to correct restrictive
      behavior, rendering pages beginning with non alpha-numeric UTF-8
      characters, such as "à", inaccessible. Thank you Sergio Gelato for
      your report and help! (Closes: #818708)

dpkg (1.17.27) jessie; urgency=medium
 .
  [ Guillem Jover ]
  * Add more Conflicts for removed packages expecting dpkg to ship
    install-info. Namely ada-mode and octave2.1-info. Closes: #783657
    Thanks to Andreas Beckmann.
  * Remove trailing space before handling blank line dot-separator in
    Dpkg::Control::HashCore. Regression introduced in dpkg 1.17.25.
    Reported by Jakub Wilk. Closes: #789580
  * Only use the SHELL environment variable for interactive shells.
    Closes: #788819
  * Move tar option --no-recursion before -T in dpkg-deb. With tar > 1.28
    the --no-recursion option is now positional, and needs to be passed
    before the -T option, otherwise the tarball will end up with duplicated
    entries. Thanks to Richard Purdie. Closes: #807940
  * Initialize Config-Version also for packages previously in
    triggers-pending state, otherwise we end up not passing the previously
    configured version to «postinst configure», which might consider this a
    first install instead of an upgrade. Closes: #801156
  * Fix memory leak in dpkg infodb format upgrade logic.
  * Fix physical file offset comparison in dpkg. Closes: #808912
    Thanks to Yuri Gribov.
  * Add kfreebsd-armhf support to ostable and triplettable. Closes: #796283
    Thanks to Steven Chamberlain.
  * Add NIOS2 support to cputable. Thanks to Marek Vasut.
  * Build system:
    - Set PERL5LIB globally for the test suite to the local modules
      directory, to avoid using the system modules. Regression introduced
      in dpkg 1.17.8. Reported by Jérémy Bobbio. Closes: #801329
    - When sys_siglist is defined in the system, try to use NSIG as we
      cannot compute the array size with sizeof(). If NSIG is missing
      fallback to 32 items. Prompted by Igor Pashev.
 .
  [ Updated scripts translations ]
  * German (Helge Kreutzmann). (Various fixes)
 .
  [ Updated manpages translations ]
  * German (Helge Kreutzmann). (Various fixes)

enigmail (2:1.8.2-4~deb8u1) jessie-security; urgency=high
 .
  * Upload requested by security team.

enigmail (2:1.8.2-4~deb7u1) wheezy-security; urgency=high
 .
  * Upload requested by security team.

enigmail (2:1.8.2-3) unstable; urgency=medium
 .
  * Reproducibility:
    - make build date use $SOURCE_DATE_EPOCH when available
    - sort keys for perl-generated .dtd files

enigmail (2:1.8.2-2) unstable; urgency=medium
 .
  * upload to unstable.

enigmail (2:1.8.2-1) experimental; urgency=medium
 .
  * New upstream release.
  * More strongly encourage the use of gnupg2 in Depends and Recommends;
    enigmail 1.9 will make gnupg 2.x a requirement.

enigmail (2:1.8.2~beta3-1) experimental; urgency=medium
 .
  * New upstream beta release.

enigmail (2:1.8.1-1) experimental; urgency=medium
 .
  * New upstream release.

enigmail (2:1.8-1) experimental; urgency=medium
 .
  * New Upstream Release.
  * move from autotools-dev to dh-autoreconf

evince (3.14.1-2+deb8u1) stable; urgency=medium
 .
  [ Jason Crain ]
  * Add reload-page-count.patch. Fix crash when document has pages removed
    and is reloaded. Update the end page index when the document is
    reloaded. (Closes: #805276)
  * Add check-load-job-success.patch. Fix crash in recent documents view
    when a recent document fails to load. Check whether a document's load
    job failed before creating its thumbnail. (Closes: #762719)

expat (2.1.0-6+deb8u2) jessie-security; urgency=high
 .
  * Avoid relying on undefined behavior in CVE-2015-1283 fix.
  * Apply upstream patch to fix the root cause of CVE-2016-0718 and
    CVE-2016-0719 vulnerabilities.

ext4magic (0.3.2-2+deb8u1) stable; urgency=medium
 .
  * debian/patches/fix-recover-examine.patch: added as a temporary work
    around to fix an issue which makes it impossible to recover or examine
    Ext4 filesystems. Thanks to Roberto Maar, the ext4magic upstream.
    (Closes: #802089)

fusionforge (5.3.2+20141104-3+deb8u2) jessie; urgency=medium
 .
  * Disable Mediawiki plugin, since Mediawiki itself is going out of support
    in Jessie.

gitolite3 (3.6.1-2+deb8u1) stable; urgency=medium
 .
  * Bug fix: "Git-annex-shell not working", thanks to risca
    (Closes: #819941). Enable repository paths without '~/'. Cherry picked
    from upstream commit, 276cf761de0522a19b0312f4466fc497a2a38b5f

glusterfs (3.5.2-2+deb8u2) jessie-proposed-updates; urgency=medium
 .
  * Add missing glusterd hook script to glusterfs-server package.
    Closes: #824823

gosa (2.7.4+reloaded2-1+deb8u2) jessie; urgency=medium
 .
  [ Mike Gabriel ]
  * debian/patches:
    + Add 1009_fix-insertDhcp-icon-in-dhcp-section-overview.patch. Fix label
      stripping in GOsa²'s image() function. This fixes displaying the
      insertDhcp* icon in the DHCP service plugin. (Closes: #794117).
    + Add 2009_allow-Debian-blends-to-override-gosa-conf.patch. Allow Debian
      blends to provide their own version of gosa.conf and not get bugged by
      GOsa's notification message on gosa.conf template changes. Debian
      blends using GOsa (e.g., Edu, LAN) must handle gosa.conf updates
      themselves. (Closes: #794118).
    + Add 0004_fix-get-post.patch. Fix transferral of POST variables.
    + Add 1010_fix-entry-removal-in-mail-plugin.patch. Fix entry deletion of
      items in "alternatives addresses" and "forward messages to non-group
      members" for group mail objects. (LP:#1307483).
    + Add 0005_fix-password-expiry-status.patch. Fix expiration status for
      passwords if shadowMax is used in POSIX/shadow accounts.
    + Add 1011_define-isPluginModified.patch. Fix undefined property error
      for non-defined usertags::$isPluginModified. (Closes: #794690).
    + Add 1012_allow-one-level-domains-in-email-addresses.patch. Allow
      one-level domains in email addresses (such as @intern, as used in
      Debian Edu by default). (Closes: #794738).
 .
  [ Holger Levsen ]
  * Fixup PHP syntax in 1010_fix-entry-removal-in-mail-plugin.patch. See
    #796823 for the details.
  * Cherry-picked from 2.7.4+reloaded2-6 from Mike Gabriel:
    + Add 0006_code-injection-in-samba-hash-generation.patch,
      0007_update-sambaHashHook-description.patch. Fix potential code
      injection issue in Samba hash generation. (CVE-2015-8771)
    + Update 1004_fix-typos-in-man-pages.patch due to cherry-picking
      0007_update-sambaHashHook-description.patch from upstream.

gpa (0.9.5-2+deb8u1) jessie; urgency=high
 .
  * Add patch fixing checks of dialog return values (Closes: #820342)

groovy (1.8.6-4+deb8u1) stable; urgency=high
 .
  * Fix remote execution of untrusted code and possible DoS vulnerability.
    (CVE-2015-3253) (Closes: #793397).
hexchat (2.10.1-1+deb8u1) jessie; urgency=medium
 .
  * Security Update: verify hostnames when ssl is in use
    - debian/patches/ssl_verify_hostnames.patch
    - CVE-2013-7449 (Closes: #818009)

hivex (1.3.10-2+deb8u2) jessie; urgency=medium
 .
  * Fix ruby-hivex installation (Closes: #819261)

icedove (38.8.0-1~deb8u1) stable-security; urgency=medium
 .
  [ Guido Günther ]
  * [ee8dd49] Clarify relation between icedove and the calendar extensions
    (Closes: #809017)
 .
  [ Christoph Goehre ]
  * [bac2d5b] Imported Upstream version 38.8.0
    - MFSA 2016-36 aka CVE-2016-1979
    - MFSA 2016-39 aka CVE-2016-2807, CVE-2016-2805

icedove (38.7.2-1) unstable; urgency=medium
 .
  * [397cd7a] Imported Upstream version 38.7.2

icedove (38.7.0-1) unstable; urgency=medium
 .
  [ Christoph Goehre ]
  * [cb9c003] Imported Upstream version 38.7.0
  * [7273cb9] bump up standards version to 3.9.7 (no changes needed)
 .
  [ Carsten Schoenert ]
  * [0341a8c] debian/control: switch URI for the Vcs fields to https

icedove (38.7.0-1~deb8u3) jessie; urgency=medium
 .
  * Non-maintainer upload.
  * Try to fix the build on mips: disable jit. Per the iceweasel changelog,
    only mipsel is supported.

icedove (38.7.0-1~deb8u2) jessie; urgency=medium
 .
  * Non-maintainer upload: steal arm build fixes from the firefox package.
 .
  [ Mike Hommey ]
  * media/libvpx/moz.build: Build libvpx neon code without -mthumb and
    -mfloat-abi=softfp. Closes: #795337.
  * configure.in: Build libvpx neon code with -mfloat-abi=softfp on armel.

icedove (38.7.0-1~deb8u1) stable-security; urgency=medium
 .
  * [cb9c003] Imported Upstream version 38.7.0
    - MFSA 2016-16 aka CVE-2016-1952
    - MFSA 2016-17 aka CVE-2016-1954
    - MFSA 2016-20 aka CVE-2016-1957
    - MFSA 2016-23 aka CVE-2016-1960
    - MFSA 2016-24 aka CVE-2016-1961
    - MFSA 2016-27 aka CVE-2016-1964
    - MFSA 2016-31 aka CVE-2016-1966
    - MFSA 2016-34 aka CVE-2016-1974
    - MFSA 2016-35 aka CVE-2016-1950
    - MFSA 2016-37 aka CVE-2016-1977, CVE-2016-2790, CVE-2016-2791,
      CVE-2016-2792, CVE-2016-2793, CVE-2016-2794, CVE-2016-2795,
      CVE-2016-2796, CVE-2016-2797, CVE-2016-2798, CVE-2016-2799,
      CVE-2016-2800, CVE-2016-2801, CVE-2016-2802

icedove (38.7.0-1~deb7u1) oldstable-security; urgency=medium
 .
  * [cb9c003] Imported Upstream version 38.7.0
    - MFSA 2016-16 aka CVE-2016-1952
    - MFSA 2016-17 aka CVE-2016-1954
    - MFSA 2016-20 aka CVE-2016-1957
    - MFSA 2016-23 aka CVE-2016-1960
    - MFSA 2016-24 aka CVE-2016-1961
    - MFSA 2016-27 aka CVE-2016-1964
    - MFSA 2016-31 aka CVE-2016-1966
    - MFSA 2016-34 aka CVE-2016-1974
    - MFSA 2016-35 aka CVE-2016-1950
    - MFSA 2016-37 aka CVE-2016-1977, CVE-2016-2790, CVE-2016-2791,
      CVE-2016-2792, CVE-2016-2793, CVE-2016-2794, CVE-2016-2795,
      CVE-2016-2796, CVE-2016-2797, CVE-2016-2798, CVE-2016-2799,
      CVE-2016-2800, CVE-2016-2801, CVE-2016-2802

icedove (38.6.0-1) unstable; urgency=medium
 .
  [ Guido Günther ]
  * [195730d] Clarify relation between icedove and the calendar extensions
    (Closes: #809017)
 .
  [ Christoph Goehre ]
  * [988ce5b] Imported Upstream version 38.6.0
  * [6763f6f] debian/source.filter: remove evil-licensed jshint.js
    (Closes: #813053)

icedove (38.6.0-1~deb8u1) stable-security; urgency=medium
 .
  * [988ce5b] Imported Upstream version 38.6.0
    - MFSA 2015-150 aka CVE-2015-7575
    - MFSA 2016-01 aka CVE-2016-1930
    - MFSA 2016-03 aka CVE-2016-1935
    - MFSA 2016-14 aka CVE-2016-1523

icedove (38.6.0-1~deb7u1) oldstable-security; urgency=medium
 .
  * [988ce5b] Imported Upstream version 38.6.0
    - MFSA 2015-150 aka CVE-2015-7575
    - MFSA 2016-01 aka CVE-2016-1930
    - MFSA 2016-03 aka CVE-2016-1935
    - MFSA 2016-14 aka CVE-2016-1523

icedove (38.5.0-1) unstable; urgency=medium
 .
  [ Christoph Goehre ]
  * [6d45b0b] Imported Upstream version 38.5.0
  * [316798f] debian/rules: split override_dh_install into arch and indep
    section (Closes: #806047)
 .
  [ Carsten Schoenert ]
  * [5b3cb7a] add myself to the uploaders

icedove (38.5.0-1~deb8u1) stable-security; urgency=medium
 .
  * [6d45b0b] Imported Upstream version 38.5.0
    - MFSA 2015-134 aka CVE-2015-7201
    - MFSA 2015-139 aka CVE-2015-7212
    - MFSA 2015-145 aka CVE-2015-7205
    - MFSA 2015-146 aka CVE-2015-7213
    - MFSA 2015-149 aka CVE-2015-7214

icedove (38.5.0-1~deb7u1) oldstable-security; urgency=medium
 .
  * [6d45b0b] Imported Upstream version 38.5.0
    - MFSA 2015-134 aka CVE-2015-7201
    - MFSA 2015-139 aka CVE-2015-7212
    - MFSA 2015-145 aka CVE-2015-7205
    - MFSA 2015-146 aka CVE-2015-7213
    - MFSA 2015-149 aka CVE-2015-7214

icedove (38.4.0-1) unstable; urgency=medium
 .
  [ Christoph Goehre ]
  * [754392e] Imported Upstream version 38.4.0
  * [ef4b733] debian/watch: adjust download url
 .
  [ Carsten Schoenert ]
  * [f3f5455] lintian: remove icedove.menu file due to CTTE#741573

icedove (38.4.0-1~deb8u1) stable-security; urgency=medium
 .
  * [754392e] Imported Upstream version 38.4.0
    - MFSA 2015-116 aka CVE-2015-4513
    - MFSA 2015-122 aka CVE-2015-7188
    - MFSA 2015-123 aka CVE-2015-7189
    - MFSA 2015-127 aka CVE-2015-7193
    - MFSA 2015-128 aka CVE-2015-7194
    - MFSA 2015-131 aka CVE-2015-7198, CVE-2015-7199, CVE-2015-7200
    - MFSA 2015-132 aka CVE-2015-7197
    - MFSA 2015-133 aka CVE-2015-7181, CVE-2015-7182, CVE-2015-7183

icedove (38.4.0-1~deb7u1) oldstable-security; urgency=medium
 .
  * [754392e] Imported Upstream version 38.4.0
    - MFSA 2015-116 aka CVE-2015-4513
    - MFSA 2015-122 aka CVE-2015-7188
    - MFSA 2015-123 aka CVE-2015-7189
    - MFSA 2015-127 aka CVE-2015-7193
    - MFSA 2015-128 aka CVE-2015-7194
    - MFSA 2015-131 aka CVE-2015-7198, CVE-2015-7199, CVE-2015-7200
    - MFSA 2015-132 aka CVE-2015-7197
    - MFSA 2015-133 aka CVE-2015-7181, CVE-2015-7182, CVE-2015-7183
  * [2a139f9] debian/rules: build with gcc 4.7

icedove (38.3.0-2) unstable; urgency=medium
 .
  * [c988747] Add unminified jquery and jquery-ui files with the exact
    version as used by upstream thunderbird. We don't want to use the
    minified versions mozilla ships and can't use what is currently packaged
    in Jessie or Stretch since these are too recent. (Closes: #802281)

icedove (38.3.0-1) unstable; urgency=medium
 .
  [ Carsten Schoenert ]
  * [0f8b6a4] Imported Upstream version 38.3.0
  * [566273a] debian/copyright: fixup's and update

icedove (38.3.0-1~deb8u1) stable-security; urgency=medium
 .
  [ Carsten Schoenert ]
  * [0f8b6a4] Imported Upstream version 38.3.0
  * [1c01f2a] rebuild patch queue from patch-queue branch
    added patches:
    - debian-hacks/changing-the-default-search-engine.patch
    - debian-hacks/fix-identification-of-ObjdirMismatchException.patch
    - fixes/Bug-1165654-Cleanup-how-libjpeg-turbo-assembly-build.patch
    - fixes/Bug-1168231-Fixup-to-keep-file-type.patch
    - fixes/Bug-1168231-Normalize-file-mode-in-jars.patch
    - porting/Remove-duplicate-SkDiscardableMemory_none.cpp-from-g.patch
    - reproducible/Bug-1166243-Remove-build-function-from-js-and-xpc-sh.patch
    - reproducible/Bug-1168316-Remove-build-machine-name-from-about-bui.patch
    - reproducible/Generate-sorted-libical-header-list
    - jessie-security/decrease-SQLVERSION-to-jessie-version.patch
    - porting-mips/Fix-build-error-in-MIPS-SIMD-when-compiling-with-mfp.patch
    removed patches:
    - debian-hacks/fixing-various-FTBFS-due-different-datatype-char-beh.patch
    - fixes/Include-cstdlib-in-gfx-angle-src-compiler-Types.h-fo.patch
    - iceowl/adjust-calendar-google-provider-to-Google-Calendar-A.patch
    - iceowl/get-rid-of-subdir-shim-in-gdata-provider.patch
    - porting-armel/disable-some-libopus-feature-for-ARCH-ARMv6.patch
    - porting-armhf/FTBFS-armhf-fixing-ARM-CPU-detection.patch
  * [8de7b23] Revert "debian/rules: move some gdata modules into 'shim'
    subdir"
  * [8d744ab] debian/rules: be more flexible on *.xpi files
  * [fbf3c49] d/icedove.install: mozilla-xremote-client was removed
  * [b92379b] debian/control: increase package versions
  * [8f37331] lintian: adding one more source override
  * [b52a791] lintian: adding new override for the icedove package
  * [cb23f5e] icedove branding: adopt upstream changes
  * [33712e9] debian/control: increase b-d versions
  * [9b536a7] debian/control: adding new package to Breaks field
  * [ed27ae0] mozconfig.default: adding some explicit configure options
  * [fabbf70] complete rewrite of copyright information
  * [a82b740] switching to libgstreamer1.0*
  * [a872e7b] debian/rules: setting MOZ_BUILD_DATE explicitly
  * [7f4711f] debian/copyright: more minor updates to the copyright file
  * [4288e0b] debian/rules: adding switch for no icedove-dbg build
  * [1e5040f] debian/control: icedove is now recommending iceowl-extension
  * [f76c02a] adding release related information
  * [7aae173] debian/vendor.js: adjusting WhatNew link to more dedicated URL
  * [08ef111] mozconfig.default: don't use icu from system
  * [d909565] debian/iceowl-extension.lintian-overrides: remove file
  * [7d730ac] debian/source.lintian-overrides: adding new entries
  * [8ca9fa4] debian/icedove-dev.links: adding some extra links
  * [18fd52b] debian/icedove.lintian-overrides: adding more overrides
  * [9c0a259] debian/mozconfig.default: switch to use internal libs
  * [5b0a7d6] debian/mozconfig.default: order arch in alphabetical order
  * [68b5122] debian/rules: remove more dev-libs before linking
  * [5e8c3d2] debian/copyright: fixup's and update
  * [1ae0cc6] debian/control: adjust Build-Depends due to usage of internal
    libs
  * [644e9e4] debian/source.filter: adopt filter list from master
 .
  [ Christoph Goehre ]
  * [e6dc2df] debian/NEWS: adding notes around new security changes
  * [b573ec6] add missing epoch in libnss3-dev build depends
  * [39e5656] lintian: fix spelling error in debian/README.Debian
  * [ff339ce] Add unminified jquery and jquery-ui files (Closes: #802281)
 .
  [ Dominik George ]
  * [0515ab0] debian/control: Upgrade Breaks relation to enigmail
    (Closes: #782686)

icedove (38.3.0-1~deb7u1) oldstable-security; urgency=medium
 .
  [ Carsten Schoenert ]
  * [0f8b6a4] Imported Upstream version 38.3.0
  * [911052d] rebuild patch queue from patch-queue branch
    added patches:
    - debian-hacks/changing-the-default-search-engine.patch
    - debian-hacks/fix-identification-of-ObjdirMismatchException.patch
    - fixes/Bug-1165654-Cleanup-how-libjpeg-turbo-assembly-build.patch
    - fixes/Bug-1168231-Fixup-to-keep-file-type.patch
    - fixes/Bug-1168231-Normalize-file-mode-in-jars.patch
    - p-kfree-hurd/FTBFS-hurd-adding-the-HURD-platform-to-the-configure.patch
    - porting-powerpcspe/FTBFS-powerpcspe-disable-AltiVec-instructions.patch
    - porting/Remove-duplicate-SkDiscardableMemory_none.cpp-from-g.patch
    - porting/ppc-fix-divide-page-size-in-jemalloc.patch
    - reproducible/Bug-1166243-Remove-build-function-from-js-and-xpc-sh.patch
    - reproducible/Bug-1168316-Remove-build-machine-name-from-about-bui.patch
    - reproducible/generate-sorted-output-while-header-creation.patch
    - porting-mips/Fix-build-error-in-MIPS-SIMD-when-compiling-with-mfp.patch
    modified patches:
    - debian-hacks/remove-non-free-W3C-icon-valid.png.patch
    - p-kfree-hurd/ipc-chromium-fix-if-define-for-kFreeBSD-and-Hurd.patch
    - wheezy-security/sqlite-dev-revert-version-to-3.7.13.patch
    deleted patches:
    - fixes/Include-cstdlib-in-gfx-angle-src-compiler-Types.h-fo.patch
    - iceowl/adjust-calendar-google-provider-to-Google-Calendar-A.patch
    - iceowl/get-rid-of-subdir-shim-in-gdata-provider.patch
    - porting-armel/disable-some-libopus-feature-for-ARCH-ARMv6.patch
  * [590a0df] Revert "debian/rules: move some gdata modules into 'shim'
    subdir"
  * [9b0e68b] lintian: adding one more source override
  * [f914904] lintian: adding new override for the icedove package
  * [63bd065] icedove branding: adopt upstream changes
  * [b2d897c] debian/control: adding new package to Breaks field
  * [2113754] mozconfig.default: adding some explicit configure options
  * [b1ae394] complete rewrite of copyright information
  * [98a5a00] debian/rules: setting MOZ_BUILD_DATE explicitly
  * [c1e3dae] debian/copyright: more minor updates to the copyright file
  * [bddd498] debian/rules: adding switch for no icedove-dbg build
  * [68981d0] debian/control: icedove is now recommending iceowl-extension
  * [5c9665c] adding release related information
  * [1e683cd] debian/vendor.js: adjusting WhatNew link to more dedicated URL
  * [1e449ff] mozconfig.default: don't use icu from system
  * [18160f3] debian/iceowl-extension.lintian-overrides: remove file
  * [76d32d8] debian/source.lintian-overrides: adding new entries
  * [48c6c84] debian/icedove-dev.links: adding some extra links
  * [fb1f375] debian/icedove.lintian-overrides: adding more overrides
  * [10d441d] debian/mozconfig.default: order arch in alphabetical order
  * [b600d0a] debian/copyright: fixup's and update
  * [e72dc60] debian/source.filter: adopt filter list from master
  * [96ec240] debian/rules: be more flexible on *.xpi files
 .
  [ Christoph Goehre ]
  * [f3764f5] debian/NEWS: adding notes around new security changes
  * [65d5220] debian/rules: fix icedove-dbg build switch
  * [27d8f5f] lintian: fix spelling error in debian/README.Debian
  * [64c635a] Add unminified jquery and jquery-ui files (Closes: #802281)
 .
  [ Dominik George ]
  * [bb837cd] debian/control: Upgrade Breaks relation to enigmail
    (Closes: #782686)

icedove (38.2.0-2) unstable; urgency=medium
 .
  * [8bcb08b] relax optimize to -O1 on s390x (Closes: #797551)
  * [6aa0915] debian/rules: Disable jit on mips (Closes: #797548)

icedove (38.2.0-1) unstable; urgency=medium
 .
* [d46d5f6] rebuild patch queue from patch-queue branch added patches: - porting-mips/Fix-build-error-in-MIPS-SIMD-when-compiling-with-mfp.patch icedove (38.2.0-1~stretch) stretch; urgency=medium . [ Carsten Schoenert ] * [05b245f] Imported Upstream version 38.2.0 (Closes: #796323) - MFSA 2015-59 aka CVE-2015-2724, CVE-2015-2725, CVE-2015-2726 - MFSA 2015-63 aka CVE-2015-2731 - MFSA 2015-66 aka CVE-2015-2734, CVE-2015-2735, CVE-2015-2736, CVE-2015-2737, CVE-2015-2738, CVE-2015-2739, CVE-2015-2740 - MFSA 2015-70 aka CVE-2015-4000 - MFSA 2015-71 aka CVE-2015-2721 - MFSA 2015-65 aka CVE-2015-2741 - MFSA 2015-79 aka CVE-2015-4474 * [43c8195] rebuild patch queue from patch-queue branch * [c75bdad] debian/control: increase B-D on libnss3-dev * [942bcbe] debian/iceowl-extension.lintian-overrides: remove file * [7131e4d] debian/source.lintian-overrides: adding new entries * [8882360] mozconfig.default: don't use icu from system icedove (38.1.0-1) unstable; urgency=medium . [ Carsten Schoenert ] * [3d27760] Imported Upstream version 38.1.0 (Closes: #790651) * [2cb6cd7] rebuild patch queue from patch-queue branch added patches: - fixes/Bug-1165654-Cleanup-how-libjpeg-turbo-assembly-build.patch - reproducible/Generate-sorted-libical-header-list (Closes: #794456) icedove (38.0.1-1) unstable; urgency=medium . 
[ Carsten Schoenert ] * [5acef6a] debian/gbp.conf: adopt new upstream branch * [6f88792] Imported Upstream version 38.0.1 (Closes: #358680, #472601, #634316, #691176, #751786, #777908) * [18bba9d] debian/gbp.conf: respect new git-buildpackage behaviour * [26bbdac] rebuild patch queue from patch-queue branch added patches: - debian-hacks/changing-the-default-search-engine.patch (Closes: #780595) - fixes/Bug-1168231-Fixup-to-keep-file-type.patch - fixes/Bug-1168231-Normalize-file-mode-in-jars.patch - reproducible/Bug-1166243-Remove-build-function-from-js-and-xpc-sh.patch - reproducible/Bug-1168316-Remove-build-machine-name-from-about-bui.patc deleted patches: - debian-hacks/remove-timestamps-from-c_cpp-macros-for-reproducibil.patch * [71938b9] debian/rules: setting MOZ_BUILD_DATE explicitly * [e50d708] debian/copyright: more minor updates to the copyright file * [b232895] debian/rules: adding switch for no icedove-dbg build * [bcc15aa] debian/control: icedove is now recommending iceowl-extension * [564a19e] adding release related information * [2ec0053] debian/vendor.js: adjusting WhatNew link to more dedicated URL . [ Christoph Goehre ] * [a9c25b6] lintian: fix spelling error in debian/README.Debian * [2cc2c07] debian/rules: fix icedove-dbg build switch . icedove (38.0~b5-1) experimental; urgency=medium . [ Carsten Schoenert ] * [7e3cab4] Imported Upstream version 38.0~b5 * [3edbafc] Revert "debian/control: remove build-dep on libnotify-dev" * [5e69bab] debian/control: increase b-d versions * [6e6ae36] rebuild patch queue from patch-queue branch added patches: - debian-hacks/remove-timestamps-from-c_cpp-macros-for-reproducibil.patch obsolete patches (fixed in Debian): - adopting-SQLITE3-version.patch * [ac7b760] mozconfig.default: adding some explicit configure options * [81fd6e6] complete rewrite of copyright information * [327dd45] switching to libgstreamer1.0* . [ Christoph Goehre ] * [9877ea3] lintian: add override for libpng . 
icedove (38.0~b2-1) experimental; urgency=medium . [ Carsten Schoenert ] * [b08d966] debian/source.filter: modifying file list to ignore * [88fd018] Imported Upstream version 38.0~b2 * [e9da8f8] icedove branding: adopt upstream changes * [3610daa] debian/control: increase b-d versions * [950fae7] rebuild patch queue from patch-queue branch modified patches: - system-libs/Allow-to-build-against-system-libffi.patch - porting-kfreebsd-hurd/FTBFS-hurd-fixing-unsupported-platform-Hurd.patch obsolete patches (fixed upstream): - porting/Reintroduce-pixman-code-path-removed-in-bug-1097776-.patch * [1820d7c] debian/control: adding xul-ext-compactheader to Breaks field . [ Dominik George ] * [4181126] debian/control: Upgrade Breaks relation to enigmail (Closes: #782686) . icedove (36.0~b1-2) experimental; urgency=medium . * [26c0027] rebuild patch queue from patch-queue branch added patches: - porting/Reintroduce-pixman-code-path-removed-in-bug-1097776-.patch - porting/Remove-duplicate-SkDiscardableMemory_none.cpp-from-g.patch - porting/ppc-fix-divide-page-size-in-jemalloc.patch (Closes: #780404) . icedove (36.0~b1-1) experimental; urgency=medium . 
[ Carsten Schoenert ] * [68112a3] Imported Upstream version 36.0~b1 * [3120361] rebuild patch queue from patch-queue branch obsolete patches (fixed upstream): - debian-hacks/fixing-various-FTBFS-due-different-datatype-char-beh.patch - porting-arm/FTBFS-armhf-fixing-ARM-CPU-detection.patch modified patches: - debian-hacks/Strip-version-number.patch - p-kfree-hurd/FTBFS-hurd-fixing-unsupported-platform-Hurd.patch - p-kfree-hurd/correcting-file-inclusion-for-kfreebsd.patch - p-kfree-hurd/ipc-chromium-fix-if-define-for-kFreeBSD-and-Hurd.patch * [ee185a2] d/icedove.install: mozilla-xremote-client was removed * [64adc44] debian/source.filter: modifying file list to ignore * [dbdd152] debian/control: increase package versions * [fb3307c] lintian: adding one more source override * [2a07495] lintian: adding new override for the icedove package * [38c21ad] debian/README.Debian: adding note around HTTPS Everythere (Closes: #774790) . [ Christoph Goehre ] * [3dce89c] debian/icedove.desktop: correct StartupWMClass to 'Icedove' (Closes: #773876) * [deb3f58] debian/icedove.desktop: add MimeType text/calendar (Closes: #762190) * [4dd96fe] rebuild patch queue from patch-queue branch added patches: - p-kfree-hurd/FTBFS-hurd-adding-the-HURD-platform-to-the-configure.patch - p-powerpcspe/FTBFS-powerpcspe-disable-AltiVec-instructions.patch (Closes: #772933) modified patches: - p-kfree-hurd/FTBFS-hurd-adding-GNU-Hurd-to-the-list-of-OS-systems.patch - p-kfree-hurd/FTBFS-hurd-fixing-unsupported-platform-Hurd.patch - p-kfree-hurd/LDAP-support-building-on-GNU-kFreeBSD-and-GNU-Hurd.patch - p-kfree-hurd/ipc-chromium-fix-if-define-for-kFreeBSD-and-Hurd.patch * [373ed05] add missing epoch in libnss3-dev build depends . icedove (34.0~b1-2) experimental; urgency=low . [ Carsten Schoenert ] * [7a4edc4] rebuild patch queue from patch-queue branch added patches: - debian-hacks/fixing-various-FTBFS-due-different-datatype-char-beh.patch - porting-arm/FTBFS-armhf-fixing-ARM-CPU-detection.patch . 
icedove (34.0~b1-1) experimental; urgency=low . [ Carsten Schoenert ] * [1be8ab1] debian/source.filter: more files to ignore * [66e6488] debian/README.source: adjust description for beta versions * [e63d375] Imported Upstream version 34.0~b1 (Closes: #770180) * [1cb54d2] rebuild patch queue from patch-queue branch obsolete patches (fixed upstream): - porting-armel/disable-some-libopus-feature-for-ARCH-ARMv6.patch * [ad29bb1] debian/rules: be more flexible on *.xpi files * [b055e78] debian/NEWS: fixing default SSL/TLS behavior description * [d64a847] debian/NEWS: adding notes around new security changes . icedove (33.0~b1-1) experimental; urgency=low . [ Carsten Schoenert ] * [5029c8b] debian/source.filter: more files to ignore * [d4b03d9] README.source: let's use xz while creating the orig.tar.xz * [ebd442f] debian/gbp.conf: some instructions for git-dch * [cc594ea] Imported Upstream version 33.0~b1 * [23b57cf] rebuild patch queue from patch-queue branch added patches: - debian-hacks/fix-identification-of-ObjdirMismatchException.patch - debian-hacks/pass-OS_LDFLAGS-to-all-ldap-libraries.patch modified patches: - debian-hacks/Strip-version-number.patch - icedove/fix-branding-in-migration-wizard-and-the-addon-manag.patch - porting-kfreebsd-hurd/FTBFS-hurd-fixing-unsupported-platform-Hurd.patch - obsolete patches (fixed upstream): - fixes/Include-cstdlib-in-gfx-angle-src-compiler-Types.h-fo.patch - porting-alpha/fix-FTBFS-on-alpha.patch * [a5a2a1b] adding additional config options for hppa and ppc64 Both platforms failing on running xpcshell. . [ Christoph Goehre ] * [5a0ba43] linitan: bump up standards version to 3.9.6 * [aaca6a7] debian/NEWS: adding note around increased default TLS version 1.2 (Closes: #761245) . icedove (32.0~b1-1) experimental; urgency=low . [ Christoph Goehre ] * [65ad797] icedove.postinst: remove obsolete symlink handling . 
[ Carsten Schoenert ] * [baef95a] debian/gbp.conf: adopting experimental branch * [8384eee] Imported Upstream version 32.0~b1 * [75145f3] rebuild patch queue from patch-queue branch modified patches: - icedove/fix-branding-in-migration-wizard-and-the-addon-manag.patch - debian-hacks/remove-non-free-W3C-icon-valid.png.patch obsolete patches (fixed upstream): - porting-armel/fix-skia-for-ARMv4.patch . [ Christoph Goehre ] * [51c3cee] cleanup branding patch icedove (38.0~b5-1) experimental; urgency=medium . [ Carsten Schoenert ] * [7e3cab4] Imported Upstream version 38.0~b5 * [3edbafc] Revert "debian/control: remove build-dep on libnotify-dev" * [5e69bab] debian/control: increase b-d versions * [6e6ae36] rebuild patch queue from patch-queue branch added patches: - debian-hacks/remove-timestamps-from-c_cpp-macros-for-reproducibil.patch obsolete patches (fixed in Debian): - adopting-SQLITE3-version.patch * [ac7b760] mozconfig.default: adding some explicit configure options * [81fd6e6] complete rewrite of copyright information * [327dd45] switching to libgstreamer1.0* . [ Christoph Goehre ] * [9877ea3] lintian: add override for libpng icedove (38.0~b2-1) experimental; urgency=medium . [ Carsten Schoenert ] * [b08d966] debian/source.filter: modifying file list to ignore * [88fd018] Imported Upstream version 38.0~b2 * [e9da8f8] icedove branding: adopt upstream changes * [3610daa] debian/control: increase b-d versions * [950fae7] rebuild patch queue from patch-queue branch modified patches: - system-libs/Allow-to-build-against-system-libffi.patch - porting-kfreebsd-hurd/FTBFS-hurd-fixing-unsupported-platform-Hurd.patch obsolete patches (fixed upstream): - porting/Reintroduce-pixman-code-path-removed-in-bug-1097776-.patch * [1820d7c] debian/control: adding xul-ext-compactheader to Breaks field . [ Dominik George ] * [4181126] debian/control: Upgrade Breaks relation to enigmail (Closes: #782686) icedove (36.0~b1-2) experimental; urgency=medium . 
* [26c0027] rebuild patch queue from patch-queue branch added patches: - porting/Reintroduce-pixman-code-path-removed-in-bug-1097776-.patch - porting/Remove-duplicate-SkDiscardableMemory_none.cpp-from-g.patch - porting/ppc-fix-divide-page-size-in-jemalloc.patch (Closes: #780404) icedove (36.0~b1-1) experimental; urgency=medium . [ Carsten Schoenert ] * [68112a3] Imported Upstream version 36.0~b1 * [3120361] rebuild patch queue from patch-queue branch obsolete patches (fixed upstream): - debian-hacks/fixing-various-FTBFS-due-different-datatype-char-beh.patch - porting-arm/FTBFS-armhf-fixing-ARM-CPU-detection.patch modified patches: - debian-hacks/Strip-version-number.patch - p-kfree-hurd/FTBFS-hurd-fixing-unsupported-platform-Hurd.patch - p-kfree-hurd/correcting-file-inclusion-for-kfreebsd.patch - p-kfree-hurd/ipc-chromium-fix-if-define-for-kFreeBSD-and-Hurd.patch * [ee185a2] d/icedove.install: mozilla-xremote-client was removed * [64adc44] debian/source.filter: modifying file list to ignore * [dbdd152] debian/control: increase package versions * [fb3307c] lintian: adding one more source override * [2a07495] lintian: adding new override for the icedove package * [38c21ad] debian/README.Debian: adding note around HTTPS Everythere (Closes: #774790) . 
[ Christoph Goehre ] * [3dce89c] debian/icedove.desktop: correct StartupWMClass to 'Icedove' (Closes: #773876) * [deb3f58] debian/icedove.desktop: add MimeType text/calendar (Closes: #762190) * [4dd96fe] rebuild patch queue from patch-queue branch added patches: - p-kfree-hurd/FTBFS-hurd-adding-the-HURD-platform-to-the-configure.patch - p-powerpcspe/FTBFS-powerpcspe-disable-AltiVec-instructions.patch (Closes: #772933) modified patches: - p-kfree-hurd/FTBFS-hurd-adding-GNU-Hurd-to-the-list-of-OS-systems.patch - p-kfree-hurd/FTBFS-hurd-fixing-unsupported-platform-Hurd.patch - p-kfree-hurd/LDAP-support-building-on-GNU-kFreeBSD-and-GNU-Hurd.patch - p-kfree-hurd/ipc-chromium-fix-if-define-for-kFreeBSD-and-Hurd.patch * [373ed05] add missing epoch in libnss3-dev build depends icedove (34.0~b1-2) experimental; urgency=low . [ Carsten Schoenert ] * [7a4edc4] rebuild patch queue from patch-queue branch added patches: - debian-hacks/fixing-various-FTBFS-due-different-datatype-char-beh.patch - porting-arm/FTBFS-armhf-fixing-ARM-CPU-detection.patch icedove (34.0~b1-1) experimental; urgency=low . [ Carsten Schoenert ] * [1be8ab1] debian/source.filter: more files to ignore * [66e6488] debian/README.source: adjust description for beta versions * [e63d375] Imported Upstream version 34.0~b1 (Closes: #770180) * [1cb54d2] rebuild patch queue from patch-queue branch obsolete patches (fixed upstream): - porting-armel/disable-some-libopus-feature-for-ARCH-ARMv6.patch * [ad29bb1] debian/rules: be more flexible on *.xpi files * [b055e78] debian/NEWS: fixing default SSL/TLS behavior description * [d64a847] debian/NEWS: adding notes around new security changes icedove (33.0~b1-1) experimental; urgency=low . 
[ Carsten Schoenert ] * [5029c8b] debian/source.filter: more files to ignore * [d4b03d9] README.source: let's use xz while creating the orig.tar.xz * [ebd442f] debian/gbp.conf: some instructions for git-dch * [cc594ea] Imported Upstream version 33.0~b1 * [23b57cf] rebuild patch queue from patch-queue branch added patches: - debian-hacks/fix-identification-of-ObjdirMismatchException.patch - debian-hacks/pass-OS_LDFLAGS-to-all-ldap-libraries.patch modified patches: - debian-hacks/Strip-version-number.patch - icedove/fix-branding-in-migration-wizard-and-the-addon-manag.patch - porting-kfreebsd-hurd/FTBFS-hurd-fixing-unsupported-platform-Hurd.patch - obsolete patches (fixed upstream): - fixes/Include-cstdlib-in-gfx-angle-src-compiler-Types.h-fo.patch - porting-alpha/fix-FTBFS-on-alpha.patch * [a5a2a1b] adding additional config options for hppa and ppc64 Both platforms failing on running xpcshell. . [ Christoph Goehre ] * [5a0ba43] linitan: bump up standards version to 3.9.6 * [aaca6a7] debian/NEWS: adding note around increased default TLS version 1.2 (Closes: #761245) icedove (32.0~b1-1) experimental; urgency=low . [ Christoph Goehre ] * [65ad797] icedove.postinst: remove obsolete symlink handling . [ Carsten Schoenert ] * [baef95a] debian/gbp.conf: adopting experimental branch * [8384eee] Imported Upstream version 32.0~b1 * [75145f3] rebuild patch queue from patch-queue branch modified patches: - icedove/fix-branding-in-migration-wizard-and-the-addon-manag.patch - debian-hacks/remove-non-free-W3C-icon-valid.png.patch obsolete patches (fixed upstream): - porting-armel/fix-skia-for-ARMv4.patch . [ Christoph Goehre ] * [51c3cee] cleanup branding patch icedove (31.8.0-1~deb8u1+kbsd11) jessie-kfreebsd; urgency=medium . * Import nss/kbsd patch from nss package icedove-l10n (1:38.0.1-1~deb8u1) stable-security; urgency=medium . 
[ Carsten Schoenert ] * [fef2b1f] Imported Upstream version 38.0.1 * [3f34092] icedove-l10n-fi: replace myspell-fi with xul-ext-mozvoikko (Closes: #792367) . [ Christoph Goehre ] * [384dc4f] adjust icedove depends >= 38.0~ and icedove << 39 icedove-l10n (1:38.0.1-1~deb7u1) oldstable-security; urgency=medium . [ Carsten Schoenert ] * [fef2b1f] Imported Upstream version 38.0.1 * [c3d1a0b] icedove-l10n-fi: replace myspell-fi with xul-ext-mozvoikko (Closes: #792367) . [ Christoph Goehre ] * [31a9a5b] adjust icedove depends >= 38.0~ and icedove << 39 icedove-l10n (1:38.0~b2-1) experimental; urgency=medium . * [3978e11] debian/gbp.conf: correct upstream-branch assignment * [3f3a36e] Imported Upstream version 38.0~b2 * [c06cb1f] rebuild patch queue from patch-queue branch * [4693943] adjust icedove depends >= 38.0~ and icedove << 39 icedove-l10n (1:36.0~b1-1) experimental; urgency=low . [ Carsten Schoenert ] * [ae1ec3e] debian/c-u-t: adding new helper script (cherry-picked from master) * [97c472d] Imported Upstream version 36.0~b1 * [c5d70b5] rebuild patch queue from patch-queue branch * [fd71069] adjust icedove depends >= 36.0~ and icedove << 37 icedove-l10n (1:34.0~b1-1) experimental; urgency=low . [ Carsten Schoenert ] * [dba229d] Imported Upstream version 34.0~b1 * [17f58e7] rebuild patch queue from patch-queue branch * [b66c03a] adjust icedove depends >= 34.0~ and icedove << 35 * [312f280] debian/control: fix recommends for icedove-l10n-sr (Closes: #767635) icedove-l10n (1:33.0~b1-1) experimental; urgency=low . * [90dac17] Imported Upstream version 33.0~b1 * [4aa4a4c] rebuild patch queue from patch-queue branch * [3cdac77] adjust icedove depends >= 33.0~ and icedove << 34 * [313729d] linitan: bump up standards version to 3.9.6 icedove-l10n (1:32.0~b1-1) experimental; urgency=low . 
[ Carsten Schoenert ] * [32b4f8e] Imported Upstream version 32.0~b1 * [8bc4841] rebuild patch queue from patch-queue branch * [920724e] adjust icedove depends >= 32.0~ and icedove << 33 icedtea-web (1.5.3-1) jessie; urgency=medium . * New upstream release, fixes CVE-2015-5235 and CVE-2015-5234 icedtea-web (1.5.2-1.1) unstable; urgency=medium . * Non-maintainer upload. * Fix alternatives handling in icedtea-netx.postinst.in (closes: #778631). icedtea-web (1.5.2-1) unstable; urgency=medium . * IcedTea-Web 1.5.2 release. icedtea-web (1.5.2~rc1-1) unstable; urgency=medium . * IcedTea-Web 1.5.2 release candidate 1. - RH1095311, PR574 - Build fix for JDK9 (references class sun.misc.Ref removed in OpenJDK 9). - RH1154177 - decoded file needed from cache. - fixed NPE in https dialog. - empty codebase behaves as ".". * Remove the support for OpenJDK 8, breaks for OpenJDK 7, when 8 is not installed. Closes: #759226. LP: #1363785. icedtea-web (1.5.1-1) unstable; urgency=medium . * IcedTea-Web 1.5.1 release. * Build for ppc64 and ppc64el. * Add build support for OpenJDK 8 (Emmanuel Bourg). Closes: #751173. iceowl-l10n (4.0.0.1-1~deb8u1) stable-security; urgency=medium . [ Carsten Schoenert ] * [7e5fbca] Imported Upstream version 4.0.0.1 . [ Christoph Goehre ] * [9aae603] rebuild patch queue from patch-queue branch * [1ea3c92] debian/rules: disable language check for stable security * [a0dc6a8] adjusting iceowl-extension deps iceowl-l10n (3.8~b1-1) experimental; urgency=medium . [ Carsten Schoenert ] * [04148a7] Imported Upstream version 3.8~b1 * [f37ada5] rebuild patch queue from patch-queue branch * [4517e52] adjusting iceowl-extension deps iceowl-l10n (3.6~b1-1) experimental; urgency=low . [ Carsten Schoenert ] * [fdb2f58] Imported Upstream version 3.6~b1 * [b34a916] adjusting iceowl-extension deps iceowl-l10n (3.5~b1-1) experimental; urgency=low . 
[ Carsten Schoenert ] * [7de1625] Imported Upstream version 3.5~b1 * [ad9c17b] debian/c-u-t: remove once more bashism * [5bbf3f7] adjusting iceowl-extension deps * [52e0970] linitan: bump up standards version to 3.9.6 iceowl-l10n (3.4~b1-1) experimental; urgency=low . [ Carsten Schoenert ] * [911db09] Imported Upstream version 3.4~b1 - added new languages: Finnish, Scottisch Galic, Indonesian, Lithuanian, Bokmaal (Norway), Punjabi (India), Portuguese, Albanian, Turkish, Ukrainian - removed languages: Bulgarian, Korean, Croatian * [7956683] debian/control*: removing various iceowl-l10n-* * [068e2d7] debian/control*: adding iceowl-l10n-fi * [ced4b41] debian/control*: adding iceowl-l10n-gd * [3071f62] debian/control*: adding iceowl-l10n-id * [7c566da] debian/control*: adding iceowl-l10n-lt * [7a13341] debian/control*: adding iceowl-l10n-sq * [40efed1] debian/control*: adding iceowl-l10n-tr * [b311af1] debian/control*: adding iceowl-l10n-uk * [1f4ba33] debian/control*: adding iceowl-l10n-nb-no * [0d29b2d] debian/control*: adding iceowl-l10n-pa-in * [5bf4729] debian/control*: adding iceowl-l10n-pt-pt * [d04527c] adjusting iceowl-extension deps iceweasel (38.8.0esr-1~deb8u1) stable-security; urgency=medium . * New upstream release. * Fixes for mfsa2016-{39,44,47}, also known as: CVE-2016-2807, CVE-2016-2805, CVE-2016-2814, CVE-2016-2808. iceweasel (38.8.0esr-1~deb7u1) oldstable-security; urgency=medium . * New upstream release. * Fixes for mfsa2016-{39,44,47}, also known as: CVE-2016-2807, CVE-2016-2805, CVE-2016-2814, CVE-2016-2808. ikiwiki (3.20141016.3) jessie-security; urgency=high . 
[ Simon McVittie ] * img: stop ImageMagick trying to be clever if filenames contain a colon, avoiding mis-processing * HTML-escape error messages, in one case avoiding potential cross-site scripting (OVE-20160505-0012) * Mitigate ImageMagick vulnerabilities such as CVE-2016-3714: - img: force common Web formats to be interpreted according to extension, so that "allowed_attachments: '*.jpg'" does what one might expect - img: restrict to JPEG, PNG and GIF images by default, again mitigating CVE-2016-3714 and similar vulnerabilities - img: check that the magic number matches what we would expect from the extension before giving common formats to ImageMagick . [ Joey Hess ] * img: Add back support for SVG images, bypassing ImageMagick and simply passing the SVG through to the browser, which is supported by all commonly used browsers these days. SVG scaling by img directives has subtly changed; where before size=wxh would preserve aspect ratio, this cannot be done when passing them through and so specifying both a width and height can change the SVG's aspect ratio. imagemagick (8:6.8.9.9-5+deb8u2) jessie-security; urgency=high . * ImageTragick: The coders EPHEMERAL, URL, HTTPS, MVG, MSL, TEXT, SHOW, WIN, and PLT are disabled via policy.xml file, since they are vulnerable to code injection. This mitigates CVE-2016-3714, CVE-2016-3715, CVE-2016-3716, CVE-2016-3717, and CVE-2016-3718. Since ImageMagick reverts to its internal SVG renderer (which uses MVG coder) if Inkscape or RSVG is not used, the option --with-rsvg is included. Closes: 823542. In addition, some other actions were taken with respect to these vulnerabilities: - Drop the PLT/Gnuplot decoder, which was vulnerable to command injection. - Some sanitization for input filenames in http/https delegates is added. - Indirect filename are now authorized by policy. - Indirect reads with label:@ are prevented. - Less secure coders (such as MVG, TEXT, and MSL) require explicit reference in the filename (e.g. 
mvg:my-graph.mvg). imlib2 (1.4.6-2+deb8u2) jessie-security; urgency=high . * Fix divide-by-zero on 2x1 ellipse as per CVE-2011-5326 (Closes: #639414) * Fix integer overflow as per CVE-2014-9771 (Closes: #820206) * Fix off-by-one OOB read as per CVE-2016-3993 (Closes: #819818) * Fix out-of-bounds read in the GIF loader as per CVE-2016-3994 (Closes: #785369) * Fix integer overflow as per CVE-2016-4024 (Closes: #821732) imlib2 (1.4.6-2+deb8u1) jessie-security; urgency=high . * Non-maintainer upload. * CVE-2014-9762: Fix segmentation fault on images without colormap. * CVE-2014-9763: Prevent division-by-zero crashes. * CVE-2014-9764: Fix segfault when opening specially crafted input with feh. initramfs-tools (0.120+deb8u2) jessie; urgency=medium . * [7863219] hook-functions: Include drivers/nvme in block driver modules (Closes: #807000) * [fcef753] hook-functions: Create ORDER files even if there are no valid scripts (Closes: #814965) jansson (2.7-1+deb8u1) jessie-security; urgency=high . * Fix stack exhaustion when parsing JSON as per CVE-2016-4425 (Closes: #823238) kamailio (4.2.0-2+deb8u1) jessie-security; urgency=medium . * CVE-2016-2385 lhasa (0.2.0+git3fe46-1+deb8u1) jessie-security; urgency=high . * Security update. Includes a fix for TALOS-CAN-0095: an integer underflow vulnerability in the code for doing LZH level 3 header decodes. Thanks go to Marcin Noga and Regina Wilson of Cisco TALOS for reporting this vulnerability. libarchive (3.1.2-11+deb8u1) jessie-security; urgency=high . * Non-maintainer upload by the Security Team. * CVE-2016-1541: heap-based buffer overflow due to improper input validation (Closes: #823893) libcrypto++ (5.6.1-6+deb8u2) jessie; urgency=medium . * Fix CVE-2016-3995, Rijndael timing attack counter measure. libdatetime-timezone-perl (1:1.75-2+2016d) jessie; urgency=medium . * Update to Olson database version 2016d. Add patch debian/patches/olson-2016d, which updates the timezone *.pm files, using upstream's tools/parse_olson script. 
This update contains contemporary changes for Russia and Venezuela. libebml (1.3.0-2+deb8u1) jessie-security; urgency=medium . * Non-maintainer upload. * Add CVE-2015-8789.patch. Fix use-after-free vulnerability in the EbmlMaster::Read function. * Add CVE-2015-8790.patch. Fix EbmlUnicodeString::UpdateFromUTF8 function that allowed context-dependent attackers to obtain sensitive information from process heap memory via a crafted UTF-8 string. * Add CVE-2015-8791.patch. Fix EbmlElement::ReadCodedSizeValue function that allowed context-dependent attackers to obtain sensitive information from process heap memory via a crafted length value in an EBML id. libgd2 (2.1.0-5+deb8u3) jessie-security; urgency=high . * [CVE-2015-8877]: Fix gdImageScaleTwoPass memory leak * Upstream patches: + Fixed memory overrun bug in gdImageScaleTwoPass + Fix for segfaults on gdImageScale with most interpolation modes libgd2 (2.1.0-5+deb8u2) jessie-security; urgency=high . * [CVE-2015-8874]: Stack consumption vulnerability in GD allows remote attackers to cause a denial of service via a crafted imagefilltoborder call (Closes: #824627) libgd2 (2.1.0-5+deb8u1) jessie-security; urgency=high . * Non-maintainer upload by the Security Team. * CVE-2016-3074: Signedness vulnerability causing heap overflow (Closes: #822242) libidn (1.29-1+deb8u1) jessie-security; urgency=high . [ Alessandro Ghedini ] * Fix out-of-bounds read on invalid UTF-8 input as per CVE-2015-2059 . [ Brian May ] * Skip info generation libksba (1.3.2-1+deb8u1) jessie; urgency=medium . * Non-maintainer upload. * Do not abort on decoder stack overflow (CVE-2016-4353) * Fix integer overflow in the BER decoder (CVE-2016-4354 CVE-2016-4355) * Fix encoding of invalid utf-8 strings in dn.c (CVE-2016-4356) * Fix an OOB read access in _ksba_dn_to_str * Fix possible read access beyond the buffer (CVE-2016-4579) libndp (1.4-2+deb8u1) jessie-security; urgency=high . * Non-maintainer upload by the Security Team. 
* CVE-2016-3698: Improper input validation and origin check during reception of NDP messages libpam-sshauth (0.3.1-1+deb8u1) jessie-security; urgency=high . * Non-maintainer upload by the Security Team. * CVE-2016-4422: local root privilege escalation. Return PAM_AUTH_ERR when a system user. This prevents the pam module from returning success without asking for authentication credentials. Thanks to Vagrant Cascadian libreoffice (1:4.3.3-2+deb8u4) jessie; urgency=medium . * debian/patches/ppc64el-jdk-paths.diff: fix ppc64el FTBFS due to changed OpenJDK paths, thanks Slavek Banko (closes: #819375) . * debian/rules: - fix logic to not install sound files (closes: #780497) libreoffice (1:4.3.3-2+deb8u3) jessie-security; urgency=high . * debian/patches/V-1lp8t84lh4.diff: fix "LibreOffice Writer Lotus Word Pro TabRack Buffer Overflow Vulnerability" * debian/patches/V-pxk0pgyk9d.diff: fix "LibreOffice Writer Lotus Word Pro 'ReadRootData' Buffer Overflow Vulnerability" * debian/patches/V-mgylorku1q.diff: fix "LibreOffice Writer Lotus Word Pro Bullet Buffer Overflow Vulnerability" (CVE-2016-0794) * debian/patches/V-a7vjdei7l7.diff: fix "LibreOffice Writer Lotus Word Pro 'TocSuperLayout' Buffer Overflow Vulnerability" (CVE-2016-0795) libreoffice (1:4.3.3-2+deb8u3~bpo70+1) wheezy-backports; urgency=high . * Rebuild for wheezy-backports. . * debian/rules: - comment out some conditionals and they don't exactly do what we want on wheezy-backports and use hardcoded values - fix coinmp conditional, use internal one on wheezy... - use internal icu - see https://bugs.freedesktop.org/show_bug.cgi?id=82229#c38 * debian/rules, debian/shlibs.local.coin: add shlibs.local.coin to override all the internal coin dynamic libraries.... 
  * debian/shlibs.override.icu: update to actual current SOVERSION
  * debian/rules, debian/shlibs.override.libc: revert libc hack again
  * debian/patches/icu-icudata-link-fix-armhf.diff: fix internal icu build on
    armhf ("stolen" from icu package)

librsvg (2.40.5-1+deb8u2) jessie-security; urgency=high

  * Non-maintainer upload by the Security Team. Thanks to Brian May for the
    preliminary work.
  * state: Store mask as reference (CVE-2016-4348)
  * state: Look up clip path lazily
  * rsvg: Add rsvg_acquire_node() (CVE-2015-7558 CVE-2016-4347)

libtasn1-6 (4.2-3+deb8u2) jessie-security; urgency=high

  * Non-maintainer upload by the Security Team.
  * CVE-2016-4008: infinite loop while parsing DER certificates

libxstream-java (1.4.7-2+deb8u1) jessie-security; urgency=high

  * Security update:
    - CVE-2016-3674: XML external entity injection vulnerability
      (Closes: #819455)

linux (3.16.7-ckt25-2) jessie; urgency=medium

  * Revert "drm/radeon: hold reference to fences in radeon_sa_bo_new"
    (Closes: #819881)
  * Revert "drm/radeon: call hpd_irq_event on resume", reported to cause
    regressions (crash/hang) on some systems
  * Revert "usb: hub: do not clear BOS field during reset device"
    (Closes: #820176)

linux (3.16.7-ckt25-2~bpo70+1) wheezy-backports; urgency=medium

  * Rebuild for wheezy:
    - Disable architectures that weren't part of wheezy
    - Use gcc-4.6 for all architectures
    - Change ABI number to 0.bpo.4
    - [arm] btrfs: Work around bug in gcc-4.6 (fixes FTBFS)
    - linux-image: Depend on initramfs-tools without any alternatives, so
      that neither apt nor aptitude will automatically switch to dracut

linux (3.16.7-ckt25-2) jessie; urgency=medium

  * Revert "drm/radeon: hold reference to fences in radeon_sa_bo_new"
    (Closes: #819881)
  * Revert "drm/radeon: call hpd_irq_event on resume", reported to cause
    regressions (crash/hang) on some systems
  * Revert "usb: hub: do not clear BOS field during reset device"
    (Closes: #820176)

lvm2 (2.02.111-2.2+deb8u1) jessie; urgency=medium

  * Set default pid directory to /run. (closes: #783120)

mathematica-fonts (17+deb8u1) jessie; urgency=medium

  * Adopt the package.
  * New upstream release (10).
    + Version 7 is no longer downloadable (closes: #789211)
    + Server-side fonts are no longer included (closes: #573479)
    + Neither is a copy of Bitstream Vera (closes: #670216)
  * Drop README.Debian, it talked about type1 X integration.
  * Add missing Depends: wget (closes: #817820).

mercurial (3.1.2-2+deb8u3) jessie-security; urgency=high

  * CVE-2016-3105:
    + convert: pass absolute paths to git

mercurial (3.1.2-2+deb8u2) jessie-security; urgency=high

  * CVE-2016-3630:
    + parsers: fix list sizing rounding error
    + parsers: detect short records
  * CVE-2016-3068:
    + subrepo: set GIT_ALLOW_PROTOCOL to limit git clone protocols
  * CVE-2016-3069:
    + convert: add new, non-clowny interface for shelling out to git
    + convert: rewrite calls to Git to use the new shelling mechanism
    + convert: dead code removal - old git calling functions
    + convert: rewrite gitpipe to use common.commandline
    + convert: test for shell injection in git calls
    Closes: #819504

mysql-5.5 (5.5.49-0+deb8u1) jessie-security; urgency=high

  * Imported Upstream version 5.5.49 to fix security issues:
    - http://www.oracle.com/technetwork/topics/security/cpuapr2016-2881694.html
    - CVE-2016-0640 CVE-2016-0641 CVE-2016-0642 CVE-2016-0643 CVE-2016-0644
      CVE-2016-0646 CVE-2016-0647 CVE-2016-0648 CVE-2016-0649 CVE-2016-0650
      CVE-2016-0666 CVE-2016-2047
    (Closes: #821100)

nam (1.15-3.1~deb8u1) stable; urgency=medium

  * Non-maintainer upload. (Closes: #784433)
  * debian/control:
    - set tcl-dev and tk-dev to '>=8.6'.
  * debian/patches:
    - init_tcltk_with_stub.diff unused. Commented (#) in series file.

nginx (1.6.2-5+deb8u1) jessie-security; urgency=high

  [ Christos Trochalakis ]
  * Fixes multiple resolver CVEs, CVE-2016-0742, CVE-2016-0746, CVE-2016-0747
    Closes: #812806

nginx (1.6.2-5+deb8u1~bpo70+1) wheezy-backports; urgency=medium

  * Rebuild for jessie-backports.

nginx (1.6.2-5+deb8u1) jessie-security; urgency=high

  [ Christos Trochalakis ]
  * Fixes multiple resolver CVEs, CVE-2016-0742, CVE-2016-0746, CVE-2016-0747
    Closes: #812806

nginx (1.6.2-5+a.exp1) experimental; urgency=medium

  [ Christos Trochalakis ]
  * debian/patches/
    + Backport upstream patch from 1.7.8 fixing spdy delays.

ngspice (26-1.1~deb8u1) jessie; urgency=medium

  * Non-maintainer upload.
  * Rebuild for jessie.

ngspice (26-1.1) unstable; urgency=medium

  * Non-maintainer upload.
  * Run lyx with a temporary -userdir to not rely on $HOME, thanks to Johann
    Klammer. (Closes: #813119)

nlpsolver (0.9~beta1-10+deb8u1) jessie; urgency=medium

  * add missing Depends: on libreoffice-java-common (closes: #728792)

nmap (6.47-3+deb8u2) jessie; urgency=medium

  * Fix versioned Breaks/Depends for ndiff (Closes: #825528)

nmap (6.47-3+deb8u1) jessie; urgency=medium

  * Added upstream patch to deal with unusable socks proxy (Closes: #773817)
  * Apply patch by Jan Nordholz to ignore unenumerable interfaces
    (Closes: #821913)
  * Moved ndiff.py from zenmap to ndiff, added versioned Breaks/Replaces
    (Closes: #789776, #789897)

oar (2.5.4-2+deb8u1) jessie-security; urgency=high

  [ Pierre Neyron ]
  * Add patch: fix a vulnerability in the oarsh command (CVE-2016-1235;
    Closes: #819952)

opam (1.2.0-1+deb8u1) jessie; urgency=medium

  * Stop using insecure and no-check-certificate flags when fetching files
    using wget and curl (Closes: #818081).

openafs (1.6.9-2+deb8u5) jessie-security; urgency=high

  * Non-maintainer upload by the Security Team.
  * CVE-2015-8312: afs: pioctl kernel memory overrun
  * CVE-2016-2860: group creation by foreign users

openjdk-7 (7u101-2.6.6-2~deb8u1) jessie; urgency=medium

  * Non-maintainer upload.
  * Rebuild for jessie.

openjdk-7 (7u101-2.6.6-1) experimental; urgency=medium

  [ Tiago Stürmer Daitx ]
  * IcedTea release 2.6.6 (based on 7u101):
  * Security fixes
    - S8129952, CVE-2016-0686: Ensure thread consistency
    - S8132051, CVE-2016-0687: Better byte behavior
    - S8138593, CVE-2016-0695: Make DSA more fair
    - S8139008: Better state table management
    - S8143167, CVE-2016-3425: Better buffering of XML strings
    - S8144430, CVE-2016-3427: Improve JMX connections
    - S8146494: Better ligature substitution
    - S8146498: Better device table adjustments
  * debian/patches/jdk-8152335-improve-methodhandle-consistency.patch:
    removed, fix is upstream since 2.6.5

  [ Matthias Klose ]
  * Fix handling of /usr/lib/jvm/*/jre/lib/zi if internal tzdata is used
    (Andreas Beckmann). Closes: #821858.

openjdk-7 (7u101-2.6.6-1~deb8u1) jessie-security; urgency=medium

  * Rebuild for jessie-security

openjdk-7 (7u95-2.6.4-3) experimental; urgency=medium

  [ Tiago Stürmer Daitx ]
  * SECURITY UPDATE: Applies to client deployment of Java only. This
    vulnerability can be exploited only through sandboxed Java Web Start
    applications and sandboxed Java applets.
    - d/p/jdk-8152335-improve-methodhandle-consistency.patch:
      S8152335, CVE-2016-0636: Improve MethodHandle consistency

  [ Matthias Klose ]
  * Use internal tzdata for builds in stretch, unstable, experimental.
    Closes: #818308.

openjdk-7 (7u95-2.6.4-2) experimental; urgency=medium

  * Upload to experimental.

openjdk-7 (7u95-2.6.4-1) unstable; urgency=high

  [ Tiago Stürmer Daitx ]
  * IcedTea release 2.6.4 (based on 7u95):
  * Security fixes
    - S8059054, CVE-2016-0402: Better URL processing
    - S8130710, CVE-2016-0448: Better attributes processing
    - S8132210: Reinforce JMX collector internals
    - S8132988: Better printing dialogues
    - S8133962, CVE-2016-0466: More general limits
    - S8137060: JMX memory management improvements
    - S8139012: Better font substitutions
    - S8139017, CVE-2016-0483: More stable image decoding
    - S8140543, CVE-2016-0494: Arrange font actions
    - S8143185: Cleanup for handling proxies
    - S8143941, CVE-2015-8126, CVE-2015-8472: Update splashscreen displays
    - S8144773, CVE-2015-7575: Further reduce use of MD5 (SLOTH)
  * debian/patches/it-debian-build-flags.diff: refreshed
  * debian/patches/it-set-compiler.diff: refreshed
  * debian/patches/it-use-quilt.diff: refreshed
  * debian/patches/it-jamvm-2.0.diff: refreshed
  * debian/patches/icedtea-pretend-memory.diff: refreshed
  * debian/patches/fix_extra_flags-default.diff: refreshed
  * debian/patches/zero-sparc.diff: refreshed

  [ Matthias Klose ]
  * Remove obsolete IcedTea configure options.
  * Fix build failure on squeeze (Thorsten Glaser). Closes: #809205.
  * Don't run the test on mips, still having stone age buildd hardware and
    empty promises to fix these issues since 2010.

openjdk-7 (7u95-2.6.4-1~deb7u1) wheezy-security; urgency=low

  * Rebuild for wheezy-security

openjdk-7 (7u91-2.6.3-3) unstable; urgency=medium

  * Fix stripping packages (use bash instead of expr substring).
  * openjdk-jre-headless: Add dependency on the package containing the
    mountpoint binary. Closes: #803717.
  * openjdk-7-jdk: Fix typo in sdk provides. Closes: #803150.
  * Build using giflib 5.

openjdk-7 (7u91-2.6.3-2) unstable; urgency=medium

  * Enable sparc64 for hotspot (John Paul Adrian Glaubitz).
  * Add debian/patches/sparc-libproc-fix.diff to include missing headers on
    sparc64 (David Matthew Mattli). Closes: #805846.

openjdk-7 (7u91-2.6.3-1) unstable; urgency=medium

  [ Tiago Stürmer Daitx ]
  * Icedtea release 2.6.3 (based on 7u91):
  * Security fixes
    - S8142882, CVE-2015-4871: rebinding of the receiver of a
      DirectMethodHandle may allow a protected method to be accessed

openssh (1:6.7p1-5+deb8u2) jessie-security; urgency=high

  * Non-maintainer upload by the Security Team.
  * CVE-2015-8325: Ignore PAM environment vars when UseLogin=yes

openssl (1.0.1t-1+deb8u2) jessie; urgency=medium

  * add Update-S-MIME-certificates.patch to update expired certificates to
    pass the test suite

openssl (1.0.1t-1+deb8u1) jessie; urgency=medium

  [ Sebastian Andrzej Siewior ]
  * Update to 1.0.1t stable release (drop applied patches and refresh
    existing ones).
    - Use alternate trust chains part of 1.0.1n (Closes: #774882).
    - Use correct digest when exporting keying material (Closes: #807057)
    - Fix CVE-2015-3197 (not affected, SSLv2 disabled)
    - Fix CVE-2015-1793 (1.0.1n+ is affected and last upload was k)

openssl (1.0.1k-3+deb8u5) jessie-security; urgency=medium

  * Fix CVE-2016-2105
  * Fix CVE-2016-2106
  * Fix CVE-2016-2107
  * Fix CVE-2016-2108
  * Fix CVE-2016-2109
  * Fix CVE-2016-2176

openvswitch (2.3.0+git20140819-3+deb8u1) jessie-security; urgency=high

  * Non-maintainer upload by the Security Team.
  * CVE-2016-2074: Buffer overflow for crafted MPLS packets

optipng (0.7.5-1+deb8u1) jessie-security; urgency=medium

  * CVE-2016-2191

ovito (2.3.3-3+deb8u1) jessie-security; urgency=high

  * Non-maintainer upload.
  * No-change rebuild against botan1.10.

pdns (3.4.1-4+deb8u5) jessie-security; urgency=high

  * Non-maintainer upload.
  * No-change rebuild against botan1.10.

pepperflashplugin-nonfree (1.8.1+deb8u1) jessie; urgency=medium

  * Non-maintainer upload.
  * Update Google public key. Closes: #823005.
  * Remove 32 bit support. Closes: #816848.

perl (5.20.2-3+deb8u5) jessie; urgency=medium

  * Apply patch from Niko Tyni fixing debugperl crashes with XS modules
    (Closes: #816280)
  * [SECURITY] CVE-2015-8853 fix regexp engine hang on illegal UTF8 input
    (Closes: #821848)
  * Fix UTF8-related regexp engine crash (Closes: #820328)
  * Apply selected bug-fix patches taken from 5.20.3 (Closes: #822336)
    - /usr/share/doc/perl/perldebdelta.pod describes the changes in more
      detail

php5 (5.6.20+dfsg-0+deb8u1) jessie-security; urgency=medium

  * Imported Upstream version 5.6.20+dfsg
  * Rebase patches on top of 5.6.20+dfsg release

php5 (5.6.19+dfsg-2) unstable; urgency=medium

  * Return /usr/share/php to the default include_path that got dropped when
    we stopped building PEAR from this source package (Closes: #817769)

php5 (5.6.19+dfsg-1) unstable; urgency=medium

  * Imported Upstream version 5.6.19+dfsg
  * Rebase patches on top of 5.6.19+dfsg release
  * Stop building php-pear from src:php5 sources

poppler (0.26.5-2+deb8u1) jessie-security; urgency=medium

  * Backport upstream commit b3425dd3261679958cd56c0f71995c15d2124433 to fix
    a crash on invalid files, reported also as CVE-2015-8868; patch
    upstream_Do-not-crash-on-invalid-files.patch. (Closes: #822578)

postgresql-9.1 (9.1.22-0+deb8u1) jessie; urgency=medium

  * New upstream release: No effective changes for PL/Perl, the version must
    just be higher than the one in wheezy.

postgresql-9.1 (9.1.21-0+deb8u1) jessie; urgency=medium

  * New upstream version, relevant PL/Perl change:
    + Correctly handle empty arrays in plperl_ref_from_pg_array.

postgresql-9.1 (9.1.21-0+deb7u1) wheezy; urgency=medium

  * New upstream bugfix release.

postgresql-9.4 (9.4.8-0+deb8u1) jessie; urgency=medium

  * New upstream bugfix release.

postgresql-9.4 (9.4.7-0+deb8u1) jessie; urgency=medium

  * New upstream bugfix release.
  * Remove obsolete .bzr-builddeb/default.conf.

postgresql-9.4 (9.4.7-0+deb8u1~bpo70+2) wheezy-backports; urgency=low

  * Fix alignment issue in contrib/test_decoding only visible on sparc.
    Thanks to Andres Freund and Tom Lane for patches.
  * Update branch in Vcs-Git field.

postgresql-9.4 (9.4.7-0+deb8u1~bpo70+1) wheezy-backports; urgency=low

  * Rebuild for wheezy-backports.

postgresql-9.4 (9.4.7-0+deb8u1) jessie; urgency=medium

  * New upstream bugfix release.
  * Remove obsolete .bzr-builddeb/default.conf.

postgresql-9.4 (9.4.6-0+deb8u1) jessie-security; urgency=medium

  * New upstream version.
    + Fix infinite loops and buffer-overrun problems in regular expressions.
      Very large character ranges in bracket expressions could cause infinite
      loops in some cases, and memory overwrites in other cases.
      (CVE-2016-0773)
    + Fix privilege escalation issue for users of PL/Java. Certain custom
      configuration settings (GUCs) for PL/Java will now be modifiable only
      by the database superuser. (CVE-2016-0766)
    + Users will need to reindex any jsonb_path_ops indexes they have
      created, in order to fix a persistent issue with missing index entries.

postgresql-9.4 (9.4.6-0+deb8u1~bpo70+1) wheezy-backports; urgency=low

  * Rebuild for wheezy-backports.

postgresql-9.4 (9.4.6-0+deb8u1) jessie-security; urgency=medium

  * New upstream version.
    + Fix infinite loops and buffer-overrun problems in regular expressions.
      Very large character ranges in bracket expressions could cause infinite
      loops in some cases, and memory overwrites in other cases.
      (CVE-2016-0773)
    + Fix privilege escalation issue for users of PL/Java. Certain custom
      configuration settings (GUCs) for PL/Java will now be modifiable only
      by the database superuser. (CVE-2016-0766)
    + Users will need to reindex any jsonb_path_ops indexes they have
      created, in order to fix a persistent issue with missing index entries.

postgresql-9.4 (9.4.5-2) unstable; urgency=medium

  * 64-pg_upgrade-sockdir: Fix off-by-one error in max path length.
  * 90-libmxl-808325: Work around regression in libxml2 2.9.3+dfsg1-1 which
    provides less context in error messages, breaking the xml regression
    tests. Analysis by Niko Tyni, thanks!
    (Closes: #808325)

postgresql-9.4 (9.4.5-1) unstable; urgency=medium

  * New upstream version.

    + Guard against stack overflows in json parsing (Oskari Saarenmaa)

      If an application constructs PostgreSQL json or jsonb values from
      arbitrary user input, the application's users can reliably crash the
      PostgreSQL server, causing momentary denial of service. (CVE-2015-5289)

    + Fix contrib/pgcrypto to detect and report too-short crypt() salts
      (Josh Kupershmidt)

      Certain invalid salt arguments crashed the server or disclosed a few
      bytes of server memory. We have not ruled out the viability of attacks
      that arrange for presence of confidential information in the disclosed
      bytes, but they seem unlikely. (CVE-2015-5288)

  * debian/rules: Call dh without --parallel, it's not supported upstream.

python-django (1.7.7-1+deb8u4) jessie-security; urgency=high

  * Non-maintainer upload by the Security Team.
  * CVE-2016-2512: Prevented spoofing is_safe_url() with basic auth.
    Malicious redirect and possible XSS attack via user-supplied redirect
    URLs containing basic auth. (Closes: #816434)
  * is_safe_url() crashes with a bytestring URL on Python 2. Fixes a
    regression introduced by the original fix for CVE-2016-2512.
  * CVE-2016-2513: Fixed user enumeration timing attack during login
    (Closes: #816434)
  * Add Build-Depends on python-mock and python3-mock

qemu (1:2.1+dfsg-12+deb8u6) jessie-security; urgency=high

  * Non-maintainer upload by the Security Team.
  * CVE-2016-3710: Banked access to VGA memory (VBE) uses inconsistent
    bounds checks
  * CVE-2016-3712: potential integer overflow or OOB read access issues

qtcreator (3.2.1+dfsg-7+deb8u1) jessie-security; urgency=high

  * Non-maintainer upload.
  * No-change rebuild against botan1.10.

quota (4.01-8+deb8u1) jessie-proposed-updates; urgency=medium

  * Change invocation of quota services, so systemd takes over most of the
    work. Only the initial check is still performed by the service file
    provided by quota.
    (Closes: #753939, #788963)

redmine (3.0~20140825-8~deb8u3) jessie; urgency=medium

  * gemfile-adjustments.patch: load all database drivers for all Redmine
    instances (Closes: #819815)

softhsm (1.3.7-2+deb8u1) jessie-security; urgency=high

  * Non-maintainer upload.
  * No-change rebuild against botan1.10.

srtp (1.4.5~20130609~dfsg-1.1+deb8u1) jessie-security; urgency=high

  * Non-maintainer upload.
  * Add CVE-2015-6360.patch. Prevent potential DoS attack due to lack of
    bounds checking on RTP header CSRC count and extension header length.
    (Closes: #807698)

subversion (1.8.10-6+deb8u4) jessie-security; urgency=high

  + patches/CVE-2016-2167: svnserve/sasl may authenticate users using the
    wrong realm
  + patches/CVE-2016-2168: Remotely triggerable DoS vulnerability in
    mod_authz_svn during COPY/MOVE authorization check

swift-plugin-s3 (1.7-5+deb8u1) jessie-security; urgency=high

  * CVE-2015-8466: replay attack - date/date header unvalidated
    (Closes: #822688)

tardiff (0.1-2+deb8u2) jessie-security; urgency=high

  * Non-maintainer upload by the Security Team.
  * Add fix for shell command injection via tar filename itself. This fix is
    as well part of the CVE-2015-0857 assignment but was previously missed.

tardiff (0.1-2+deb8u1) jessie-security; urgency=high

  * Add patch to fix miscalculated statistics. (Closes: #802098)
  * Add patches to fix two security issues:
    + CVE-2015-0857: shell command injection through file names
    + CVE-2015-0858: /tmp race condition in handling temporary directory
    Issues found and reported by Rainer Müller and Florian Weimer.
    Additional necessary changes:
    + Add new run-time dependency on libtext-diff-perl.

tklib (0.6-1+deb8u1) stable; urgency=medium

  * Fixed typo in Plotchart version which prevented its loading.

tomcat6 (6.0.45+dfsg-1~deb8u1) jessie-security; urgency=high

  * Imported Upstream version 6.0.45+dfsg. Fixes all current known security
    vulnerabilities in the source package.
    Users were not directly affected since we only build the servlet API and
    documentation. This update simplifies upgrades from Wheezy.

tomcat6 (6.0.45+dfsg-1~deb7u1) wheezy-security; urgency=high

  * Team upload.
  * The full list of changes between 6.0.35 (the version previously
    available in Wheezy) and 6.0.45 can be seen in the upstream changelog,
    which is available online at
    http://tomcat.apache.org/tomcat-6.0-doc/changelog.html
  * This update fixes the following security issues:
    - CVE-2014-0033: prevent remote attackers from conducting session
      fixation attacks via crafted URLs.
    - CVE-2014-0119: Fix not properly constraining class loader that accesses
      the XML parser used with an XSLT stylesheet which allowed remote
      attackers to read arbitrary files via crafted web applications.
    - CVE-2014-0099: Fix integer overflow in
      java/org/apache/tomcat/util/buf/Ascii.java.
    - CVE-2014-0096: Properly restrict XSLT stylesheets that allowed remote
      attackers to bypass security-manager restrictions.
    - CVE-2014-0075: Fix integer overflow in the parseChunkHeader function in
      java/org/apache/coyote/http11/filters/ChunkedInputFilter.java.
    - CVE-2013-4590: prevent "Tomcat internals" information leaks.
    - CVE-2013-4322: prevent remote attackers from doing denial of service
      attacks.
    - CVE-2013-4286: reject requests with multiple content-length headers or
      with a content-length header when chunked encoding is being used.
    - Avoid CVE-2013-1571 when generating Javadoc.
  * CVE-2014-0227.patch:
    - Add error flag to allow subsequent attempts at reading after an error
      to fail fast.
  * CVE-2014-0230: Add support for maxSwallowSize.
  * CVE-2014-7810:
    - Fix potential BeanELResolver issue when running under a security
      manager. Some classes may not be accessible but may have accessible
      interfaces.
  * CVE-2015-5174: Directory traversal vulnerability in RequestUtil.java.
  * CVE-2015-5345: The Mapper component in Apache Tomcat before 6.0.45
    processes redirects before considering security constraints and Filters.
  * CVE-2016-0706: Apache Tomcat before 6.0.45 does not place
    org.apache.catalina.manager.StatusManagerServlet on the
    org/apache/catalina/core/RestrictedServlets.properties list which allows
    remote authenticated users to bypass intended SecurityManager
    restrictions.
  * CVE-2016-0714: The session-persistence implementation in Apache Tomcat
    before 6.0.45 mishandles session attributes, which allows remote
    authenticated users to bypass intended SecurityManager restrictions.
  * CVE-2016-0763: The setGlobalContext method in
    org/apache/naming/factory/ResourceLinkFactory.java in Apache Tomcat does
    not consider whether ResourceLinkFactory.setGlobalContext callers are
    authorized, which allows remote authenticated users to bypass intended
    SecurityManager restrictions and read or write to arbitrary application
    data, or cause a denial of service (application disruption), via a web
    application that sets a crafted global context.
  * CVE-2015-5351: The Manager and Host Manager applications in Apache
    Tomcat establish sessions and send CSRF tokens for arbitrary new
    requests, which allows remote attackers to bypass a CSRF protection
    mechanism by using a token.
  * Drop the following patches. Applied upstream.
    - 0011-CVE-2012-0022-regression-fix.patch
    - 0012-CVE-2012-3544.patch
    - 0014-CVE-2012-4534.patch
    - 0015-CVE-2012-4431.patch
    - 0016-CVE-2012-3546.patch
    - 0017-CVE-2013-2067.patch
    - cve-2012-2733.patch
    - cve-2012-3439.patch
    - CVE-2014-0227.patch
    - CVE-2014-0230.patch
    - CVE-2014-7810-1.patch
    - CVE-2014-7810-2.patch
    - 0011-Fix-for-NoSuchElementException-when-an-attribute-has.patch

tomcat6 (6.0.45-1~deb6u1) squeeze-lts; urgency=high

  * Non-maintainer upload by the Debian LTS team.
  * Backport version 6.0.45 to Squeeze-LTS.
    The full list of changes between 6.0.41 (the version previously
    available in Squeeze-LTS) and 6.0.45 can be seen in the upstream
    changelog, which is available online at
    http://tomcat.apache.org/tomcat-6.0-doc/changelog.html
  * This update fixes the following security vulnerabilities:
    - CVE-2015-5174: Directory traversal vulnerability in RequestUtil.java.
    - CVE-2015-5345: The Mapper component in Apache Tomcat before 6.0.45
      processes redirects before considering security constraints and
      Filters.
    - CVE-2016-0706: Apache Tomcat before 6.0.45 does not place
      org.apache.catalina.manager.StatusManagerServlet on the
      org/apache/catalina/core/RestrictedServlets.properties list which
      allows remote authenticated users to bypass intended SecurityManager
      restrictions.
    - CVE-2016-0714: The session-persistence implementation in Apache Tomcat
      before 6.0.45 mishandles session attributes, which allows remote
      authenticated users to bypass intended SecurityManager restrictions.
    - CVE-2016-0763: The setGlobalContext method in
      org/apache/naming/factory/ResourceLinkFactory.java in Apache Tomcat
      does not consider whether ResourceLinkFactory.setGlobalContext callers
      are authorized, which allows remote authenticated users to bypass
      intended SecurityManager restrictions and read or write to arbitrary
      application data, or cause a denial of service (application
      disruption), via a web application that sets a crafted global context.
    - CVE-2015-5351: The Manager and Host Manager applications in Apache
      Tomcat establish sessions and send CSRF tokens for arbitrary new
      requests, which allows remote attackers to bypass a CSRF protection
      mechanism by using a token.
  * Drop the following patches. They were applied upstream.
    - 0011-Fix-for-NoSuchElementException-when-an-attribute-has.patch.
    - CVE-2014-0227.patch.
    - CVE-2014-0230.patch.
    - CVE-2014-7810-1.patch.
    - CVE-2014-7810-2.patch.

tomcat6 (6.0.41-4) unstable; urgency=medium

  * Removed the timestamp from the Javadoc of the Servlet API to make the
    build reproducible

tomcat7 (7.0.56-3+deb8u2) jessie-security; urgency=high

  * Team upload.
  * Fix CVE-2015-5174: Directory traversal vulnerability in RequestUtil.java
    allows remote authenticated users to bypass intended SecurityManager
    restrictions and list a parent directory via a /.. (slash dot dot) in a
    pathname used by a web application in a getResource,
    getResourceAsStream, or getResourcePaths call, as demonstrated by the
    $CATALINA_BASE/webapps directory.
  * Fix CVE-2015-5345: The Mapper component in Apache Tomcat processes
    redirects before considering security constraints and Filters, which
    allows remote attackers to determine the existence of a directory via a
    URL that lacks a trailing / (slash) character.
  * Fix CVE-2015-5346: Session fixation vulnerability in Apache Tomcat when
    different session settings are used for deployments of multiple versions
    of the same web application, might allow remote attackers to hijack web
    sessions by leveraging use of a requestedSessionSSL field for an
    unintended request, related to CoyoteAdapter.java and Request.java.
  * Fix CVE-2015-5351: The Manager and Host Manager applications in Apache
    Tomcat establish sessions and send CSRF tokens for arbitrary new
    requests, which allows remote attackers to bypass a CSRF protection
    mechanism by using a token.
  * Fix CVE-2016-0706: Apache Tomcat does not place
    org.apache.catalina.manager.StatusManagerServlet on the
    org/apache/catalina/core/RestrictedServlets.properties list, which
    allows remote authenticated users to bypass intended SecurityManager
    restrictions and read arbitrary HTTP requests, and consequently discover
    session ID values, via a crafted web application.
  * Fix CVE-2016-0714: The session-persistence implementation in Apache
    Tomcat mishandles session attributes, which allows remote authenticated
    users to bypass intended SecurityManager restrictions and execute
    arbitrary code in a privileged context via a web application that places
    a crafted object in a session.
  * Fix CVE-2016-0763: The setGlobalContext method in
    org/apache/naming/factory/ResourceLinkFactory.java in Apache Tomcat does
    not consider whether ResourceLinkFactory.setGlobalContext callers are
    authorized, which allows remote authenticated users to bypass intended
    SecurityManager restrictions and read or write to arbitrary application
    data, or cause a denial of service (application disruption), via a web
    application that sets a crafted global context.

tzdata (2016d-0+deb8u1) stable; urgency=medium

  * New upstream version, affecting the following future time stamps:
    - America/Caracas. Closes: #821147.
    - Asia/Magadan
    - Asia/Tomsk (new timezone).
  * Update translations from the sid package.

tzdata (2016d-0+deb7u1) oldstable; urgency=medium

  * New upstream version, affecting the following future time stamps:
    - America/Caracas. Closes: #821147.
    - Asia/Magadan
    - Asia/Tomsk (new timezone).
  * Update translations from the sid package.

tzdata (2016c-1) unstable; urgency=medium

  * New upstream version, affecting the following future time stamps:
    - America/Santiago
    - Asia/Baku

websvn (2.3.3-1.2+deb8u2) jessie-security; urgency=high

  * Non-maintainer upload by the Security Team.
  * CVE-2016-1236: XSS via directory or file in a repository containing XSS
    payload

wireshark (1.12.1+g01b65bf-4+deb8u6) jessie-security; urgency=medium

  * security fixes from Wireshark 1.12.11:
    - PKTC dissector crashes (CVE-2016-4080, CVE-2016-4079)
    - IAX2 dissector infinite loop (CVE-2016-4081)
    - Wireshark and TShark could exhaust the stack (CVE-2016-4006)
    - GSM CBCH dissector crash (CVE-2016-4082)
    - NCP dissector crash (CVE-2016-4085)

wmforecast (0.8-1+deb8u1) jessie; urgency=medium

  * debian/control
    - Update Maintainer and add Uploaders.
  * debian/patches/new_yahoo_api.patch
    - New patch; modifications to work with new Yahoo! weather API.
      Backported from upstream.

xapian-core (1.2.19-1+deb8u1) stable; urgency=medium

  * New patch increment-cursor-version-on-cancel-or-reopen.patch fixing
    possible database corruption, especially with recoll. (Closes: #808610)

xarchiver (1:0.5.4-1+deb8u1) jessie; urgency=medium

  * Add cancel-extraction-crash.patch. When using the "extract here" feature
    of Xarchiver's Thunar plugin, the attempt to cancel the extraction could
    crash the application or even the whole desktop session.
    (Closes: #802019)

xen (4.4.1-9+deb8u5) jessie-security; urgency=high

  * Non-maintainer upload by the Security Team.
  * CVE-2016-3158, CVE-2016-3159: broken AMD FPU FIP/FDP/FOP leak workaround
  * CVE-2016-3960: x86 shadow pagetables: address width overflow

xerces-c (3.1.1-5.1+deb8u2) jessie-security; urgency=high

  * Non-maintainer upload by the Security Team.
  * CVE-2016-2099: Use-after-free in heap on specially crafted XML input
    (Closes: #823863)

xscreensaver (5.30-1+deb8u2) jessie; urgency=medium

  * Disable Easter egg about "outdated" version (closes: #819703)

xymon (4.3.17-6+deb8u1) jessie-security; urgency=high

  * Security update. Several issues were reported by Markus Krell:
    + Resolve buffer overflow when handling "config" file requests
      (CVE-2016-2054)
    + Restrict "config" files to regular files inside the $XYMONHOME/etc/
      directory (symlinks disallowed). Also, require that the initial
      filename end in '.cfg' by default. (CVE-2016-2055)
    + Resolve shell command injection vulnerability in useradm CGI
      (CVE-2016-2056)
    + Tighten permissions on the xymond BFQ used for message submission to
      restrict access to the xymon user and group. It is now 0620.
      (CVE-2016-2057)
    + Restrict javascript execution in current and historical status
      messages by the addition of appropriate Content-Security-Policy
      headers to prevent XSS attacks.
      (CVE-2016-2058)

zendframework (1.12.9+dfsg-2+deb8u6) jessie; urgency=medium

  * Fix regression from ZF2015-08: binary data corruption
  * Backport security fix from 1.12.18:
    - ZF2016-01: Potential Insufficient Entropy Vulnerability in ZF1
      http://framework.zend.com/security/advisory/ZF2016-01

======================================
Sat, 02 Apr 2016 - Debian 8.4 released
======================================

=========================================================================
[Date: Sat, 02 Apr 2016 08:34:59 +0000] [ftpmaster: Archive Administrator]
Removed the following packages from stable:

gnome-gmail | 1.8.3-1 | source, all
Closed bugs: 814860
------------------- Reason -------------------
RoM; broken
----------------------------------------------
=========================================================================

=========================================================================
[Date: Sat, 02 Apr 2016 08:35:28 +0000] [ftpmaster: Archive Administrator]
Removed the following packages from stable:

nautilus-pastebin | 0.7.1-1 | source, all
Closed bugs: 815026
------------------- Reason -------------------
RoM; unmaintained upstream
----------------------------------------------
=========================================================================

=========================================================================
[Date: Sat, 02 Apr 2016 08:49:48 +0000] [ftpmaster: Archive Administrator]
Removed the following packages from stable:

libclamunrar6 | 0.98.5-1 | amd64, arm64, armel, armhf, i386, mips, mipsel, powerpc, ppc64el, s390x
------------------- Reason -------------------
[auto-cruft] NBS (no longer built by libclamunrar)
----------------------------------------------
=========================================================================

=========================================================================
[Date: Sat, 02 Apr 2016 08:50:36 +0000] [ftpmaster: Archive Administrator]
Removed the following packages from stable:

libclamav6 | 0.98.7+dfsg-0+deb8u1 | amd64, arm64, armel, armhf, i386, mips, mipsel, powerpc, ppc64el, s390x

------------------- Reason -------------------
[auto-cruft] NBS (no longer built by clamav)
----------------------------------------------
=========================================================================

activemq (5.6.0+dfsg1-4+deb8u2) jessie-security; urgency=high
  .
  * Team upload.
  * Fix CVE-2015-5254: Apache ActiveMQ 5.x before 5.13.0 does not restrict
    the classes that can be serialized in the broker, which allows remote
    attackers to execute arbitrary code via a crafted serialized Java
    Message Service (JMS) ObjectMessage object.

amavisd-new (1:2.10.1-2~deb8u1) stable; urgency=medium
  .
  * Backport LC_ALL change to stable.

amd64-microcode (2.20160316.1~deb8u1) stable; urgency=critical
  .
  * This is exactly the same release as 2.20160316.1
  .
amd64-microcode (2.20160316.1) unstable; urgency=critical
  .
  * Upstream release 20160316 built from linux-firmware:
    + Updated Microcodes:
      sig 0x00600f20, patch id 0x0600084f, 2016-01-25
    + This microcode update fixes a critical erratum on NMI handling
      introduced by microcode patch id 0x6000832 from the 20141028 update.
      The erratum is also present on microcode patch id 0x6000836.
    + THIS IS A CRITICAL STABILITY AND SECURITY UPDATE FOR THE EARLIER AMD
      PILEDRIVER PROCESSORS, including:
      + AMD Opteron 3300, 4300, 6300
      + AMD FX "Vishera" (43xx, 63xx, 83xx, 93xx, 95xx)
      + AMD processors with family 21, model 2, stepping 0
  * Robert Święcki, while fuzzing the kernel using the syzkaller tool,
    uncovered very strange behavior on an AMD FX-8320, later reproduced on
    other AMD Piledriver model 2, stepping 0 processors including the
    Opteron 6300. Robert discovered, using his proof-of-concept exploit
    code, that the incorrect behavior allows an unprivileged attacker on an
    unprivileged VM to corrupt the return stack of the host kernel's NMI
    handler. At best, this results in unpredictable host behavior.
    At worst, it allows for an unprivileged user on an unprivileged VM to
    carry a successful host-kernel ring 0 code injection attack.
  * The erratum is timing-dependent, easily triggered by workloads that
    cause a high number of NMIs, such as running the "perf" tool.

amd64-microcode (2.20160316.1~bpo70+1) wheezy-backports; urgency=critical
  .
  * Rebuild for jessie-backports (no changes).
  * This is the same package as 2.20160316.1 and 2.20160316.1~deb8u1.
  .
amd64-microcode (2.20160316.1) unstable; urgency=critical
  .
  * Upstream release 20160316 built from linux-firmware:
    + Updated Microcodes:
      sig 0x00600f20, patch id 0x0600084f, 2016-01-25
    + This microcode update fixes a critical erratum on NMI handling
      introduced by microcode patch id 0x6000832 from the 20141028 update.
      The erratum is also present on microcode patch id 0x6000836.
    + THIS IS A CRITICAL STABILITY AND SECURITY UPDATE FOR THE EARLIER AMD
      PILEDRIVER PROCESSORS, including:
      + AMD Opteron 3300, 4300, 6300
      + AMD FX "Vishera" (43xx, 63xx, 83xx, 93xx, 95xx)
      + AMD processors with family 21, model 2, stepping 0
  * Robert Święcki, while fuzzing the kernel using the syzkaller tool,
    uncovered very strange behavior on an AMD FX-8320, later reproduced on
    other AMD Piledriver model 2, stepping 0 processors including the
    Opteron 6300. Robert discovered, using his proof-of-concept exploit
    code, that the incorrect behavior allows an unprivileged attacker on an
    unprivileged VM to corrupt the return stack of the host kernel's NMI
    handler. At best, this results in unpredictable host behavior.
    At worst, it allows for an unprivileged user on an unprivileged VM to
    carry a successful host-kernel ring 0 code injection attack.
  * The erratum is timing-dependent, easily triggered by workloads that
    cause a high number of NMIs, such as running the "perf" tool.

apt (1.0.9.8.3) jessie; urgency=medium
  .
  * apt-pkg/algorithms.cc: Avoid stack buffer overflow in KillList
    (Closes: #701069)

aptdaemon (1.1.1-4+deb8u1) stable-proposed-updates; urgency=medium
  .
  * Non maintainer upload
  * Add CVE-2015-1323.patch to address CVE-2015-1323 - taken from
    1.1.1-1ubuntu5.2 (Closes: #789162)

ardour (1:2.8.16+git20131003+dfsg1-1~deb8u1) jessie; urgency=medium
  .
  * Repack to remove libs/pdb/dmalloc.cc. (Closes: #810754)
  * debian/patches/debian/patches/190_exclude_dmalloc.patch: Do not build
    dmalloc.cc.
  * debian/copyright:
    - Add libs/pdb/dmalloc.cc to Files-Excluded.
    - Remove libs/pdb/dmalloc.cc paragraph.

base-files (8+deb8u4) stable; urgency=low
  .
  * Changed /etc/debian_version to 8.4, for Debian 8.4 point release.

bind9 (1:9.9.5.dfsg-9+deb8u6) jessie-security; urgency=high
  .
  * Fix CVE-2016-1285: error parsing control channel input.
  * Fix CVE-2016-1286: error parsing DNAME resource records.

bind9 (1:9.9.5.dfsg-9+deb8u5) jessie-security; urgency=high
  .
  * Non-maintainer upload by the Security Team.
  * CVE-2015-8704: Specific APL data could trigger an INSIST in apl_42.c.
    A buffer size check used to guard against overflow could cause named to
    exit with an INSIST failure in apl_42.c.

bsh (2.0b4-15+deb8u1) jessie-security; urgency=high
  .
  * Team upload.
  * Fix CVE-2016-2510. An application that includes BeanShell on the
    classpath may be vulnerable if another part of the application uses Java
    serialization or XStream to deserialize data from an untrusted source.
    A vulnerable application could be exploited for remote code execution,
    including executing arbitrary shell commands.

cacti (0.8.8b+dfsg-8+deb8u4) jessie-security; urgency=high
  .
  * CVE-2015-8377: Fix SQL Injection vulnerability in graphs_new.php
  * CVE-2015-8604: Fix SQL Injection vulnerability in graphs_new.php

cairo (1.14.0-2.1+deb8u1) jessie; urgency=medium
  .
  * Fix CVE-2016-3190

chromium-browser (49.0.2623.108-1~deb8u1) jessie-security; urgency=medium
  .
  * New upstream security release:
    - CVE-2016-1646: Out-of-bounds read in V8.
      Credit to Wen Xu.
    - CVE-2016-1647: Use-after-free in Navigation. Credit to anonymous.
    - CVE-2016-1648: Use-after-free in Extensions. Credit to anonymous.
    - CVE-2016-1649: Buffer overflow in libANGLE. Credit to lokihardt.
    - CVE-2016-1650: Various fixes from internal audits, fuzzing and other
      initiatives.

chromium-browser (49.0.2623.87-1) unstable; urgency=medium
  .
  * New upstream security release:
    - CVE-2016-1643: Type confusion in Blink. Credit to cloudfuzzer.
    - CVE-2016-1644: Use-after-free in Blink. Credit to Atte Kettunen.
    - CVE-2016-1645: Out-of-bounds write in PDFium.

chromium-browser (49.0.2623.87-1~deb8u1) jessie-security; urgency=medium
  .
  * New upstream security release:
    - CVE-2016-1643: Type confusion in Blink. Credit to cloudfuzzer.
    - CVE-2016-1644: Use-after-free in Blink. Credit to Atte Kettunen.
    - CVE-2016-1645: Out-of-bounds write in PDFium.

chromium-browser (49.0.2623.75-2) unstable; urgency=medium
  .
  * Update standards version.
  * Add libffi-dev build dependency.

chromium-browser (49.0.2623.75-1) unstable; urgency=medium
  .
  * New upstream stable release:
    - CVE-2016-1630: Same-origin bypass in Blink. Credit to Mariusz Mlynski.
    - CVE-2016-1631: Same-origin bypass in Pepper Plugin. Credit to Mariusz
      Mlynski.
    - CVE-2016-1632: Bad cast in Extensions. Credit to anonymous.
    - CVE-2016-1633: Use-after-free in Blink. Credit to cloudfuzzer.
    - CVE-2016-1634: Use-after-free in Blink. Credit to cloudfuzzer.
    - CVE-2016-1635: Use-after-free in Blink. Credit to Rob Wu.
    - CVE-2016-1636: SRI Validation Bypass. Credit to ryan@cyph.com.
    - CVE-2015-8126: Out-of-bounds access in libpng. Credit to
      joerg.bornemann.
    - CVE-2016-1637: Information Leak in Skia. Credit to Keve Nagy.
    - CVE-2016-1638: WebAPI Bypass. Credit to Rob Wu.
    - CVE-2016-1639: Use-after-free in WebRTC. Credit to Khalil Zhani.
    - CVE-2016-1640: Origin confusion in Extensions UI. Credit to Luan
      Herrera.
    - CVE-2016-1641: Use-after-free in Favicon. Credit to Atte Kettunen.
    - CVE-2016-1642: Various fixes from internal audits, fuzzing and other
      initiatives.
    - Multiple vulnerabilities in libv8 (version 4.9.385.26).
  * Set use_sysroot=0 to continue using system libraries.

chromium-browser (49.0.2623.75-1~deb8u1) jessie-security; urgency=medium
  .
  * New upstream stable release:
    - CVE-2016-1630: Same-origin bypass in Blink. Credit to Mariusz Mlynski.
    - CVE-2016-1631: Same-origin bypass in Pepper Plugin. Credit to Mariusz
      Mlynski.
    - CVE-2016-1632: Bad cast in Extensions. Credit to anonymous.
    - CVE-2016-1633: Use-after-free in Blink. Credit to cloudfuzzer.
    - CVE-2016-1634: Use-after-free in Blink. Credit to cloudfuzzer.
    - CVE-2016-1635: Use-after-free in Blink. Credit to Rob Wu.
    - CVE-2016-1636: SRI Validation Bypass. Credit to ryan@cyph.com.
    - CVE-2015-8126: Out-of-bounds access in libpng. Credit to
      joerg.bornemann.
    - CVE-2016-1637: Information Leak in Skia. Credit to Keve Nagy.
    - CVE-2016-1638: WebAPI Bypass. Credit to Rob Wu.
    - CVE-2016-1639: Use-after-free in WebRTC. Credit to Khalil Zhani.
    - CVE-2016-1640: Origin confusion in Extensions UI. Credit to Luan
      Herrera.
    - CVE-2016-1641: Use-after-free in Favicon. Credit to Atte Kettunen.
    - CVE-2016-1642: Various fixes from internal audits, fuzzing and other
      initiatives.
    - Multiple vulnerabilities in libv8 (version 4.9.385.26).
  * Add libffi-dev build dependency.
  * Set use_sysroot=0 to continue using system libraries.

chromium-browser (48.0.2564.116-1) unstable; urgency=medium
  .
  * New stable security release:
    - CVE-2016-1622: Same-origin bypass in Extensions. Credit to anonymous.
    - CVE-2016-1623: Same-origin bypass in DOM. Credit to Mariusz Mlynski.
    - CVE-2016-1624: Buffer overflow in Brotli. Credit to lukezli.
    - CVE-2016-1625: Navigation bypass in Chrome Instant. Credit to Jann
      Horn.
    - CVE-2016-1626: Out-of-bounds read in PDFium. Credit to anonymous.
    - CVE-2016-1627: Various fixes from internal audits, fuzzing and other
      initiatives.
    - CVE-2016-1628: Out-of-bounds read in PDFium.
      Credit to anonymous.
    - CVE-2016-1629: Same-origin bypass in Blink and Sandbox escape in
      Chrome. Credit to anonymous.

chromium-browser (48.0.2564.116-1~deb8u1) jessie-security; urgency=medium
  .
  * New stable security release:
    - CVE-2016-1622: Same-origin bypass in Extensions. Credit to anonymous.
    - CVE-2016-1623: Same-origin bypass in DOM. Credit to Mariusz Mlynski.
    - CVE-2016-1624: Buffer overflow in Brotli. Credit to lukezli.
    - CVE-2016-1625: Navigation bypass in Chrome Instant. Credit to Jann
      Horn.
    - CVE-2016-1626: Out-of-bounds read in PDFium. Credit to anonymous.
    - CVE-2016-1627: Various fixes from internal audits, fuzzing and other
      initiatives.
    - CVE-2016-1628: Out-of-bounds read in PDFium. Credit to anonymous.
    - CVE-2016-1629: Same-origin bypass in Blink and Sandbox escape in
      Chrome. Credit to anonymous.

chromium-browser (48.0.2564.82-2) unstable; urgency=medium
  .
  * Build with gcc instead of clang.
  * Use ld.gold to avoid memory exhaustion while linking (closes: #812569).

chromium-browser (48.0.2564.82-1) unstable; urgency=medium
  .
  * New upstream stable release:
    - CVE-2016-1612: Bad cast in V8. Credit to cloudfuzzer.
    - CVE-2016-1613: Use-after-free in PDFium. Credit to anonymous.
    - CVE-2016-1614: Information leak in Blink. Credit to Christoph Diehl.
    - CVE-2016-1615: Origin confusion in Omnibox. Credit to Ron Masas.
    - CVE-2016-1616: URL Spoofing. Credit to Luan Herrera.
    - CVE-2016-1617: History sniffing with HSTS and CSP. Credit to jenuis.
    - CVE-2016-1618: Weak random number generator in Blink. Credit to Aaron
      Toponce.
    - CVE-2016-1619: Out-of-bounds read in PDFium. Credit to Keve Nagy.
    - CVE-2016-1620: Various fixes from internal audits, fuzzing and other
      initiatives.
    - Multiple vulnerabilities in V8 fixed at the tip of the 4.8 branch
      (currently 4.8.271.17).

chromium-browser (48.0.2564.82-1~deb8u1) jessie-security; urgency=medium
  .
  * New upstream stable release:
    - CVE-2016-1612: Bad cast in V8. Credit to cloudfuzzer.
    - CVE-2016-1613: Use-after-free in PDFium.
      Credit to anonymous.
    - CVE-2016-1614: Information leak in Blink. Credit to Christoph Diehl.
    - CVE-2016-1615: Origin confusion in Omnibox. Credit to Ron Masas.
    - CVE-2016-1616: URL Spoofing. Credit to Luan Herrera.
    - CVE-2016-1617: History sniffing with HSTS and CSP. Credit to jenuis.
    - CVE-2016-1618: Weak random number generator in Blink. Credit to Aaron
      Toponce.
    - CVE-2016-1619: Out-of-bounds read in PDFium. Credit to Keve Nagy.
    - CVE-2016-1620: Various fixes from internal audits, fuzzing and other
      initiatives.
    - Multiple vulnerabilities in V8 fixed at the tip of the 4.8 branch
      (currently 4.8.271.17).
  * Use ld.gold to avoid memory exhaustion while linking (closes: #812569).

chromium-browser (48.0.2564.23-1) experimental; urgency=medium
  .
  * New upstream beta release.

chromium-browser (47.0.2526.111-1) unstable; urgency=medium
  .
  * New upstream stable release:
    - Removes native_client/toolchain files introduced in the previous
      upstream version (closes: #807973)
  * Drop libssl-dev build dependency.
  * Migrate to dbgsym debug packages.
  * Recommend fonts-liberation (closes: #808106).

chromium-browser (47.0.2526.80-3) unstable; urgency=medium
  .
  * Drop change to the fullscreen UI (closes: #808076).
  * Fix installation of the English language pak (closes: #808046).
  * Avoid symbol conflicts between the jpeg library embedded in pdfium and
    the system jpeg library (closes: #794031).

chromium-browser (47.0.2526.80-2) unstable; urgency=medium
  .
  * Greatly simplify the arch:all build.
  * Don't hide the UI in fullscreen mode.
  * Ignore the GPU blacklist (closes: #802933).
  * Fix WMClass in the desktop launcher (closes: #803989).
  * Set the correct file name for the desktop launcher (closes: #806402).

chromium-browser (47.0.2526.80-1) unstable; urgency=medium
  .
  * New upstream stable release:
    - Multiple vulnerabilities fixed in libv8 4.7.80.23.
    - CVE-2015-6788: Type confusion in extensions. Credit to anonymous.
    - CVE-2015-6789: Use-after-free in Blink. Credit to cloudfuzzer.
    - CVE-2015-6790: Escaping issue in saved pages. Credit to Inti De
      Ceukelaire.
    - CVE-2015-6791: Various fixes from internal audits, fuzzing and other
      initiatives.
  * Add support for ffmpeg 2.9 (closes: #803806).
  * Disable accelerated video decoding (closes: #804901).

cinnamon-settings-daemon (2.2.4.repack-7+deb8u1) stable; urgency=medium
  .
  * Add debian/patches/csd-datetime-polkit-auth to fix a minor security bug.
    http://www.openwall.com/lists/oss-security/2015/10/28/3

clamav (0.99+dfsg-0+deb8u2) stable; urgency=medium
  .
  * Add libclamav-yara-avoid-unaliged-access-to-64bit-variab.patch to get
    the testsuite passed on sparc. It also seems to avoid invalid loads on
    ARMv5 cpus.

clamav (0.99+dfsg-0+deb8u1) stable; urgency=medium
  .
  [ Andreas Cadhalpun ]
  * Import final release of 0.99
  * Drop patches included upstream:
    - Avoid-emitting-incremental-progress-messages.patch
    - bb-10731-Allow-to-specificy-a-group-for-the-socket.patch
    - clamav-milter-add-additinal-SMFIF_-flags.patch
    - remove-unnecessary-harmful-flags-from-libclamav.pc.patch
    - hardcode-LLVM-linker-flag.patch
  * Print all new options in one build attempt.
  * Preserve new OnAccessMountPath, OnAccessDisableDDD and
    OnAccessPrevention options in clamd.conf.
  * Rename libclamav6 to libclamav7 and update symbols file.
  * Add -Wl,--as-needed to LDFLAGS to avoid useless dependencies.
  * Remove unused lintian overrides.
  * Update debian/copyright.
  * Drop patch numbers, because they cause too much diff noise.
  * Add patch to support LLVM 3.6.
  * debian/clamav-milter.postinst.in: Update to reflect the change from
    examples/clamav-milter.conf to examples/clamav-milter.conf.sample.
    Thanks to Christian Schrötter. (Closes: #795190)
  * Use 'grep -a' instead of grep in maintainer scripts. (Closes: #799808)
  * Restore the SE Linux context when creating /var/lib/ucf/cache.
    Thanks to Russell Coker for the patch. (Closes: #802311)
  * Adapt debian/watch to new download location
    www.clamav.net/download.html.
  * Prevent the logrotate scripts from aborting if reloading/restarting
    fails. Thanks to John Zaitseff. (Closes: #788652)
  * Increase MaxRecursion to the upstream default of 16. (Closes: #787249)
  * Bump the version for the PidFile removal check in the clamav-daemon and
    clamav-freshclam postinst scripts (Closes: #767353)
  * Add database existence check also to clamav-daemon.socket.
    This works around systemd bug #775458. (Closes: #775112)
  .
  [ Sebastian Andrzej Siewior ]
  * suggest libclamunrar7 instead of libclamunrar6
  * use T= so we can drop
    unit_tests-increment-test-timeout-from-40secs-to-5mi from the patch
    queue.
  * depend on libpcre3-dev, required for YARA support
  * add new PCRE related options postinst script for clamd
  * record new symbols in libclamav6.symbols
  * also remove debian/clamav-freshclam.prerm clean
  * Remove Fix-compiling-on-Hurd.patch included upstream.
  * Add patch to allow M suffix for PCREMaxFileSize as the config file
    suggests that this should be possible.
  * Cherry pick tfm-fix-compile-errors.patch from tfm upstream.
  * add a LFS safe fts() implementation from glibc

clamav (0.99+dfsg-0+deb7u2) oldstable; urgency=medium
  .
  * Add libclamav-yara-avoid-unaliged-access-to-64bit-variab.patch to get
    the testsuite passed on sparc. It also seems to avoid invalid loads on
    ARMv5 cpus.

clamav (0.99+dfsg-0+deb7u1) oldstable; urgency=medium
  .
  [ Andreas Cadhalpun ]
  * Import final release of 0.99
  * Drop patches included upstream:
    - bb-10731-Allow-to-specificy-a-group-for-the-socket.patch
    - clamav-milter-add-additinal-SMFIF_-flags.patch
    - remove-unnecessary-harmful-flags-from-libclamav.pc.patch
    - hardcode-LLVM-linker-flag.patch
  * Print all new options in one build attempt.
  * Preserve new OnAccessMountPath, OnAccessDisableDDD and
    OnAccessPrevention options in clamd.conf.
  * Rename libclamav6 to libclamav7 and update symbols file.
  * Add -Wl,--as-needed to LDFLAGS to avoid useless dependencies.
  * Remove unused lintian overrides.
  * Update debian/copyright.
  * Drop patch numbers, because they cause too much diff noise.
  * Add patch to support LLVM 3.6.
  * Add patch to support system tomsfastmath.
  * debian/clamav-milter.postinst.in: Update to reflect the change from
    examples/clamav-milter.conf to examples/clamav-milter.conf.sample.
    Thanks to Christian Schrötter. (Closes: #795190)
  * Use 'grep -a' instead of grep in maintainer scripts. (Closes: #799808)
  * Restore the SE Linux context when creating /var/lib/ucf/cache.
    Thanks to Russell Coker for the patch. (Closes: #802311)
  * Adapt debian/watch to new download location
    www.clamav.net/download.html.
  * Prevent the logrotate scripts from aborting if reloading/restarting
    fails. Thanks to John Zaitseff. (Closes: #788652)
  * Increase MaxRecursion to the upstream default of 16. (Closes: #787249)
  * Move the PidFile variable from the clamd/freshclam configuration files
    to the init scripts. This makes the init scripts more robust against
    misconfiguration and avoids error messages with systemd.
    (Closes: #767353)
  * Bump the version for the PidFile removal check in the clamav-daemon and
    clamav-freshclam postinst scripts (Closes: #767353)
  * Rename DEBCONFILE to DEBCONFFILE in clamav-freshclam.postinst making it
    consistent with the other postinst scripts.
  * Use pathfind to avoid hardcoding paths. This fixes
    command-with-path-in-maintainer-script lintian warnings.
  .
  [ Sebastian Andrzej Siewior ]
  * suggest libclamunrar7 instead of libclamunrar6
  * use T= so we can drop
    unit_tests-increment-test-timeout-from-40secs-to-5mi from the patch
    queue.
  * depend on libpcre3-dev, required for YARA support
  * add new PCRE related options postinst script for clamd
  * record new symbols in libclamav6.symbols
  * also remove debian/clamav-freshclam.prerm clean
  * Remove Fix-compiling-on-Hurd.patch included upstream.
  * Add patch to allow M suffix for PCREMaxFileSize as the config file
    suggests that this should be possible.
  * Cherry pick tfm-fix-compile-errors.patch from tfm upstream.
  * add a LFS safe fts() implementation from glibc
  * Drop __DATE__ from tfm to make the package build reproducible with
    -Werror=date-time. With this change faketime is no longer required.

clamav (0.99+dfsg-0+deb6u1) squeeze-lts; urgency=medium
  .
  [ Andreas Cadhalpun ]
  * Import final release of 0.99
  * Drop patches included upstream:
    - bb-10731-Allow-to-specificy-a-group-for-the-socket.patch
    - clamav-milter-add-additinal-SMFIF_-flags.patch
    - remove-unnecessary-harmful-flags-from-libclamav.pc.patch
    - hardcode-LLVM-linker-flag.patch
  * Print all new options in one build attempt.
  * Preserve new OnAccessMountPath, OnAccessDisableDDD and
    OnAccessPrevention options in clamd.conf.
  * Rename libclamav6 to libclamav7 and update symbols file.
  * Add -Wl,--as-needed to LDFLAGS to avoid useless dependencies.
  * Remove unused lintian overrides.
  * Update debian/copyright.
  * Drop patch numbers, because they cause too much diff noise.
  * Add patch to support LLVM 3.6.
  * Add patch to support system tomsfastmath.
  * debian/clamav-milter.postinst.in: Update to reflect the change from
    examples/clamav-milter.conf to examples/clamav-milter.conf.sample.
    Thanks to Christian Schrötter. (Closes: #795190)
  * Use 'grep -a' instead of grep in maintainer scripts. (Closes: #799808)
  * Restore the SE Linux context when creating /var/lib/ucf/cache.
    Thanks to Russell Coker for the patch. (Closes: #802311)
  * Adapt debian/watch to new download location
    www.clamav.net/download.html.
  * Prevent the logrotate scripts from aborting if reloading/restarting
    fails. Thanks to John Zaitseff. (Closes: #788652)
  * Increase MaxRecursion to the upstream default of 16. (Closes: #787249)
  * Rename DEBCONFILE to DEBCONFFILE in clamav-freshclam.postinst making it
    consistent with the other postinst scripts.
  * Use pathfind to avoid hardcoding paths. This fixes
    command-with-path-in-maintainer-script lintian warnings.
  .
  [ Sebastian Andrzej Siewior ]
  * suggest libclamunrar7 instead of libclamunrar6
  * use T= so we can drop
    unit_tests-increment-test-timeout-from-40secs-to-5mi from the patch
    queue.
  * depend on libpcre3-dev, required for YARA support
  * add new PCRE related options postinst script for clamd
  * record new symbols in libclamav6.symbols
  * also remove debian/clamav-freshclam.prerm clean
  * Remove Fix-compiling-on-Hurd.patch included upstream.
  * Add patch to allow M suffix for PCREMaxFileSize as the config file
    suggests that this should be possible.
  * Cherry pick tfm-fix-compile-errors.patch from tfm upstream.
  * add a LFS safe fts() implementation from glibc
  * Drop __DATE__ from tfm to make the package build reproducible with
    -Werror=date-time. With this change faketime is no longer required.
  .
  [ Scott Kitterman ]
  * Drop build-dep on llvm-dev since squeeze version is too old to use
  * Manually autoreconf since squeeze tools are too old for dh-autoreconf
    to be reliable

clamav (0.99~rc2+dfsg-2) experimental; urgency=medium
  .
  * Drop LLVM usage on powerpc (it is broken since the v3.6 switch).

clamav (0.99~rc2+dfsg-1) experimental; urgency=medium
  .
  [ Andreas Cadhalpun ]
  * Import first upstream release candidate for 0.99.
  * Drop patches included upstream:
    - Avoid-emitting-incremental-progress-messages.patch
    - bb-10731-Allow-to-specificy-a-group-for-the-socket.patch
    - clamav-milter-add-additinal-SMFIF_-flags.patch
    - remove-unnecessary-harmful-flags-from-libclamav.pc.patch
    - hardcode-LLVM-linker-flag.patch
  * Disable Large File Support because it is incompatible with fts.h, which
    is required by the new upstream release.
  * Drop patches needing LFS:
    - libclamav-use-libmspack.patch
    - fix-ssize_t-size_t-off_t-printf-modifier.patch
  * Disable valgrind in the test suite again. It is too flaky.
  * Print all new options in one build attempt.
  * Preserve new OnAccessMountPath, OnAccessDisableDDD and
    OnAccessPrevention options in clamd.conf.
  * Rename libclamav6 to libclamav7 and update symbols file.
  * Add -Wl,--as-needed to LDFLAGS to avoid useless dependencies.
  * Remove unused lintian overrides.
  * Update debian/copyright.
  .
  [ Sebastian Andrzej Siewior ]
  * add a LFS safe fts() implementation from glibc
  * bring back libmspack related patches (libclamav-use-libmspack.patch +
    fix-ssize_t-size_t-off_t-printf-modifier.patch) and
    -D_FILE_OFFSET_BITS=64
  * fix a crash in clamdscan if file is passed via fd
  * Import second upstream release candidate for 0.99.

clamav (0.99~beta1+dfsg-1) experimental; urgency=medium
  .
  * use T= so we can drop
    unit_tests-increment-test-timeout-from-40secs-to-5mi from the patch
    queue.
  * import new beta from upstream
  * depend on libpcre3-dev, required for YARA support
  * add new PCRE related options postinst script for clamd
  * record new symbols in libclamav6.symbols
  * enable valgrind in the test suite and see how well it works across all
    architectures.

clamav (0.98.7+dfsg-5) unstable; urgency=medium
  .
  [ Andreas Cadhalpun ]
  * Drop patch numbers, because they cause too much diff noise.
  * Fix use-pkg-config-to-determine-CHECK_LIBS.patch so that the tests
    actually get run again.
  .
  [ Sebastian Andrzej Siewior ]
  * Drop LLVM usage on powerpc (it is broken since the v3.6 switch).

clamav (0.98.7+dfsg-4) unstable; urgency=medium
  .
  * Add patch to support LLVM 3.6.
  * debian/clamav-milter.postinst.in: Update to reflect the change from
    examples/clamav-milter.conf to examples/clamav-milter.conf.sample.
    Thanks to Christian Schrötter. (Closes: #795190)
  * Use 'grep -a' instead of grep in maintainer scripts. (Closes: #799808)
  * Restore the SE Linux context when creating /var/lib/ucf/cache.
    Thanks to Russell Coker for the patch. (Closes: #802311)
  * Adapt debian/watch to new download location
    www.clamav.net/download.html.
  * Add patch to use pkg-config to determine CHECK_LIBS. The linker flags
    for check changed making the hardcoded flags useless.

clamav (0.98.7+dfsg-3) unstable; urgency=medium
  .
  [ Sebastian Andrzej Siewior ]
  * use T= so we can drop
    unit_tests-increment-test-timeout-from-40secs-to-5mi from the patch
    queue.
  * add 0013-tfm-fix-compile-errors.patch and
    0014-tfm-duct-tape-misscompile-on-armhf.patch to get it built on armhf
    with gcc-5.
  .
  [ Andreas Cadhalpun ]
  * Prevent the logrotate scripts from aborting if reloading/restarting
    fails. Thanks to John Zaitseff. (Closes: #788652)

clamav (0.98.7+dfsg-2) unstable; urgency=medium
  .
  [ Andreas Cadhalpun ]
  * Increase MaxRecursion to the upstream default of 16. (Closes: #787249)
  * Bump the version for the PidFile removal check in the clamav-daemon and
    clamav-freshclam postinst scripts (Closes: #767353)
  * Add database existence check also to clamav-daemon.socket.
    This works around systemd bug #775458. (Closes: #775112)
  .
  [ Sebastian Andrzej Siewior ]
  * also remove debian/clamav-freshclam.prerm clean

clamav (0.98.7+dfsg-1) unstable; urgency=high
  .
  [ Andreas Cadhalpun ]
  * Use SocketUser, SocketGroup and RemoveOnStop systemd socket options
    instead of using ExecStartPost and ExecStopPost for that.
  * Respect clamav-daemon's LocalSocket* options with the systemd unit by
    extending the clamav-daemon.socket file appropriately, when running
    dpkg-reconfigure clamav-daemon. (Closes: #783720)
  * Disable this extended configuration, when handling the configuration
    file with debconf is disabled.
  * Disable clamav-daemon.socket in prerm script.
  .
  [ Sebastian Andrzej Siewior ]
  * Import new upstream:
    - Improvements to PDF processing: decryption, escape sequence handling,
      and file property collection.
    - Scanning/analysis of additional Microsoft Office 2003 XML format.
    - Fix infinite loop condition on crafted y0da cryptor file. Identified
      and patch suggested by Sebastian Andrzej Siewior. CVE-2015-2221.
    - Fix crash on crafted petite packed file. Reported and patch supplied
      by Sebastian Andrzej Siewior. CVE-2015-2222.
    - Fix false negatives on files within iso9660 containers. This issue
      was reported by Minzhuan Gong.
    - Fix a couple crashes on crafted upack packed file. Identified and
      patches supplied by Sebastian Andrzej Siewior.
    - Fix a crash during algorithmic detection on crafted PE file.
      Identified and patch supplied by Sebastian Andrzej Siewior.
    - Fix an infinite loop condition on a crafted "xz" archive file. This
      was reported by Dimitri Kirchner and Goulven Guiheux. CVE-2015-2668.
    - Fix compilation error after ./configure --disable-pthreads. Reported
      and fix suggested by John E. Krokes.
    - Apply upstream patch for possible heap overflow in Henry Spencer's
      regex library. CVE-2015-2305 (Closes: #778406).
    - Fix crash in upx decoder with crafted file. Discovered and patch
      supplied by Sebastian Andrzej Siewior. CVE-2015-2170.
    - Fix segfault scanning certain HTML files. Reported with sample by
      Kai Risku.
    - Improve detections within xar/pkg files.
  * update GPG key used to verify releases to get uscan/get_orig.sh working
    again.
  * update symbol version for cl_retflevel due to CL_FLEVEL change.

claws-mail (3.11.1-3+deb8u1) jessie-security; urgency=medium
  .
  * Non-maintainer upload (with maintainer approval)
  * Add range checks to functions converting between Japanese text
    encodings (CVE-2015-8614, CVE-2015-8708)

conkeror (1.0~~pre-1+git141025-1+deb8u1) jessie; urgency=medium
  .
  * Cherry-pick 6906955e from upstream master branch to fix matching of
    module load error messages to work with Firefox 36 and later (including
    the ESR release 38.x in Debian Jessie). (Closes: #795597)

cpio (2.11+dfsg-4.1+deb8u1) jessie-security; urgency=high
  .
  * Non-maintainer upload by the Security Team.
  * CVE-2016-2037: 1-byte out-of-bounds write (Closes: #812401)

ctdb (2.5.4+debian0-4+deb8u1) jessie-security; urgency=high
  .
  * Fix CTDB behavior since CVE-2015-8543 (Closes: #813406)

curl (7.38.0-4+deb8u3) jessie-security; urgency=medium
  .
  * Fix NTLM credentials not-checked for proxy connection re-use as per
    CVE-2016-0755 http://curl.haxx.se/docs/adv_20160127A.htm

debian-installer-netboot-images (20150422+deb8u3.b1) jessie; urgency=medium
  .
  * Update to 20150422+deb8u3+b1 images, from jessie-proposed-updates

didiwiki (0.5-11+deb8u1) jessie-security; urgency=high
  .
  * NMU by the Security Team; thanks to Ignace Mouzannar and Alexander
    Izmailov for providing the patch for CVE-2013-7448, correcting a major
    security issue allowing didiwiki to display any file on the filesystem.
    (Closes: #815111)

didiwiki (0.5-11+deb7u1) wheezy-security; urgency=high
  .
  * NMU by the Security Team; thanks to Ignace Mouzannar and Alexander
    Izmailov for providing the patch for CVE-2013-7448, correcting a major
    security issue allowing didiwiki to display any file on the filesystem.
    (Closes: #815111)

dolibarr (3.5.5+dfsg1-1+deb8u1) jessie; urgency=high
  .
  * Fix CVE-2016-1912 (Closes: #812496)
  * Fix CVE-2015-8685 (Closes: #812449)
  * Fix CVE-2015-3935 (Closes: #787762)

drupal7 (7.32-1+deb8u6) stable-security; urgency=high
  .
  * Backported from 7.43 (plus minor needed bits from 7.36 and 7.30 in
    modules/file/file.module):
    SA-CORE-2016-001: Fixes several security vulnerabilities:
    + File upload access bypass and DoS
    + Brute force amplification attack via XML-RPC
    + Open redirect via path manipulation
    + Reflected file download
    + Wrong modes set on some user accounts setting saves
    + Information disclosure of email addresses
    CVE IDs not yet assigned

ecryptfs-utils (103-5+deb8u1) jessie-security; urgency=high
  .
  * Non-maintainer upload by the Security Team.
  * CVE-2016-1572: privilege escalation by mounting over /proc/$pid.

espeakup (1:0.71-19+deb8u1) jessie; urgency=medium
  .
  * espeakup-udeb.restart:
    - Make looking up available languages independent from file hierarchy,
      thus fixing all language (but de, en, fr, pt which were still
      working)... This also allows dropping special-casing nb into no.
    - Use portuguese for galician, since they are so close, and portuguese
      will always be better than english anyway.
  * synth.c: Fix looking up voices by language name.

exactimage (0.8.9-7+deb8u2) jessie; urgency=high
  .
  * debian/patches:
    - Add Fix-CVE-2015-8366-Index-overflow-in-smal_decode_segment.patch,
      Fix CVE-2015-8366: Index overflow in smal_decode_segment

exim4 (4.84.2-1) jessie-security; urgency=high
  .
  * New upstream security release.
    + Fix CVE-2016-1531, a local privilege escalation issue when
      perl_startup is used.
    + New options keep_environment/add_environment which are empty by
      default, i.e. any subprocesses start in a clean (empty) environment.
    + -C requires an absolute path.
    + Exim changes its working directory to / right after startup.
  * Add macros MAIN_KEEP_ENVIRONMENT and MAIN_ADD_ENVIRONMENT to set the new
    options. Set "keep_environment =" by default to avoid a runtime
    warning. Bump exim4-config Breaks to exim4-daemon-* (<< 4.84.2).
  * 89_01_only_warn_on_nonempty_environment.diff,
    89_02_Store-the-initial-working-directory.diff: Upstream followups on
    the CVE fix (Thanks, Heiko Schlittermann!):
    + Runtime warning is only generated if (and only if) keep_environment
      is unset and environment is nonempty.
    + Store the initial working directory and make it available in the new
      expansion variable $initial_cwd.
  * Add NEWS entry to warn of potential breakage.

fglrx-driver (1:15.9-4~deb8u2) jessie; urgency=medium
  .
  * libfglrx-amdxvba1: Add Breaks+Replaces: xvba-va-driver (<< 0.8.0-9+deb)
    since we now ship fglrx_drv_video.so and xvba_drv_video.so.
    (Closes: #813427)

flash-kernel (3.35+deb8u3) stable; urgency=medium
  .
  [ Karsten Merker ]
  * Disable the use of modprobe and udevadm in the mtdblock() function
    while running the testsuite.
  .
  [ Ian Campbell ]
  * Use /dev/mtdN when flashing, rather than needlessly going through the
    mtdblock layer (which is problematic on some platforms/kernels).
    (Closes: #794265)
  .
  [ Uwe Kleine-König ]
  * use nandwrite when writing to nand flash.
    (Closes: #813995)

fonts-sil-andika (1.004-2+deb8u2) stable; urgency=medium

  * Correct conffile removal rule for /etc/fonts/conf.avail/65-andika.conf. Remove for packages before 1.004-2+deb8u2~.

fonts-sil-andika (1.004-2+deb8u1) stable; urgency=low

  * Backport fix from unstable.
  * really remove 65-andika.conf, Closes: #768232, #766055
    delete d/links with useless symlink
    d/maintscript to remove 65-andika.conf

fuse (2.9.3-15+deb8u2) jessie-security; urgency=high

  * Fix permissions on cuse character device to be accessible by root only.

gajim (0.16-1+deb8u1) jessie-security; urgency=high

  * debian/patches/fix-cve-2015-8688.patch: backport a fix for CVE-2015-8688.

giflib (4.1.6-11+deb8u1) stable-proposed-updates; urgency=medium

  * Non-maintainer upload by the LTS Security Team.
  * CVE-2015-7555: bail out if Width > SWidth. Cherry-picked upstream commit 179510be300bf11115e37528d79619b53c884a63 (Closes: #808704)

git (1:2.1.4-2.1+deb8u2) jessie-security; urgency=high

  * Non-maintainer upload by the Security Team.
  * Fix remote code execution via buffer overflows (CVE-2016-2315, CVE-2016-2324) (Closes: #818318)

glibc (2.19-18+deb8u4) stable; urgency=medium

  [ Aurelien Jarno ]
  * Update from upstream stable branch:
    - Fixes bug18240 failing with a timeout on machines with a lot of swap.
  * patches/any/cvs-grantpt-pty-owner.diff: new patch from upstream to improve grantpt when /dev/pts is not mounted with the correct options.
  * rules.d/debhelper.mk: only install pt_chown when built.
  * sysdeps/linux.mk: don't build pt_chown (CVE-2013-2207). Closes: #717544.

glibc (2.19-18+deb8u3) stable-security; urgency=medium

  [ Aurelien Jarno ]
  * Update from upstream stable branch:
    - Fix segmentation fault caused by passing out-of-range data to strftime() (CVE-2015-8776). Closes: #812445.
    - Fix an integer overflow in hcreate() and hcreate_r() (CVE-2015-8778). Closes: #812441.
    - Fix multiple unbounded stack allocations in catopen() (CVE-2015-8779). Closes: #812455.
  * patches/any/local-CVE-2015-7547.diff: new patch to fix glibc getaddrinfo stack-based buffer overflow (CVE-2015-7547).

gnome-shell-extension-weather (0~20151125.gitccaa1eb-1~deb8u1) jessie; urgency=medium

  * New upstream snapshot.
    + Compatible with the new API of openweathermap.org. (Closes: #804505)
    + No need to manually enter an API key, since this release ships with a default one. This restores the behavior of the applet that was effective by the time of the jessie release.
  * Drop d/p/missing-api-key.patch. No longer needed, since this new release ships with a default API key.
  * d/copyright: reflect upstream changes.

gnome-shell-extension-weather (0~20151023.git34aa242-1) unstable; urgency=medium

  * New upstream snapshot.
    + Now warns about missing API key. (Closes: #801979)

gnome-shell-extension-weather (0~20151003.git339ec8a-1) unstable; urgency=medium

  * New upstream snapshot.
  * d/control: this release is compatible with GNOME 3.18.
  * d/copyright: reflect upstream changes.
  * d/NEWS: fix urgency of latest entry to make lintian happy.

gnome-shell-extension-weather (0~20150615.git0162cf7-1) unstable; urgency=medium

  * New upstream snapshot. Compatible with GNOME Shell 3.16. (Closes: #788789)

gnupg (1.4.18-7+deb8u1) stable; urgency=medium

  [ Jonathan McDowell ]
  * Import upstream bugfix for handling unknown subkey types (Closes: #787046)

graphite2 (1.3.6-1~deb8u1) stable-security; urgency=high

  * rebuild for stable-security
  * revert ddeb-migration

graphite2 (1.3.5-1) unstable; urgency=medium

  * New upstream release

graphite2 (1.3.5-1~deb8u1) stable-security; urgency=high

  * rebuild for stable-security
  * revert ddeb-migration

graphite2 (1.3.5-1~deb7u1) oldstable-security; urgency=high

  * rebuild for oldstable-security
  * revert ddeb-migration
  * revert package rename to -3 and go back to -2.0.0 to avoid changing the package name (ABI compatibility is there). Also add patch to revert back to .so.2.0.0 as SONAME.

graphite2 (1.3.4-2) unstable; urgency=medium

  * debian/patches/revert-collision-info-refactoring-to-fix-alignment.diff: add from upstream git, thanks Tim Eves (closes: #805323)
  * debian/patches/reproducible-build.diff: tell dblatex to use a static path to make build reproducible, thanks Reiner Herrmann (closes: #807838)
  * use -DGRAPHITE2_NTRACING:BOOL=ON (instead of :bool=1)
  * fix Maintainer:
  * migrate from manual -dbg to ddeb

graphite2 (1.3.4-1) unstable; urgency=medium

  * New upstream release

graphite2 (1.3.3-1) unstable; urgency=medium

  * New upstream release

graphite2 (1.3.2-4) unstable; urgency=medium

  * upload to unstable

  * add graphviz to B-D-I...

graphite2 (1.3.2-3) experimental; urgency=medium

  * don't run dh_auto_install when ./build/src/libgraphite2.so.3 doesn't exist (as for dh_auto_test) so that we don't run a graphite build after building the docs (as make install of course requires that). Install the docs manually using .install

graphite2 (1.3.2-2) experimental; urgency=medium

  * check for existence of ./build/src/libgraphite2.so.3 before running dh_auto_test to skip the tests on "all" builds where we don't build graphite at all.

graphite2 (1.3.2-1) experimental; urgency=medium

  * New upstream release

  * use --parallel in dh_auto_build (not in docs build and tests; the former doesn't build with parallelism)
  * Standards-Versions: 3.9.1 -> 3.9.6, no changes needed

graphite2 (1.3.0-2) experimental; urgency=medium

  * backport fixes from http://hg.palaso.org/graphitedev/raw-rev/cfab7499b46b:
    - fix tests on !linux (closes: #79499)
    - increase test timeout from 10s to 120s to make them succeed on mips(el)

graphite2 (1.3.0-1) experimental; urgency=medium

  * New upstream release

gtk+2.0 (2.24.25-3+deb8u1) jessie; urgency=medium

  * CVE-2013-7447 (Closes: #799275)

gummi (0.6.5-3+deb8u2) stable; urgency=medium

  * no-predictable-tmpfiles.patch: use upstream fix (Closes: #812577).

iceweasel (38.7.1esr-1~deb8u1) stable-security; urgency=medium

  * New upstream release.
    - Disables Graphite font shaping library.

iceweasel (38.7.0esr-1~deb8u1) stable-security; urgency=medium

  * New upstream release.
  * Fixes for mfsa2016-{16-17,20-21,23-25,27-28,31,34-35,37}, also known as: CVE-2016-1952, CVE-2016-1954, CVE-2016-1957, CVE-2016-1958, CVE-2016-1960, CVE-2016-1961, CVE-2016-1962, CVE-2016-1964, CVE-2016-1965, CVE-2016-1966, CVE-2016-1974, CVE-2016-1950, CVE-2016-1977, CVE-2016-2790, CVE-2016-2791, CVE-2016-2792, CVE-2016-2793, CVE-2016-2794, CVE-2016-2795, CVE-2016-2796, CVE-2016-2797, CVE-2016-2798, CVE-2016-2799, CVE-2016-2800, CVE-2016-2801, CVE-2016-2802.

iceweasel (38.6.1esr-1~deb8u1) stable-security; urgency=medium

  * New upstream release.
  * Fixes for mfsa2016-14, also known as CVE-2016-1523.

iceweasel (38.6.0esr-1~deb8u1) stable-security; urgency=medium

  * New upstream release.
  * Fixes for mfsa2016-{01,03}, also known as: CVE-2016-1930, CVE-2016-1935.

iceweasel (38.5.0esr-1) unstable; urgency=medium

  * New upstream release.
  * Fixes for mfsa2015-{134,138-139,145-147,149}, also known as: CVE-2015-7201, CVE-2015-7210, CVE-2015-7212, CVE-2015-7205, CVE-2015-7213, CVE-2015-7222, CVE-2015-7214.

  * debian/rules: Follow upstream default for Gtk+2 vs. Gtk+3 automatically.
  * debian/watch: Update file to use https://archive.mozilla.org/.

imagemagick (8:6.8.9.9-5+deb8u1) stable; urgency=medium

  * Fix build on mips by printing progress (Closes: #770009).
  * Fix a few security bugs:
    - A DOS on specially crafted MIFF file.
    - A DOS on specially crafted Vicar file.
    - A DOS on specially crafted HDR file.
    - A DOS on specially crafted PDB file.
    - Fix a Null dereference in coders/png.c (LP: #1492881).
    - Fix a double free in coders/tga.c (LP: #1490362).
    - Avoid a DOS for RLE file.
    - Avoid a buffer overflow by using field limit in sprintf.
    - Avoid a stack overflow in fx handling.
    - Fixed size of memory allocation in RLE coder to avoid segfault (LP: #1496649).
    - Add extra checks to avoid out of bounds error when parsing the 8bim profile.
      (LP: #1496645).
    - Fixed memory leak when reading incorrect PSD files (closes: #811308) http://www.imagemagick.org/discourse-server/viewtopic.php?f=3&t=28791
    - Fix PixelColor off by one on i386. (closes: #811308) https://github.com/ImageMagick/ImageMagick/issues/54
    - Fix out of bounds error in -splice operator.
    - Prevent null pointer access in magick/constitute.c (closes: #811308) https://github.com/ImageMagick/ImageMagick/pull/34
    - Fix another memory leak in string handling.
    - Fix an integer overflow that can lead to a buffer overrun in the icon parsing code (LP: #1459747, closes: #806441)
    - Fix an integer overflow that can lead to a double free in pict parsing (LP: #1448803, closes: #806441).

initramfs-tools (0.120+deb8u1) jessie; urgency=medium

  [ Ben Hutchings ]
  * [c367d7d] scripts/functions: Use shell to create stamp file instead of 'touch' (Closes: #783291)
  * [d22b95b] update-initramfs: Run 'sync' after writing the initramfs (Closes: #783620)
  * [c22cefe] hook-functions: Add support for nvme devices with MODULES=dep (Closes: #785147)
  * [e0b23a1] hook-functions: Add support for LVM/LUKS on mmcblk and nvme devices with MODULES=dep (Closes: #747871, #810808)
  * [0e905aa] scripts/functions: Fix fsck display options (Closes: #781239)

  [ Laurent Bigonville ]
  * [3c4b38a] Support fsck.mode= and fsck.repair= parameters as known by systemd-fsck (Closes: #783410, #792557)
  * [dcb0f0c] Run new panic scripts just before dropping to a shell (Closes: #602331)

  [ Boris Egorov ]
  * [2c82cf4] mkinitramfs: fix bashism in script (Closes: #633582)

  [ Andy Whitcroft ]
  * [97b664e] When adding i8042 also add psmouse as some keyboards are behind the mouse (Closes: #795839)

  [ Salvatore Bonaccorso ]
  * [71e5b62] scripts/nfs: Check return value from nfs_mount_root_impl (Closes: #782641)

inspircd (2.0.17-1+deb8u1) jessie-security; urgency=high

  * Non-maintainer upload by the Wheezy LTS Team.
  * Reject replies to DNS PTR requests that contain invalid characters (CVE-2015-8702)

installation-guide (20150423+deb8u2) jessie; urgency=medium

  [ Martin Michlmayr ]
  * Added QNAP TS-109, TS-209, TS-409 and TS-409U as supported models again.

jasper (1.900.1-debian1-2.4+deb8u1) jessie-security; urgency=high

  * Non-maintainer upload by the Security Team.
  * CVE-2016-1577: Prevent double-free in jas_iccattrval_destroy() (Closes: #816625)
  * CVE-2016-2089: matrix rows_ NULL pointer dereference in jas_matrix_clip() (Closes: #812978)
  * CVE-2016-2116: Prevent jas_stream_t memory leak in jas_iccprof_createfrombuf() (Closes: #816626)

krb5 (1.12.1+dfsg-19+deb8u2) jessie-security; urgency=high

  * Non-maintainer upload by the Security Team.
  * Verify decoded kadmin C strings [CVE-2015-8629]
    CVE-2015-8629: An authenticated attacker can cause kadmind to read beyond the end of allocated memory by sending a string without a terminating zero byte. Information leakage may be possible for an attacker with permission to modify the database. (Closes: #813296)
  * Check for null kadm5 policy name [CVE-2015-8630]
    CVE-2015-8630: An authenticated attacker with permission to modify a principal entry can cause kadmind to dereference a null pointer by supplying a null policy value but including KADM5_POLICY in the mask. (Closes: #813127)
  * Fix leaks in kadmin server stubs [CVE-2015-8631]
    CVE-2015-8631: An authenticated attacker can cause kadmind to leak memory by supplying a null principal name in a request which uses one. Repeating these requests will eventually cause kadmind to exhaust all available memory. (Closes: #813126)

libav (6:11.6-1~deb8u1) jessie-security; urgency=medium

  * New upstream release fixing multiple security issues.
    - concat: disable by default (CVE-2016-1897, CVE-2016-1898)
    - aac_parser: add required padding for GetBitContext buffer
    - ac3_parser: add required padding for GetBitContext buffer
    - imc: add required padding for GetBitContext buffer
    - h263: Always check both dimensions
    - opusdec: properly handle mismatching configurations in multichannel streams
    - mov: Correctly allocate ctts_data
    - aac: Wait to know the channels before allocating frame
    - rtpdec_asf: Check memory allocation and free memory on error
    - jack: Check memory allocation
    - mov: Check memory allocation
    - mkv: Correctly report the latest packet had been flushed
    - aic: Fix slice size computation for widths multiples of 32 macroblocks
    - webp: Make sure enough bytes are available
    - g726: Do not crash on user mistake
    - bytestream2: set the reader to the end when reading more than available
    - vp7: bound checking in vp7_decode_frame_header
    - mux: Make sure that the data is actually written
    - file: properly forward errors from file_read() and file_write()
    - mmvideo: Make sure the rle does not write over the frame boundaries
    - opus: Buffer the samples from the correct offset
    - nut: Use the correct codec_tag when multiple are available
    - truemotion2: Fix the buffer check
    - mimic: Always return on failure
    - msnwc_tcp: Correctly report failure
    - rpza: Check the blocks left before processing one
    - dvdsubdec: Validate the RLE offsets
    - avi: Validate the stream-id for DV as well
    - mov: Use the correct type for size
  * debian/confflags: Force --disable-protocol=concat.
  * debian/patches/CVE-2016-2326.patch: avformat/asfenc: Check pts. (CVE-2016-2326)

libav (6:11.4-2) unstable; urgency=medium

  * debian/*.lintian-overrides: Use architecture specific overrides to fix arch-dependent files in M-A: same package. (Closes: #787406)
  * debian/changelog: Wrap some lines at 80 characters to make lintian happy.

libav (6:11.4-1) unstable; urgency=high

  [ Reinhard Tartler ]
  * Bumped urgency because of two security patches, see below
  * Imported Upstream version 11.4
    - h264: Make sure reinit failures mark the context as not initialized (CVE-2015-3417)
    - msrle: Use FFABS to determine the frame size in msrle_decode_pal4 (CVE-2015-3395)
    - cavs: Remove an unneeded scratch buffer
    - configure: Disable i686 for i586 and lower CPUs (debian/783082)
    - mjpegenc: Fix JFIF header byte ordering (bug/808)
    - nut: Make sure to clean up on read_header failure
    - png: Set the color range as full range
    - avi: Validate sample_size
    - nut: Check chapter creation in decode_info_header
    - alac: Reject rice_limit 0 if compression is used
    - ape: Support _0000 files with nblock smaller than 64
    - mux: Do not leave stale side data pointers in ff_interleave_add_packet()
    - avresample: Reallocate the internal buffer to the correct size (bug/825)
    - mpegts: Update the PSI/SI table only if the version change
    - rtsp: Make sure we don't write too many transport entries into a fixed-size array
    - rtpenc_jpeg: Handle case of picture dimensions not dividing by 8
    - mov: Fix little endian audio detection
    - x86: Put COPY3_IF_LT under HAVE_6REGS (gentoo/541930)
    - roqvideoenc: set enc->avctx in roq_encode_init
    - mp3: Properly use AVCodecContext API
    - libvpx: Fix mixed use of av_malloc() and av_reallocp()
    - Revert "lavfi: always check av_expr_parse_and_eval() return value"
    - alsdec: only adapt order for positive max_order
    - alsdec: check sample pointer range in revert_channel_correlation
    - aacpsy: correct calculation of minath in psy_3gpp_init
    - alsdec: limit avctx->bits_per_raw_sample to 32
    - aasc: return correct buffer size from aasc_decode_frame
    - matroskadec: fix crash when parsing invalid mkv
    - avconv: do not overwrite the stream codec context for streamcopy
    - webp: ensure that each transform is only used once
    - h264_ps: properly check cropping parameters against overflow
    - hevc: zero the correct variables on invalid crop parameters
    - hevc: make the crop sizes
      unsigned
  * drop 01-configure-disable-i686-for-i586

  [ Sebastian Ramacher ]
  * debian/control:
    - Remove obsolete Breaks, Replaces and Conflicts.
    - Fix description to make lintian happy.
  * debian/rules:
    - Remove dh_builddeb compression override. This is the default since dpkg 1.17.0.
    - Use dh_installdocs to install documentation.
    - Use dh_minstallman to install manpages.
  * debian/{libav-tools.links,rules}: De-duplicate documentation
  * debian/*.lintian-overrides:
    - Install non-fpic code lintian overrides only for i386 packages.
  * debian/source/lintian-overrides: Removed obsolete lintian override.
  * debian/*.doc-base: Add more doc-base registrations
  * debian/copyright:
    - Remove files that no longer exist.
    - Update some copyright years.

libclamunrar (0.99-0+deb8u1) stable; urgency=medium

  [ Scott Kitterman ]
  * Correct debian/copyright to add missing copyright declarations/dates

  [ Sebastian Andrzej Siewior ]
  * Bumped standards version to 3.9.6 (no changes required).
  * Import new upstream. This is required because clamav's major .so version changed.
  * switch from libclamunrar6 to libclamunrar7
  * copy clamav's watch file
  * add pkg-config to dependencies so autoreconf does not break
  * don't link against libpcre if available.

libclamunrar (0.99-0+deb7u1) oldstable; urgency=medium

  [ Scott Kitterman ]
  * Correct debian/copyright to add missing copyright declarations/dates

  [ Sebastian Andrzej Siewior ]
  * Bumped standards version to 3.9.6 (no changes required).
  * Import new upstream. This is required because clamav's major .so version changed.
  * switch from libclamunrar6 to libclamunrar7
  * copy clamav's watch file
  * add pkg-config to dependencies so autoreconf does not break
  * don't link against libpcre if available.

libclamunrar (0.99-0+deb6u1) squeeze-lts; urgency=medium

  [ Scott Kitterman ]
  * Correct debian/copyright to add missing copyright declarations/dates
  * Manually autoreconf and add as patch since dh-autoreconf in squeeze is too old.

  [ Sebastian Andrzej Siewior ]
  * Bumped standards version to 3.9.6 (no changes required).
  * Import new upstream. This is required because clamav's major .so version changed.
  * switch from libclamunrar6 to libclamunrar7
  * copy clamav's watch file
  * add pkg-config to dependencies so autoreconf does not break
  * don't link against libpcre if available.

libdatetime-timezone-perl (1:1.75-2+2016c) jessie; urgency=medium

  * Update to Olson database version 2016c. Add patch debian/patches/olson-2016c, which updates the timezone *.pm files, using upstream's tools/parse_olson script. This update contains contemporary changes for Azerbaijan and Chile.

libdatetime-timezone-perl (1:1.75-2+2016b) jessie; urgency=medium

  * Update to Olson database version 2016b. Add patch debian/patches/olson-2016b, which updates the timezone *.pm files, using upstream's tools/parse_olson script. This update contains contemporary changes for Russia, Haiti, and Palestine.
  * Fix spelling of Chita in the previous changelog entry. Thanks to Stepan Golosunov for the bug report. (Closes: #813631)

libdatetime-timezone-perl (1:1.75-2+2016a) jessie; urgency=medium

  * Update to Olson database version 2016a. Add patch debian/patches/olson-2016a, which updates the timezone *.pm files, using upstream's tools/parse_olson script. This update contains contemporary changes for the Cayman Islands, Iran, and Chrita, Russia.

libgcrypt20 (1.6.3-2+deb8u1) jessie-security; urgency=high

  * Non-maintainer upload by the Security Team.
  * ecc: input validation on ECDH
  * ecc: Constant-time multiplication for Weierstrass curve (CVE-2015-7511)

libmatroska (1.4.1-2+deb8u1) jessie-security; urgency=high

  * Non-maintainer upload by the Wheezy LTS Team.
  * CVE-2015-8792: Fix invalid memory access issue. (patch taken from the squeeze version)

libotr (4.1.0-2+deb8u1) jessie-security; urgency=high

  * Non-maintainer upload by the Security Team.
  * CVE-2016-2851: Integer overflow on 64-bit architectures when receiving 4GB messages

librsvg (2.40.5-1+deb8u1) jessie; urgency=medium

  * Non-maintainer upload.
  * Fix CVE-2015-7557: Out-of-bounds heap read when parsing SVG file.

libsndfile (1.0.25-9.1+deb8u1) jessie; urgency=medium

  * Fix denial of service through division by zero (CVE-2014-9756) -> 03_file_io_divide_by_zero.diff (Closes: #804447)
  * Fix heap overflow in AIFF parser (CVE-2015-7805) -> 04_fix_aiff_heap_overflow.diff (Closes: #804445)

libssh (0.6.3-4+deb8u2) jessie-security; urgency=high

  * Non-maintainer upload by the Security Team.
  * CVE-2016-0739: Truncated Diffie-Hellman secret length (Closes: #815663)

libssh2 (1.4.3-4.1+deb8u1) jessie-security; urgency=high

  * Non-maintainer upload by the Security Team.
  * CVE-2016-0787: Truncated Diffie-Hellman secret length

libvirt (1.2.9-9+deb8u2) jessie; urgency=medium

  [ Philipp Hahn ]
  * [16e52e6] CVE-2015-5313: Don't allow '/' in filesystem volume (Closes: #808273)
  * [e69dd73] libvirt-daemon: Expect qemu-bridge-helper in /usr/lib/qemu like we fixed #790935 in sid. (Closes: #816602)

  [ Guido Günther ]
  * [72db643] Allow autopkg tests to print to stderr

libvirt (1.2.9-9+deb8u2~bpo70+1) wheezy-backports; urgency=medium

  * Rebuild for wheezy-backports.
  * Remaining changes:
    * [b46b754] Drop sheepdog support not available in Wheezy
    * [31a2113] Use libnl1 since libnetcf1 is linked against libnl1 in Wheezy. Also make sure we don't pick up libnetcf-dev using libnl3.
    * [4ca4854] Make sure the cgroup update notice is also shown in backports
    * [c5a59dd] Drop version in polkit-1 dependency. This reintroduces CVE-2013-4311 since we don't have a recent enough polkit-1 in wheezy.
    * [4db6aaa] Disable xenlight support not available in wheezy
    * [314c4aa] Use libgcrypt/gnutls versions from wheezy
    * [c0f79f1] gbp.conf: use wheezy-backports
    * [d20e1f7] autopkgtest: Remove allow-stderr restriction not present in wheezy.
      Therefore drop "-x" so we don't print to stderr.

libvirt (1.2.9-9+deb8u2) jessie; urgency=medium

  [ Philipp Hahn ]
  * [16e52e6] CVE-2015-5313: Don't allow '/' in filesystem volume (Closes: #808273)
  * [e69dd73] libvirt-daemon: Expect qemu-bridge-helper in /usr/lib/qemu like we fixed #790935 in sid. (Closes: #816602)

  [ Guido Günther ]
  * [72db643] Allow autopkg tests to print to stderr

libvirt (1.2.9-9+deb8u1) jessie; urgency=medium

  [ Guido Günther ]
  * [8e4cf5a] Teach virt-aa-helper to use TEMPLATE.qemu if the domain is kvm or kqemu. Thanks to Luke Faraone for the report (Closes: #786650)
  * [ad1ff0b] Adjust gbp.conf for jessie
  * [c830a54] Disable test suite due to libxml2 bug #781232 in jessie
  * [be70aec] Fix crash on live migration; this supplements 07dbec0a64783f644854a22aa0355720f0328d17. Thanks to Eckebrecht von Pappenheim (Closes: #788171)

  [ Felix Geyer ]
  * [9fb6c59] Allow access to libnl-3 configuration (Closes: #786652)

  [ intrigeri ]
  * Allow-access-to-libnl-3-config-files.patch: revert changes that are unrelated to the bug this patch is meant to fix.

  [ Daniel P. Berrange ]
  * [afae69a] Report original error when QMP probing fails with new QEMU (Closes: #780093)

linux (3.16.7-ckt25-1) jessie; urgency=medium

  * New upstream stable update:
    http://kernel.ubuntu.com/stable/ChangeLog-3.16.7-ckt21
    - irda: precedence bug in irlmp_seq_hb_idx()
    - macvtap: unbreak receiving of gro skb with frag list
    - RDS-TCP: Recover correctly from pskb_pull()/pksb_trim() failure in rds_tcp_data_recv
    - stmmac: Correctly report PTP capabilities.
    - ipmr: fix possible race resulting from improper usage of IP_INC_STATS_BH() in preemptible context.
    - sit: fix sit0 percpu double allocations
    - packet: race condition in packet_bind
    - net: avoid NULL deref in inet_ctl_sock_destroy()
    - net: fix a race in dst_release()
    - Failing to send a CLOSE if file is opened WRONLY and server reboots on a 4.x mount
    - [x86] xen: Do not clip xen_e820_map to xen_e820_map_entries when sanitizing map
    - HID: core: Avoid uninitialized buffer access
    - [media] v4l2-compat-ioctl32: fix alignment for ARM64
    - [armhf] net: mvneta: Fix CPU_MAP registers initialisation
    - mtd: mtdpart: fix add_mtd_partitions error path
    - [armel,armhf] 8426/1: dma-mapping: add missing range check in dma_mmap()
    - [armel,armhf] 8427/1: dma-mapping: add support for offset parameter in dma_mmap()
    - spi: ti-qspi: Fix data corruption seen on r/w stress test
    - lockd: create NSM handles per net namespace
    - Btrfs: fix file corruption and data loss after cloning inline extents
    - [armel,armhf] common: edma: Fix channel parameter for irq callbacks
    - [x86] iommu/vt-d: Fix ATSR handling for Root-Complex integrated endpoints
    - ext4: fix potential use after free in __ext4_journal_stop
    - ext4: fix calculation of meta_bg descriptor backups
    - ext4, jbd2: ensure entering into panic after recording an error in superblock
    - vTPM: fix memory allocation flag for rtce buffer at kernel boot
    - spi: dw: explicitly free IRQ handler in dw_spi_remove_host()
    - media: vb2 dma-contig: Fully cache synchronise buffers in prepare and finish
    - Bluetooth: hidp: fix device disconnect on idle timeout
    - Bluetooth: ath3k: Add new AR3012 0930:021c id
    - Bluetooth: ath3k: Add support of AR3012 0cf3:817b device
    - spi: atmel: Fix DMA-setup for transfers with more than 8 bits per word
    - ACPI: Use correct IRQ when uninstalling ACPI interrupt handler
    - [x86] ALSA: hda/realtek - Dell XPS one ALC3260 speaker no sound after resume back
    - megaraid_sas: Do not use PAGE_SIZE for max_sectors
    - [s390x] KVM: SCA must not cross page boundaries
    - [arm64] Fix compat register mappings
    - can: Use correct type in sizeof() in
      nla_put()
    - mtd: blkdevs: fix potential deadlock + lockdep warnings
    - Revert "dm mpath: fix stalls when handling invalid ioctls"
    - [x86] drm/i915: add quirk to enable backlight on Dell Chromebook 11 (2015)
    - crypto: algif_hash - Only export and import on sockets with data
    - xtensa: fixes for configs without loop option
    - megaraid_sas : do not access user memory from IOCTL code
    - mac80211: fix divide by zero when NOA update
    - mac80211: allow null chandef in tracing
    - [x86] KVM: VMX: fix SMEP and SMAP without EPT
    - [armhf] thermal: exynos: Fix unbalanced regulator disable on probe failure
    - [x86] ALSA: hda - Apply pin fixup for HP ProBook 6550b
    - firewire: ohci: fix JMicron JMB38x IT context discovery
    - scsi: restart list search after unlock in scsi_remove_target
    - mm: slab: only move management objects off-slab for sizes larger than KMALLOC_MIN_SIZE
    - [x86] Input: elantech - add Fujitsu Lifebook U745 to force crc_enabled
    - proc: actually make proc_fd_permission() thread-friendly
    - [x86] setup: Extend low identity map to cover whole kernel range
    - [x86] setup: Fix low identity map for >= 2GB kernel range
    - [x86] cpu: Call verify_cpu() after having entered long mode too
    - Btrfs: fix race leading to incorrect item deletion when dropping extents
    - Btrfs: fix race leading to BUG_ON when running delalloc for nodatacow
    - perf: Fix inherited events vs.
      tracepoint filters
    - scsi_sysfs: Fix queue_ramp_up_period return code
    - Btrfs: fix race when listing an inode's xattrs
    - [x86] ideapad-laptop: Add Lenovo Yoga 900 to no_hw_rfkill dmi list
    - [x86] storvsc: Don't set the SRB_FLAGS_QUEUE_ACTION_ENABLE flag
    - [x86] KVM: Defining missing x86 vectors
    - drivers: of: of_reserved_mem: fixup the alignment with CMA setup
    - drm/ast: Initialized data needed to map fbdev memory
    - FS-Cache: Increase reference of parent after registering, netfs success
    - FS-Cache: Don't override netfs's primary_index if registering failed
    - binfmt_elf: Don't clobber passed executable's file header
    - fs/pipe.c: return error code rather than 0 in pipe_write()
    - mac80211: fix driver RSSI event calculations
    - wm831x_power: Use IRQF_ONESHOT to request threaded IRQs
    - mwifiex: fix mwifiex_rdeeprom_read()
    - dmaengine: dw: convert to __ffs()
    - usb: ehci-orion: fix probe for !GENERIC_PHY
    - devres: fix a for loop bounds check
    - netfilter: remove dead code
    - ipv4: Fix ip_queue_xmit to pass sk into ip_local_out_sk
    - packet: fix match_fanout_group()
    - hsi: fix double kfree
    - hsi: omap_ssi_port: Prevent warning if cawake_gpio is not defined.
    - ALSA: fireworks/bebob/oxfw/dice: enable to make as built-in
    - drm: Fix return value of drm_framebuffer_init()
    - ALSA: fireworks: use u32 type for be32_to_cpup() macro
    - ALSA: bebob: use correct type for __be32 data
    - tcp: apply Kern's check on RTTs used for congestion control
    - clk: versatile-icst: fix memory leak
    - mfd: twl6040: Fix deferred probe handling for clk32k
    - of/fdt: fix error checking for earlycon address
    - netfilter: nfnetlink: don't probe module if it exists
    - xprtrdma: Re-arm after missed events
    - ceph: fix message length computation
    - ipv6: fix tunnel error handling
    - perf trace: Fix documentation for -i
    - bonding: fix panic on non-ARPHRD_ETHER enslave failure
    - rtc: ds1307: Fix alarm programming for mcp794xx
    - TPM: Avoid reference to potentially freed memory
    - md/raid0: update queue parameter in a safer location.
    - md/raid0: apply base queue limits *before* disk_stack_limits
    - drm/radeon: add quirk for MSI R7 370
    - drm/radeon: add quirk for ASUS R7 370
    - drm/radeon: fix quirk for MSI R7 370 Armor 2X
    - tty: fix stall caused by missing memory barrier in drivers/tty/n_tty.c
    - fs/proc, core/debug: Don't expose absolute kernel addresses via wchan
    - ALSA: hda - Disable 64bit address for Creative HDA controllers
    - printk: prevent userland from spoofing kernel messages
    - FS-Cache: Handle a write to the page immediately beyond the EOF marker
    http://kernel.ubuntu.com/stable/ChangeLog-3.16.7-ckt22
    - iio: lpc32xx_adc: fix warnings caused by enabling unprepared clock
    - iio:ad5064: Make sure ad5064_i2c_write() returns 0 on success
    - iio: ad5064: Fix ad5629/ad5669 shift
    - iio:ad7793: Fix ad7785 product ID
    - [x86] fpu: Fix 32-bit signal frame handling
    - iio: adc: xilinx: Fix VREFN scale
    - [x86] drm/i915: quirk backlight present on Macbook 4, 1
    - USB: qcserial: Add support for Quectel EC20 Mini PCIe module
    - USB: serial: option: add support for Novatel MiFi USB620L
    - USB: ti_usb_3410_5052: Add Honeywell HGI80 ID
    - [x86] drm/i915: get runtime PM reference around
      GEM set_caching IOCTL
    - drm/radeon: unconditionally set sysfs_initialized
    - USB: qcserial: Fix support for HP lt4112 LTE/HSPA+ Gobi 4G Modem
    - [arm64] kernel: pause/unpause function graph tracer in cpu_suspend()
    - usb: dwc3: gadget: let us set lower max_speed
    - usb: chipidea: debug: disable usb irq while role switch
    - xhci: Workaround to get Intel xHCI reset working more reliably
    - xhci: Fix a race in usb2 LPM resume, blocking U3 for usb2 devices
    - [x86] cpu: Fix SMAP check in PVOPS environments
    - [arm64] restore bogomips information in /proc/cpuinfo
    - USB: option: add XS Stick W100-2 from 4G Systems
    - usblp: do not set TASK_INTERRUPTIBLE before lock
    - fat: fix fake_offset handling on error path
    - kernel/signal.c: unexport sigsuspend()
    - ocfs2: fix umask ignored issue
    - mmc: remove bondage between REQ_META and reliable write
    - packet: do skb_probe_transport_header when we actually have data
    - packet: only allow extra vlan len on ethernet devices
    - packet: fix tpacket_snd max frame len
    - sctp: translate host order to network order when setting a hmacid
    - net/mlx4_core: Avoid returning success in case of an error flow
    - usb: musb: core: fix order of arguments to ulpi write callback
    - FS-Cache: Add missing initialization of ret in cachefiles_write_page()
    - macvlan: fix leak in macvlan_handle_frame
    - packet: always probe for transport header
    - packet: infer protocol from ethernet header if unset
    - ip_tunnel: disable preemption when updating per-cpu tstats
    - snmp: Remove duplicate OUTMCAST stat increment
    - tcp: initialize tp->copied_seq in case of cross SYN connection
    - net, scm: fix PaX detected msg_controllen overflow in scm_detach_fds
    - net: ipmr: fix static mfc/dev leaks on table destruction
    - net: ip6mr: fix static mfc/dev leaks on table destruction
    - ipv6: distinguish frag queues by device for multicast and link-local packets
    - ipv6: add complete rcu protection around np->opt
    - net/neighbour: fix crash at dumping device-agnostic proxy entries
    - ipv6: sctp:
      implement sctp_v6_destroy_sock()
    - xfs: allow inode allocations in post-growfs disk space (Closes: #802885)
    - ALSA: usb-audio: add packet size quirk for the Medeli DD305
    - ALSA: usb-audio: prevent CH345 multiport output SysEx corruption
    - ALSA: usb-audio: work around CH345 input SysEx corruption
    - dm thin: restore requested 'error_if_no_space' setting on OODS to WRITE transition
    - dm: fix ioctl retry termination with signal
    - ALSA: hda - Add fixup for Acer Aspire One Cloudbook 14
    - mac: validate mac_partition is within sector
    - ALSA: hda - Apply HP headphone fixups more generically
    - fix sysvfs symlinks
    - vfs: Make sendfile(2) killable even better
    - vfs: Avoid softlockups with sendfile(2)
    - nfs4: start callback_ident at idr 1
    - ALSA: hda - Fix headphone noise after Dell XPS 13 resume back from S3
    - [arm64] KVM: Fix AArch32 to AArch64 register mapping
    - drm/radeon: make rv770_set_sw_state failures non-fatal
    - ALSA: hda - Fix noise on Gigabyte Z170X mobo
    - drm/radeon: make some dpm errors debug only
    - nfs: if we have no valid attrs, then don't declare the attribute cache valid
    - xen/gntdev: Grant maps should not be subject to NUMA balancing
    - iscsi-target: Fix rx_login_comp hang after login failure
    - target: Fix race for SCF_COMPARE_AND_WRITE_POST checking
    - target: fix COMPARE_AND_WRITE non zero SGL offset data corruption
    - [armel/kirkwood] dts: Fix QNAP TS219 power-off
    - netfilter: ipt_rpfilter: remove the nh_scope test in rpfilter_lookup_reverse
    - netfilter: nf_tables: fix bogus warning in nft_data_uninit()
    - netfilter: ip6t_SYNPROXY: fix NULL pointer dereference
    - gre6: allow to update all parameters via rtnl
    - atl1c: Improve driver not to do order 4 GFP_ATOMIC allocation
    - sctp: use the same clock as if sock source timestamps were on
    - sctp: update the netstamp_needed counter when copying sockets
    - ipv6: sctp: clone options to avoid use after free
    - vlan: Fix untag operations of stacked vlans with REORDER_HEADER off
    - skbuff: Fix offset error in
skb_reorder_vlan_header - af_unix: Revert 'lock_interruptible' in stream receive code - ip6mr: call del_timer_sync() in ip6mr_free_table() - [x86] drm/i915: Disable PSMI sleep messages on all rings around context switches (Closes: #777231) - crypto: nx - Fix timing leak in GCM and CCM decryption - crypto: talitos - Fix timing leak in ESP ICV verification - ASoC: wm8962: correct addresses for HPF_C_0/1 - mac80211: mesh: fix call_rcu() usage - mac80211: ensure we don't update tx power on a non-running sdata - can: sja1000: clear interrupts on start - ring-buffer: Update read stamp with first real commit on page - block: Always check queue limits for cloned requests - Fix a memory leak in scsi_host_dev_release() - wan/x25: Fix use-after-free in x25_asy_open_tty() - mac80211: do not actively scan DFS channels - locking: Add WARN_ON_ONCE lock assertion - drm: Fix an unwanted master inheritance v2 - sched/core: Clear the root_domain cpumasks in init_rootdomain() - [x86] signal: Fix restart_syscall number for x32 tasks - isdn: Partially revert debug format string usage clean up - remoteproc: avoid stack overflow in debugfs file - [armhf] net: mvneta: add configuration for MBUS windows access protection - [armhf] net: mvneta: fix bit assignment in MVNETA_RXQ_CONFIG_REG - [armhf] net: mvneta: fix bit assignment for RX packet irq enable - ipv4: igmp: Allow removing groups from a removed interface - sched/core: Remove false-positive warning from wake_up_process() - btrfs: fix signed overflows in btrfs_sync_file http://kernel.ubuntu.com/stable/ChangeLog-3.16.7-ckt23 - iio: fix some warning messages - USB: cp210x: Remove CP2110 ID from compatibility list - USB: cdc_acm: Ignore Infineon Flash Loader utility - USB: serial: Another Infineon flash loader USB ID - ext4: Fix handling of extended tv_sec - jbd2: Fix unreclaimed pages after truncate in data=journal mode - drm/ttm: Fixed a read/write lock imbalance - AHCI: Fix softreset failed issue of Port Multiplier - sata_sil: disable 
trim - usb-storage: Fix scsi-sd failure "Invalid field in cdb" for USB adapter JMicron - staging: lustre: echo_copy.._lsm() dereferences userland pointers directly - irqchip/versatile-fpga: Fix PCI IRQ mapping on Versatile PB - usb: core : hub: Fix BOS 'NULL pointer' kernel panic - USB: whci-hcd: add check for dma mapping error - dm btree: fix leak of bufio-backed block in btree_split_sibling error path - SCSI: Fix NULL pointer dereference in runtime PM - perf: Fix PERF_EVENT_IOC_PERIOD deadlock - usb: xhci: fix config fail of FS hub behind a HS hub with MTT - ALSA: rme96: Fix unexpected volume reset after rate changes - ALSA: hda - Add inverted dmic for Packard Bell DOTS - virtio: fix memory leak of virtio ida cache layers - nfs4: limit callback decoding to received bytes - SUNRPC: Fix callback channel - IB/srp: Fix possible send queue overflow - ALSA: hda - Fixing speaker noise on the two latest thinkpad models - 9p: ->evict_inode() should kick out ->i_data, not ->i_mapping - radeon/cik: Fix GFX IB test on Big-Endian - radeon: Fix VCE ring test for Big-Endian systems - radeon: Fix VCE IB test on Big-Endian systems - ALSA: hda - Fix noise problems on Thinkpad T440s - dm thin metadata: fix bug when taking a metadata snapshot - dm space map metadata: fix ref counting bug when bootstrapping a new space map - ipmi: move timer init to before irq is setup - dm btree: fix bufio buffer leaks in dm_btree_del() error path - vgaarb: fix signal handling in vga_get() - xhci: fix usb2 resume timing and races. 
    - USB: add quirk for devices with broken LPM
    - [hppa] iommu: fix panic due to trying to allocate too large region
    - mm: hugetlb: fix hugepage memory leak caused by wrong reserve count
    - mm, vmstat: allow WQ concurrency to discover memory reclaim doesn't make any progress
    - mm: hugetlb: call huge_pte_alloc() only if ptep is null
    - drivers/base/memory.c: prohibit offlining of memory blocks with missing sections
    - ocfs2: fix SGID not inherited issue
    - usb: musb: USB_TI_CPPI41_DMA requires dmaengine support
    - efi: Disable interrupts around EFI calls, not in the epilog/prolog calls
    - [armhf] i2c: mv64xxx: The n clockdiv factor is 0 based on sunxi SoCs
    - xen/events/fifo: Consume unprocessed events when a CPU dies
    - video: fbdev: fsl: Fix kernel crash when diu_ops is not implemented
    - crypto: skcipher - Copy iv from desc even for 0-len walks
    - rfkill: copy the name into the rfkill struct
    - ses: Fix problems with simple enclosures
    - Revert "SCSI: Fix NULL pointer dereference in runtime PM"
    - ses: fix additional element traversal bug
    - powercap / RAPL: fix BIOS lock check
    - n_tty: Fix poll() after buffer-limited eof push read
    - tty: Fix GPF in flush_to_ldisc()
    - ALSA: usb-audio: Add a more accurate volume quirk for AudioQuest DragonFly
    - [armel,armhf] 8471/1: need to save/restore arm register(r11) when it is corrupted
    - ALSA: hda - Add a fixup for Thinkpad X1 Carbon 2nd
    - spi: fix parent-device reference leak
    - dma-debug: Fix dma_debug_entry offset calculation
    - [powerpc*] powernv: Fix the overflow of OPAL message notifiers head array
    - [powerpc*] powernv: pr_warn_once on unsupported OPAL_MSG type
    - USB: ipaq.c: fix a timeout loop
    - USB: fix invalid memory access in hub_activate()
    - pinctrl: bcm2835: Fix initial value for direction_output
    - net: phy: mdio-mux: Check return value of mdiobus_alloc()
    - mISDN: fix a loop count
    - qlcnic: fix a timeout loop
    - ser_gigaset: fix deallocation of platform device structure
    - include/linux/mmdebug.h: should include linux/bug.h
    - [x86] drm/i915: Fix SRC_COPY width on 830/845g
    - vmstat: allocate vmstat_wq before it is used
    - [powerpc*] KVM: Book3S HV: Prohibit setting illegal transaction state in MSR
    - ASoC: wm8974: set cache type for regmap
    - [armhf] dts: imx6: Fix Ethernet PHY mode on Ventana boards
    - ALSA: hda - Set SKL+ hda controller power at freeze() and thaw()
    - [s390x] dis: Fix handling of format specifiers
    - [hppa] Fix syscall restarts
    - ALSA: hda/realtek - Fix silent headphone output on MacPro 4,1 (v2)
    - ocfs2: fix BUG when calculate new backup super
    - mm/memory_hotplug.c: check for missing sections in test_pages_in_a_zone()
    - net/mlx4_en: Remove dependency between timestamping capability and service_task
    - net/mlx4_en: Fix HW timestamp init issue upon system startup
    - ipv6/addrlabel: fix ip6addrlbl_get()
    - qlcnic: fix a loop exit condition better
    - genirq: Prevent chip buslock deadlock
    - ftrace/scripts: Fix incorrect use of sprintf in recordmcount
    - tracing: Fix setting of start_index in find_next()
    - [armhf] dts: vt8500: Add SDHC node to DTS file for WM8650
    - [x86] mce: Ensure offline CPUs don't participate in rendezvous process
    - ASoC: arizona: Fix bclk for sample rates that are multiple of 4kHz
    - async_tx: use GFP_NOWAIT rather than GFP_IO
    - ftrace/module: Call clean up function when module init fails early
    - ASoC: Use nested lock for snd_soc_dapm_mutex_lock
    - net: filter: make JITs zero A for SKF_AD_ALU_XOR_X
    - net: possible use after free in dst_release
    - [x86] kvm: only channel 0 of the i8254 is linked to the HPET
    - firmware: dmi_scan: Fix UUID endianness for SMBIOS >= 2.6
    http://kernel.ubuntu.com/stable/ChangeLog-3.16.7-ckt24
    - drm/nouveau/nv46: Change mc subdev oclass from nv44 to nv4c
    - veth: don’t modify ip_summed; doing so treats packets with bad checksums as good.
    - sctp: sctp should release assoc when sctp_make_abort_user return NULL in sctp_close
    - connector: bump skb->users before callback invocation
    - unix: properly account for FDs passed over unix sockets
    - bridge: Only call /sbin/bridge-stp for the initial network namespace
    - vxlan: fix test which detect duplicate vxlan iface
    - net: sctp: prevent writes to cookie_hmac_alg from accessing invalid memory
    - tcp_yeah: don't set ssthresh below 2
    - bonding: Prevent IPv6 link local address on enslaved devices
    - phonet: properly unshare skbs in phonet_rcv()
    - net: bpf: reject invalid shifts
    - ipv6: update skb->csum when CE mark is propagated
    - team: Replace rcu_read_lock with a mutex in team_vlan_rx_kill_vid
    - xen-netback: respect user provided max_queues
    - xen-netfront: respect user provided max_queues
    - xen-netfront: print correct number of queues
    - xen-netfront: update num_queues to real created
    - xfrm: dst_entries_init() per-net dst_ops
    - sctp: convert sack_needed and sack_generation to bits
    - sctp: start t5 timer only when peer rwnd is 0 and local state is SHUTDOWN_PENDING
    - nfs: Fix unused variable error
    - media: gspca: ov534/topro: prevent a division by 0
    - media: media: dvb-core: Don't force CAN_INVERSION_AUTO in oneshot mode
    - [x86] KVM: expose MSR_TSC_AUX to userspace
    - [x86] KVM: correctly print #AC in traces
    - drm/radeon: call hpd_irq_event on resume
    - xhci: refuse loading if nousb is used
    - [arm64] Clear out any singlestep state on a ptrace detach operation
    - time: Avoid signed overflow in timekeeping_get_ns()
    - Bluetooth: Add support of Toshiba Broadcom based devices
    - rtlwifi: fix memory leak for USB device
    - wlcore/wl12xx: spi: fix oops on firmware load
    - EDAC: Fix the leak of mci->bus->name when bus_register fails
    - EDAC, mc_sysfs: Fix freeing bus' name
    - EDAC: Robustify workqueues destruction
    - [arm64] mm: ensure that the zero page is visible to the page table walker
    - [powerpc*] Make value-returning atomics fully ordered
    - [powerpc*] Make {cmp}xchg* and their atomic_ versions fully ordered
    - dm space map metadata: remove unused variable in brb_pop()
    - dm thin: fix race condition when destroying thin pool workqueue
    - futex: Drop refcount if requeue_pi() acquired the rtmutex
    - [arm64] mdscr_el1: avoid exposing DCC to userspace
    - [arm64] kernel: enforce pmuserenr_el0 initialization and restore
    - drm/radeon: clean up fujitsu quirks
    - mmc: sdio: Fix invalid vdd in voltage switch power cycle
    - mmc: sdhci: Fix sdhci_runtime_pm_bus_on/off()
    - udf: limit the maximum number of indirect extents in a row
    - nfs: Fix race in __update_open_stateid()
    - USB: cp210x: add ID for ELV Marble Sound Board 1
    - posix-clock: Fix return code on the poll method's error path
    - rtlwifi: rtl8192de: Fix incorrect module parameter descriptions
    - rtlwifi: rtl8192se: Fix module parameter initialization
    - rtlwifi: rtl8192ce: Fix handling of module parameters
    - rtlwifi: rtl8192cu: Add missing parameter setup
    - NFSv4: Don't perform cached access checks before we've OPENed the file
    - NFS: Fix attribute cache revalidation
    - bcache: fix a livelock when we cause a huge number of cache misses
    - bcache: Add a cond_resched() call to gc
    - bcache: clear BCACHE_DEV_UNLINK_DONE flag when attaching a backing device
    - bcache: fix a leak in bch_cached_dev_run()
    - bcache: unregister reboot notifier if bcache fails to unregister device
    - bcache: allows use of register in udev to avoid "device_busy" error.
    - bcache: prevent crash on changing writeback_running
    - bcache: Change refill_dirty() to always scan entire disk if necessary
    - wlcore/wl12xx: spi: fix NULL pointer dereference (Oops)
    - Input: i8042 - add Fujitsu Lifebook U745 to the nomux list
    - libxfs: pack the agfl header structure so XFS_AGFL_SIZE is correct
    - [x86] xen: don't reset vcpu_info on a cancelled suspend
    - udf: Prevent buffer overrun with multi-byte characters
    - udf: Check output buffer length when converting name to CS0
    - PCI: Fix minimum allocation address overwrite
    - PCI: host: Mark PCIe/PCI (MSI) IRQ cascade handlers as IRQF_NO_THREAD
    - iwlwifi: update and fix 7265 series PCI IDs
    - locks: fix unlock when fcntl_setlk races with a close
    - ASoC: compress: Fix compress device direction check
    - dm snapshot: fix hung bios when copy error occurs
    - uml: fix hostfs mknod()
    - uml: flush stdout before forking
    - drm/nouveau/kms: take mode_config mutex in connector hotplug path
    - [x86] boot: Double BOOT_HEAP_SIZE to 64KB
    - [s390x] fix normalization bug in exception table sorting
    - xfs: inode recovery readahead can race with inode buffer creation
    - xfs: handle dquot buffer readahead in log recovery correctly
    - clocksource/drivers/vt8500: Increase the minimum delta
    - Input: elantech - mark protocols v2 and v3 as semi-mt
    - [x86] reboot/quirks: Add iMac10,1 to pci_reboot_dmi_table[]
    - virtio_balloon: fix race by fill and leak
    - virtio_balloon: fix race between migration and ballooning
    - [hppa] Fix __ARCH_SI_PREAMBLE_SIZE
    - scripts/recordmcount.pl: support data in text section on powerpc
    - [powerpc*] module: Handle R_PPC64_ENTRY relocations
    - dmaengine: dw: fix cyclic transfer setup
    - dmaengine: dw: fix cyclic transfer callbacks
    - mmc: mmci: fix an ages old detection error
    - [sparc64] fix incorrect sign extension in sys_sparc64_personality
    - cifs: fix race between call_async() and reconnect()
    - cifs_dbg() outputs an uninitialized buffer in cifs_readdir()
    - dma-debug: switch check from _text to _stext
    - ocfs2/dlm: ignore cleaning the migration mle that is inuse
    - zram/zcomp: use GFP_NOIO to allocate streams
    - zram: try vmalloc() after kmalloc()
    - mm: soft-offline: check return value in second __get_any_page() call
    - memcg: only free spare array when readers are done
    - panic: release stale console lock to always get the logbuf printed out
    - kernel/panic.c: turn off locks debug before releasing console lock
    - printk: do cond_resched() between lines while outputting to consoles
    - ALSA: hda - Fix bass pin fixup for ASUS N550JX
    - crypto: af_alg - Disallow bind/setkey/... after accept(2)
    - crypto: af_alg - Fix socket double-free when accept fails
    - crypto: af_alg - Add nokey compatibility path
    - crypto: hash - Add crypto_ahash_has_setkey
    - crypto: af_alg - Allow af_af_alg_release_parent to be called on nokey path
    - crypto: af_alg - Forbid bind(2) when nokey child sockets are present
    - ALSA: pcm: Fix snd_pcm_hw_params struct copy in compat mode
    - ALSA: seq: Fix snd_seq_call_port_info_ioctl in compat mode
    - ALSA: control: Avoid kernel warnings from tlv ioctl with numid 0
    - crypto: algif_skcipher - Load TX SG list after waiting
    - crypto: crc32c - Fix crc32c soft dependency
    - IB/qib: fix mcast detach when qp not attached
    - IB/qib: Support creating qps with GFP_NOIO flag
    - [x86] ideapad-laptop: Add Lenovo ideapad Y700-17ISK to no_hw_rfkill dmi list
    - iscsi-target: Fix potential dead-lock during node acl delete
    - ALSA: timer: Handle disconnection more safely
    - ocfs2: NFS hangs in __ocfs2_cluster_lock due to race with ocfs2_unblock_lock
    - [x86] ideapad-laptop: Add Lenovo Yoga 700 to no_hw_rfkill dmi list
    - [x86] drm/i915: avoid deadlock on failure paths in __intel_framebuffer_create()
    - [x86] drm/i915: On fb alloc failure, unref gem object where it gets refed
    - media: rc: allow rc modules to be loaded if rc-main is not a module
    - SCSI: initio: remove duplicate module device table
    - [arm64] clk: xgene: Fix divider with non-zero shift value
    - clk: st: avoid uninitialized variable use
    - ath9k_htc: check for underflow in ath9k_htc_rx_msg()
    - mtd: nand: fix ONFI parameter page layout
    - mtd: nand: denali: add missing nand_release() call in denali_remove()
    - mtd: nand: remove unused and buggy get_platform_nandchip() helper function
    - ALSA: fm801: propagate TUNER_ONLY bit when autodetected
    - pinctrl: bcm2835: Fix memory leak in error path
    - [x86] LDT: Print the real LDT base address
    - sysrq: Fix warning in sysrq generated crash.
    - kconfig: return 'false' instead of 'no' in bool function
    - [x86] perf: Fix filter_events() bug with event mappings
    - power: test_power: correctly handle empty writes
    - firmware: actually return NULL on failed request_firmware_nowait()
    - target: Fix a memory leak in target_dev_lba_map_store()
    - um: Fix build error and kconfig for i386
    - ipv6: tcp: add rcu locking in tcp_v6_send_synack()
    - mmc: sd: limit SD card power limit according to cards capabilities
    - Btrfs: clean up an error code in btrfs_init_space_info()
    - bridge: fix lockdep addr_list_lock false positive splat
    - batman-adv: Avoid recursive call_rcu for batadv_bla_claim
    - batman-adv: Avoid recursive call_rcu for batadv_nc_node
    - batman-adv: fix potential TT client + orig-node memory leak
    - batman-adv: Drop immediate batadv_orig_ifinfo free function
    - batman-adv: Drop immediate batadv_neigh_node free function
    - batman-adv: Drop immediate neigh_ifinfo free function
    - batman-adv: Drop immediate batadv_hard_iface free function
    - batman-adv: Drop immediate orig_node free function
    - printk: help pr_debug and pr_devel to optimize out arguments
    - mmc: debugfs: correct wrong voltage value
    - IB/mlx4: Initialize hop_limit when creating address handle
    - net/mlx4: Remove unused macro
    - cifs: Ratelimit kernel log messages
    - HID: usbhid: fix recursive deadlock
    http://kernel.ubuntu.com/stable/ChangeLog-3.16.7-ckt25
    - ASN.1: Fix non-match detection failure on data overrun
    - qeth: initialize net_device with carrier off
    - EVM: Use crypto_memneq() for digest comparisons
    - iio: adis_buffer: Fix out-of-bounds memory access
    - [powerpc*] KVM: Fix emulation of H_SET_DABR/X on POWER8
    - [x86] irq: Call chip->irq_set_affinity in proper context
    - ACPI / PCI / hotplug: unlock in error path in acpiphp_enable_slot()
    - usb: cdc-acm: handle unlinked urb in acm read callback
    - usb: cdc-acm: send zero packet for intel 7260 modem
    - cdc-acm:exclude Samsung phone 04e8:685d
    - usb: hub: do not clear BOS field during reset device
    - USB: cp210x: add ID for IAI USB to RS485 adaptor
    - USB: visor: fix null-deref at probe
    - USB: serial: option: Adding support for Telit LE922
    - ALSA: seq: Fix incorrect sanity check at snd_seq_oss_synth_cleanup()
    - ALSA: seq: Degrade the error message for too many opens
    - USB: serial: ftdi_sio: add support for Yaesu SCU-18 cable
    - USB: option: fix Cinterion AHxx enumeration
    - ALSA: compress: Disable GET_CODEC_CAPS ioctl for some architectures
    - ALSA: usb-audio: Fix TEAC UD-501/UD-503/NT-503 usb delay
    - virtio_pci: fix use after free on release
    - ALSA: bebob: Use a signed return type for get_formation_index
    - [arm64] errata: Add -mpc-relative-literal-loads to build flags
    - [powerpc*] eeh: Fix PE location code
    - SCSI: fix crashes in sd and sr runtime PM
    - n_tty: Fix unsafe reference to "other" ldisc
    - staging/speakup: Use tty_ldisc_ref() for paste kworker
    - ALSA: dummy: Disable switching timer backend via sysfs
    - [x86] drm/vmwgfx: respect 'nomodeset'
    - [x86] mm/pat: Avoid truncation when converting cpa->numpages to address
    - perf annotate browser: Fix behaviour of Shift-Tab with nothing focussed
    - perf hists: Fix HISTC_MEM_DCACHELINE width setting
    - [powerpc*] perf: Remove PPMU_HAS_SSLOT flag for Power8
    - vmstat: explicitly schedule per-cpu work on the CPU we need it to run on
    - umount: Do not allow unmounting rootfs.
    - crypto: algif_skcipher - Require setkey before accept(2)
    - crypto: algif_skcipher - Add nokey compatibility path
    - crypto: algif_hash - Require setkey before accept(2)
    - crypto: skcipher - Add crypto_skcipher_has_setkey
    - crypto: algif_skcipher - Add key check exception for cipher_null
    - crypto: algif_hash - Remove custom release parent function
    - crypto: algif_skcipher - Remove custom release parent function
    - crypto: algif_hash - Fix race condition in hash_check_key
    - crypto: algif_skcipher - Fix race condition in skcipher_check_key
    - iio: add HAS_IOMEM dependency to VF610_ADC
    - iio: dac: mcp4725: set iio name property in sysfs
    - ASoC: rt5645: fix the shift bit of IN1 boost
    - cgroup: make sure a parent css isn't offlined before its children
    - PCI/AER: Flush workqueue on device remove to avoid use-after-free
    - libata: disable forced PORTS_IMPL for >= AHCI 1.3
    - mac80211: Requeue work after scan complete for all VIF types.
    - rfkill: fix rfkill_fop_read wait_event usage
    - crypto: shash - Fix has_key setting
    - [x86] drm/i915/dp: fall back to 18 bpp when sink capability is unknown
    - target: Fix WRITE_SAME/DISCARD conversion to linux 512b sectors
    - crypto: algif_hash - wait for crypto_ahash_init() to complete
    - iio: inkern: fix a NULL dereference on error
    - iio: pressure: mpl115: fix temperature offset sign
    - [x86] intel_scu_ipcutil: underflow in scu_reg_access()
    - ALSA: seq: Fix race at closing in virmidi driver
    - ALSA: rawmidi: Remove kernel WARNING for NULL user-space buffer check
    - ALSA: pcm: Fix potential deadlock in OSS emulation
    - ALSA: seq: Fix yet another races among ALSA timer accesses
    - ALSA: timer: Code cleanup
    - ALSA: timer: Fix link corruption due to double start or stop
    - libata: fix sff host state machine locking while polling
    - [mips*] Fix buffer overflow in syscall_get_arguments()
    - cputime: Prevent 32bit overflow in time[val|spec]_to_cputime()
    - ASoC: dpcm: fix the BE state on hw_free
    - module: wrapper for symbol name.
    - ALSA: hda - Add fixup for Mac Mini 7,1 model
    - ALSA: rawmidi: Make snd_rawmidi_transmit() race-free
    - ALSA: rawmidi: Fix race at copying & updating the position
    - ALSA: seq: Fix lockdep warnings due to double mutex locks
    - drivers/scsi/sg.c: mark VMA as VM_IO to prevent migration
    - radix-tree: fix race in gang lookup
    - [x86] usb: xhci: apply XHCI_PME_STUCK_QUIRK to Intel Broxton-M platforms
    - xhci: Fix list corruption in urb dequeue at host removal
    - media: tda1004x: only update the frontend properties if locked
    - ALSA: timer: Fix leftover link at closing
    - media: saa7134-alsa: Only frees registered sound cards
    - Btrfs: fix hang on extent buffer lock caused by the inode_paths ioctl
    - scsi_dh_rdac: always retry MODE SELECT on command lock violation
    - SCSI: Add Marvell Console to VPD blacklist
    - drm: Add drm_fixp_from_fraction and drm_fixp2int_ceil
    - ALSA: hda - Fix static checker warning in patch_hdmi.c
    - Revert "ALSA: hda - Fix noise on Gigabyte Z170X mobo"
    - dump_stack: avoid potential deadlocks
    - mm, vmstat: fix wrong WQ sleep when memory reclaim doesn't make any progress
    - ocfs2/dlm: clear refmap bit of recovery lock while doing local recovery cleanup
    - mm: replace vma_lock_anon_vma with anon_vma_lock_read/write
    - radix-tree: fix oops after radix_tree_iter_retry
    - crypto: user - lock crypto_alg_list on alg dump
    - serial: omap: Prevent DoS using unprivileged ioctl(TIOCSRS485)
    - pty: fix possible use after free of tty->driver_data
    - pty: make sure super_block is still valid in final /dev/tty close
    - ALSA: hda - Fix speaker output from VAIO AiO machines
    - klist: fix starting point removed bug in klist iterators
    - ALSA: dummy: Implement timer backend switching more safely
    - ALSA: timer: Fix wrong instance passed to slave callbacks
    - [armel,armhf] 8517/1: ICST: avoid arithmetic overflow in icst_hz()
    - ALSA: timer: Fix race between stop and interrupt
    - ALSA: timer: Fix race at concurrent reads
    - [armhf] phy: twl4030-usb: Relase usb phy on unload
    - [x86] ahci: Intel DNV device IDs SATA
    - workqueue: handle NUMA_NO_NODE for unbound pool_workqueue lookup
    - drm/radeon: hold reference to fences in radeon_sa_bo_new
    - [armel,armhf] 8519/1: ICST: try other dividends than 1
    - btrfs: properly set the termination value of ctx->pos in readdir
    - net: phy: Fix phy_mac_interrupt()
    - af_unix: fix struct pid memory leak
    - pptp: fix illegal memory access caused by multiple bind()s
    - sctp: allow setting SCTP_SACK_IMMEDIATELY by the application
    - netlink: not trim skb for mmaped socket when dump
    - ipv6: fix a lockdep splat
    - sctp: translate network order to host order when users get a hmacid
    - IB/mlx5: Fix RC transport send queue overhead computation
    - [x86] drm/vmwgfx: Fix an fb unlocking bug
    - net: phy: fix PHY_RUNNING in phy_state_machine
    - net: phy: Avoid polling PHY with PHY_IGNORE_INTERRUPTS

  [ Ben Hutchings ]
  * udeb: Add dm-service-time to multipath-modules (Closes: #806131)
  * net: Ignore ABI changes due to "ipv6: add complete rcu protection around np->opt", which don't appear to affect out-of-tree modules
  * crypto: {blk,giv}cipher: Set has_setkey (avoids regressing cryptsetup; see #815480)
  * net: Fix regression in ip_vti/ip6_vti in 3.16.7-ckt11 (Closes: #813594):
    - ip_vti/ip6_vti: Do not touch skb->mark on xmit
    - xfrm: Override skb->mark with tunnel->parm.i_key in xfrm_input
    - ip_vti/ip6_vti: Preserve skb->mark after rcv_cb call

  [ Aurelien Jarno ]
  * [mips*] Add support for MIPS 5KE CPU.
  * [mips*] Backport math emulation fix from 4.5.

linux (3.16.7-ckt20-1+deb8u4) jessie-security; urgency=high

  * fuse: break infinite loop in fuse_fill_write_pages() (CVE-2015-8785)
  * aufs: Fix regression due to "mm: make sendfile(2) killable" (Closes: #812207)
    - tiny, extract a new func xino_fwrite_wkq()
    - XINO handles EINTR from the dying process
  * [x86] mm: Add barriers and document switch_mm()-vs-flush synchronization (CVE-2016-2069)
  * [x86] mm: Improve switch_mm() barrier comments
  * pipe: limit the per-user amount of pages allocated in pipes (CVE-2013-4312)
  * iw_cxgb3: Fix incorrectly returning error on success (CVE-2015-8812)
  * af_unix: Guard against other == sk in unix_dgram_sendmsg (regression in 3.16.7-ckt20-1+deb8u1)
  * Revert "workqueue: make sure delayed work run in local cpu" (regression in 3.16.7-ckt20)
  * ALSA: usb-audio: avoid freeing umidi object twice (CVE-2016-2384)
  * unix: correctly track in-flight fds in sending process user_struct (regression in 3.16.7-ckt20-1+deb8u3) (CVE-2016-2550)
  * USB: fix invalid memory access in hub_activate() (CVE-2015-8816)
  * ALSA: seq: Fix missing NULL check at remove_events ioctl (CVE-2016-2543)
  * ALSA: seq: Fix race at timer setup and close (CVE-2016-2544)
  * ALSA: timer: Fix double unlink of active_list (CVE-2016-2545)
  * ALSA: timer: Fix race among timer ioctls (CVE-2016-2546)
  * ALSA: timer: Harden slave timer list handling (CVE-2016-2547, CVE-2016-2548)
  * ALSA: hrtimer: Fix stall by hrtimer_cancel() (CVE-2016-2549)
  * AIO: properly check iovec sizes

linux (3.16.7-ckt20-1+deb8u4~bpo70+1) wheezy-backports; urgency=medium

  * Rebuild for wheezy:
    - Disable architectures that weren't part of wheezy
    - Use gcc-4.6 for all architectures
    - Change ABI number to 0.bpo.4
    - [arm] btrfs: Work around bug in gcc-4.6 (fixes FTBFS)
    - linux-image: Depend on initramfs-tools without any alternatives, so that neither apt nor aptitude will automatically switch to dracut

linux (3.16.7-ckt20-1+deb8u3) jessie-security; urgency=high

  [ Ben Hutchings ]
  * usb: serial: visor: fix crash on detecting device without write_urbs (CVE-2015-7566)
  * sctp: Prevent soft lockup when sctp_accept() is called during a timeout event (CVE-2015-8767)
  * tty: Fix unsafe ldisc reference via ioctl(TIOCGETD) (CVE-2016-0723)

  [ Salvatore Bonaccorso ]
  * unix: properly account for FDs passed over unix sockets (CVE-2013-4312)
  * KEYS: Fix keyring ref leak in join_session_keyring() (CVE-2016-0728)

linux (3.16.7-ckt20-1+deb8u3~bpo70+1) wheezy-backports; urgency=medium

  * Rebuild for wheezy:
    - Disable architectures that weren't part of wheezy
    - Use gcc-4.6 for all architectures
    - Change ABI number to 0.bpo.4
    - [arm] btrfs: Work around bug in gcc-4.6 (fixes FTBFS)
    - linux-image: Depend on initramfs-tools without any alternatives, so that neither apt nor aptitude will automatically switch to dracut

mariadb-10.0 (10.0.23-0+deb8u1) jessie-security; urgency=high

  * New upstream release 10.0.23. Includes fixes for the following security vulnerabilities:
    - CVE-2016-2047
    - CVE-2016-0616
    - CVE-2016-0609
    - CVE-2016-0608
    - CVE-2016-0606
    - CVE-2016-0600
    - CVE-2016-0598
    - CVE-2016-0597
    - CVE-2016-0596
    - CVE-2016-0546
    - CVE-2016-0505
  * Update TokuDB plugin install and copyright paths to match latest release done under Percona ownership

mariadb-10.0 (10.0.22-6) unstable; urgency=low

  * Add patches to make passwordless root login default on all new installs in all situations. Make auth_socket a built-in plugin.
  * Clean up previous passwordless root implementation so that it applies only to new installs and existing databases continue to operate with the passwords defined in their user tables
  * As disabled.def interpreted test names in a special way, switch back to using --skip-test-list option
  * Make the watch file to make it better suited for the git-buildpackage workflow and remove call to uupdate

mariadb-10.0 (10.0.22-5) unstable; urgency=low

  * Fix non-working path of unstable-test in d/rules
  * Add unstable test for amd64 to fix reproducible builds

mariadb-10.0 (10.0.22-4) unstable; urgency=low

  * Upload to unstable

mariadb-10.0 (10.0.22-4~exp1) experimental; urgency=low

  * Rewrite unstable tests section in d/rules that was not working

mariadb-10.0 (10.0.22-3) unstable; urgency=low

  * Fix typo in d/rules
  * Extend list of unstable tests for arch mips, mipsel64 and alpha

mariadb-10.0 (10.0.22-2) unstable; urgency=low

  * Escape d/rules file correctly to avoid parse error.
  * Remove patches/os_sync_Free patch that is not intended for production use.

mariadb-10.0 (10.0.22-2~exp2) experimental; urgency=low

  [Alexander Barkov]
  * Backport patch from upstream to fix MDEV-9091: mysqld crashes on shutdown after running TokuDB tests on Ubuntu
  * Backport patch from upstream to fix MDEV-8692: prefschema test failures

  [Otto Kekäläinen]
  * Replace old 'make test' structure with direct call on mysql-test-run and parallelize the test suite run in the Debian build.
  * Print in build log env info to help debug builds on different platforms.
  * Keep a list of unstable tests that are to be skipped on official builds.

mariadb-10.0 (10.0.22-2~exp1) experimental; urgency=low

  * Add diagnostics to find out the problem in os_sync_free()
  * Backport fix for TokuDB crashes in build tests on Launchpad and enable TokuDB builds

mariadb-10.0 (10.0.22-1) unstable; urgency=low

  [ Otto Kekäläinen ]
  * New upstream release. Includes fixes for the following security vulnerabilities (Closes: #802874):
    - CVE-2015-4802
    - CVE-2015-4807
    - CVE-2015-4815
    - CVE-2015-4826
    - CVE-2015-4830
    - CVE-2015-4836
    - CVE-2015-4858
    - CVE-2015-4861
    - CVE-2015-4870
    - CVE-2015-4913
    - CVE-2015-4792
  * New release includes updated man pages (Closes: #779992)
  * Update the most recent patches with proper DEP-3 compliant headers
  * Add CVE IDs to previous changelog entries

  [ Jean Weisbuch ]
  * Update mysqlreport to version 4.0

mongrel2 (1.9.1-6+deb8u1) jessie; urgency=medium

  * Comment out failing test caused by an expired certificate. (Closes: Bug#804331)

mozilla-devscripts (0.39+deb8u1) jessie; urgency=medium

  * Update dh_xul-ext's substvar generation for the upcoming transitions in stable from iceweasel to firefox-esr, and from icedove to thunderbird. (Closes: #818013, #818756)
  * Update test suite expected values accordingly.

mysql-5.5 (5.5.47-0+deb8u1) jessie-security; urgency=high

  * Imported Upstream version 5.5.47 to fix security issues:
    - http://www.oracle.com/technetwork/topics/security/cpujan2016-2367955.html
    - CVE-2016-0546 CVE-2016-0505 CVE-2016-0596 CVE-2016-0597 CVE-2016-0616 CVE-2016-0598 CVE-2016-0600 CVE-2016-0606 CVE-2016-0608 CVE-2016-0609 (Closes: #811428)
  * fix-test-suite-failure-caused-by-arbitrary-date-in-the-future-patch is no longer needed, as bug is fixed in new Upstream version

mysql-5.5 (5.5.47-0+deb7u1) wheezy-security; urgency=high

  * Imported Upstream version 5.5.47 to fix security issues:
    - http://www.oracle.com/technetwork/topics/security/cpujan2016-2367955.html
    - CVE-2016-0546 CVE-2016-0505 CVE-2016-0596 CVE-2016-0597 CVE-2016-0616 CVE-2016-0598 CVE-2016-0600 CVE-2016-0606 CVE-2016-0608 CVE-2016-0609 (Closes: #811428)
  * fix-test-suite-failure-caused-by-arbitrary-date-in-the-future-patch is no longer needed, as bug is fixed in new Upstream version

mysql-5.5 (5.5.47-0+deb6u1) squeeze-lts; urgency=high

  * Non-maintainer upload by the Squeeze LTS Team.
* Merged from package proposed for wheezy by Lars Tangvald * New upstream version that fixes the following issues: - http://www.oracle.com/technetwork/topics/security/cpujan2016-2367955.html - CVE-2016-0546 CVE-2016-0505 CVE-2016-0596 CVE-2016-0597 CVE-2016-0616 CVE-2016-0598 CVE-2016-0600 CVE-2016-0606 CVE-2016-0608 CVE-2016-0609 (Closes: #811428) * fix-test-suite-failure-caused-by-arbitrary-date-in-the-future-patch is no longer needed, as bug is fixed in new Upstream version nettle (2.7.1-5+deb8u1) stable; urgency=low . * Fix CVE-2015-8803, CVE-2015-8804, and CVE-2015-8805 (Closes: #813679). nss-pam-ldapd (0.9.4-3+deb8u1) stable; urgency=low . * fix-issues-withdaemonising.patch, avoid-signal-race.patch: patches to fix issues with daemonising nslcd and avoid a race condition in signal handling during start-up (closes: #759544) * ensure proper return code of init script (closes: #794686) * fix-ppolicy-expiration-warnings.patch: fix password policy expiration warnings (closes: #794068) openssl (1.0.1k-3+deb8u4) jessie-security; urgency=medium . * Fix CVE-2016-0797 * Fix CVE-2016-0798 * Fix CVE-2016-0799 * Fix CVE-2016-0702 * Fix CVE-2016-0705 * Disable EXPORT and LOW ciphers: The DROWN attack (CVE-2016-0800) makes use of those, and SLOTH attack (CVE-2015-7575) can make use of them too. osmo (0.2.12-1+deb8u1) jessie; urgency=medium . * Add libarchive-i386.patch. Fix corrupt data backup on i386. Thanks to Christian Buchmüller for the report and Maxim Gordienko for the patch. (Closes: #813414) pagekite (0.5.6d-3+deb8u1) stable; urgency=low . * Add missing build dependency python-openssl to fix test failure (Closes: #790271). pcre3 (2:8.35-3.3+deb8u4) jessie; urgency=medium . * Non-maintainer upload. * Add 0001-Fixed-an-issue-with-nested-table-jumps.patch. Fixes issue with nested table jumps. (Closes: #819050) pcre3 (2:8.35-3.3+deb8u3) jessie; urgency=medium . * Non-maintainer upload. * Refresh CVE-2015-2325_CVE-2015-2326_CVE-2015-3210_CVE-2015-5073.patch. 
    Drop addition of "error text" for error ERR86 in pcre_compile.c.
    This change belongs to upstream revision 1481 (Give error for \x{} and \o{}).
  * Add 0001-Give-error-for-x-and-o.patch.
    Give error for \x{} and \o{}.
  * Add 0001-Fix-workspace-overflow-for-ACCEPT-with-deeply-nested.patch.
    CVE-2016-3191: workspace overflow for (*ACCEPT) with deeply nested
    parentheses. (Closes: #815921)
  * Add 0001-Yet-another-duplicate-name-bugfix-by-overestimating-.patch.
    CVE-2016-1283: heap buffer overflow in handling of duplicate named
    groups. (Closes: #809706)

perl (5.20.2-3+deb8u4) jessie-security; urgency=high
  .
  * Work around a t/op/stat.t failure on GNU/kFreeBSD, possibly related to
    softupdates. Fix by Steven Chamberlain. (Closes: #796798)
  * [SECURITY] CVE-2016-2381 fix duplicate environment variable taint
    checking issue

perl (5.20.2-3+deb8u3+kbsd1) jessie-kfreebsd; urgency=medium
  .
  * Porter upload.
  * Work around a t/op/stat.t failure on GNU/kFreeBSD, possibly related to
    softupdates. Fix by Steven Chamberlain. (Closes: #796798)

pgplot5 (5.2.2-19+deb8u1) jessie; urgency=medium
  .
  * Non-maintainer upload.
  * Use multiarch path to zconf.h (Closes: #784743)
    (thanks to Edmund Grimley Evans and Vincent McIntyre)

php-dompdf (0.6.1+dfsg-2+deb8u1) jessie; urgency=medium
  .
  * [22610bd] Add 0.6.2 hotfix patch which bundles CVE hotfixes from the
    upstream release. (Closes: #813849)
    .
    This is a security-focused release that addresses a number of
    vulnerabilities that can expose your system to exploitation. In tandem
    with this release we have also posted a document to the wiki with advice
    for securing dompdf [1]. Please read the new document and take
    appropriate measures to protect your systems.
    .
    This update addresses the following announced vulnerabilities:
    .
      * CVE-2014-5011 - Information Disclosure
      * CVE-2014-5012 - Denial Of Service Vector
      * CVE-2014-5013 - Remote Code Execution (complement of CVE-2014-2383)

php-horde (5.2.1+debian0-2+deb8u3) jessie-security; urgency=high
  .
  * Fix CVE-2016-2228: XSS vulnerability in menu bar (Closes: #813573)

php-horde-core (2.15.0+debian0-1+deb8u1) jessie-security; urgency=high
  .
  * CVE-2015-8807: Escape form value, fix XSS in Horde_Core_VarRenderer_Html
    (Closes: #813590)

php-mail-mime (1.8.9-1+deb8u1) jessie; urgency=medium
  .
  * Add dependency on php-pear (Closes: #817828)

php-net-ldap2 (2.0.12-1+deb8u1) jessie; urgency=medium
  .
  * Add Fix_Fatal_error_with_PEAR_1.10.0.patch (Closes: #812788)

php5 (5.6.19+dfsg-0+deb8u1) jessie-security; urgency=medium
  .
  * Imported Upstream version 5.6.19+dfsg
  * Rebase patches on top of 5.6.19+dfsg release
  * Allow multiple whitespace in php5-fpm init script (Closes: #818102)
  .
php5 (5.6.18+dfsg-0+deb8u1) jessie-security; urgency=medium
  .
  * Merge patch for ODBC bug fix varchars returning with length zero
  * Fix missing phpdbg sapi from the for loop that prevented the modules
    from being enabled for phpdbg SAPI
  * Fail gracefully when other PHP module is enabled in Apache2
  * php5-maintscript-helper needs update for phpdbg
  * Imported Upstream version 5.6.18+dfsg
  * Rebase patches on top of 5.6.18 release
  * Revert PEAR version to last working version from PHP 5.6.14
    (Closes: #812788)

php5 (5.6.18+dfsg-1) unstable; urgency=medium
  .
  * Imported Upstream version 5.6.18+dfsg
    - Core:
      . Fixed bug #71039 (exec functions ignore length but look for NULL termination).
      . Fixed bug #71089 (No check to duplicate zend_extension).
      . Fixed bug #71201 (round() segfault on 64-bit builds).
      . Added support for new HTTP 451 code.
      . Fixed bug #71273 (A wrong ext directory setup in php.ini leads to crash).
      . Fixed bug #71323 (Output of stream_get_meta_data can be falsified by its input).
      . Fixed bug #71459 (Integer overflow in iptcembed()).
    - Apache2handler:
      . Fix >2G Content-Length headers in apache2handler.
    - FTP:
      . Implemented FR #55651 (Option to ignore the returned FTP PASV address).
    - Opcache:
      . Fixed bug #71127 (Define in auto_prepend_file is overwrite).
      . Fixed bug #71024 (Unable to use PHP 7.0 x64 side-by-side with PHP 5.6 x32 on the same server).
    - Phar:
      . Fixed bug #71354 (Heap corruption in tar/zip/phar parser).
      . Fixed bug #71391 (NULL Pointer Dereference in phar_tar_setupmetadata()).
      . Fixed bug #71488 (Stack overflow when decompressing tar archives).
    - Session:
      . Fixed bug #69111 (Crash in SessionHandler::read()).
    - SOAP:
      . Fixed bug #70979 (crash with bad soap request).
    - SPL:
      . Fixed bug #71204 (segfault if clean spl_autoload_funcs while autoloading).
    - WDDX:
      . Fixed bug #71335 (Type Confusion in WDDX Packet Deserialization).
  * Rebase patches on top of 5.6.18 release
  * Add support for libtool >= 2.4.6 ltmain.sh location

php5 (5.6.17+dfsg-3) unstable; urgency=medium
  .
  * Fail gracefully when other PHP module is enabled in Apache2
  * php5-maintscript-helper needs update for phpdbg to fix postinst failure

php5 (5.6.17+dfsg-1) unstable; urgency=medium
  .
  * Build-Depend just on libpng-dev
  * Imported Upstream version 5.6.17+dfsg
  * Rebase patches on top of 5.6.17 release

pidgin-otr (4.0.1-1+deb8u1) jessie-security; urgency=high
  .
  * Non-maintainer upload.
  * Fix CVE-2015-8833: Heap use-after-free issue during SMP.

pillow (2.6.1-2+deb8u2) jessie-security; urgency=medium
  .
  * CVE-2016-0740
  * Add hopper.pcd to test case added for CVE-2016-2533

pillow (2.6.1-2+deb8u1) jessie-security; urgency=high
  .
  * Non-maintainer upload.
  * CVE-2016-0775: Fix buffer overflow in FliDecode.c (Closes: #813909)
  * CVE-2016-2533: Fix buffer overflow in PcdDecode.c.

polarssl (1.3.9-2.1+deb8u1) jessie-security; urgency=high
  .
  * Non-maintainer upload.
  * Backport patches for CVE-2015-5291 and CVE-2015-8036 (Closes: #801413)
  * Add simple smoke test

postgresql-9.1 (9.1.20-0+deb8u1) jessie; urgency=medium
  .
  * New upstream release: No effective changes for PL/Perl, the version
    must just be higher than the one in wheezy.

postgresql-9.1 (9.1.20-0+deb7u1) wheezy-security; urgency=medium
  .
  * New upstream version.
    + Fix infinite loops and buffer-overrun problems in regular expressions.
      Very large character ranges in bracket expressions could cause infinite
      loops in some cases, and memory overwrites in other cases. (CVE-2016-0773)
    + Fix privilege escalation issue for users of PL/Java. Certain custom
      configuration settings (GUCs) for PL/Java will now be modifiable only
      by the database superuser. (CVE-2016-0766)

postgresql-common (165+deb8u1) jessie; urgency=medium
  .
  * pg_upgradecluster: Set default dynamic_shared_memory_type = mmap.
    (Closes: #784005, #812206)
    .
    This primarily avoids problems with upgrading existing clusters in an
    LXC container. As earlier PG versions did not have d_s_m_t, the upgraded
    postgresql.conf won't have this setting either, yielding the compiled-in
    default of 'posix' which doesn't work in LXC. Pick something else here to
    avoid that problem. Notably, it's important that this problem is fixed in
    pg_upgradecluster itself because working around the problem is hard as
    the upgrade will fail early without the possibility of manually fixing
    the config. (Newly created clusters do not have that problem because
    initdb probes for a method working in the given system.)
  .
  * t/040_upgrade.t: Skip testing pg_upgrade with datallowconn = f, it does
    not support that anymore as of May 2015. (Cherry-pick from master to
    allow testing the pg_upgradecluster fix)

privoxy (3.0.21-7+deb8u1) jessie-security; urgency=high
  .
  * 40_CVE-2016-1982: Prevent invalid reads in case of corrupt chunk-encoded
    content.
  * 41_CVE-2016-1983: Remove empty Host headers in client requests.
    Previously they would result in invalid reads.

prosody (0.9.7-2+deb8u3) jessie-security; urgency=high
  .
  * CVE-2016-0756: insecure dialback key generation/validation algorithm
  * Fix for regression introduced in the previous CVE-2016-1232 fix:
    s2s doesn't work if /dev/urandom is read-only.

python-rsa (3.1.4-1+deb8u1) jessie; urgency=medium
  .
  * Non-maintainer upload.
  * CVE-2016-1494: Possible signature forgery using Bleichenbacher'06 attack
    (Closes: #809980)

qemu (1:2.1+dfsg-12+deb8u5a) jessie-security; urgency=high
  .
  * applied 3 patches from upstream to fix virtio-net possible remote DoS
    (Closes: #799452 CVE-2015-7295)
  * pcnet-add-check-to-validate-receive-data-size-CVE-2015-7504.patch
    (Closes: #806742, CVE-2015-7504)
  * pcnet-fix-rx-buffer-overflow-CVE-2015-7512.patch
    (Closes: #806741, CVE-2015-7512)
  * msix-implement-pba-write-but-read-only-CVE-2015-7549.patch
    (Closes: #808131, CVE-2015-7549)
  * eepro100-prevent-two-endless-loops-CVE-2015-8345.patch
    (Closes: #806373, CVE-2015-8345)
  * vnc-avoid-floating-point-exception-CVE-2015-8504.patch
    (Closes: #808130, CVE-2015-8504)
  * ehci-make-idt-processing-more-robust-CVE-2015-8558.patch
    (Closes: #808144, CVE-2015-8558)
  * two upstream patches from xsa-155 fixing unsafe shared memory access in xen
    (Closes: #809229, CVE-2015-8550)
  * net-ne2000-fix-bounds-check-in-ioport-operations-CVE-2015-8743.patch
    (Closes: #810519, CVE-2015-8743)
  * net-vmxnet3-avoid-memory-leakage-in-activate_device-[...].patch
    (Closes: #808145, CVE-2015-8567, CVE-2015-8568)
  * scsi-initialise-info-object-with-appropriate-size-CVE-2015-8613.patch
    (Closes: #809232, CVE-2015-8613)
  * vmxnet3-refine-l2-header-validation-CVE-2015-8744.patch
    (Closes: CVE-2015-8744)
  * vmxnet3-support-reading-IMR-registers-on-bar0-CVE-2015-8745.patch
    (Closes: CVE-2015-8745)
  * ide-ahci-reset-ncq-object-to-unused-on-error-CVE-2016-1568.patch
    (Closes: #810527, CVE-2016-1568)
  * fw_cfg-add-check-to-validate-current-entry-value-CVE-2016-1714.patch
    (Closes: CVE-2016-1714)
  * i386-avoid-null-pointer-dereference-CVE-2016-1922.patch
    (Closes: #811201, CVE-2016-1922)
  * e1000-eliminate-infinite-loops-on-out-of-bounds-start-CVE-2016-1981.patch
    (Closes: #812307, CVE-2016-1981)
  * hmp-fix-sendkey-out-of-bounds-write-CVE-2015-8619.patch
    (Closes: #809237, CVE-2015-8619)

qemu (1:2.1+dfsg-12+deb8u5a~bpo70+1) wheezy-backports; urgency=high
  .
  * Rebuild for wheezy-backports:
    - disable seccomp (not in wheezy)
    - build-depend on iasl|acpica-tools
    - s/python:any/python/ in build-depends
  .
qemu (1:2.1+dfsg-12+deb8u5a) jessie-security; urgency=high
  .
  * applied 3 patches from upstream to fix virtio-net possible remote DoS
    (Closes: #799452 CVE-2015-7295)
  * pcnet-add-check-to-validate-receive-data-size-CVE-2015-7504.patch
    (Closes: #806742, CVE-2015-7504)
  * pcnet-fix-rx-buffer-overflow-CVE-2015-7512.patch
    (Closes: #806741, CVE-2015-7512)
  * msix-implement-pba-write-but-read-only-CVE-2015-7549.patch
    (Closes: #808131, CVE-2015-7549)
  * eepro100-prevent-two-endless-loops-CVE-2015-8345.patch
    (Closes: #806373, CVE-2015-8345)
  * vnc-avoid-floating-point-exception-CVE-2015-8504.patch
    (Closes: #808130, CVE-2015-8504)
  * ehci-make-idt-processing-more-robust-CVE-2015-8558.patch
    (Closes: #808144, CVE-2015-8558)
  * two upstream patches from xsa-155 fixing unsafe shared memory access in xen
    (Closes: #809229, CVE-2015-8550)
  * net-ne2000-fix-bounds-check-in-ioport-operations-CVE-2015-8743.patch
    (Closes: #810519, CVE-2015-8743)
  * net-vmxnet3-avoid-memory-leakage-in-activate_device-[...].patch
    (Closes: #808145, CVE-2015-8567, CVE-2015-8568)
  * scsi-initialise-info-object-with-appropriate-size-CVE-2015-8613.patch
    (Closes: #809232, CVE-2015-8613)
  * vmxnet3-refine-l2-header-validation-CVE-2015-8744.patch
    (Closes: CVE-2015-8744)
  * vmxnet3-support-reading-IMR-registers-on-bar0-CVE-2015-8745.patch
    (Closes: CVE-2015-8745)
  * ide-ahci-reset-ncq-object-to-unused-on-error-CVE-2016-1568.patch
    (Closes: #810527, CVE-2016-1568)
  * fw_cfg-add-check-to-validate-current-entry-value-CVE-2016-1714.patch
    (Closes: CVE-2016-1714)
  * i386-avoid-null-pointer-dereference-CVE-2016-1922.patch
    (Closes: #811201, CVE-2016-1922)
  * e1000-eliminate-infinite-loops-on-out-of-bounds-start-CVE-2016-1981.patch
    (Closes: #812307, CVE-2016-1981)
  * hmp-fix-sendkey-out-of-bounds-write-CVE-2015-8619.patch
    (Closes: #809237, CVE-2015-8619)

qemu (1:2.1+dfsg-12+deb8u5) jessie-security; urgency=high
  .
  * applied 3 patches from upstream to fix virtio-net possible remote DoS
    (Closes: #799452 CVE-2015-7295)
  * pcnet-add-check-to-validate-receive-data-size-CVE-2015-7504.patch
    (Closes: #806742, CVE-2015-7504)
  * pcnet-fix-rx-buffer-overflow-CVE-2015-7512.patch
    (Closes: #806741, CVE-2015-7512)
  * msix-implement-pba-write-but-read-only-CVE-2015-7549.patch
    (Closes: #808131, CVE-2015-7549)
  * eepro100-prevent-two-endless-loops-CVE-2015-8345.patch
    (Closes: #806373, CVE-2015-8345)
  * vnc-avoid-floating-point-exception-CVE-2015-8504.patch
    (Closes: #808130, CVE-2015-8504)
  * ehci-make-idt-processing-more-robust-CVE-2015-8558.patch
    (Closes: #808144, CVE-2015-8558)
  * two upstream patches from xsa-155 fixing unsafe shared memory access in xen
    (Closes: #809229, CVE-2015-8550)
  * net-ne2000-fix-bounds-check-in-ioport-operations-CVE-2015-8743.patch
    (Closes: #810519, CVE-2015-8743)
  * net-vmxnet3-avoid-memory-leakage-in-activate_device-[...].patch
    (Closes: #808145, CVE-2015-8567, CVE-2015-8568)
  * scsi-initialise-info-object-with-appropriate-size-CVE-2015-8613.patch
    (Closes: #809232, CVE-2015-8613)
  * vmxnet3-refine-l2-header-validation-CVE-2015-8744.patch
    (Closes: CVE-2015-8744)
  * vmxnet3-support-reading-IMR-registers-on-bar0-CVE-2015-8745.patch
    (Closes: CVE-2015-8745)
  * ide-ahci-reset-ncq-object-to-unused-on-error-CVE-2016-1568.patch
    (Closes: #810527, CVE-2016-1568)
  * fw_cfg-add-check-to-validate-current-entry-value-CVE-2016-1714.patch
    (Closes: CVE-2016-1714)
  * i386-avoid-null-pointer-dereference-CVE-2016-1922.patch
    (Closes: #811201, CVE-2016-1922)

quagga (0.99.23.1-1+deb8u1) jessie-security; urgency=high
  .
  * Non-maintainer upload by the Security Team.
  * CVE-2016-2342: VPNv4 NLRI parses memcpys to stack on unchecked length
    (Closes: #819179)

radicale (0.9-1+deb8u1) jessie-security; urgency=high
  .
  * Non-maintainer upload.
  * CVE-2015-8748 and CVE-2015-8747: Fix insecure path handling by
    sanitizing system paths and always making them absolute.
    Fix multifilesystem backend allowing access to arbitrary files on all
    platforms. (Closes: #809920)

rails (2:4.1.8-1+deb8u2) jessie-security; urgency=high
  .
  * Security updates:
    - [CVE-2016-2098] Possible remote code execution vulnerability in
      Action Pack
    - [CVE-2016-2097] Possible Information Leak Vulnerability in Action View.

rails (2:4.1.8-1+deb8u1) jessie-security; urgency=high
  .
  * Security updates:
    - [CVE-2015-3227] Possible Denial of Service attack in Active Support
      (Closes: #790487)
    - [CVE-2015-3226] XSS Vulnerability in ActiveSupport::JSON.encode
      (Closes: #790486)
    - [CVE-2015-7576] Timing attack vulnerability in basic authentication in
      Action Controller.
    - [CVE-2016-0751] Possible Object Leak and Denial of Service attack in
      Action Pack
    - [CVE-2015-7577] Nested attributes rejection proc bypass in Active Record.
    - [CVE-2016-0752] Possible Information Leak Vulnerability in Action View
    - [CVE-2016-0753] Possible Input Validation Circumvention in Active Model
    - [CVE-2015-7581] Object leak vulnerability for wildcard controller routes
      in Action Pack

rdesktop (1.8.2-3+deb8u1) jessie; urgency=medium
  .
  * Fix sigsegv while using credssp and kerberos without specifying
    domainname as argument (closes: #784634).

redmine (3.0~20140825-8~deb8u2) jessie-security; urgency=high
  .
  * Security update. Includes fixes for the following vulnerabilities:
    - CVE-2015-8346: Data disclosure on the time logging form (Closes: #806376)
    - CVE-2015-8474: open redirect vulnerability (Closes: #807272)
    - CVE-2015-8473: Issues API may disclose changeset messages that are not
      visible (Closes: #807345)
    - CVE-2015-8537: Data disclosure in atom feed (Closes: #807826)

roundup (1.4.20-1.1+deb8u1) jessie-security; urgency=high
  .
  * Non-maintainer upload by the Security Team.
  * CVE-2014-6276: Disclosure of user hashed passwords

roundup (1.4.20-1.1+deb7u1) wheezy-security; urgency=high
  .
  * Non-maintainer upload by the Security Team.
  * CVE-2014-6276: Disclosure of user hashed passwords

rsnapshot (1.3.1-4+deb8u1) jessie; urgency=medium
  .
  * debian/patches/14_fix_rsh_args: fix regression on --rsh with args:
    Applied patch from Upstream to fix --rsh command line arguments with
    quotes. The --rsh=... argument to rsync was erroneously quoted when added
    to the @rsync_long_args_stack with options set. Thanks Jonas Genannt for
    the help.

ruby-defaults (1:2.1.5+deb8u2) jessie; urgency=medium
  .
  * ruby: make the conflict on ruby-activesupport-2.3 versioned on (<< 2:4)
    to allow transitional package to be installed (Closes: #798712)

ruby-standalone (0.5+deb8u1) jessie; urgency=medium
  .
  * Install `rubyX.Y` as a link to `ruby` so that binaries installed by
    bundler work. (Bundler forces Rubygems to use a shebang like
    `/usr/bin/env rubyX.Y`).

ruby-tzinfo (1.1.0-2+deb8u1) jessie; urgency=medium
  .
  * Add debian/gbp.conf.
  * Add patch to load iso3166.tab and zone.tab as UTF-8 (Closes: #798348).

s3ql (2.11.1+dfsg-3) jessie; urgency=medium
  .
  * Add support to upgrade from file systems created with the S3QL version
    in Debian Wheezy. Closes: #792685.

samba (2:4.1.17+dfsg-2+deb8u2) jessie-security; urgency=high
  .
  * Add vfs_stat_smb_basename.diff; adds function required by
    cve_2015_7560.diff.
  * Add patch cve_2015_7560.diff, fixes:
    - CVE-2015-7560: Incorrect ACL get/set allowed on symlink path.
  * Add patch cve_2016_0771.diff, fixes:
    - CVE-2016-0771: Out-of-bounds read in internal DNS server.
  * Add patch root-share-path.patch, to fix regression sharing root
    directory introduced by fix for CVE-2015-5252. Closes: #812429

sane-backends (1.0.24-8+deb8u1) stable; urgency=medium
  .
  * Cherry-picked systemd handling from unstable (Closes: #791961):
    - Rewrite debian/saned@.service to prevent errors by network scanning.
    - New debian/sane-utils.links:
      + Add a link from /dev/null to /lib/systemd/system/saned.service to
        prevent start via fallback script /etc/init.d/saned.
    - Add year 2016 to debian/copyright.
sitesummary (0.1.17+deb8u1) jessie; urgency=medium
  .
  * Backport RC fixes from unstable.
  .
  [ Dominik George ]
  * Fix hanging postinst script (Closes: #785214).
  * Fix dangling symlink in apache config after removal
    (Closes: #785215, #794606).

spip (3.0.17-2+deb8u2) jessie-security; urgency=high
  .
  * Backport security fixes from 3.0.22
    - PHP code injection
    - Objects injection via unserialize
  * Update security screen to 1.2.4

squid3 (3.4.8-6+deb8u2) jessie-security; urgency=high
  .
  * Non-maintainer upload by the Security Team.
  * CVE-2016-2571: better handling of huge response headers in src/http.cc

squid3 (3.4.8-6+deb8u2~bpo70+1) wheezy-backports; urgency=medium
  .
  [ Luigi Gangitano ]
  * Rebuild for wheezy-backports.
  .
squid3 (3.4.8-6+deb8u2) jessie-security; urgency=high
  .
  * Non-maintainer upload by the Security Team.
  * CVE-2016-2571: better handling of huge response headers in src/http.cc
  .
squid3 (3.4.8-6+deb8u1) jessie-security; urgency=high
  .
  [ Luigi Gangitano ]
  * debian/patches/36-squid-3.4-13225.patch
    - Added upstream patch fixing Improper Protection of Alternate Path
      (Ref: SQUID-2015:2, CVE-2015-5400) (Closes: #793128)
  .
squid3 (3.4.8-6) unstable; urgency=medium
  .
  [ Luigi Gangitano ]
  * debian/patches/31-squid-3.4-13199.patch
    - Added upstream patch fixing excessive CPU usage (Closes: #776461)
  .
  * debian/patches/32-squid-3.4-13210.patch
    - Added upstream patch fixing excessive CPU and memory usage in NTLM and
      Negotiate authentication helpers (Closes: #776463)
  .
  * debian/patches/33-squid-3.4-13211.patch
    - Added upstream patch fixing a possible replay vulnerability on Digest
      authentication (Closes: #776464)
  .
  * debian/patches/34-squid-3.4-13213.patch
    - Added upstream patch fixing incorrect security permissions for
      TOS/DiffServ packet marking (Closes: #776468)
  .
  * debian/patches/35-squid-3.4-13203.patch
    - Added upstream patch fixing squidclient unable to connect to host with
      both IPv4 and IPv6 addresses (Closes: #742425)

stress (1.0.1-1+deb8u1) jessie; urgency=medium
  .
  * debian/rules: avoid installing the info/dir.gz file. (Closes: #799717)

subversion (1.8.10-6+deb8u3) jessie; urgency=medium
  .
  * patches/r1701440-kwallet-segfault: Fix segfault when using kwallet to
    store authentication information. (Closes: #736879)

suckless-tools (40-1+deb8u1) stable-proposed-updates; urgency=medium
  .
  * Set myself as the maintainer. Package has already been adopted in
    unstable (ITA: #776482).
  * Patch slock to properly resize the cover window. The cover window now
    resizes correctly when new screens are added or the resolution is
    changed while the lock is active.
  * Add libxrandr-dev to build dependencies (needed by the above patch).

sus (7.20160312~deb8u1) jessie; urgency=medium
  .
  * Non-maintainer upload.
  * Rebuild for jessie.
  .
sus (7.20160312) unstable; urgency=medium
  .
  * The upstream tarball for SUSv4 TC1 changed; update checksum
    (Closes: #817819)
  * urgency=medium since susv4 is no longer installable
  * debian/control:
    - Bump Standards-Version to 3.9.7 (No changes needed)

sus (7.20160107) unstable; urgency=medium
  .
  * The upstream tarball for SUSv4 TC1 changed; update checksum
    (Closes: #790535)
    | The chapters on m4 and expr seem to have been improved slightly
  * urgency=medium since susv4 is no longer installable

systemd (215-17+deb8u4) stable; urgency=medium
  .
  [ Martin Pitt ]
  * debian/udev.prerm: Add missing "deconfigure" action. (Closes: #809744)
  * udev.postinst: Don't call addgroup with --quiet, so that if the "input"
    group already exists as a non-system group you get a sensible error
    message. Some broken tutorials forget the --system option.
    (Closes: #769948, LP: #1455956)
  * systemd.postinst: Drop the --quiet from the addgroup calls as well, same
    reason as above. (Closes: #762275)
  .
  [ Michael Biebl ]
  * Make sure all swap units are ordered before the swap target. This avoids
    swap devices being stopped prematurely during shutdown. (Closes: #805133)
  * Only skip the filesystem check for /usr if the /run/initramfs/fsck-usr
    flag file exists. Otherwise we break booting with dracut which uses
    systemd inside the initramfs. (Closes: #810748)
  * Fix --network-interface in systemd-nspawn to not fail when modifying an
    existing link. (Closes: #813696)

tiff (4.0.3-12.3+deb8u1) jessie-security; urgency=high
  .
  * Backport upstream fixes for:
    - CVE-2015-8665 an out-of-bound read in TIFFRGBAImage interface
      (closes: #808968),
    - CVE-2015-8683 an out-of-bounds read in CIE Lab image format
      (closes: #809021),
    - CVE-2015-8781 out of bounds write at tif_luv.c:208,
    - CVE-2015-8782 potential out-of-bound writes in decode,
    - CVE-2015-8783 potential out-of-bound reads in case of short input data,
    - CVE-2015-8784 potential out-of-bound write in NeXTDecode().

tomcat7 (7.0.56-3+deb8u1) jessie-security; urgency=medium
  .
  * Fixed CVE-2014-7810: Malicious web applications could use expression
    language to bypass the protections of a Security Manager as expressions
    were evaluated within a privileged code section.

torbrowser-launcher (0.1.9-1+deb8u3) jessie; urgency=medium
  .
  * Add these patches backported from 0.2.3-1 and 0.2.4-1:
    - 0011-Fix-issue-with-detecting-language-fixes-220.patch to fix issue
      with detecting language (Closes: #753173)
    - 0012-Fail-to-launch-Tor-Browser-if-its-version-is-earlier.patch
    - 0012a-Remove-certificate-pinning--github-issue-224.patch to avoid
      issues with upcoming certificate change, thus the minimum Tor Browser
      version was hard-coded in the release (Closes: #811499)
      For more info on patch 0012 and 0012a see
      https://github.com/micahflee/torbrowser-launcher/issues/229
    - 0013-Prevent-signature-verification-attack-by-passing-bot.patch fixing
      CVE-2016-3180, for more info see
      https://github.com/micahflee/torbrowser-launcher/issues/229
    - 0014-Prevent-attempts-at-directory-traversal-attacks-even.patch
      This is an improvement for patch 0012.
    - 0099-Bump-version-to-0.1.9-deb8u3.patch to bump version to
      0.1.9+deb8u3 in share/torbrowser-launcher/version.

tzdata (2016c-0+deb8u1) stable; urgency=medium
  .
  * New upstream version, affecting the following future time stamps:
    - America/Santiago
    - Asia/Baku

tzdata (2016c-0+deb7u1) oldstable; urgency=medium
  .
  * New upstream version, affecting the following future time stamps:
    - America/Santiago
    - Asia/Baku

tzdata (2016b-1) unstable; urgency=medium
  .
  * New upstream version, affecting the following future time stamps:
    - America/Port-au-Prince
    - Asia/Gaza
    - Asia/Hebron
  * debian/rules: remove emdebian ifdefs.
  * debian/compat, debian/control, debian/rules: rewrite using dh and
    debhelper compatibility 9.
  * Update French debconf translation, by Christian Perrier. Closes: #814831.
  * Update Japanese debconf translation, by Takuma Yamada. Closes: #815386.
  * Drop the tzdata-java package. Closes: #814073.
  * debian/control: Update Standards-Version to 3.9.7, no changes.

tzdata (2016b-0+deb8u1) stable; urgency=medium
  .
  * New upstream version, affecting the following future time stamps:
    - America/Cayman
    - America/Port-au-Prince
    - Asia/Chita
    - Asia/Gaza
    - Asia/Hebron
    - Asia/Tehran

tzdata (2016b-0+deb7u1) oldstable; urgency=medium
  .
  * New upstream version, affecting the following future time stamps:
    - America/Cayman
    - America/Port-au-Prince
    - Asia/Chita
    - Asia/Gaza
    - Asia/Hebron
    - Asia/Tehran

tzdata (2016a-1) unstable; urgency=medium
  .
  [ Aurelien Jarno ]
  * Add Vcs-Git and Vcs-Browser fields to debian/control.
  * New upstream version, affecting the following future time stamps:
    - America/Cayman
    - Asia/Chita
    - Asia/Tehran
  * Change /etc/timezone into a symlink (closes: #803144)

tzdata (2015g-1) unstable; urgency=medium
  .
  [ Aurelien Jarno ]
  * New upstream version, affecting the following future time stamps:
    - Fiji
    - Fort Nelson, British Columbia
    - Norfolk Island
    - Turkey (closes: #801172)

unbound (1.4.22-3+deb8u1) jessie; urgency=medium
  .
  * iterator/iter_hints.c: Update hints for H.ROOT-SERVERS.NET
    (Closes: #815370)

virtualbox (4.3.36-dfsg-1+deb8u1) jessie-security; urgency=medium
  .
  * New upstream bugfix release.
    - Addressed CVE-2016-0592, CVE-2016-0495, CVE-2015-8104, CVE-2015-7183,
      CVE-2015-5307

vsftpd (3.0.2-17+deb8u1) stable; urgency=medium
  .
  * Add patch debian/patches/0050-CVE-2015-1419.patch from 3.0.2-18:
    - Fix config option "deny_file" not always being handled correctly
      CVE-2015-1419 (Closes: #776922).
  * Add patch debian/patches/0055-set_default_listen.patch from 3.0.2-19:
    - Set the default value of tunable_listen to the same value of listen
      from the man page vsftpd.conf (Closes: #783077).
  * Add year 2015 to debian/copyright.

websvn (2.3.3-1.2+deb8u1) jessie-security; urgency=high
  .
  * Non-maintainer upload by the Security Team
  * Properly escape user-supplied input (CVE-2016-2511)

whatmaps (0.0.9-1+deb8u1) stable-proposed-updates; urgency=medium
  .
  * [920f1dd] Respect jessie apache package rename (Closes: #791569)
  * [7c61790] Adjust gbp.conf for Jessie

wireshark (1.12.1+g01b65bf-4+deb8u5) jessie-security; urgency=medium
  .
  * security fixes from Wireshark 1.12.10:
    - DNP dissector infinite loop (CVE-2016-2523)
    - RSL dissector crash (CVE-2016-2530 CVE-2016-2531)
    - LLRP dissector crash (CVE-2016-2532)
    - GSM A-bis OML dissector crash
    - ASN.1 BER dissector crashes
  * security fixes from Wireshark 1.12.9:
    - RSL dissector crash (CVE-2015-8731)

wireshark (1.12.1+g01b65bf-4+deb8u4) jessie-security; urgency=high
  .
  * security fixes from Wireshark 1.12.8:
    - Pcapng file parser crash. Discovered by Dario Lombardo and Shannon
      Sabens. (CVE-2015-7830)
  * Enable all hardening flags
  * security fixes from Wireshark 1.12.9:
    - NBAP dissector crashes (CVE-2015-8711)
    - UMTS FP dissector crashes (CVE-2015-8712, CVE-2015-8713)
    - DCOM dissector crash (CVE-2015-8714)
    - AllJoyn dissector infinite loop (CVE-2015-8715)
    - T.38 dissector crash (CVE-2015-8716)
    - SDP dissector crash (CVE-2015-8717)
    - NLM dissector crash (CVE-2015-8718)
    - DNS dissector crash (CVE-2015-8719)
    - BER dissector crash (CVE-2015-8720)
    - Zlib decompression crash (CVE-2015-8721)
    - SCTP dissector crash (CVE-2015-8722)
    - 802.11 decryption crash (CVE-2015-8723, CVE-2015-8724)
    - DIAMETER dissector crash (CVE-2015-8725)
    - VeriWave file parser crashes (CVE-2015-8726)
    - RSVP dissector crash (CVE-2015-8727)
    - ANSI A & GSM A dissector crashes (CVE-2015-8728)
    - Ascend file parser crash (CVE-2015-8729)
    - NBAP dissector crash (CVE-2015-8730)
    - ZigBee ZCL dissector crash (CVE-2015-8732)
    - Sniffer file parser crash (CVE-2015-8733)

wordpress (4.1+dfsg-1+deb8u8) jessie-security; urgency=high
  .
  * Changeset 36435 fixes SSRF for URLs CVE-2016-2222
  * Changeset 36444 improved redirect checking CVE-2016-2221
  * Closes: #813697

xdelta3 (3.0.8-dfsg-1+deb8u1) jessie-security; urgency=high
  .
  * Non-maintainer upload by the Security Team.
  * Fix LZMA tests (Closes: #740284)
  * CVE-2014-9765: buffer overflow in main_get_appheader (Closes: #814067)

xen (4.4.1-9+deb8u4) jessie-security; urgency=medium
  .
  * CVE-2015-8339
  * CVE-2015-8340
  * CVE-2015-8341
  * CVE-2015-8550
  * CVE-2015-8555
  * CVE-2016-1570
  * CVE-2016-1571
  * CVE-2016-2270
  * CVE-2016-2271
  * XSA166

xerces-c (3.1.1-5.1+deb8u1) jessie-security; urgency=high
  .
  * Non-maintainer upload by the Security Team.
  * CVE-2016-0729: Buffer overflows during processing and error reporting

xvba-video (0.8.0-9+deb8u1) jessie; urgency=medium
  .
  * xvba-va-driver as a separate package has been obsoleted by fglrx-driver
    1:15.9, turn it into an empty metapackage.
  * Stop shipping fglrx_drv_video.so and xvba_drv_video.so. (Closes: #813427)
  * Bump Depends on libfglrx-amdxvba1 to (>= 1:15.9) which provides them.
  * This breaks compatibility with libfglrx-legacy-amdxvba1 (but that
    package exists only in wheezy-backports).

======================================
Sat, 23 Jan 2016 - Debian 8.3 released
======================================

=========================================================================
[Date: Sat, 23 Jan 2016 10:22:05 +0000] [ftpmaster: Archive Administrator]
Removed the following packages from stable:

iceweasel-vimperator | 3.8.2-2 | all
          vimperator | 3.8.2-2 | source
Closed bugs: 801617

------------------- Reason -------------------
RoM; incompatible with newer iceweasel versions
----------------------------------------------
=========================================================================

=========================================================================
[Date: Sat, 23 Jan 2016 10:22:57 +0000] [ftpmaster: Archive Administrator]
Removed the following packages from stable:

       core-network | 4.7-2 | source, all
core-network-daemon | 4.7-2 | amd64, arm64, armel, armhf, i386, mips, mipsel, powerpc, ppc64el, s390x
   core-network-gui | 4.7-2 | all
Closed bugs: 803590

------------------- Reason -------------------
RoST; security issues
----------------------------------------------
=========================================================================

=========================================================================
[Date: Sat, 23 Jan 2016 10:24:00 +0000] [ftpmaster: Archive Administrator]
Removed the following packages from stable:

elasticsearch | 1.0.3+dfsg-5+deb8u1 | source, all
Closed bugs: 805586

------------------- Reason -------------------
RoST; no longer supported
----------------------------------------------
=========================================================================

=========================================================================
[Date: Sat, 23 Jan 2016 10:24:24 +0000] [ftpmaster: Archive Administrator]
Removed the following packages from stable:

googlecl | 0.9.13-2 | source, all
Closed bugs: 806468

------------------- Reason -------------------
RoM; broken due to relying on obsolete APIs
----------------------------------------------
=========================================================================

=========================================================================
[Date: Sat, 23 Jan 2016 10:25:05 +0000] [ftpmaster: Archive Administrator]
Removed the following packages from stable:

     libnsgif | 0.0.1-1.1 | source
    libnsgif0 | 0.0.1-1.1 | amd64, arm64, armel, armhf, i386, mips, mipsel, powerpc, ppc64el, s390x
libnsgif0-dbg | 0.0.1-1.1 | amd64, arm64, armel, armhf, i386, mips, mipsel, powerpc, ppc64el, s390x
libnsgif0-dev | 0.0.1-1.1 | amd64, arm64, armel, armhf, i386, mips, mipsel, powerpc, ppc64el, s390x
Closed bugs: 808436

------------------- Reason -------------------
RoST; unmaintained, security issues
----------------------------------------------
=========================================================================

=========================================================================
[Date: Sat, 23 Jan 2016 10:25:49 +0000] [ftpmaster: Archive Administrator]
Removed the following packages from stable:

     libnsbmp | 0.0.1-1.1 | source
    libnsbmp0 | 0.0.1-1.1 | amd64, arm64, armel, armhf, i386, mips, mipsel, powerpc, ppc64el, s390x
libnsbmp0-dbg | 0.0.1-1.1 | amd64, arm64, armel, armhf, i386, mips, mipsel, powerpc, ppc64el, s390x
libnsbmp0-dev | 0.0.1-1.1 | amd64, arm64, armel, armhf, i386, mips, mipsel, powerpc, ppc64el, s390x
Closed bugs: 808439

------------------- Reason -------------------
RoST; unmaintained, security issues
----------------------------------------------
=========================================================================

=========================================================================
[Date: Sat, 23 Jan 2016 10:47:05 +0000] [ftpmaster: Archive Administrator]
Removed the following packages from stable: python3-yaql | 0.2.3-2 | all ------------------- Reason ------------------- [auto-cruft] no longer built from source ---------------------------------------------- ========================================================================= apache2 (2.4.10-10+deb8u4) jessie; urgency=medium . * Add versioned replaces/breaks for libapache2-mod-macro to apache2, for the config files in /etc. Closes: #806326 * Fix split-logfile to work with current perl. Closes: #803472 * Fix tests on deferred mpm switch. Add special casing for mpm_itk, which is not an mpm anymore, despite the name. Closes: #789914 Closes: #791902 * Fix secondary-init-script to not source the main init script with 'set -e'. Closes: #803177 apt (1.0.9.8.2) jessie; urgency=medium . [ David Kalnischkies ] * hide first pdiff merge failure debug message (Closes: 793444) * mark again deps of pkgs in APT::Never-MarkAuto-Sections as manual. Thanks to Raphaël Hertzog and Adam Conrad for detailed reports and initial patches (Closes: 793360) (LP: 1479207) . [ Julian Andres Klode ] * Do not parse Status fields from remote sources . [ Michael Vogt ] * Use xgettext --no-location in make update-pot apt-dater-host (1.0.0-2+deb8u1) stable; urgency=low . * Add patch 01-jessie-kernel-detection to fix Linux Kernel status detection with newer Jessie images. Thanks to Robert Bihlmeyer. Closes: #794630 apt-offline (1.5.1) jessie; urgency=medium . * [67c2ba5] Add python-apt to Depends. Thanks Paul Wise (Closes: #801502) arb (6.0.2-1+deb8u1) jessie; urgency=medium . * Skip compiler version check at all Closes: #793187 augeas (1.2.0-0.2+deb8u1) jessie-proposed-updates; urgency=medium . * Non-maintainer upload. . [ Yann Soubeyrand ] * Httpd lense: - Allow EOL comments after section tags (thanks Dominic Cleal from Red Hat for reporting the patch) (Closes: #802665) - Include /etc/apache2/conf-available directory (Closes: #764699) . 
  [ Mattia Rizzolo ]
  * debian/patches/0003-Httpd-Allow-eol-comments-after-section-tags.patch:
    + Rewrite DEP-3 header.

augeas (1.2.0-0.2+deb8u1~bpo70+1) wheezy-backports; urgency=medium

  * Non-maintainer upload.
  * Rebuild for wheezy-backports.

augeas (1.2.0-0.2+deb8u1) jessie-proposed-updates; urgency=medium

  * Non-maintainer upload.

  [ Yann Soubeyrand ]
  * Httpd lens:
    - Allow EOL comments after section tags (thanks Dominic Cleal from Red Hat for reporting the patch) (Closes: #802665)
    - Include /etc/apache2/conf-available directory (Closes: #764699)

  [ Mattia Rizzolo ]
  * debian/patches/0003-Httpd-Allow-eol-comments-after-section-tags.patch:
    + Rewrite DEP-3 header.

augeas (1.2.0-0.2~bpo70+2) wheezy-backports; urgency=medium

  * libaugeas0: Use a strict version for augeas-lenses dependency, otherwise an incompatible augeas-lenses from stable is installed by default.

augeas (1.2.0-0.2~bpo70+1) wheezy-backports; urgency=medium

  * Rebuild for wheezy-backports.
  * libaugeas0: Pre-Depend on multiarch-support (required for wheezy).

base-files (8+deb8u3) stable; urgency=low

  * Changed /etc/debian_version to 8.3, for Debian 8.3 point release.
  * os-release: Drop trailing slash in SUPPORT_URL variable, as the URL is not supposed to have it. Closes: #781809, #800791.

bcfg2 (1.3.5-1+deb8u1) stable; urgency=medium

  * Apply patch from Jonas Jochmaring to support Django 1.7 (Closes: #755645)
  * Add fix for reports.wsgi to the Django 1.7 patch
  * Install the new south_migrations into the package

ben (0.7.0+deb8u1) jessie; urgency=medium

  [ Emilio Pozuelo Monfort ]
  * Fix buildd.debian.org compact links

  [ Mehdi Dogguy ]
  * Ignore potential errors when deleting lock file
  * Call dose-debcheck with --deb-native-arch

bind9 (1:9.9.5.dfsg-9+deb8u4) jessie-security; urgency=high

  * Non-maintainer upload by the Security Team.
  * Add patch to fix CVE-2015-8000.
    CVE-2015-8000: Insufficient testing when parsing a message allowed records with an incorrect class to be accepted, triggering a REQUIRE failure when those records were subsequently cached.

bind9 (1:9.9.5.dfsg-9+deb8u3) jessie-security; urgency=medium

  * CVE-2015-5722

blueman (1.99~alpha1-1+deb8u1) jessie-security; urgency=medium

  * Fix local privilege escalation in blueman.Mechanism

bouncycastle (1.49+dfsg-3+deb8u1) jessie-security; urgency=high

  * Team upload.
  * CVE-2015-7940: fix invalid curve attack as described in http://web-in-security.blogspot.ca/2015/09/practical-invalid-curve-attacks.html (Closes: #802671)

ca-certificates (20141019+deb8u1) stable; urgency=medium

  * mozilla/{certdata.txt,nssckbi.h}: Update Mozilla certificate authority bundle to version 2.6. Closes: #806239
    The following certificate authorities were added (+):
    + "CA WoSign ECC Root"
    + "Certification Authority of WoSign G2"
    + "Certinomis - Root CA"
    + "CFCA EV ROOT"
    + "COMODO RSA Certification Authority"
    + "Entrust Root Certification Authority - EC1"
    + "Entrust Root Certification Authority - G2"
    + "GlobalSign ECC Root CA - R4"
    + "GlobalSign ECC Root CA - R5"
    + "IdenTrust Commercial Root CA 1"
    + "IdenTrust Public Sector Root CA 1"
    + "OISTE WISeKey Global Root GB CA"
    + "S-TRUST Universal Root CA"
    + "Staat der Nederlanden EV Root CA"
    + "Staat der Nederlanden Root CA - G3"
    + "TÜRKTRUST Elektronik Sertifika Hizmet Sağlayıcısı H5"
    + "TÜRKTRUST Elektronik Sertifika Hizmet Sağlayıcısı H6"
    + "USERTrust ECC Certification Authority"
    + "USERTrust RSA Certification Authority"
    The following certificate authorities were removed (-):
    - "A-Trust-nQual-03"
    - "America Online Root Certification Authority 1"
    - "America Online Root Certification Authority 2"
    - "Buypass Class 3 CA 1"
    - "ComSign Secured CA"
    - "Digital Signature Trust Co. Global CA 1"
    - "Digital Signature Trust Co. Global CA 3"
    - "E-Guven Kok Elektronik Sertifika Hizmet Saglayicisi"
    - "GTE CyberTrust Global Root"
    - "SG TRUST SERVICES RACINE"
    - "TC TrustCenter Class 2 CA II"
    - "TC TrustCenter Universal CA I"
    - "Thawte Premium Server CA"
    - "Thawte Server CA"
    - "TURKTRUST Certificate Services Provider Root 1"
    - "TURKTRUST Certificate Services Provider Root 2"
    - "UTN DATACorp SGC Root CA"
    - "Verisign Class 4 Public Primary Certification Authority - G3"

cacti (0.8.8b+dfsg-8+deb8u3) jessie-security; urgency=high

  * Add upstream patch to fix (Closes: #807599)
    - CVE-2015-8369 SQL Injection vulnerability in graph.php

ceph (0.80.7-2+deb8u1) jessie; urgency=medium

  * [61b5e0] Patch to fix CVE-2015-5245 applied from upstream (Closes: #798567)

charybdis (3.4.2-5~deb8u1) stable; urgency=high

  * switch to new anonscm hostnames
  * initialise gnutls properly (Closes: #768339, #705369)
  * add fix for CVE-2015-5290, cherry-picked from upstream d5f856c^..172b58f

chromium-browser (47.0.2526.80-1~deb8u1) jessie-security; urgency=medium

  * New upstream stable release:
    - Multiple vulnerabilities fixed in libv8 4.7.80.23.
    - CVE-2015-6788: Type confusion in extensions. Credit to anonymous.
    - CVE-2015-6789: Use-after-free in Blink. Credit to cloudfuzzer.
    - CVE-2015-6790: Escaping issue in saved pages. Credit to Inti De Ceukelaire.
    - CVE-2015-6791: Various fixes from internal audits, fuzzing and other initiatives.

chromium-browser (47.0.2526.73-1) unstable; urgency=medium

  * New upstream stable release:
    - CVE-2015-1302: Information leak in PDF viewer. Credit to Rob Wu.
    - CVE-2015-6765: Use-after-free in AppCache. Credit to anonymous.
    - CVE-2015-6766: Use-after-free in AppCache. Credit to anonymous.
    - CVE-2015-6767: Use-after-free in AppCache. Credit to anonymous.
    - CVE-2015-6768: Cross-origin bypass in DOM. Credit to Mariusz Mlynski.
    - CVE-2015-6769: Cross-origin bypass in core. Credit to Mariusz Mlynski.
    - CVE-2015-6770: Cross-origin bypass in DOM. Credit to Mariusz Mlynski.
    - CVE-2015-6771: Out of bounds access in v8. Credit to anonymous.
    - CVE-2015-6772: Cross-origin bypass in DOM. Credit to Mariusz Mlynski.
    - CVE-2015-6764: Out of bounds access in v8. Credit to Guang Gong.
    - CVE-2015-6773: Out of bounds access in Skia. Credit to cloudfuzzer.
    - CVE-2015-6774: Use-after-free in Extensions. Credit to anonymous.
    - CVE-2015-6775: Type confusion in PDFium. Credit to Atte Kettunen.
    - CVE-2015-6776: Out of bounds access in PDFium. Credit to Hanno Böck.
    - CVE-2015-6777: Use-after-free in DOM. Credit to Long Liu.
    - CVE-2015-6778: Out of bounds access in PDFium. Credit to Karl Skomski.
    - CVE-2015-6779: Scheme bypass in PDFium. Credit to Til Jasper Ullrich.
    - CVE-2015-6780: Use-after-free in Infobars. Credit to Khalil Zhani.
    - CVE-2015-6781: Integer overflow in Sfntly. Credit to miaubiz.
    - CVE-2015-6782: Content spoofing in Omnibox. Credit to Luan Herrera.
    - CVE-2015-6784: Escaping issue in saved pages. Credit to Inti De Ceukelaire.
    - CVE-2015-6785: Wildcard matching issue in CSP. Credit to Michael Ficarra.
    - CVE-2015-6786: Scheme bypass in CSP. Credit to Michael Ficarra.
  * Lengthen GPU timeout (closes: #781940).
  * Enable accelerated video decoding (closes: #793815).

chromium-browser (47.0.2526.73-1~deb8u1) jessie-security; urgency=medium

  * New upstream stable release:
    - CVE-2015-1302: Information leak in PDF viewer. Credit to Rob Wu.
    - CVE-2015-6765: Use-after-free in AppCache. Credit to anonymous.
    - CVE-2015-6766: Use-after-free in AppCache. Credit to anonymous.
    - CVE-2015-6767: Use-after-free in AppCache. Credit to anonymous.
    - CVE-2015-6768: Cross-origin bypass in DOM. Credit to Mariusz Mlynski.
    - CVE-2015-6769: Cross-origin bypass in core. Credit to Mariusz Mlynski.
    - CVE-2015-6770: Cross-origin bypass in DOM. Credit to Mariusz Mlynski.
    - CVE-2015-6771: Out of bounds access in v8. Credit to anonymous.
    - CVE-2015-6772: Cross-origin bypass in DOM. Credit to Mariusz Mlynski.
    - CVE-2015-6764: Out of bounds access in v8. Credit to Guang Gong.
    - CVE-2015-6773: Out of bounds access in Skia. Credit to cloudfuzzer.
    - CVE-2015-6774: Use-after-free in Extensions. Credit to anonymous.
    - CVE-2015-6775: Type confusion in PDFium. Credit to Atte Kettunen.
    - CVE-2015-6776: Out of bounds access in PDFium. Credit to Hanno Böck.
    - CVE-2015-6777: Use-after-free in DOM. Credit to Long Liu.
    - CVE-2015-6778: Out of bounds access in PDFium. Credit to Karl Skomski.
    - CVE-2015-6779: Scheme bypass in PDFium. Credit to Til Jasper Ullrich.
    - CVE-2015-6780: Use-after-free in Infobars. Credit to Khalil Zhani.
    - CVE-2015-6781: Integer overflow in Sfntly. Credit to miaubiz.
    - CVE-2015-6782: Content spoofing in Omnibox. Credit to Luan Herrera.
    - CVE-2015-6784: Escaping issue in saved pages. Credit to Inti De Ceukelaire.
    - CVE-2015-6785: Wildcard matching issue in CSP. Credit to Michael Ficarra.
    - CVE-2015-6786: Scheme bypass in CSP. Credit to Michael Ficarra.

chromium-browser (47.0.2526.16-1) experimental; urgency=medium

  * New upstream beta release.
  * Lengthen GPU timeout (closes: #781940).
  * Enable accelerated video decoding (closes: #793815).

chromium-browser (46.0.2490.71-1) unstable; urgency=medium

  * New upstream stable release:
    - CVE-2015-6755: Cross-origin bypass in Blink. Credit to Mariusz Mlynski.
    - CVE-2015-6756: Use-after-free in PDFium. Credit to anonymous.
    - CVE-2015-6757: Use-after-free in ServiceWorker. Credit to Collin Payne.
    - CVE-2015-6758: Bad-cast in PDFium. Credit to Atte Kettunen of OUSPG.
    - CVE-2015-6759: Information leakage in LocalStorage. Credit to Muneaki Nishimura.
    - CVE-2015-6760: Improper error handling in libANGLE. Credit to Ronald Crane, an independent security researcher.
    - CVE-2015-6762: CORS bypass via CSS fonts. Credit to Muneaki Nishimura.
    - CVE-2015-6763: Various fixes from internal audits, fuzzing and other initiatives.
    - Multiple vulnerabilities in V8 fixed at the tip of the 4.6 branch (currently 4.6.85.23).

chromium-browser (46.0.2490.71-1~deb8u1) jessie-security; urgency=medium

  * New upstream stable release:
    - CVE-2015-1303: Cross-origin bypass in DOM. Credit to Mariusz Mlynski.
    - CVE-2015-1304: Cross-origin bypass in V8. Credit to Mariusz Mlynski.
    - CVE-2015-6755: Cross-origin bypass in Blink. Credit to Mariusz Mlynski.
    - CVE-2015-6756: Use-after-free in PDFium. Credit to anonymous.
    - CVE-2015-6757: Use-after-free in ServiceWorker. Credit to Collin Payne.
    - CVE-2015-6758: Bad-cast in PDFium. Credit to Atte Kettunen of OUSPG.
    - CVE-2015-6759: Information leakage in LocalStorage. Credit to Muneaki Nishimura.
    - CVE-2015-6760: Improper error handling in libANGLE. Credit to Ronald Crane, an independent security researcher.
    - CVE-2015-6761: Memory corruption in FFMpeg. Credit to Aki Helin and Khalil Zhani.
    - CVE-2015-6762: CORS bypass via CSS fonts. Credit to Muneaki Nishimura.
    - CVE-2015-6763: Various fixes from internal audits, fuzzing and other initiatives.
    - Multiple vulnerabilities in V8 fixed at the tip of the 4.6 branch (currently 4.6.85.23).

chromium-browser (46.0.2490.13-1) experimental; urgency=medium

  * New upstream beta release.

chromium-browser (45.0.2454.101-1) unstable; urgency=medium

  * New upstream stable release:
    - CVE-2015-1303: Cross-origin bypass in DOM. Credit to Mariusz Mlynski.
    - CVE-2015-1304: Cross-origin bypass in V8. Credit to Mariusz Mlynski.

chromium-browser (45.0.2454.85-1) unstable; urgency=medium

  * New upstream stable release:
    - CVE-2015-1291: Cross-origin bypass in DOM. Credit to anonymous.
    - CVE-2015-1292: Cross-origin bypass in ServiceWorker. Credit to Mariusz Mlynski.
    - CVE-2015-1293: Cross-origin bypass in DOM. Credit to Mariusz Mlynski.
    - CVE-2015-1294: Use-after-free in Skia. Credit to cloudfuzzer.
    - CVE-2015-1295: Use-after-free in Printing. Credit to anonymous.
    - CVE-2015-1296: Character spoofing in omnibox. Credit to zcorpan.
    - CVE-2015-1297: Permission scoping error in WebRequest. Credit to Alexander Kashev.
    - CVE-2015-1298: URL validation error in extensions. Credit to Rob Wu.
    - CVE-2015-1299: Use-after-free in Blink. Credit to taro.suzuki.dev.
    - CVE-2015-1300: Information leak in Blink. Credit to cgvwzq.
    - CVE-2015-1301: Various fixes from internal audits, fuzzing and other initiatives.
    - Multiple vulnerabilities in the libv8 library (updated to 4.5.103.29).

chromium-browser (45.0.2454.85-1~deb8u1) jessie-security; urgency=high

  * New upstream stable release:
    - CVE-2015-1291: Cross-origin bypass in DOM. Credit to anonymous.
    - CVE-2015-1292: Cross-origin bypass in ServiceWorker. Credit to Mariusz Mlynski.
    - CVE-2015-1293: Cross-origin bypass in DOM. Credit to Mariusz Mlynski.
    - CVE-2015-1294: Use-after-free in Skia. Credit to cloudfuzzer.
    - CVE-2015-1295: Use-after-free in Printing. Credit to anonymous.
    - CVE-2015-1296: Character spoofing in omnibox. Credit to zcorpan.
    - CVE-2015-1297: Permission scoping error in WebRequest. Credit to Alexander Kashev.
    - CVE-2015-1298: URL validation error in extensions. Credit to Rob Wu.
    - CVE-2015-1299: Use-after-free in Blink. Credit to taro.suzuki.dev.
    - CVE-2015-1300: Information leak in Blink. Credit to cgvwzq.
    - CVE-2015-1301: Various fixes from internal audits, fuzzing and other initiatives.
    - Multiple vulnerabilities in the libv8 library (updated to 4.5.103.29).

chromium-browser (44.0.2403.157-1) unstable; urgency=medium

  * New upstream stable release:
    - GPU process race condition fixed (closes: #794472).
  * Use system ffmpeg (closes: #763632):
    - Thanks to Andreas Cadhalpun.

chromium-browser (44.0.2403.107-2) unstable; urgency=medium

  * More updates to debian/copyright.
  * Add some more instructions for bug presubmission.
  * Remove no longer needed mainscript and preinst scripts.
  * Use chromium.png in the desktop launcher (closes: #794818).

chromium-browser (44.0.2403.107-1) unstable; urgency=medium

  * New upstream stable release.
  * More updates to debian/copyright.

chromium-browser (44.0.2403.89-1) unstable; urgency=medium

  * New upstream stable release:
    - CVE-2015-1270: Uninitialized memory read in ICU. Credit to Atte Kettunen.
    - CVE-2015-1271: Heap-buffer-overflow in pdfium. Credit to cloudfuzzer.
    - CVE-2015-1272: Use-after-free related to unexpected GPU process termination. Credit to Chamal de Silva.
    - CVE-2015-1273: Heap-buffer-overflow in pdfium. Credit to makosoft.
    - CVE-2015-1274: Settings allowed executable files to run immediately after download. Credit to andrewm.bpi.
    - CVE-2015-1275: UXSS in Chrome for Android. Credit to WangTao(neobyte).
    - CVE-2015-1276: Use-after-free in IndexedDB. Credit to Collin Payne.
    - CVE-2015-1277: Use-after-free in accessibility. Credit to SkyLined.
    - CVE-2015-1278: URL spoofing using pdf files. Credit to Chamal de Silva.
    - CVE-2015-1279: Heap-buffer-overflow in pdfium. Credit to mlafon.
    - CVE-2015-1280: Memory corruption in skia. Credit to cloudfuzzer.
    - CVE-2015-1281: CSP bypass. Credit to Masato Kinugawa.
    - CVE-2015-1282: Use-after-free in pdfium. Credit to Chamal de Silva.
    - CVE-2015-1283: Heap-buffer-overflow in expat. Credit to Huzaifa Sidhpurwala.
    - CVE-2015-1284: Use-after-free in blink. Credit to Atte Kettunen.
    - CVE-2015-1285: Information leak in XSS auditor. Credit to gazheyes.
    - CVE-2015-1286: UXSS in blink. Credit to anonymous.
    - CVE-2015-1287: SOP bypass with CSS. Credit to filedescriptor.
    - CVE-2015-1288: Spell checking dictionaries fetched over HTTP. Credit to Mike Ruddy.
    - CVE-2015-1289: Various fixes from internal audits, fuzzing and other initiatives.
  * Remove hotword patch, now disabled by default upstream.

chrony (1.30-2+deb8u1) jessie; urgency=medium

  * Build depend on libcap-dev. Without it, chronyd can’t drop root privileges. (Closes: #768803)

commons-httpclient (3.1-11+deb8u1) jessie; urgency=high

  * Team upload.
  * Add CVE-2015-5262.patch. Fix CVE-2015-5262 jakarta-commons-httpclient: https calls ignore http.socket.timeout during SSL Handshake. (Closes: #798650)

cpuset (1.5.6-4+deb8u1) jessie; urgency=high

  * Update filesystem namespace prefix patch (Closes: #796893)

cups-filters (1.0.61-5+deb8u3) jessie-security; urgency=high

  * Backport upstream fixes to also consider the semicolon (';') as an illegal shell escape character (CVE-2015-8560, Closes: #807930)

cups-filters (1.0.61-5+deb8u2) jessie-security; urgency=high

  * Backport upstream fixes to also consider the back tick ('`') as an illegal shell escape character (CVE-2015-8327)

curlftpfs (0.9.2-9~deb8u1) jessie; urgency=medium

  * Non-maintainer upload with maintainer approval.
  * Rebuild for jessie.

curlftpfs (0.9.2-9) unstable; urgency=medium

  * Avoid unsafe cast for getpass() on 64-bit archs. Closes: #795879.
  * Bump Standards-Version to 3.9.6.

cyrus-sasl2 (2.1.26.dfsg1-13+deb8u1) jessie-security; urgency=high

  * [CVE-2013-4122]: Handle NULL returns from glibc 2.17+ crypt() (Closes: #784112)

dbconfig-common (1.8.47+nmu3+deb8u1) jessie; urgency=medium

  * Fix permission of PostgreSQL backup files, thanks Simon Ruderich (Closes: #805638)
  * Repair permissions of already created backups, but only when upgrading from versions before this one (but not from versions after wheezy's point update).

debian-handbook (8.20151209~deb8u1) jessie; urgency=medium

  * Upload jessie version of the book to jessie.

debian-handbook (8.20151102) unstable; urgency=medium

  [ Roland Mas ]
  * Update chapters 5, 6, 8, 9, 10, 11 for Debian 8 Jessie.
  * Update appendix A for Debian 8 Jessie.
  * easy-rsa is now in its own package (closes: #691983).
  * Remove historical information about IDE drives.

  [ Raphaël Hertzog ]
  * Update the foreword for Debian 8 Jessie.
  * Update chapters 1, 2, 3, 4, 7, 12, 13, 14, 15 for Debian 8 Jessie.
  * Update appendix B for Debian 8 Jessie.
  * Fix typo OPSF -> OSPF and Traditionnally -> Traditionally. Closes: #737255, #737884 Thanks to Anders Jonsson for the patches.
  * Fix typo possibbility -> possibility. Closes: #754481 Thanks to Julian Weber for the patch.
  * Be more gender neutral. Closes: #736588 Thanks to Johannes Schauer for the patch.
  * Multiple updates requested by Cyril Brulebois:
    - drop Joey from d-i coordinators
    - drop Cyril from XSF coordinators
    - mention Steve McIntyre for debian-cd
    - virtualbox-ose-guest-dkms -> virtualbox-guest-dkms
    - virtualbox is now in contrib
    - chromium is well established by now
    Closes: #757388
  * Replace some textual references by true . Closes: #788940
  * Replace incorrect option --log-priority with --log-level for LOG target of iptables. Closes: #789285 Thanks to Ryuunosuke AYANOKOUZI for the patch.
  * Add small tip explaining the possibility to put a user in the libvirt group. Thanks to Paul Chavent for the suggestion. Closes: #734397
  * Document suricata instead of snort.
  * Add a section on “dpkg --verify”.
  * Add a section on AppArmor.
  * Add a new section on RTC services. Thanks to Daniel Pocock. Closes: #800884, #802682

debian-handbook (7.20150828) unstable; urgency=medium

  * Fixed small typo in preface of german version. Closes: #792605 Thanks to Georg Faerber for the patch.
  * Update all PO files so that they work with publican 4.3.2 from unstable. Closes: #791812

debian-handbook (7.20150616) unstable; urgency=medium

  * Fix typo OPSF -> OSPF and Traditionnally -> Traditionally. Closes: #737255, #737884 Thanks to Anders Jonsson for the patches.
  * Fix typo possibbility -> possibility. Closes: #754481 Thanks to Julian Weber for the patch.
  * Use same build script as for debian-handbook.info.
  * Include all translations in the package.
  * Update Standards-Version to 3.9.6
  * Save space by dropping useless files. Closes: #672459

debian-installer (20150422+deb8u3) jessie; urgency=medium

  [ Samuel Thibault ]
  * Add beep to UEFI x86 boot menu (Closes: #796591).
  * Add 's' shortcut for speech to UEFI x86 boot menu.

  [ Steve McIntyre ]
  * Add the part_gpt module into the core grub image to make it easier for users doing slightly different things with our images; include support for GPT partition tables as well as msdos (Closes: #789600).

  [ Martin Michlmayr ]
  * Exclude usb-serial-modules from the armel network-console image since it's not useful there (Closes: #809301).
  * Exclude usb-modules explicitly on armel/orion5x network-console to work around bug in util/pkg-list.
  * Drop the file extension from the initrd for QNAP devices.
  * Re-introduce installer images for QNAP TS-x09.
  * Provide u-boot images for plug computers.

  [ Cyril Brulebois ]
  * Adjust p-u support to handle file:// instead of (f|ht)tp:// only, thanks to Łukasz Stelmach for both the report and the patch (Closes: #803711).

debian-installer-netboot-images (20150422+deb8u3) jessie; urgency=medium

  * Update to 20150422+deb8u3 images, from jessie-proposed-updates

docbook2x (0.8.8-9+deb8u1) jessie; urgency=medium

  [ Santiago Vila ]
  * d/p/07_fix_597454_usr_share_info_dir_gz.patch: do not install info/dir.gz files. (Closes: #799700)

doctrine (2.4.6-1+deb8u1) jessie; urgency=medium

  * gbp.conf: Track the jessie branch
  * Fix security misconfiguration vulnerability [CVE-2015-5723]

dpkg (1.17.26) jessie-security; urgency=high

  [ Guillem Jover ]
  * Fix an off-by-one write access in dpkg-deb when parsing the .deb magic. Reported by Jacek Wielemborek . Closes: #798324
  * Fix an off-by-one write access in dpkg-deb when parsing the old format .deb control member size. Thanks to Hanno Böck . Fixes CVE-2015-0860.
  * Fix an off-by-one read access in dpkg-deb when parsing ar member names. Thanks to Hanno Böck .

  [ Updated programs translations ]
  * Catalan (Jordi Mallach).
  * Turkish (Mert Dirik). Closes: #785095

  [ Updated scripts translations ]
  * German (Helge Kreutzmann). (Various fixes)
  * Spanish (Santiago Vila). Closes: #799020

  [ Updated manpages translations ]
  * German (Helge Kreutzmann). (Various fixes)

drbd-utils (8.9.2~rc1-2+deb8u1) jessie; urgency=medium

  * Fix drbdadm adjust with IPv6 peer addresses (Closes: #808315)

drupal7 (7.32-1+deb8u5) stable-security; urgency=high

  * Backported from 7.39: SA-CORE-2015-003 (cross site scripting, access bypass, SQL injection, open redirect). CVE IDs not yet assigned.

drupal7 (7.32-1+deb8u5~bpo70+1) wheezy-backports; urgency=high

  * Rebuild for wheezy-backports
  * Backported from 7.39: SA-CORE-2015-003 (cross site scripting, access bypass, SQL injection, open redirect). CVE IDs not yet assigned.

ejabberd (14.07-4+deb8u3) jessie; urgency=medium

  * Add patch to fix broken ldap queries (Closes: #797645)

exfat-utils (1.1.0-2+deb8u1) jessie; urgency=medium

  * Add the fix for https://github.com/relan/exfat/issues/5 found and reported by The Fuzzing Project. Check sector and cluster size.
  * Add the fix for https://github.com/relan/exfat/issues/6 found and reported by The Fuzzing Project. Detect infinite loop.

exim4 (4.84-8+deb8u2) jessie; urgency=medium

  * 87_Fix-transport-results-pipe-for-multiple-recipients-c.patch: Pull and unfuzz bd21a78 from upstream GIT, to fix a bug causing duplicate deliveries especially on TLS connections. Closes: #805576

exim4 (4.84-8+deb8u1) jessie; urgency=medium

  * Pull 85_Fix-crash-in-mime-acl-when-a-parameter-is-unterminat.patch and 86_Avoid-crash-with-badly-terminated-non-recognised-mim.patch from upstream GIT to fixup more MIME ACL related crashes. (Thanks, Lutz Preßler) Closes: #803562

fglrx-driver (1:15.9-4~deb8u1) jessie; urgency=medium

  * Rebuild for jessie.
  * Reinstate the libxvbaw-dev package.
  * Remove Conflicts/Replaces: xvba-va-driver.
  * Revert patches 12-4.3.0-build and 13-4.4.0-build, the patched kernel module does not work on Linux 4.3. (See #809638 for details.)

fglrx-driver (1:15.9-4) unstable; urgency=medium

  * Fix spelling error in long description.
  * Add patch 06-spelling-error-manpage to fix a spelling error in atieventsd manpage.
  * Add patch 13-4.4.0-build from Ubuntu to fix a FTBFS with Linux 4.4.

fglrx-driver (1:15.9-3) unstable; urgency=high

  [ Andreas Beckmann ]
  * d/rules: Move tar option --no-recursion before the list of files.
  * fglrx-atieventsd.init: Fix 'stop' and implement 'status', thanks to D. Leggett. (Closes: #803494)
  * Reinstate breaks between fglrx-driver and libgl1-fglrx-glx.
  * Update lintian overrides.

  [ Patrick Matthäi ]
  * Add Ubuntu patch 12-4.3.0-build. Closes: #807965

fglrx-driver (1:15.9-2) unstable; urgency=medium

  * amd-opencl-icd: Ship libamdocl12cl{32,64}.so. (Closes: #793488)

fglrx-driver (1:15.9-1) unstable; urgency=medium

  [ Andreas Beckmann ]
  * New upstream release 15.9 (2015-09-15) (15.201.1151). (Closes: #799439)
  * Fixes CVE-2015-7724. (Closes: #803517)
  * Use signature from 15.7.
  * Update watch file.
  * Update lintian overrides.

  [ Patrick Matthäi ]
  * Refresh patch 04-3.17rc6-no_hotplug.
  * Rewrite patch 05-4.0.0-build.
  * Drop merged patch 06-4.0.0-build-2.
  * Rewrite patch 07-4.1.0-build.
  * Rewrite patch 08-4.2.0-build.
  * Rewrite patch 09-4.2.0-build.fpregs_active.
  * Rewrite patch 10-4.2.0-build.copy_xregs_to_kernel.
  * Rewrite patch 11-4.1.0-gpl-only.

fglrx-driver (1:15.7-3) unstable; urgency=high

  * Add patch 11-4.1.0-gpl-only to finally allow fglrx to build with Linux 4.1.

fglrx-driver (1:15.7-2) unstable; urgency=high

  [ Andreas Beckmann ]
  * Drop libxvbaw-dev package.
  * fglrx-driver, fglrx-kernel-*: Report in the package description the latest tested Linux version that can build the kernel module.

  [ Patrick Matthäi ]
  * Add Ubuntu patch 06-4.0.0-build-2.
  * Add Ubuntu patch 07-4.1.0-build to fix a FTBFS with Linux 4.1. Closes: #795222, #795230
  * Add Ubuntu patches 08-4.2.0-build, 09-4.2.0-build.fpregs_active and 10-4.2.0-build.copy_xregs_to_kernel so fglrx may work with Linux 4.2.

fglrx-driver (1:15.7-1) unstable; urgency=medium

  [ Andreas Beckmann ]
  * libfglrx-amdxvba1: Can be used as a va-driver backend.
    - Provides: va-driver since libXvBAW.so.1 now contains the required entrypoints.
    - Conflicts/Provides/Replaces: xvba-va-driver since that wrapper is no longer needed.
    - Ship dri/{xvba,fglrx}_drv_video.so symlinks.
  * Update list of supported models.
  * Create /usr/src/fglrx.tar.bz2 reproducibly.

  [ Patrick Matthäi ]
  * New upstream release 15.7 (2015-07-0?) (15.20.1046). Closes: #791905
    - Refresh hunky patch 04-3.17rc6-no_hotplug.
    - Rewrite patch 05-4.0.0-build.
    - Xorg 1.17 is supported now. Closes: #784903
  * Fixes CVE-2015-7723.
  * Use signature from upstream package.
  * Remove breaks between fglrx-driver and libgl1-fglrx-glx, since it confuses dpkg.

fglrx-driver (1:15.5-1) unstable; urgency=low

  * New upstream release 15.5 (2015-06-02) (15.101.1001). Closes: #790794
    - Adjust some lintian overrides.
  * Updated dutch translation from Frans Spiesschaert. Closes: #776756
  * Adjust patch 05-4.0.0-build so it works again.

fglrx-driver (1:14.12-2) unstable; urgency=low

  [ Andreas Beckmann ]
  * fglrx_3.17rc6-no_hotplug.patch: New patch, add support for Linux >= 3.17. Found in the kanotix package. (Closes: #768397)

  [ Michael Gilbert ]
  * Remove myself from the uploaders list.

  [ Patrick Matthäi ]
  * Uploading to unstable.
  * Rename patches (correct order).
  * Add patch 05-4.0.0-build from Michael Rasmussen to fix a FTBFS with Linux 4.0.0. Thanks! Closes: #785150
  * Remove unused lintian override.

fglrx-driver (1:14.12-1) experimental; urgency=medium

  * New upstream release 14.12 (2014-12-09) (14.501.1003). (Closes: #764523)
  * Update watch file, thanks to Bart Martens.
  * amd-opencl-dev: Bump the Breaks/Replaces on nvidia-libopencl1 to cover new upstream releases of nvidia-graphics-drivers-legacy-304xx in wheezy.
  * New Dutch (nl) debconf translation thanks to Frans Spiesschaert. (Closes: #767493)
  * Upload to experimental.

fglrx-driver (1:15.9-3) unstable; urgency=high

  [ Andreas Beckmann ]
  * d/rules: Move tar option --no-recursion before the list of files.
  * fglrx-atieventsd.init: Fix 'stop' and implement 'status', thanks to D. Leggett. (Closes: #803494)
  * Reinstate breaks between fglrx-driver and libgl1-fglrx-glx.
  * Update lintian overrides.

  [ Patrick Matthäi ]
  * Add Ubuntu patch 12-4.3.0-build. Closes: #807965

fglrx-driver (1:15.9-3~bpo8+1) jessie-backports; urgency=medium

  * Rebuild for jessie-backports.

fglrx-driver (1:15.9-3) unstable; urgency=high

  [ Andreas Beckmann ]
  * d/rules: Move tar option --no-recursion before the list of files.
  * fglrx-atieventsd.init: Fix 'stop' and implement 'status', thanks to D. Leggett. (Closes: #803494)
  * Reinstate breaks between fglrx-driver and libgl1-fglrx-glx.
  * Update lintian overrides.

  [ Patrick Matthäi ]
  * Add Ubuntu patch 12-4.3.0-build. Closes: #807965

fglrx-driver (1:15.9-2) unstable; urgency=medium

  * amd-opencl-icd: Ship libamdocl12cl{32,64}.so. (Closes: #793488)

fglrx-driver (1:15.9-2~bpo8+1) jessie-backports; urgency=medium

  * Rebuild for jessie-backports.

fglrx-driver (1:15.9-2) unstable; urgency=medium

  * amd-opencl-icd: Ship libamdocl12cl{32,64}.so. (Closes: #793488)

fglrx-driver (1:15.9-1) unstable; urgency=medium

  [ Andreas Beckmann ]
  * New upstream release 15.9 (2015-09-15) (15.201.1151). (Closes: #799439)
  * Use signature from 15.7.
  * Update watch file.
  * Update lintian overrides.

  [ Patrick Matthäi ]
  * Refresh patch 04-3.17rc6-no_hotplug.
  * Rewrite patch 05-4.0.0-build.
  * Drop merged patch 06-4.0.0-build-2.
  * Rewrite patch 07-4.1.0-build.
  * Rewrite patch 08-4.2.0-build.
  * Rewrite patch 09-4.2.0-build.fpregs_active.
  * Rewrite patch 10-4.2.0-build.copy_xregs_to_kernel.
  * Rewrite patch 11-4.1.0-gpl-only.

fglrx-driver (1:15.9-1) unstable; urgency=medium

  [ Andreas Beckmann ]
  * New upstream release 15.9 (2015-09-15) (15.201.1151). (Closes: #799439)
  * Use signature from 15.7.
  * Update watch file.
  * Update lintian overrides.

  [ Patrick Matthäi ]
  * Refresh patch 04-3.17rc6-no_hotplug.
  * Rewrite patch 05-4.0.0-build.
  * Drop merged patch 06-4.0.0-build-2.
  * Rewrite patch 07-4.1.0-build.
  * Rewrite patch 08-4.2.0-build.
  * Rewrite patch 09-4.2.0-build.fpregs_active.
  * Rewrite patch 10-4.2.0-build.copy_xregs_to_kernel.
  * Rewrite patch 11-4.1.0-gpl-only.

fglrx-driver (1:15.9-1~bpo8+1) jessie-backports; urgency=medium

  * Rebuild for jessie-backports.

fglrx-driver (1:15.9-1) unstable; urgency=medium

  [ Andreas Beckmann ]
  * New upstream release 15.9 (2015-09-15) (15.201.1151). (Closes: #799439)
  * Use signature from 15.7.
  * Update watch file.
  * Update lintian overrides.

  [ Patrick Matthäi ]
  * Refresh patch 04-3.17rc6-no_hotplug.
  * Rewrite patch 05-4.0.0-build.
  * Drop merged patch 06-4.0.0-build-2.
  * Rewrite patch 07-4.1.0-build.
  * Rewrite patch 08-4.2.0-build.
  * Rewrite patch 09-4.2.0-build.fpregs_active.
  * Rewrite patch 10-4.2.0-build.copy_xregs_to_kernel.
  * Rewrite patch 11-4.1.0-gpl-only.

fglrx-driver (1:15.7-3) unstable; urgency=high

  * Add patch 11-4.1.0-gpl-only to finally allow fglrx to build with Linux 4.1.

fglrx-driver (1:15.7-3) unstable; urgency=high

  * Add patch 11-4.1.0-gpl-only to finally allow fglrx to build with Linux 4.1.

fglrx-driver (1:15.7-3~bpo8+1) jessie-backports; urgency=medium

  * Rebuild for jessie-backports.

fglrx-driver (1:15.7-3) unstable; urgency=high

  * Add patch 11-4.1.0-gpl-only to finally allow fglrx to build with Linux 4.1.

fglrx-driver (1:15.7-2) unstable; urgency=high

  [ Andreas Beckmann ]
  * Drop libxvbaw-dev package.
  * fglrx-driver, fglrx-kernel-*: Report in the package description the latest tested Linux version that can build the kernel module.

  [ Patrick Matthäi ]
  * Add Ubuntu patch 06-4.0.0-build-2.
  * Add Ubuntu patch 07-4.1.0-build to fix a FTBFS with Linux 4.1. Closes: #795222, #795230
  * Add Ubuntu patches 08-4.2.0-build, 09-4.2.0-build.fpregs_active and 10-4.2.0-build.copy_xregs_to_kernel so fglrx may work with Linux 4.2.

fglrx-driver (1:15.7-1) unstable; urgency=medium

  [ Andreas Beckmann ]
  * libfglrx-amdxvba1: Can be used as a va-driver backend.
    - Provides: va-driver since libXvBAW.so.1 now contains the required
      entrypoints.
    - Conflicts/Provides/Replaces: xvba-va-driver since that wrapper is no
      longer needed.
    - Ship dri/{xvba,fglrx}_drv_video.so symlinks.
  * Update list of supported models.
  * Create /usr/src/fglrx.tar.bz2 reproducibly.

  [ Patrick Matthäi ]
  * New upstream release.
    Closes: #791905
    - Refresh hunky patch 04-3.17rc6-no_hotplug.
    - Rewrite patch 05-4.0.0-build.
    - Xorg 1.17 is supported now.
      Closes: #784903
  * Use signature from upstream package.
  * Remove breaks between fglrx-driver and libgl1-fglrx-glx, since it
    confuses dpkg.

fglrx-driver (1:15.5-1) unstable; urgency=low

  * New upstream release.
    Closes: #790794
    - Adjust some lintian overrides.
  * Updated Dutch translation from Frans Spiesschaert.
    Closes: #776756
  * Adjust patch 05-4.0.0-build so it works again.

fglrx-driver (1:14.12-2) unstable; urgency=low

  [ Andreas Beckmann ]
  * fglrx_3.17rc6-no_hotplug.patch: New patch, add support for Linux >= 3.17.
    Found in the kanotix package.  (Closes: #768397)

  [ Michael Gilbert ]
  * Remove myself from the uploaders list.

  [ Patrick Matthäi ]
  * Uploading to unstable.
  * Rename patches (correct order).
  * Add patch 05-4.0.0-build from Michael Rasmussen to fix a FTBFS with
    Linux 4.0.0.  Thanks!
    Closes: #785150
  * Remove unused lintian override.

fglrx-driver (1:14.12-1) experimental; urgency=medium

  * New upstream release 14.12 (2014-12-09) (14.501.1003).  (Closes: #764523)
  * Update watch file, thanks to Bart Martens.
  * amd-opencl-dev: Bump the Breaks/Replaces on nvidia-libopencl1 to cover
    new upstream releases of nvidia-graphics-drivers-legacy-304xx in wheezy.
  * New Dutch (nl) debconf translation thanks to Frans Spiesschaert.
    (Closes: #767493)
  * Upload to experimental.

fglrx-driver (1:15.7-2) unstable; urgency=high

  [ Andreas Beckmann ]
  * Drop libxvbaw-dev package.
  * fglrx-driver, fglrx-kernel-*: Report in the package description the
    latest tested Linux version that can build the kernel module.

  [ Patrick Matthäi ]
  * Add Ubuntu patch 06-4.0.0-build-2.
  * Add Ubuntu patch 07-4.1.0-build to fix a FTBFS with Linux 4.1.
    Closes: #795222, #795230
  * Add Ubuntu patches 08-4.2.0-build, 09-4.2.0-build.fpregs_active and
    10-4.2.0-build.copy_xregs_to_kernel so fglrx may work with Linux 4.2.

fglrx-driver (1:15.7-1) unstable; urgency=medium

  [ Andreas Beckmann ]
  * libfglrx-amdxvba1: Can be used as a va-driver backend.
    - Provides: va-driver since libXvBAW.so.1 now contains the required
      entrypoints.
    - Conflicts/Provides/Replaces: xvba-va-driver since that wrapper is no
      longer needed.
    - Ship dri/{xvba,fglrx}_drv_video.so symlinks.
  * Update list of supported models.
  * Create /usr/src/fglrx.tar.bz2 reproducibly.

  [ Patrick Matthäi ]
  * New upstream release.
    Closes: #791905
    - Refresh hunky patch 04-3.17rc6-no_hotplug.
    - Rewrite patch 05-4.0.0-build.
    - Xorg 1.17 is supported now.
      Closes: #784903
  * Use signature from upstream package.
  * Remove breaks between fglrx-driver and libgl1-fglrx-glx, since it
    confuses dpkg.

fglrx-driver (1:15.5-1) unstable; urgency=low

  * New upstream release.
    Closes: #790794
    - Adjust some lintian overrides.
  * Updated Dutch translation from Frans Spiesschaert.
    Closes: #776756
  * Adjust patch 05-4.0.0-build so it works again.

fglrx-driver (1:14.12-2) unstable; urgency=low

  [ Andreas Beckmann ]
  * fglrx_3.17rc6-no_hotplug.patch: New patch, add support for Linux >= 3.17.
    Found in the kanotix package.  (Closes: #768397)

  [ Michael Gilbert ]
  * Remove myself from the uploaders list.

  [ Patrick Matthäi ]
  * Uploading to unstable.
  * Rename patches (correct order).
  * Add patch 05-4.0.0-build from Michael Rasmussen to fix a FTBFS with
    Linux 4.0.0.  Thanks!
    Closes: #785150
  * Remove unused lintian override.

fglrx-driver (1:14.12-1) experimental; urgency=medium

  * New upstream release 14.12 (2014-12-09) (14.501.1003).
    (Closes: #764523)
  * Update watch file, thanks to Bart Martens.
  * amd-opencl-dev: Bump the Breaks/Replaces on nvidia-libopencl1 to cover
    new upstream releases of nvidia-graphics-drivers-legacy-304xx in wheezy.
  * New Dutch (nl) debconf translation thanks to Frans Spiesschaert.
    (Closes: #767493)
  * Upload to experimental.

file (1:5.22+15-2+deb8u1) stable; urgency=medium

  * Fix handling of file's --parameter option.  Closes: #798410
    - The file program segfaults after processing the --parameter
      parameter.  [commit FILE5_24-22-g27b4e34]
    - Any --parameter values have no effect if used with --files-from.
      [commit FILE5_24-23-g4ddb783]

flash-kernel (3.35+deb8u2) stable; urgency=medium

  [ Ian Campbell ]
  * Avoid waiting for Ctrl-C if any debconf frontend is in use, not just
    non-interactive.  (Closes: #791794)

foomatic-filters (4.0.17-5+deb8u1) jessie-security; urgency=high

  * Non-maintainer upload by the Security Team.
  * Add CVE-2015-8327.patch patch.
    CVE-2015-8327: foomatic-rip did not consider the back tick as an illegal
    shell escape character allowing arbitrary code execution.
    (Closes: #806886)
  * Add CVE-2015-8560.patch patch.
    CVE-2015-8560: code execution via improper escaping of ; (semicolon).
    (Closes: #807993)

freeimage (3.15.4-4.2) jessie-security; urgency=high

  * Non-maintainer upload.
  * Fix integer overflow CVE-2015-0852.  (Closes: #797165)

freetype (2.5.2-3+deb8u1) jessie-security; urgency=high

  * Non-maintainer upload.
  * CVE-2014-9745: Fix Savannah bug #41590.  Protect against invalid number
    in t1load.c parse_encoding().
  * CVE-2014-9746, CVE-2014-9747: Fix Savannah bug #41309.  Correct use of
    uninitialized data in t1load.c, cidload.c, t42parse.c and psobjs.c.

freexl (1.0.0g-1+deb8u3) jessie-security; urgency=high

  * Add patch to fix regression introduced by afl-vulnerabilitities.patch.

fuse-exfat (1.1.0-2+deb8u1) jessie; urgency=medium

  * Add the fix for https://github.com/relan/exfat/issues/5 found and
    reported by The Fuzzing Project.  Check sector and cluster size.
  * Add the fix for https://github.com/relan/exfat/issues/6 found and
    reported by The Fuzzing Project.  Detect infinite loop.

ganeti (2.12.4-1+deb8u3) jessie-security; urgency=high

  * Fix gnt-instance info regression after CVE-2015-7945 (Closes: #810850)

ganeti (2.12.4-1+deb8u2) jessie-security; urgency=medium

  * Redact the DRBD secret in instance queries (CVE-2015-7945).
  * RAPI hardening: bind to lo and require authentication (CVE-2015-7944).
  * Add NEWS entry documenting RAPI hardening.
  * Add DEP-8 tests from unstable
    + Ship missing QA files from upstream git.

ganeti (2.12.4-1) unstable; urgency=medium

  * New upstream bugfix release (see /usr/share/doc/ganeti/NEWS.gz),
    including the following fixes:
    + Fix a performance regression in 2.12 during gnt-cluster verify and
      gnt-cluster verify-disks (high CPU usage) (closes: #784620).
    + Make the RAPI responsive after master-failover.
    + Fix gnt-cluster verify reporting existing instance disks on
      non-default VGs as missing.
  * Drop GHC 7.8 patch
    + It is part of the 2.12.4 release.
  * Drop dh_autoreconf
    + Not needed after removing the GHC 7.8 patch.

ganglia-modules-linux (1.3.6-1+deb8u1) stable; urgency=medium

  * Only restart service if already running.  (Closes: #790951)

gdk-pixbuf (2.31.1-2+deb8u4) jessie-security; urgency=high

  * Non-maintainer upload by the Security Team.
  * Add additional patch for CVE-2015-4491.
    The n_x variable could be made large enough to overflow, which was
    missed in the initial commit upstream.

gdk-pixbuf (2.31.1-2+deb8u3) jessie-security; urgency=high

  * Non-maintainer upload by the Security Team.
  * Add patches to fix CVE-2015-7673.
    CVE-2015-7673: Heap overflow and DoS vulnerability when scaling a TGA
    file.
  * Add patch to fix CVE-2015-7674.
    CVE-2015-7674: Heap overflow when scaling a GIF file.

getmail4 (4.46.0-1+deb8u1) jessie; urgency=low

  * Python 2.7.9 introduced a regression while addressing CVE-2013-1752
    with poplib._MAXLINE=2048, which causes problems for some HTML mails etc.
    This fix sets poplib._MAXLINE=1MB as in getmail 4.48.0.
    Closes: #782614

git (1:2.1.4-2.1+deb8u1) jessie-security; urgency=high

  * Non-maintainer upload by the Security Team.
  * Fix CVE-2015-7545, arbitrary code execution issues via URLs with:
    - 01-CVE-2015-7545-1.patch: add a protocol-whitelist environment
      variable
    - 02-CVE-2015-7545-2.patch: allow only certain protocols for submodule
      fetches
    - 03-CVE-2015-7545-3.patch: refactor protocol whitelist code
    - 04-CVE-2015-7545-4.patch: limit redirection to protocol-whitelist
    - 05-CVE-2015-7545-5.patch: limit redirection depth
  * Make new tests executable.

glance (2014.1.3-12+deb8u1) jessie-proposed-updates; urgency=medium

  * CVE-2015-5251: Glance image status manipulation.  Applied upstream patch
    after rebasing it from Juno to Icehouse (Closes: #799931).

glibc (2.19-18+deb8u2) stable; urgency=medium

  [ Aurelien Jarno ]
  * Update from upstream stable branch:
    - Fix getaddrinfo sometimes returning uninitialized data with nscd.
      Closes: #798515.
    - Fix data corruption while reading the NSS files database
      (CVE-2015-5277).  Closes: #799966.
    - Fix buffer overflow (read past end of buffer) in internal_fnmatch.
    - Fix _IO_wstr_overflow integer overflow.
    - Fix unexpected closing of nss_files databases after lookups, causing
      denial of service (CVE-2014-8121).  Closes: #779587.
    - Fix NSCD netgroup cache.  Closes: #800523.
  * patches/any/cvs-ld_pointer_guard.diff: new patch from upstream to
    unconditionally disable LD_POINTER_GUARD.  Closes: #798316, #801691.
  * patches/any/cvs-mangle-tls_dtor_list.diff: new patch from upstream to
    mangle function pointers in tls_dtor_list.  Closes: #802256.
  * patches/any/cvs-strxfrm-buffer-overflows.diff: new patch from upstream
    to fix memory allocation issues that can lead to buffer overflows on
    the stack.  Closes: #803927.

  [ Henrique de Moraes Holschuh ]
  * Replace patches/amd64/local-blacklist-on-TSX-Haswell.diff by
    local-blacklist-for-Intel-TSX.diff, also blacklisting some Broadwell
    models.
    Closes: #800574.

gnome-orca (3.14.0-4+deb8u1) jessie; urgency=medium

  * Team upload.
  * patches/password-not-spoken.diff: Make sure to bring focus on password
    entry when typing a key, so we don't echo it.  (Closes: #800602).

gnome-shell-extension-weather (0~20140924.git7e28508-1+deb8u1) jessie; urgency=medium

  * d/p/missing-api-key.patch: new patch.  Displays a warning if API key has
    not been supplied by the user, since querying openweathermap.org no
    longer works without such a key.  (Closes: #801979)

grub2 (2.02~beta2-22+deb8u1) jessie-security; urgency=high

  * Non-maintainer upload.
  * Fix CVE-2015-8370: buffer overflow when checking password entered during
    bootup (Closes: #807614).

gummi (0.6.5-3+deb8u1) stable; urgency=medium

  * Added no-predictable-tmpfiles.patch, fix of CVE 2015-7758
    (Closes: #756432).

human-icon-theme (0.28.debian-3.4~deb8u1) jessie; urgency=medium

  * Non-maintainer upload.
  * Rebuild for jessie.

human-icon-theme (0.28.debian-3.4) unstable; urgency=medium

  * Non-maintainer upload.
  * debian/clean-up.sh: Do not run processes in background.
    (Closes: #793062)

icedove (31.8.0-1~deb8u1) stable-security; urgency=medium

  * [d427fea] Imported Upstream version 31.8.0
    - MFSA 2015-59 aka CVE-2015-2724
    - MFSA 2015-66 aka CVE-2015-2734, CVE-2015-2735, CVE-2015-2736,
      CVE-2015-2737, CVE-2015-2738, CVE-2015-2739, CVE-2015-2740
    - MFSA 2015-70 aka CVE-2015-4000
    - MFSA 2015-71 aka CVE-2015-2721
  * [6516780] lintian: add override for libpng
  * [1c33ec2] build against internal libnss3

icedove (31.8.0-1~deb7u1) oldstable-security; urgency=medium

  * [d427fea] Imported Upstream version 31.8.0
    - MFSA 2015-59 aka CVE-2015-2724
    - MFSA 2015-66 aka CVE-2015-2734, CVE-2015-2735, CVE-2015-2736,
      CVE-2015-2737, CVE-2015-2738, CVE-2015-2739, CVE-2015-2740
    - MFSA 2015-70 aka CVE-2015-4000
    - MFSA 2015-71 aka CVE-2015-2721
  * [a906439] lintian: add override for libpng

icedove (31.7.0-1) unstable; urgency=medium

  * [c3c81df] Imported Upstream version 31.7.0
  * [471ec7c] rebuild patch queue from patch-queue branch
    added patches:
    - fixes/vp8_impl.cc-backporting-naming-for-const.patch
      (Closes: #785429)
  * [137ee51] lintian: add override for libpng

iceweasel (38.5.0esr-1~deb8u2) stable-security; urgency=medium

  * security/nss/lib/ckfw/builtins/certdata.txt: Remove the SPI Inc. and
    CAcert.org CA certificates.  The former was removed in NSS 3.21-1 and
    the latter in 3.16-1, and remained here largely overlooked.

iceweasel (38.5.0esr-1~deb8u1) stable-security; urgency=medium

  * New upstream release.
  * Fixes for mfsa2015-{134,138-139,145-147,149}, also known as:
    CVE-2015-7201, CVE-2015-7210, CVE-2015-7212, CVE-2015-7205,
    CVE-2015-7213, CVE-2015-7222, CVE-2015-7214.

  * debian/rules: Follow upstream default for Gtk+2 vs. Gtk+3 automatically.
  * debian/watch: Update file to use https://archive.mozilla.org/.

iceweasel (38.5.0esr-1~deb8u1) stable-security; urgency=medium

  * New upstream release.
  * Fixes for mfsa2015-{134,138-139,145-147,149}, also known as:
    CVE-2015-7201, CVE-2015-7210, CVE-2015-7212, CVE-2015-7205,
    CVE-2015-7213, CVE-2015-7222, CVE-2015-7214.

  * debian/rules: Follow upstream default for Gtk+2 vs. Gtk+3 automatically.
  * debian/watch: Update file to use https://archive.mozilla.org/.

iceweasel (38.5.0esr-1~deb7u2) oldstable-security; urgency=medium

  * security/nss/lib/ckfw/builtins/certdata.txt: Remove the SPI Inc. and
    CAcert.org CA certificates.  The former was removed in NSS 3.21-1 and
    the latter in 3.16-1, and remained here largely overlooked.

iceweasel (38.5.0esr-1~deb7u1) oldstable-security; urgency=medium

  * New upstream release.
  * Fixes for mfsa2015-{134,138-139,145-147,149}, also known as:
    CVE-2015-7201, CVE-2015-7210, CVE-2015-7212, CVE-2015-7205,
    CVE-2015-7213, CVE-2015-7222, CVE-2015-7214.

  * debian/rules: Follow upstream default for Gtk+2 vs. Gtk+3 automatically.
  * debian/watch: Update file to use https://archive.mozilla.org/.

iceweasel (38.4.0esr-1) unstable; urgency=medium

  * New upstream release.
  * Fixes for mfsa2015-{116,122-123,127-128,130-132}, also known as:
    CVE-2015-4513, CVE-2015-7188, CVE-2015-7189, CVE-2015-7193,
    CVE-2015-7194, CVE-2015-7196, CVE-2015-7198, CVE-2015-7199,
    CVE-2015-7200, CVE-2015-7197.

iceweasel (38.4.0esr-1~deb8u1) stable-security; urgency=medium

  * New upstream release.
  * Fixes for mfsa2015-{116,122-123,127-128,130-133}, also known as:
    CVE-2015-4513, CVE-2015-7188, CVE-2015-7189, CVE-2015-7193,
    CVE-2015-7194, CVE-2015-7196, CVE-2015-7198, CVE-2015-7199,
    CVE-2015-7200, CVE-2015-7197, CVE-2015-7181, CVE-2015-7182,
    CVE-2015-7183.

  * debian/control*: Bump nspr and nss build dependencies.

iceweasel (38.4.0esr-1~deb7u1) oldstable-security; urgency=medium

  * New upstream release.
  * Fixes for mfsa2015-{116,122-123,127-128,130-133}, also known as:
    CVE-2015-4513, CVE-2015-7188, CVE-2015-7189, CVE-2015-7193,
    CVE-2015-7194, CVE-2015-7196, CVE-2015-7198, CVE-2015-7199,
    CVE-2015-7200, CVE-2015-7197, CVE-2015-7181, CVE-2015-7182,
    CVE-2015-7183.

  * debian/control*: Bump nspr and nss build dependencies.

iceweasel (38.3.0esr-1) unstable; urgency=medium

  * New upstream release.
  * Fixes for mfsa2015-{96,105-106,110-112}, also known as:
    CVE-2015-4500, CVE-2015-4511, CVE-2015-4509, CVE-2015-4519,
    CVE-2015-4520, CVE-2015-7174.

  * debian/rules, debian/removed_conffiles, debian/browser.postinst.in,
    debian/browser.postrm.in, debian/browser.preinst.in: Remove past
    conffiles.  Closes: #795353.

  * config/system-headers: Fix build against latest freetype code.
    bz#1143411, bz#1194520.

iceweasel (38.3.0esr-1~deb8u1) stable-security; urgency=medium

  * New upstream release.
  * Fixes for mfsa2015-{96,101,105-106,110-112}, also known as:
    CVE-2015-4500, CVE-2015-4506, CVE-2015-4511, CVE-2015-4509,
    CVE-2015-4519, CVE-2015-4520, CVE-2015-7174.

  * debian/rules, debian/removed_conffiles, debian/browser.postinst.in,
    debian/browser.postrm.in, debian/browser.preinst.in: Remove past
    conffiles.
    Closes: #795353.

  * config/system-headers: Fix build against latest freetype code.
    bz#1143411, bz#1194520.

iceweasel (38.3.0esr-1~deb7u1) oldstable-security; urgency=medium

  * New upstream release.
  * Fixes for mfsa2015-{96,101,105-106,110-112}, also known as:
    CVE-2015-4500, CVE-2015-4506, CVE-2015-4511, CVE-2015-4509,
    CVE-2015-4519, CVE-2015-4520, CVE-2015-7174.

  * debian/rules, debian/removed_conffiles, debian/browser.postinst.in,
    debian/browser.postrm.in, debian/browser.preinst.in: Remove past
    conffiles.  Closes: #795353.

  * config/system-headers: Fix build against latest freetype code.
    bz#1143411, bz#1194520.

iceweasel (38.2.1esr-1) unstable; urgency=high

  * New upstream release.
  * Fixes for mfsa2015-{94-95}, also known as:
    CVE-2015-4497, CVE-2015-4498.

  * configure.in: Build libvpx neon code with -mfloat-abi=softfp on armel.
  * media/libjpeg/simd/jsimd_mips_dspr2.S: Fix build error in MIPS SIMD when
    compiling with -mfpxx.

iceweasel (38.2.0esr-2) UNRELEASED; urgency=medium

  * debian/rules, debian/upstream.mk: Don't set LESS_SYSTEM_LIBS when
    building a backport for stretch.  Closes: #795331.
  * debian/rules, debian/control.in: Force build with GCC 4.7 when
    backporting to wheezy.

  * media/libvpx/moz.build: Build libvpx neon code without -mthumb and
    -mfloat-abi=softfp.  Closes: #795337.

icu (52.1-8+deb8u3) jessie-security; urgency=high

  * Fix CVE-2015-1270 - uninitialized memory read (closes: #798647).

ieee-data (20150531.1~deb8u1) stable; urgency=medium

  * New iab.txt url updated.
  * SSL connections disabled, since standards.ieee.org uses TLS AIA and many
    downloaders do not support it.  Closes: #783096, #779543.
  * Files mam.txt and oui36.txt added.

intel-microcode (3.20151106.1~deb8u1) stable; urgency=medium

  * Rebuild for jessie (stable update), no changes required
  * This is the same package as 3.20151106.1~bpo8+1 (jessie-backports)
    and 3.20151106.1 (unstable, stretch)

intel-microcode (3.20151106.1) unstable; urgency=medium

  * New upstream microcode data file 20151106
    + New Microcodes:
      sig 0x000306f4, pf mask 0x80, 2015-07-17, rev 0x0009, size 14336
      sig 0x00040671, pf mask 0x22, 2015-08-03, rev 0x0013, size 11264
    + Updated Microcodes:
      sig 0x000306a9, pf mask 0x12, 2015-02-26, rev 0x001c, size 12288
      sig 0x000306c3, pf mask 0x32, 2015-08-13, rev 0x001e, size 21504
      sig 0x000306d4, pf mask 0xc0, 2015-09-11, rev 0x0022, size 16384
      sig 0x000306f2, pf mask 0x6f, 2015-08-10, rev 0x0036, size 30720
      sig 0x00040651, pf mask 0x72, 2015-08-13, rev 0x001d, size 20480
  * This massive Haswell + Broadwell (and related Xeons) update fixes
    several critical errata, including the high-hitting BDD86/BDM101/
    HSM153(?) which triggers an MCE and locks the processor core
    (LP: #1509764)
  * Might fix critical errata BDD51, BDM53 (TSX-related)
  * source: remove superseded upstream data file: 20150121
  * Add support for supplementary microcode bundles:
    + README.source: update and mention supplementary microcode
    + Makefile: support supplementary microcode
    Add support for supplementary microcode bundles, which (unlike .fw
    microcode override files) can be superseded by a higher revision
    microcode from the latest regular microcode bundle.  Also, fix the
    "oldies" target to have its own exclude filter (IUC_OLDIES_EXCLUDE)
  * Add support for x32 arch:
    + README.source: mention x32
    + control,rules: enable building on x32 arch (Closes: #777356)
  * ucode-blacklist: add Broadwell and Haswell-E signatures
    Add a missing signature for Haswell Refresh (Haswell-E) to the "must be
    updated only by the early microcode update driver" list.  There is at
    least one report of one of the Broadwell microcode updates disabling
    TSX-NI, so add them as well just in case

intel-microcode (3.20151106.1~bpo8+1) jessie-backports; urgency=medium

  * Rebuild for jessie-backports (no changes)

intel-microcode (3.20151106.1) unstable; urgency=medium

  * New upstream microcode data file 20151106
    + New Microcodes:
      sig 0x000306f4, pf mask 0x80, 2015-07-17, rev 0x0009, size 14336
      sig 0x00040671, pf mask 0x22, 2015-08-03, rev 0x0013, size 11264
    + Updated Microcodes:
      sig 0x000306a9, pf mask 0x12, 2015-02-26, rev 0x001c, size 12288
      sig 0x000306c3, pf mask 0x32, 2015-08-13, rev 0x001e, size 21504
      sig 0x000306d4, pf mask 0xc0, 2015-09-11, rev 0x0022, size 16384
      sig 0x000306f2, pf mask 0x6f, 2015-08-10, rev 0x0036, size 30720
      sig 0x00040651, pf mask 0x72, 2015-08-13, rev 0x001d, size 20480
  * This massive Haswell + Broadwell (and related Xeons) update fixes
    several critical errata, including the high-hitting BDD86/BDM101/
    HSM153(?) which triggers an MCE and locks the processor core
    (LP: #1509764)
  * Might fix critical errata BDD51, BDM53 (TSX-related)
  * source: remove superseded upstream data file: 20150121
  * Add support for supplementary microcode bundles:
    + README.source: update and mention supplementary microcode
    + Makefile: support supplementary microcode
    Add support for supplementary microcode bundles, which (unlike .fw
    microcode override files) can be superseded by a higher revision
    microcode from the latest regular microcode bundle.  Also, fix the
    "oldies" target to have its own exclude filter (IUC_OLDIES_EXCLUDE)
  * Add support for x32 arch:
    + README.source: mention x32
    + control,rules: enable building on x32 arch (Closes: #777356)
  * ucode-blacklist: add Broadwell and Haswell-E signatures
    Add a missing signature for Haswell Refresh (Haswell-E) to the "must be
    updated only by the early microcode update driver" list.  There is at
    least one report of one of the Broadwell microcode updates disabling
    TSX-NI, so add them as well just in case

iptables-persistent (1.0.3+deb8u1) jessie; urgency=medium

  * [10cab8] Stop rules files being world-readable.
    Thanks to Bernhard Thaler (Closes: #764645)
  * [dbeffc] Rewrite README, install for both packages (Closes: #807285)
  * [dcd3f5] Update VCS links
  * [e0e1cf] Re-tab plugins/15-ip4tables and plugins/25-ip6tables

isc-dhcp (4.3.1-6+deb8u2) jessie-security; urgency=high

  * Fix CVE-2015-8605: maliciously crafted IPv4 packet can cause any of the
    running DHCP applications (server, client, or relay) to crash.

isc-dhcp (4.3.1-6+deb8u1) jessie; urgency=medium

  [ Michael Gilbert ]
  * Fix error when max lease time is used on 64-bit systems
    (closes: #795227).

keepassx (0.4.3+dfsg-0.1+deb8u1) jessie; urgency=medium

  * Add patch that fixes CVE-2015-8378 (Closes: #791858)

krb5 (1.12.1+dfsg-19+deb8u1) jessie-security; urgency=high

  * Import upstream patches for four CVEs:
    - CVE-2015-2695: SPNEGO context aliasing during establishment,
      Closes: #803083
    - CVE-2015-2696: IAKERB context aliasing during establishment,
      Closes: #803084
    - CVE-2015-2697: unsafe string handling in TGS processing,
      Closes: #803088
    - CVE-2015-2698: regression (memory corruption) in patch for
      CVE-2015-2696
  * In addition to CVE-2015-2698, the upstream patches for CVE-2015-2695 and
    CVE-2015-2696 introduced regressions preventing the use of
    gss_import_sec_context() with contexts established using IAKERB or
    SPNEGO; the fixes for those regressions are included here.

ldb (2:1.1.17-2+deb8u1) jessie-security; urgency=high

  * Add patch CVE-2015-3223: Fixes CVE-2015-3223: Denial of Service.
  * Add patch CVE-2015-5330: Fixes CVE-2015-5330: Remote memory read.

libapache-mod-fastcgi (2.4.7~0910052141-1.1+deb8u1) jessie; urgency=medium

  * Non-maintainer upload.
  * Switch B-D from libtool to libtool-bin to fix FTBFS.  (Closes: #793189)

libapache2-mod-perl2 (2.0.9~1624218-2+deb8u1) jessie; urgency=medium

  * Apply upstream 2.0.9 patches fixing crashes in modperl_interp_unselect().
    Thanks to Patrick Matthäi.  (Closes: #803043)

libcgi-session-perl (4.48-1+deb8u1) jessie; urgency=medium

  * Team upload.
  * Untaint raw data coming from session storage backends.
    + fixes a taint regression caused by CVE-2015-8607 fixes in perl
      (Closes: #810799)

libcommons-collections3-java (3.2.1-7+deb8u1) jessie-security; urgency=medium

  * Backported a modification from commons-collections 3.2.2 disabling the
    deserialization of the functors classes unless the system property
    org.apache.commons.collections.enableUnsafeSerialization is set to true.
    This fixes a vulnerability in unsafe applications deserializing objects
    from untrusted sources without sanitizing the input data.

libdatetime-timezone-perl (1:1.75-2+2015g) jessie; urgency=medium

  * Update to Olson database version 2015g.
    Add patch debian/patches/olson-2015g, which updates the timezone *.pm
    files, using upstream's tools/parse_olson script.
    This update contains contemporary changes for Turkey, Norfolk, Fiji, and
    Fort Nelson.

libencode-perl (2.63-1+deb8u1) jessie; urgency=medium

  * Add patch dont-die-without-bom.patch.
    The decode() routine died when no BOM was found.  This patch, backported
    from upstream's 2.77 release, changes the behaviour to fall back to BE
    according to RFC2781 and the Unicode Standard version 8.0.
    (Closes: #799086)

libhtml-scrubber-perl (0.11-1+deb8u1) jessie; urgency=medium

  * [SECURITY] CVE-2015-5667: Backport upstream patch fixing a cross-site
    scripting vulnerability in comments.  (Closes: #803943)

libinfinity (0.6.7-1~deb8u1) jessie; urgency=medium

  * Upload to Debian jessie.

libinfinity (0.6.7-1) unstable; urgency=medium

  * New upstream release

libinfinity (0.6.6-1) unstable; urgency=medium

  * New upstream release
    - Check certificates for expiration and weak algorithms even if the CA
      is trusted.  (Closes: #783601)

libiptables-parse-perl (1.1-1+deb8u1) jessie; urgency=medium

  * Team upload.
  * Add CVE-2015-8326.patch patch.
    CVE-2015-8326: Use of predictable names for temporary files.

libiptables-parse-perl (1.1-1+deb7u1) wheezy; urgency=medium

  * Team upload.
  * Add CVE-2015-8326.patch patch.
    CVE-2015-8326: Use of predictable names for temporary files.

libphp-phpmailer (5.2.9+dfsg-2+deb8u1) jessie-security; urgency=high

  * gbp.conf: Track the jessie branch
  * Backport fix from 5.2.14: PHPMailer Message Injection Vulnerability
    [CVE-2015-8476] (Closes: #807265)

libpng (1.2.50-2+deb8u2) jessie-security; urgency=high

  * Non-maintainer upload by the Security Team.
  * Add patches to address CVE-2015-8472.
    CVE-2015-8472: Incomplete fix for callers on png_set_PLTE.
    (Closes: #807112)
  * Add CVE-2015-8540.patch patch.
    CVE-2015-8540: underflow read in png_check_keyword().  (Closes: #807694)

libpng (1.2.50-2+deb8u1) jessie-security; urgency=high

  * Non-maintainer upload by the Security Team.
  * Add CVE-2015-7981.patch patch.
    CVE-2015-7981: Out-of-bounds read in png_convert_to_rfc1123.
    (Closes: #803078)
  * Add Prevent-writing-over-length-PLTE-chunk-Cosm.patch patch.
    CVE-2015-8126: Multiple buffer overflows in the png_set_PLTE and
    png_get_PLTE functions.  (Closes: #805113)
  * Add Fixed-new-bug-with-CRC-error-after-reading-.patch patch.
    Fixed new bug with CRC error after reading an over-length palette.

libraw (0.16.0-9+deb8u2) stable; urgency=high

  * debian/patches/: patchset updated
    - 0002-Fix_CVE-2015-8366_CVE-2015-8367.patch added
      | CVE-2015-8366: Index overflow in smal_decode_segment
      | CVE-2015-8367: Memory objects are not initialized properly

libreoffice (1:4.3.3-2+deb8u2) jessie-security; urgency=high

  * debian/patches/CVE-2015-4551.diff: backport fix for Arbitrary file
    disclosure vulnerability (CVE-2014-4551) from libreoffice-4-4-4 branch
  * debian/patches/ww8dontwrap.diff: fix 'LibreOffice "Piece Table Counter"
    Invalid Check Design Error Vulnerability' (CVE-2015-5213), from
    libreoffice-4-4-5 branch
  * debian/patches/coverity-1266485.diff: fix 'LibreOffice "PrinterSetup
    Length" Integer Underflow Vulnerability' (CVE-2015-5212), from
    libreoffice-4-4-5 branch
  * debian/patches/pStatus-vector-offsets.diff: fix 'LibreOffice Bookmark
    Status Memory Corruption Vulnerability' (CVE-2015-5214), from
    libreoffice-4-4 branch

libssh (0.6.3-4+deb8u1) jessie; urgency=medium

  * Non-maintainer upload.
  * debian/patches:
    - Add 0002_CVE-2015-3146.patch
      Fix "null pointer dereference due to a logical error in the handling
      of a SSH_MSG_NEWKEYS and KEXDH_REPLY packets"
      (Closes: #784404, CVE-2015-3146)

libvdpau (0.8-3+deb8u2) jessie-security; urgency=medium

  * Cherry-pick upstream commit to fix crash with the DRI_PRIME environment
    variable set on 64-bit systems, regression caused by switch to
    secure_getenv(3).  (Closes: #802625)
    - [1cda354] 0034-mesa_dri2-Add-missing-include-of-config.h-to-define.patch

libvdpau (0.8-3+deb8u1) jessie-security; urgency=high

  * Patch for CVE 2015-5198, 2015-5199, 2015-5200
    - Use secure_getenv(3) to improve security (CVE-2015-5198,
      CVE-2015-5199, CVE-2015-5200).  Closes: #797895.
  * Add myself to Uploaders

libxml2 (2.9.1+dfsg1-5+deb8u1) jessie-security; urgency=high

  * Non-maintainer upload by the Security Team.
  * Add patches to address CVE-2015-7941.
    CVE-2015-7941: Denial of service via out-of-bounds read.
    (Closes: #783010)
  * Add 0058-CVE-2015-1819-Enforce-the-reader-to-run-in-constant-.patch.
    CVE-2015-1819: Enforce the reader to run in constant memory.
    (Closes: #782782)
  * Add patches to address CVE-2015-8317.
    CVE-2015-8317: Out-of-bounds heap read when parsing file with unfinished
    xml declaration.
  * Add patches to address CVE-2015-7942.
    CVE-2015-7942: heap-based buffer overflow in
    xmlParseConditionalSections().  (Closes: #802827)
  * Add 0063-Fix-parsing-short-unclosed-comment-uninitialized-acc.patch patch.
    Parsing an unclosed comment can result in `Conditional jump or move
    depends on uninitialised value(s)` and unsafe memory access.
    (Closes: #782985)
  * Add 0064-CVE-2015-8035-Fix-XZ-compression-support-loop.patch patch.
    CVE-2015-8035: DoS when parsing specially crafted XML document if XZ
    support is enabled.  (Closes: #803942)
  * Add 0065-Avoid-extra-processing-of-MarkupDecl-when-EOF.patch patch.
    CVE-2015-8241: Buffer overread with XML parser in xmlNextChar.
    (Closes: #806384)
  * Add 0066-Avoid-processing-entities-after-encoding-conversion-.patch patch.
    CVE-2015-7498: Heap-based buffer overflow in xmlParseXmlDecl.
  * Add 0067-CVE-2015-7497-Avoid-an-heap-buffer-overflow-in-xmlDi.patch patch.
    CVE-2015-7497: Heap-based buffer overflow in xmlDictComputeFastQKey.
  * Add 0068-CVE-2015-5312-Another-entity-expansion-issue.patch patch.
    CVE-2015-5312: CPU exhaustion when processing specially crafted XML
    input.
  * Add patches to address CVE-2015-7499.
    CVE-2015-7499: Heap-based buffer overflow in xmlGROW.
  * Add 0071-CVE-2015-7500-Fix-memory-access-error-due-to-incorre.patch patch.
    CVE-2015-7500: Heap buffer overflow in xmlParseMisc.

linux (3.16.7-ckt20-1+deb8u2) jessie-security; urgency=medium

  * [xen] Fix race conditions in back-end drivers (CVE-2015-8550, XSA-155)
  * [xen] pciback: Fix state validation in MSI control operations
    (CVE-2015-8551, CVE-2015-8852, XSA-157)
  * pptp: verify sockaddr_len in pptp_bind() and pptp_connect()
    (CVE-2015-8569)
  * bluetooth: Validate socket address length in sco_sock_bind()
    (CVE-2015-8575)
  * ptrace: being capable wrt a process requires mapped uids/gids
    (CVE-2015-8709)
  * KEYS: Fix race between read and revoke (CVE-2015-7550)
  * [x86] KVM: Reload pit counters for all channels when restoring state
    (CVE-2015-7513)
  * udp: properly support MSG_PEEK with truncated buffers
    (Closes: #808293, regression in 3.16.7-ckt17)
  * Revert "xhci: don't finish a TD if we get a short transfer event mid TD"
    (Closes: #808602, #808953, regression in 3.16.7-ckt20)

linux (3.16.7-ckt20-1+deb8u2~bpo70+1) wheezy-backports; urgency=medium

  * Rebuild for wheezy:
    - Disable architectures that weren't part of wheezy
    - Use gcc-4.6 for all architectures
    - Change ABI number to 0.bpo.4
    - [arm] btrfs: Work around bug in gcc-4.6 (fixes FTBFS)
    - linux-image: Depend on initramfs-tools without any alternatives, so
      that neither apt nor aptitude will automatically switch to dracut

linux (3.16.7-ckt20-1+deb8u2) jessie-security; urgency=medium

  * [xen] Fix race conditions in back-end drivers (CVE-2015-8550, XSA-155)
  * [xen] pciback: Fix state validation in MSI control operations
    (CVE-2015-8551, CVE-2015-8852, XSA-157)
  * pptp: verify sockaddr_len in pptp_bind() and pptp_connect()
    (CVE-2015-8569)
  * bluetooth: Validate socket address length in sco_sock_bind()
    (CVE-2015-8575)
  * ptrace: being capable wrt a process requires mapped uids/gids
    (CVE-2015-8709)
  * KEYS: Fix race between read and revoke (CVE-2015-7550)
  * [x86] KVM: Reload pit counters for all channels when restoring state
    (CVE-2015-7513)
  * udp: properly support MSG_PEEK with truncated buffers
    (Closes: #808293, regression in 3.16.7-ckt17)
  * Revert "xhci: don't finish a TD if we get a short transfer event mid TD"
    (Closes: #808602, #808953, regression in 3.16.7-ckt20)

linux (3.16.7-ckt20-1+deb8u1) jessie-security; urgency=medium

  [ Salvatore Bonaccorso ]
  * [x86] KVM: rename update_db_bp_intercept to update_bp_intercept

  [ Ben Hutchings ]
  * media: usbvision: fix leak of usb_dev on failure paths in
    usbvision_probe()
  * media: usbvision: fix crash on detecting device with invalid
    configuration (CVE-2015-7833, partly fixed in 3.16.7-ckt11-1+deb8u6)
  * splice: sendfile() at once fails for big files (Closes: #785189)
  * unix: avoid use-after-free in ep_remove_wait_queue (CVE-2013-7446)
  * Btrfs: fix truncation of compressed and inlined extents (CVE-2015-8374)
  * net: add validation for the socket syscall protocol argument
    (CVE-2015-8543)

linux (3.16.7-ckt20-1) jessie; urgency=medium

  * New upstream stable update:
    http://kernel.ubuntu.com/stable/ChangeLog-3.16.7-ckt18
    - mac80211: enable assoc check for mesh interfaces
    - PCI: Add VPD function 0 quirk for Intel Ethernet devices
    - staging: comedi: usbduxsigma: don't clobber ai_timer in command test
    - staging: comedi: usbduxsigma: don't clobber ao_timer in command test
    - [armhf] usb: dwc3: ep0: Fix mem corruption on OUT transfers of more than 512 bytes
    - [x86] KVM: MMU: fix validation of mmio page fault (regression in 3.11)
    - iio: industrialio-buffer: Fix iio_buffer_poll return value (regression in 3.13)
    - iio: event: Remove negative error code from iio_event_poll (regression in 3.13)
    - NFSv4: don't set SETATTR for O_RDONLY|O_EXCL
    - fs: Set the size of empty dirs to 0. (regression in 3.16.7-ckt15)
    - [x86] staging: comedi: adl_pci7x3x: fix digital output on PCI-7230
    - blk-mq: fix buffer overflow when reading sysfs file of 'pending'
    - NFS: nfs_set_pgio_error sometimes misses errors
    - NFS: Fix a NULL pointer dereference of migration recovery ops for v4.2 client
    - usb: host: ehci-sys: delete useless bus_to_hcd conversion
    - USB: symbolserial: Use usb_get_serial_port_data (regression in 3.10)
    - igb: Fix oops caused by missing queue pairing (regression in 3.14)
    - eCryptfs: Invalidate dcache entries when lower i_nlink is zero
    - libxfs: readahead of dir3 data blocks should use the read verifier
    - xfs: Fix xfs_attr_leafblock definition
    - [arm64] kconfig: Move LIST_POISON to a safe value
    - Btrfs: check if previous transaction aborted to avoid fs corruption
    - xfs: Fix file type directory corruption for btree directories
    - [arm64] flush FP/SIMD state correctly after execve()
    - xfs: return errors from partial I/O failures to files
    - drm/radeon/atom: Send out the full AUX address
    - [x86] drm/i915: Always mark the object as dirty when used by the GPU
    - IB/uverbs: reject invalid or unknown opcodes
    - [x86] crypto: ghash-clmulni: specify context size for ghash async algorithm
    - fs: create and use seq_show_option for escaping
    - scsi: fix scsi_error_handler vs. scsi_host_dev_release race
    - [x86] drm/i915: Limit the number of loops for reading a split 64bit register (regression in 3.16.7-ckt16)
    - hfs,hfsplus: cache pages correctly between bnode_create and bnode_free
    - hfs: fix B-tree corruption after insertion at position 0
    - [armel/versatile,armhf] Input: ambakmi - fix system PM by converting to modern callbacks (regression in 3.14)
    - svcrdma: Fix send_reply() scatter/gather set-up
    - [x86] mm: Initialize pmd_idx in page_table_range_init_count()
    - batman-adv: fix multicast counter when purging originators
    - batman-adv: fix counter for multicast supporting nodes
    - batman-adv: Fix potential synchronization issues in mcast tvlv handler
    - batman-adv: Fix potentially broken skb network header access
    - [powerpc/powerpc64] mm: Fix pte_pagesize_index() crash on 4K w/64K hash
    - ath10k: fix dma_mapping_error() handling
    - mmc: sdhci: also get preset value and driver type for MMC_DDR52 (regression in 3.16)
    - IB/mlx4: Fix potential deadlock when sending mad to wire
    - IB/mlx4: Forbid using sysfs to change RoCE pkeys
    - IB/uverbs: Fix race between ib_uverbs_open and remove_one
    - mmc: core: fix race condition in mmc_wait_data_done
    - task_work: remove fifo ordering guarantee
    - netlink, mmap: fix edge-case leakages in nf queue zero-copy
    - md: flush ->event_work before stopping array.
    - md/raid10: always set reshape_safe when initializing reshape_position.
    - ext4: fix loss of delalloc extent info in ext4_zero_range()
    - [powerpc,ppc64el] MSI: Fix race condition in tearing down MSI interrupts
    - UBI: block: Add missing cache flushes
    - net/ipv6: Correct PIM6 mrt_lock handling
    - netlink, mmap: transform mmap skb into full skb on taps
    - openvswitch: Zero flows on allocation.
    - fib_rules: fix fib rule dumps across multiple skbs
    http://kernel.ubuntu.com/stable/ChangeLog-3.16.7-ckt19
    - CIFS: fix type confusion in copy offload ioctl
    - [x86] apic: Serialize LVTT and TSC_DEADLINE writes
    - [arm64] head.S: initialise mdcr_el2 in el2_setup
    - kvm: don't try to register to KVM_FAST_MMIO_BUS for non mmio eventfd
    - kvm: fix double free for fast mmio eventfd
    - [powerpc*] mm: Recompute hash value after a failed update (regression in 3.11)
    - [i386] platform: Fix Geode LX timekeeping in the generic x86 build
    - [arm64,armhf] KVM: Disable virtual timer even if the guest is not using it
    - [x86] hp-wmi: limit hotkey enable
    - zram: fix possible use after free in zcomp_create() (regression in 3.15)
    - [x86] drm/vmwgfx: Fix up user_dmabuf refcounting
    - [armhf] dts: omap3-beagle: make i2c3, ddc and tfp410 gpio work again (regression in 3.15)
    - Btrfs: fix read corruption of compressed and shared extents
    - btrfs: skip waiting on ordered range for special files
    - [armhf] usb: chipidea: udc: using the correct stall implementation
    - [armhf] net: mvneta: fix DMA buffer unmapping in mvneta_rx() (regression in 3.16.7-ckt16)
    - iser-target: remove command with state ISTATE_REMOVE
    - [x86] KVM: trap AMD MSRs for the TSeg base and mask
    - usb: Use the USB_SS_MULT() macro to get the burst multiplier.
    - xhci: give command abortion one more chance before killing xhci
    - usb: xhci: Clear XHCI_STATE_DYING on start
    - xhci: change xhci 1.0 only restrictions to support xhci 1.1
    - xhci: init command timeout timer earlier to avoid deleting it uninitialized
    - cifs: use server timestamp for ntlmv2 authentication
    - [x86] paravirt: Replace the paravirt nop with a bona fide empty function
    - [amd64] nmi: Fix a paravirt stack-clobbering bug in the NMI code (regression in 3.16.7-ckt16)
    - ocfs2/dlm: fix deadlock when dispatch assert master
    - [x86] drm/i915/bios: handle MIPI Sequence Block v3+ gracefully
    - drm/qxl: only report first monitor as connected if we have no state
    - PCI: Fix devfn for VPD access through function 0 (regression in 3.16.7-ckt18)
    - PCI: Use function 0 VPD for identical functions, regular VPD for others
    - netfilter: nft_compat: skip family comparison in case of NFPROTO_UNSPEC
    - vxlan: set needed headroom correctly
    - jbd2: avoid infinite loop when destroying aborted journal
    - asix: Don't reset PHY on if_up for ASIX 88772
    - asix: Do full reset during ax88772_bind
    - fib_rules: Fix dump_rules() not to exit early
    - net/xen-netfront: only napi_synchronize() if running
    - [x86] intel_pstate: Fix overflow in busy_scaled due to long delay
    - UBI: Validate data_size
    - UBI: return ENOSPC if no enough space available
    - [mips*/4kc-malta] dma-default: Fix 32-bit fall back to GFP_DMA
    - [x86] efi: Fix boot crash by mapping EFI memmap entries bottom-up at runtime, instead of top-down
    - [x86] Use WARN_ON_ONCE for missing X86_FEATURE_NRIPS
    - mm: hugetlbfs: skip shared VMAs when unmapping private pages to satisfy a fault
    - [x86] mm: Set NX on gap between __ex_table and rodata
    - clocksource: Fix abs() usage w/ 64bit values
    - [x86] drm/vmwgfx: Fix kernel NULL pointer dereference on older hardware
    - fs: if a coredump already exists, unlink and recreate with O_EXCL
    - sctp: donot reset the overall_error_count in SHUTDOWN_RECEIVE state
    - l2tp: protect tunnel->del_work by ref_count
    - af_unix: return data from multiple SKBs on recv() with MSG_PEEK flag
    - net/unix: fix logic about sk_peek_offset
    - skbuff: Fix skb checksum flag on skb pull
    - skbuff: Fix skb checksum partial check.
    - net: add pfmemalloc check in sk_add_backlog()
    - ppp: don't override sk->sk_state in pppoe_flush_dev()
    - ethtool: Use kcalloc instead of kmalloc for ethtool_get_strings
    - ovs: do not allocate memory from offline numa node
    - netlink: Trim skb to alloc size to avoid MSG_TRUNC
    - net: add length argument to skb_copy_and_csum_datagram_iovec (regression in 3.16.7-ckt17) (CVE-2015-8019)
    - Btrfs: update fix for read corruption of compressed and shared extents
    http://kernel.ubuntu.com/stable/ChangeLog-3.16.7-ckt20
    - regmap: debugfs: Ensure we don't underflow when printing access masks
    - regmap: debugfs: Don't bother actually printing when calculating max length
    - [x86] xen: Support kexec/kdump in HVM guests by doing a soft reset
    - svcrdma: handle rdma read with a non-zero initial page offset (regression in 3.16)
    - dm: fix AB-BA deadlock in __dm_destroy() (regression in 3.16.7-ckt10)
    - cifs: [SMB3] Do not fall back to SMBWriteX in set_file_size error cases
    - dm raid: fix round up of default region size
    - staging: speakup: fix speakup-r regression
    - [arm64] readahead: fault retry breaks mmap file read random detection
    - sched/core: Fix TASK_DEAD race in finish_task_switch()
    - dm cache: fix NULL pointer when switching from cleaner policy
    - 3w-9xxx: don't unmap bounce buffered commands (regression in 3.16.7-ckt17)
    - workqueue: make sure delayed work run in local cpu
    - drm/radeon: add pm sysfs files late
    - drm/nouveau/fbcon: take runpm reference when userspace has an open fd
    - crypto: ahash - ensure statesize is non-zero
    - btrfs: check unsupported filters in balance arguments
    - btrfs: fix use after free iterating extrefs
    - btrfs: fix possible leak in btrfs_ioctl_balance()
    - drm: Reject DRI1 hw lock ioctl functions for kms drivers
    - usb: xhci: Add support for URB_ZERO_PACKET to bulk/sg transfers
    - rbd: fix double free on rbd_dev->header_name
    - ath9k: declare required extra tx headroom
    - iio: accel: sca3000: memory corruption in sca3000_read_first_n_hw_rb()
    - xen-blkfront: check for null drvdata in blkback_changed (XenbusStateClosing)
    - iio: mxs-lradc: Fix temperature offset
    - [x86] drm/i915: Deny wrapping an userptr into a framebuffer
    - xhci: don't finish a TD if we get a short transfer event mid TD
    - xhci: handle no ping response error properly
    - drm/nouveau/gem: return only valid domain when there's only one
    - [powerpc*] rtas: Validate rtas.entry before calling enter_rtas()
    - mm: make sendfile(2) killable
    - rbd: don't leak parent_spec in rbd_dev_probe_parent()
    - rbd: prevent kernel stack blow up on rbd map
    - dm btree remove: fix a bug when rebalancing nodes after removal
    - dm btree: fix leak of bufio-backed block in btree_split_beneath error path
    - IB/cm: Fix rb-tree duplicate free and use-after-free
    - iwlwifi: mvm: init card correctly on ctkill exit check (regression in 3.16.7-ckt2)
    - module: Fix locking in symbol_put_addr()
    - crypto: api - Only abort operations on fatal signal
    - md/raid1: submit_bio_wait() returns 0 on success
    - md/raid10: submit_bio_wait() returns 0 on success
    - [x86] iommu/amd: Don't clear DTE flags when modifying it
    - [armel,armhf] i2c: mv64xxx: really allow I2C offloading
    - drm/radeon: don't try to recreate sysfs entries on resume
    - mvsas: Fix NULL pointer dereference in mvs_slot_task_free
    - [arm64] Revert "ARM64: unwind: Fix PC calculation"
    - rbd: require stable pages if message data CRCs are enabled
    - md/raid5: fix locking in handle_stripe_clean_event()
    - Revert "md: allow a partially recovered device to be hot-added to an array." (regression in 3.14)
    - ipv6: Fix IPsec pre-encap fragmentation check
    - ppp: fix pppoe_dev deletion condition in pppoe_release()
    - ipv6: gre: support SIT encapsulation (regression in 3.13)
    - isdn_ppp: Add checks for allocation failure in isdn_ppp_open()
    - ppp, slip: Validate VJ compression slot parameters completely (CVE-2015-7799)
    - staging/dgnc: fix info leak in ioctl
    - sched/preempt: Fix cond_resched_lock() and cond_resched_softirq() (regression in 3.13)

  [ Aurelien Jarno ]
  * [mips*/octeon] Enable CAVIUM_CN63XXP1 (Closes: #800595)

  [ Ben Hutchings ]
  * nbd: Restore request timeout detection (Closes: #770479)
  * netlink: Fix ABI change in 3.16.7-ckt18
  * [x86] Enable PINCTRL_BAYTRAIL (Closes: #797949)
  * firmware_class: Fix condition in directory search loop (Closes: #804862)
  * ehci: Fix ABI change in 3.16.7-ckt19
  * [arm64] Defer workaround for erratum #843419
  * [x86] KVM: svm: unconditionally intercept #DB (CVE-2015-8104)

linux (3.16.7-ckt17-1) jessie; urgency=medium

  * New upstream stable updates:
    http://kernel.ubuntu.com/stable/ChangeLog-3.16.7-ckt12
    - [x86] reboot: Add EFI reboot quirk for ACPI Hardware Reduced flag
    - UBI: fix soft lockup in ubi_check_volume()
    - mnt: Fail collect_mounts when applied to unmounted mounts
    - btrfs: unlock i_mutex after attempting to delete subvolume during send (regression in 3.16)
    - [arm64] dma-mapping: always clear allocated buffers
    - ALSA: emu10k1: Fix card shortname string buffer overflow
    - SCSI: add 1024 max sectors black list flag
    - 3w-sas,3w-xxxx,3w-9xxx: fix command completion race
    - [armhf] usb: chipidea: otg: remove mutex unlock and lock while stop and start role (regression in 3.16)
    - cdc-acm: prevent infinite loop when parsing CDC headers. (regression in 3.16.7-ckt8)
    - ALSA: emux: Fix mutex deadlock in OSS emulation
    - rbd: end I/O the entire obj_request on error
    - mlx4_en: Use correct loop cursor in error path.
    - [armhf,arm64] KVM: Fix and refactor unmap_range
    - [armhf] KVM: Unmap IPA on memslot delete/move
    - [armhf] KVM: user_mem_abort: support stage 2 MMIO page mapping
    - [armhf,arm64] KVM: avoid returning negative error code as bool
    - [armhf,arm64] KVM: fix use of WnR bit in kvm_is_write_fault()
    - [armhf] KVM: vgic: plug irq injection race
    - [armhf,arm64] KVM: Fix set_clear_sgi_pend_reg offset
    - [armhf,arm64] KVM: Fix VTTBR_BADDR_MASK and pgd alloc
    - [armhf,arm64] KVM: fix potential NULL dereference in user_mem_abort()
    - [armhf,arm64] KVM: Ensure memslots are within KVM_PHYS_SIZE
    - [arm64] KVM: fix unmapping with 48-bit VAs
    - [armhf,arm64] kvm: drop inappropriate use of kvm_is_mmio_pfn()
    - [armhf,arm64] KVM: Reset the HCR on each vcpu when resetting the vcpu
    - [armhf,arm64] KVM: Introduce stage2_unmap_vm
    - [armhf,arm64] KVM: Don't allow creating VCPUs after vgic_initialized
    - [armhf,arm64] KVM: Require in-kernel vgic for the arch timers
    - [arm64] KVM: Fix TLB invalidation by IPA/VMID
    - [arm64] KVM: Fix HCR setting for 32bit guests
    - [arm64] KVM: Do not use pgd_index to index stage-2 pgd
    - net: make skb_gso_segment error handling more robust
    - blk-mq: fix CPU hotplug handling
    - mm/memory-failure: call shake_page() when error hits thp tail page
    - nilfs2: fix sanity check of btree level in nilfs_btree_root_broken()
    - ocfs2: dlm: fix race between purge and get lock resource
    - drm/radeon: make VCE handle check more strict
    - drm/radeon: make UVD handle checking more strict
    - drm/radeon: more strictly validate the UVD codec
    - mnt: Fix fs_fully_visible to verify the root directory is visible
    - pinctrl: Don't just pretend to protect pinctrl_maps, do it for real
    - crush: ensuring at most num-rep osds are selected
    - netfilter: nf_tables: fix error handling of rule replacement
    - netfilter: Zero the tuple in nfnl_cthelper_parse_tuple()
    - netfilter: nf_tables: check for overflow of rule dlen field
    - netfilter: nft_rbtree: fix locking
    - sched/autogroup: Fix failure to set cpu.rt_runtime_us
    - xprtrdma: Free the pd if ib_query_qp() fails
    - xfs: ensure truncate forces zeroed blocks to disk
    http://kernel.ubuntu.com/stable/ChangeLog-3.16.7-ckt13
    - usb: gadget: configfs: Fix interfaces array NULL-termination
    - nfsd: fix the check for confirmed openowner in nfs4_preprocess_stateid_op
    - libata: Blacklist queued TRIM on all Samsung 800-series (Closes: #790520)
    - md/raid5: don't record new size if resize_stripes fails.
    - sched: Handle priority boosted tasks proper in setscheduler()
    - [armel,armhf] net fix emit_udiv() for BPF_ALU | BPF_DIV | BPF_K intruction.
    - drm/radeon: add new bonaire pci id (Closes: #792099)
    - firmware: dmi_scan: Fix ordering of product_uuid
    - ext4: fix NULL pointer dereference when journal restart fails (regression in 3.11)
    - ext4: check for zero length extent explicitly (regression in 3.13)
    - jbd2: fix r_count overflows leading to buffer overflow in journal recovery
    - igb: Fix oops on changing number of rings
    - igb: Fix NULL assignment to incorrect variable in igb_reset_q_vector
    - [arm64] add missing PAGE_ALIGN() to __dma_free()
    - net: socket: Fix the wrong returns for recvmsg and sendmsg (regression in 3.16.7-ckt9)
    - mac80211: move WEP tailroom size check
    - [x86] KVM: MMU: fix smap permission check
    - [x86] KVM: MMU: fix CR4.SMEP=1, CR0.WP=0 with shadow pages
    - [x86] KVM: MMU: fix SMAP virtualization
    - sd: Disable support for 256 byte/sector disks
    - xen/events: don't bind non-percpu VIRQs with percpu chip
    - libceph: request a new osdmap if lingering request maps to no osd
    - [s390x] crypto: ghash - Fix incorrect ghash icv buffer handling.
    - ipvs: fix memory leak in ip_vs_ctl.c
    - ipv6: fix ECMP route replacement
    - ipv4: Avoid crashing in ip_error
    - bridge: fix parsing of MLDv2 reports
    - module: Call module notifier on failure after complete_formation() (regression in 3.16)
    - [x86] gpio: gpio-kempld: Fix get_direction return value (regression in 3.12)
    - [armel,armhf] 8356/1: mm: handle non-pmd-aligned end of RAM
    - mac80211: don't use napi_gro_receive() outside NAPI context
    - xfs: xfs_attr_inactive leaves inconsistent attr fork state behind
    - fs, omfs: add NULL terminator in the end up the token list
    - vfs: d_walk() might skip too much (regression in 3.16.7-ckt4)
    - target/pscsi: Don't leak scsi_host if hba is VIRTUAL_HOST
    - net_sched: invoke ->attach() after setting dev->qdisc
    - fs/binfmt_elf.c:load_elf_binary(): return -EINVAL on zero-length mappings (regression in 3.16.7-ckt11)
    http://kernel.ubuntu.com/stable/ChangeLog-3.16.7-ckt14
    - n_tty: Fix auditing support for cannonical mode (regression in 3.12)
    - lib: Fix strnlen_user() to not touch memory after specified maximum
    - xfrm: fix a race in xfrm_state_lookup_byspi
    - thermal: step_wise: Revert optimization (regression in 3.12)
    - net: dp83640: fix broken calibration routine.
    - net: dp83640: reinforce locking rules.
    - unix/caif: sk_socket can disappear when state is unlocked
    - xen/netback: Properly initialize credit_bytes (regression in 3.16)
    - ipv4/udp: Verify multicast group is ours in upd_v4_early_demux() (regression in 3.13)
    - bridge: disable softirqs around br_fdb_update to avoid lockup
    - Btrfs: send, add missing check for dead clone root
    - Btrfs: send, don't leave without decrementing clone root's send_progress
    - btrfs: incorrect handling for fiemap_fill_next_extent return
    - btrfs: cleanup orphans while looking up default subvolume
    - [x86] iommu/vt-d: Allow RMRR on graphics devices too (regression in 3.16.3)
    - [armhf] irqchip: sunxi-nmi: Fix off-by-one error in irq iterator
    - mm/memory_hotplug.c: set zone->wait_table to null after freeing it
    - block: fix ext_dev_lock lockdep report (regression in 3.16.4)
    - iser-target: Fix variable-length response error completion (regression in 3.16)
    - iser-target: release stale iser connections
    http://kernel.ubuntu.com/stable/ChangeLog-3.16.7-ckt15
    - [x86] KVM: nSVM: Check for NRIPS support before updating control field
    - nfs: take extra reference to fl->fl_file when running a setlk
    - net: don't wait for order-3 page allocation
    - bridge: fix br_stp_set_bridge_priority race conditions
    - packet: read num_members once in packet_rcv_fanout()
    - packet: avoid out of bounds read in round robin fanout
    - neigh: do not modify unlinked entries
    - tcp: Do not call tcp_fastopen_reset_cipher from interrupt context (regression in 3.13)
    - sctp: Fix race between OOTB responce and route removal
    - media: s5h1420: fix a buffer overflow when checking userspace params
    - media: cx24116: fix a buffer overflow when checking userspace params
    - media: af9013: Don't accept invalid bandwidth
    - media: cx24117: fix a buffer overflow when checking userspace params
    - spi: fix race freeing dummy_tx/rx before it is unmapped
    - mtd: fix: avoid race condition when accessing mtd->usecount
    - intel_pstate: set BYT MSR with wrmsrl_on_cpu() (regression in 3.14)
    - leds / PM: fix hibernation on arm when gpio-led used with CPU led trigger (regression in 3.11)
    - mnt: Refactor the logic for mounting sysfs and proc in a user namespace
    - scsi_transport_srp: Fix a race condition
    - w1_therm reference count family data
    - drm/radeon: take the mode_config mutex when dealing with hpds (v2)
    - [armhf] usb: dwc3: gadget: return error if command sent to DGCMD register fails
    - rcu: Correctly handle non-empty Tiny RCU callback list with none ready
    - [armhf] usb: dwc3: gadget: don't clear EP_BUSY too early
    - staging: rtl8712: prevent buffer overrun in recvbuf2recvframe
    - SUNRPC: Fix a memory leak in the backchannel code
    - ieee802154: Fix sockaddr_ieee802154 implicit padding information leak.
    - mnt: Modify fs_fully_visible to deal with locked ro nodev and atime
    - regulator: core: fix constraints output buffer
    - ACPI / PM: Add missing pm_generic_complete() invocation (regression in 3.16)
    - [armel,armhf] dmaengine: mv_xor: bug fix for racing condition in descriptors cleanup
    - [arm64] Do not attempt to use init_mm in reset_context()
    - ext4: fix race between truncate and __ext4_journalled_writepage()
    - [x86] pcmcia: Disable write buffering on Toshiba ToPIC95
    - fs/ufs: revert "ufs: fix deadlocks introduced by sb mutex merge" (regression in 3.16.4)
    - jbd2: use GFP_NOFS in jbd2_cleanup_journal_tail()
    - jbd2: fix ocfs2 corrupt when updating journal superblock fails
    - fs/ufs: restore s_lock mutex (regression in 3.16)
    - regmap: Fix possible shift overflow in regmap_field_init()
    - [x86] PCI: Use host bridge _CRS info on systems with >32 bit addressing (regression in 3.14)
    - libata: Do not blacklist Micron M500DC (regression in 3.14)
    - [x86] iommu/amd: Handle large pages correctly in free_pagetable (regression in 3.11)
    - ext4: call sync_blockdev() before invalidate_bdev() in put_super()
    - xfs: fix remote symlinks on V5/CRC filesystems
    - ext4: don't retry file block mapping on bigalloc fs with non-extent file
    - xfs: don't truncate attribute extents if no extents exist
    - NET: ROSE: Don't dereference NULL neighbour pointer.
    - netfilter: nf_qeueue: Drop queue entries on nf_unregister_hook
    - fs: Fix S_NOSEC handling
    - stmmac: troubleshoot unexpected bits in des0 & des1
    - PM / sleep: Increase default DPM watchdog timeout to 60 (regression in 3.13)
    - [armhf] clocksource: exynos_mct: Avoid blocking calls in the cpu hotplug notifier (regression in 3.11)
    - drm/radeon: compute ring fix hibernation (CI GPU family) v2.
    - drm/radeon: SDMA fix hibernation (CI GPU family).
    - [armhf] net: mvneta: disable IP checksum with jumbo frames for Armada 370
    - [arm64] Don't report clear pmds and puds as huge
    - fuse: initialize fc->release before calling it
    - vfs: Ignore unlocked mounts in fs_fully_visible
    - proc: Allow creating permanently empty directories that serve as mount points
    - mnt: Update fs_fully_visible to test for permanently empty directories
    - ACPICA: Tables: Enable both 32-bit and 64-bit FACS (regression in 3.14)
    - ACPICA: Tables: Fix an issue that FACS initialization is performed twice
    - ACPICA: Tables: Enable default 64-bit FADT addresses favor
    - [x86] KVM: make vapics_in_nmi_mode atomic
    - [s390x] KVM: virtio-ccw: don't overwrite config space values
    - 9p: forgetting to cancel request on interrupted zero-copy RPC
    - e1000e: Cleanup handling of VLAN_HLEN as a part of max frame size (regression in 3.15)
    - ath9k_htc: memory corruption calling set_bit()
    - mac80211: prevent possible crypto tx tailroom corruption
    - cfg80211: ignore netif running state when changing iftype
    - Btrfs: lock superblock before remounting for rw subvol (regression in 3.15)
    - of: return NUMA_NO_NODE from fallback of_node_to_nid() (regression in 3.13)
    - sched/fair: Prevent throttling in early pick_next_task_fair() (regression in 3.15)
    - ACPI / init: Switch over platform to the ACPI mode later (regression in 3.14)
    - [armhf] drm/tegra: dpaux: Fix transfers larger than 4 bytes
    - mmc: card: Fixup request missing in mmc_blk_issue_rw_rq
    - perf: Fix ring_buffer_attach() RCU sync, again
    - LZ4 : fix the data abort issue
    http://kernel.ubuntu.com/stable/ChangeLog-3.16.7-ckt16
    - Btrfs: use kmem_cache_free when freeing entry in inode cache
    - Btrfs: fix race between caching kthread and returning inode to inode cache
    - Btrfs: fix fsync data loss after append write
    - ext4: fix reservation release on invalidatepage for delalloc fs
    - ext4: be more strict when migrating to non-extent based file
    - ext4: correctly migrate a file with a hole at the beginning
    - 9p: don't leave a half-initialized inode sitting around
    - thermal: step_wise: fix: Prevent from binary overflow when trend is dropping
    - dm btree remove: fix bug in redistribute3
    - [armhf] crypto: omap-des - Fix unmapping of dma channels
    - [armhf] usb: musb: host: rely on port_mode to call musb_start() (regression in 3.13)
    - drm: add a check for x/y in drm_mode_setcrtc
    - bio integrity: do not assume bio_integrity_pool exists if bioset exists
    - Btrfs: fix memory leak in the extent_same ioctl
    - Btrfs: fix list transaction->pending_ordered corruption
    - Btrfs: fix file corruption after cloning inline extents
    - [armel,armhf] 8404/1: dma-mapping: fix off-by-one error in bitmap size check (regression in 3.15)
    - net: graceful exit from netif_alloc_netdev_queues()
    - ip_tunnel: fix ipv4 pmtu check to honor inner ip header df (regression in 3.11)
    - net: do not process device backlog during unregistration
    - rds: rds_ib_device.refcount overflow
    - mm: avoid setting up anonymous pages into file mapping
    - HID: cp2112: fix to force single data-report reply
    - [armhf] net: mvneta: fix refilling for Rx DMA buffers
    - [armhf] usb: dwc3: gadget: return error if command sent to DEPCMD register fails
    - usb: xhci: Bugfix for NULL pointer deference in xhci_endpoint_init() function
    - usb: core: lpm: set lpm_capable for root hub device (regression in 3.15)
    - USB: OHCI: Fix race between ED unlink and URB submission (regression in 3.16.2)
    - usb-storage: ignore ZTE MF 823 card reader in mode 0x1225
    - md/raid1: fix test for 'was read error from last working device'.
    - [armhf] mmc: omap_hsmmc: Fix DTO and DCRC handling
    - bonding: correctly handle bonding type change on enslave failure
    - inet: frags: fix defragmented packet's IP header for af_packet
    - vfs: freeing unlinked file indefinitely delayed
    - mmc: sdhci: Fix FSL ESDHC reset handling quirk (regression in 3.16)
    http://kernel.ubuntu.com/stable/ChangeLog-3.16.7-ckt17
    - sysfs: Create mountpoints with sysfs_create_mount_point
    - iscsi-target: Fix use-after-free during TPG session shutdown
    - iscsi-target: Fix iscsit_start_kthreads failure OOPs (regression in 3.16.7-ckt11)
    - iscsi-target: Fix iser explicit logout TX kthread leak (regression in 3.16.7-ckt11)
    - xfs: remote attribute headers contain an invalid LSN
    - xfs: remote attributes need to be considered data
    - [x86] drm/i915: Replace WARN inside I915_READ64_2x32 with retry loop
    - ipr: Fix locking for unit attention handling
    - ipr: Fix invalid array indexing for HRRQ
    - [x86] xen: Probe target addresses in set_aliased_prot() before the hypercall
    - netfilter: ctnetlink: put back references to master ct and expect object (regression in 3.12)
    - ipvs: do not use random local source address for tunnels
    - ipvs: fix crash if scheduler is changed
    - ipvs: fix crash with sync protocol v0 and FTP
    - NFS: Don't revalidate the mapping if both size and change attr are up to date (regression in 3.16)
    - packet: missing dev_put() in packet_do_bind()
    - packet: tpacket_snd(): fix signed/unsigned comparison
    - net: sched: fix refcount imbalance in actions
    - act_pedit: check binding before calling tcf_hash_release()
    - nfsd: Drop BUG_ON and ignore SECLABEL on absent filesystem
    - [armel/ixp4xx] crypto: Remove bogus BUG_ON on scattered dst buffer
    - rbd: fix copyup completion race
    - md/bitmap: return an error when bitmap superblock is corrupt.
    - md/raid1: extend spinlock to protect raid1_end_read_request against inconsistencies
    - [armhf] thermal: exynos: Disable the regulator on probe failure
    - xhci: fix off by one error in TRB DMA address boundary check
    - mm, vmscan: Do not wait for page writeback for GFP_NOFS allocations
    - [mips*] Make set_pte() SMP safe.
    - ipc: modify message queue accounting to not take kernel data structures into account
    - ocfs2: fix BUG in ocfs2_downconvert_thread_do_work()
    - fsnotify: fix oops in fsnotify_clear_marks_by_group_flags()
    - rtnetlink: verify IFLA_VF_INFO attributes before passing them to driver
    - net/tipc: initialize security state for new connection socket
    - net: call rcu_read_lock early in process_backlog
    - net: Clone skb before setting peeked flag
    - net: Fix skb csum races when peeking
    - net: Fix skb_set_peeked use-after-free bug
    - ipv6: lock socket in ip6_datagram_connect()
    - netlink: don't hold mutex in rcu callback when releasing mmapd ring
    - rds: fix an integer overflow test in rds_info_getsockopt()
    - udp: fix dst races with multicast early demux
    - bna: fix interrupts storm caused by erroneous packets (regression in 3.14)
    - net: gso: use feature flag argument in all protocol gso handlers
    - ext4: avoid deadlocks in the writeback path by using sb_getblk_gfp
    - xen-blkfront: don't add indirect pages to list when !feature_persistent
    - xen-blkback: replace work_pending with work_busy in purge_persistent_gnt()
    - regmap: regcache-rbtree: Clean new present bits on present bitmap resize (regression in 3.12)
    - target/iscsi: Fix double free of a TUR followed by a solicited NOPOUT
    - [x86] ldt: Make modify_ldt synchronous
    - [x86] ldt: Correct LDT access in single stepping logic
    - [i386] ldt: Correct FPU emulation access to LDT
    - dm btree: add ref counting ops for the leaves of top level btrees
    - libfc: Fix fc_exch_recv_req() error path (regression in 3.13)
    - libfc: Fix fc_fcp_cleanup_each_cmd()
    - [x86] drm/vmwgfx: Fix execbuf locking issues
    - mm/hwpoison: fix page refcount of unknown non LRU page
    - ipc,sem: fix use after free on IPC_RMID after a task using same semaphore set exits
    - ipc/sem.c: change memory barrier in sem_lock() to smp_rmb()
    - ipc/sem.c: update/correct memory barriers
    - [mips*] Fix seccomp syscall argument for MIPS64 (regression in 3.15)
    - [i386] ldt: Further fix FPU emulation
    - ALSA: usb-audio: Fix runtime PM unbalance (regression in 3.15)
    - libata: Add factory recertified Crucial M500s to blacklist
    - [arm64] KVM: Fix host crash when injecting a fault into a 32bit guest
    - batman-adv: fix kernel crash due to missing NULL checks (regression in 3.16)
    - batman-adv: protect tt_local_entry from concurrent delete events
    - perf: Fix PERF_EVENT_IOC_PERIOD migration race (regression in 3.14)
    - net: Fix RCU splat in af_key
    - ip6_gre: release cached dst on tunnel removal
    - xen/gntdevt: Fix race condition in gntdev_release()
    - signalfd: fix information leak in signalfd_copyinfo
    - signal: fix information leak in copy_siginfo_to_user
    - signal: fix information leak in copy_siginfo_from_user32

  [ Ben Hutchings ]
  * [x86] vmwgfx: Enable DRM_VMWGFX_FBCON (Closes: #714929)
  * [x86] edac: Add edac_ie31200 driver from Linux 3.17 (Closes: #780773)
  * [mips*] Correct FP ISA requirements (Closes: #781892)
  * Revert "ACPICA: Utilities: split IO address types from data type models." to avoid ABI change on i386
  * libata: add ATA_HORKAGE_NOTRIM
  * libata: force disable trim for SuperSSpeed S238
  * block: Do a full clone when splitting discard bios (Closes: #793326)
  * [armel,sh4] linux-image: Recommend u-boot-tools rather than the obsolete uboot-mkimage package (Closes: #793608)
  * linux-source: Depend on xz-utils, not bzip2 (Closes: #796940)
  * [x86] i2c: i801: Use wait_event_timeout to wait for interrupts (Closes: #799786)
  * Adjust for migration to git:
    - Update .gitignore files
    - debian/control: Update Vcs-* fields
    - README.Debian, README.source: Update references to svn
  * media: uvcvideo: Disable hardware timestamps by default (Closes: #794327)

  [ Ian Campbell ]
  * [xen] xen-netback: return correct ethtool stats (Closes: #786936)
  * of: make sure of_alias is initialized before accessing it. (Closes: #784053)

  [ Uwe Kleine-König ]
  * Merge jessie-security changes

  [ Aurelien Jarno ]
  * [mips*] Correct FP emulation delay slot exception propagation.
  * [mips*el/loongson3] Set Loongson 3 ISA to MIPS64R1 to correctly emulate the corresponding FP instructions.

linux (3.16.7-ckt20-1+deb8u1) jessie-security; urgency=medium

  [ Salvatore Bonaccorso ]
  * [x86] KVM: rename update_db_bp_intercept to update_bp_intercept

  [ Ben Hutchings ]
  * media: usbvision: fix leak of usb_dev on failure paths in usbvision_probe()
  * media: usbvision: fix crash on detecting device with invalid configuration (CVE-2015-7833, partly fixed in 3.16.7-ckt11-1+deb8u6)
  * splice: sendfile() at once fails for big files (Closes: #785189)
  * unix: avoid use-after-free in ep_remove_wait_queue (CVE-2013-7446)
  * Btrfs: fix truncation of compressed and inlined extents (CVE-2015-8374)
  * net: add validation for the socket syscall protocol argument (CVE-2015-8543)

linux (3.16.7-ckt20-1) jessie; urgency=medium

  * New upstream stable update:
    http://kernel.ubuntu.com/stable/ChangeLog-3.16.7-ckt18
    - mac80211: enable assoc check for mesh interfaces
    - PCI: Add VPD function 0 quirk for Intel Ethernet devices
    - staging: comedi: usbduxsigma: don't clobber ai_timer in command test
    - staging: comedi: usbduxsigma: don't clobber ao_timer in command test
    - [armhf] usb: dwc3: ep0: Fix mem corruption on OUT transfers of more than 512 bytes
    - [x86] KVM: MMU: fix validation of mmio page fault (regression in 3.11)
    - iio: industrialio-buffer: Fix iio_buffer_poll return value (regression in 3.13)
    - iio: event: Remove negative error code from iio_event_poll (regression in 3.13)
    - NFSv4: don't set SETATTR for O_RDONLY|O_EXCL
    - fs: Set the size of empty dirs to 0. (regression in 3.16.7-ckt15)
    - [x86] staging: comedi: adl_pci7x3x: fix digital output on PCI-7230
    - blk-mq: fix buffer overflow when reading sysfs file of 'pending'
    - NFS: nfs_set_pgio_error sometimes misses errors
    - NFS: Fix a NULL pointer dereference of migration recovery ops for v4.2 client
    - usb: host: ehci-sys: delete useless bus_to_hcd conversion
    - USB: symbolserial: Use usb_get_serial_port_data (regression in 3.10)
    - igb: Fix oops caused by missing queue pairing (regression in 3.14)
    - eCryptfs: Invalidate dcache entries when lower i_nlink is zero
    - libxfs: readahead of dir3 data blocks should use the read verifier
    - xfs: Fix xfs_attr_leafblock definition
    - [arm64] kconfig: Move LIST_POISON to a safe value
    - Btrfs: check if previous transaction aborted to avoid fs corruption
    - xfs: Fix file type directory corruption for btree directories
    - [arm64] flush FP/SIMD state correctly after execve()
    - xfs: return errors from partial I/O failures to files
    - drm/radeon/atom: Send out the full AUX address
    - [x86] drm/i915: Always mark the object as dirty when used by the GPU
    - IB/uverbs: reject invalid or unknown opcodes
    - [x86] crypto: ghash-clmulni: specify context size for ghash async algorithm
    - fs: create and use seq_show_option for escaping
    - scsi: fix scsi_error_handler vs. scsi_host_dev_release race
    - [x86] drm/i915: Limit the number of loops for reading a split 64bit register (regression in 3.16.7-ckt16)
    - hfs,hfsplus: cache pages correctly between bnode_create and bnode_free
    - hfs: fix B-tree corruption after insertion at position 0
    - [armel/versatile,armhf] Input: ambakmi - fix system PM by converting to modern callbacks (regression in 3.14)
    - svcrdma: Fix send_reply() scatter/gather set-up
    - [x86] mm: Initialize pmd_idx in page_table_range_init_count()
    - batman-adv: fix multicast counter when purging originators
    - batman-adv: fix counter for multicast supporting nodes
    - batman-adv: Fix potential synchronization issues in mcast tvlv handler
    - batman-adv: Fix potentially broken skb network header access
    - [powerpc/powerpc64] mm: Fix pte_pagesize_index() crash on 4K w/64K hash
    - ath10k: fix dma_mapping_error() handling
    - mmc: sdhci: also get preset value and driver type for MMC_DDR52 (regression in 3.16)
    - IB/mlx4: Fix potential deadlock when sending mad to wire
    - IB/mlx4: Forbid using sysfs to change RoCE pkeys
    - IB/uverbs: Fix race between ib_uverbs_open and remove_one
    - mmc: core: fix race condition in mmc_wait_data_done
    - task_work: remove fifo ordering guarantee
    - netlink, mmap: fix edge-case leakages in nf queue zero-copy
    - md: flush ->event_work before stopping array.
    - md/raid10: always set reshape_safe when initializing reshape_position.
    - ext4: fix loss of delalloc extent info in ext4_zero_range()
    - [powerpc,ppc64el] MSI: Fix race condition in tearing down MSI interrupts
    - UBI: block: Add missing cache flushes
    - net/ipv6: Correct PIM6 mrt_lock handling
    - netlink, mmap: transform mmap skb into full skb on taps
    - openvswitch: Zero flows on allocation.
- fib_rules: fix fib rule dumps across multiple skbs http://kernel.ubuntu.com/stable/ChangeLog-3.16.7-ckt19 - CIFS: fix type confusion in copy offload ioctl - [x86] apic: Serialize LVTT and TSC_DEADLINE writes - [arm64] head.S: initialise mdcr_el2 in el2_setup - kvm: don't try to register to KVM_FAST_MMIO_BUS for non mmio eventfd - kvm: fix double free for fast mmio eventfd - [powerpc*] mm: Recompute hash value after a failed update (regression in 3.11) - [i386] platform: Fix Geode LX timekeeping in the generic x86 build - [arm64,armhf] KVM: Disable virtual timer even if the guest is not using it - [x86] hp-wmi: limit hotkey enable - zram: fix possible use after free in zcomp_create() (regression in 3.15) - [x86] drm/vmwgfx: Fix up user_dmabuf refcounting - [armhf] dts: omap3-beagle: make i2c3, ddc and tfp410 gpio work again (regression in 3.15) - Btrfs: fix read corruption of compressed and shared extents - btrfs: skip waiting on ordered range for special files - [armhf] usb: chipidea: udc: using the correct stall implementation - [armhf] net: mvneta: fix DMA buffer unmapping in mvneta_rx() (regression in 3.16.7-ckt16) - iser-target: remove command with state ISTATE_REMOVE - [x86] KVM: trap AMD MSRs for the TSeg base and mask - usb: Use the USB_SS_MULT() macro to get the burst multiplier. 
- xhci: give command abortion one more chance before killing xhci - usb: xhci: Clear XHCI_STATE_DYING on start - xhci: change xhci 1.0 only restrictions to support xhci 1.1 - xhci: init command timeout timer earlier to avoid deleting it uninitialized - cifs: use server timestamp for ntlmv2 authentication - [x86] paravirt: Replace the paravirt nop with a bona fide empty function - [amd64] nmi: Fix a paravirt stack-clobbering bug in the NMI code (regression in 3.16.7-ckt16) - ocfs2/dlm: fix deadlock when dispatch assert master - [x86] drm/i915/bios: handle MIPI Sequence Block v3+ gracefully - drm/qxl: only report first monitor as connected if we have no state - PCI: Fix devfn for VPD access through function 0 (regression in 3.16.7-ckt18) - PCI: Use function 0 VPD for identical functions, regular VPD for others - netfilter: nft_compat: skip family comparison in case of NFPROTO_UNSPEC - vxlan: set needed headroom correctly - jbd2: avoid infinite loop when destroying aborted journal - asix: Don't reset PHY on if_up for ASIX 88772 - asix: Do full reset during ax88772_bind - fib_rules: Fix dump_rules() not to exit early - net/xen-netfront: only napi_synchronize() if running - [x86] intel_pstate: Fix overflow in busy_scaled due to long delay - UBI: Validate data_size - UBI: return ENOSPC if no enough space available - [mips*/4kc-malta] dma-default: Fix 32-bit fall back to GFP_DMA - [x86] efi: Fix boot crash by mapping EFI memmap entries bottom-up at runtime, instead of top-down - [x86] Use WARN_ON_ONCE for missing X86_FEATURE_NRIPS - mm: hugetlbfs: skip shared VMAs when unmapping private pages to satisfy a fault - [x86] mm: Set NX on gap between __ex_table and rodata - clocksource: Fix abs() usage w/ 64bit values - [x86] drm/vmwgfx: Fix kernel NULL pointer dereference on older hardware - fs: if a coredump already exists, unlink and recreate with O_EXCL - sctp: donot reset the overall_error_count in SHUTDOWN_RECEIVE state - l2tp: protect tunnel->del_work by ref_count - 
af_unix: return data from multiple SKBs on recv() with MSG_PEEK flag - net/unix: fix logic about sk_peek_offset - skbuff: Fix skb checksum flag on skb pull - skbuff: Fix skb checksum partial check. - net: add pfmemalloc check in sk_add_backlog() - ppp: don't override sk->sk_state in pppoe_flush_dev() - ethtool: Use kcalloc instead of kmalloc for ethtool_get_strings - ovs: do not allocate memory from offline numa node - netlink: Trim skb to alloc size to avoid MSG_TRUNC - net: add length argument to skb_copy_and_csum_datagram_iovec (regression in 3.16.7-ckt17) (CVE-2015-8019) - Btrfs: update fix for read corruption of compressed and shared extents http://kernel.ubuntu.com/stable/ChangeLog-3.16.7-ckt20 - regmap: debugfs: Ensure we don't underflow when printing access masks - regmap: debugfs: Don't bother actually printing when calculating max length - [x86] xen: Support kexec/kdump in HVM guests by doing a soft reset - svcrdma: handle rdma read with a non-zero initial page offset (regression in 3.16) - dm: fix AB-BA deadlock in __dm_destroy() (regression in 3.16.7-ckt10) - cifs: [SMB3] Do not fall back to SMBWriteX in set_file_size error cases - dm raid: fix round up of default region size - staging: speakup: fix speakup-r regression - [arm64] readahead: fault retry breaks mmap file read random detection - sched/core: Fix TASK_DEAD race in finish_task_switch() - dm cache: fix NULL pointer when switching from cleaner policy - 3w-9xxx: don't unmap bounce buffered commands (regression in 3.16.7-ckt17) - workqueue: make sure delayed work run in local cpu - drm/radeon: add pm sysfs files late - drm/nouveau/fbcon: take runpm reference when userspace has an open fd - crypto: ahash - ensure statesize is non-zero - btrfs: check unsupported filters in balance arguments - btrfs: fix use after free iterating extrefs - btrfs: fix possible leak in btrfs_ioctl_balance() - drm: Reject DRI1 hw lock ioctl functions for kms drivers - usb: xhci: Add support for URB_ZERO_PACKET to 
bulk/sg transfers - rbd: fix double free on rbd_dev->header_name - ath9k: declare required extra tx headroom - iio: accel: sca3000: memory corruption in sca3000_read_first_n_hw_rb() - xen-blkfront: check for null drvdata in blkback_changed (XenbusStateClosing) - iio: mxs-lradc: Fix temperature offset - [x86] drm/i915: Deny wrapping an userptr into a framebuffer - xhci: don't finish a TD if we get a short transfer event mid TD - xhci: handle no ping response error properly - drm/nouveau/gem: return only valid domain when there's only one - [powerpc*] rtas: Validate rtas.entry before calling enter_rtas() - mm: make sendfile(2) killable - rbd: don't leak parent_spec in rbd_dev_probe_parent() - rbd: prevent kernel stack blow up on rbd map - dm btree remove: fix a bug when rebalancing nodes after removal - dm btree: fix leak of bufio-backed block in btree_split_beneath error path - IB/cm: Fix rb-tree duplicate free and use-after-free - iwlwifi: mvm: init card correctly on ctkill exit check (regression in 3.16.7-ckt2) - module: Fix locking in symbol_put_addr() - crypto: api - Only abort operations on fatal signal - md/raid1: submit_bio_wait() returns 0 on success - md/raid10: submit_bio_wait() returns 0 on success - [x86] iommu/amd: Don't clear DTE flags when modifying it - [armel,armhf] i2c: mv64xxx: really allow I2C offloading - drm/radeon: don't try to recreate sysfs entries on resume - mvsas: Fix NULL pointer dereference in mvs_slot_task_free - [arm64] Revert "ARM64: unwind: Fix PC calculation" - rbd: require stable pages if message data CRCs are enabled - md/raid5: fix locking in handle_stripe_clean_event() - Revert "md: allow a partially recovered device to be hot-added to an array." 
(regression in 3.14) - ipv6: Fix IPsec pre-encap fragmentation check - ppp: fix pppoe_dev deletion condition in pppoe_release() - ipv6: gre: support SIT encapsulation (regression in 3.13) - isdn_ppp: Add checks for allocation failure in isdn_ppp_open() - ppp, slip: Validate VJ compression slot parameters completely (CVE-2015-7799) - staging/dgnc: fix info leak in ioctl - sched/preempt: Fix cond_resched_lock() and cond_resched_softirq() (regression in 3.13) . [ Aurelien Jarno ] * [mips*/octeon] Enable CAVIUM_CN63XXP1 (Closes: #800595) . [ Ben Hutchings ] * nbd: Restore request timeout detection (Closes: #770479) * netlink: Fix ABI change in 3.16.7-ckt18 * [x86] Enable PINCTRL_BAYTRAIL (Closes: #797949) * firmware_class: Fix condition in directory search loop (Closes: #804862) * ehci: Fix ABI change in 3.16.7-ckt19 * [arm64] Defer workaround for erratum #843419 * [x86] KVM: svm: unconditionally intercept #DB (CVE-2015-8104) linux (3.16.7-ckt17-1) jessie; urgency=medium . * New upstream stable updates: http://kernel.ubuntu.com/stable/ChangeLog-3.16.7-ckt12 - [x86] reboot: Add EFI reboot quirk for ACPI Hardware Reduced flag - UBI: fix soft lockup in ubi_check_volume() - mnt: Fail collect_mounts when applied to unmounted mounts - btrfs: unlock i_mutex after attempting to delete subvolume during send (regression in 3.16) - [arm64] dma-mapping: always clear allocated buffers - ALSA: emu10k1: Fix card shortname string buffer overflow - SCSI: add 1024 max sectors black list flag - 3w-sas,3w-xxxx,3w-9xxx: fix command completion race - [armhf] usb: chipidea: otg: remove mutex unlock and lock while stop and start role (regression in 3.16) - cdc-acm: prevent infinite loop when parsing CDC headers. (regression in 3.16.7-ckt8) - ALSA: emux: Fix mutex deadlock in OSS emulation - rbd: end I/O the entire obj_request on error - mlx4_en: Use correct loop cursor in error path. 
- [armhf,arm64] KVM: Fix and refactor unmap_range - [armhf] KVM: Unmap IPA on memslot delete/move - [armhf] KVM: user_mem_abort: support stage 2 MMIO page mapping - [armhf,arm64] KVM: avoid returning negative error code as bool - [armhf,arm64] KVM: fix use of WnR bit in kvm_is_write_fault() - [armhf] KVM: vgic: plug irq injection race - [armhf,arm64] KVM: Fix set_clear_sgi_pend_reg offset - [armhf,arm64] KVM: Fix VTTBR_BADDR_MASK and pgd alloc - [armhf,arm64] KVM: fix potential NULL dereference in user_mem_abort() - [armhf,arm64] KVM: Ensure memslots are within KVM_PHYS_SIZE - [arm64] KVM: fix unmapping with 48-bit VAs - [armhf,arm64] kvm: drop inappropriate use of kvm_is_mmio_pfn() - [armhf,arm64] KVM: Reset the HCR on each vcpu when resetting the vcpu - [armhf,arm64] KVM: Introduce stage2_unmap_vm - [armhf,arm64] KVM: Don't allow creating VCPUs after vgic_initialized - [armhf,arm64 KVM: Require in-kernel vgic for the arch timers - [arm64] KVM: Fix TLB invalidation by IPA/VMID - [arm64] KVM: Fix HCR setting for 32bit guests - [arm64] KVM: Do not use pgd_index to index stage-2 pgd - net: make skb_gso_segment error handling more robust - blk-mq: fix CPU hotplug handling - mm/memory-failure: call shake_page() when error hits thp tail page - nilfs2: fix sanity check of btree level in nilfs_btree_root_broken() - ocfs2: dlm: fix race between purge and get lock resource - drm/radeon: make VCE handle check more strict - drm/radeon: make UVD handle checking more strict - drm/radeon: more strictly validate the UVD codec - mnt: Fix fs_fully_visible to verify the root directory is visible - pinctrl: Don't just pretend to protect pinctrl_maps, do it for real - crush: ensuring at most num-rep osds are selected - netfilter: nf_tables: fix error handling of rule replacement - netfilter: Zero the tuple in nfnl_cthelper_parse_tuple() - netfilter: nf_tables: check for overflow of rule dlen field - netfilter: nft_rbtree: fix locking - sched/autogroup: Fix failure to set 
cpu.rt_runtime_us - xprtrdma: Free the pd if ib_query_qp() fails - xfs: ensure truncate forces zeroed blocks to disk http://kernel.ubuntu.com/stable/ChangeLog-3.16.7-ckt13 - usb: gadget: configfs: Fix interfaces array NULL-termination - nfsd: fix the check for confirmed openowner in nfs4_preprocess_stateid_op - libata: Blacklist queued TRIM on all Samsung 800-series (Closes: #790520) - md/raid5: don't record new size if resize_stripes fails. - sched: Handle priority boosted tasks proper in setscheduler() - [armel,armhf] net fix emit_udiv() for BPF_ALU | BPF_DIV | BPF_K intruction. - drm/radeon: add new bonaire pci id (Closes: #792099) - firmware: dmi_scan: Fix ordering of product_uuid - ext4: fix NULL pointer dereference when journal restart fails (regression in 3.11) - ext4: check for zero length extent explicitly (regression in 3.13) - jbd2: fix r_count overflows leading to buffer overflow in journal recovery - igb: Fix oops on changing number of rings - igb: Fix NULL assignment to incorrect variable in igb_reset_q_vector - [arm64] add missing PAGE_ALIGN() to __dma_free() - net: socket: Fix the wrong returns for recvmsg and sendmsg (regression in 3.16.7-ckt9) - mac80211: move WEP tailroom size check - [x86] KVM: MMU: fix smap permission check - [x86] KVM: MMU: fix CR4.SMEP=1, CR0.WP=0 with shadow pages - [x86] KVM: MMU: fix SMAP virtualization - sd: Disable support for 256 byte/sector disks - xen/events: don't bind non-percpu VIRQs with percpu chip - libceph: request a new osdmap if lingering request maps to no osd - [s390x] crypto: ghash - Fix incorrect ghash icv buffer handling. 
- ipvs: fix memory leak in ip_vs_ctl.c - ipv6: fix ECMP route replacement - ipv4: Avoid crashing in ip_error - bridge: fix parsing of MLDv2 reports - module: Call module notifier on failure after complete_formation() (regression in 3.16) - [x86] gpio: gpio-kempld: Fix get_direction return value (regression in 3.12) - [armel,armhf] 8356/1: mm: handle non-pmd-aligned end of RAM - mac80211: don't use napi_gro_receive() outside NAPI context - xfs: xfs_attr_inactive leaves inconsistent attr fork state behind - fs, omfs: add NULL terminator in the end up the token list - vfs: d_walk() might skip too much (regression in 3.16.7-ckt4) - target/pscsi: Don't leak scsi_host if hba is VIRTUAL_HOST - net_sched: invoke ->attach() after setting dev->qdisc - fs/binfmt_elf.c:load_elf_binary(): return -EINVAL on zero-length mappings (regression in 3.16.7-ckt11) http://kernel.ubuntu.com/stable/ChangeLog-3.16.7-ckt14 - n_tty: Fix auditing support for cannonical mode (regression in 3.12) - lib: Fix strnlen_user() to not touch memory after specified maximum - xfrm: fix a race in xfrm_state_lookup_byspi - thermal: step_wise: Revert optimization (regression in 3.12) - net: dp83640: fix broken calibration routine. - net: dp83640: reinforce locking rules. 
- unix/caif: sk_socket can disappear when state is unlocked - xen/netback: Properly initialize credit_bytes (regression in 3.16) - ipv4/udp: Verify multicast group is ours in upd_v4_early_demux() (regression in 3.13) - bridge: disable softirqs around br_fdb_update to avoid lockup - Btrfs: send, add missing check for dead clone root - Btrfs: send, don't leave without decrementing clone root's send_progress - btrfs: incorrect handling for fiemap_fill_next_extent return - btrfs: cleanup orphans while looking up default subvolume - [x86] iommu/vt-d: Allow RMRR on graphics devices too (regression in 3.16.3) - [armhf] irqchip: sunxi-nmi: Fix off-by-one error in irq iterator - mm/memory_hotplug.c: set zone->wait_table to null after freeing it - block: fix ext_dev_lock lockdep report (regression in 3.16.4) - iser-target: Fix variable-length response error completion (regression in 3.16) - iser-target: release stale iser connections http://kernel.ubuntu.com/stable/ChangeLog-3.16.7-ckt15 - [x86] KVM: nSVM: Check for NRIPS support before updating control field - nfs: take extra reference to fl->fl_file when running a setlk - net: don't wait for order-3 page allocation - bridge: fix br_stp_set_bridge_priority race conditions - packet: read num_members once in packet_rcv_fanout() - packet: avoid out of bounds read in round robin fanout - neigh: do not modify unlinked entries - tcp: Do not call tcp_fastopen_reset_cipher from interrupt context (regression in 3.13) - sctp: Fix race between OOTB responce and route removal - media: s5h1420: fix a buffer overflow when checking userspace params - media: cx24116: fix a buffer overflow when checking userspace params - media: af9013: Don't accept invalid bandwidth - media: cx24117: fix a buffer overflow when checking userspace params - spi: fix race freeing dummy_tx/rx before it is unmapped - mtd: fix: avoid race condition when accessing mtd->usecount - intel_pstate: set BYT MSR with wrmsrl_on_cpu() (regression in 3.14) - leds / PM: fix 
hibernation on arm when gpio-led used with CPU led trigger (regression in 3.11) - mnt: Refactor the logic for mounting sysfs and proc in a user namespace - scsi_transport_srp: Fix a race condition - w1_therm reference count family data - drm/radeon: take the mode_config mutex when dealing with hpds (v2) - [armhf] usb: dwc3: gadget: return error if command sent to DGCMD register fails - rcu: Correctly handle non-empty Tiny RCU callback list with none ready - [armhf] usb: dwc3: gadget: don't clear EP_BUSY too early - staging: rtl8712: prevent buffer overrun in recvbuf2recvframe - SUNRPC: Fix a memory leak in the backchannel code - ieee802154: Fix sockaddr_ieee802154 implicit padding information leak. - mnt: Modify fs_fully_visible to deal with locked ro nodev and atime - regulator: core: fix constraints output buffer - ACPI / PM: Add missing pm_generic_complete() invocation (regression in 3.16) - [armel,armh] dmaengine: mv_xor: bug fix for racing condition in descriptors cleanup - [arm64] Do not attempt to use init_mm in reset_context() - ext4: fix race between truncate and __ext4_journalled_writepage() - [x86] pcmcia: Disable write buffering on Toshiba ToPIC95 - fs/ufs: revert "ufs: fix deadlocks introduced by sb mutex merge" (regression in 3.16.4) - jbd2: use GFP_NOFS in jbd2_cleanup_journal_tail() - jbd2: fix ocfs2 corrupt when updating journal superblock fails - fs/ufs: restore s_lock mutex (regression in 3.16) - regmap: Fix possible shift overflow in regmap_field_init() - [x86] PCI: Use host bridge _CRS info on systems with >32 bit addressing (regression in 3.14) - libata: Do not blacklist Micron M500DC (regression in 3.14) - [x86] iommu/amd: Handle large pages correctly in free_pagetable (regression in 3.11) - ext4: call sync_blockdev() before invalidate_bdev() in put_super() - xfs: fix remote symlinks on V5/CRC filesystems - ext4: don't retry file block mapping on bigalloc fs with non-extent file - xfs: don't truncate attribute extents if no extents exist - 
NET: ROSE: Don't dereference NULL neighbour pointer. - netfilter: nf_qeueue: Drop queue entries on nf_unregister_hook - fs: Fix S_NOSEC handling - stmmac: troubleshoot unexpected bits in des0 & des1 - PM / sleep: Increase default DPM watchdog timeout to 60 (regression in 3.13) - [armhf] clocksource: exynos_mct: Avoid blocking calls in the cpu hotplug notifier (regression in 3.11) - drm/radeon: compute ring fix hibernation (CI GPU family) v2. - drm/radeon: SDMA fix hibernation (CI GPU family). - [armhf] net: mvneta: disable IP checksum with jumbo frames for Armada 370 - [arm64] Don't report clear pmds and puds as huge - fuse: initialize fc->release before calling it - vfs: Ignore unlocked mounts in fs_fully_visible - proc: Allow creating permanently empty directories that serve as mount points - mnt: Update fs_fully_visible to test for permanently empty directories - ACPICA: Tables: Enable both 32-bit and 64-bit FACS (regression in 3.14) - ACPICA: Tables: Fix an issue that FACS initialization is performed twice - ACPICA: Tables: Enable default 64-bit FADT addresses favor - [x86] KVM: make vapics_in_nmi_mode atomic - [s390x] KVM: virtio-ccw: don't overwrite config space values - 9p: forgetting to cancel request on interrupted zero-copy RPC - e1000e: Cleanup handling of VLAN_HLEN as a part of max frame size (regression in 3.15) - ath9k_htc: memory corruption calling set_bit() - mac80211: prevent possible crypto tx tailroom corruption - cfg80211: ignore netif running state when changing iftype - Btrfs: lock superblock before remounting for rw subvol (regression in 3.15) - of: return NUMA_NO_NODE from fallback of_node_to_nid() (regression in 3.13) - sched/fair: Prevent throttling in early pick_next_task_fair() (regression in 3.15) - ACPI / init: Switch over platform to the ACPI mode later (regression in 3.14) - [armhf] drm/tegra: dpaux: Fix transfers larger than 4 bytes - mmc: card: Fixup request missing in mmc_blk_issue_rw_rq - perf: Fix ring_buffer_attach() RCU sync, 
again - LZ4 : fix the data abort issue http://kernel.ubuntu.com/stable/ChangeLog-3.16.7-ckt16 - Btrfs: use kmem_cache_free when freeing entry in inode cache - Btrfs: fix race between caching kthread and returning inode to inode cache - Btrfs: fix fsync data loss after append write - ext4: fix reservation release on invalidatepage for delalloc fs - ext4: be more strict when migrating to non-extent based file - ext4: correctly migrate a file with a hole at the beginning - 9p: don't leave a half-initialized inode sitting around - thermal: step_wise: fix: Prevent from binary overflow when trend is dropping - dm btree remove: fix bug in redistribute3 - [armhf] crypto: omap-des - Fix unmapping of dma channels - [armhf] usb: musb: host: rely on port_mode to call musb_start() (regression in 3.13) - drm: add a check for x/y in drm_mode_setcrtc - bio integrity: do not assume bio_integrity_pool exists if bioset exists - Btrfs: fix memory leak in the extent_same ioctl - Btrfs: fix list transaction->pending_ordered corruption - Btrfs: fix file corruption after cloning inline extents - [armel,armhf] 8404/1: dma-mapping: fix off-by-one error in bitmap size check (regression in 3.15) - net: graceful exit from netif_alloc_netdev_queues() - ip_tunnel: fix ipv4 pmtu check to honor inner ip header df (regression in 3.11) - net: do not process device backlog during unregistration - rds: rds_ib_device.refcount overflow - mm: avoid setting up anonymous pages into file mapping - HID: cp2112: fix to force single data-report reply - [armhf] net: mvneta: fix refilling for Rx DMA buffers - [armhf] usb: dwc3: gadget: return error if command sent to DEPCMD register fails - usb: xhci: Bugfix for NULL pointer deference in xhci_endpoint_init() function - usb: core: lpm: set lpm_capable for root hub device (regression in 3.15) - USB: OHCI: Fix race between ED unlink and URB submission (regression in 3.16.2) - usb-storage: ignore ZTE MF 823 card reader in mode 0x1225 - md/raid1: fix test for 'was 
read error from last working device'. - [armhf] mmc: omap_hsmmc: Fix DTO and DCRC handling - bonding: correctly handle bonding type change on enslave failure - inet: frags: fix defragmented packet's IP header for af_packet - vfs: freeing unlinked file indefinitely delayed - mmc: sdhci: Fix FSL ESDHC reset handling quirk (regression in 3.16) http://kernel.ubuntu.com/stable/ChangeLog-3.16.7-ckt17 - sysfs: Create mountpoints with sysfs_create_mount_point - iscsi-target: Fix use-after-free during TPG session shutdown - iscsi-target: Fix iscsit_start_kthreads failure OOPs (regression in 3.16.7-ckt11) - iscsi-target: Fix iser explicit logout TX kthread leak (regression in 3.16.7-ckt11) - xfs: remote attribute headers contain an invalid LSN - xfs: remote attributes need to be considered data - [x86] drm/i915: Replace WARN inside I915_READ64_2x32 with retry loop - ipr: Fix locking for unit attention handling - ipr: Fix invalid array indexing for HRRQ - [x86] xen: Probe target addresses in set_aliased_prot() before the hypercall - netfilter: ctnetlink: put back references to master ct and expect object (regression in 3.12) - ipvs: do not use random local source address for tunnels - ipvs: fix crash if scheduler is changed - ipvs: fix crash with sync protocol v0 and FTP - NFS: Don't revalidate the mapping if both size and change attr are up to date (regression in 3.16) - packet: missing dev_put() in packet_do_bind() - packet: tpacket_snd(): fix signed/unsigned comparison - net: sched: fix refcount imbalance in actions - act_pedit: check binding before calling tcf_hash_release() - nfsd: Drop BUG_ON and ignore SECLABEL on absent filesystem - [armel/ixp4xx] crypto: Remove bogus BUG_ON on scattered dst buffer - rbd: fix copyup completion race - md/bitmap: return an error when bitmap superblock is corrupt. 
- md/raid1: extend spinlock to protect raid1_end_read_request against inconsistencies - [armhf] thermal: exynos: Disable the regulator on probe failure - xhci: fix off by one error in TRB DMA address boundary check - mm, vmscan: Do not wait for page writeback for GFP_NOFS allocations - [mips*] Make set_pte() SMP safe. - ipc: modify message queue accounting to not take kernel data structures into account - ocfs2: fix BUG in ocfs2_downconvert_thread_do_work() - fsnotify: fix oops in fsnotify_clear_marks_by_group_flags() - rtnetlink: verify IFLA_VF_INFO attributes before passing them to driver - net/tipc: initialize security state for new connection socket - net: call rcu_read_lock early in process_backlog - net: Clone skb before setting peeked flag - net: Fix skb csum races when peeking - net: Fix skb_set_peeked use-after-free bug - ipv6: lock socket in ip6_datagram_connect() - netlink: don't hold mutex in rcu callback when releasing mmapd ring - rds: fix an integer overflow test in rds_info_getsockopt() - udp: fix dst races with multicast early demux - bna: fix interrupts storm caused by erroneous packets (regression in 3.14) - net: gso: use feature flag argument in all protocol gso handlers - ext4: avoid deadlocks in the writeback path by using sb_getblk_gfp - xen-blkfront: don't add indirect pages to list when !feature_persistent - xen-blkback: replace work_pending with work_busy in purge_persistent_gnt() - regmap: regcache-rbtree: Clean new present bits on present bitmap resize (regression in 3.12) - target/iscsi: Fix double free of a TUR followed by a solicited NOPOUT - [x86] ldt: Make modify_ldt synchronous - [x86] ldt: Correct LDT access in single stepping logic - [i386] ldt: Correct FPU emulation access to LDT - dm btree: add ref counting ops for the leaves of top level btrees - libfc: Fix fc_exch_recv_req() error path (regression in 3.13) - libfc: Fix fc_fcp_cleanup_each_cmd() - [x86] drm/vmwgfx: Fix execbuf locking issues - mm/hwpoison: fix page refcount of 
unknown non LRU page - ipc,sem: fix use after free on IPC_RMID after a task using same semaphore set exits - ipc/sem.c: change memory barrier in sem_lock() to smp_rmb() - ipc/sem.c: update/correct memory barriers - [mips*] Fix seccomp syscall argument for MIPS64 (regression in 3.15) - [i386] ldt: Further fix FPU emulation - ALSA: usb-audio: Fix runtime PM unbalance (regression in 3.15) - libata: Add factory recertified Crucial M500s to blacklist - [arm64] KVM: Fix host crash when injecting a fault into a 32bit guest - batman-adv: fix kernel crash due to missing NULL checks (regression in 3.16) - batman-adv: protect tt_local_entry from concurrent delete events - perf: Fix PERF_EVENT_IOC_PERIOD migration race (regression in 3.14) - net: Fix RCU splat in af_key - ip6_gre: release cached dst on tunnel removal - xen/gntdevt: Fix race condition in gntdev_release() - signalfd: fix information leak in signalfd_copyinfo - signal: fix information leak in copy_siginfo_to_user - signal: fix information leak in copy_siginfo_from_user32 . [ Ben Hutchings ] * [x86] vmwgfx: Enable DRM_VMWGFX_FBCON (Closes: #714929) * [x86] edac: Add edac_ie31200 driver from Linux 3.17 (Closes: #780773) * [mips*] Correct FP ISA requirements (Closes: #781892) * Revert "ACPICA: Utilities: split IO address types from data type models." to avoid ABI change on i386 * libata: add ATA_HORKAGE_NOTRIM * libata: force disable trim for SuperSSpeed S238 * block: Do a full clone when splitting discard bios (Closes: #793326) * [armel,sh4] linux-image: Recommend u-boot-tools rather than the obsolete uboot-mkimage package (Closes: #793608) * linux-source: Depend on xz-utils, not bzip2 (Closes: #796940) * [x86] i2c: i801: Use wait_event_timeout to wait for interrupts (Closes: #799786) * Adjust for migration to git: - Update .gitignore files - debian/control: Update Vcs-* fields - README.Debian, README.source: Update references to svn * media: uvcvideo: Disable hardware timestamps by default (Closes: #794327) . 
[ Ian Campbell ] * [xen] xen-netback: return correct ethtool stats (Closes: #786936) * of: make sure of_alias is initialized before accessing it. (Closes: #784053) . [ Uwe Kleine-König ] * Merge jessie-security changes . [ Aurelien Jarno ] * [mips*] Correct FP emulation delay slot exception propagation. * [mips*el/loongson3] Set Loongson 3 ISA to MIPS64R1 to correctly emulate the corresponding FP instructions. linux (3.16.7-ckt11-1+deb8u6~bpo70+1) wheezy-backports; urgency=medium . * Rebuild for wheezy: - Disable architectures that weren't part of wheezy - Use gcc-4.6 for all architectures - Change ABI number to 0.bpo.4 - [arm] btrfs: Work around bug in gcc-4.6 (fixes FTBFS) - linux-image: Depend on initramfs-tools without any alternatives, so that neither apt nor aptitude will automatically switch to dracut . linux (3.16.7-ckt11-1+deb8u6) jessie-security; urgency=medium . [ Salvatore Bonaccorso ] * KEYS: Fix race between key destruction and finding a keyring by name * KEYS: Fix crash when attempt to garbage collect an uninstantiated keyring (CVE-2015-7872) * KEYS: Don't permit request_key() to construct a new keyring . [ Ben Hutchings ] * usbvision: fix overflow of interfaces array (CVE-2015-7833) * RDS: fix race condition when sending a message on unbound socket (CVE-2015-7990) * [x86] KVM: Intercept #AC to avoid guest->host denial-of-service (CVE-2015-5307) . linux (3.16.7-ckt11-1+deb8u5) jessie-security; urgency=medium . [ Ben Hutchings ] * USB: whiteheat: fix potential null-deref at probe (CVE-2015-5257) * sctp: fix race on protocol/netns initialization (CVE-2015-5283) . [ Salvatore Bonaccorso ] * ipc: fully initialize sem_array before making it visible * ipc: Initialize msg/shm IPC objects before doing ipc_addid() (CVE-2015-7613) linux (3.16.7-ckt11-1+deb8u4) jessie-security; urgency=medium . 
  * ipv6: addrconf: validate new MTU before applying it (CVE-2015-0272)
  * virtio-net: drop NETIF_F_FRAGLIST (CVE-2015-5156)
  * vhost: actually track log eventfd file (CVE-2015-6252)
  * aufs3: mmap: Fix races in madvise_remove() and sys_msync()
    (Closes: #796036)
  * RDS: verify the underlying transport exists before creating a connection
    (CVE-2015-6937)
  * vfs: Fix possible escape from mount namespace (CVE-2015-2925):
    - namei: lift (open-coded) terminate_walk() in follow_dotdot_rcu() into
      callers
    - dcache: Handle escaped paths in prepend_path
    - vfs: Test for and handle paths that are unreachable from their mnt_root

linux (3.16.7-ckt11-1+deb8u4~bpo70+1) wheezy-backports; urgency=medium
  .
  * Rebuild for wheezy:
    - Disable architectures that weren't part of wheezy
    - Use gcc-4.6 for all architectures
    - Change ABI number to 0.bpo.4
    - [arm] btrfs: Work around bug in gcc-4.6 (fixes FTBFS)
    - linux-image: Depend on initramfs-tools without any alternatives, so
      that neither apt nor aptitude will automatically switch to dracut
  .

linux (3.16.7-ckt11-1+deb8u4) jessie-security; urgency=medium
  .
  * ipv6: addrconf: validate new MTU before applying it (CVE-2015-0272)
  * virtio-net: drop NETIF_F_FRAGLIST (CVE-2015-5156)
  * vhost: actually track log eventfd file (CVE-2015-6252)
  * aufs3: mmap: Fix races in madvise_remove() and sys_msync()
    (Closes: #796036)
  * RDS: verify the underlying transport exists before creating a connection
    (CVE-2015-6937)
  * vfs: Fix possible escape from mount namespace (CVE-2015-2925):
    - namei: lift (open-coded) terminate_walk() in follow_dotdot_rcu() into
      callers
    - dcache: Handle escaped paths in prepend_path
    - vfs: Test for and handle paths that are unreachable from their mnt_root

linux-tools (3.16.7-ckt20-1) jessie; urgency=medium
  .
  * New upstream stable update
    - perf session: Do not fail on processing out of order event
    - tools lib traceevent kbuffer: Remove extra update to data pointer in
      PADDING
    - kconfig: Fix warning "‘jump’ may be used uninitialized"
    - scripts/sortextable: suppress warning: `relocs_size' may be used
      uninitialized
    - perf symbols: Store if there is a filter in place
    - perf hists browser: Take the --comm, --dsos, etc filters into account
    - perf hists: Update the column width for the "srcline" sort key
    - perf stat: Get correct cpu id for print_aggr
    - perf header: Fixup reading of HEADER_NRCPUS feature
    - tools lib traceevent: Fix string handling in heterogeneous arch
      environments
    - perf tools: Fix copying of /proc/kcore
  .
  [ Ben Hutchings ]
  * [x86] Add hyperv-daemons package, thanks to Hideki Yamane
    (closes: #782761)
    - Apply upstream bug fixes up to Linux 4.1 inclusive
  * Adjust for migration to git:
    - Update .gitignore files
    - debian/control: Update Vcs-* fields
    - debian/rules: Exclude .git from maintainerclean rule
  * debian/lib/python/debian_linux/debian.py: Change package version regexp
    to match linux package

lldpd (0.7.11-2+deb8u1) jessie; urgency=medium
  .
  * Fix a segfault when receiving incorrectly formed LLDP management
    addresses:
    - 0001-lldp-fix-a-buffer-overflow-when-handling-management-.patch
  * Fix an assert error when receiving incorrectly formed LLDP management
    addresses:
    - 0002-protocols-don-t-use-assert-on-paths-that-can-be-reac.patch

lxc (1:1.0.6-6+deb8u2) jessie-security; urgency=high
  .
  * CVE-2015-1335: prevent local containment administrator from escaping
    container via symlink attack. (Closes: #800471). Also include 2 followup
    patches that fixed regressions in the original fix. Patches obtained from
    the Ubuntu package:
    - 0020-CVE-2015-1335.patch
    - 0021-CVE-2015-1335-2.patch
    - 0022-CVE-2015-1335-3.patch

lxc (1:1.0.6-6+deb8u2~bpo70+1) wheezy-backports; urgency=high
  .
  * Rebuild for wheezy-backports.

madfuload (1.2-4+deb8u1) jessie; urgency=medium
  .
  * Non-maintainer upload.
  * Use autoreconf -fi to fix FTBFS with automake 1.14. (Closes: #793190)

mariadb-10.0 (10.0.22-0+deb8u1) jessie-security; urgency=high
  .
  [ Otto Kekäläinen ]
  * New upstream release 10.0.22. Includes fixes for the following security
    vulnerabilities (Closes: #802874):
    - CVE-2015-4802
    - CVE-2015-4807
    - CVE-2015-4815
    - CVE-2015-4826
    - CVE-2015-4830
    - CVE-2015-4836
    - CVE-2015-4858
    - CVE-2015-4861
    - CVE-2015-4870
    - CVE-2015-4913
    - CVE-2015-4792
  * New release includes updated man pages (Closes: #779992)
  * Add CVE IDs to previous changelog entries
  .
  [ Arnaud Fontaine ]
  * New upstream release 10.0.21.
    + Refreshed debian/patches/*.
    + Upstream changed mysqld_safe_syslog.cnf to fix logging error
    + Includes fixes for the following security vulnerabilities:
      - CVE-2015-4816
      - CVE-2015-4819
      - CVE-2015-4879
      - CVE-2015-4895

mariadb-10.0 (10.0.21-3) unstable; urgency=low
  .
  * Updated Brazilian Portuguese translation (Closes: #798048)
  * Upload 10.0.21 and all changes tested initially in experimental to
    unstable. Now sensible as mysql-5.6 has entered testing.

mariadb-10.0 (10.0.21-2) experimental; urgency=low
  .
  * Update gdb.conf to have tags signed by default
  * Add CVE IDs to previous changelog entries
  * Pass DEB_BUILD_ARCH to CMake options to enhance builds on some platforms
  * Test suite failures are now fatal on all platforms and not ignored
    anywhere
  * Revert most of commit 579282f and re-enable Mroonga

mariadb-10.0 (10.0.21-1) experimental; urgency=low
  .
  [ Otto Kekäläinen ]
  * Created libmariadbd18 and moved .so file from libmariadbd-dev there
  * Reproducible build improvement: Add LC_ALL=C to mysql.sym sort command
  * New upstream release.
    - Upstream added skip_log_error to mysqld_safe config (Closes: #781945)
    - Diffie-Hellman modulus increased to 2048-bits (Closes: #788905)
  * Split mariadb-test-data-10.0 out of the main test package.
    This will save disk space in Debian archives as the arch independent data
    files are in one single package that can be used on all platforms and the
    package that is built on multiple platforms shrinks significantly.
  .
  [ Jean Weisbuch ]
  * The MYCHECK_RCPT variable can now be set from the default file.
  * The check_for_crashed_tables() function on the debian-start script has
    been fixed to be able to log (and email) the errors it encountered:
    errors are sent to stderr by the CLI while only stdout was captured by
    the function.
  * The same function now also checks Aria tables along with MyISAM ones.

mariadb-10.0 (10.0.20-3) unstable; urgency=medium
  .
  [ Andreas Beckmann ]
  * mariadb-common: Depend on a version of mysql-common that ships
    /usr/share/mysql-common/configure-symlinks. (Closes: #787533)
  * mariadb-common.postinst: Drop fallback my.cnf symlink management.
  * mariadb-common.preinst: Clean up my.cnf/my.cnf.old from the fallback.
  .
  [ Otto Kekäläinen ]
  * Clean up old cruft from rules file after review by Sergei Golubchik
  * Unified config file layout with upstream .cnf layout
  * Recover mysql-upgrade dir/link handling wrongly removed in f7caa041db
  * Minor Lintian and documentation fixes
  * Switch 'nm -n' to 'nm --defined-only' to improve reproducible builds
  .
  [ Olaf van der Spek ]
  * Minor spell checking (Closes: #792123)
  .
  [ Israel Tsadok ]
  * Fix mariadb-server-10.0.preinst script that failed to save a new
    /var/lib/mysql-upgrade/DATADIR.link if a previous DATADIR.link existed
    and the /var/lib/mysql directory was a symbolic link with an absolute
    path as target (Closes: #792918)
  .
  [ Jean Weisbuch ]
  * Added a Debian default file for the mariadb-server-10.0 package which
    allows one to set the MYSQLD_STARTUP_TIMEOUT variable used in the init
    script

mariadb-10.0 (10.0.20-2) unstable; urgency=low
  .
  * Fix bash test logic in postinstall (Closes: #789589)
  * Add extra sort in d/rules mysqld.sym.gz command to satisfy Debian
    reproducible build requirements
  * Switch to utf8mb4 as default character set

mariadb-10.0 (10.0.20-1) unstable; urgency=low
  .
  * New upstream release. Includes fix for the following security
    vulnerability:
    - CVE-2015-3152: Client command line option --ssl-verify-server-cert
      (and MYSQL_OPT_SSL_VERIFY_SERVER_CERT option of the client API) when
      used together with --ssl will ensure that the established connection
      is SSL-encrypted and the MariaDB server has a valid certificate.
  * New release includes fix for memory corruption on arm64 (Closes: #787221)
  * Added patch to enhance build reproducibility regarding the file INFO_BIN

mariadb-10.0 (10.0.20-0+deb8u1) jessie-security; urgency=high
  .
  [ Otto Kekäläinen ]
  * New upstream release 10.0.20. Includes fixes for the following security
    vulnerabilities:
    - CVE-2015-3152: Client command line option --ssl-verify-server-cert
      (and MYSQL_OPT_SSL_VERIFY_SERVER_CERT option of the client API) when
      used together with --ssl will ensure that the established connection
      is
  * Includes fixes done in 10.0.18 for the following security
    vulnerabilities:
    - CVE-2014-8964 bundled PCRE contained heap-based buffer overflow
      vulnerability that allowed the server to crash or have other
      unspecified impact via a crafted regular expression made possible
      with the REGEXP_SUBSTR function (MDEV-8006).
    - CVE-2015-0501
    - CVE-2015-2571
    - CVE-2015-0505
    - CVE-2015-0499
  * Includes fixes done in 10.0.17 for the following security
    vulnerabilities:
    - CVE-2015-2568
    - CVE-2015-2573
    - CVE-2015-0433
    - CVE-2015-0441
  * Import of 10.0.17 included updated lines to the
    mariadb-server-10.0.postinst (upstream commit dc94bd0) which add
    parameter '--disable-log-bin' to the 'mysql_install_db' and
    'mysqld --bootstrap' commands
  * Security: improved hardening flags (hardening=+all,-pie) so that the
    resulting binaries would have closer to the same security features as
    the old binaries had when built using deprecated hardening-wrapper.
  * Removed /var/log/mysql.log from logrotate. No mysql related log should
    be directly under /var/log. The correct place is in /var/log/mysql
  * d/control: Related to innochecksum manpage move, also break/replace the
    mysql-client-5.5/6 packages (Closes: #779873)
  * Documentation changes:
  * Updated Swedish translation by Martin Bagge and Anders Jonsson
    (Closes: #781684)
  * Updated copyright file based on Lintian feedback
  .
  [ Robie Basak ]
  * Move innochecksum back to mariadb-server-core-10.0 to align with other
    variants (LP: #1421520).
  .
  [ Jan Wagner ]
  * Adding mysqld_multi.server_lsb-header.patch, provides LSB headers for
    example initscript (Closes: #778762)
  * Adding mysqld_multi_confd.patch, makes mysqld_multi reading conf.d
    (Closes: #778761)

mariadb-10.0 (10.0.19-1) unstable; urgency=low
  .
  * New upstream release. Fixed the server crash caused by mysql_upgrade
    (MDEV-8115).
  * Upload to unstable from master branch as Jessie is not released.

mariadb-10.0 (10.0.18-1~exp1) experimental; urgency=low
  .
  * New upstream release. Includes fixes for the following security
    vulnerabilities:
    - CVE-2014-8964 bundled PCRE contained heap-based buffer overflow
      vulnerability that allowed the server to crash or have other
      unspecified impact via a crafted regular expression made possible
      with the REGEXP_SUBSTR function (MDEV-8006).
    - CVE-2015-0501
    - CVE-2015-2571
    - CVE-2015-0505
    - CVE-2015-0499
  * Cleanup in d/copyright
  * Make the mariadb-common depends versioned to guarantee that latest
    config files are installed

mariadb-10.0 (10.0.17-1) unstable; urgency=low
  .
  [ Robie Basak ]
  * Move innochecksum back to mariadb-server-core-10.0 to align with other
    variants (LP: #1421520).
  .
  [ Jan Wagner ]
  * Adding mysqld_multi.server_lsb-header.patch, provides LSB headers for
    example initscript (Closes: #778762)
  * Adding mysqld_multi_confd.patch, makes mysqld_multi reading conf.d
    (Closes: #778761)
  .
  [ Otto Kekäläinen ]
  * New upstream release
  * Remove /var/log/mysql.log from logrotate. Everything should be inside
    the mysql directory (/var/log/mysql/) and not directly on plain /var/log
  * d/control: Related to innochecksum manpage move, also break/replace the
    mysql-client-5.5/6 packages (Closes: #779873)
  * New release confirmed to build with GCC-5 (Closes: #777996)
  * Updated Swedish translation by Martin Bagge and Anders Jonsson
    (Closes: #781684)

mariadb-10.0 (10.0.17-1~exp2) experimental; urgency=low
  .
  * d/control: Related to innochecksum manpage move, also break/replace the
    mysql-client-5.5/6 packages (Closes: #779873)
  * Add automatic fallback to the new /etc/mysql/my.cnf management scheme
    for cases where mysql-common/configure-symlinks is not yet available and
    users complain the installation ends up broken.
  * New release confirmed to build with GCC-5 (Closes: #777996)

mariadb-10.0 (10.0.17-1~exp1) experimental; urgency=low
  .
  [ Jan Wagner ]
  * Adding mysqld_multi.server_lsb-header.patch, provides LSB headers for
    example initscript (Closes: #778762)
  * Adding mysqld_multi_confd.patch, makes mysqld_multi reading conf.d
    (Closes: #778761)
  .
  [ Robie Basak ]
  * Move innochecksum back to mariadb-server-core-10.0 to align with other
    variants (LP: #1421520).
  * Fix typo in mariadb-server-10.0.postinst.
  * Fix typo in postinst mktemp call (LP: #1420831).
  .
  [ Arnaud Fontaine ]
  * d/control: innochecksum manpage has been moved to mariadb-client-10.0 in
    10.0.13-1 (ba97056), thus add Breaks/Replaces in mariadb-client-10.0
    against mariadb-server-10.0 << 10.0.13-1~.
  .
  [ Otto Kekäläinen ]
  * Follow to new /etc/mysql/my.cnf management scheme
  * Remove the my.cnf move command as it increases complexity too much and
    might emit an error code if mariadb-common is upgraded before
    mysql-common is.
  * Add patch to enhance build reproducibility
  * Remove /var/log/mysql.log from logrotate. Everything should be inside
    the mysql directory (/var/log/mysql/) and not directly on plain /var/log
  * New upstream release

mdadm (3.3.2-5+deb8u1) jessie; urgency=medium
  .
  * Non-maintainer upload.
  * disable-incremental-assembly.patch: incremental assembly prevents
    booting in degraded mode (Closes: #784070)

miniupnpc (1.9.20140610-2+deb8u1) jessie-security; urgency=high
  .
  * Non-maintainer upload by the Security Team.
  * Add CVE-2015-6031.patch patch.
    CVE-2015-6031: Buffer overflow vulnerability in XML parser
    functionality. (Closes: #802650)

mkvmlinuz (37+deb8u1) stable; urgency=medium
  .
  * Push run-parts output to stderr. (Closes: #741642)

monit (1:5.9-1+deb8u1) jessie; urgency=medium
  .
  * Fix umask-related regression between 5.8.1 and 5.9 (Closes: #796989)

mpm-itk (2.4.7-02-1.1+deb8u1) stable; urgency=medium
  .
  * Upload to stable to fix an RC bug.
  * 01-close-socket-in-correct-process.diff: New patch from upstream.
    Fix an issue where connections would be attempted closed in the parent
    instead of in the child. This would result in "Connection: close" not
    being honored, and various odd effects with SSL keepalive in certain
    browsers. (Closes: #798108)

multipath-tools (0.5.0-6+deb8u2) jessie; urgency=medium
  .
  * fix discovery of devices with blank rev
    - 0014-libmultipath-discovery-blank-rev-attr.patch:
  * Updates for compatibility with commit "multipath: Implement 'property'
    blacklist".
    - 0015-libmultipath-property-whitelist-SCSI_IDENT.patch
    Thanks to Mauricio Faria de Oliveira (Closes: #782400, #782488)
  * [5ffc2f4] Add documentation to cover additional friendly names
    scenarios. Thanks to Scott Moser (Closes: #788841)
  * [af3f228] init: Fix stop failure when no root device is found
    (Closes: #795278)
  * [b77859e] Add debian/gbp.conf to use pristine-tar branch

mysql-5.5 (5.5.46-0+deb8u1) jessie-security; urgency=high
  .
  * Non-maintainer upload by the Security Team.
  * Imported Upstream version 5.5.46 to fix security issues:
    - http://www.oracle.com/technetwork/topics/security/cpuoct2015-2367953.html
    - CVE-2015-4792 CVE-2015-4802 CVE-2015-4815 CVE-2015-4816 CVE-2015-4819
      CVE-2015-4826 CVE-2015-4830 CVE-2015-4836 CVE-2015-4858 CVE-2015-4861
      CVE-2015-4870 CVE-2015-4879 CVE-2015-4913
    (Closes: #802564)
  * Add fix-test-suite-failure-caused-by-arbitrary-date-in-the-future.patch.
    Fix test suite failure caused by arbitrary date in the future.
    Thanks to Marc Deslauriers

mysql-5.5 (5.5.46-0+deb7u1) wheezy-security; urgency=high
  .
  * Non-maintainer upload by the Security Team.
  * Imported Upstream version 5.5.46 to fix security issues:
    - http://www.oracle.com/technetwork/topics/security/cpuoct2015-2367953.html
    - CVE-2015-4792 CVE-2015-4802 CVE-2015-4815 CVE-2015-4816 CVE-2015-4819
      CVE-2015-4826 CVE-2015-4830 CVE-2015-4836 CVE-2015-4858 CVE-2015-4861
      CVE-2015-4870 CVE-2015-4879 CVE-2015-4913
    (Closes: #802564)
  * Add fix-test-suite-failure-caused-by-arbitrary-date-in-the-future.patch.
    Fix test suite failure caused by arbitrary date in the future.
    Thanks to Marc Deslauriers
  * Add revert-to-_sync_lock_test_and_set.patch.
    Fixes FTBFS on arm and powerpc by reverting to __sync_lock_test_and_set.
    The gcc version in wheezy is too old to have __atomic_*.
    Thanks to Marc Deslauriers for the patch.

mysql-5.5 (5.5.46-0+deb6u1) squeeze-lts; urgency=high
  .
  * Non-maintainer upload by the Squeeze LTS Team.
  * Backport mysql-5.5 to squeeze from wheezy (Thanks to Salvatore
    Bonaccorso).
  * Drop unversioned packages: libmysqld-pic, libmysqld-dev,
    libmysqlclient-dev:
    - Remove debian/install,dir files: libmysqlclient-dev.* libmysqld-dev.*
      libmysqld-pic.*
  * debian/control:
    - Remove Build-Depends on doxygen-latex
    - mysql-server-5.5:
      * Remove Replaces and Breaks: libmysqlclient-dev ( << 5.5.17~)
      * Remove versioned dependency on initscripts. 2.88dsf-13.3 not
        available on squeeze.
      * Provides: mysql-server
    - Move mysql-common to mysql-common-5.5:
      * Create a new mysql-common-5.5 package to avoid dist-upgrade to
        upgrade mysql-common (5.1).
      * Conflicts: mysql-common (>> ${source:Version}) for a clean upgrade
        to wheezy.
      * Remove Breaks: mysql-common
    - mysql-server and mysql-client include Depends: on mysql-server-5.1 and
      mysql-client-5.1.
  * debian/compat: Move from 9 to 8
  * debian/patches:
    - 71_disable_rpl_tests.patch:
      * Add rpl_innodb_bug28430 to disabled tests.
      * Really disable fix +rpl_heartbeat_basic.
  * debian/rules:
    - Remove multiarch support
    - Remove specific override_dh_command-arch targets (supported by
      debhelper >= 8.9.7).

netcfg (1.131+deb8u1) stable; urgency=medium
  .
  * Fix is_layer3_qeth on s390x to avoid bailing out if the network driver
    is not qeth. (Closes: #798376)

nspr (2:4.10.7-1+deb8u1) jessie-security; urgency=high
  .
  * Non-maintainer upload.
  * Fix CVE-2015-7183, mfsa-2015-133: heap-buffer overflow in
    PL_ARENA_ALLOCATE

ntp (1:4.2.6.p5+dfsg-7+deb8u1) jessie-security; urgency=medium
  .
  * Fix CVE-2015-7850
  * Fix CVE-2015-7704
  * Fix CVE-2015-7701
  * Fix CVE-2015-7852
  * Fix CVE-2015-7851
  * Fix CVE-2015-7855
  * Fix CVE-2015-7871
  * Rename CVE-2014-9297.patch to CVE-2014-9750.patch
  * Rename CVE-2014-9298.patch to CVE-2014-9751.patch
  * Rename bug-2797.patch to CVE-2015-3405.patch
  * FIX CVE-2015-5146
  * FIX CVE-2015-5194
  * FIX CVE-2015-5195
  * FIX CVE-2015-7703
  * FIX CVE-2015-5219
  * FIX CVE-2015-5300
  * FIX CVE-2015-7691, CVE-2015-7692, CVE-2015-7702
  * Add build-depends on bison since one of the patches updates the .y file.
ntp (1:4.2.6.p5+dfsg-7+deb7u1) jessie-security; urgency=medium
  .
  * Fix CVE-2015-7850
  * Fix CVE-2015-7704
  * Fix CVE-2015-7701
  * Fix CVE-2015-7852
  * Fix CVE-2015-7853
  * Fix CVE-2015-7851
  * Fix CVE-2015-7705
  * Fix CVE-2015-7855
  * Fix CVE-2015-7871
  * Rename CVE-2014-9297.patch to CVE-2014-9750.patch and add missing patch.
  * Rename CVE-2014-9298.patch to CVE-2014-9751.patch
  * Rename bug-2797.patch to CVE-2015-3405.patch
  * FIX CVE-2015-5146
  * FIX CVE-2015-5194
  * FIX CVE-2015-5195
  * FIX CVE-2015-5196
  * FIX CVE-2015-5219
  * FIX CVE-2015-5300
  * FIX CVE-2015-7691, CVE-2015-7962, CVE-2015-7702
  * Add build-depends on bison since one of the patches updates the .y file.

nvidia-graphics-drivers (340.96-1) jessie; urgency=medium
  .
  * New upstream legacy 340xx branch release 340.96 (2015-11-16).
  * Fixed CVE-2015-7869: Unsanitized User Mode Input. (Closes: #805917)
  * Merge changes from 304.131-1.
  * Add xorg-video-abi-20 as alternative dependency.
  * conftest.h:
    - Implement new conftest.sh functions hlist_for_each_entry,
      of_parse_phandle, for_each_online_node, node_end_pfn (358.09).
    - Update conftest.sh function scatterlist for logic reversal in
      304.131/340.96/352.63, support both ways.
  * d/rules: Move tar option --no-recursion before the list of files.
  * d/control: Make dependencies on nvidia-alternative strictly versioned to
    prevent partial upgrades.
  * d/module/debian/control.template: Add armhf to the Architecture list,
    otherwise module-assistant can't build any module packages from
    nvidia-kernel-source on armhf.
  * Upload to jessie.

nvidia-graphics-drivers (340.96-1~bpo70+1) wheezy-backports; urgency=medium
  .
  * Rebuild for wheezy-backports.
  .
nvidia-graphics-drivers (340.96-1) jessie; urgency=medium
  .
  * New upstream legacy 340xx branch release 340.96 (2015-11-16).
  * Fixed CVE-2015-7869: Unsanitized User Mode Input. (Closes: #805917)
  * Improved compatibility with recent Linux kernels.
  * Merge changes from 304.131-1.
  * Add xorg-video-abi-20 as alternative dependency.
  * conftest.h:
    - Implement new conftest.sh functions hlist_for_each_entry,
      of_parse_phandle, for_each_online_node, node_end_pfn (358.09).
    - Update conftest.sh function scatterlist for logic reversal in
      304.131/340.96/352.63, support both ways.
  * d/rules: Move tar option --no-recursion before the list of files.
  * d/control: Make dependencies on nvidia-alternative strictly versioned to
    prevent partial upgrades.
  * d/module/debian/control.template: Add armhf to the Architecture list,
    otherwise module-assistant can't build any module packages from
    nvidia-kernel-source on armhf.
  * Upload to jessie.

nvidia-graphics-drivers (340.93-8) unstable; urgency=medium
  .
  * nvidia-detect: Fix lspci call if there are multiple NVIDIA GPUs
    installed and report driver support for each of them. (Closes: #804073)
  * bug-control: Report status of bumblebee and bumblebee-nvidia.
  * nvidia-alternative.postinst: Activate the register-glx-alternative-nvidia
    trigger with --no-await.
  * Update documentation to use update-glx to configure the 'nvidia' and
    'glx' alternatives.

nvidia-graphics-drivers (340.93-8~bpo8+1) jessie-backports; urgency=medium
  .
  * Rebuild for jessie-backports.
  .
nvidia-graphics-drivers (340.93-8) unstable; urgency=medium
  .
  * nvidia-detect: Fix lspci call if there are multiple NVIDIA GPUs
    installed and report driver support for each of them. (Closes: #804073)
  * bug-control: Report status of bumblebee and bumblebee-nvidia.
  * nvidia-alternative.postinst: Activate the register-glx-alternative-nvidia
    trigger with --no-await.
  * Update documentation to use update-glx to configure the 'nvidia' and
    'glx' alternatives.
  .
nvidia-graphics-drivers (340.93-7) unstable; urgency=medium
  .
  * Ship the NEWS in xserver-xorg-video-nvidia and nvidia-kernel-dkms, too.
  * Bump glx-alternative-nvidia dependency to (>= 0.7) for Xorg autoconfig.
  .
nvidia-graphics-drivers (340.93-6) unstable; urgency=medium
  .
  * nvidia-opencl-icd: Restore the Depends: libcuda1.
  * d/rules: Move tar option --no-recursion before the list of files.
  * Bump dependency to nvidia-kernel-common (>= 20151021) which no longer
    applies non-default permissions on the /dev/nvidia* device nodes.
    (See: #801598, #801869) (Closes: #801191, #801097)
  * nvidia-modprobe.conf: Re-enable the PCI ID matching aliases.
  .
nvidia-graphics-drivers (340.93-5) unstable; urgency=medium
  .
  [ Andreas Beckmann ]
  * Merge changes from 304.128-1 (wheezy) and 340.93-0+deb8u1 (jessie).
  * nvidia-kernel-support: Ship nvidia-modprobe.conf (previously in
    nvidia-alternative), managed via nvidia-alternative.
  * nvidia-kernel-support: Ship nvidia-blacklists-nouveau.conf and
    nvidia-load.conf, managed via nvidia-alternative.
  * Reroute all kernel module dependencies through nvidia-kernel-support.
    (Closes: #801298)
  * nvidia-modprobe.conf: Temporarily disable the PCI-ID-match aliases and
    go back to insecure default permissions (root:root 0666). (See: #801869)
  * Xorg autoconfig does not cause the permission issues. (See: #801598)
  * Update lintian overrides.
  .
  [ Luca Boccassi ]
  * arm-outer-sync.patch: New patch to fix armhf kernel module build for
    Linux 4.3.
  * conftest.h:
    - Implement new conftest.sh functions hlist_for_each_entry,
      of_parse_phandle, for_each_online_node, node_end_pfn (358.09).
  .
nvidia-graphics-drivers (340.93-4) unstable; urgency=medium
  .
  [ Andreas Beckmann ]
  * Update lintian overrides.
  * bug-script: Report device node permissions.
  * bug-control, bug-script: Report information about CUDA libraries.
  * libcuda1: Provides: libcuda1-any.
  * xserver-xorg-video-nvidia: Ship nvidia-drm-outputclass.conf, managed via
    nvidia-alternative.
  * Add nvidia-kernel-support package.
  .
  [ Luca Boccassi ]
  * seq-printf.patch: New patch to fix kernel module build for Linux 4.3.

nvidia-graphics-drivers (340.93-7) unstable; urgency=medium
  .
  * Ship the NEWS in xserver-xorg-video-nvidia and nvidia-kernel-dkms, too.
  * Bump glx-alternative-nvidia dependency to (>= 0.7) for Xorg autoconfig.
nvidia-graphics-drivers (340.93-6) unstable; urgency=medium
  .
  * nvidia-opencl-icd: Restore the Depends: libcuda1.
  * d/rules: Move tar option --no-recursion before the list of files.
  * Bump dependency to nvidia-kernel-common (>= 20151021) which no longer
    applies non-default permissions on the /dev/nvidia* device nodes.
    (See: #801598, #801869) (Closes: #801191, #801097)
  * nvidia-modprobe.conf: Re-enable the PCI ID matching aliases.

nvidia-graphics-drivers (340.93-5) unstable; urgency=medium
  .
  [ Andreas Beckmann ]
  * Merge changes from 304.128-1 (wheezy) and 340.93-0+deb8u1 (jessie).
  * nvidia-kernel-support: Ship nvidia-modprobe.conf (previously in
    nvidia-alternative), managed via nvidia-alternative.
  * nvidia-kernel-support: Ship nvidia-blacklists-nouveau.conf and
    nvidia-load.conf, managed via nvidia-alternative.
  * Reroute all kernel module dependencies through nvidia-kernel-support.
    (Closes: #801298)
  * nvidia-modprobe.conf: Temporarily disable the PCI-ID-match aliases and
    go back to insecure default permissions (root:root 0666). (See: #801869)
  * Xorg autoconfig does not cause the permission issues. (See: #801598)
  * Update lintian overrides.
  .
  [ Luca Boccassi ]
  * Add patch to fix armhf kernel module build failure on 4.3
  * conftest.h:
    - Implement new conftest.sh functions hlist_for_each_entry,
      of_parse_phandle, for_each_online_node, node_end_pfn (358.09).

nvidia-graphics-drivers (340.93-4) unstable; urgency=medium
  .
  [ Andreas Beckmann ]
  * Update lintian overrides.
  * bug-script: Report device node permissions.
  * bug-control, bug-script: Report information about CUDA libraries.
  * libcuda1: Provides: libcuda1-any.
  * xserver-xorg-video-nvidia: Ship nvidia-drm-outputclass.conf, managed via
    nvidia-alternative.
  * Add nvidia-kernel-support package.
  .
  [ Luca Boccassi ]
  * Add patch to fix kernel module build failure on 4.3

nvidia-graphics-drivers (340.93-3) unstable; urgency=medium
  .
  * Revert glx-alternative-nvidia dependency to (>= 0.5) because Xorg
    autoconfig causes some permission issues (see: #799948).
  * Document the permission issues.

nvidia-graphics-drivers (340.93-3~bpo8+1) jessie-backports; urgency=medium
  .
  * Rebuild for jessie-backports.
  * nvidia-kernel-*: [i386] Restore support for building amd64 kernel
    modules, jessie still has linux-image-amd64:i386. (Closes: #800554)
  .
nvidia-graphics-drivers (340.93-3) unstable; urgency=medium
  .
  * Revert glx-alternative-nvidia dependency to (>= 0.5) because Xorg
    autoconfig causes some permission issues (see: #799948).
  * Document the permission issues.
  .
nvidia-graphics-drivers (340.93-2) unstable; urgency=medium
  .
  * nvidia-modprobe.conf: (Closes: #798207)
    - Don't use aliases for the renamed modules, only use install and remove
      commands.
    - Remodel the nvidia-uvm -> nvidia dependency via an install command.
    - Duplicate the module's built-in PCI-ID-match aliases to ensure they
      cause the virtual "nvidia" module to be loaded instead of a random
      one.
  * Drop instructions and debconf notes about manual xorg.conf creation.
    The driver now integrates with Xorg s.t. it is automatically detected
    and loaded if selected as the glx alternative. (Closes: #586502, #612093)
  * Add NEWS entry about no longer requiring manual xorg.conf creation.
  * Bump glx-alternative-nvidia dependency to (>= 0.6) for Xorg autoconfig.
  * libgl1-nvidia-glx: Add Provides+Conflicts:
    libgl1-nvidia-glx-${nvidia:Version} to forbid co-installation of
    libgl1-nvidia-legacy-304xx-glx from the same upstream version due to
    file conflicts on versioned files that are not handled via alternatives.
  .
nvidia-graphics-drivers (340.93-1) unstable; urgency=medium
  .
  * New upstream legacy 340xx branch release 340.93 (2015-09-02).
  * Fixed CVE-2015-5950: Memory corruption due to an unsanitized pointer.
    (Closes: #800566)
    - Fixed a bug that caused the X server to crash if an OpenGL application
      tried to allocate a drawable when GPU-accessible memory is exhausted.
    - Fixed a bug that could cause an Xid error when terminating a video
      playback application using the overlay presentation queue in VDPAU.
    - Fixed a rare deadlock condition when running applications that use
      OpenGL in multiple threads on a Quadro GPU.
    - Fixed a bug which caused truncation of the EGLAttribEXT value returned
      by eglQueryDeviceAttribEXT() on 64-bit systems.
    - Fixed a kernel memory leak that occurred when looping hardware-
      accelerated video decoding with VDPAU on Maxwell-based GPUs.
    - Fixed a bug that caused the X server to crash if a RandR 1.4 output
      provided by a Sink Output provider was selected as the primary output
      on X.Org xserver 1.17 and higher.
    - Fixed a bug that caused waiting on X Sync Fence objects in OpenGL to
      hang indefinitely in some cases.
    - Fixed a bug that prevented OpenGL from properly recovering from
      hardware errors or sync object waits that had timed out.
  * Improved compatibility with recent Linux kernels.
  * fixes-for-kernel-4.0.0.patch: Remove, fixed upstream.
  * conftest.h:
    - Implement new conftest.sh function nvidia_grid_build (352.41).
  * Update lintian overrides.
  * nvidia-driver-bin, libnvidia-compiler, libnvidia-eglcore: Add
    Provides+Conflicts: $pkg-${nvidia:Version} to forbid co-installation
    with the respective legacy packages from the same upstream version due
    to file conflicts on versioned files are not handled via alternatives.
  * bug-script: Report file information in arm-linux-gnueabihf directories.
  * bug-script: Collect information from /etc/modules{,-load.d/}.
  * nvidia-driver: Add Recommends: nvidia-persistenced.

nvidia-graphics-drivers (340.93-2) unstable; urgency=medium
  .
  * nvidia-modprobe.conf: (Closes: #798207)
    - Don't use aliases for the renamed modules, only use install and remove
      commands.
    - Remodel the nvidia-uvm -> nvidia dependency via an install command.
    - Duplicate the module's built-in PCI-ID-match aliases to ensure they
      cause the virtual "nvidia" module to be loaded instead of a random
      one.
  * Drop instructions and debconf notes about manual xorg.conf creation.
    The driver now integrates with Xorg s.t. it is automatically detected
    and loaded if selected as the glx alternative. (Closes: #586502, #612093)
  * Add NEWS entry about no longer requiring manual xorg.conf creation.
  * Bump glx-alternative-nvidia dependency to (>= 0.6) for Xorg autoconfig.
  * libgl1-nvidia-glx: Add Provides+Conflicts:
    libgl1-nvidia-glx-${nvidia:Version} to forbid co-installation of
    libgl1-nvidia-legacy-304xx-glx from the same upstream version due to
    file conflicts on versioned files that are not handled via alternatives.

nvidia-graphics-drivers (340.93-1) unstable; urgency=medium
  .
  * New upstream legacy 340xx branch release 340.93 (2015-09-02).
    - Fixed a bug that caused the X server to crash if an OpenGL application
      tried to allocate a drawable when GPU-accessible memory is exhausted.
    - Fixed a bug that could cause an Xid error when terminating a video
      playback application using the overlay presentation queue in VDPAU.
    - Fixed a rare deadlock condition when running applications that use
      OpenGL in multiple threads on a Quadro GPU.
    - Fixed a bug which caused truncation of the EGLAttribEXT value returned
      by eglQueryDeviceAttribEXT() on 64-bit systems.
    - Fixed a kernel memory leak that occurred when looping hardware-
      accelerated video decoding with VDPAU on Maxwell-based GPUs.
    - Fixed a bug that caused the X server to crash if a RandR 1.4 output
      provided by a Sink Output provider was selected as the primary output
      on X.Org xserver 1.17 and higher.
    - Fixed a bug that caused waiting on X Sync Fence objects in OpenGL to
      hang indefinitely in some cases.
    - Fixed a bug that prevented OpenGL from properly recovering from
      hardware errors or sync object waits that had timed out.
  * Improved compatibility with recent Linux kernels.
  * fixes-for-kernel-4.0.0.patch: Remove, fixed upstream.
  * conftest.h:
    - Implement new conftest.sh function nvidia_grid_build (352.41).
  * Update lintian overrides.
  * nvidia-driver-bin, libnvidia-compiler, libnvidia-eglcore: Add Provides+Conflicts: $pkg-${nvidia:Version} to forbid co-installation with the respective legacy packages from the same upstream version due to file conflicts on versioned files.
  * bug-script: Report file information in arm-linux-gnueabihf directories.
  * bug-script: Collect information from /etc/modules{,-load.d/}.
  * nvidia-driver: Add Recommends: nvidia-persistenced.

nvidia-graphics-drivers (340.93-0+deb8u1) jessie; urgency=medium

  * New upstream legacy 340xx branch release 340.93 (2015-09-02).
  * Fixed CVE-2015-5950: Memory corruption due to an unsanitized pointer. (Closes: #800566)
    - Fixed a bug that caused the X server to crash if an OpenGL application tried to allocate a drawable when GPU-accessible memory is exhausted.
    - Fixed a bug that could cause an Xid error when terminating a video playback application using the overlay presentation queue in VDPAU.
    - Fixed a rare deadlock condition when running applications that use OpenGL in multiple threads on a Quadro GPU.
    - Fixed a bug which caused truncation of the EGLAttribEXT value returned by eglQueryDeviceAttribEXT() on 64-bit systems.
    - Fixed a kernel memory leak that occurred when looping hardware-accelerated video decoding with VDPAU on Maxwell-based GPUs.
    - Fixed a bug that caused the X server to crash if a RandR 1.4 output provided by a Sink Output provider was selected as the primary output on X.Org xserver 1.17 and higher.
    - Fixed a bug that caused waiting on X Sync Fence objects in OpenGL to hang indefinitely in some cases.
    - Fixed a bug that prevented OpenGL from properly recovering from hardware errors or sync object waits that had timed out.
  * Improved compatibility with recent Linux kernels.
  * fixes-for-kernel-4.0.0.patch: Remove, fixed upstream.
  * conftest.h:
    - Implement new conftest.sh function nvidia_grid_build (352.41).
  * Update lintian overrides.
  * nvidia-driver-bin, libnvidia-compiler, libnvidia-eglcore, libgl1-nvidia-glx: Add Provides+Conflicts: $pkg-${nvidia:Version} to forbid co-installation with the respective legacy packages from the same upstream version due to file conflicts on versioned files that are not handled via alternatives.
  * bug-script: Report file information in arm-linux-gnueabihf directories.
  * bug-script: Collect information from /etc/modules{,-load.d/}.
  * bug-script: Report device node permissions.
  * bug-control, bug-script: Report information about CUDA libraries.
  * nvidia-detect: Update list of newer PCI IDs from release 346.87.
  * Merge changes from 304.128-1.

nvidia-graphics-drivers (340.76-4) unstable; urgency=medium

  [ Andreas Beckmann ]
  * README.source: Document my schroot setup for testing module compilation.
  * Update lintian overrides.

  [ Luca Boccassi ]
  * conftest.h:
    - dma_map_ops and dma_ops are available for PPC and ARM too
  * Add ignore_xen_on_arm.patch needed for dkms build on armhf: armmp kernel headers ship with CONFIG_XEN enabled, which breaks the build, so since running this driver on XEN is currently not supported, ignore the check for XEN in nv-linux.h as a workaround on arm, and also disable CONFIG_XEN and CONFIG_XEN_DOM0 if building on <= 3.16. (Closes: #794435)
  * README.source: Document armhf setup for testing module compilation.

nvidia-graphics-drivers (340.76-3) unstable; urgency=medium

  [ Vincent Cheng ]
  * nvidia-detect: Detect stretch as supported suite, and parse -h as --help. (Closes: #792801)

  [ Luca Boccassi ]
  * Fix nvidia-modprobe.conf module unload ordering, to stop nvidia-uvm getting stuck until a second modprobe -r nvidia-current is issued. Fix provided by Jö Fahlke. Thanks! (Closes: #793386)

  [ Andreas Beckmann ]
  * Add Luca Boccassi to Uploaders.
  * nvidia-driver, nvidia-kernel-*: Report the latest tested Linux version that can build the kernel module in the package description.
  * conftest.h:
    - Fix conftest.sh function write_cr4.
    - Implement new conftest.sh functions backing_dev_info (346.82), phys_to_dma, dma_ops, get_dma_ops, noncoherent_swiotlb_dma_ops (352.09).
    - Implement new conftest.sh function dma_map_ops (352.30).
    - Reorder conftest.h to match conftest.sh.

nvidia-graphics-drivers (340.76-2) unstable; urgency=medium

  * fixes-for-kernel-4.0.0.patch: New patch to add support for Linux 4.0, thanks to Jessie Frazelle. (Closes: #781810)
  * conftest.h:
    - Implement check for linux/log2.h (346.16).
    - Implement check for xen/ioemu.h (346.59).
    - Implement new conftest.sh functions write_cr4, xen_ioemu_inject_msi (346.59), list_cut_position (349.12).
  * Split some old UNRELEASED changelog entries to linearize the BTS history.

nvidia-graphics-drivers (340.76-1) unstable; urgency=medium

  * New upstream legacy 340xx branch release 340.76 (2015-01-27).
    - Fixed a bug that caused frequent AMD-Vi page faults on systems with some AMD 8xx/9xx-series chipsets when used with some NVIDIA GPUs.
    - Fixed a regression that could cause system crashes when terminating the X server on systems with an NVIDIA Quadro SDI Capture card installed.
    - Fixed a bug that caused audio over HDMI to not work on some GPUs while using a display that supports HDMI 3D.
  * Improved compatibility with recent Linux kernels. (Closes: #778698)
  * nvidia-kernel-source: Use reproducible timestamps and file order inside /usr/src/nvidia-kernel.tar.xz.
  * conftest.h:
    - Implement new conftest.sh functions file_inode, drm_pci_set_busid (340.76).

nvidia-graphics-drivers (340.93-0+deb8u1~bpo70+1) wheezy-backports; urgency=medium

  * Rebuild for wheezy-backports.
  * Replace 'dpkg-parsechangelog --show-field=Date' with a sed expression.

nvidia-graphics-drivers (340.93-0+deb8u1) jessie; urgency=medium

  * New upstream legacy 340xx branch release 340.93 (2015-09-02).
  * Fixed CVE-2015-5950: Memory corruption due to an unsanitized pointer.
    (Closes: #800566)
    - Fixed a bug that caused the X server to crash if an OpenGL application tried to allocate a drawable when GPU-accessible memory is exhausted.
    - Fixed a bug that could cause an Xid error when terminating a video playback application using the overlay presentation queue in VDPAU.
    - Fixed a rare deadlock condition when running applications that use OpenGL in multiple threads on a Quadro GPU.
    - Fixed a bug which caused truncation of the EGLAttribEXT value returned by eglQueryDeviceAttribEXT() on 64-bit systems.
    - Fixed a kernel memory leak that occurred when looping hardware-accelerated video decoding with VDPAU on Maxwell-based GPUs.
    - Fixed a bug that caused the X server to crash if a RandR 1.4 output provided by a Sink Output provider was selected as the primary output on X.Org xserver 1.17 and higher.
    - Fixed a bug that caused waiting on X Sync Fence objects in OpenGL to hang indefinitely in some cases.
    - Fixed a bug that prevented OpenGL from properly recovering from hardware errors or sync object waits that had timed out.
  * Improved compatibility with recent Linux kernels.
  * fixes-for-kernel-4.0.0.patch: Remove, fixed upstream.
  * conftest.h:
    - Implement new conftest.sh function nvidia_grid_build (352.41).
  * Update lintian overrides.
  * nvidia-driver-bin, libnvidia-compiler, libnvidia-eglcore, libgl1-nvidia-glx: Add Provides+Conflicts: $pkg-${nvidia:Version} to forbid co-installation with the respective legacy packages from the same upstream version due to file conflicts on versioned files that are not handled via alternatives.
  * bug-script: Report file information in arm-linux-gnueabihf directories.
  * bug-script: Collect information from /etc/modules{,-load.d/}.
  * bug-script: Report device node permissions.
  * bug-control, bug-script: Report information about CUDA libraries.
  * nvidia-detect: Update list of newer PCI IDs from release 346.87.
  * Merge changes from 304.128-1.

nvidia-graphics-drivers (340.76-4) unstable; urgency=medium

  [ Andreas Beckmann ]
  * README.source: Document my schroot setup for testing module compilation.
  * Update lintian overrides.

  [ Luca Boccassi ]
  * conftest.h:
    - dma_map_ops and dma_ops are available for PPC and ARM too
  * Add ignore_xen_on_arm.patch needed for dkms build on armhf: armmp kernel headers ship with CONFIG_XEN enabled, which breaks the build, so since running this driver on XEN is currently not supported, ignore the check for XEN in nv-linux.h as a workaround on arm, and also disable CONFIG_XEN and CONFIG_XEN_DOM0 if building on <= 3.16. (Closes: #794435)
  * README.source: Document armhf setup for testing module compilation.

nvidia-graphics-drivers (340.76-3) unstable; urgency=medium

  [ Vincent Cheng ]
  * nvidia-detect: Detect stretch as supported suite, and parse -h as --help. (Closes: #792801)

  [ Luca Boccassi ]
  * Fix nvidia-modprobe.conf module unload ordering, to stop nvidia-uvm getting stuck until a second modprobe -r nvidia-current is issued. Fix provided by Jö Fahlke. Thanks! (Closes: #793386)

  [ Andreas Beckmann ]
  * Add Luca Boccassi to Uploaders.
  * nvidia-driver, nvidia-kernel-*: Report the latest tested Linux version that can build the kernel module in the package description.
  * conftest.h:
    - Fix conftest.sh function write_cr4.
    - Implement new conftest.sh functions backing_dev_info (346.82), phys_to_dma, dma_ops, get_dma_ops, noncoherent_swiotlb_dma_ops (352.09).
    - Implement new conftest.sh function dma_map_ops (352.30).
    - Reorder conftest.h to match conftest.sh.

nvidia-graphics-drivers (340.76-2) unstable; urgency=medium

  * fixes-for-kernel-4.0.0.patch: New patch to add support for Linux 4.0, thanks to Jessie Frazelle. (Closes: #781810)
  * conftest.h:
    - Implement check for linux/log2.h (346.16).
    - Implement check for xen/ioemu.h (346.59).
    - Implement new conftest.sh functions write_cr4, xen_ioemu_inject_msi (346.59), list_cut_position (349.12).
  * Split some old UNRELEASED changelog entries to linearize the BTS history.
nvidia-graphics-drivers (340.76-1) unstable; urgency=medium

  * New upstream legacy 340xx branch release 340.76 (2015-01-27).
    - Fixed a bug that caused frequent AMD-Vi page faults on systems with some AMD 8xx/9xx-series chipsets when used with some NVIDIA GPUs.
    - Fixed a regression that could cause system crashes when terminating the X server on systems with an NVIDIA Quadro SDI Capture card installed.
    - Fixed a bug that caused audio over HDMI to not work on some GPUs while using a display that supports HDMI 3D.
  * Improved compatibility with recent Linux kernels. (Closes: #778698)
  * nvidia-kernel-source: Use reproducible timestamps and file order inside /usr/src/nvidia-kernel.tar.xz.
  * conftest.h:
    - Implement new conftest.sh functions file_inode, drm_pci_set_busid (340.76).

nvidia-graphics-drivers (340.76-5) unstable; urgency=medium

  * Drop obsolete transitional package nvidia-glx.
  * nvidia-kernel-*: [i386] Drop support for building amd64 kernel modules.
  * Overhaul arch-specific UVM support.
  * nvidia-detect: Add support for the upcoming nvidia-legacy-340xx-driver.
  * Rename nvidia-uvm.ko to nvidia-{current,legacy-*}-uvm.ko.

nvidia-graphics-drivers (340.76-5~bpo8+1) jessie-backports; urgency=medium

  * Rebuild for jessie-backports. (Closes: #795610)

nvidia-graphics-drivers (340.76-4) unstable; urgency=medium

  [ Andreas Beckmann ]
  * README.source: Document my schroot setup for testing module compilation.
  * Update lintian overrides.

  [ Luca Boccassi ]
  * conftest.h:
    - dma_map_ops and dma_ops are available for PPC and ARM too
  * Add ignore_xen_on_arm.patch needed for dkms build on armhf: armmp kernel headers ship with CONFIG_XEN enabled, which breaks the build, so since running this driver on XEN is currently not supported, ignore the check for XEN in nv-linux.h as a workaround on arm, and also disable CONFIG_XEN and CONFIG_XEN_DOM0 if building on <= 3.16. (Closes: #794435)
  * README.source: Document armhf setup for testing module compilation.
nvidia-graphics-drivers (340.76-3) unstable; urgency=medium

  [ Vincent Cheng ]
  * nvidia-detect: Detect stretch as supported suite, and parse -h as --help. (Closes: #792801)

  [ Luca Boccassi ]
  * Fix nvidia-modprobe.conf module unload ordering, to stop nvidia-uvm getting stuck until a second modprobe -r nvidia-current is issued. Fix provided by Jö Fahlke. Thanks! (Closes: #793386)

  [ Andreas Beckmann ]
  * Add Luca Boccassi to Uploaders.
  * nvidia-driver, nvidia-kernel-*: Report the latest tested Linux version that can build the kernel module in the package description.
  * conftest.h:
    - Fix conftest.sh function write_cr4.
    - Implement new conftest.sh functions backing_dev_info (346.82), phys_to_dma, dma_ops, get_dma_ops, noncoherent_swiotlb_dma_ops (352.09).
    - Implement new conftest.sh function dma_map_ops (352.30).
    - Reorder conftest.h to match conftest.sh.

nvidia-graphics-drivers (340.76-2) unstable; urgency=medium

  * fixes-for-kernel-4.0.0.patch: New patch to add support for Linux 4.0, thanks to Jessie Frazelle. (Closes: #781810)
  * conftest.h:
    - Implement check for linux/log2.h (346.16).
    - Implement check for xen/ioemu.h (346.59).
    - Implement new conftest.sh functions write_cr4, xen_ioemu_inject_msi (346.59), list_cut_position (349.12).

nvidia-graphics-drivers (340.76-1) unstable; urgency=medium

  * New upstream legacy 340xx branch release 340.76 (2015-01-27).
    - Fixed a bug that caused frequent AMD-Vi page faults on systems with some AMD 8xx/9xx-series chipsets when used with some NVIDIA GPUs.
    - Fixed a regression that could cause system crashes when terminating the X server on systems with an NVIDIA Quadro SDI Capture card installed.
    - Fixed a bug that caused audio over HDMI to not work on some GPUs while using a display that supports HDMI 3D.
  * Improved compatibility with recent Linux kernels. (Closes: #778698)
  * nvidia-kernel-source: Use reproducible timestamps and file order inside /usr/src/nvidia-kernel.tar.xz.
  * conftest.h:
    - Implement new conftest.sh functions file_inode, drm_pci_set_busid (340.76).

nvidia-graphics-drivers-legacy-304xx (304.131-1) jessie; urgency=medium

  * New upstream legacy 304xx branch release 304.131 (2015-11-16).
  * Fixed CVE-2015-7869: Unsanitized User Mode Input. (Closes: #805918)
    - Fixed a bug that could cause texture corruption in some OpenGL applications when video memory is exhausted by a combination of simultaneously running graphical and compute workloads.
    - Added support for X.Org xserver ABI 20 (xorg-server 1.18).
  * Improved compatibility with recent Linux kernels.
  * Synchronize packaging with nvidia-graphics-drivers 340.96-1:
    - d/control: Make dependencies on nvidia-legacy-304xx-alternative strictly versioned to prevent partial upgrades.
  * Synchronize packaging with nvidia-graphics-drivers 304.131-1:
    - Add xorg-video-abi-20 as alternative dependency.
  * conftest.h:
    - Implement new conftest.sh functions hlist_for_each_entry, of_parse_phandle, for_each_online_node, node_end_pfn (358.09).
    - Update conftest.sh function scatterlist for logic reversal in 304.131/340.96/352.63, support both ways.

nvidia-graphics-drivers-legacy-304xx (304.131-1~bpo70+1) wheezy-backports; urgency=medium

  * Rebuild for wheezy-backports.
  * Replace 'dpkg-parsechangelog --show-field=Date' with a sed expression.

nvidia-graphics-drivers-legacy-304xx (304.131-1) jessie; urgency=medium

  * New upstream legacy 304xx branch release 304.131 (2015-11-16).
  * Fixed CVE-2015-7869: Unsanitized User Mode Input. (Closes: #805918)
    - Fixed a bug that could cause texture corruption in some OpenGL applications when video memory is exhausted by a combination of simultaneously running graphical and compute workloads.
    - Added support for X.Org xserver ABI 20 (xorg-server 1.18).
  * Improved compatibility with recent Linux kernels.
  * Synchronize packaging with nvidia-graphics-drivers 340.96-1:
    - d/control: Make dependencies on nvidia-legacy-304xx-alternative strictly versioned to prevent partial upgrades.
  * Synchronize packaging with nvidia-graphics-drivers 304.131-1:
    - Add xorg-video-abi-20 as alternative dependency.
  * conftest.h:
    - Implement new conftest.sh functions hlist_for_each_entry, of_parse_phandle, for_each_online_node, node_end_pfn (358.09).
    - Update conftest.sh function scatterlist for logic reversal in 304.131/340.96/352.63, support both ways.
  * Upload to jessie.

nvidia-graphics-drivers-legacy-304xx (304.128-8) unstable; urgency=medium

  * Synchronize packaging with nvidia-graphics-drivers-legacy-340xx 340.93-5:
  * Synchronize packaging with nvidia-graphics-drivers 340.93-8:
    - bug-control: Report status of bumblebee and bumblebee-nvidia.
    - nvidia-legacy-340xx-alternative.postinst: Activate the register-glx-alternative-nvidia trigger with --no-await.
    - Update documentation to use update-glx to configure the 'nvidia' and 'glx' alternatives.

nvidia-graphics-drivers-legacy-304xx (304.128-8~bpo8+1) jessie-backports; urgency=medium

  * Rebuild for jessie-backports.
  * nvidia-kernel-*: [i386] Restore support for building amd64 kernel modules, jessie still has linux-image-amd64:i386. (Closes: #799960)

nvidia-graphics-drivers-legacy-304xx (304.128-8) unstable; urgency=medium

  * Synchronize packaging with nvidia-graphics-drivers-legacy-340xx 340.93-5:
  * Synchronize packaging with nvidia-graphics-drivers 340.93-8:
    - bug-control: Report status of bumblebee and bumblebee-nvidia.
    - nvidia-legacy-340xx-alternative.postinst: Activate the register-glx-alternative-nvidia trigger with --no-await.
    - Update documentation to use update-glx to configure the 'nvidia' and 'glx' alternatives.

nvidia-graphics-drivers-legacy-304xx (304.128-7) unstable; urgency=medium

  * Synchronize packaging with nvidia-graphics-drivers-legacy-340xx 340.93-4:
  * Synchronize packaging with nvidia-graphics-drivers 340.93-7:
    - Ship the NEWS in xserver-xorg-video-nvidia and nvidia-kernel-dkms, too.
    - Bump glx-alternative-nvidia dependency to (>= 0.7) for Xorg autoconfig.
  * Synchronize packaging with nvidia-graphics-drivers 340.93-6:
    - d/rules: Move tar option --no-recursion before the list of files.
    - Bump dependency to nvidia-kernel-common (>= 20151021) which no longer applies non-default permissions on the /dev/nvidia* device nodes.
    - nvidia-modprobe.conf: Re-enable the PCI ID matching aliases.
  * Synchronize packaging with nvidia-graphics-drivers 340.93-2:
    - Add NEWS entry about no longer requiring manual xorg.conf creation.

nvidia-graphics-drivers-legacy-304xx (304.128-6) unstable; urgency=medium

  * Add nvidia-legacy-304xx-kernel-support package.
  * Synchronize packaging with nvidia-graphics-drivers-legacy-340xx 340.93-2:
  * Synchronize packaging with nvidia-graphics-drivers 340.93-5:
    - nvidia-legacy-304xx-kernel-support: Ship nvidia-modprobe.conf (previously in nvidia-legacy-304xx-alternative), managed via nvidia-legacy-304xx-alternative.
    - nvidia-legacy-304xx-kernel-support: Ship nvidia-blacklists-nouveau.conf and nvidia-load.conf, managed via nvidia-legacy-304xx-alternative.
    - Reroute all kernel module dependencies through nvidia-legacy-304xx-kernel-support.
    - nvidia-modprobe.conf: Temporarily disable the PCI-ID-match aliases and go back to insecure default permissions (root:root 0666). (See: #801869)
  * Synchronize packaging with nvidia-graphics-drivers 340.93-4:
    - xserver-xorg-video-nvidia-legacy-304xx: Ship nvidia-drm-outputclass.conf, managed via nvidia-legacy-304xx-alternative.
    - seq-printf.patch: New patch to fix kernel module build for Linux 4.3.
  * Synchronize packaging with nvidia-graphics-drivers 340.93-3:
    - nvidia-legacy-304xx-modprobe.conf:
      + Don't use aliases for the renamed modules, only use install and remove commands.
      + Duplicate the module's built-in PCI-ID-match aliases to ensure they cause the virtual "nvidia" module to be loaded instead of a random one.
  * Synchronize packaging with nvidia-graphics-drivers 340.93-2:
    - Drop instructions and debconf notes about manual xorg.conf creation. The driver now integrates with Xorg s.t. it is automatically detected and loaded if selected as the glx alternative.
  * Synchronize packaging with nvidia-graphics-drivers 340.76-5:
    - nvidia-kernel-*: [i386] Drop support for building amd64 kernel modules.
    - Overhaul arch-specific UVM support.
  * conftest.h:
    - Implement new conftest.sh functions hlist_for_each_entry, of_parse_phandle, for_each_online_node, node_end_pfn (358.09).
  * Update lintian overrides.

nvidia-graphics-drivers-legacy-304xx (304.128-5) unstable; urgency=medium

  * Upload to unstable.

nvidia-graphics-drivers-legacy-304xx (304.128-1) jessie; urgency=medium

  * New upstream legacy 304xx branch release 304.128 (2015-08-31).
  * Fixed CVE-2015-5950: Memory corruption due to an unsanitized pointer. (Closes: #800567)
  * Improved compatibility with recent Linux kernels. (Closes: #801193, #802452)
  * Removed f_path.dentry.patch, fixed upstream.
  * Removed fixes-for-kernel-4.0.0.patch, fixed upstream.
  * Synchronize packaging with nvidia-graphics-drivers 340.93-0+deb8u1:
  * Synchronize packaging with nvidia-graphics-drivers 340.76-4:
    - README.source: Document setup for testing module compilation.
  * Synchronize packaging with nvidia-graphics-drivers 340.76-3:
    - Add Luca Boccassi to Uploaders.
    - nvidia-legacy-304xx-driver, nvidia-legacy-304xx-kernel-*: Report the latest tested Linux version that can build the kernel module in the package description.
  * Synchronize packaging with nvidia-graphics-drivers 340.76-1:
    - nvidia-legacy-304xx-kernel-source: Use reproducible timestamps and file order inside /usr/src/nvidia-legacy-304xx-kernel.tar.xz.
  * Synchronize packaging with nvidia-graphics-drivers 304.128-1:
    - libgl1-nvidia-legacy-304xx-glx: Add Provides+Conflicts: libgl1-nvidia-glx-${nvidia:Version} to forbid co-installation of libgl1-nvidia-glx from the same upstream version due to file conflicts on versioned files that are not handled via alternatives.
    - bug-script: Synchronize with nvidia-graphics-drivers 340.93-4.
  * conftest.h:
    - Implement new conftest.sh functions file_inode, drm_pci_set_busid (340.76).
    - Implement check for linux/log2.h (346.16).
    - Implement check for xen/ioemu.h (346.59).
    - Implement new conftest.sh functions write_cr4, xen_ioemu_inject_msi (346.59), list_cut_position (349.12).
    - Implement new conftest.sh functions backing_dev_info (346.82), phys_to_dma, dma_ops, get_dma_ops, noncoherent_swiotlb_dma_ops (352.09).
    - Implement new conftest.sh function dma_map_ops (352.30).
    - Reorder conftest.h to match conftest.sh.
    - Implement new conftest.sh function nvidia_grid_build (352.41).
  * Update lintian overrides.
  * Upload to jessie.

nvidia-graphics-drivers-legacy-304xx (304.128-7) unstable; urgency=medium

  * Synchronize packaging with nvidia-graphics-drivers-legacy-340xx 340.93-4:
  * Synchronize packaging with nvidia-graphics-drivers 340.93-7:
    - Ship the NEWS in xserver-xorg-video-nvidia and nvidia-kernel-dkms, too.
    - Bump glx-alternative-nvidia dependency to (>= 0.7) for Xorg autoconfig.
  * Synchronize packaging with nvidia-graphics-drivers 340.93-6:
    - d/rules: Move tar option --no-recursion before the list of files.
    - Bump dependency to nvidia-kernel-common (>= 20151021) which no longer applies non-default permissions on the /dev/nvidia* device nodes.
    - nvidia-modprobe.conf: Re-enable the PCI ID matching aliases.
  * Synchronize packaging with nvidia-graphics-drivers 340.93-2:
    - Add NEWS entry about no longer requiring manual xorg.conf creation.

nvidia-graphics-drivers-legacy-304xx (304.128-6) unstable; urgency=medium

  * Add nvidia-legacy-304xx-kernel-support package.
  * Synchronize packaging with nvidia-graphics-drivers-legacy-340xx 340.93-2:
  * Synchronize packaging with nvidia-graphics-drivers 340.93-5:
    - nvidia-legacy-304xx-kernel-support: Ship nvidia-modprobe.conf (previously in nvidia-legacy-304xx-alternative), managed via nvidia-legacy-304xx-alternative.
    - nvidia-legacy-304xx-kernel-support: Ship nvidia-blacklists-nouveau.conf and nvidia-load.conf, managed via nvidia-legacy-304xx-alternative.
    - Reroute all kernel module dependencies through nvidia-legacy-304xx-kernel-support.
    - nvidia-modprobe.conf: Temporarily disable the PCI-ID-match aliases and go back to insecure default permissions (root:root 0666). (See: #801869)
  * Synchronize packaging with nvidia-graphics-drivers 340.93-4:
    - xserver-xorg-video-nvidia-legacy-304xx: Ship nvidia-drm-outputclass.conf, managed via nvidia-legacy-304xx-alternative.
    - seq-printf.patch: New patch to fix kernel module build for Linux 4.3.
  * Synchronize packaging with nvidia-graphics-drivers 340.93-3:
    - nvidia-legacy-304xx-modprobe.conf:
      + Don't use aliases for the renamed modules, only use install and remove commands.
      + Duplicate the module's built-in PCI-ID-match aliases to ensure they cause the virtual "nvidia" module to be loaded instead of a random one.
  * Synchronize packaging with nvidia-graphics-drivers 340.93-2:
    - Drop instructions and debconf notes about manual xorg.conf creation. The driver now integrates with Xorg s.t. it is automatically detected and loaded if selected as the glx alternative.
  * Synchronize packaging with nvidia-graphics-drivers 340.76-5:
    - nvidia-kernel-*: [i386] Drop support for building amd64 kernel modules.
    - Overhaul arch-specific UVM support.
  * conftest.h:
    - Implement new conftest.sh functions hlist_for_each_entry, of_parse_phandle, for_each_online_node, node_end_pfn (358.09).
  * Update lintian overrides.

nvidia-graphics-drivers-legacy-304xx (304.128-5) unstable; urgency=medium

  * Upload to unstable.

nvidia-graphics-drivers-legacy-304xx (304.128-1) UNRELEASED; urgency=medium

  * New upstream legacy 304xx branch release 304.128 (2015-08-31).
  * Fixed CVE-2015-5950: Memory corruption due to an unsanitized pointer. (Closes: #800567)
  * Improved compatibility with recent Linux kernels.
  * Removed f_path.dentry.patch, fixed upstream.
  * Removed fixes-for-kernel-4.0.0.patch, fixed upstream.
  * Synchronize packaging with nvidia-graphics-drivers 340.93-0+deb8u1:
  * Synchronize packaging with nvidia-graphics-drivers 340.76-4:
    - Add ignore_xen_on_arm.patch needed for dkms build on armhf: armmp kernel headers ship with CONFIG_XEN enabled, which breaks the build, so since running this driver on XEN is currently not supported, ignore the check for XEN in nv-linux.h as a workaround on arm, and also disable CONFIG_XEN and CONFIG_XEN_DOM0 if building on <= 3.16.
    - README.source: Document setup for testing module compilation.
  * Synchronize packaging with nvidia-graphics-drivers 340.76-3:
    - Add Luca Boccassi to Uploaders.
    - nvidia-legacy-304xx-driver, nvidia-legacy-304xx-kernel-*: Report the latest tested Linux version that can build the kernel module in the package description.
  * Synchronize packaging with nvidia-graphics-drivers 340.76-1:
    - nvidia-legacy-304xx-kernel-source: Use reproducible timestamps and file order inside /usr/src/nvidia-legacy-304xx-kernel.tar.xz.
  * Synchronize packaging with nvidia-graphics-drivers 304.128-1:
    - libgl1-nvidia-legacy-304xx-glx: Add Provides+Conflicts: libgl1-nvidia-glx-${nvidia:Version} to forbid co-installation of libgl1-nvidia-glx from the same upstream version due to file conflicts on versioned files that are not handled via alternatives.
    - bug-script: Synchronize with nvidia-graphics-drivers 340.93-4.
  * conftest.h:
    - Implement new conftest.sh functions file_inode, drm_pci_set_busid (340.76).
    - Implement check for linux/log2.h (346.16).
    - Implement check for xen/ioemu.h (346.59).
    - Implement new conftest.sh functions write_cr4, xen_ioemu_inject_msi (346.59), list_cut_position (349.12).
    - Implement new conftest.sh functions backing_dev_info (346.82), phys_to_dma, dma_ops, get_dma_ops, noncoherent_swiotlb_dma_ops (352.09).
    - Implement new conftest.sh function dma_map_ops (352.30).
    - Reorder conftest.h to match conftest.sh.
    - Implement new conftest.sh function nvidia_grid_build (352.41).
  * Update lintian overrides.

nvidia-graphics-drivers-legacy-304xx (304.128-1) jessie; urgency=medium

  * New upstream legacy 304xx branch release 304.128 (2015-08-31).
  * Fixed CVE-2015-5950: Memory corruption due to an unsanitized pointer. (Closes: #800567)
  * Improved compatibility with recent Linux kernels.
  * Removed f_path.dentry.patch, fixed upstream.
  * Removed fixes-for-kernel-4.0.0.patch, fixed upstream.
  * Synchronize packaging with nvidia-graphics-drivers 340.93-0+deb8u1:
  * Synchronize packaging with nvidia-graphics-drivers 340.76-4:
    - README.source: Document setup for testing module compilation.
  * Synchronize packaging with nvidia-graphics-drivers 340.76-3:
    - Add Luca Boccassi to Uploaders.
    - nvidia-legacy-304xx-driver, nvidia-legacy-304xx-kernel-*: Report the latest tested Linux version that can build the kernel module in the package description.
  * Synchronize packaging with nvidia-graphics-drivers 340.76-1:
    - nvidia-legacy-304xx-kernel-source: Use reproducible timestamps and file order inside /usr/src/nvidia-legacy-304xx-kernel.tar.xz.
  * Synchronize packaging with nvidia-graphics-drivers 304.128-1:
    - libgl1-nvidia-legacy-304xx-glx: Add Provides+Conflicts: libgl1-nvidia-glx-${nvidia:Version} to forbid co-installation of libgl1-nvidia-glx from the same upstream version due to file conflicts on versioned files that are not handled via alternatives.
    - bug-script: Synchronize with nvidia-graphics-drivers 340.93-4.
  * conftest.h:
    - Implement new conftest.sh functions file_inode, drm_pci_set_busid (340.76).
    - Implement check for linux/log2.h (346.16).
    - Implement check for xen/ioemu.h (346.59).
    - Implement new conftest.sh functions write_cr4, xen_ioemu_inject_msi (346.59), list_cut_position (349.12).
    - Implement new conftest.sh functions backing_dev_info (346.82), phys_to_dma, dma_ops, get_dma_ops, noncoherent_swiotlb_dma_ops (352.09).
    - Implement new conftest.sh function dma_map_ops (352.30).
    - Reorder conftest.h to match conftest.sh.
    - Implement new conftest.sh function nvidia_grid_build (352.41).
  * Update lintian overrides.
  * Upload to jessie.

nvidia-graphics-drivers-legacy-304xx (304.128-1~bpo70+1) wheezy-backports; urgency=medium

  * Rebuild for wheezy-backports.

nvidia-graphics-drivers-legacy-304xx (304.128-1) jessie; urgency=medium

  * New upstream legacy 304xx branch release 304.128 (2015-08-31).
  * Fixed CVE-2015-5950: Memory corruption due to an unsanitized pointer. (Closes: #800567)
  * Improved compatibility with recent Linux kernels. (Closes: #801193, #802452)
  * Removed f_path.dentry.patch, fixed upstream.
  * Removed fixes-for-kernel-4.0.0.patch, fixed upstream.
  * Synchronize packaging with nvidia-graphics-drivers 340.93-0+deb8u1:
  * Synchronize packaging with nvidia-graphics-drivers 340.76-4:
    - README.source: Document setup for testing module compilation.
  * Synchronize packaging with nvidia-graphics-drivers 340.76-3:
    - Add Luca Boccassi to Uploaders.
    - nvidia-legacy-304xx-driver, nvidia-legacy-304xx-kernel-*: Report the latest tested Linux version that can build the kernel module in the package description.
  * Synchronize packaging with nvidia-graphics-drivers 340.76-1:
    - nvidia-legacy-304xx-kernel-source: Use reproducible timestamps and file order inside /usr/src/nvidia-legacy-304xx-kernel.tar.xz.
  * Synchronize packaging with nvidia-graphics-drivers 304.128-1:
    - libgl1-nvidia-legacy-304xx-glx: Add Provides+Conflicts: libgl1-nvidia-glx-${nvidia:Version} to forbid co-installation of libgl1-nvidia-glx from the same upstream version due to file conflicts on versioned files that are not handled via alternatives.
    - bug-script: Synchronize with nvidia-graphics-drivers 340.93-4.
  * conftest.h:
    - Implement new conftest.sh functions file_inode, drm_pci_set_busid (340.76).
    - Implement check for linux/log2.h (346.16).
    - Implement check for xen/ioemu.h (346.59).
    - Implement new conftest.sh functions write_cr4, xen_ioemu_inject_msi (346.59), list_cut_position (349.12).
    - Implement new conftest.sh functions backing_dev_info (346.82), phys_to_dma, dma_ops, get_dma_ops, noncoherent_swiotlb_dma_ops (352.09).
    - Implement new conftest.sh function dma_map_ops (352.30).
    - Reorder conftest.h to match conftest.sh.
    - Implement new conftest.sh function nvidia_grid_build (352.41).
  * Update lintian overrides.
  * Upload to jessie.

nvidia-graphics-drivers-legacy-304xx (304.125-2) unstable; urgency=medium

  * Add f_path.dentry.patch and fixes-for-kernel-4.0.0.patch (cherrypicked from svn branches/343 and trunk respectively) to fix FTBFS with linux 3.19 and 4.0. (Closes: #785442, #786383)

nvidia-graphics-drivers-legacy-304xx (304.125-2) unstable; urgency=medium

  * Add f_path.dentry.patch and fixes-for-kernel-4.0.0.patch (cherrypicked from svn branches/343 and trunk respectively) to fix FTBFS with linux 3.19 and 4.0. (Closes: #785442, #786383)

nvidia-graphics-drivers-legacy-304xx (304.125-2~bpo8+1) jessie-backports; urgency=medium

  * Rebuild for jessie-backports. (Closes: #795610)

nvidia-graphics-modules (340.96+3.16.0+1) jessie; urgency=medium

  * Use nvidia-kernel-source 340.96.
  * Upload to jessie.

nvidia-graphics-modules (340.96+3.16.0+1~bpo70+1) wheezy-backports; urgency=medium

  * Rebuild for wheezy-backports.

nvidia-graphics-modules (340.96+3.16.0+1) jessie; urgency=medium

  * Use nvidia-kernel-source 340.96.
  * Upload to jessie.

nvidia-graphics-modules (340.93+4.2.0+1) unstable; urgency=medium

  * Build for Linux 4.2.0 (ABI 1).

nvidia-graphics-modules (340.93+4.1.0+1) unstable; urgency=medium

  * Use nvidia-kernel-source 340.93.

nvidia-graphics-modules (340.93+3.16.0+1) jessie; urgency=medium

  * Use nvidia-kernel-source 340.93.
  * Upload to jessie.

nvidia-graphics-modules (340.93+3.16.0+1~bpo70+1) wheezy-backports; urgency=medium

  * Rebuild for wheezy-backports.

nvidia-graphics-modules (340.93+3.16.0+1) jessie; urgency=medium

  * Use nvidia-kernel-source 340.93.
  * Upload to jessie.

nvidia-graphics-modules (340.76+3.16.0+1) unstable; urgency=medium

  * Use nvidia-kernel-source 340.76.

nvidia-graphics-modules (340.76+4.1.0+2) unstable; urgency=medium

  * Build for Linux 4.1.0 (ABI 2).

nvidia-graphics-modules (340.76+4.1.0+1) unstable; urgency=medium

  * Build for Linux 4.1.0 (ABI 1).

nvidia-graphics-modules (340.76+4.0.0+2) unstable; urgency=medium

  * Build for Linux 4.0.0 (ABI 2).
  * Drop obsolete Conflicts/Replaces.
  * Drop transitional package nvidia-kernel-486:i386.

nvidia-graphics-modules (340.76+4.0.0+1) unstable; urgency=medium

  * Build for Linux 4.0.0-1.
  * Drop build-dep on linux-headers-$(ABI)-amd64 on arch i386 (src:linux no longer builds the -amd64 package on i386, as of ABI version 4.0.0-1).

nvidia-graphics-modules (340.76+3.16.0+1) unstable; urgency=medium

  * Use nvidia-kernel-source 340.76.

openafs (1.6.9-2+deb8u4) jessie-security; urgency=high

  * Apply upstream security patches corresponding to the 1.6.15 release:
    - OPENAFS-SA-2015-007 (CVE-2015-7762, CVE-2015-7763): rx ACK packets reveal plaintext of previously encrypted data packets.

openafs (1.6.9-2+deb8u4~bpo70+1) wheezy-backports; urgency=medium

  * Rebuild for jessie-backports (Closes: #775869.)

openjdk-7 (7u91-2.6.3-1~deb8u1) jessie-security; urgency=medium

  * Rebuild for jessie-security

openjdk-7 (7u91-2.6.3-1~deb7u1) wheezy-security; urgency=low

  * Rebuild for wheezy-security

openjdk-7 (7u91-2.6.2-1) unstable; urgency=medium

  [ Tiago Stürmer Daitx ]
  * IcedTea release 2.6.2 (based on 7u91):
  * Security fixes
    - S8048030, CVE-2015-4734: Expectations should be consistent
    - S8068842, CVE-2015-4803: Better JAXP data handling
    - S8076339, CVE-2015-4903: Better handling of remote object invocation
    - S8076383, CVE-2015-4835: Better CORBA exception handling
    - S8076387, CVE-2015-4882: Better CORBA value handling
    - S8076392, CVE-2015-4881: Improve IIOPInputStream consistency
    - S8076413, CVE-2015-4883: Better JRMP message handling
    - S8078427, CVE-2015-4842: More supportive home environment
    - S8078440: Safer managed types
    - S8080541: More direct property handling
    - S8080688, CVE-2015-4860: Service for DGC services
    - S8081760: Better group dynamics
    - S8086092, CVE-2015-4840: More palette improvements
    - S8086733, CVE-2015-4893: Improve namespace handling
    - S8087350: Improve array conversions
    - S8103671, CVE-2015-4805: More objective stream classes
    - S8103675: Better Binary searches
    - S8130078, CVE-2015-4911: Document better processing
    - S8130193, CVE-2015-4806: Improve HTTP connections
    - S8130864: Better server identity handling
    - S8130891, CVE-2015-4843: (bf) More direct buffering
    - S8131291, CVE-2015-4872: Perfect parameter patterning
    - S8132042, CVE-2015-4844: Preserve layout presentation
  * d/patches/it-debian-build-flags.diff: refreshed
  * d/patches/it-set-compiler.diff: refreshed
  * d/patches/it-use-quilt.diff: refreshed and updated
  * d/patches/it-jamvm-2.0.diff: refreshed
  * d/patches/xrender: removed as it was applied upstream

openjdk-7 (7u85-2.6.1-6+deb8u1) jessie-security; urgency=medium

  * Rebuild for jessie-security

openjdk-7 (7u85-2.6.1-6) unstable; urgency=high

  [ Tiago Stürmer Daitx ]
  * Security fixes
    - S8048030, CVE-2015-4734: Expectations should be consistent
    - S8068842, CVE-2015-4803: Better JAXP data handling
    - S8076339, CVE-2015-4903: Better handling of remote object invocation
    - S8076383, CVE-2015-4835: Better CORBA exception handling
    - S8076387, CVE-2015-4882: Better CORBA value handling
    - S8076392, CVE-2015-4881: Improve IIOPInputStream consistency
    - S8076413, CVE-2015-4883: Better JRMP message handling
    - S8078427, CVE-2015-4842: More supportive home environment
    - S8078440: Safer managed types
    - S8080541: More direct property handling
    - S8080688, CVE-2015-4860: Service for DGC services
    - S8081744, CVE-2015-4868: Clear out list corner case
    - S8081760: Better group dynamics
    - S8086092, CVE-2015-4840: More palette improvements
    - S8086733, CVE-2015-4893: Improve namespace handling
    - S8087350: Improve array conversions
    - S8103671, CVE-2015-4805: More objective stream classes
    - S8103675: Better Binary searches
    - S8129611: Accessbridge error handling improvement
    - S8130078, CVE-2015-4911: Document better processing
    - S8130185: More accessible access switch
    - S8130193, CVE-2015-4806: Improve HTTP connections
    - S8130864: Better server identity handling
    - S8130891, CVE-2015-4843: (bf) More direct buffering
    - S8131291, CVE-2015-4872: Perfect parameter patterning
    - S8132042, CVE-2015-4844: Preserve layout presentation
  * S6966259: Make PrincipalName and Realm immutable, required for S8048030
  * S8078822: 8068842 fix missed one new file PrimeNumberSequenceGenerator.java

  [ Matthias Klose ]
  * Re-enable the atk bridge for releases with a fixed atk bridge. Again closes: #797595.

openjdk-7 (7u85-2.6.1-6~deb7u1) wheezy-security; urgency=low

  * Rebuild for wheezy-security

openjdk-7 (7u85-2.6.1-5) unstable; urgency=medium

  * Fix passing --disable-system-sctp for non-linux targets.

openjdk-7 (7u85-2.6.1-5~deb8u1) jessie-security; urgency=medium

  * Rebuild for jessie-security

openjdk-7 (7u85-2.6.1-4) unstable; urgency=medium

  * Build again with pulseaudio on alpha.
  * Update the kfreebsd support patches (Steven Chamberlain). Closes: #798123.
  * Fix parallel build. Closes: #798124.
  * Disable again the atk bridge, too many regressions. Reopens: #797595.

openjdk-7 (7u85-2.6.1-3) unstable; urgency=medium

  * Configure with --disable-system-sctp on KFreeBSD.
  * Stop building jamvm on mips and mipsel, fails to build.

openjdk-7 (7u85-2.6.1-2) unstable; urgency=medium

  * Stop building zero on AArch64, broken on the merged IcedTea Hotspot.
  * Only build-depend on libsctp-dev on linux architectures.
  * Configure for zero on sparc64, Hotspot build fails too.

openjdk-7 (7u85-2.6.1-1) unstable; urgency=medium

  * IcedTea7 2.6.1 release (based on OpenJDK 7u85).
  * Configure for Hotspot on sparc64.
  * Add mips to the openjdk stage1 architectures.
  * Sort the enums and the annotations in the package-tree.html files (Emmanuel Bourg). Closes: #787159.
  * Re-enable the atk bridge for releases with a fixed atk bridge. Closes: #797595.
  * Make derivative builds the same as the parent distro. Closes: #797662.

openjdk-7 (7u79-2.5.6-1) unstable; urgency=medium

  * IcedTea7 2.5.6 release (based on OpenJDK 7u79).
  * Security fixes
    - S8043202, CVE-2015-2808: Prohibit RC4 cipher suites.
    - S8067694, CVE-2015-2625: Improved certification checking.
    - S8071715, CVE-2015-4760: Tune font layout engine.
    - S8071731: Better scaling for C1.
    - S8072490: Better font morphing redux.
    - S8072887: Better font handling improvements.
    - S8073334: Improved font substitutions.
    - S8073773: Presume path preparedness.
    - S8073894: Getting to the root of certificate chains.
    - S8074330: Set font anchors more solidly.
    - S8074335: Substitute for substitution formats.
    - S8074865, CVE-2015-2601: General crypto resilience changes.
    - S8074871: Adjust device table handling.
    - S8075374, CVE-2015-4748: Responding to OCSP responses.
    - S8075378, CVE-2015-4749: JNDI DnsClient Exception Handling.
    - S8075738: Better multi-JVM sharing.
    - S8075833, CVE-2015-2613: Straighter Elliptic Curves.
    - S8075838: Method for typing MethodTypes.
    - S8075853, CVE-2015-2621: Proxy for MBean proxies.
    - S8076328, CVE-2015-4000: Enforce key exchange constraints.
    - S8076376, CVE-2015-2628: Enhance IIOP operations.
    - S8076397, CVE-2015-4731: Better MBean connections.
    - S8076401, CVE-2015-2590: Serialize OIS data.
    - S8076405, CVE-2015-4732: Improve serial serialization.
    - S8076409, CVE-2015-4733: Reinforce RMI framework.
    - S8077520, CVE-2015-2632: Morph tables into improved form.
    - PR2487, CVE-2015-4000: Make jdk8 mode the default for jdk.tls.ephemeralDHKeySize.
  * Update the kfreebsd hotspot support patch (Steven Chamberlain). Closes: #788982.
  * openjdk-7-jre: Recommend the real libgconf2-4 and libgnome2-0 packages. Closes: #786594.

openjdk-7 (7u79-2.5.6-1~deb8u1) jessie-security; urgency=medium

  * Rebuild for stable

openjdk-7 (7u79-2.5.6-1~deb7u1) wheezy-security; urgency=low

  * Rebuild for oldstable

openjdk-7 (7u79-2.5.5-1) unstable; urgency=high

  * IcedTea7 2.5.5 release (based on OpenJDK 7u79).
  * Security fixes
    - S8059064: Better G1 log caching.
    - S8060461: Fix for JDK-8042609 uncovers additional issue.
    - S8064601, CVE-2015-0480: Improve jar file handling.
    - S8065286: Fewer subtable substitutions.
    - S8065291: Improved font lookups.
    - S8066479: Better certificate chain validation.
    - S8067050: Better font consistency checking.
    - S8067684: Better font substitutions.
    - S8067699, CVE-2015-0469: Better glyph storage.
    - S8068320, CVE-2015-0477: Limit applet requests.
    - S8068720, CVE-2015-0488: Better certificate options checking.
    - S8069198: Upgrade image library.
    - S8071726, CVE-2015-0478: Better RSA optimizations.
    - S8071818: Better vectorization on SPARC.
    - S8071931, CVE-2015-0460: Return of the phantom menace.
  * Build the documentation when building with a Hotspot VM. Closes: #781577.
  * openjdk-7-jre.preinst: Fix version for alternatives cleanup. Closes: #775072.
  * Re-enable HotSpot on SPARC; zero doesn't work and there seems to be some work ongoing upstream.
  * Refresh patches.
  * Only install the openjdk-java.desktop file when using cautious-launcher.

openjdk-7 (7u79-2.5.5-1~deb8u1) jessie-security; urgency=medium

  * Rebuild for jessie, the upload didn't reach jessie in time due to a failing mips build

openjdk-7 (7u79-2.5.5-1~deb7u1) wheezy-security; urgency=low

  * Rebuild for stable

openjdk-7 (7u75-2.5.4-3) unstable; urgency=medium

  * Replace the ARM32 Thumb JIT with the ARM32 JIT.
  * Fix 8059327: XML parser returns corrupt attribute value. Closes: #780166.
  * openjdk-7-jre.preinst: Cleanup obsolete alternatives (javaws, pluginappletviewer) left by openjdk-6-jre/squeeze (Andreas Beckmann). Closes: #775072.

openldap (2.4.40+dfsg-1+deb8u2) jessie; urgency=medium

  * debian/patches/ITS8003-fix-off-by-one-in-LDIF-length.patch: Import upstream patch to fix a crash when adding a large attribute value with the auditlog overlay enabled. (Closes: #806909)

openldap (2.4.40+dfsg-1+deb8u1) jessie-security; urgency=high

  * Non-maintainer upload by the Security Team.
  * Add ITS8240-remove-obsolete-assert.patch patch. Import upstream patch to remove an unnecessary assert(0) that could be triggered remotely by an unauthenticated user by sending a malformed BER element. (CVE-2015-6908, Closes: #798622)

openslp-dfsg (1.2.1-10+deb8u1) jessie-security; urgency=high

  * QA upload from the Security Team
  * Fix double free as per CVE-2015-5177

openssh (1:6.7p1-5+deb8u1) jessie-security; urgency=high

  * Non-maintainer upload by the Security Team.
  * Disable roaming in openssh client: roaming code is vulnerable to an information leak (CVE-2016-0777) and heap-based buffer overflow (CVE-2016-0778).

openssl (1.0.1k-3+deb8u2) jessie-security; urgency=medium

  * Fix CVE-2015-3194
  * Fix CVE-2015-3195
  * Fix CVE-2015-3196

openvpn (2.3.4-5+deb8u1) stable; urgency=medium

  * Add --no-block to if-up.d script to avoid hanging boot on interfaces with openvpn instances. (Closes: #787090, #785200)

owncloud (7.0.4+dfsg-4~deb8u4) jessie; urgency=medium

  * Backport security fixes from 7.0.12, 8.0.10, and 8.0.9:
    - Reflected XSS in OCS provider discovery [oc-sa-2016-001] [CVE-2016-1498]
    - Disclosure of files that begin with ".v" due to unchecked return value [oc-sa-2016-003] [CVE-2016-1500]
    - Information Exposure Through Directory Listing in the file scanner [oc-sa-2016-002] [CVE-2016-1499]
    - Full installation path disclosure through error message [oc-sa-2016-004] [CVE-2016-1501]

owncloud (7.0.4+dfsg-4~deb8u3) jessie-security; urgency=high

  * Backport security fixes from 7.0.5, 7.0.7, 8.0.6, and 7.0.9:
    - Fix stored XSS in "activity" application [oC-SA-2015-010] [CVE-2015-5953]
    - Fix disclosure of users files when deleting parent folders of shared files [oC-SA-2015-011] [CVE-2015-5954]
    - Fix information exposure through directory listing [oC-SA-2015-014] [CVE-2015-6500] (Closes: #800126)
    - Fix PHP arbitrary class instantiation in "files_external" [oC-SA-2015-018]

owncloud (7.0.4+dfsg-4~deb8u2) jessie; urgency=medium

  * Backport security fixes from 7.0.6 and 7.0.8:
    - Local file inclusion on MS Windows Platform [OC-SA-2015-006] [CVE-2015-4716]
    - Resource exhaustion when sanitizing filenames [OC-SA-2015-007] [CVE-2015-4717]
    - Command injection when using external SMB storage [OC-SA-2015-008] [CVE-2015-4718]
    - Calendar export: Authorization Bypass Through User-Controlled Key [OC-SA-2015-015] [CVE-2015-6670]

owncloud-client (1.7.0~beta1+really1.6.4+dfsg-1+deb8u1) stable-security; urgency=high

  * cherry-pick patches to fix CVE-2015-4456

pam (1.1.8-3.1+deb8u1) jessie; urgency=medium

  * Non-maintainer upload.
  * Fix CVE-2015-3238: DoS/user enumeration due to blocking pipe in pam_unix module (Closes: #789986)

pcre3 (2:8.35-3.3+deb8u2) jessie; urgency=medium

  * Non-maintainer upload.
  * Add additional CVE references and bug closer to previous changelog. CVE-2015-2327 fix was included in the previous 2:8.35-3.3+deb8u1 upload. CVE-2015-8384 different issue than CVE-2015-3210 but fixed with same commit. CVE-2015-8388 different issue than CVE-2015-5073 but fixed with same commit. Add bug closer to bugs in the BTS retrospectively.
  * Add 0001-Fix-compile-time-loop-for-recursive-reference-within.patch. CVE-2015-2328: Stack-based buffer overflow in compile_regex().
  * Add 794589-information-disclosure.patch. CVE-2015-8382: Fix "pcre_exec does not fill offsets for certain regexps" leading to information disclosure. (Closes: #794589)
  * Add 0001-Fix-buffer-overflow-for-repeated-conditional-when-re.patch. CVE-2015-8383: Buffer overflow caused by repeated conditional group.
  * Add 0001-Fix-named-forward-reference-to-duplicate-group-numbe.patch. CVE-2015-8385: Buffer overflow caused by forward reference by name to certain group.
  * Add 0001-Fix-buffer-overflow-for-lookbehind-within-mutually-r.patch. CVE-2015-8386: Buffer overflow caused by lookbehind assertion.
  * Add 0001-Add-integer-overflow-check-to-n-code.patch. CVE-2015-8387: Integer overflow in subroutine calls.
  * Add 0001-Fix-overflow-when-ovector-has-size-1.patch. CVE-2015-8380: Heap-based buffer overflow in pcre_exec. (Closes: #806467)
  * Add 0001-Fix-infinite-recursion-in-the-JIT-compiler-when-cert.patch. CVE-2015-8389: Infinite recursion in JIT compiler when processing certain patterns.
  * Add 0001-Fix-bug-for-classes-containing-sequences.patch. CVE-2015-8390: Reading from uninitialized memory when processing certain patterns.
  * Add 0001-Fix-run-for-ever-bug-for-deeply-nested-sequences.patch. CVE-2015-8391: Some pathological patterns cause pcre_compile() to run for a very long time.
  * Add 0001-Fix-buffer-overflow-for-named-references-in-situatio.patch. CVE-2015-8392: Buffer overflow caused by certain patterns with duplicated named groups.
  * Add 0001-Make-pcregrep-q-override-l-and-c-for-compatibility-w.patch. CVE-2015-8393: Information leak when running pcregrep -q on crafted binary.
  * Add 0001-Add-missing-integer-overflow-checks.patch. CVE-2015-8394: Integer overflow caused by missing check for certain conditions.
  * Add 0001-Hack-in-yet-other-patch-for-a-bug-in-size-computatio.patch. CVE-2015-8381: Heap Overflow in compile_regex(). CVE-2015-8395: Buffer overflow caused by certain references. (Closes: #796762)

pcre3 (2:8.35-3.3+deb8u1) jessie; urgency=medium

  * CVE-2015-2325 CVE-2015-2326 CVE-2015-3210 CVE-2015-5073

pdns (3.4.1-4+deb8u4) jessie; urgency=medium

  * Fix upgrades with default configuration. The postinst script used to do a "grep include" on pdns.conf, which in older versions would work (mostly), because the default config only had a single "include=" entry. Now this is no longer true, so remove that. Also, changing the include directory would have never worked. (Closes: #798773)

pdns (3.4.1-4+deb8u3) jessie-security; urgency=high

  * Security update: apply patches for CVE-2015-5230

perl (5.20.2-3+deb8u3) jessie; urgency=medium

  * Backport Encode::Unicode BOM fix from Encode-2.77. (Closes: #798727)
    + break+replace libencode-perl (<< 2.63-1+deb8u1) accordingly

perl (5.20.2-3+deb8u2) jessie-security; urgency=high

  * [SECURITY] CVE-2015-8607 fix untaint issue with File::Spec::canonpath()

php-auth-sasl (1.0.6-1+deb8u1) stable; urgency=medium

  * Team upload.
  * Rebuild with pkg-php-tools 1.28 (Closes: #793948)
  * gbp.conf: target jessie

php-doctrine-annotations (1.2.1-1+deb8u1) jessie; urgency=medium

  * gbp.conf: Track the jessie branch
  * Fix security misconfiguration vulnerability [CVE-2015-5723]

php-doctrine-cache (1.3.1-1+deb8u1) jessie; urgency=medium

  * gbp.conf: Track the jessie branch
  * Fix security misconfiguration vulnerability [CVE-2015-5723]

php-doctrine-common (2.4.2-2+deb8u1) jessie; urgency=medium

  * gbp.conf: Track the jessie branch
  * Fix security misconfiguration vulnerability [CVE-2015-5723]

php-dropbox (1.0.0-3+deb8u1) jessie; urgency=medium

  * Refuse to handle any files containing a @ [CVE-2015-4715]
  * Track Jessie

php-horde (5.2.1+debian0-2+deb8u2) jessie-security; urgency=high

  * Add session token checking to various admin pages (Closes: #803641)

php-mail-mimedecode (1.5.5-2+deb8u1) stable; urgency=medium

  * Team upload.
  * Rebuild with pkg-php-tools 1.28 (Closes: #793947)
  * gbp.conf: target jessie

php5 (5.6.17+dfsg-0+deb8u1) jessie; urgency=high

  * Imported Upstream version 5.6.17+dfsg
    - Core:
      . Fixed bug #66909 (configure fails utf8_to_mutf7 test).
      . Fixed bug #70958 (Invalid opcode while using ::class as trait method parameter default value).
      . Fixed bug #70957 (self::class can not be resolved with reflection for abstract class).
      . Fixed bug #70944 (try{ } finally{} can create infinite chains of exceptions).
      . Fixed bug #61751 (SAPI build problem on AIX: Undefined symbol: php_register_internal_extensions).
    - FPM:
      . Fixed bug #70755 (fpm_log.c memory leak and buffer overflow).
    - GD:
      . Fixed bug #70976 (Memory Read via gdImageRotateInterpolated Array Index Out of Bounds).
    - Mysqlnd:
      . Fixed bug #68077 (LOAD DATA LOCAL INFILE / open_basedir restriction).
    - SOAP:
      . Fixed bug #70900 (SoapClient systematic out of memory error).
    - Standard:
      . Fixed bug #70960 (ReflectionFunction for array_unique returns wrong number of parameters).
    - PDO_Firebird:
      . Fixed bug #60052 (Integer returned as a 64bit integer on X64_86).
    - WDDX:
      . Fixed bug #70661 (Use After Free Vulnerability in WDDX Packet Deserialization).
      . Fixed bug #70741 (Session WDDX Packet Deserialization Type Confusion Vulnerability).
    - XMLRPC:
      . Fixed bug #70728 (Type Confusion Vulnerability in PHP_to_XMLRPC_worker()).
  * Rebase patches on top of 5.6.17+dfsg release
  * Make phar command versioned and use update-alternatives for 'phar' name to allow coinstallation with src:php7.0 packages

php5 (5.6.16+dfsg-4) unstable; urgency=medium

  * Make phar command versioned and use update-alternatives for 'phar' name to allow src:php5 packages to be co-installed with src:php7.0

php5 (5.6.16+dfsg-3) unstable; urgency=medium

  * Remove invalid patch to not reset packagingroot inside PEAR/Command/Install.php
  * Revert PEAR version to last working version from PHP 5.6.14 (Closes: #805222)

php5 (5.6.16+dfsg-2) unstable; urgency=medium

  [ Jan Wagner ]
  * Adding 'PHP_INI_SCAN_DIR=/etc/php5/${conf_dir}/conf.d/' to session cleanup script when calling php

  [ Ondřej Surý ]
  * Add patch to not reset packagingroot inside PEAR/Command/Install.php (Closes: #805222)

php5 (5.6.16+dfsg-1) unstable; urgency=medium

  * Imported Upstream version 5.6.16+dfsg
    - Core:
      . Fixed bug #70828 (php-fpm 5.6 with opcache crashes when referencing a non-existent constant).
      . Fixed bug #70748 (Segfault in ini_lex () at Zend/zend_ini_scanner.l).
    - Mysqlnd:
      . Fixed bug #68344 (MySQLi does not provide way to disable peer certificate validation) by introducing MYSQLI_CLIENT_SSL_DONT_VERIFY_SERVER_CERT connection flag.
    - OCI8:
      . Fixed bug #68298 (OCI int overflow).
    - PDO_DBlib:
      . Fixed bug #69757 (Segmentation fault on nextRowset).
    - SOAP:
      . Fixed bug #70875 (Segmentation fault if wsdl has no targetNamespace attribute).
    - SPL:
      . Fixed bug #70852 (Segfault getting NULL offset of an ArrayObject).
  * Rebase patches on top of 5.6.16+dfsg release

php5 (5.6.15+dfsg-1) unstable; urgency=medium

  * Imported Upstream version 5.6.15+dfsg
    - Core:
      . Fixed bug #70681 (Segfault when binding $this of internal instance method to null).
      . Fixed bug #70685 (Segfault for getClosure() internal method rebind with invalid $this).
    - Date:
      . Fixed bug #70619 (DateTimeImmutable segfault).
    - Mcrypt:
      . Fixed bug #70625 (mcrypt_encrypt() won't return data when no IV was specified under RC4).
    - Mysqlnd:
      . Fixed bug #70384 (mysqli_real_query():Unknown type 245 sent by the server).
      . Fixed bug #70572 segfault in mysqlnd_connect.
    - Opcache:
      . Fixed bug #70632 (Third one of segfault in gc_remove_from_buffer).
      . Fixed bug #70631 (Another Segfault in gc_remove_from_buffer()).
      . Fixed bug #70601 (Segfault in gc_remove_from_buffer()).
      . Fixed compatibility with Windows 10 (see also bug #70652).
  * Rebase patches on top of 5.6.15+dfsg

php5 (5.6.14+dfsg-1) unstable; urgency=medium

  * Imported Upstream version 5.6.14+dfsg
    - Core:
      . Fixed bug #70370 (Bundled libtool.m4 doesn't handle FreeBSD 10 when building extensions).
    - CLI server:
      . Fixed bug #68291 (404 on urls with '+').
    - DOM:
      . Fixed bug #70001 (Assigning to DOMNode::textContent does additional entity encoding).
    - Mysqlnd:
      . Fixed bug #70456 (mysqlnd doesn't activate TCP keep-alive when connecting to a server).
    - OpenSSL:
      . Fixed bug #55259 (openssl extension does not get the DH parameters from DH key resource).
      . Fixed bug #70395 (Missing ARG_INFO for openssl_seal()).
      . Fixed bug #60632 (openssl_seal fails with AES).
      . Fixed bug #68312 (Lookup for openssl.cnf causes a message box).
    - PDO:
      . Fixed bug #70389 (PDO constructor changes unrelated variables).
    - Phar:
      . Fixed bug #69720 (Null pointer dereference in phar_get_fp_offset()).
      . Fixed bug #70433 (Uninitialized pointer in phar_make_dirstream when zip entry filename is "/").
    - Phpdbg:
      . Fix phpdbg_break_next() sometimes not breaking.
    - Standard:
      . Fixed bug #67131 (setcookie() conditional for empty values not met).
    - Streams:
      . Fixed bug #70361 (HTTP stream wrapper doesn't close keep-alive connections).
    - Zip:
      . Fixed bug #70322 (ZipArchive::close() doesn't indicate errors).
  * Rebase patches on top of PHP 5.6.14+dfsg

php5 (5.6.14+dfsg-0+deb8u1) jessie-security; urgency=high

  * Imported Upstream version 5.6.14+dfsg
    - Core:
      . Fixed bug #70370 (Bundled libtool.m4 doesn't handle FreeBSD 10 when building extensions).
    - CLI server:
      . Fixed bug #68291 (404 on urls with '+').
    - DOM:
      . Fixed bug #70001 (Assigning to DOMNode::textContent does additional entity encoding).
    - Mysqlnd:
      . Fixed bug #70456 (mysqlnd doesn't activate TCP keep-alive when connecting to a server).
    - OpenSSL:
      . Fixed bug #55259 (openssl extension does not get the DH parameters from DH key resource).
      . Fixed bug #70395 (Missing ARG_INFO for openssl_seal()).
      . Fixed bug #60632 (openssl_seal fails with AES).
      . Fixed bug #68312 (Lookup for openssl.cnf causes a message box).
    - PDO:
      . Fixed bug #70389 (PDO constructor changes unrelated variables).
    - Phar:
      . Fixed bug #69720 (Null pointer dereference in phar_get_fp_offset()).
      . Fixed bug #70433 (Uninitialized pointer in phar_make_dirstream when zip entry filename is "/").
    - Phpdbg:
      . Fix phpdbg_break_next() sometimes not breaking.
    - Standard:
      . Fixed bug #67131 (setcookie() conditional for empty values not met).
    - Streams:
      . Fixed bug #70361 (HTTP stream wrapper doesn't close keep-alive connections).
    - Zip:
      . Fixed bug #70322 (ZipArchive::close() doesn't indicate errors).
  * Rebase patches on top of PHP 5.6.14+dfsg

php5 (5.6.13+dfsg-2) unstable; urgency=medium

  [ Justin Pasher ]
  * Improve sessionclean script to handle tiered and symlinked directories

  [ Bernat Arlandis ]
  * Fix the bug where sessionclean doesn't touch session files

php5 (5.6.13+dfsg-1) unstable; urgency=medium

  * New upstream version 5.6.13+dfsg
  * Refresh patches on top of 5.6.13+dfsg release

php5 (5.6.13+dfsg-0+deb8u1) jessie-security; urgency=medium

  * Imported Upstream version 5.6.13+dfsg
    - Core:
      . Fixed bug #69900 (Too long timeout on pipes).
      . Fixed bug #69487 (SAPI may truncate POST data).
      . Fixed bug #70198 (Checking liveness does not work as expected).
      . Fixed bug #70172 (Use After Free Vulnerability in unserialize()).
      . Fixed bug #70219 (Use after free vulnerability in session deserializer).
    - CLI server:
      . Fixed bug #66606 (Sets HTTP_CONTENT_TYPE but not CONTENT_TYPE).
      . Fixed bug #70264 (CLI server directory traversal).
    - Date:
      . Fixed bug #70266 (DateInterval::__construct.interval_spec is not supposed to be optional).
      . Fixed bug #70277 (new DateTimeZone($foo) is ignoring text after null byte).
    - EXIF:
      . Fixed bug #70385 (Buffer over-read in exif_read_data with TIFF IFD tag byte value of 32 bytes).
    - hash:
      . Fixed bug #70312 (HAVAL gives wrong hashes in specific cases).
    - MCrypt:
      . Fixed bug #69833 (mcrypt fd caching not working).
    - Opcache:
      . Fixed bug #70237 (Empty while and do-while segmentation fault with opcode on CLI enabled).
    - PCRE:
      . Fixed bug #70232 (Incorrect bump-along behavior with \K and empty string match).
      . Fixed bug #70345 (Multiple vulnerabilities related to PCRE functions).
    - SOAP:
      . Fixed bug #70388 (SOAP serialize_function_call() type confusion / RCE).
    - SPL:
      . Fixed bug #70290 (Null pointer deref (segfault) in spl_autoload via ob_start).
      . Fixed bug #70303 (Incorrect constructor reflection for ArrayObject).
      . Fixed bug #70365 (Use-after-free vulnerability in unserialize() with SplObjectStorage).
      . Fixed bug #70366 (Use-after-free vulnerability in unserialize() with SplDoublyLinkedList).
    - Standard:
      . Fixed bug #70052 (getimagesize() fails for very large and very small WBMP).
      . Fixed bug #70157 (parse_ini_string() segmentation fault with INI_SCANNER_TYPED).
    - XSLT:
      . Fixed bug #69782 (NULL pointer dereference).
    - ZIP:
      . Fixed bug #70350 (ZipArchive::extractTo allows for directory traversal when creating directories).
  * Refresh patches on top of 5.6.13+dfsg release

php5 (5.6.12+dfsg-1) unstable; urgency=medium

  * Drop explicit support for upstart (Closes: #792892)
  * Imported Upstream version 5.6.12+dfsg
  * Rebase patches using gbp pq on top of PHP 5.6.12+dfsg
  * Silence the MySQL library mismatch warning (Closes: #794191)

php5 (5.6.12+dfsg-0+deb8u1) jessie-security; urgency=medium

  * New upstream version 5.6.12+dfsg
    - Core:
      . Fixed bug #70012 (Exception lost with nested finally block).
      . Fixed bug #70002 (TS issues with temporary dir handling).
      . Fixed bug #69793 (Remotely triggerable stack exhaustion via recursive method calls).
      . Fixed bug #69892 (Different arrays compare identical due to integer key truncation).
      . Fixed bug #70121 (unserialize() could lead to unexpected methods execution / NULL pointer deref).
    - CLI server:
      . Fixed bug #69655 (php -S changes MKCALENDAR request method to MKCOL).
      . Fixed bug #64878 (304 responses return Content-Type header).
    - GD:
      . Fixed bug #53156 (imagerectangle problem with point ordering).
      . Fixed bug #66387 (Stack overflow with imagefilltoborder).
      . Fixed bug #70102 (imagecreatefromwebm() shifts colors).
      . Fixed bug #66590 (imagewebp() doesn't pad to even length).
      . Fixed bug #66882 (imagerotate by -90 degrees truncates image by 1px).
      . Fixed bug #70064 (imagescale(..., IMG_BICUBIC) leaks memory).
      . Fixed bug #69024 (imagescale segfault with palette based image).
      . Fixed bug #53154 (Zero-height rectangle has whiskers).
      . Fixed bug #67447 (imagecrop() add a black line when cropping).
      . Fixed bug #68714 (copy 'n paste error).
      . Fixed bug #66339 (PHP segfaults in imagexbm).
      . Fixed bug #70047 (gd_info() doesn't report WebP support).
    - ODBC:
      . Fixed bug #69975 (PHP segfaults when accessing nvarchar(max) defined columns).
    - OpenSSL:
      . Fixed bug #69882 (OpenSSL error "key values mismatch" after openssl_pkcs12_read with extra cert)
      . Fixed bug #70014 (openssl_random_pseudo_bytes() is not cryptographically secure).
    - Phar:
      . Improved fix for bug #69441.
      . Fixed bug #70019 (Files extracted from archive may be placed outside of destination directory).
    - SOAP:
      . Fixed bug #70081 (SoapClient info leak / null pointer dereference via multiple type confusions).
    - SPL:
      . Fixed bug #70068 (Dangling pointer in the unserialization of ArrayObject items).
      . Fixed bug #70166 (Use After Free Vulnerability in unserialize() with SPLArrayObject).
      . Fixed bug #70168 (Use After Free Vulnerability in unserialize() with SplObjectStorage).
      . Fixed bug #70169 (Use After Free Vulnerability in unserialize() with SplDoublyLinkedList).
    - Standard:
      . Fixed bug #70096 (Repeated iptcembed() adds superfluous FF bytes).
  * New upstream version 5.6.11
    - Core:
      . Fixed bug #69768 (escapeshell*() doesn't cater to !).
      . Fixed bug #69703 (Use __builtin_clzl on PowerPC).
      . Fixed bug #69732 (can induce segmentation fault with basic php code).
      . Fixed bug #69642 (Windows 10 reported as Windows 8).
      . Fixed bug #69551 (parse_ini_file() and parse_ini_string() segmentation fault).
      . Fixed bug #69781 (phpinfo() reports Professional Editions of Windows 7/8/8.1/10 as "Business").
      . Fixed bug #69740 (finally in generator (yield) swallows exception in iteration).
      . Fixed bug #69835 (phpinfo() does not report many Windows SKUs).
      . Fixed bug #69892 (Different arrays compare identical due to integer key truncation).
      . Fixed bug #69874 (Can't set empty additional_headers for mail()), regression from fix to bug #68776.
    - GD:
      . Fixed bug #61221 (imagegammacorrect function loses alpha channel).
    - GMP:
      . Fixed bug #69803 (gmp_random_range() modifies second parameter if GMP number).
    - Mysqlnd:
      . Fixed bug #69669 (mysqlnd is vulnerable to BACKRONYM) (CVE-2015-3152).
    - PCRE:
      . Fixed Bug #53823 (preg_replace: * qualifier on unicode replace garbles the string).
      . Fixed bug #69864 (Segfault in preg_replace_callback)
    - PDO_pgsql:
      . Fixed bug #69752 (PDOStatement::execute() leaks memory with DML Statements when closeCuror() is u).
      . Fixed bug #69362 (PDO-pgsql fails to connect if password contains a leading single quote).
      . Fixed bug #69344 (PDO PgSQL Incorrect binding numeric array with gaps).
    - SimpleXML:
      . Refactored the fix for bug #66084 (simplexml_load_string() mangles empty node name).
    - SPL:
      . Fixed bug #69737 (Segfault when SplMinHeap::compare produces fatal error).
      . Fixed bug #67805 (SplFileObject setMaxLineLength).
      . Fixed bug #69970 (Use-after-free vulnerability in spl_recursive_it_move_forward_ex()).
    - Sqlite3:
      . Fixed bug #69972 (Use-after-free vulnerability in sqlite3SafetyCheckSickOrOk()).
  * Rebase d/patches on top of 5.6.12+dfsg release

php5 (5.6.10+dfsg-0+deb8u1) jessie-security; urgency=medium

  * New upstream version 5.6.10+dfsg (CVE-2015-4644, CVE-2015-4643, CVE-2015-4598)
    - Core:
      . Fixed bug #66048 (temp. directory is cached during multiple requests).
      . Fixed bug #69566 (Conditional jump or move depends on uninitialised value in extension trait).
      . Fixed bug #69599 (Strange generator+exception+variadic crash).
      . Fixed bug #69628 (complex GLOB_BRACE fails on Windows).
      . Fixed POST data processing slowdown due to small input buffer size on Windows.
      . Fixed bug #69646 (OS command injection vulnerability in escapeshellarg).
      . Fixed bug #69719 (Incorrect handling of paths with NULs).
    - FTP
      . Improved fix for bug #69545 (Integer overflow in ftp_genlist() resulting in heap overflow).
    - GD:
      . Fixed bug #69479 (GD fails to build with newer libvpx).
    - Iconv:
      . Fixed bug #48147 (iconv with //IGNORE cuts the string).
    - Litespeed SAPI:
      . Fixed bug #68812 (Unchecked return value).
    - Mail:
      . Fixed bug #68776 (mail() does not have mail header injection prevention for additional headers).
    - MCrypt:
      . Added file descriptor caching to mcrypt_create_iv()
    - Opcache
      . Fixed bug #69549 (Memory leak with opcache.optimization_level=0xFFFFFFFF).
    - Phar:
      . Fixed bug #69680 (phar symlink in binary directory broken).
    - Postgres:
      . Fixed bug #69667 (segfault in php_pgsql_meta_data).
    - Sqlite3:
      . Upgrade bundled sqlite to 3.8.10.2.
  * Refresh patches using gbp pq

php5 (5.6.11+dfsg-1) unstable; urgency=medium

  * New upstream version 5.6.11+dfsg
  * Finish the transition to libsystemd, but allow backports (Closes: #779780)
  * Refresh patches using gbp pq rebase/export

php5 (5.6.9+dfsg-1) unstable; urgency=medium

  * New upstream version 5.6.9+dfsg
    - Core:
      . Fixed bug #69467 (Wrong checked for the interface by using Trait).
      . Fixed bug #69420 (Invalid read in zend_std_get_method).
      . Fixed bug #60022 ("use statement [...] has no effect" depends on leading backslash).
      . Fixed bug #67314 (Segmentation fault in gc_remove_zval_from_buffer).
      . Fixed bug #68652 (segmentation fault in destructor).
      . Fixed bug #69419 (Returning compatible sub generator produces a warning).
      . Fixed bug #69472 (php_sys_readlink ignores misc errors from GetFinalPathNameByHandleA).
      . Fixed bug #69364 (PHP Multipart/form-data remote dos Vulnerability).
      . Fixed bug #69403 (str_repeat() sign mismatch based memory corruption).
      . Fixed bug #69418 (CVE-2006-7243 fix regressions in 5.4+).
      . Fixed bug #69522 (heap buffer overflow in unpack()).
    - FTP:
      . Fixed bug #69545 (Integer overflow in ftp_genlist() resulting in heap overflow).
    - ODBC:
      . Fixed bug #69354 (Incorrect use of SQLColAttributes with ODBC 3.0).
      . Fixed bug #69474 (ODBC: Query with same field name from two tables returns incorrect result).
      . Fixed bug #69381 (out of memory with sage odbc driver).
    - OpenSSL:
      . Fixed bug #69402 (Reading empty SSL stream hangs until timeout).
    - PCNTL:
      . Fixed bug #68598 (pcntl_exec() should not allow null char).
    - PCRE:
      . Upgraded pcrelib to 8.37.
    - Phar:
      . Fixed bug #69453 (Memory Corruption in phar_parse_tarfile when entry filename starts with null).
  * Rebased patches on top of 5.6.9+dfsg version

php5 (5.6.9+dfsg-0+deb8u1) jessie-security; urgency=medium

  * Update gbp.conf for jessie branch
  * New upstream version 5.6.9+dfsg
    - Core:
      . Fixed bug #69467 (Wrong checked for the interface by using Trait).
      . Fixed bug #69420 (Invalid read in zend_std_get_method).
      . Fixed bug #60022 ("use statement [...] has no effect" depends on leading backslash).
      . Fixed bug #67314 (Segmentation fault in gc_remove_zval_from_buffer).
      . Fixed bug #68652 (segmentation fault in destructor).
      . Fixed bug #69419 (Returning compatible sub generator produces a warning).
      . Fixed bug #69472 (php_sys_readlink ignores misc errors from GetFinalPathNameByHandleA).
      . Fixed bug #69364 (PHP Multipart/form-data remote dos Vulnerability).
      . Fixed bug #69403 (str_repeat() sign mismatch based memory corruption).
      . Fixed bug #69418 (CVE-2006-7243 fix regressions in 5.4+).
      . Fixed bug #69522 (heap buffer overflow in unpack()).
    - FTP:
      . Fixed bug #69545 (Integer overflow in ftp_genlist() resulting in heap overflow).
    - ODBC:
      . Fixed bug #69354 (Incorrect use of SQLColAttributes with ODBC 3.0).
      . Fixed bug #69474 (ODBC: Query with same field name from two tables returns incorrect result).
      . Fixed bug #69381 (out of memory with sage odbc driver).
    - OpenSSL:
      . Fixed bug #69402 (Reading empty SSL stream hangs until timeout).
    - PCNTL:
      . Fixed bug #68598 (pcntl_exec() should not allow null char).
    - PCRE:
      . Upgraded pcrelib to 8.37.
    - Phar:
      . Fixed bug #69453 (Memory Corruption in phar_parse_tarfile when entry filename starts with null).
  * Rebased patches on top of 5.6.9+dfsg version
  * New upstream version 5.6.8+dfsg
    - Core:
      . Fixed bug #66609 (php crashes with __get() and ++ operator in some cases). (Dmitry, Laruence)
      . Fixed bug #68021 (get_browser() browser_name_regex returns non-utf-8 characters). (Tjerk)
      . Fixed bug #68917 (parse_url fails on some partial urls). (Wei Dai)
      . Fixed bug #69134 (Per Directory Values overrides PHP_INI_SYSTEM configuration options). (Anatol Belski)
      . Additional fix for bug #69152 (Type confusion vulnerability in exception::getTraceAsString). (Stas)
      . Fixed bug #69210 (serialize function return corrupted data when sleep has non-string values). (Juan Basso)
      . Fixed bug #69212 (Leaking VIA_HANDLER func when exception thrown in __call/... arg passing). (Nikita)
      . Fixed bug #69221 (Segmentation fault when using a generator in combination with an Iterator). (Nikita)
      . Fixed bug #69337 (php_stream_url_wrap_http_ex() type-confusion vulnerability). (Stas)
      . Fixed bug #69353 (Missing null byte checks for paths in various PHP extensions). (Stas)
    - Apache2handler:
      . Fixed bug #69218 (potential remote code execution with apache 2.4 apache2handler). (Gerrit Venema)
    - cURL:
      . Implemented FR#69278 (HTTP2 support). (Masaki Kagaya)
      . Fixed bug #68739 (Missing break / control flow). (Laruence)
      . Fixed bug #69316 (Use-after-free in php_curl related to CURLOPT_FILE/_INFILE/_WRITEHEADER). (Laruence)
    - Date:
      . Fixed bug #69336 (Issues with "last day of "). (Derick Rethans)
    - Enchant:
      . Fixed bug #65406 (Enchant broker plugins are in the wrong place in windows builds). (Anatol)
    - Ereg:
      . Fixed bug #68740 (NULL Pointer Dereference). (Laruence)
    - Fileinfo:
      . Fixed bug #68819 (Fileinfo on specific file causes spurious OOM and/or segfault). (Anatol Belski)
    - Filter:
      . Fixed bug #69202 (FILTER_FLAG_STRIP_BACKTICK ignored unless other flags are used). (Jeff Welch)
      . Fixed bug #69203 (FILTER_FLAG_STRIP_HIGH doesn't strip ASCII 127). (Jeff Welch)
    - OPCache:
      . Fixed bug #69297 (function_exists strange behavior with OPCache on disabled function). (Laruence)
      . Fixed bug #69281 (opcache_is_script_cached no longer works). (danack)
      . Fixed bug #68677 (Use After Free). (CVE-2015-1351) (Laruence)
    - OpenSSL:
      . Fixed bugs #68853, #65137 (Buffered crypto stream data breaks IO polling in stream_select() contexts) (Chris Wright)
      . Fixed bug #69197 (openssl_pkcs7_sign handles default value incorrectly) (Daniel Lowrey)
      . Fixed bug #69215 (Crypto servers should send client CA list) (Daniel Lowrey)
      . Add a check for RAND_egd to allow compiling against LibreSSL (Leigh)
    - Phar:
      . Fixed bug #64343 (PharData::extractTo fails for tarball created by BSD tar). (Mike)
      . Fixed bug #64931 (phar_add_file is too restrictive on filename). (Mike)
      . Fixed bug #65467 (Call to undefined method cli_arg_typ_string). (Mike)
      . Fixed bug #67761 (Phar::mapPhar fails for Phars inside a path containing ".tar"). (Mike)
      . Fixed bug #69324 (Buffer Over-read in unserialize when parsing Phar). (Stas)
      . Fixed bug #69441 (Buffer Overflow when parsing tar/zip/phar in phar_set_inode). (Stas)
    - Postgres:
      . Fixed bug #68741 (Null pointer dereference). (CVE-2015-1352) (Laruence)
    - SPL:
      . Fixed bug #69227 (Use after free in zval_scan caused by spl_object_storage_get_gc). (adam dot scarr at 99designs dot com)
    - SOAP:
      . Fixed bug #69293 (NEW segfault when using SoapClient::__setSoapHeader (bisected, regression)). (Laruence)
    - Sqlite3:
      . Fixed bug #68760 (SQLITE segfaults if custom collator throws an exception). (Dan Ackroyd)
      . Fixed bug #69287 (Upgrade bundled libsqlite to 3.8.8.3). (Anatol)
      . Fixed bug #66550 (SQLite prepared statement use-after-free). (Sean Heelan)
  * Update d/gbp.conf to new config style
  * Update patches for 5.6.8 release
  * Switch to gbp pq patch management

phpmyadmin (4:4.2.12-2+deb8u1) jessie-security; urgency=high

  * Fix several security issues:
    - CVE-2015-2206: Risk of BREACH attack due to reflected parameter.
    - CVE-2015-3902: XSRF/CSRF vulnerability in phpMyAdmin setup.
    - CVE-2015-3903: Vulnerability allowing man-in-the-middle attack on API call to GitHub.
    - CVE-2015-6830: Vulnerability that allows bypassing the reCaptcha test.
    - CVE-2015-7873: Content spoofing vulnerability when redirecting user to an external site.

plowshare4 (1.0.5-1+deb8u1) stable; urgency=high

  * Disable javascript support (Closes: #791467)

postgresql-9.1 (9.1.19-0+deb8u1) jessie; urgency=medium

  * New upstream version, relevant PL/Perl change:
    + Fix plperl to handle non-ASCII error message texts correctly.

postgresql-9.1 (9.1.19-0+deb7u1) wheezy; urgency=medium

  * New upstream version.

    + Fix contrib/pgcrypto to detect and report too-short crypt() salts (Josh Kupershmidt)

      Certain invalid salt arguments crashed the server or disclosed a few bytes of server memory.
      We have not ruled out the viability of attacks that arrange for presence of confidential information in the disclosed bytes, but they seem unlikely. (CVE-2015-5288)

postgresql-9.4 (9.4.5-0+deb8u1) jessie-security; urgency=medium

  * New upstream security release.

    + Guard against stack overflows in json parsing (Oskari Saarenmaa)

      If an application constructs PostgreSQL json or jsonb values from arbitrary user input, the application's users can reliably crash the PostgreSQL server, causing momentary denial of service. (CVE-2015-5289)

    + Fix contrib/pgcrypto to detect and report too-short crypt() salts (Josh Kupershmidt)

      Certain invalid salt arguments crashed the server or disclosed a few bytes of server memory. We have not ruled out the viability of attacks that arrange for presence of confidential information in the disclosed bytes, but they seem unlikely. (CVE-2015-5288)

postgresql-9.4 (9.4.5-0+deb8u1~bpo70+1) wheezy-backports; urgency=low

  * Rebuild for wheezy-backports.

postgresql-9.4 (9.4.5-0+deb8u1) jessie-security; urgency=medium

  * New upstream security release.

    + Guard against stack overflows in json parsing (Oskari Saarenmaa)

      If an application constructs PostgreSQL json or jsonb values from arbitrary user input, the application's users can reliably crash the PostgreSQL server, causing momentary denial of service. (CVE-2015-5289)

    + Fix contrib/pgcrypto to detect and report too-short crypt() salts (Josh Kupershmidt)

      Certain invalid salt arguments crashed the server or disclosed a few bytes of server memory. We have not ruled out the viability of attacks that arrange for presence of confidential information in the disclosed bytes, but they seem unlikely. (CVE-2015-5288)

postgresql-9.4 (9.4.4-0+deb8u1) jessie; urgency=medium

  * New upstream version.
    + Fix possible failure to recover from an inconsistent database state
    + Fix rare failure to invalidate relation cache init file

postgresql-9.4 (9.4.3-0+deb8u1) jessie; urgency=medium

  * New upstream version: Avoid failures while fsync'ing data directory during crash restart (Abhijit Menon-Sen, Tom Lane; Closes: #786874)

postgresql-9.4 (9.4.2-0+deb8u1) stable-security; urgency=medium

  * New upstream version.

    + Avoid possible crash when client disconnects just before the authentication timeout expires (Benkocs Norbert Attila)

      If the timeout interrupt fired partway through the session shutdown sequence, SSL-related state would be freed twice, typically causing a crash and hence denial of service to other sessions. Experimentation shows that an unauthenticated remote attacker could trigger the bug somewhat consistently, hence treat as security issue. (CVE-2015-3165)

    + Improve detection of system-call failures (Noah Misch)

      Our replacement implementation of snprintf() failed to check for errors reported by the underlying system library calls; the main case that might be missed is out-of-memory situations. In the worst case this might lead to information exposure, due to our code assuming that a buffer had been overwritten when it hadn't been. Also, there were a few places in which security-relevant calls of other system library functions did not check for failure.

      It remains possible that some calls of the *printf() family of functions are vulnerable to information disclosure if an out-of-memory error occurs at just the wrong time. We judge the risk to not be large, but will continue analysis in this area. (CVE-2015-3166)

    + In contrib/pgcrypto, uniformly report decryption failures as "Wrong key or corrupt data" (Noah Misch)

      Previously, some cases of decryption with an incorrect key could report other error message texts. It has been shown that such variance in error reports can aid attackers in recovering keys from other systems. While it's unknown whether pgcrypto's specific behaviors are likewise exploitable, it seems better to avoid the risk by using a one-size-fits-all message. (CVE-2015-3167)

    + Protect against wraparound of multixact member IDs (Álvaro Herrera, Robert Haas, Thomas Munro)

      Under certain usage patterns, the existing defenses against this might be insufficient, allowing pg_multixact/members files to be removed too early, resulting in data loss. The fix for this includes modifying the server to fail transactions that would result in overwriting old multixact member ID data, and improving autovacuum to ensure it will act proactively to prevent multixact member ID wraparound, as it does for transaction ID wraparound.

  * Repository moved to git, update Vcs headers.

postgresql-9.4 (9.4.1-1) unstable; urgency=medium

  * New upstream version.
    + libpq5: Name lookups fixed in minimal chroots (Closes: #756627)
    + Fix buffer overruns in to_char() (CVE-2015-0241)
    + Fix buffer overruns in contrib/pgcrypto (CVE-2015-0243)
    + Fix possible loss of frontend/backend protocol synchronization after an error (CVE-2015-0244)
    + Fix information leak via constraint-violation error messages (CVE-2014-8161)

postgresql-9.4 (9.4.0-1) unstable; urgency=medium

  * 9.4 released.
  * libpq5.symbols: PQhostaddr removed; it was new in 9.4.

postgresql-9.4 (9.4~rc1-1) unstable; urgency=medium

  * First 9.4 RC release.
  * Update psql call in dump-reload instructions.
  * Reenable 010_pg_basebackup.t tests, fixed upstream.

postgresql-9.4 (9.4~beta3-3) unstable; urgency=medium

  * Temporarily disable failing test in 010_pg_basebackup.t.

postgresql-9.4 (9.4~beta3-2) unstable; urgency=medium

  * postgresql-9.4.preinst: Output detailed dump-reload instructions when refusing the package upgrade, and also add a NEWS item about it. (Closes: #764705)
  * Add libipc-run-perl for the regression tests which otherwise skip large parts.
  * Update Standards-Version.

postgresql-9.4 (9.4~beta3-1) unstable; urgency=medium

  * New upstream beta version.
    + Catalog version number changed, older 9.4 clusters need to be dumped and reloaded.
    + Regexp regression fixed.
      (Closes: #760564)
    + CACHE_LINE_SIZE definition renamed to mitigate conflict on *BSD. (Closes: #763098)

  [ Martin Pitt ]
  * Add missing logrotate test dependency.

  [ Christoph Berg ]
  * Set Multi-Arch: foreign in postgresql-client-9.4 and postgresql-doc-9.4. (Closes: #757520; do it even on non-multiarch dists, it doesn't hurt.)
  * Fix postgresql_fdw in description, spotted by Zack Weinberg, thanks! (Closes: #762389)

postgresql-9.4 (9.4~beta2-1) unstable; urgency=low

  * New upstream beta version.
    + Secure Unix-domain sockets of temporary postmasters started during make check (Noah Misch)

      Any local user able to access the socket file could connect as the server's bootstrap superuser, then proceed to execute arbitrary code as the operating-system user running the test, as we previously noted in CVE-2014-0067. This change defends against that risk by placing the server's socket in a temporary, mode 0700 subdirectory of /tmp.

  * postgresql-9.4.preinst: Fail upgrade when upgrading from beta1, the catalog version changed. People should dump/remove their old clusters first.
  * Use util-linux' uuid lib as backend for the uuid-ossp extension (--with-uuid=e2fs).
  * Enable sepgsql (--with-selinux). On systems with libselinux1-dev < 2.1.10, this is automatically disabled.
  * Revert multiarch for libpq-dev and libecpg-dev. (Closes: #750111, #750112)
  * Remove our pg_regress patches to support --host=/path. Implemented upstream as fix for CVE-2014-0067.
  * debian/copyright: Say that there are various copyright holders for the contrib modules. (Hello Lintian!)
  * Update Vcs URLs.

postgresql-9.4 (9.4~beta1-2) experimental; urgency=medium

  * Update watch file for 9.4.
  * Enable multiarch support in libpq and friends. (Closes: #706849) Support is automatically disabled when the distribution does not support it.
  * Stop providing postgresql-dbg in postgresql-9.4-dbg.
    Its only purpose was to conflict with other postgresql-*-dbg packages, and that's no longer needed with build-id debug symbols.
  * Skip -pie on 32bit archs for performance and stability reasons. Closes: #749686; details at http://www.postgresql.org/message-id/20140519115318.GB7296@msgid.df7cb.de
  * Update contrib copyright statements, and move them to a separate file. Thanks to Thorsten Alteholz for reviewing the package.

postgresql-9.4 (9.4~beta1-1) experimental; urgency=low

  * Update for 9.4. Packaging based on 9.3 branch.
  * Bump to debhelper 9 to get debug symbol files based on build-ids.

postgresql-9.4 (9.4.4-2) unstable; urgency=medium

  * Add docbook-xml to build-depends.
  * debian/rules: Remove broken "generate POT files for translators" code.
  * Import patch from upstream to fix compatibility with perl 5.22. (Closes: #787468)
  * Fix memory read barrier on alpha, thanks to Michael Cree for the patch! (Closes: #756368)
  * postgresql postrm: Don't clean {/etc,/var/lib,/var/log}/postgresql on purge. (Closes: #793861)

postgresql-9.4 (9.4.4-1) unstable; urgency=medium

  * New upstream version.
    + Fix possible failure to recover from an inconsistent database state
    + Fix rare failure to invalidate relation cache init file

prosody (0.9.7-2+deb8u2) jessie-security; urgency=high

  * CVE-2016-1231: path traversal in http built-in server
  * CVE-2016-1232: weak PRNG for dialback on S2S

putty (0.63-10+deb8u1) jessie-security; urgency=high

  * More robust control sequence parameter handling, including:
    - CVE-2015-5309: Fix a potentially memory-corrupting integer overflow in the handling of the ECH (erase characters) control sequence in the terminal emulator.

pygments (2.0.1+dfsg-1.1+deb8u1) jessie-security; urgency=high

  * Non-maintainer upload by the Security Team.
  * Add CVE-2015-8557.patch patch.
    CVE-2015-8557: Shell injection in FontManager._get_nix_font_path. (Closes: #802828)

pykerberos (1.1.5-0.1+deb8u1) jessie; urgency=medium

  * Add KDC authenticity verification support (CVE-2015-3206)
    Obtained from upstream, ignoring white-space changes, URL:
    https://github.com/02strich/pykerberos/commit/02d13860b25fab58e739f0e000bed0067b7c6f9c
    (Closes: #796195)

python-django (1.7.7-1+deb8u3) jessie-security; urgency=high

  * SECURITY UPDATE:
    - CVE-2015-8213: Settings leak possibility in ``date`` template filter

python-yaql (0.2.3-2+deb8u1) jessie-proposed-updates; urgency=medium

  * Removed python3-yaql package: it's not working, and nothing depends on it (Closes: #795910).

qemu (1:2.1+dfsg-12+deb8u4) jessie-security; urgency=high

  * ne2000-add-checks-to-validate-ring-buffer-pointers-CVE-2015-5279.patch fix for Heap overflow vulnerability in ne2000_receive() function (Closes: #799074 CVE-2015-5279)
  * ne2000-avoid-infinite-loop-when-receiving-packets-CVE-2015-5278.patch (Closes: #799073 CVE-2015-5278)

qemu (1:2.1+dfsg-12+deb8u4~bpo70+1) wheezy-backports; urgency=high

  * Rebuild for wheezy-backports:
    - disable seccomp (not in wheezy)
    - build-depend on iasl|acpica-tools
    - s/python:any/python/ in build-depends

qemu (1:2.1+dfsg-12+deb8u4) jessie-security; urgency=high

  * ne2000-add-checks-to-validate-ring-buffer-pointers-CVE-2015-5279.patch fix for Heap overflow vulnerability in ne2000_receive() function (Closes: #799074 CVE-2015-5279)
  * ne2000-avoid-infinite-loop-when-receiving-packets-CVE-2015-5278.patch (Closes: #799073 CVE-2015-5278)

qemu (1:2.1+dfsg-12+deb8u3) jessie-security; urgency=high

  * Acknowledge the previous update. Thank you Salvatore for the hard work you did fixing so many security issues.
  * rename last patches removing numeric prefixes, so that different series won't intermix with each other, add Bug-Debian: headers.
  * Add e1000-avoid-infinite-loop-in-transmit-CVE-2015-6815.patch.
    CVE-2015-6815: net: e1000 infinite loop issue in processing transmit descriptor. (Closes: #798101 CVE-2015-6815)
  * Add ide-fix-ATAPI-command-permissions-CVE-2015-6855.patch.
    CVE-2015-6855: ide: qemu allows arbitrary commands to be sent to an ATAPI device from guest, while illegal commands might have security impact, f.e. WIN_READ_NATIVE_MAX results in divide by zero error. (Closes: CVE-2015-6855)

qemu (1:2.1+dfsg-12+deb8u2) jessie-security; urgency=high

  * Non-maintainer upload by the Security Team.
  * Add 0001-i8254-fix-out-of-bounds-memory-access-in-pit_ioport_.patch patch.
    CVE-2015-3214: i8254: out-of-bounds memory access in pit_ioport_read function. (Closes: #795461)
  * Add patches to address heap overflow when processing ATAPI commands.
    CVE-2015-5154: heap overflow during I/O buffer memory access. (Closes: #793811)
  * Add CVE-2015-5225.patch patch.
    CVE-2015-5225: vnc: heap memory corruption in vnc_refresh_server_surface. (Closes: #796465)
  * Add 0001-virtio-serial-fix-ANY_LAYOUT.patch patch.
    CVE-2015-5745: buffer overflow in virtio-serial. (Closes: #795087)
  * Add patches for CVE-2015-5165.
    CVE-2015-5165: rtl8139 uninitialized heap memory information leakage to guest. (Closes: #794610)

qemu (1:2.1+dfsg-12+deb8u1) jessie-security; urgency=high

  * slirp-use-less-predictable-directory-name-in-tmp-CVE-2015-4037.patch (Closes: CVE-2015-4037)
  * 11 patches for XEN PCI pass-through issues (Closes: #787547 CVE-2015-4103 CVE-2015-4104 CVE-2015-4105 CVE-2015-4106)
  * pcnet-force-buffer-access-to-be-in-bounds-CVE-2015-3209.patch with preparation bugfix pcnet-fix-negative-array-index-read.patch from upstream (Closes: #788460 CVE-2015-3209)

qemu (1:2.1+dfsg-12+deb8u3) jessie-security; urgency=high

  * Acknowledge the previous update. Thank you Salvatore for the hard work you did fixing so many security issues.
  * rename last patches removing numeric prefixes, so that different series won't intermix with each other, add Bug-Debian: headers.
  * Add e1000-avoid-infinite-loop-in-transmit-CVE-2015-6815.patch.
    CVE-2015-6815: net: e1000 infinite loop issue in processing transmit descriptor.
    (Closes: #798101 CVE-2015-6815)
  * Add ide-fix-ATAPI-command-permissions-CVE-2015-6855.patch.
    CVE-2015-6855: ide: qemu allows arbitrary commands to be sent to an ATAPI device from guest, while illegal commands might have security impact, f.e. WIN_READ_NATIVE_MAX results in divide by zero error. (Closes: CVE-2015-6855)

qemu (1:2.1+dfsg-12+deb8u2) jessie-security; urgency=high

  * Non-maintainer upload by the Security Team.
  * Add 0001-i8254-fix-out-of-bounds-memory-access-in-pit_ioport_.patch patch.
    CVE-2015-3214: i8254: out-of-bounds memory access in pit_ioport_read function. (Closes: #795461)
  * Add patches to address heap overflow when processing ATAPI commands.
    CVE-2015-5154: heap overflow during I/O buffer memory access. (Closes: #793811)
  * Add CVE-2015-5225.patch patch.
    CVE-2015-5225: vnc: heap memory corruption in vnc_refresh_server_surface. (Closes: #796465)
  * Add 0001-virtio-serial-fix-ANY_LAYOUT.patch patch.
    CVE-2015-5745: buffer overflow in virtio-serial. (Closes: #795087)
  * Add patches for CVE-2015-5165.
    CVE-2015-5165: rtl8139 uninitialized heap memory information leakage to guest. (Closes: #794610)

qpsmtpd (0.84-11+deb8u1) stable; urgency=medium

  * Patch for compatibility-breaker change in Net::DNS (Closes: #795836)
  * Depend on libnet-dns-perl >= 0.81, since 0.66 from oldstable has the opposite compatibility problem

quassel (1:0.10.0-2.3+deb8u2) jessie; urgency=high

  * Non-maintainer upload.
  * Fix CVE-2015-8547: remote DoS in quassel core, using /op * command. (Closes: #807801)
    - Add debian/patches/CVE-2015-8547.patch, cherry-picked from upstream.

redis (2:2.8.17-1+deb8u3) jessie-security; urgency=high

  * Non-maintainer upload by the Security Team.
  * Add 06-CVE-2015-8080-Integer-wraparound-in-lua_struct.c-cau.patch patch.
    CVE-2015-8080: Integer wraparound in lua_struct.c causing stack-based buffer overflow. (Closes: #804419)

redis (2:2.8.17-1+deb8u2) stable; urgency=medium

  * Backport debian/redis-server.tmpfile from unstable so that a valid runtime directory is created when running under systemd. This ensures that there is a secure and sensible location for the UNIX socket. (Closes: #803233)

redmine (3.0~20140825-8~deb8u1) jessie; urgency=medium

  * Backport as a stable update for Jessie.

redmine (3.0~20140825-7) unstable; urgency=medium

  * debian/postinst: always remove and recreate Gemfile.lock to handle the case where dependencies are being upgraded.

redmine (3.0~20140825-6) unstable; urgency=medium

  * debian/doc/examples/apache2-host.conf: fix typo in package name user is told to install. Closes: #777736
  * Fix upgrades when there are locally-installed plugins. Closes: #779273
    - debian/postinst: run rake under `bundle exec` to correctly handle upgrades when the local admin installed non-packaged plugins (i.e. ~100% of them).
    - 2003_externalize_session_config.patch, 2002_FHS_through_env_vars.patch, gemfile-adjustments.patch: always set RAILS_ETC, RAILS_* unconditionally from X_DEBIAN_SITEID because the load order under `bundle exec` seems to be a little different.
    - change Gemfile.lock handling:
      + symlink Gemfile.lock to /var/lib/redmine/Gemfile.lock
      + always update it at the beginning of debian/postinst
      + trigger postinst when Ruby packages are upgraded
  * Don't leave unowned files after purge. Closes: #781534
    - debian/postinst:
      - don't create files under /usr/share/redmine/app
      - pass SCHEMA=/dev/null to rake `db:migrate` so it won't create /usr/share/redmine/db/schema.rb
    - debian/postrm: remove the aforementioned files
  * debian/postinst: fix several programming errors
    - initialize variable that will hold the return code of a potentially failing command to 0 so it is not undefined if the command succeeds. Closes: #780894
    - add missing quotes around $fHasOldSessionName
    - fix logic when testing whether session.yml file exists
    - restrict usage of $2 as a version number when triggered, since $2 will contain the trigger names instead.
  * debian/patches/fix-move-issue-between-projects.patch: applied patch by Tristam Fenton-May to fix moving issues across projects (Closes: #783717)
  * debian/install:
    - install bin/ directory so rails detects redmine as a proper Rails app
      + This fixes running `rails console`, `rails dbconsole` etc from within the installed package at /usr/share/redmine.
    - don't install deprecated script/ directory
  * debian/doc/examples/apache2-passenger-*.conf: document line that must be changed in extra instances.
  * debian/patches/gemfile-adjustments.patch:
    - bump dependency on redcarpet
    - don't try to read database.yml if it's not readable

rpcbind (0.2.1-6+deb8u1) jessie-security; urgency=high

  * Non-maintainer upload by the Security Team.
  * Add CVE-2015-7236.patch patch.
    CVE-2015-7236: Memory corruption in PMAP_CALLIT code leading to denial of service. (Closes: #799307)

rsyslog (8.4.2-1+deb8u2) jessie; urgency=medium

  * Fix crash in imfile module when using inotify mode. Patch cherry-picked from upstream Git. (Closes: #770998)
  * Prevent a segfault in dynafile creation. Patch cherry-picked from upstream Git. (Closes: #807908)

ruby-bson (1.10.0-1+deb8u1) jessie; urgency=medium

  * Fix CVE-2015-4410: DoS and possible injection (Closes: #787951)

s390-dasd (0.0.32~deb8u1) jessie; urgency=medium

  * Upload to Debian stable.

s390-dasd (0.0.32) unstable; urgency=medium

  * If no channel is found, exit cleanly. This allows s390-dasd to step out of the way on VMs with virtio disks.
  * Log error conditions.

s390-dasd (0.0.31) unstable; urgency=medium

  [ Updated translations ]
  * Turkish (tr.po) by Mert Dirik

s390-dasd (0.0.31) unstable; urgency=medium

  [ Updated translations ]
  * Turkish (tr.po) by Mert Dirik

samba (2:4.1.17+dfsg-2+deb8u1) jessie-security; urgency=high

  * Add patch cve_2015_5252.diff, fixes:
    - CVE-2015-5252: Insufficient symlink verification in smbd
  * Add patch cve_2015_5296.diff, fixes:
    - CVE-2015-5296: Samba client requesting encryption vulnerable to downgrade attack
  * Add patch cve_2015_5299.diff, fixes:
    - CVE-2015-5299: Missing access control check in shadow copy code
  * Add patch cve_2015_7540.diff, fixes:
    - CVE-2015-7540: Remote DoS in Samba (AD) LDAP server
  * Add patch cve_2015_8467.diff, fixes:
    - CVE-2015-8467: Denial of service attack against Windows Active Directory server
  * Add patch cve_2015_3223_5330.diff, fixes:
    - CVE-2015-3223: Denial of service in Samba Active Directory server
    - CVE-2015-5330: Remote memory read in Samba LDAP server
  * Bump build dependency for ldb to >= 2:1.1.17-2+deb8u1~.

screen (4.2.1-3+deb8u1) jessie-security; urgency=high

  * Fix stack overflow due to too deep recursion (CVE-2015-6806).

shadow (1:4.2-3+deb8u1) jessie; urgency=medium

  * Non-maintainer upload.
  * Fix error handling in busy user detection. (Closes: #778287)

smokeping (2.6.9-1+deb8u1) stable-security; urgency=high

  * security fix for CVE-2015-0859: code execution via CGI arguments due to Debian Apache configuration

sparse (0.4.5~rc1-2~deb8u1) jessie; urgency=medium

  * QA upload.
  * Rebuild for jessie.

sparse (0.4.5~rc1-2) unstable; urgency=medium

  [ Andreas Beckmann ]
  * QA upload.
  * Set maintainer to Debian QA Group. (See #794643)
  * Fix Homepage and Vcs-Browser URLs.
  * Refresh patch to apply without fuzz.

  [ Uwe Kleine-König ]
  * Cherry-pick commit from upstream to fix build failure with llvm-3.5.
  * Temporarily build-depend on libedit-dev because llvm-config claims to need that. (Closes: #793197)

spice (0.12.5-1+deb8u2) jessie-security; urgency=high

  * Non-maintainer upload by the Security Team.
  * Add series of patches for CVE-2015-5260 and CVE-2015-6261.
    CVE-2015-5260: insufficient validation of surface_id parameter can cause crash.
    (Closes: #801089)
    CVE-2015-5261: host memory access from guest using crafted images. (Closes: #801091)

spice (0.12.5-1+deb8u1) jessie-security; urgency=high

  * Non-maintainer upload by the Security Team.
  * Add CVE-2015-3247.patch patch.
    CVE-2015-3247: Memory corruption in worker_update_monitors_config(). (Closes: #797976)

spip (3.0.17-2+deb8u1) jessie; urgency=medium

  * Track Jessie
  * Backport XSS fixes in private content from 3.0.21

squid3 (3.4.8-6+deb8u1) jessie-security; urgency=high

  [ Luigi Gangitano ]
  * debian/patches/36-squid-3.4-13225.patch
    - Added upstream patch fixing Improper Protection of Alternate Path (Ref: SQUID-2015:2, CVE-2015-5400) (Closes: #793128)

stk (4.4.4-5+deb8u1) jessie; urgency=medium

  [ Hanno Zulla ]
  * Install missing SKINI.{msg,tbl} include files

strongswan (5.2.1-6+deb8u2) jessie-security; urgency=medium

  * debian/patches:
    - CVE-2015-8023_eap_mschapv2_state added, fix authentication bypass when using EAP MSCHAPv2.

strongswan (5.2.1-6+deb8u2~bpo70+1) wheezy-backports; urgency=medium

  * Rebuild for wheezy-backports.

strongswan (5.2.1-6+deb8u2) jessie-security; urgency=medium

  * debian/patches:
    - CVE-2015-8023_eap_mschapv2_state added, fix authentication bypass when using EAP MSCHAPv2.

subversion (1.8.10-6+deb8u2) jessie-security; urgency=high

  * patches/r1708699-mod_auth_ntlm-kerb-fix: Fix regression interacting with mod_auth_kerb/mod_auth_ntlm due to CVE-2015-3814 patch. (Closes: #797216)
  * patches/CVE-2015-5343: Heap overflow and out-of-bounds read in mod_dav_svn

subversion (1.8.10-6+deb8u2~bpo70+1) wheezy-backports; urgency=medium

  * Rebuild for wheezy-backports.
  * Use libdb5.1 instead of 5.3.
  * Create libapache2-mod-svn maintainer scripts manually instead of using dh_apache2.
  * Adapt ruby libdir as it's not multiarched in wheezy.
  * Add ruby1.8 and ruby1.8-dev to Build-Conflicts to make sure the same versions of ruby and ruby-dev are installed.
  * Remove dependency on apache2-bin, not needed for apache 2.2.

subversion (1.8.10-6+deb8u2) jessie-security; urgency=high

  * patches/r1708699-mod_auth_ntlm-kerb-fix: Fix regression interacting with mod_auth_kerb/mod_auth_ntlm due to CVE-2015-3814 patch. (Closes: #797216)
  * patches/CVE-2015-5343: Heap overflow and out-of-bounds read in mod_dav_svn

sudo (1.8.10p3-1+deb8u3) jessie-security; urgency=medium

  * Non-maintainer upload
  * Disable editing of files via user-controllable symlinks (Closes: #804149) (CVE-2015-5602)
    - sudoedit path restriction bypass using symlinks
    - Change warning when user tries to sudoedit a symbolic link
    - Open sudoedit files with O_NONBLOCK and fail if they are not regular files
    - Remove S_ISREG check from sudo_edit_open(), it is already done in the caller
    - Add directory writability checks for sudoedit
    - Fix directory writability checks for sudoedit
    - Enable sudoedit directory writability checks by default

sus (7.20160107~deb8u1) jessie; urgency=medium

  * Non-maintainer upload.
  * Rebuild for jessie.

sus (7.20160107) unstable; urgency=medium

  * The upstream tarball for SUSv4 TC1 changed; update checksum (Closes: #790535)
    | The chapters on m4 and expr seem to have been improved slightly
  * urgency=medium since susv4 is no longer installable

sus (7.20150719) unstable; urgency=medium

  * The upstream tarball for SUSv4 TC1 has changed; update checksum (Closes: #790535)
    | No normative changes, only tidying
  * urgency=medium since susv4 is no longer installable

sus (7.20150719) unstable; urgency=medium

  * The upstream tarball for SUSv4 TC1 has changed; update checksum (Closes: #790535)
    | No normative changes, only tidying
  * urgency=medium since susv4 is no longer installable

swift (2.2.0-1+deb8u1) jessie-proposed-updates; urgency=medium

  [ Thomas Goirand ]
  * Fixed swift user creation (standardized on pkgos way).
  * CVE-2015-1856 & OSSA 2015-006: Unauthorized delete of versioned Swift object. Applied upstream patch: Prevent unauthorized delete in versioned container (Closes: #783163).

  [ Ondřej Nový ]
  * Fixed service name of object-expirer.
  * Added container-sync init script.
  * CVE-2015-5223: Information leak via Swift tempurls. Applied upstream
    patch: Disallow unsafe tempurl operations to point to unauthorized data
    (Closes: #797032).

symfony (2.3.21+dfsg-4+deb8u2) jessie-security; urgency=high
  .
  * Backport security fixes from 2.3.35
    - Session Fixation in the "Remember Me" Login Feature [CVE-2015-8124]
    - Vulnerability in Security Remember-Me Service [CVE-2015-8125]

systemd (215-17+deb8u3) stable; urgency=medium
  .
  * Fix namespace breakage due to incorrect path sorting. (Closes: #787758)
  * Don't timeout after 90 seconds when no password was entered for
    cryptsetup devices. (Closes: #802897)
  * Only set the kernel's timezone when the RTC runs in local time.
    Otherwise, every daylight saving time change or time zone change by
    travelling will make the time jump, and the local time might jump
    backwards which creates unsolvable problems with file timestamps.
    (Closes: #759319)
  * Fix incorrect handling of comma separator in systemd-delta.
    (Closes: #793477)
  * Make DHCP broadcast behaviour configurable in systemd-networkd via
    RequestBroadcast=. This is a backport from upstream which doesn't change
    the default setting. (Closes: #797894)

tangerine-icon-theme (0.26.debian-3.1~deb8u1) jessie; urgency=medium
  .
  * Non-maintainer upload.
  * Rebuild for jessie.
  .
tangerine-icon-theme (0.26.debian-3.1) unstable; urgency=medium
  .
  * Non-maintainer upload.
  * debian/clean-up.sh: Do not run processes in background.
    (Closes: #793161)

tomcat8 (8.0.14-1+deb8u1) jessie-security; urgency=medium
  .
  * Fixed CVE-2014-7810: Malicious web applications could use expression
    language to bypass the protections of a Security Manager as expressions
    were evaluated within a privileged code section.

torbrowser-launcher (0.1.9-1+deb8u2) jessie; urgency=medium
  .
  * Dedicated to the memory of Ian Murdock. Thank you very much for starting
    and shaping Debian, Ian!
    The world would be very different today without your work and you will
    never be forgotten.
  * Add debian/patches/series file so that the patches from 0.1.9-1+deb8u1
    are actually applied.
    - Apply 3d9f4ed and 5f833d7 from 0.2.0 upstream release to deal with
      changed paths in the 4.5 torbrowser release. (Closes: #784041)
    - 3d9f4ed also removes the accept links feature (as it has stopped
      working with 4.5.)
    - Apply f219f35 from 0.2.0 to stop acting as default browser, because a
      default browser should be capable of accepting links.
  * Refresh those patches so they apply cleanly.
  * Cherry-picks from 0.2.2:
    - 39901c6 Stop confining start-tor-browser script with AppArmor, and fix
      profiles to work with TBB 4.5+ (#181)
    - Set usr.bin.torbrowser-launcher AppArmor profiles to complain mode to
      make it work again (based on 70c750e).
    - e07beac Get stable version using torbrowser updater xml.
      (Closes: #804184)
    - ab141ee Stop using sha256sums.txt and sha256sums.txt.asc (fixes #180),
      (includes 7829f3e cleanup commit.)
    - 1ff1055 Force download URLs to be strings and not unicode (#205).
    - 94d184a Only convert unicode URLs to strings if they are actually
      unicode (#205). (Closes: #805078)

torbrowser-launcher (0.1.9-1+deb8u2~bpo70+1) wheezy-backports; urgency=medium
  .
  * Rebuild for wheezy-backports.
  .
torbrowser-launcher (0.1.9-1+deb8u2) jessie; urgency=medium
  .
  * Dedicated to the memory of Ian Murdock. Thank you very much for starting
    and shaping Debian, Ian! The world would be very different today without
    your work and you will never be forgotten.
  * Add debian/patches/series file so that the patches from 0.1.9-1+deb8u1
    are actually applied.
    - Apply 3d9f4ed and 5f833d7 from 0.2.0 upstream release to deal with
      changed paths in the 4.5 torbrowser release. (Closes: #784041)
    - 3d9f4ed also removes the accept links feature (as it has stopped
      working with 4.5.)
    - Apply f219f35 from 0.2.0 to stop acting as default browser, because a
      default browser should be capable of accepting links.
  * Refresh those patches so they apply cleanly.
  * Cherry-picks from 0.2.2:
    - 39901c6 Stop confining start-tor-browser script with AppArmor, and fix
      profiles to work with TBB 4.5+ (#181)
    - Set usr.bin.torbrowser-launcher AppArmor profiles to complain mode to
      make it work again (based on 70c750e).
    - e07beac Get stable version using torbrowser updater xml.
      (Closes: #804184)
    - ab141ee Stop using sha256sums.txt and sha256sums.txt.asc (fixes #180),
      (includes 7829f3e cleanup commit.)
    - 1ff1055 Force download URLs to be strings and not unicode (#205).
    - 94d184a Only convert unicode URLs to strings if they are actually
      unicode (#205). (Closes: #805078)

tryton-server (3.4.0-3+deb8u1) jessie-security; urgency=high
  .
  * Adding patch 02-CVE-2015-0861_field_access_on_multi_write.patch.
    Field access was only checked for the field defined in the first values
    dictionary, but it must be checked for all dictionaries in *args.
    - https://bugs.tryton.org/issue5167
    - https://codereview.tryton.org/22631002

ttylog (0.26-1~deb8u1) stable; urgency=medium
  .
  * Resolve the issue in 'jessie' with the truncating of the modem_device
    string during the normal operation of ttylog.
  * Revert Debhelper Compatibility and Build-Depends to version 8 for
    'jessie'.

tzdata (2015g-0+deb8u1) stable; urgency=medium
  .
  [ Aurelien Jarno ]
  * New upstream version, affecting the following future time stamps:
    - Fiji
    - Fort Nelson, British Columbia
    - Norfolk Island
    - Turkey (closes: #801172)

tzdata (2015g-0+deb7u1) oldstable; urgency=medium
  .
  [ Aurelien Jarno ]
  * New upstream version, affecting the following future time stamps:
    - Fiji
    - Fort Nelson, British Columbia
    - Norfolk Island
    - Turkey (closes: #801172)

tzdata (2015g-0+deb6u1) squeeze-lts; urgency=medium
  .
  * New upstream version:
    - Fiji
    - Fort Nelson, British Columbia
    - Norfolk Island
    - Turkey (closes: #801172)
    - North Korea switches to +0830 on 2015-08-15.
    - Uruguay no longer observes DST (closes: #801336).
    - DST suspension from 2015-06-14 03:00 through 2015-07-19 02:00 in
      Morocco.

tzdata (2015f-1) unstable; urgency=high
  .
  [ Aurelien Jarno ]
  * New upstream version, affecting the following future time stamps:
    - North Korea switches to +0830 on 2015-08-15.
    - Uruguay no longer observes DST.

unzip (6.0-16+deb8u2) jessie-security; urgency=high
  .
  * Non-maintainer upload by the Security Team.
  * Update 16-fix-integer-underflow-csiz-decrypted patch.
    Fix regression in handling 0-byte files. (Closes: #804595)

unzip (6.0-16+deb8u1) jessie-security; urgency=high
  .
  * Non-maintainer upload by the Security Team.
  * Fix infinite loop when extracting password-protected archive.
    This is CVE-2015-7697. Closes: #802160.
  * Fix heap overflow when extracting password-protected archive.
    This is CVE-2015-7696. Closes: #802162.
  * Fix additional unsigned overflow on invalid input.

uqm (0.6.2.dfsg-9.1~deb8u1) jessie; urgency=medium
  .
  * Non-maintainer upload.
  * Rebuild for jessie.
  .
uqm (0.6.2.dfsg-9.1) unstable; urgency=medium
  .
  * Non-maintainer upload.
  * Fix missing -lm, thanks to Peter Piwowarski. (Closes: #792920)

virtualbox (4.3.32-dfsg-1+deb8u2) jessie-security; urgency=medium
  .
  * d/rules: re-enable VBOX_WITH_VMSVGA and VBOX_WITH_VMSVGA3D
    (Closes: #795531).
    - the CVEs are already fixed
    - this patch makes it build more coherently with how upstream builds it.
    - the proper patch should be on upstream changeset 57410 but we don't
      need it anymore

virtualbox (4.3.32-dfsg-1+deb8u2~bpo70+1) wheezy-backports; urgency=medium
  .
  * Rebuild for wheezy-backports.
  .
virtualbox (4.3.32-dfsg-1+deb8u2) jessie-security; urgency=medium
  .
  * d/rules: re-enable VBOX_WITH_VMSVGA and VBOX_WITH_VMSVGA3D
    (Closes: #795531).
    - the CVEs are already fixed
    - this patch makes it build more coherently with how upstream builds it.
    - the proper patch should be on upstream changeset 57410 but we don't
      need it anymore

virtualbox (4.3.32-dfsg-1+deb8u2~bpo60+1) wheezy-backports; urgency=low
  .
  * Rebuild for wheezy-backports.
  .
virtualbox (4.3.32-dfsg-1+deb8u2) jessie-security; urgency=medium
  .
  * d/rules: re-enable VBOX_WITH_VMSVGA and VBOX_WITH_VMSVGA3D
    (Closes: #795531).
    - the CVEs are already fixed
    - this patch makes it build more coherently with how upstream builds it.
    - the proper patch should be on upstream changeset 57410 but we don't
      need it anymore
  .
virtualbox (4.3.32-dfsg-1+deb8u1) jessie-security; urgency=medium
  .
  [ Gianfranco Costamagna ]
  * New upstream security release.
    - Addressed CVE-2015-4813 and CVE-2015-4896
  * Use my uid to fix NMU warning
  * Remove pre-depends on dpkg, useless now.
  .
  [ Ritesh Raj Sarraf ]
  * Move virtualbox-dkms | virtualbox-source to Depends, needed to fully
    configure virtualbox kernel module prior to reload virtualbox service,
    avoiding a race condition. (Closes: #798527, #798979)
  .
virtualbox (4.3.30-dfsg-1+deb8u1) jessie-security; urgency=medium
  .
  [ Ritesh Raj Sarraf ]
  * Imported upstream release.
  .
  [ Gianfranco Costamagna ]
  * Readd again some removed lintian overrides.
  * virtualbox 4.3.30 builds fine with gcc 5.1, removing the gcc-4.9
    workaround (d/{rules,control})
  * Update copyright file.
  * Patch refresh.
  * Remove some more windows prebuilt files.
  * Add libnotify-bin as runtime-dependency for the x11 package (used for
    notify-send command) (Closes: #792292)
    - Thanks Torquil Macdonald Sørensen for the useful and complete bug
      report.
  .
virtualbox (4.3.28-dfsg-1) unstable; urgency=medium
  .
  * New upstream release (Closes: #785655).
    - fix for CVE-2015-3456 a.k.a. VENOM (Closes: #785424)
    - patch refresh.
    - remove d/p/37-diff_smap_4.patch.
  * Remove MAKE=kmk on virtualbox{,-guest}-source.files/rules
    (Closes: #785161).
    Upstream doesn't recommend using kmk to build kernel modules.
    This reverts 63fa6b7b86035b53e8d053b894814eccac9ce595
  * Add gbp.conf file.
  .
virtualbox (4.3.26-dfsg-3) unstable; urgency=medium
  .
  [ Adam Conrad ]
  * Re-work the packaging to account for the kernel modules being shipped in
    the master kernel packages, removing the need for dkms (LP: #1434579):
    - Make the dkms package provide a virtual package matching what the
      kernel packages provide to indicate that they ship the dkms modules.
    - Add an alternate dep from the utils package to the virtual driver.
    - Make the x11 driver package associate with the VGA controller PCI ID.
  .
virtualbox (4.3.26-dfsg-2) experimental; urgency=medium
  .
  [ Gianfranco Costamagna ]
  * remove obsolete lintian overrides.
  * d/p/37-diff_smap_4.patch, cherry-pick upstream patch to fix a kernel
    paging issue (LP: #1437845).
  .
  [ Ritesh Raj Sarraf ]
  * Remove Michael Meskes from uploaders.
  .
virtualbox (4.3.26-dfsg-1) experimental; urgency=medium
  .
  * Imported upstream release.
  * Conflict with upstream proprietary packages 4.3 series.
    (LP: #1371287, LP: #1375018, LP: #1385931, LP: #1386328, LP: #1421926)
  .
virtualbox (4.3.24-dfsg-1) experimental; urgency=medium
  .
  [ Gianfranco Costamagna ]
  * Imported upstream release (Closes: #779025).
  * Remove d/p/38-remove-hardcoded-gcc.patch, use --with-gcc and --with-g++
    configure flags.
  * Remove d/p/37-fix-build.patch, merged upstream.
  .
  [ Ritesh Raj Sarraf ]
  * [3bf4cdd] Add back versioned dependency on gcc multilib
  .
virtualbox (4.3.22-dfsg-1) experimental; urgency=medium
  .
  [ Gianfranco Costamagna ]
  * Imported Upstream release.
  * Update copyright year.
  * d/p/37-fix-build.patch fix build, following upstream change in xorg
    driver build (thanks to Michael Thayer for the hint and the help).
  * Remove old patches.
  * d/p/38-remove-hardcoded-gcc.patch use CC and CXX from d/rules until
    virtualbox is gcc-5 ready.
  .
  [ Ritesh Raj Sarraf ]
  * [1413631] Build with gcc 4 only
  * [f34c886] Add versioned dependency on g++-multilib
  .
virtualbox (4.3.20-dfsg-1) experimental; urgency=medium
  .
  [ Gianfranco Costamagna ]
  * Imported Upstream release.
  .
  [ Ritesh Raj Sarraf ]
  * Flip build dependency to libcurl4-gnutls-dev
  .
virtualbox (4.3.18-dfsg-3+deb8u3) jessie; urgency=medium
  .
  * d/p/39-crash-raw-mode.patch fix crash in raw mode. (Closes: #785689)
    from upstream changeset 53083 thanks Frank for the hint!
  .
virtualbox (4.3.18-dfsg-3+deb8u2) jessie-security; urgency=high
  .
  * d/p/CVE-2015-3456.patch fix for CVE-2015-3456 a.k.a. VENOM
    (Closes: #785424)
  .
virtualbox (4.3.18-dfsg-3+deb8u1) jessie; urgency=medium
  .
  [ Moritz Mühlenhoff ]
  * d/p/37-disable-smap.patch, cherry-pick upstream patch to fix a kernel
    paging issue (LP: #1437845, Closes: #783142).
  .
virtualbox (4.3.18-dfsg-3) unstable; urgency=medium
  .
  * Conflict with upstream proprietary packages 4.3 series.
    (LP: #1371287, LP: #1375018, LP: #1385931, LP: #1386328, LP: #1421926)

virtualbox (4.3.30-dfsg-1+deb8u1) jessie-security; urgency=medium
  .
  [ Ritesh Raj Sarraf ]
  * Imported upstream release.
  .
  [ Gianfranco Costamagna ]
  * Readd again some removed lintian overrides.
  * virtualbox 4.3.30 builds fine with gcc 5.1, removing the gcc-4.9
    workaround (d/{rules,control})
  * Update copyright file.
  * Patch refresh.
  * Remove some more windows prebuilt files.
  * Add libnotify-bin as runtime-dependency for the x11 package (used for
    notify-send command) (Closes: #792292)
    - Thanks Torquil Macdonald Sørensen for the useful and complete bug
      report.

virtualbox (4.3.30-dfsg-1) unstable; urgency=medium
  .
  [ Ritesh Raj Sarraf ]
  * Imported upstream release.
  .
  [ Gianfranco Costamagna ]
  * Readd again some removed lintian overrides.
  * virtualbox 4.3.30 builds fine with gcc 5.1, removing the gcc-4.9
    workaround (d/{rules,control})
  * Update copyright file.
  * Patch refresh.
  * Remove some more windows prebuilt files.
  * Add libnotify-bin as runtime-dependency for the x11 package (used for
    notify-send command) (Closes: #792292)
    - Thanks Torquil Macdonald Sørensen for the useful and complete bug
      report.

virtualbox (4.3.28-dfsg-1) unstable; urgency=medium
  .
  * New upstream release (Closes: #785655).
    - fix for CVE-2015-3456 a.k.a. VENOM (Closes: #785424)
    - patch refresh.
    - remove d/p/37-diff_smap_4.patch.
  * Remove MAKE=kmk on virtualbox{,-guest}-source.files/rules
    (Closes: #785161).
    Upstream doesn't recommend using kmk to build kernel modules.
    This reverts 63fa6b7b86035b53e8d053b894814eccac9ce595
  * Add gbp.conf file.

virtualbox (4.3.26-dfsg-3) unstable; urgency=medium
  .
  [ Adam Conrad ]
  * Re-work the packaging to account for the kernel modules being shipped in
    the master kernel packages, removing the need for dkms (LP: #1434579):
    - Make the dkms package provide a virtual package matching what the
      kernel packages provide to indicate that they ship the dkms modules.
    - Add an alternate dep from the utils package to the virtual driver.
    - Make the x11 driver package associate with the VGA controller PCI ID.

virtualbox (4.3.26-dfsg-2) experimental; urgency=medium
  .
  [ Gianfranco Costamagna ]
  * remove obsolete lintian overrides.
  * d/p/37-diff_smap_4.patch, cherry-pick upstream patch to fix a kernel
    paging issue (LP: #1437845).
  .
  [ Ritesh Raj Sarraf ]
  * Remove Michael Meskes from uploaders.

virtualbox (4.3.26-dfsg-1) experimental; urgency=medium
  .
  * Imported upstream release.
  * Conflict with upstream proprietary packages 4.3 series.
    (LP: #1371287, LP: #1375018, LP: #1385931, LP: #1386328, LP: #1421926)

virtualbox (4.3.24-dfsg-1) experimental; urgency=medium
  .
  [ Gianfranco Costamagna ]
  * Imported upstream release (Closes: #779025).
  * Remove d/p/38-remove-hardcoded-gcc.patch, use --with-gcc and --with-g++
    configure flags.
  * Remove d/p/37-fix-build.patch, merged upstream.
  .
  [ Ritesh Raj Sarraf ]
  * [3bf4cdd] Add back versioned dependency on gcc multilib

virtualbox (4.3.22-dfsg-1) experimental; urgency=medium
  .
  [ Gianfranco Costamagna ]
  * Imported Upstream release.
  * Update copyright year.
  * d/p/37-fix-build.patch fix build, following upstream change in xorg
    driver build (thanks to Michael Thayer for the hint and the help).
  * Remove old patches.
  * d/p/38-remove-hardcoded-gcc.patch use CC and CXX from d/rules until
    virtualbox is gcc-5 ready.
  .
  [ Ritesh Raj Sarraf ]
  * [1413631] Build with gcc 4 only
  * [f34c886] Add versioned dependency on g++-multilib

virtualbox (4.3.20-dfsg-1) experimental; urgency=medium
  .
  [ Gianfranco Costamagna ]
  * Imported Upstream release.
  .
  [ Ritesh Raj Sarraf ]
  * Flip build dependency to libcurl4-gnutls-dev

vlc (2.2.1-1~deb8u1) jessie; urgency=medium
  .
  [ Sebastian Ramacher ]
  * New upstream release.
  * debian/patches: Removed
    codec-schroedinger-fix-potential-buffer-overflow.patch,
    demux-mp4-fix-buffer-overflow-in-parsing-of-string-b.patch, and
    stream_out-rtp-don-t-use-VLA-for-user-controlled-dat.patch. They are
    included upstream.
  * debian/libvlccore8.symbols: Bump version requirements for meta data
    change. (Closes: #798763, #798899)
  .
  [ Benjamin Drung ]
  * drop/rules: Drop removed --enable-glx configure flag.

vlc (2.2.0-1) unstable; urgency=medium
  .
  [ Helmut Grohne ]
  * Add versioned depends on libvlccore8 to libvlc5 which shares
    /usr/share/doc to comply with Debian policy 12.3. (Closes: #779251)
  .
  [ Mateusz Łukasik ]
  * New upstream release. (Closes: #757462, #780476)
    - Fix various (potentially exploitable) heap overflows and heap buffer
      overflows in different demuxers (LP: #1390491)
  * Drop patches included upstream:
    - demux-mp4-fix-buffer-overflow-in-parsing-of-string-b.patch
    - stream_out-rtp-don-t-use-VLA-for-user-controlled-dat.patch
  * Disable building the samba plugin on hurd to fix FTBFS.
    (Closes: #765578)
  .
  [ Benjamin Drung ]
  * Point Vcs-Browser to cgit instead of gitweb.
  * Drop removed --enable-glx configure flag.

vzctl (4.8-1+deb8u2) jessie-security; urgency=high
  .
  * Correction of regression problem introduced in the upgrade code for
    version 4.8-1+deb8u1.

vzctl (4.8-1+deb8u1) jessie-security; urgency=high
  .
  * Security backport from 4.9.4.
  * CT configuration secured during upgrade as it is done in 4.9.4 package.

webkitgtk (2.4.9-1~deb8u1) stable; urgency=high
  .
  * New upstream release.
    + This fixes CVE-2015-2330.
  * debian/patches/ax-focus-events.patch,
    debian/patches/fix-ftbfs-pluginpackage.patch,
    debian/patches/fix-mips64-build.patch,
    debian/patches/fix-textrel-x86.patch,
    debian/patches/g-closure-unref.diff,
    debian/patches/nullptr-accessibilitymenulistoption.patch,
    debian/patches/nullptr-frameprogresstracker.patch,
    debian/patches/render-text-control.patch:
    + Remove.
  * debian/patches/02_notebook_scroll.patch,
    debian/patches/fix-arm64-build.patch,
    debian/patches/restore_sparc_code.patch,
    debian/patches/x32_support.patch:
    + Refresh.
  * debian/source/lintian-overrides:
    + lintian gives false positives with many of the javascript files in the
      source tarball, thinking that they are minified (see #798900).

wireshark (1.12.1+g01b65bf-4+deb8u3) jessie-security; urgency=high
  .
  * security fixes from Wireshark 1.12.7:
    - Protocol tree crash (CVE-2015-6241)
    - Crash in wmem block allocator in the memory manager (CVE-2015-6242)
    - Crash in the dissector table implementation (CVE-2015-6243)
    - The ZigBee dissector could crash (CVE-2015-6244)
    - The GSM RLC/MAC dissector could go into an infinite loop
      (CVE-2015-6245)
    - The WaveAgent dissector could crash (CVE-2015-6246)
    - The ptvcursor implementation could crash (CVE-2015-6248)
    - The OpenFlow dissector could crash (CVE-2015-6247)
    - The WCCP dissector could crash (CVE-2015-6249)

wordpress (4.1+dfsg-1+deb8u7) jessie-security; urgency=high
  .
  * Apply changeset 36185 fixes XSS CVE-2016-1564 Closes: #810325

wordpress (4.1+dfsg-1+deb8u6) jessie-security; urgency=high
  .
  * Fix changeset 33359 Closes: #803100

wordpress (4.1+dfsg-1+deb8u5) jessie-security; urgency=medium
  .
  * Backport of 4.3.1 security fixes Closes: #799140
  * Changeset 34137 XSS in user list table
  * Changeset 34144 unclosed HTML elements CVE-2015-5714
  * Changeset 34151 unsticky private posts CVE-2015-5715

wpa (2.3-1+deb8u3) jessie-security; urgency=high
  .
  * Non-maintainer upload by the Security Team.
  * Add CVE-2015-5314.patch patch.
    CVE-2015-5314: hostapd: EAP-pwd missing last fragment length validation.
  * Add CVE-2015-5315.patch patch.
    CVE-2015-5315: wpa_supplicant: EAP-pwd missing last fragment length
    validation.
  * Add CVE-2015-5316.patch patch.
    CVE-2015-5316: EAP-pwd peer error path failure on unexpected Confirm
    message.

wpa (2.3-1+deb8u2) jessie-security; urgency=high
  .
  * Non-maintainer upload by the Security Team.
  * Add patch to address CVE-2015-4141.
    CVE-2015-4141: WPS UPnP vulnerability with HTTP chunked transfer
    encoding. (Closes: #787372)
  * Add patch to address CVE-2015-4142.
    CVE-2015-4142: Integer underflow in AP mode WMM Action frame processing.
    (Closes: #787373)
  * Add patches to address CVE-2015-414{3,4,5,6}
    CVE-2015-4143 CVE-2015-4144 CVE-2015-4145 CVE-2015-4146: EAP-pwd missing
    payload length validation. (Closes: #787371)
  * Add patch to address 2015-5 vulnerability.
    NFC: Fix payload length validation in NDEF record parser
    (Closes: #795740)
  * Add patch to address CVE-2015-5310.
    CVE-2015-5310: wpa_supplicant unauthorized WNM Sleep Mode GTK control.

wxmaxima (13.04.2-4+deb8u1) jessie; urgency=medium
  .
  * New patch that prevents a crash on encountering parenthesis in dialogues
    (closes: bug#796954, #752528).
  * New maintainer

xen (4.4.1-9+deb8u3) jessie-security; urgency=high
  .
  * Fix CVE-2015-3259 (XSA-137)
  * Fix CVE-2015-3340 (XSA-132)
  * Fix CVE-2015-6654 (XSA-141)
  * Fix CVE-2015-7311 (XSA-142)
  * Fix CVE-2015-7812 (XSA-145)
  * Fix CVE-2015-7813 (XSA-146)
  * Fix CVE-2015-7814 (XSA-147)
  * Fix CVE-2015-7969 (XSA-151 and XSA-149)
  * Fix CVE-2015-7970 (XSA-150)
  * Fix CVE-2015-7971 (XSA-152)
  * Fix CVE-2015-7972 (XSA-153)
  * Fix CVE-2015-8104 and CVE-2015-5307 (XSA-156)

xen (4.4.1-9+deb8u2) jessie-security; urgency=high
  .
  * Non-maintainer upload by the Security Team.
  * Add CVE-2015-7835-xsa148.patch patch.
    CVE-2015-7835: x86: Uncontrolled creation of large page mappings by PV
    guests.

xscreensaver (5.30-1+deb8u1) jessie-security; urgency=medium
  .
  * Add upstream patch for "xscreensaver aborts when unplugging second
    monitor" security issue (closes: #802914)
    http://www.openwall.com/lists/oss-security/2015/10/24/2

zendframework (1.12.9+dfsg-2+deb8u5) jessie; urgency=medium
  .
  * Backport security fix from 1.12.17
    - ZF2015-09: Fixed entropy issue in word CAPTCHA
      http://framework.zend.com/security/advisory/ZF2015-09

zendframework (1.12.9+dfsg-2+deb8u4) jessie-security; urgency=high
  .
  * Backport security fixes from 1.12.16:
    - ZF2015-07: Filesystem Permissions Issues in Multiple Components
      http://framework.zend.com/security/advisory/ZF2015-07 [CVE-2015-5723]
    - ZF2015-08: Potential SQL injection vector using null byte for PDO
      (MsSql, SQLite)
      http://framework.zend.com/security/advisory/ZF2015-08 [CVE-2014-8089]

====================================== Sat, 05 Sep 2015 - Debian 8.2 released ======================================

=========================================================================
[Date: Sat, 05 Sep 2015 08:37:46 +0000] [ftpmaster: Archive Administrator]
Removed the following packages from stable:

librfilter-ruby1.8 | 0.12-2.1 | all
rdeliver | 0.12-2.1 | all
rubyfilter | 0.12-2.1 | source
rubyfilter-doc | 0.12-2.1 | all
Closed bugs: 790318

------------------- Reason -------------------
RoQA; broken (empty) package
----------------------------------------------
=========================================================================

=========================================================================
[Date: Sat, 05 Sep 2015 08:38:15 +0000] [ftpmaster: Archive Administrator]
Removed the following packages from stable:

libnetty3.1-java | 3.1.0.CR1-1 | all
netty3.1 | 3.1.0.CR1-1 | source
Closed bugs: 795430

------------------- Reason -------------------
RoQA; dependency for jetty which is not present in jessie
----------------------------------------------
=========================================================================
=========================================================================
[Date: Sat, 05 Sep 2015 08:38:56 +0000] [ftpmaster: Archive Administrator]
Removed the following packages from stable:

php-zend-xml | 1.0.0-1 | source, all
Closed bugs: 796115

------------------- Reason -------------------
RoM; security issues; useless in jessie
----------------------------------------------
=========================================================================

=========================================================================
[Date: Sat, 05 Sep 2015 08:39:21 +0000] [ftpmaster: Archive Administrator]
Removed the following packages from stable:

criu | 1.3.1-1 | source, amd64, armhf
criu-dbg | 1.3.1-1 | amd64, armhf
Closed bugs: 796534

------------------- Reason -------------------
RoM; fast-moving target, too difficult to keep updated
----------------------------------------------
=========================================================================

=========================================================================
[Date: Sat, 05 Sep 2015 08:39:48 +0000] [ftpmaster: Archive Administrator]
Removed the following packages from stable:

dactyl | 1.1+hg7904-0+nmu1 | source
xul-ext-pentadactyl | 1.1+hg7904-0+nmu1 | all
Closed bugs: 797072

------------------- Reason -------------------
RoM; incompatible with newer Iceweasel
----------------------------------------------
=========================================================================

=========================================================================
[Date: Sat, 05 Sep 2015 08:40:11 +0000] [ftpmaster: Archive Administrator]
Removed the following packages from stable:

fullscreen-extension | 1.0.4-1 | source
xul-ext-fullscreen | 1.0.4-1 | all
Closed bugs: 797394

------------------- Reason -------------------
RoM; incompatible with newer Iceweasel
----------------------------------------------
=========================================================================

activemq (5.6.0+dfsg1-4+deb8u1) jessie-security; urgency=high
  .
  * Team upload.
  * Fixed CVE-2014-3576: DoS via unauthenticated remote shutdown command
    (Closes: #792857)

akonadi (1.13.0-2+deb8u1) stable-proposed-updates; urgency=medium
  .
  * Team upload.
  * Apply upstream_dont_leak_old_external_payload_files.patch which fixes a
    bug that let old files be kept when they should be removed.

apache2 (2.4.10-10+deb8u3) jessie; urgency=medium
  .
  * Revert fix for deferred mpm switch for now, because it is at least not
    complete or maybe causes regressions (see #791902). Re-opens #789914

apache2 (2.4.10-10+deb8u2) jessie; urgency=medium
  .
  [ Stefan Fritsch ]
  * Fix upgrade logic: When upgrading from wheezy with apache2.2-common but
    without apache2 installed to jessie, part of the conffile handling logic
    would not run, causing outdated conffile content to be kept. This is
    part of the solution for bug #794933. The other part will be included
    in the upgrade to Debian 9 (stretch).
  * core: Fix -D[efined] or [d] variables lifetime across restarts. This
    could cause all kinds of strange behavior. PR 56008. PR 57328
  * mpm_event: Fix process deadlock when shutting down a worker. PR 56960
  * mpm_event: Fix crashes due to various race conditions. Closes: #779078
  .
  [ Jean-Michel Vourgère ]
  * apache2.postinst: Fixed tests on deferred mpm switch. Closes: #789914

apache2 (2.4.10-10+deb8u1) jessie-security; urgency=medium
  .
  * CVE-2015-3183: Fix chunk header parsing defect.
  * CVE-2015-3185: ap_some_auth_required() broken in apache 2.4 in an
    unfixable way. Add a new replacement API ap_some_authn_required() and
    ap_force_authn hook.

apt (1.0.9.8.1) stable; urgency=medium
  .
  [ David Kalnischkies ]
  * parse specific-arch dependencies correctly on single-arch systems
    (Closes: 777760)
  * remove "first package seen is native package" assumption.
    Thanks to Axel Beckert for testing (Closes: 782777)
  .
  [ Michael Vogt ]
  * Fix endless loop in apt-get update that can cause disk fillup
    (LP: #1445239)

bareos (14.2.1+20141017gitc6c5b56-3+deb8u1) stable; urgency=medium
  .
  [ Felix Geyer ]
  * backport the fix for the backup corruption on multi-volume jobs
    (Closes: #788543)
  * add autopkgtests
  .
  [ Evgeni Golov ]
  * do not try to create the databases when running tests

base-files (8+deb8u2) stable; urgency=low
  .
  * Changed /etc/debian_version to 8.2, for Debian 8.2 point release.

bind9 (1:9.9.5.dfsg-9+deb8u2) jessie-security; urgency=high
  .
  * Non-maintainer upload by the Security Team.
  * CVE-2015-5477: A failure to reset a value to NULL in tkey.c could result
    in an assertion failure.

bind9 (1:9.9.5.dfsg-9+deb8u1) jessie-security; urgency=high
  .
  * Non-maintainer upload by the Security Team.
  * CVE-2015-4620: Specially constructed zone data can cause a resolver to
    crash when validating.

binutils-mingw-w64 (5.2+deb8u1) stable; urgency=medium
  .
  * Apply upstream fix to handle Visual Studio DLLs (Closes: #787162).

bird (1.4.5-1+deb8u1) jessie-proposed-updates; urgency=medium
  .
  [ Christoph Biedl ]
  * Correctly migrate bird6.conf from bird6 package (Closes: #791464)

cacti (0.8.8b+dfsg-8+deb8u2) jessie-security; urgency=high
  .
  * Security update
    - CVE-2015-4634 SQL injection in graphs.php
    - Multiple other SQL injection vulnerabilities

cacti (0.8.8b+dfsg-8+deb8u1) jessie-security; urgency=high
  .
  * Security update
    - CVE-2015-2665 Cross-site scripting (XSS) vulnerability in Cacti before
      0.8.8d allows remote attackers to inject arbitrary web script or HTML
      via unspecified vectors.
    - CVE-2015-4342 SQL Injection and Location header injection from cdef id
    - CVE-2015-4454 SQL injection vulnerability in the
      get_hash_graph_template function in lib/functions.php in Cacti before
      0.8.8d allows remote attackers to execute arbitrary SQL commands via
      the graph_template_id parameter to graph_templates.php.
    - Unassigned CVE SQL injection VN:JVN#78187936 / TN:JPCERT#98968540

chromium-browser (44.0.2403.89-1~deb8u1) jessie-security; urgency=high
  .
  * New upstream security release:
    - CVE-2015-1266: Scheme validation error in WebUI. Credit to anonymous.
    - CVE-2015-1268: Cross-origin bypass in Blink. Credit to Mariusz Mlynski.
    - CVE-2015-1267: Cross-origin bypass in Blink. Credit to anonymous.
    - CVE-2015-1269: Normalization error in HSTS/HPKP preload list. Credit to
      Mike Ruddy.
    - CVE-2015-1270: Uninitialized memory read in ICU. Credit to Atte
      Kettunen.
    - CVE-2015-1271: Heap-buffer-overflow in pdfium. Credit to cloudfuzzer.
    - CVE-2015-1272: Use-after-free related to unexpected GPU process
      termination. Credit to Chamal de Silva.
    - CVE-2015-1273: Heap-buffer-overflow in pdfium. Credit to makosoft.
    - CVE-2015-1274: Settings allowed executable files to run immediately
      after download. Credit to andrewm.bpi.
    - CVE-2015-1275: UXSS in Chrome for Android. Credit to WangTao(neobyte).
    - CVE-2015-1276: Use-after-free in IndexedDB. Credit to Collin Payne.
    - CVE-2015-1277: Use-after-free in accessibility. Credit to SkyLined.
    - CVE-2015-1278: URL spoofing using pdf files. Credit to Chamal de Silva.
    - CVE-2015-1279: Heap-buffer-overflow in pdfium. Credit to mlafon.
    - CVE-2015-1280: Memory corruption in skia. Credit to cloudfuzzer.
    - CVE-2015-1281: CSP bypass. Credit to Masato Kinugawa.
    - CVE-2015-1282: Use-after-free in pdfium. Credit to Chamal de Silva.
    - CVE-2015-1283: Heap-buffer-overflow in expat. Credit to Huzaifa
      Sidhpurwala.
    - CVE-2015-1284: Use-after-free in blink. Credit to Atte Kettunen.
    - CVE-2015-1285: Information leak in XSS auditor. Credit to gazheyes.
    - CVE-2015-1286: UXSS in blink. Credit to anonymous.
    - CVE-2015-1287: SOP bypass with CSS. Credit to filedescriptor.
    - CVE-2015-1288: Spell checking dictionaries fetched over HTTP. Credit to
      Mike Ruddy.
    - CVE-2015-1289: Various fixes from internal audits, fuzzing and other
      initiatives.
    - Hotword extension disabled by default (closes: #786909).

chromium-browser (43.0.2357.130-1) unstable; urgency=medium
  .
  * New upstream security release:
    - CVE-2015-1266: Scheme validation error in WebUI. Credit to anonymous.
    - CVE-2015-1268: Cross-origin bypass in Blink. Credit to Mariusz Mlynski.
    - CVE-2015-1267: Cross-origin bypass in Blink. Credit to anonymous.
    - CVE-2015-1269: Normalization error in HSTS/HPKP preload list. Credit to
      Mike Ruddy.
  * Don't build the Google Now extension.
  * More updates to debian/copyright.

chromium-browser (43.0.2357.124-3) unstable; urgency=medium
  .
  * Fix syntax error in default-flags (closes: #789310).

chromium-browser (43.0.2357.124-2) unstable; urgency=medium
  .
  * More updates to debian/copyright.
  * Disable all external component loading.
  * Set flag to avoid hidden items in the about:extensions dialog.

chromium-browser (43.0.2357.124-1) unstable; urgency=medium
  .
  * New upstream release.
  * Disable wallet extension.
  * Remove more sourceless files.
  * Remove no longer included files from debian/copyright.

chromium-browser (43.0.2357.81-1) unstable; urgency=medium
  .
  * New upstream release fixing missing icon (closes: #786490).
  * Disable hotword (closes: #786909).
  * Remove some sourceless files.

chromium-browser (43.0.2357.65-1) unstable; urgency=medium
  .
  * New upstream stable release:
    - CVE-2015-1252: Sandbox escape in Chrome. Credit to anonymous.
    - CVE-2015-1253: Cross-origin bypass in DOM. Credit to anonymous.
    - CVE-2015-1254: Cross-origin bypass in Editing. Credit to
      armin@rawsec.net.
    - CVE-2015-1255: Use-after-free in WebAudio. Credit to Khalil Zhani.
    - CVE-2015-1256: Use-after-free in SVG. Credit to Atte Kettunen.
    - CVE-2015-1251: Use-after-free in Speech. Credit to SkyLined.
    - CVE-2015-1257: Container-overflow in SVG. Credit to miaubiz.
    - CVE-2015-1258: Negative-size parameter in Libvpx. Credit to cloudfuzzer
    - CVE-2015-1259: Uninitialized value in PDFium. Credit to Atte Kettunen.
    - CVE-2015-1260: Use-after-free in WebRTC.
      Credit to Khalil Zhani.
    - CVE-2015-1261: URL bar spoofing. Credit to Juho Nurminen.
    - CVE-2015-1262: Uninitialized value in Blink. Credit to miaubiz.
    - CVE-2015-1263: Insecure download of spellcheck dictionary.
      Credit to Mike Ruddy.
    - CVE-2015-1264: Cross-site scripting in bookmarks. Credit to K0r3Ph1L.
    - Fix for gzip file downloading (closes: #677948).
    - Fix for bookmark navigation (closes: #756211).
  * Enable HiDPI (closes: #763421).
  * Make chromium-l10n binnmuable.
  * Fix Built-Using fields.

cinder (2014.1.3-11+deb8u1) jessie-security; urgency=medium

  * CVE-2015-1851: Cinder host file disclosure through qcow2 backing file.
    Applied upstream patch (Closes: #788996):
    Disallow_backing_files_when_uploading_volumes_to_image.patch

conntrack (1:1.4.2-2+deb8u1) jessie-security; urgency=high

  * Non-maintainer upload by the Security Team.
  * Add CVE-2015-6496.patch patch.
    CVE-2015-6496: conntrackd crash on unexpected network traffic.
    (Closes: #796103)

cron (3.0pl1-127+deb8u1) jessie; urgency=medium

  * d/cron.service: Use KillMode=process to kill only the daemon.
    The default of KillMode=control-group kills all the processes in the
    control group, for example when restarting the daemon. This is a
    deviation from past behavior we do not want.
    Thanks, Alexandre Detiste! Closes: #783683

cross-gcc (14+deb8u1) jessie; urgency=medium

  * Require bash in rules.template makefile (Closes: #780583)

cups (1.7.5-11+deb8u1) jessie-security; urgency=high

  * Import 1.7 upstream fix for CERT VU#810572: Privilege escalation through
    dynamic linker and isolated vulnerabilities: STR: #4609, VU#810572
    - CVE-2015-1158 - Improper Update of Reference Count
    - CVE-2015-1159 - Cross-Site Scripting

cups-filters (1.0.61-5+deb8u1) jessie-security; urgency=high

  * Backport upstream fixes for buffer overflows on size allocation in
    texttopdf (CVE-2015-3258, CVE-2015-3279)

dbus (1.8.20-0+deb8u1) jessie; urgency=medium

  * New upstream bugfix release
    - fix a memory leak when GetConnectionCredentials is called
    - stop dbus-monitor replying to org.freedesktop.DBus.Peer messages,
      including those that another process should have replied to

dbus (1.8.18-1) unstable; urgency=medium

  * New upstream bugfix release
    - Hardening: lock down the session bus to only allow EXTERNAL auth by
      default, the same as the system bus. This avoids allowing
      DBUS_COOKIE_SHA1, which can end up using a predictable random source
      on systems where /dev/urandom is unavailable or dbus-daemon runs out
      of memory. See the upstream NEWS for more details.

debian-installer (20150422+deb8u2) jessie; urgency=medium

  [ Martin Michlmayr ]
  * Add image for Seagate DockStar.
  * Add symlinks for OpenRD variants.
  * Append DTB for LaCie NAS devices that require it.

debian-installer-launcher (19+deb8u1) jessie; urgency=medium

  * Set the menu icon text in the source package to read "Install Debian
    jessie". Remove the dynamic text generating section from the
    debian/rules. (Closes: #787131)

debian-installer-netboot-images (20150422+deb8u2) jessie; urgency=medium

  * Update to 20150422+deb8u2 images, from jessie-proposed-updates

designate (2014.1-18+deb8u1) jessie-proposed-updates; urgency=medium

  * CVE-2015-5695: mDNS DoS through incorrect handling of large RecordSets:
    applied upstream patch (Closes: #796108).

dovecot (1:2.2.13-12~deb8u1) stable; urgency=high

  * [6e16721] Fix a mbox corruption problem by applying two patches from
    mercurial upstream.
    - fix-mbox-corruption-18534.patch (changeset 18534:94bd895721d8).
    - fix-mbox-corruption-18679.patch (changeset 18679:b6ea460e7cc4).
    Thanks to Santiago Vila (Closes: 776094)

drupal7 (7.32-1+deb8u4) stable-security; urgency=high

  * Backported from 7.38: SA-CORE-2015-002 (Multiple vulnerabilities.
    CVE IDs assigned as follows:
    + Impersonation (OpenID module - Drupal 6 and 7): CVE-2015-3234
    + Open redirect (Field UI module - Drupal 7): CVE-2015-3232
    + Open redirect (Overlay module - Drupal 7): CVE-2015-3233
    + Information disclosure (Render cache system - Drupal 7): CVE-2015-3231

drupal7 (7.32-1+deb8u4~bpo70+1) wheezy-backports; urgency=high

  * Backported from 7.38: SA-CORE-2015-002 (Multiple vulnerabilities.
    CVE IDs assigned as follows:
    + Impersonation (OpenID module - Drupal 6 and 7): CVE-2015-3234
    + Open redirect (Field UI module - Drupal 7): CVE-2015-3232
    + Open redirect (Overlay module - Drupal 7): CVE-2015-3233
    + Information disclosure (Render cache system - Drupal 7): CVE-2015-3231

ejabberd (14.07-4+deb8u2) jessie; urgency=medium

  * Adjust logrotate postrotate command in case ejabberd is not running
    (Closes: #786588)
  * Include upstream patch to fix logging of nicknames in muc logs
    (Closes: #706897)
  * Fix parsing of "ldap_dn_filter" option (Closes: #784535)
  * postinst: restart on upgrade (Closes: #788007)

expat (2.1.0-6+deb8u1) jessie-security; urgency=high

  * Fix CVE-2015-1283, multiple integer overflows in the XML_GetBuffer
    function.

flash-kernel (3.35+deb8u1) stable; urgency=medium

  * Combine i.MX53 QSB and LOCO board entries, they are the same thing and
    the LOCO variant was missing DTB information. (Closes: #788782)

freexl (1.0.0g-1+deb8u2) jessie-security; urgency=high

  * Add patch to fix 32 bit multiplication overflow.

fusiondirectory (1.0.8.2-5+deb8u1) jessie-proposed-updates; urgency=medium

  * debian/fusiondirectory.links:
    + Add symlinks for prototype and scriptaculous shared javascript
      libraries.
  * debian/patches:
    + Add 2005_relative-path-to-js.patch. Access javascript libraries via a
      path relative to FusionDirectory's base path (Closes: #786864, #782531).

gdk-pixbuf (2.31.1-2+deb8u2) jessie-security; urgency=medium

  * CVE-2015-4491

gdk-pixbuf (2.31.1-2+deb8u1) jessie-security; urgency=medium

  * CVE-2015-4491

ghostscript (9.06~dfsg-2+deb8u1) jessie-security; urgency=high

  * Non-maintainer upload by the Security Team.
  * Add CVE-2015-3228.patch patch.
    CVE-2015-3228: Integer overflow in gs_heap_alloc_bytes()
    (Closes: #793489)

glibc (2.19-18+deb8u1) stable; urgency=medium

  [ Aurelien Jarno ]
  * Update from upstream stable branch:
    - Fix pthread_mutex_trylock with lock elision. Closes: #759197, #788999.
    - Fix gprof entry point on ppc64el. Closes: #794222.
    - Fix a buffer overflow in getanswer_r (CVE-2015-1781). Closes: #796105.

glusterfs (3.5.2-2+deb8u1) jessie-proposed-updates; urgency=medium

  * Add upstream patch 02-nfs-unix-domain-socket-created-as-fifo to fix a
    bug on using glusterfs as nfs volume: unix domain sockets were created
    as FIFO.

gnome-terminal (3.14.1-1+deb8u1) jessie; urgency=medium

  * Provide fallback for reading current directory if OSC 7 fails.
    In Debian there is no mechanism (yet) to source scripts for non-login
    interactive shells so we can't rely on /etc/profile.d/vte*.sh but
    instead fallback to reading /proc to determine the working directory of
    the current tab. (Closes: #706065)

gnutls28 (3.3.8-6+deb8u3) jessie; urgency=medium

  * Pull 50_Handle-zero-length-plaintext-for-VIA-PadLock-functio.patch from
    upstream version 3.3.12 to fix a crash in VIA PadLock asm.
    (Thanks, Peter Lebbing). Closes: #788704
  * Pull 51_0001__gnutls_session_sign_algo_enabled-do-not-consider-an.patch
    51_0002_before-falling-back-to-SHA1-as-signature-algorithm-i.patch
    51_0003_tests-added-reproducer-for-the-MD5-acceptance-issue.patch
    (the latter unfuzzed) from GnuTLS 3.3.15 to fix GNUTLS-SA-2015-2.
    - A ServerKeyExchange signature sent by the server was not verified to be
      in the acceptable by the client set of algorithms. That had the effect
      of allowing MD5 signatures (which are disabled by default) in the
      ServerKeyExchange message.

gnutls28 (3.3.8-6+deb8u2) jessie-security; urgency=high

  * Non-maintainer upload by the Security Team.
  * Add 47_GNUTLS-SA-2015-3.patch patch.
    Fixes double free in DN decoding [GNUTLS-SA-2015-3]. (Closes: #795068)

gosa (2.7.4+reloaded2-1+deb8u1) jessie-proposed-updates; urgency=medium

  * debian/patches:
    + Add 2007_gen-uids-like-gosa26.patch. Fix idGenerator for patterns like
      {%sn[3-6}-{%givenName[3-6]}. (Closes: #793455).
    + Add 2008_enable-csv-import-on-clean-installs.patch. Enable CSV / LDIF
      import on (non-Debian-Edu) clean GOsa² installations by default.
      (Closes: #782529)

groovy2 (2.2.2+dfsg-3+deb8u1) stable; urgency=high

  * Fix remote execution of untrusted code and possible DoS vulnerability.
    (CVE-2015-3253) (Closes: #793398).

grub-installer (1.117+deb8u1) jessie; urgency=medium

  [ Ian Campbell ]
  * Correctly propagate grub-installer/force-efi-extra-removable to
    installed system. (Closes: #792247).

gtk+3.0 (3.14.5-1+deb8u1) jessie; urgency=medium

  [ Ruben Undheim ]
  * Added patches backported from upstream for three serious bugs:
    - debian/patches/074_fix_freeze_while_resume_events.patch
      (Closes: #787419)
    - debian/patches/075_fontchoose_crash_bugfix.patch (Closes: #748469)
    - debian/patches/076_treeview_dont_create_overly_large.patch
      (Closes: #788002)
  * Added patch backported from upstream for one annoying bug:
    - debian/patches/081_fix_huge_icons.patch (Closes: #773135)

haproxy (1.5.8-3+deb8u2) jessie; urgency=medium

  * Fix a segfault when parsing a configuration file containing disabled
    proxy sections. Closes: #792116.
    - BUG/MINOR: config: fix typo in condition when propagating process
      binding
    - BUG/MEDIUM: config: do not propagate processes between stopped
      processes

haproxy (1.5.8-3+deb8u1) jessie-security; urgency=high

  * Fix an information leak. CVE-2015-3281.
    - BUG/MAJOR: buffers: make the buffer_slow_realign() function respect
      output data

haproxy (1.5.8-3+deb8u1~bpo70+1) wheezy-backports; urgency=high

  * Rebuild for wheezy-backports.

haproxy (1.5.8-3+deb8u1) jessie-security; urgency=high

  * Fix an information leak. CVE-2015-3281.
    - BUG/MAJOR: buffers: make the buffer_slow_realign() function respect
      output data

haproxy (1.5.8-3+deb8u1~bpo60+1) squeeze-backports-sloppy; urgency=high

  * Rebuild for squeeze-backports-sloppy.

haproxy (1.5.8-3+deb8u1) jessie-security; urgency=high

  * Fix an information leak. CVE-2015-3281.
    - BUG/MAJOR: buffers: make the buffer_slow_realign() function respect
      output data

how-can-i-help (10+deb8u1) jessie; urgency=medium

  * Change hcih data source from http to https. Since the http is not
    supported by UDD anymore, older hcih versions won't be able to work.
    (Closes: #787471) Patch from Stephen Kitt
  * Added gbp configuration pointing to jessie branch.

how-can-i-help (10+deb8u1~bpo70+1) wheezy-backports; urgency=medium

  * Rebuild for wheezy-backports.
  * debian/gbp.conf: Changed gbp configuration so that it points to
    wheezy-backports branch.
  * debian/control: Added dependency on ca-certificates as it is required to
    allow ssl connections to UDD. In jessie and beyond it is automatically
    provided by rubygems-integration.

how-can-i-help (10+deb8u1) jessie; urgency=medium

  * Change hcih data source from http to https. Since the http is not
    supported by UDD anymore, older hcih versions won't be able to work.
    (Closes: #787471) Patch from Stephen Kitt
  * Added gbp configuration pointing to jessie branch.

how-can-i-help (10) unstable; urgency=medium

  [ Tomasz Nitecki ]
  * Added support for 'newcomer' tag. Closes: #769640
    - Added support for 'newcomer' option
    - Updated manual and help
    - Added 'gift' tag deprecation warning

  [ Lucas Nussbaum ]
  * Fix a few typos in the manpage.
    + Re-generated the manpage from ascii. The generated format changed
      slightly, causing a rather huge diff.

how-can-i-help (9) unstable; urgency=medium

  [ Lucas Nussbaum ]
  * Step down from the Maintainer role and add Tomasz. He has been doing all
    the great work lately anyway.

  [ Tomasz Nitecki ]
  * Bump standards version to 3.9.6 (no changes required).
  * Added an option to show pseudo-packages tagged as 'gift'. Pseudo-packages
    tagged as 'gift' will appear in a new 'infrastructure' section,
    regardless of whether they are installed or not. They can be hidden
    using the 'ignore' file. Thanks to Laura Arjona Reina for the idea!

how-can-i-help (8) unstable; urgency=medium

  [ Tomasz Nitecki ]
  * how-can-i-help can be configured to show only specific types of
    opportunities. Closes: #742245
  * Updated manpage and --help output.
  * Added two more links to 'see also' section.

  [ Paul Wise ]
  * Use https instead of http where possible.

iceweasel (38.2.1esr-1~deb8u1) stable-security; urgency=high

  * New upstream release.
  * Fixes for mfsa2015-{94-95}, also known as:
    CVE-2015-4497, CVE-2015-4498.

  * configure.in: Build libvpx neon code with -mfloat-abi=softfp on armel.
  * media/libjpeg/simd/jsimd_mips_dspr2.S: Fix build error in MIPS SIMD when
    compiling with -mfpxx.

iceweasel (38.2.0esr-2~deb8u1) stable-security; urgency=medium

  * debian/rules, debian/upstream.mk: Don't set LESS_SYSTEM_LIBS when
    building a backport for stretch. Closes: #795331.
  * debian/rules, debian/control.in: Force build with GCC 4.7 when
    backporting to wheezy.

  * media/libvpx/moz.build: Build libvpx neon code without -mthumb and
    -mfloat-abi=softfp. Closes: #795337.

iceweasel (38.2.1esr-1~deb7u1) oldstable-security; urgency=high

  * New upstream release.
  * Fixes for mfsa2015-{94-95}, also known as:
    CVE-2015-4497, CVE-2015-4498.

  * configure.in: Build libvpx neon code with -mfloat-abi=softfp on armel.
  * media/libjpeg/simd/jsimd_mips_dspr2.S: Fix build error in MIPS SIMD when
    compiling with -mfpxx.

iceweasel (38.2.0esr-2~deb7u1) oldstable-security; urgency=medium

  * debian/rules, debian/upstream.mk: Don't set LESS_SYSTEM_LIBS when
    building a backport for stretch. Closes: #795331.
  * debian/rules, debian/control.in: Force build with GCC 4.7 when
    backporting to wheezy.

  * media/libvpx/moz.build: Build libvpx neon code without -mthumb and
    -mfloat-abi=softfp. Closes: #795337.

iceweasel (38.2.0esr-1) unstable; urgency=high

  * New upstream release.
  * Fixes for mfsa2015-{79-80,82-83,87-88,90,92}, also known as:
    CVE-2015-4473, CVE-2015-4475, CVE-2015-4478, CVE-2015-4479,
    CVE-2015-4480, CVE-2015-4493, CVE-2015-4484, CVE-2015-4491,
    CVE-2015-4487, CVE-2015-4488, CVE-2015-4489, CVE-2015-4492.

  * debian/latest_nightly.py, debian/upstream.mk: Modify latest_nightly.py to
    work without ftp now that it's gone.
  * debian/upstream.mk: Switch to HTTPS for all hg.mozilla.org urls.

  * toolkit/components/search/nsSearchService.js: Revert change from 32.0.3-1
    that bumped the search engine max icon size to 35kB because it's not
    needed anymore.

iceweasel (38.2.0esr-1~stretch) stretch; urgency=medium

  * Non-maintainer upload.
  * Rebuild 38.2.0esr-1 for stretch so that various security fixes can
    bypass the g++-5 transition.

iceweasel (38.2.0esr-1~deb8u1) stable-security; urgency=high

  * New upstream release.
  * Fixes for mfsa2015-{79-80,82-83,87-90,92}, also known as:
    CVE-2015-4473, CVE-2015-4475, CVE-2015-4478, CVE-2015-4479,
    CVE-2015-4480, CVE-2015-4493, CVE-2015-4484, CVE-2015-4491,
    CVE-2015-4485, CVE-2015-4486, CVE-2015-4487, CVE-2015-4488,
    CVE-2015-4489, CVE-2015-4492.

  * debian/latest_nightly.py, debian/upstream.mk: Modify latest_nightly.py to
    work without ftp now that it's gone.
  * debian/upstream.mk: Switch to HTTPS for all hg.mozilla.org urls.

  * toolkit/components/search/nsSearchService.js: Revert change from 32.0.3-1
    that bumped the search engine max icon size to 35kB because it's not
    needed anymore.

iceweasel (38.1.1esr-1) unstable; urgency=high

  * New upstream release.
  * Fixes for mfsa2015-78, also known as CVE-2015-4495.

  * debian/source.filter: Remove the source tarball filtering of search
    plugin icons. See 20150715221703.GD19084@glandium.org.

iceweasel (38.1.0esr-3) unstable; urgency=medium

  * debian/browser.js.in, debian/vendor.js.in: Fix localized searchplugins.
    Closes: #775813.

iceweasel (38.1.0esr-2) unstable; urgency=medium

  * debian/control*: Bump NSS build dependency.

iceweasel (38.1.0esr-1) unstable; urgency=medium

  * New upstream release.
  * Fixes for mfsa2015-{59-67,69}, also known as:
    CVE-2015-2724, CVE-2015-2725, CVE-2015-2727, CVE-2015-2728,
    CVE-2015-2729, CVE-2015-2731, CVE-2015-2730, CVE-2015-2722,
    CVE-2015-2733, CVE-2015-2734, CVE-2015-2735, CVE-2015-2736,
    CVE-2015-2737, CVE-2015-2738, CVE-2015-2739, CVE-2015-2740,
    CVE-2015-2741, CVE-2015-2743.

  * debian/rules: Use the right --target, --host and --build arguments to
    configure for the Mozilla build system, which uses different meanings.
  * debian/branding/firefox-branding.js: Add devtools.selfxss.count pref to
    the iceweasel branding to match unofficial branding. Closes: #787975.
  * debian/browser.js.in: Use a sticky pref for browser.newtabpage.enhanced.
  * debian/branding/content/Makefile.in: Revert branding changes for SVG
    wordmark, not used on ESR.

  * modules/libpref/prefapi.*, modules/libpref/prefread.*,
    modules/libpref/test/unit/data/testPrefSticky*.js,
    modules/libpref/test/unit/test_stickyprefs.js,
    modules/libpref/test/unit/xpcshell.ini: support 'sticky' preferences,
    meaning a user value is retained even when it matches the default.
    bz#1098343.
  * browser/app/profile/firefox.js, browser/base/content/newtab/intro.js,
    browser/base/content/newtab/page.js,
    browser/modules/DirectoryLinksProvider.jsm: Update patch from bz#1094324
    to fit what landed upstream in newer versions.

iceweasel (38.0.1-5) unstable; urgency=medium

  * debian/rules: Force a timezone when extracting defaults/* files from
    omni.ja archives.

iceweasel (38.0.1-4) unstable; urgency=medium

  * python/mozbuild/mozpack/files.py: Fixup to keep file type.
  * toolkit/content/Makefile.in, toolkit/content/buildconfig.html: Remove
    build machine name from about:buildconfig. bz#1168316.

iceweasel (38.0.1-3) unstable; urgency=medium

  * debian/upstream.mk: Force a timezone when setting MOZ_BUILD_DATE.

  * python/mozbuild/mozpack/files.py: Normalize file mode in jars.
    bz#1168231.

iceweasel (38.0.1-2) unstable; urgency=medium

  * debian/upstream.mk: Set MOZ_BUILD_DATE to the date of the last
    debian/changelog entry for non-Aurora builds.
  * debian/branding/content/Makefile.in: Add a dummy conversion for about.png
    to remove timestamps.
  * debian/browser.js.in: Default to classic view for about:newtab.
  * debian/copyright: Update copyright file to some degree.
  * debian/control*: Bump Standards-Version to 3.9.6.0.
    - debian/rules: Add build-arch and build-indep targets to debian/rules.
  * debian/control*: Switch Vcs-* urls to anonscm.debian.org.

  * ipc/testshell/XPCShellEnvironment.cpp, js/src/shell/js.cpp,
    js/xpconnect/src/XPCShellImpl.cpp: Remove build() function from js and
    xpc shells. bz#1166243.
  * toolkit/locales/l10n.mk: Use dozip.py for langpacks. bz#1166538.
  * browser/app/profile/firefox.js, browser/base/content/newtab/intro.js,
    browser/modules/DirectoryLinksProvider.jsm: Set
    browser.newtabpage.enhanced default in prefs. bz#1094324.

iceweasel (38.0.1-1) unstable; urgency=medium

  * New upstream release.

  * debian/vendor.js.in: Disable auto-installing webide related addons.
    Closes: #785595.
  * debian/rules: Disable jit on mips. Only mipsel is supported by the jit
    code currently.

  * configure.in, media/libjpeg/moz.build: Fixup libjpeg-turbo assembly
    cleanup.
  * security/manager/ssl/src/SSLServerCertVerification.cpp: Add a NULL-check
    for extensions on the end entity certificate when gathering EKU
    telemetry. Closes: #782772.

iceweasel (38.0-2) unstable; urgency=medium

  * debian/repack.py: Fix to support filter patterns excluding a top-level
    directory.

  * configure.in: Cleanup how libjpeg-turbo assembly build variables are set.
    bz#1165654. This should fix FTBFSes on arm64 and mips*.
  * memory/mozjemalloc/jemalloc.c: Make powerpc not use static page sizes.
    Closes: #763900.

iceweasel (38.0-1) unstable; urgency=medium

  * New upstream release.
  * Fixes for mfsa2015-{46,48-51,53-56}, also known as:
    CVE-2015-2708, CVE-2015-2709, CVE-2015-2710, CVE-2015-2711,
    CVE-2015-2712, CVE-2015-2713, CVE-2015-2715, CVE-2015-2716,
    CVE-2015-2717, CVE-2015-2718.

  * debian/branding/Makefile.in, debian/branding/moz.build: Adapt build rules
    to upstream changes.
  * debian/branding/locales/en-US/brand.*: Add brandShorterName to Iceweasel
    branding.
  * debian/branding/content/Makefile.in: Add silhouette-40.svg from the
    unofficial branding to iceweasel branding.
  * debian/control*: Bump nss and sqlite build dependencies.
  * debian/control.in, debian/upstream.mk: Change backport rules.
    - Set LESS_SYSTEM_LIBS on wheezy and jessie.
    - Only use gstreamer 0.10 on wheezy.

iceweasel (37.0.2-1) experimental; urgency=medium

  * New upstream release.
  * Fix for mfsa2015-45, also known as CVE-2015-2706.

iceweasel (37.0.1-1) experimental; urgency=medium

  * New upstream release.
  * Fix for mfsa2015-44, also known as CVE-2015-0799.

  * debian/browser.js.in: Change the pref used to disable openh264.
    Closes: #769716.

iceweasel (37.0-1) experimental; urgency=medium

  * New upstream release.
  * Fixes for mfsa2015-{30-34,36-40,42}, also known as:
    CVE-2015-0815, CVE-2015-0814, CVE-2015-0813, CVE-2015-0812,
    CVE-2015-0816, CVE-2015-0811, CVE-2015-0808, CVE-2015-0807,
    CVE-2015-0805, CVE-2015-0806, CVE-2015-0803, CVE-2015-0804,
    CVE-2015-0801, CVE-2015-0802.

iceweasel (36.0.4-1) experimental; urgency=medium

  * New upstream release.
  * Fixes for mfsa2015-{28-29}, also known as: CVE-2015-0818, CVE-2015-0817.

iceweasel (36.0.1-2) experimental; urgency=medium

  * debian/browser.mozconfig.in: Don't build with --disable-eme, reverting
    the change from 36.0-1.

iceweasel (36.0.1-1) experimental; urgency=medium

  * New upstream release.

  * gfx/layers/basic/BasicCompositor.cpp,
    gfx/layers/basic/BasicLayerManager.cpp: Reintroduce pixman code path
    removed in bz#1097776 for --disable-skia builds. bz#1136958.

iceweasel (36.0-2) experimental; urgency=medium

  * debian/browser.mozconfig.in: Force enable skia, to possibly fix FTBFS on
    non-x86/amd64/arm architectures.

  * gfx/skia/moz.build: Remove duplicate SkDiscardableMemory_none.cpp.
    bz#1136958.

iceweasel (36.0-1) experimental; urgency=medium

  * New upstream release.
  * Fixes for mfsa2015-{11,13-17,19-27}, also known as:
    CVE-2015-0836, CVE-2015-0835, CVE-2015-0832, CVE-2015-0830,
    CVE-2015-0834, CVE-2015-0831, CVE-2015-0829, CVE-2015-0827,
    CVE-2015-0826, CVE-2015-0825, CVE-2015-0824, CVE-2015-0823,
    CVE-2015-0822, CVE-2015-0821, CVE-2015-0819, CVE-2015-0820.

  * debian/control*: Bump nss and sqlite build dependencies.
  * debian/branding/Makefile.in, debian/branding/moz.build,
    debian/extra-stuff/Makefile.in, debian/extra-stuff/moz.build: Update and
    cleanup.
  * debian/browser.install.in: Remove mozilla-xremote-client, it was removed
    upstream.
  * debian/browser.install.in, debian/rules: Remove libmozsandbox.so, it's
    not a shared library anymore.
  * debian/browser.mozconfig.in: Build with --disable-eme for now,

iceweasel (35.0.1-1) experimental; urgency=medium

  * New upstream release.

  * debian/browser.install.in, debian/rules: Only install libmozsandbox.so
    on i386 and amd64.
  * debian/control: Recommend gstreamer packages for video playing
    capabilities. Closes: #737092. Also change the gstreamer build
    dependencies not to use alternatives.

iceweasel (35.0-1) experimental; urgency=medium

  * New upstream release.
  * Fixes for mfsa2015-{01-06,08-09}, also known as:
    CVE-2014-8634, CVE-2014-8635, CVE-2014-8637, CVE-2014-8637,
    CVE-2014-8639, CVE-2014-8640, CVE-2014-8641, CVE-2014-8642,
    CVE-2014-8636.

  * debian/browser.mozconfig.in: Build with --enable-pie instead of our own
    patch to the build system.

  * moz.build: Fix how debian/extra-stuff is added to upstream build system
    directory traversal after upstream changes.

iceweasel (34.0-1) experimental; urgency=medium

  * New upstream release.
  * Fixes for mfsa2014-{83-89,91}, also known as:
    CVE-2014-1587, CVE-2014-1588, CVE-2014-1589, CVE-2014-1590,
    CVE-2014-1591, CVE-2014-1592, CVE-2014-1593, CVE-2014-1594,
    CVE-2014-8631, CVE-2014-8632.

  * debian/branding/firefox-branding.js: Set
    browser.aboutHomeSnippets.updateUrl to "data:text/html,", which resets
    previously downloaded snippets after a day.
  * debian/browser.js.in: Avoid openh264 being downloaded and disable it if
    it is already there. Closes: #769716.
  * debian/control*: Bump nss and sqlite build dependencies.
  * debian/rules: Remove --disable-compile-environment for l10n builds
    because of bz#1063880.
  * debian/browser.install.in: Add sandbox library.

iceweasel (33.1-1) experimental; urgency=medium

  * New upstream release.

  * debian/changelog: Add missing entries for 27.0.1-1.
  * debian/rules: Don't force to build with GCC 4.9 on armhf anymore.
  * debian/browser.mozconfig.in: Don't build with --enable-unified-compilation.
    It may be causing build problems on architectures with limited resources.
  * debian/browser.install.in, debian/browser.postinst.in,
    debian/browser.postrm.in, debian/browser.preinst.in,
    debian/duckduckgo.xml: Remove duckduckgo search engine, since upstream
    now has it included.
  * debian/branding/firefox-branding.js:
    - Set browser.startup.homepage_override.mstone to "ignore".
    - Set browser.aboutHomeSnippets.updateUrl to nothing. Closes: #721689.

  * Import patches from the nss source package that are relevant to building
    iceweasel against the in-tree nss source, for backports:
    - security/nss/lib/freebl/unix_rand.c,
      security/nss/cmd/shlibsign/shlibsign.c: Fix FTBFS on Hurd because of
      MAXPATHLEN
    - security/nss/coreconf/Linux.mk, security/nss/coreconf/arch.mk,
      security/nss/coreconf/config.mk, security/nss/lib/freebl/unix_rand.c,
      security/nss/lib/softoken/softoken.h, security/nss/lib/ssl/sslmutex.*:
      GNU/kFreeBSD support.
    - security/nss/lib/ckfw/builtins/certdata.txt: Adds the SPI Inc. and
      CAcert.org CA certificates.
    Those patches were applied on the esr24 branch, but were forgotten on the
    release branch at the time.
  * media/libcubeb/tests/moz.build: Work around binutils assertion on mips.

iceweasel (33.0-2) experimental; urgency=medium

  * debian/control*, debian/rules: Do not build depend on gstreamer 1.0 when
    building a backport.

  * netwerk/base/public/security-prefs.js,
    security/manager/ssl/src/nsNSSComponent.cpp: Disable SSLv3 to address
    CVE-2014-3566. bz#1076983.

iceweasel (33.0-1) experimental; urgency=medium

  * New upstream release.
  * Fixes for mfsa2014-{74-76,78-82}, also known as:
    CVE-2014-1574, CVE-2014-1575, CVE-2014-1576, CVE-2014-1577,
    CVE-2014-1580, CVE-2014-1581, CVE-2014-1582, CVE-2014-1584,
    CVE-2014-1585, CVE-2014-1586, CVE-2014-1583.

  * debian/control*: Bump nss and sqlite build dependencies.
  * debian/browser.install.in, debian/control.in, debian/rules,
    debian/upstream.mk, debian/vendor.js.in: Change how official branding is
    handled.
  * debian/rules: Disable tests on stable-security.
  * debian/browser.install.in, debian/browser.mozconfig.in,
    debian/control.in, debian/rules: Allow to build against Gtk+3 by setting
    the GTK3 environment variable while building.

iceweasel (32.0.3-1) experimental; urgency=medium

  * New upstream release.

  * toolkit/components/search/nsSearchService.js: Bump search engine max icon
    size to 35kB. Closes: #749084.
  * build/autoconf/compiler-opts.m4, config/rules.mk: Build target programs
    as position independent executable when supported by gcc/clang.
    bz#857628.

iceweasel (32.0-1) experimental; urgency=medium

  * New upstream release.
  * Fixes for mfsa2014-{67-70,72}, also known as:
    CVE-2014-1562, CVE-2014-1553, CVE-2014-1554, CVE-2014-1563,
    CVE-2014-1564, CVE-2014-1565, CVE-2014-1567.

  * debian/browser.bug-script.in, debian/browser.install.in,
    debian/extra-stuff/Makefile.in, debian/extra-stuff/reportbug-helper-script,
    debian/installer/package-manifest.browser: Fix bug script.
  * debian/browser.install.in, debian/rules, debian/upstream.mk: Install
    libreplace_malloc.so when building a nightly.
  * debian/control*: Bump nss and sqlite build dependencies.

iceweasel (38.2.0esr-1~deb7u1) oldstable-security; urgency=high

  * New upstream release.
  * Fixes for mfsa2015-{79-80,82-83,87-90,92}, also known as:
    CVE-2015-4473, CVE-2015-4475, CVE-2015-4478, CVE-2015-4479,
    CVE-2015-4480, CVE-2015-4493, CVE-2015-4484, CVE-2015-4491,
    CVE-2015-4485, CVE-2015-4486, CVE-2015-4487, CVE-2015-4488,
    CVE-2015-4489, CVE-2015-4492.

  * debian/latest_nightly.py, debian/upstream.mk: Modify latest_nightly.py to
    work without ftp now that it's gone.
  * debian/upstream.mk: Switch to HTTPS for all hg.mozilla.org urls.

  * toolkit/components/search/nsSearchService.js: Revert change from 32.0.3-1
    that bumped the search engine max icon size to 35kB because it's not
    needed anymore.

iceweasel (38.1.1esr-1) unstable; urgency=high

  * New upstream release.
  * Fixes for mfsa2015-78, also known as CVE-2015-4495.

  * debian/source.filter: Remove the source tarball filtering of search
    plugin icons. See 20150715221703.GD19084@glandium.org.

iceweasel (38.1.0esr-3) unstable; urgency=medium

  * debian/browser.js.in, debian/vendor.js.in: Fix localized searchplugins.
    Closes: #775813.

iceweasel (38.1.0esr-2) unstable; urgency=medium

  * debian/control*: Bump NSS build dependency.

iceweasel (38.1.0esr-1) unstable; urgency=medium

  * New upstream release.
  * Fixes for mfsa2015-{59-67,69}, also known as:
    CVE-2015-2724, CVE-2015-2725, CVE-2015-2727, CVE-2015-2728,
    CVE-2015-2729, CVE-2015-2731, CVE-2015-2730, CVE-2015-2722,
    CVE-2015-2733, CVE-2015-2734, CVE-2015-2735, CVE-2015-2736,
    CVE-2015-2737, CVE-2015-2738, CVE-2015-2739, CVE-2015-2740,
    CVE-2015-2741, CVE-2015-2743.

  * debian/rules: Use the right --target, --host and --build arguments to
    configure for the Mozilla build system, which uses different meanings.
  * debian/branding/firefox-branding.js: Add devtools.selfxss.count pref to
    the iceweasel branding to match unofficial branding. Closes: #787975.
  * debian/browser.js.in: Use a sticky pref for browser.newtabpage.enhanced.
  * debian/branding/content/Makefile.in: Revert branding changes for SVG
    wordmark, not used on ESR.

  * modules/libpref/prefapi.*, modules/libpref/prefread.*,
    modules/libpref/test/unit/data/testPrefSticky*.js,
    modules/libpref/test/unit/test_stickyprefs.js,
    modules/libpref/test/unit/xpcshell.ini: support 'sticky' preferences,
    meaning a user value is retained even when it matches the default.
    bz#1098343.
  * browser/app/profile/firefox.js, browser/base/content/newtab/intro.js,
    browser/base/content/newtab/page.js,
    browser/modules/DirectoryLinksProvider.jsm: Update patch from bz#1094324
    to fit what landed upstream in newer versions.

iceweasel (38.0.1-5) unstable; urgency=medium

  * debian/rules: Force a timezone when extracting defaults/* files from
    omni.ja archives.

iceweasel (38.0.1-4) unstable; urgency=medium

  * python/mozbuild/mozpack/files.py: Fixup to keep file type.
  * toolkit/content/Makefile.in, toolkit/content/buildconfig.html: Remove
    build machine name from about:buildconfig. bz#1168316.

iceweasel (38.0.1-3) unstable; urgency=medium

  * debian/upstream.mk: Force a timezone when setting MOZ_BUILD_DATE.

  * python/mozbuild/mozpack/files.py: Normalize file mode in jars.
    bz#1168231.

iceweasel (38.0.1-2) unstable; urgency=medium

  * debian/upstream.mk: Set MOZ_BUILD_DATE to the date of the last
    debian/changelog entry for non-Aurora builds.
  * debian/branding/content/Makefile.in: Add a dummy conversion for about.png
    to remove timestamps.
  * debian/browser.js.in: Default to classic view for about:newtab.
  * debian/copyright: Update copyright file to some degree.
  * debian/control*: Bump Standards-Version to 3.9.6.0.
    - debian/rules: Add build-arch and build-indep targets to debian/rules.
  * debian/control*: Switch Vcs-* urls to anonscm.debian.org.

  * ipc/testshell/XPCShellEnvironment.cpp, js/src/shell/js.cpp,
    js/xpconnect/src/XPCShellImpl.cpp: Remove build() function from js and
    xpc shells. bz#1166243.
  * toolkit/locales/l10n.mk: Use dozip.py for langpacks. bz#1166538.
  * browser/app/profile/firefox.js, browser/base/content/newtab/intro.js,
    browser/modules/DirectoryLinksProvider.jsm: Set
    browser.newtabpage.enhanced default in prefs. bz#1094324.

iceweasel (38.0.1-1) unstable; urgency=medium

  * New upstream release.

  * debian/vendor.js.in: Disable auto-installing webide related addons.
    Closes: #785595.
  * debian/rules: Disable jit on mips. Only mipsel is supported by the jit
    code currently.

  * configure.in, media/libjpeg/moz.build: Fixup libjpeg-turbo assembly
    cleanup.
  * security/manager/ssl/src/SSLServerCertVerification.cpp: Add a NULL-check
    for extensions on the end entity certificate when gathering EKU
    telemetry. Closes: #782772.

iceweasel (38.0-2) unstable; urgency=medium

  * debian/repack.py: Fix to support filter patterns excluding a top-level
    directory.

  * configure.in: Cleanup how libjpeg-turbo assembly build variables are set.
    bz#1165654. This should fix FTBFSes on arm64 and mips*.
  * memory/mozjemalloc/jemalloc.c: Make powerpc not use static page sizes.
    Closes: #763900.

iceweasel (38.0-1) unstable; urgency=medium

  * New upstream release.
  * Fixes for mfsa2015-{46,48-51,53-56}, also known as: CVE-2015-2708, CVE-2015-2709, CVE-2015-2710, CVE-2015-2711, CVE-2015-2712, CVE-2015-2713, CVE-2015-2715, CVE-2015-2716, CVE-2015-2717, CVE-2015-2718.

  * debian/branding/Makefile.in, debian/branding/moz.build: Adapt build rules to upstream changes.
  * debian/branding/locales/en-US/brand.*: Add brandShorterName to Iceweasel branding.
  * debian/branding/content/Makefile.in: Add silhouette-40.svg from the unofficial branding to iceweasel branding.
  * debian/control*: Bump nss and sqlite build dependencies.
  * debian/control.in, debian/upstream.mk: Change backport rules.
    - Set LESS_SYSTEM_LIBS on wheezy and jessie.
    - Only use gstreamer 0.10 on wheezy.

iceweasel (37.0.2-1) experimental; urgency=medium

  * New upstream release.
  * Fix for mfsa2015-45, also known as CVE-2015-2706.

iceweasel (37.0.1-1) experimental; urgency=medium

  * New upstream release.
  * Fix for mfsa2015-44, also known as CVE-2015-0799.

  * debian/browser.js.in: Change the pref used to disable openh264. Closes: #769716.

iceweasel (37.0-1) experimental; urgency=medium

  * New upstream release.
  * Fixes for mfsa2015-{30-34,36-40,42}, also known as: CVE-2015-0815, CVE-2015-0814, CVE-2015-0813, CVE-2015-0812, CVE-2015-0816, CVE-2015-0811, CVE-2015-0808, CVE-2015-0807, CVE-2015-0805, CVE-2015-0806, CVE-2015-0803, CVE-2015-0804, CVE-2015-0801, CVE-2015-0802.

iceweasel (36.0.4-1) experimental; urgency=medium

  * New upstream release.
  * Fixes for mfsa2015-{28-29}, also known as: CVE-2015-0818, CVE-2015-0817.

iceweasel (36.0.1-2) experimental; urgency=medium

  * debian/browser.mozconfig.in: Don't build with --disable-eme, reverting the change from 36.0-1.

iceweasel (36.0.1-1) experimental; urgency=medium

  * New upstream release.

  * gfx/layers/basic/BasicCompositor.cpp, gfx/layers/basic/BasicLayerManager.cpp: Reintroduce pixman code path removed in bz#1097776 for --disable-skia builds. bz#1136958.

iceweasel (36.0-2) experimental; urgency=medium

  * debian/browser.mozconfig.in: Force enable skia, to possibly fix FTBFS on non-x86/amd64/arm architectures.

  * gfx/skia/moz.build: Remove duplicate SkDiscardableMemory_none.cpp. bz#1136958.

iceweasel (36.0-1) experimental; urgency=medium

  * New upstream release.
  * Fixes for mfsa2015-{11,13-17,19-27}, also known as: CVE-2015-0836, CVE-2015-0835, CVE-2015-0832, CVE-2015-0830, CVE-2015-0834, CVE-2015-0831, CVE-2015-0829, CVE-2015-0827, CVE-2015-0826, CVE-2015-0825, CVE-2015-0824, CVE-2015-0823, CVE-2015-0822, CVE-2015-0821, CVE-2015-0819, CVE-2015-0820.

  * debian/control*: Bump nss and sqlite build dependencies.
  * debian/branding/Makefile.in, debian/branding/moz.build, debian/extra-stuff/Makefile.in, debian/extra-stuff/moz.build: Update and cleanup.
  * debian/browser.install.in: Remove mozilla-xremote-client, it was removed upstream.
  * debian/browser.install.in, debian/rules: Remove libmozsandbox.so, it's not a shared library anymore.
  * debian/browser.mozconfig.in: Build with --disable-eme for now.

iceweasel (35.0.1-1) experimental; urgency=medium

  * New upstream release.

  * debian/browser.install.in, debian/rules: Only install libmozsandbox.so on i386 and amd64.
  * debian/control: Recommend gstreamer packages for video playing capabilities. Closes: #737092. Also change the gstreamer build dependencies not to use alternatives.

iceweasel (35.0-1) experimental; urgency=medium

  * New upstream release.
  * Fixes for mfsa2015-{01-06,08-09}, also known as: CVE-2014-8634, CVE-2014-8635, CVE-2014-8637, CVE-2014-8637, CVE-2014-8639, CVE-2014-8640, CVE-2014-8641, CVE-2014-8642, CVE-2014-8636.

  * debian/browser.mozconfig.in: Build with --enable-pie instead of our own patch to the build system.

  * moz.build: Fix how debian/extra-stuff is added to upstream build system directory traversal after upstream changes.

iceweasel (34.0-1) experimental; urgency=medium

  * New upstream release.
  * Fixes for mfsa2014-{83-89,91}, also known as: CVE-2014-1587, CVE-2014-1588, CVE-2014-1589, CVE-2014-1590, CVE-2014-1591, CVE-2014-1592, CVE-2014-1593, CVE-2014-1594, CVE-2014-8631, CVE-2014-8632.

  * debian/branding/firefox-branding.js: Set browser.aboutHomeSnippets.updateUrl to "data:text/html,", which resets previously downloaded snippets after a day.
  * debian/browser.js.in: Avoid openh264 being downloaded and disable it if it is already there. Closes: #769716.
  * debian/control*: Bump nss and sqlite build dependencies.
  * debian/rules: Remove --disable-compile-environment for l10n builds because of bz#1063880.
  * debian/browser.install.in: Add sandbox library.

iceweasel (33.1-1) experimental; urgency=medium

  * New upstream release.

  * debian/changelog: Add missing entries for 27.0.1-1.
  * debian/rules: Don't force to build with GCC 4.9 on armhf anymore.
  * debian/browser.mozconfig.in: Don't build with --enable-unified-compilation. It may be causing build problems on architectures with limited resources.
  * debian/browser.install.in, debian/browser.postinst.in, debian/browser.postrm.in, debian/browser.preinst.in, debian/duckduckgo.xml: Remove duckduckgo search engine, since upstream now has it included.
  * debian/branding/firefox-branding.js:
    - Set browser.startup.homepage_override.mstone to "ignore".
    - Set browser.aboutHomeSnippets.updateUrl to nothing. Closes: #721689.

  * Import patches from the nss source package that are relevant to building iceweasel against the in-tree nss source, for backports:
    - security/nss/lib/freebl/unix_rand.c, security/nss/cmd/shlibsign/shlibsign.c: Fix FTBFS on Hurd because of MAXPATHLEN
    - security/nss/coreconf/Linux.mk, security/nss/coreconf/arch.mk, security/nss/coreconf/config.mk, security/nss/lib/freebl/unix_rand.c, security/nss/lib/softoken/softoken.h, security/nss/lib/ssl/sslmutex.*: GNU/kFreeBSD support.
    - security/nss/lib/ckfw/builtins/certdata.txt: Adds the SPI Inc. and CAcert.org CA certificates.
    Those patches were applied on the esr24 branch, but were forgotten on the release branch at the time.
  * media/libcubeb/tests/moz.build: Work around binutils assertion on mips.

iceweasel (33.0-2) experimental; urgency=medium

  * debian/control*, debian/rules: Do not build depend on gstreamer 1.0 when building a backport.

  * netwerk/base/public/security-prefs.js, security/manager/ssl/src/nsNSSComponent.cpp: Disable SSLv3 to address CVE-2014-3566. bz#1076983.

iceweasel (33.0-1) experimental; urgency=medium

  * New upstream release.
  * Fixes for mfsa2014-{74-76,78-82}, also known as: CVE-2014-1574, CVE-2014-1575, CVE-2014-1576, CVE-2014-1577, CVE-2014-1580, CVE-2014-1581, CVE-2014-1582, CVE-2014-1584, CVE-2014-1585, CVE-2014-1586, CVE-2014-1583.

  * debian/control*: Bump nss and sqlite build dependencies.
  * debian/browser.install.in, debian/control.in, debian/rules, debian/upstream.mk, debian/vendor.js.in: Change how official branding is handled.
  * debian/rules: Disable tests on stable-security.
  * debian/browser.install.in, debian/browser.mozconfig.in, debian/control.in, debian/rules: Allow to build against Gtk+3 by setting the GTK3 environment variable while building.

iceweasel (32.0.3-1) experimental; urgency=medium

  * New upstream release.

  * toolkit/components/search/nsSearchService.js: Bump search engine max icon size to 35kB. Closes: #749084.
  * build/autoconf/compiler-opts.m4, config/rules.mk: Build target programs as position independent executable when supported by gcc/clang. bz#857628.

iceweasel (32.0-1) experimental; urgency=medium

  * New upstream release.
  * Fixes for mfsa2014-{67-70,72}, also known as: CVE-2014-1562, CVE-2014-1553, CVE-2014-1554, CVE-2014-1563, CVE-2014-1564, CVE-2014-1565, CVE-2014-1567.

  * debian/browser.bug-script.in, debian/browser.install.in, debian/extra-stuff/Makefile.in, debian/extra-stuff/reportbug-helper-script, debian/installer/package-manifest.browser: Fix bug script.
  * debian/browser.install.in, debian/rules, debian/upstream.mk: Install libreplace_malloc.so when building a nightly.
  * debian/control*: Bump nss and sqlite build dependencies.

iceweasel (38.1.1esr-1) unstable; urgency=high

  * New upstream release.
  * Fixes for mfsa2015-78, also known as CVE-2015-4495.

  * debian/source.filter: Remove the source tarball filtering of search plugin icons. See 20150715221703.GD19084@glandium.org.

iceweasel (38.1.1esr-1~deb9u1) stretch; urgency=high

  * Non-maintainer upload.
  * Rebuild iceweasel/38.1.1esr-1 in stretch so CVE-2015-4495 can be fixed there before the g++-5 transition finishes. No source changes.

iceweasel (38.1.0esr-3) unstable; urgency=medium

  * debian/browser.js.in, debian/vendor.js.in: Fix localized searchplugins. Closes: #775813.

iceweasel (38.1.0esr-2) unstable; urgency=medium

  * debian/control*: Bump NSS build dependency.

iceweasel (38.1.0esr-1) unstable; urgency=medium

  * New upstream release.
  * Fixes for mfsa2015-{59-67,69}, also known as: CVE-2015-2724, CVE-2015-2725, CVE-2015-2727, CVE-2015-2728, CVE-2015-2729, CVE-2015-2731, CVE-2015-2730, CVE-2015-2722, CVE-2015-2733, CVE-2015-2734, CVE-2015-2735, CVE-2015-2736, CVE-2015-2737, CVE-2015-2738, CVE-2015-2739, CVE-2015-2740, CVE-2015-2741, CVE-2015-2743.

  * debian/rules: Use the right --target, --host and --build arguments to configure for the Mozilla build system, which uses different meanings.
  * debian/branding/firefox-branding.js: Add devtools.selfxss.count pref to the iceweasel branding to match unofficial branding. Closes: #787975.
  * debian/browser.js.in: Use a sticky pref for browser.newtabpage.enhanced.
  * debian/branding/content/Makefile.in: Revert branding changes for SVG wordmark, not used on ESR.

  * modules/libpref/prefapi.*, modules/libpref/prefread.*, modules/libpref/test/unit/data/testPrefSticky*.js, modules/libpref/test/unit/test_stickyprefs.js, modules/libpref/test/unit/xpcshell.ini: support 'sticky' preferences, meaning a user value is retained even when it matches the default. bz#1098343.
  * browser/app/profile/firefox.js, browser/base/content/newtab/intro.js, browser/base/content/newtab/page.js, browser/modules/DirectoryLinksProvider.jsm: Update patch from bz#1094324 to fit what landed upstream in newer versions.

iceweasel (38.0.1-5) unstable; urgency=medium

  * debian/rules: Force a timezone when extracting defaults/* files from omni.ja archives.

iceweasel (38.0.1-4) unstable; urgency=medium

  * python/mozbuild/mozpack/files.py: Fixup to keep file type.
  * toolkit/content/Makefile.in, toolkit/content/buildconfig.html: Remove build machine name from about:buildconfig. bz#1168316.

iceweasel (38.0.1-3) unstable; urgency=medium

  * debian/upstream.mk: Force a timezone when setting MOZ_BUILD_DATE.

  * python/mozbuild/mozpack/files.py: Normalize file mode in jars. bz#1168231.

iceweasel (38.0.1-2) unstable; urgency=medium

  * debian/upstream.mk: Set MOZ_BUILD_DATE to the date of the last debian/changelog entry for non-Aurora builds.
  * debian/branding/content/Makefile.in: Add a dummy conversion for about.png to remove timestamps.
  * debian/browser.js.in: Default to classic view for about:newtab.
  * debian/copyright: Update copyright file to some degree.
  * debian/control*: Bump Standards-Version to 3.9.6.0.
    - debian/rules: Add build-arch and build-indep targets to debian/rules.
  * debian/control*: Switch Vcs-* urls to anonscm.debian.org.

  * ipc/testshell/XPCShellEnvironment.cpp, js/src/shell/js.cpp, js/xpconnect/src/XPCShellImpl.cpp: Remove build() function from js and xpc shells. bz#1166243.
  * toolkit/locales/l10n.mk: Use dozip.py for langpacks. bz#1166538.
  * browser/app/profile/firefox.js, browser/base/content/newtab/intro.js, browser/modules/DirectoryLinksProvider.jsm: Set browser.newtabpage.enhanced default in prefs. bz#1094324.

iceweasel (38.0.1-1) unstable; urgency=medium

  * New upstream release.

  * debian/vendor.js.in: Disable auto-installing webide related addons. Closes: #785595.
  * debian/rules: Disable jit on mips. Only mipsel is supported by the jit code currently.

  * configure.in, media/libjpeg/moz.build: Fixup libjpeg-turbo assembly cleanup.
  * security/manager/ssl/src/SSLServerCertVerification.cpp: Add a NULL-check for extensions on the end entity certificate when gathering EKU telemetry. Closes: #782772.

iceweasel (38.0-2) unstable; urgency=medium

  * debian/repack.py: Fix to support filter patterns excluding a top-level directory.

  * configure.in: Cleanup how libjpeg-turbo assembly build variables are set. bz#1165654. This should fix FTBFSes on arm64 and mips*.
  * memory/mozjemalloc/jemalloc.c: Make powerpc not use static page sizes. Closes: #763900.

iceweasel (38.0-1) unstable; urgency=medium

  * New upstream release.
  * Fixes for mfsa2015-{46,48-51,53-56}, also known as: CVE-2015-2708, CVE-2015-2709, CVE-2015-2710, CVE-2015-2711, CVE-2015-2712, CVE-2015-2713, CVE-2015-2715, CVE-2015-2716, CVE-2015-2717, CVE-2015-2718.

  * debian/branding/Makefile.in, debian/branding/moz.build: Adapt build rules to upstream changes.
  * debian/branding/locales/en-US/brand.*: Add brandShorterName to Iceweasel branding.
  * debian/branding/content/Makefile.in: Add silhouette-40.svg from the unofficial branding to iceweasel branding.
  * debian/control*: Bump nss and sqlite build dependencies.
  * debian/control.in, debian/upstream.mk: Change backport rules.
    - Set LESS_SYSTEM_LIBS on wheezy and jessie.
    - Only use gstreamer 0.10 on wheezy.

iceweasel (37.0.2-1) experimental; urgency=medium

  * New upstream release.
  * Fix for mfsa2015-45, also known as CVE-2015-2706.

iceweasel (37.0.1-1) experimental; urgency=medium

  * New upstream release.
  * Fix for mfsa2015-44, also known as CVE-2015-0799.

  * debian/browser.js.in: Change the pref used to disable openh264. Closes: #769716.

iceweasel (37.0-1) experimental; urgency=medium

  * New upstream release.
  * Fixes for mfsa2015-{30-34,36-40,42}, also known as: CVE-2015-0815, CVE-2015-0814, CVE-2015-0813, CVE-2015-0812, CVE-2015-0816, CVE-2015-0811, CVE-2015-0808, CVE-2015-0807, CVE-2015-0805, CVE-2015-0806, CVE-2015-0803, CVE-2015-0804, CVE-2015-0801, CVE-2015-0802.

iceweasel (36.0.4-1) experimental; urgency=medium

  * New upstream release.
  * Fixes for mfsa2015-{28-29}, also known as: CVE-2015-0818, CVE-2015-0817.

iceweasel (36.0.1-2) experimental; urgency=medium

  * debian/browser.mozconfig.in: Don't build with --disable-eme, reverting the change from 36.0-1.

iceweasel (36.0.1-1) experimental; urgency=medium

  * New upstream release.

  * gfx/layers/basic/BasicCompositor.cpp, gfx/layers/basic/BasicLayerManager.cpp: Reintroduce pixman code path removed in bz#1097776 for --disable-skia builds. bz#1136958.

iceweasel (36.0-2) experimental; urgency=medium

  * debian/browser.mozconfig.in: Force enable skia, to possibly fix FTBFS on non-x86/amd64/arm architectures.

  * gfx/skia/moz.build: Remove duplicate SkDiscardableMemory_none.cpp. bz#1136958.

iceweasel (36.0-1) experimental; urgency=medium

  * New upstream release.
  * Fixes for mfsa2015-{11,13-17,19-27}, also known as: CVE-2015-0836, CVE-2015-0835, CVE-2015-0832, CVE-2015-0830, CVE-2015-0834, CVE-2015-0831, CVE-2015-0829, CVE-2015-0827, CVE-2015-0826, CVE-2015-0825, CVE-2015-0824, CVE-2015-0823, CVE-2015-0822, CVE-2015-0821, CVE-2015-0819, CVE-2015-0820.

  * debian/control*: Bump nss and sqlite build dependencies.
  * debian/branding/Makefile.in, debian/branding/moz.build, debian/extra-stuff/Makefile.in, debian/extra-stuff/moz.build: Update and cleanup.
  * debian/browser.install.in: Remove mozilla-xremote-client, it was removed upstream.
  * debian/browser.install.in, debian/rules: Remove libmozsandbox.so, it's not a shared library anymore.
  * debian/browser.mozconfig.in: Build with --disable-eme for now.

iceweasel (35.0.1-1) experimental; urgency=medium

  * New upstream release.

  * debian/browser.install.in, debian/rules: Only install libmozsandbox.so on i386 and amd64.
  * debian/control: Recommend gstreamer packages for video playing capabilities. Closes: #737092. Also change the gstreamer build dependencies not to use alternatives.

iceweasel (35.0-1) experimental; urgency=medium

  * New upstream release.
  * Fixes for mfsa2015-{01-06,08-09}, also known as: CVE-2014-8634, CVE-2014-8635, CVE-2014-8637, CVE-2014-8637, CVE-2014-8639, CVE-2014-8640, CVE-2014-8641, CVE-2014-8642, CVE-2014-8636.

  * debian/browser.mozconfig.in: Build with --enable-pie instead of our own patch to the build system.

  * moz.build: Fix how debian/extra-stuff is added to upstream build system directory traversal after upstream changes.

iceweasel (34.0-1) experimental; urgency=medium

  * New upstream release.
  * Fixes for mfsa2014-{83-89,91}, also known as: CVE-2014-1587, CVE-2014-1588, CVE-2014-1589, CVE-2014-1590, CVE-2014-1591, CVE-2014-1592, CVE-2014-1593, CVE-2014-1594, CVE-2014-8631, CVE-2014-8632.

  * debian/branding/firefox-branding.js: Set browser.aboutHomeSnippets.updateUrl to "data:text/html,", which resets previously downloaded snippets after a day.
  * debian/browser.js.in: Avoid openh264 being downloaded and disable it if it is already there. Closes: #769716.
  * debian/control*: Bump nss and sqlite build dependencies.
  * debian/rules: Remove --disable-compile-environment for l10n builds because of bz#1063880.
  * debian/browser.install.in: Add sandbox library.

iceweasel (33.1-1) experimental; urgency=medium

  * New upstream release.

  * debian/changelog: Add missing entries for 27.0.1-1.
  * debian/rules: Don't force to build with GCC 4.9 on armhf anymore.
  * debian/browser.mozconfig.in: Don't build with --enable-unified-compilation. It may be causing build problems on architectures with limited resources.
  * debian/browser.install.in, debian/browser.postinst.in, debian/browser.postrm.in, debian/browser.preinst.in, debian/duckduckgo.xml: Remove duckduckgo search engine, since upstream now has it included.
  * debian/branding/firefox-branding.js:
    - Set browser.startup.homepage_override.mstone to "ignore".
    - Set browser.aboutHomeSnippets.updateUrl to nothing. Closes: #721689.

  * Import patches from the nss source package that are relevant to building iceweasel against the in-tree nss source, for backports:
    - security/nss/lib/freebl/unix_rand.c, security/nss/cmd/shlibsign/shlibsign.c: Fix FTBFS on Hurd because of MAXPATHLEN
    - security/nss/coreconf/Linux.mk, security/nss/coreconf/arch.mk, security/nss/coreconf/config.mk, security/nss/lib/freebl/unix_rand.c, security/nss/lib/softoken/softoken.h, security/nss/lib/ssl/sslmutex.*: GNU/kFreeBSD support.
    - security/nss/lib/ckfw/builtins/certdata.txt: Adds the SPI Inc. and CAcert.org CA certificates.
    Those patches were applied on the esr24 branch, but were forgotten on the release branch at the time.
  * media/libcubeb/tests/moz.build: Work around binutils assertion on mips.

iceweasel (33.0-2) experimental; urgency=medium

  * debian/control*, debian/rules: Do not build depend on gstreamer 1.0 when building a backport.

  * netwerk/base/public/security-prefs.js, security/manager/ssl/src/nsNSSComponent.cpp: Disable SSLv3 to address CVE-2014-3566. bz#1076983.

iceweasel (33.0-1) experimental; urgency=medium

  * New upstream release.
  * Fixes for mfsa2014-{74-76,78-82}, also known as: CVE-2014-1574, CVE-2014-1575, CVE-2014-1576, CVE-2014-1577, CVE-2014-1580, CVE-2014-1581, CVE-2014-1582, CVE-2014-1584, CVE-2014-1585, CVE-2014-1586, CVE-2014-1583.

  * debian/control*: Bump nss and sqlite build dependencies.
  * debian/browser.install.in, debian/control.in, debian/rules, debian/upstream.mk, debian/vendor.js.in: Change how official branding is handled.
  * debian/rules: Disable tests on stable-security.
  * debian/browser.install.in, debian/browser.mozconfig.in, debian/control.in, debian/rules: Allow to build against Gtk+3 by setting the GTK3 environment variable while building.

iceweasel (32.0.3-1) experimental; urgency=medium

  * New upstream release.

  * toolkit/components/search/nsSearchService.js: Bump search engine max icon size to 35kB. Closes: #749084.
  * build/autoconf/compiler-opts.m4, config/rules.mk: Build target programs as position independent executable when supported by gcc/clang. bz#857628.

iceweasel (32.0-1) experimental; urgency=medium

  * New upstream release.
  * Fixes for mfsa2014-{67-70,72}, also known as: CVE-2014-1562, CVE-2014-1553, CVE-2014-1554, CVE-2014-1563, CVE-2014-1564, CVE-2014-1565, CVE-2014-1567.

  * debian/browser.bug-script.in, debian/browser.install.in, debian/extra-stuff/Makefile.in, debian/extra-stuff/reportbug-helper-script, debian/installer/package-manifest.browser: Fix bug script.
  * debian/browser.install.in, debian/rules, debian/upstream.mk: Install libreplace_malloc.so when building a nightly.
  * debian/control*: Bump nss and sqlite build dependencies.

iceweasel (32.0~b5-1) experimental; urgency=medium

  * New upstream beta release.

  * debian/browser.install.in, debian/rules, debian/upstream.mk: Install libreplace_malloc.so when building a nightly.
  * debian/control*: Bump nss and sqlite build dependencies.

  * media/libstagefright/moz.build: Fix libstagefright build on GNU/kFreeBSD. bz#1048064.

iceweasel (32.0~b3-1) experimental; urgency=medium

  * New upstream beta release.

  * debian/browser.install.in, debian/rules, debian/upstream.mk: Install libreplace_malloc.so when building a nightly.
  * debian/control*: Bump nss and sqlite build dependencies.

  * testing/mozbase/mozinfo/mozinfo/mozinfo.py: Add a fallback for unknown platforms after bz#945869. bz#1044414.

iceweasel (32.0~b1-1) experimental; urgency=medium

  * New upstream beta release.

  * debian/browser.install.in, debian/rules, debian/upstream.mk: Install libreplace_malloc.so when building a nightly.
  * debian/control*: Bump nss and sqlite build dependencies.

iceweasel (31.8.0esr-1~deb8u1) stable-security; urgency=medium

  * New upstream release.
  * Fixes for mfsa2015-{59,61,64-66,69-71}, also known as: CVE-2015-2724, CVE-2015-2728, CVE-2015-2730, CVE-2015-2722, CVE-2015-2733, CVE-2015-2734, CVE-2015-2735, CVE-2015-2736, CVE-2015-2737, CVE-2015-2738, CVE-2015-2739, CVE-2015-2740, CVE-2015-2743, CVE-2015-4000, CVE-2015-2721.

  * debian/rules, debian/control*: Use bundled libraries because of the requirement for a newer NSS.

  * dom/indexedDB/IndexedDatabaseManager.cpp: Backout mercurial changeset 4fd4c854dc0f (fixup for bz#1142210) to unbust unified builds.

iceweasel (31.8.0esr-1~deb7u1) oldstable-security; urgency=medium

  * New upstream release.
  * Fixes for mfsa2015-{59,61,64-66,69-71}, also known as: CVE-2015-2724, CVE-2015-2728, CVE-2015-2730, CVE-2015-2722, CVE-2015-2733, CVE-2015-2734, CVE-2015-2735, CVE-2015-2736, CVE-2015-2737, CVE-2015-2738, CVE-2015-2739, CVE-2015-2740, CVE-2015-2743, CVE-2015-4000, CVE-2015-2721.

  * debian/rules, debian/control*: Use bundled libraries because of the requirement for a newer NSS.

  * dom/indexedDB/IndexedDatabaseManager.cpp: Backout mercurial changeset 4fd4c854dc0f (fixup for bz#1142210) to unbust unified builds.

iceweasel (31.7.0esr-1~deb8u1) stable-security; urgency=medium

  * New upstream release.
  * Fixes for mfsa2015-{46-48,51,54,57}, also known as: CVE-2015-2708, CVE-2015-0797, CVE-2015-2710, CVE-2015-2713, CVE-2015-2716, CVE-2011-3079.

  * debian/control.in, debian/rules, debian/upstream.mk: Change backport rules.
    - Only set LESS_SYSTEM_LIBS on wheezy (for now).
    - Only exclude gstreamer 1.0 on wheezy.

iceweasel (31.7.0esr-1~deb7u1) oldstable-security; urgency=medium

  * New upstream release.
  * Fixes for mfsa2015-{46-48,51,54,57}, also known as: CVE-2015-2708, CVE-2015-0797, CVE-2015-2710, CVE-2015-2713, CVE-2015-2716, CVE-2011-3079.

  * debian/control.in, debian/rules, debian/upstream.mk: Change backport rules.
    - Only set LESS_SYSTEM_LIBS on wheezy (for now).
    - Only exclude gstreamer 1.0 on wheezy.

icu (52.1-8+deb8u2) jessie-security; urgency=high

  * Fix security bugs:
    - CVE-2014-8146, a heap overflow,
    - CVE-2014-8147, an integer overflow,
    - CVE-2015-4760, missing boundary checks in layout engine,
    - CVE-2014-6585, finish null pointer checks.

jackrabbit (2.3.6-1+deb8u1) jessie-security; urgency=medium

  * Team upload.
  * Add CVE-2015-1833.patch. Fix XXE/XEE vulnerability of the Jackrabbit WebDAV bundle. When processing a WebDAV request body containing XML, the XML parser can be instructed to read content from network resources accessible to the host, identified by URI schemes such as "http(s)" or "file". Depending on the WebDAV request, this can not only be used to trigger internal network requests, but might also be used to insert said content into the request, potentially exposing it to the attacker and others. (Closes: #787316)

jackrabbit (2.3.6-1+deb7u1) wheezy-security; urgency=medium

  * Team upload.
  * Add CVE-2015-1833.patch. Fix XXE/XEE vulnerability of the Jackrabbit WebDAV bundle. When processing a WebDAV request body containing XML, the XML parser can be instructed to read content from network resources accessible to the host, identified by URI schemes such as "http(s)" or "file". Depending on the WebDAV request, this can not only be used to trigger internal network requests, but might also be used to insert said content into the request, potentially exposing it to the attacker and others. (Closes: #787316)

kic (2.4a-2~deb8u1) jessie; urgency=medium

  * QA upload.
  * Rebuild for jessie.

kic (2.4a-2) unstable; urgency=medium

  * QA upload.
  * Set Maintainer to Debian QA Group. (See: #691834)
  * configure: Do not add -L without argument to $LIBS. (Closes: #793367)

lame (3.99.5+repack1-7+deb8u1) jessie; urgency=medium

  * debian/patches/force_align_arg_pointer.patch: Enable functions with SSE instructions to maintain their own properly aligned stack. Fixes crashes with a general protection error when called from the ocaml bindings (Closes: #786438). Thanks Detrick Merz for the bug report, Robert Hegemann and especially Bernhard Übelacker for their help with analyzing the bug.

libapache-mod-jk (1:1.2.37-4+deb8u1) jessie-security; urgency=high

  * Team upload.
  * Add CVE-2014-8111.patch. (Closes: #783233)
    It was discovered that a JkUnmount rule for a subtree of a previous JkMount rule could be ignored. This could allow a remote attacker to potentially access a private artifact in a tree that would otherwise not be accessible to them.
    - Add option to control handling of multiple adjacent slashes in mount and unmount. New default is collapsing the slashes only in unmount. Before this change, adjacent slashes were never collapsed, so most mounts and unmounts didn't match for URLs with multiple adjacent slashes.
    - Configuration is done via new JkOption for Apache (values "CollapseSlashesAll", "CollapseSlashesNone" or "CollapseSlashesUnmount").

libav (6:11.4-1~deb8u1) jessie-security; urgency=high

  [ Sebastian Ramacher ]
  * New upstream release fixing multiple security issues.
    - h264: Make sure reinit failures mark the context as not initialized (CVE-2015-3417)
    - msrle: Use FFABS to determine the frame size in msrle_decode_pal4 (CVE-2015-3395)
    - cavs: Remove an unneeded scratch buffer
    - configure: Disable i686 for i586 and lower CPUs (debian/783082)
    - mjpegenc: Fix JFIF header byte ordering (bug/808)
    - nut: Make sure to clean up on read_header failure
    - png: Set the color range as full range
    - avi: Validate sample_size
    - nut: Check chapter creation in decode_info_header
    - alac: Reject rice_limit 0 if compression is used
    - ape: Support _0000 files with nblock smaller than 64
    - mux: Do not leave stale side data pointers in ff_interleave_add_packet()
    - avresample: Reallocate the internal buffer to the correct size (bug/825)
    - mpegts: Update the PSI/SI table only if the version change
    - rtsp: Make sure we don't write too many transport entries into a fixed-size array
    - rtpenc_jpeg: Handle case of picture dimensions not dividing by 8
    - mov: Fix little endian audio detection
    - x86: Put COPY3_IF_LT under HAVE_6REGS (gentoo/541930)
    - roqvideoenc: set enc->avctx in roq_encode_init
    - mp3: Properly use AVCodecContext API
    - libvpx: Fix mixed use of av_malloc() and av_reallocp()
    - Revert "lavfi: always check av_expr_parse_and_eval() return value"
    - alsdec: only adapt order for positive max_order
    - alsdec: check sample pointer range in revert_channel_correlation
    - aacpsy: correct calculation of minath in psy_3gpp_init
    - alsdec: limit avctx->bits_per_raw_sample to 32
    - aasc: return correct buffer size from aasc_decode_frame
    - matroskadec: fix crash when parsing invalid mkv
    - avconv: do not overwrite the stream codec context for streamcopy
    - webp: ensure that each transform is only used once
    - h264_ps: properly check cropping parameters against overflow
    - hevc: zero the correct variables on invalid crop parameters
    - hevc: make the crop sizes unsigned

  [ Reinhard Tartler ]
  * drop 01-configure-disable-i686-for-i586

libav (6:11.3-3) unstable; urgency=medium

  * Fix use of illegal instruction on i586. (Closes: #783082)
    - debian/confflags: Pass correct value to --cpu. Thanks to Bernhard Übelacker for the patch.
    - debian/patches:
      + 01-configure-disable-i686-for-i586.patch: Upstream patch to disable i686 on instructions on i586.
      + 02-configure-disable-ebx-gcc-4.9.patch: Workaround build failure with gcc 4.9 and newer by disabling the use of ebx in handwritten assembler code. Thanks to Bernhard Übelacker for the initial patch.

libav (6:11.3-2) unstable; urgency=medium

  * debian/control:
    - Bump Standards-Version to 3.9.6.
    - libav-tools: Add x264 to Suggests. (Closes: #779097)
    - Build-Depend on libx265-dev.
  * debian/libav-tools.maintscript: Remove /etc/avserver.conf. (Closes: #760763)
  * debian/confflags: Enable x265 encoder. (Closes: #780796)
  * debian/rules: Use matching version in shlibs. (LP: #1407103)

libcrypto++ (5.6.1-6+deb8u1) jessie-security; urgency=high

  * Fix CVE-2015-2141, misuse of blinding technique that is aimed at preventing timing attacks.
  * Update my email address.

libcrypto++ (5.6.1-6+deb7u1) wheezy-security; urgency=high

  * Fix CVE-2015-2141, misuse of blinding technique that is aimed at preventing timing attacks.
  * Update my email address.

libdatetime-timezone-perl (1:1.75-2+2015f) jessie; urgency=medium

  * Update to Olson database version 2015f. Add patch debian/patches olson-2015e, which updates the timezone *.pm files, using upstream's tools/parse_olson script. This update contains contemporary changes for North Korea, Uruguay, and Moldova.

libdatetime-timezone-perl (1:1.75-2+2015e) jessie; urgency=medium

  * Update to Olson database version 2015e. Add patch debian/patches/olson-2015e, which updates the timezone *.pm files, using upstream's tools/parse_olson script. This update contains contemporary changes for Morocco.

libgee-0.8 (0.16.1-1+deb8u1) jessie; urgency=medium

  * Fix default value of --enable-consistency-check, otherwise a very expensive debug option is turned on by default and would make a lot of applications unusably slow. Patch cherry-picked from upstream Git.
  * Fix the removal of the vala.stamp files so the C sources are regenerated.
  * Add missing geeutils.vapi. This file is missing in the tarball but is required if we want to rebuild the C source files.
  * Drop gee_tree_set_check from symbols file. This symbol was exported by accident due to the wrong default value of --enable-consistency-check. It doesn't appear to be used by other applications, so it should be safe to remove.
  * Add myself to Uploaders.

libio-socket-ssl-perl (2.002-2+deb8u1) jessie; urgency=medium

  * Add 0001-make-PublicSuffix-_default_data-thread-safe-by-stori.patch. Make PublicSuffix::_default_data thread safe by storing the default data inside a function inside within __DATA__. Thanks to Jonny Schulz for the report (Closes: #788035)

libisocodes (1.2.2-1~deb8u1) jessie; urgency=medium

  * Rebuild for Jessie

libisocodes (1.2.2-1) unstable; urgency=medium

  * Imported Upstream version 1.2.2
    - Fix GLib critical warning if the environment variable LANGUAGE is not set. Thanks to Paul Wise for the bug report. Closes: #787395
  * Update maintainer name

libvirt (1.2.9-9+deb8u1) jessie; urgency=medium

  [ Guido Günther ]
  * [8e4cf5a] Teach virt-aa-helper to use TEMPLATE.qemu if the domain is kvm or kqemu. Thanks to Luke Faraone for the report (Closes: #786650)
  * [ad1ff0b] Adjust gbp.conf for jessie
  * [c830a54] Disable test suite due to libxml2 bug #781232 in jessie
  * [be70aec] Fix crash on live migration this supplements 07dbec0a64783f644854a22aa0355720f0328d17. Thanks to Eckebrecht von Pappenheim (Closes: #788171)

  [ Felix Geyer ]
  * [9fb6c59] Allow access to libnl-3 configuration (Closes: #786652)

  [ intrigeri ]
  * Allow-access-to-libnl-3-config-files.patch: revert changes that are unrelated to the bug this patch is meant to fix.

  [ Daniel P. Berrange ]
  * [afae69a] Report original error when QMP probing fails with new QEMU (Closes: #780093)

libwmf (0.2.8.4-10.3+deb8u1) jessie-security; urgency=medium

  * CVE-2015-0848 CVE-2015-4588 CVE-2015-4695 CVE-2015-4696

libwmf (0.2.8.4-10.3+deb7u1) wheezy-security; urgency=low

  * CVE-2015-0848 CVE-2015-4588 CVE-2015-4695 CVE-2015-4696

linux (3.16.7-ckt11-1+deb8u3) jessie-security; urgency=high

  * path_openat(): fix double fput() (CVE-2015-5706)
  * KEYS: ensure we free the assoc array edit if edit is valid (CVE-2015-1333)
  * sctp: fix ASCONF list handling (CVE-2015-3212)
  * [x86] kvm: fix kvm_apic_has_events to check for NULL pointer (CVE-2015-4692)
  * [x86] bpf_jit: fix compilation of large bpf programs (CVE-2015-4700)
  * sg_start_req(): make sure that there's not too many elements in iovec (CVE-2015-5707)
  * md: use kzalloc() when bitmap is disabled (CVE-2015-5697)

linux (3.16.7-ckt11-1+deb8u3~bpo70+1) wheezy-backports; urgency=high

  * Rebuild for wheezy:
    - Disable architectures that weren't part of wheezy
    - Use gcc-4.6 for all architectures
    - Change ABI number to 0.bpo.4
    - [arm] btrfs: Work around bug in gcc-4.6 (fixes FTBFS)
    - linux-image: Depend on initramfs-tools without any alternatives, so that neither apt nor aptitude will automatically switch to dracut

linux (3.16.7-ckt11-1+deb8u3) jessie-security; urgency=high

  * path_openat(): fix double fput() (CVE-2015-5706)
  * KEYS: ensure we free the assoc array edit if edit is valid (CVE-2015-1333)
  * sctp: fix ASCONF list handling (CVE-2015-3212)
  * [x86] kvm: fix kvm_apic_has_events to check for NULL pointer (CVE-2015-4692)
  * [x86] bpf_jit: fix compilation of large bpf programs (CVE-2015-4700)
  * sg_start_req(): make sure that there's not too many elements in iovec (CVE-2015-5707)
  * md: use kzalloc() when bitmap is disabled (CVE-2015-5697)

linux (3.16.7-ckt11-1+deb8u2) jessie-security; urgency=high

  * [amd64] Restore "perf/x86: Further optimize copy_from_user_nmi()"
  * [amd64] Fix nested NMI handling (CVE-2015-3290, CVE-2015-3291)
    - Enable nested do_nmi handling for 64-bit kernels
    - Remove asm code that saves cr2
    - Switch stacks on userspace NMI entry
    - Reorder nested NMI checks
    - Use DF to avoid userspace RSP confusing nested NMI detection

linux (3.16.7-ckt11-1+deb8u2~bpo70+1) wheezy-backports; urgency=high
  .
  * Rebuild for wheezy:
    - Disable architectures that weren't part of wheezy
    - Use gcc-4.6 for all architectures
    - Change ABI number to 0.bpo.4
    - [arm] btrfs: Work around bug in gcc-4.6 (fixes FTBFS)
    - linux-image: Depend on initramfs-tools without any alternatives, so
      that neither apt nor aptitude will automatically switch to dracut
  .
linux (3.16.7-ckt11-1+deb8u2) jessie-security; urgency=high
  .
  * [amd64] Restore "perf/x86: Further optimize copy_from_user_nmi()"
  * [amd64] Fix nested NMI handling (CVE-2015-3290, CVE-2015-3291)
    - Enable nested do_nmi handling for 64-bit kernels
    - Remove asm code that saves cr2
    - Switch stacks on userspace NMI entry
    - Reorder nested NMI checks
    - Use DF to avoid userspace RSP confusing nested NMI detection
  .
linux (3.16.7-ckt11-1+deb8u1) jessie-security; urgency=medium
  .
  * udf: Remove repeated loads blocksize
  * udf: Check length of extended attributes and allocation descriptors
    (CVE-2015-4167)
  * udp: fix behavior of wrong checksums (CVE-2015-5364, CVE-2015-5366)
  * [amd64] Revert "perf/x86: Further optimize copy_from_user_nmi()"
    (CVE-2015-3290)

linux (3.16.7-ckt11-1+deb8u1) jessie-security; urgency=medium
  .
  * udf: Remove repeated loads blocksize
  * udf: Check length of extended attributes and allocation descriptors
    (CVE-2015-4167)
  * udp: fix behavior of wrong checksums (CVE-2015-5364, CVE-2015-5366)
  * [amd64] Revert "perf/x86: Further optimize copy_from_user_nmi()"
    (CVE-2015-3290)

linux-ftpd-ssl (0.17.33+0.3-1+deb8u1) jessie; urgency=medium
  .
  * QA Upload
  * NLST of empty directory results in segfault.
    (Closes: #788331)
    + debian/patches/500-ssl.diff: Updated.

linux-ftpd-ssl (0.17.33+0.3-1+deb7u1) wheezy; urgency=medium
  .
  * QA Upload
  * NLST of empty directory results in segfault.
    (Closes: #788331)
    + debian/patches/500-ssl.diff: Updated.

lxc (1:1.0.6-6+deb8u1) jessie-security; urgency=high
  .
  * Non-maintainer upload by the Security Team.
  * Add 0018-CVE-2015-1331-lxclock-use-run-lxc-lock-rather-than-r.patch.
    CVE-2015-1331: Directory traversal flaw that allows arbitrary file
    creation as the root user. (Closes: #793298)
  * Add 0019-CVE-2015-1334-Don-t-use-the-container-s-proc-during-.patch.
    CVE-2015-1334: Processes intended to be run inside of confined LXC
    containers could escape their AppArmor or SELinux confinement.
    (Closes: #793298)

lxc (1:1.0.6-6+deb8u1~bpo70+1) wheezy-backports; urgency=high
  .
  * Rebuild for wheezy-backports.

lynx-cur (2.8.9dev1-2+deb8u1) jessie; urgency=medium
  .
  * gnutls_set_default_priority.diff: Use gnutls_set_default_priority()
    instead of a custom priority string. The fix for the GnuTLS issue
    GNUTLS-SA-2015-2 combined with a buggy GnuTLS priority string in lynx
    breaks lynx SSL support. Preemptively apply the fix to lynx before the
    GnuTLS issue is fixed in stable. Closes: #784430

mesa (10.3.2-1+deb8u1) jessie; urgency=medium
  .
  [ Timo Aaltonen ]
  * radeonsi-disable-asynchronous-dma.diff: Disable asynchronous DMA on
    radeonsi which can cause lockups. (Closes: #775264)

motif (2.3.4-6+deb8u1) jessie-proposed-updates; urgency=medium
  .
  * Disable fix for upstream bug #1565 which caused segfaults in ddd and
    xpdf (Closes: #781995).
  * Remove XmForceGrabKeyboard@Base from d/libxm4.symbols which was
    introduced by upstream's updated fix applied in motif 2.3.4-5
    (Closes: #782678).

mozilla-gnome-keyring (0.10-1~deb8u1) jessie; urgency=medium
  .
  * New upstream release. (Closes: #797040)

mozilla-gnome-keyring (0.9~20150531gitb0170724-1) experimental; urgency=medium
  .
  * New upstream pre-release.
    (Closes: #788967, #788971)

mysql-5.5 (5.5.44-0+deb8u1) jessie-security; urgency=high
  .
  * Non-maintainer upload by the Security Team.
  * Imported Upstream version 5.5.44 to fix security issues:
    - http://www.oracle.com/technetwork/topics/security/cpujul2015-2367936.html
    - CVE-2015-4752 CVE-2015-4737 CVE-2015-2648 CVE-2015-2643 CVE-2015-2620
      CVE-2015-2582
    (Closes: #792445)

mysql-5.5 (5.5.44-0+deb7u1) wheezy-security; urgency=high
  .
  * Non-maintainer upload by the Security Team.
  * Imported Upstream version 5.5.44 to fix security issues:
    - http://www.oracle.com/technetwork/topics/security/cpujul2015-2367936.html
    - CVE-2015-4752 CVE-2015-4737 CVE-2015-2648 CVE-2015-2643 CVE-2015-2620
      CVE-2015-2582
    (Closes: #792445)

nbd (1:3.8-4+deb8u2) jessie; urgency=low
  .
  * Cherry-pick two commits from 3.10 to fix authfile parsing.
    Closes: #785727.

nss (2:3.17.2-1.1+deb8u2) jessie; urgency=medium
  .
  [ Andrew Ayer ]
  * Apply upstream patch (99_prefer_stronger_cert_chains.patch) to fix
    certificate chain generation to prefer stronger/newer certificates over
    weaker/older certs. Closes: #774195.

nss (2:3.17.2-1.1+deb8u1) jessie-security; urgency=high
  .
  * Non-maintainer upload by the Security Team.
  * Add 99_CVE-2015-2721.patch patch.
    CVE-2015-2721: NSS incorrectly permits skipping of ServerKeyExchange.
  * Add 100_CVE-2015-2730.patch patch.
    CVE-2015-2730: ECDSA signature validation fails to handle some
    signatures correctly.

ocl-icd (2.2.3-1+deb8u1) jessie; urgency=medium
  .
  * Fix "clSVMFree never called in OpenCL ICD" (Closes: #787941)
    The patch is backported from upstream
  * ocl-icd-opencl-dev: Bump the Breaks/Replaces on nvidia-libopencl1 to
    cover new upstream releases of nvidia-graphics-drivers (304.xx legacy
    series) in wheezy (backported patch from sid by Andreas Beckmann in
    #787952)

openafs (1.6.9-2+deb8u3) jessie-security; urgency=high
  .
  * Apply upstream security patches from the 1.6.13 release (thanks to
    Benjamin Kaduk for providing the patches):
    - OPENAFS-SA-2015-001 (CVE-2015-3282): vos leaks stack data onto the
      wire when creating vldb entries
    - OPENAFS-SA-2015-002 (CVE-2015-3283): bos commands can be spoofed,
      including some which alter server state
    - OPENAFS-SA-2015-003 (CVE-2015-3284): pioctls leak kernel memory
      contents
    - OPENAFS-SA-2015-004 (CVE-2015-3285): kernel pioctl support for OSD
      command parsing can trigger a panic
    - OPENAFS-SA-2015-006 (CVE-2015-3287): Buffer overflow in OpenAFS
      vlserver
  * The patch for OPENAFS-SA-2015-005 is not applied, since that
    vulnerability is limited to the Solaris kernel module

opensaml2 (2.5.3-2+deb8u1) jessie-security; urgency=high
  .
  * Rebuild against fixed xmltooling for DSA 3321-1

openssl (1.0.1k-3+deb8u1) jessie-security; urgency=medium
  .
  * Fix CVE-2015-1791
  * Fix CVE-2015-1792
  * Fix CVE-2015-1789
  * Fix CVE-2015-1790
  * Fix CVE-2015-1788
  * CVE-2015-4000: Have minimum of 768 bit for DH

p7zip (9.20.1~dfsg.1-4.1+deb8u1) jessie-security; urgency=medium
  .
  * Non-maintainer upload.
  * Delay creation of symlinks to prevent arbitrary file writes
    (CVE-2015-1038) (Closes: #774660)

pdf.js (1.0.907+dfsg-1+deb8u1) jessie; urgency=medium
  .
  * Drop xul-ext-pdf.js package since it's not compatible with iceweasel 38

pdns (3.4.1-4+deb8u2) jessie-security; urgency=high
  .
  * Security update: apply second patch for CVE-2015-1868

pdns-recursor (3.6.2-2+deb8u2) jessie-security; urgency=high
  .
  * Security update: apply second patch for CVE-2015-1868

postgresql-9.1 (9.1.18-0+deb8u1) jessie; urgency=medium
  .
  * New upstream release: No effective changes for PL/Perl, the version
    must just be higher than the one in wheezy.

postgresql-9.1 (9.1.18-0+deb7u1) wheezy; urgency=medium
  .
  * New upstream version.
    + Fix rare failure to invalidate relation cache init file
  * Remove obsolete .bzr-builddeb/.

postgresql-9.1 (9.1.17-0+deb8u1) jessie; urgency=medium
  .
  * New upstream release: No effective changes for PL/Perl, the version
    must just be higher than the one in wheezy.

postgresql-9.1 (9.1.17-0+deb7u1) wheezy; urgency=medium
  .
  * New upstream version including the fsync fix.

postgresql-9.4 (9.4.4-0+deb8u1) jessie; urgency=medium
  .
  * New upstream version.
    + Fix possible failure to recover from an inconsistent database state
    + Fix rare failure to invalidate relation cache init file

postgresql-9.4 (9.4.3-1) unstable; urgency=medium
  .
  * New upstream version: Avoid failures while fsync'ing data directory
    during crash restart (Abhijit Menon-Sen, Tom Lane; Closes: #786874)

prosody (0.9.7-2+deb8u1) jessie; urgency=medium
  .
  * Apply upstream patch which fixes CNAME DNS record resolution
    (closes: #787070)

pyjwt (0.2.1-1+deb8u1) jessie-security; urgency=medium
  .
  * debian/patches/01_not-use-asymmetric-keys-as-HMAC.patch
    - Add a check so that asymmetric keys cannot be used as HMAC secrets.
      See for more details:
      https://auth0.com/blog/2015/03/31/critical-vulnerabilities-in-json-web-token-libraries/
      (Closes: #781640)

python-apt (0.9.3.12) jessie; urgency=medium
  .
  [ Julian Andres Klode ]
  * apt/cache.py: Work around a cyclic reference from Cache to its methods
    (Closes: #745487)
  * python/arfile.cc: LFS: Use long long instead of long for file sizes
  * python/arfile.cc: Do not allow files larger than SIZE_MAX to be mapped
  * python/tarfile.cc: LFS: Handle too large file
  * apt.debfile: Fix splitting of multi-lines Binary fields in dsc files
    (Closes: #751770)
  * apt/debfile.py: Arch-qualify in compare_to_version_in_cache()
    (Closes: #750189)
  .
  [ Michael Vogt ]
  * Fix apt.Package.installed_files for multi-arch packages (LP: #1313699)

python-django (1.7.7-1+deb8u2) jessie-security; urgency=medium
  .
  * SECURITY UPDATE:
    - CVE-2015-5963: Possible denial-of-service via logout()

python-django (1.7.7-1+deb8u1) jessie-security; urgency=high
  .
  * SECURITY UPDATE:
    - CVE-2015-5143: possible denial-of-service via session store
    - CVE-2015-5144: email header injection via newlines

python-keystoneclient (1:0.10.1-2+deb8u1) jessie-proposed-updates; urgency=high
  .
  * CVE-2015-1852: S3token incorrect condition expression for ssl_insecure.
    Applied upstream patch: Fix s3_token middleware parsing insecure option.
    (Closes: #783164)
  * Added python-oslo.utils (build-)depends introduced by this patch.

python-keystonemiddleware (1.0.0-3+deb8u1) jessie-proposed-updates; urgency=medium
  .
  * Refreshed patches.
  * cve-2015-1852: S3Token TLS cert verification option not honored.
    Applied upstream patch.
  * Added python-oslo.utils new (build-)depends introduced by this patch.

python-reportlab (3.1.8-3+deb8u1) jessie; urgency=medium
  .
  * Non-maintainer upload.
  * Add handle-png-with-transparency.patch to avoid failing when reading a
    PNG with transparency. Closes: #785023
    This fixes a regression compared to the version in Wheezy.

python-swiftclient (1:2.3.1-1+deb8u1) jessie-proposed-updates; urgency=medium
  .
  * Added missing dependency on python-pkg-resources (Closes: #789685).

qemu (1:2.1+dfsg-12+deb8u1) jessie-security; urgency=high
  .
  * slirp-use-less-predictable-directory-name-in-tmp-CVE-2015-4037.patch
    (Closes: CVE-2015-4037)
  * 11 patches for XEN PCI pass-through issues
    (Closes: #787547 CVE-2015-4103 CVE-2015-4104 CVE-2015-4105 CVE-2015-4106)
  * pcnet-force-buffer-access-to-be-in-bounds-CVE-2015-3209.patch
    with preparation bugfix pcnet-fix-negative-array-index-read.patch
    from upstream (Closes: #788460 CVE-2015-3209)

r-cran-rcurl (1.95-4.3-1+deb8u1) jessie; urgency=medium
  .
  * Team upload.
  * Build-Depend on libcurl4-openssl-dev only (Closes: #786473).

rawtherapee (4.2-1+deb8u1) jessie; urgency=high
  .
  * Add patch debian/patches/02-fix_CVE-2015-3885.patch:
    - Fix dcraw input sanitization errors (CVE-2015-3885)

redis (2:2.8.17-1+deb8u1) jessie-security; urgency=high
  .
  * Fix Lua sandbox bypass by disabling Lua bytecode loading as per
    CVE-2015-4335

request-tracker4 (4.2.8-3+deb8u1) jessie-security; urgency=high
  .
  * Non-maintainer upload by the Security Team.
  * Add CVE-2015-5475.patch patch.
    CVE-2015-5475: Cross-site scripting attack via the user and group
    rights management pages.
  * Add XSS-cryptography-interface.patch patch.
    Fixes cross-site scripting attack via the cryptography interface.

requestpolicy (0.5.29-1) jessie; urgency=medium
  .
  * Team upload, targeted to Jessie
  * Imported Upstream version 0.5.29: restore compatibility with
    iceweasel 38 (Closes: #786565)

rsyslog (8.4.2-1+deb8u1) jessie; urgency=medium
  .
  * Disable transactions in ompgsql as they were not working properly.
    Patch cherry-picked from upstream Git. (Closes: #788183)

ruby-rack (1.5.2-3+deb8u1) jessie-security; urgency=high
  .
  * Create cherry-picked patch for Security Fix (Closes: #789311).
    - CVE-2015-3225: 0001-Fix-Params_Depth.patch
      Default depth at which the parameter parser will raise an exception
      for being too deep, allows remote attackers to cause a denial of
      service (SystemStackError) via a request with a large parameter depth.
  * Add 0002-Add-missing-require-to-response.rb.patch.
    Add missing require of rack/body_proxy in response.rb

ruby2.1 (2.1.5-2+deb8u2) jessie; urgency=high
  .
  * Apply upstream patches to fix Request hijacking vulnerability in
    Rubygems [CVE-2015-3900] (Closes: #790119)

strongswan (5.2.1-6+deb8u1) jessie-security; urgency=high
  .
  * debian/patches:
    - CVE-2015-4171_enforce_remote_auth added, fix potential leak of
      authentication credential to rogue server when using PSK or EAP.
      This is CVE-2015-4171.

strongswan (5.2.1-6+deb8u1~bpo70+1) wheezy-backports; urgency=high
  .
  * Rebuild for wheezy-backports.
  .
strongswan (5.2.1-6+deb8u1) jessie-security; urgency=high
  .
  * debian/patches:
    - CVE-2015-4171_enforce_remote_auth added, fix potential leak of
      authentication credential to rogue server when using PSK or EAP.
      This is CVE-2015-4171.
  .
strongswan (5.2.1-6) unstable; urgency=medium
  .
  * Ship /lib/systemd/system/ipsec.service as a symlink to
    strongswan.service in strongswan-starter instead of using Alias= in the
    service file. This makes the ipsec name available to invoke-rc.d before
    the service gets actually enabled, which avoids some confusion
    (closes: #781209).

stunnel4 (3:5.06-2+deb8u1) jessie-security; urgency=high
  .
  * Non-maintainer upload by the Security Team.
  * Add 17-CVE-2015-3644.patch patch.
    CVE-2015-3644: authentication bypass with the "redirect" option.
    (Closes: #785352)

subversion (1.8.10-6+deb8u1) jessie-security; urgency=high
  .
  * Add (Build-)Depends on apache2 packages necessary for security fixes.
  * patches/CVE-2015-3814: Mixed anonymous/authenticated path-based authz
    with httpd 2.4
  * patches/CVE-2015-3817: svn_repos_trace_node_locations() reveals paths
    hidden by authz

subversion (1.8.10-6+deb8u1~bpo70+1) wheezy-backports; urgency=medium
  .
  * Rebuild for wheezy-backports.
  * Use libdb5.1 instead of 5.3.
  * Create libapache2-mod-svn maintainer scripts manually instead of using
    dh_apache2.
  * Adapt ruby libdir as it's not multiarched in wheezy.
  * Add ruby1.8 and ruby1.8-dev to Build-Conflicts to make sure the same
    versions of ruby and ruby-dev are installed.
  * Remove dependency on apache2-bin, not needed for apache 2.2.
  .
subversion (1.8.10-6+deb8u1) jessie-security; urgency=high
  .
  * Add (Build-)Depends on apache2 packages necessary for security fixes.
  * patches/CVE-2015-3814: Mixed anonymous/authenticated path-based authz
    with httpd 2.4
  * patches/CVE-2015-3817: svn_repos_trace_node_locations() reveals paths
    hidden by authz

symfony (2.3.21+dfsg-4+deb8u1) jessie-security; urgency=high
  .
  [ Daniel Beyer ]
  * Backport a security fix from 2.3.29
    - ESI unauthorized access [CVE-2015-4050]

syslinux (3:6.03+dfsg-5+deb8u1) jessie; urgency=low
  .
  * Cherry-pick upstream patches that fix booting on some Chromebooks
    (Closes: #780765):
    - 0005-load-linux-correct-type.patch
    - 0006-load-linux-protected-mode.patch

systemd (215-17+deb8u2) stable; urgency=medium
  .
  * Disable default DNS servers in systemd-resolved. In v215 they are
    always added to resolv.conf as fallback entries even when DNS servers
    were acquired from systemd-networkd. (Closes: #787731)
  * Use strictly versioned dependency on libsystemd-dev for the
    transitional dev packages. The .pc files of the compat libraries
    declare a strictly versioned dependency on libsystemd.pc, so reflect
    that in the package dependencies as well. (Closes: #794290)
  * udev: Increase udev event timeout to 180s. Some kernel modules, like
    mptsas, can take longer than 30s to load so udevd kills the (hanging)
    worker responsible for loading the module. Increase timeout from 30s to
    180s to work around this issue. Thanks Faidon Liambotis.
    (Closes: #787191)

tabmixplus (0.4.1.8-1~deb8u1) jessie; urgency=medium
  .
  * Track the jessie branch

tabmixplus (0.4.1.8~150607a3-1) experimental; urgency=medium
  .
  [ onemen ]
  * Update maxVersion to 41.0a1
  .
  [ David Prévot ]
  * Fix copyright

tabmixplus (0.4.1.8~150317a1-1) experimental; urgency=medium
  .
  * Imported Upstream version 0.4.1.8~150317a1

tabmixplus (0.4.1.8~150303a1-1) experimental; urgency=medium
  .
  [ onemen ]
  * Update maxVersion to 39.0a1

tabmixplus (0.4.1.7-1) unstable; urgency=medium
  .
  * Upload stable release to unstable, since Jessie is being released
  .
  [ onemen ]
  * Version update to 0.4.1.7
  .
  [ David Prévot ]
  * Track stable releases

tabmixplus (0.4.1.7~150212a1-1) experimental; urgency=medium
  .
  * Imported Upstream version 0.4.1.7~150212a1

tabmixplus (0.4.1.7~150126a1-1) experimental; urgency=medium
  .
  [ onemen ]
  * Update maxVersion to 38.0a1

tabmixplus (0.4.1.7~150112a1-1) experimental; urgency=medium
  .
  * Imported Upstream version 0.4.1.7~150112a1

tabmixplus (0.4.1.6-1) experimental; urgency=medium
  .
  * Imported Upstream version 0.4.1.6

tabmixplus (0.4.1.6~141229a1-1) experimental; urgency=medium
  .
  * Imported Upstream version 0.4.1.6~141229a1

tabmixplus (0.4.1.6~141222a1-1) experimental; urgency=medium
  .
  [ onemen ]
  * Update maxVersion to 37.0a1

tabmixplus (0.4.1.6~141114a1-1) experimental; urgency=medium
  .
  * Imported Upstream version 0.4.1.6~141114a1

tabmixplus (0.4.1.6~141025a1-1) experimental; urgency=medium
  .
  [ onemen ]
  * Can't change new tab button position when tabbar is below content
  * The tabs are cut off by the bottom of the window, when tabs are on the
    bottom, the window isn't maximized and the menu bar is hidden

tabmixplus (0.4.1.6~141014a2-1) experimental; urgency=medium
  .
  [ onemen ]
  * Tab width expands when mouse is over the tab
  * Don't add id with colon, it causes document.querySelector to throw an
    exception - An invalid or illegal string was specified
  * Don't change session preference when Session manager extension
    installed
  * Restore Defaults doesn't work when there are pending changes

tabmixplus (0.4.1.6~141014a1-1) experimental; urgency=medium
  .
  [ onemen ]
  * Update compatibility with Tile Tabs 11.12
  * Tabs merged in reverse order, when the preference openTabNext is true
    and both browser.tabs.insertRelatedAfterCurrent and openTabNextInverse
    are false
  * Use left and right close tab button on tab to show on mouse hover,
    remove showhover-box and button
  * Disable close tab button on left side when the button is not inside
    tab-content

tabmixplus (0.4.1.6~140926a1-1) experimental; urgency=medium
  .
  [ onemen ]
  * "Open new tabs next to current one" option is not working.
  * Unloaded tabs don't have an icon
  * Follow up bug 1000513 - Combined navigation items in the context menu
  * Fix incompatibility with UnloadTab extension
  * Fix incompatibility with WEB.DE MailCheck extension
  .
  [ David Prévot ]
  * Track pre-releases, and upload to experimental

tcpdump (4.6.2-5+deb8u1) stable; urgency=low
  .
  * Cherry-pick commit 3f15ae25c2 from upstream Git to fix -Z confirmation
    log being sent to stdout, where it can get mixed with pcap stream data
    if '-w -' is used (closes: #793479).

tidy (20091223cvs-1.4+deb8u1) jessie-security; urgency=high
  .
  * Fix heap buffer overflow and memory saturation on invalid HTML input as
    per CVE-2015-5522 and CVE-2015-5523 (Closes: #792571)

torrus (2.08-1+deb8u1) jessie; urgency=medium
  .
  * Revert broken patch refresh in commit 486f4baa (Closes: #774851)
    This bug was introduced in the Jessie development cycle and breaks
    functionality of rrdup_notify due to looking in the wrong path
  * debian/gbp.conf: Point to jessie branch

twig (1.16.2-1+deb8u1) jessie-security; urgency=high
  .
  * gbp: Track the Jessie branch
  * Backport security fixes from 1.20.0
    - forbid access to the Twig environment from templates and internal
      parts of Twig_Template
    - fixed limited RCEs when in sandbox mode

tzdata (2015f-0+deb8u1) stable; urgency=medium
  .
  * New upstream version, affecting the following future time stamps:
    - North Korea switches to +0830 on 2015-08-15.
    - Uruguay no longer observes DST.

tzdata (2015f-0+deb7u1) oldstable; urgency=medium
  .
  * New upstream version, affecting the following future time stamps:
    - North Korea switches to +0830 on 2015-08-15.
    - Uruguay no longer observes DST.

tzdata (2015e-1) unstable; urgency=medium
  .
  [ Aurelien Jarno ]
  * New upstream version:
    - DST suspension from 2015-06-14 03:00 through 2015-07-19 02:00 in
      Morocco.
  * Change the Provides: to tzdata-stretch from tzdata-jessie.

tzdata (2015e-0+deb8u1) stable; urgency=medium
  .
  * New upstream version:
    - DST suspension from 2015-06-14 03:00 through 2015-07-19 02:00 in
      Morocco.

tzdata (2015e-0+deb7u1) oldstable; urgency=medium
  .
  * New upstream version:
    - DST suspension from 2015-06-14 03:00 through 2015-07-19 02:00 in
      Morocco.

tzdata (2015d-1) unstable; urgency=medium
  .
  [ Adam Conrad ]
  * New upstream release with yet another urgent DST change for Egypt.
  * Install leap-seconds.list to /usr/share/zoneinfo (Closes: #775166)
  .
  [ Aurelien Jarno ]
  * Install zone1970.tab. Closes: #782646.

ufraw (0.20-2+deb8u1) jessie; urgency=high
  .
  * dcraw.cc: Apply patch from
    https://bugzilla.redhat.com/attachment.cgi?id=1027072&action=diff
    to prevent buffer overflow in ljpeg_start
    (Closes: #786783, CVE-2015-3885)

unattended-upgrades (0.83.3.2+deb8u1) jessie-security; urgency=high
  .
  * fix missing package authentication check for apt configurations that
    force-{confold,confnew} (CVE-2015-1330)
  .
unattended-upgrades (0.83.3.2) stable; urgency=low
  .
  * Rebuild in a clean schroot (closes: #783690, #788066)
  * Cherry pick 4c755d7 so that the optional automatic-reboot feature works
    again (closes: #788358)

unattended-upgrades (0.83.3.2) stable; urgency=low
  .
  * Rebuild in a clean schroot (closes: #783690, #788066)
  * Cherry pick 4c755d7 so that the optional automatic-reboot feature works
    again (closes: #788358)

vlc (2.2.0~rc2-2+deb8u1) jessie-security; urgency=high
  .
  * Non-maintainer upload by the Security Team.
  * Add CVE-2015-5949.patch patch.
    CVE-2015-5949: Insufficient restrictions on a writable buffer in the
    3GP file format parser can be exploited to execute arbitrary code via a
    specially crafted 3GP file.

wesnoth-1.10 (1:1.10.7-2+deb8u1) jessie; urgency=medium
  .
  * Security fix: Disallowed inclusion of .pbl files from WML, independent
    of extension case (CVE-2015-5069, CVE-2015-5070).

wesnoth-1.10 (1:1.10.7-2+deb8u1~bpo70+1) wheezy-backports; urgency=medium
  .
  * Rebuild for wheezy-backports.
  * Revert changes for ttf-dejavu -> fonts-dejavu-core which isn't in
    wheezy.

wireshark (1.12.1+g01b65bf-4+deb8u2) jessie-security; urgency=high
  .
  * security fixes from Wireshark 1.12.6:
    - WCCP dissector crash (CVE-2015-4651)
    - GSM DTAP dissector crash (CVE-2015-4652)

wireshark (1.12.1+g01b65bf-4+deb8u1) jessie-security; urgency=high
  .
  * security fixes from Wireshark 1.12.5:
    - The LBMR dissector could go into an infinite loop (CVE-2015-3809)
    - The WebSocket dissector could recurse excessively (CVE-2015-3810)
    - The WCP dissector could crash while decompressing data (CVE-2015-3811)
    - The X11 dissector could leak memory (CVE-2015-3812)
    - The packet reassembly code could leak memory (CVE-2015-3813)
    - The IEEE 802.11 dissector could go into an infinite loop
      (CVE-2015-3814)
    - The Android Logcat file parser could crash. Discovered by Hanno Böck.
      (CVE-2015-3815)

wordpress (4.1+dfsg-1+deb8u4) jessie-security; urgency=high
  .
  * Rework changeset 33359 reliable shortcodes CVE-2015-5622
    Closes: #794548
  * Backports of 4.2.4 security fixes Closes: #794560
  * Changeset 33555 SQL Injection CVE-2015-2213
  * Changeset 33535 fixes timing attack CVE-2015-4730
  * Changeset 33542 prevent posts lock attack CVE-2015-5731
  * Changeset 33529 XSS widget title CVE-2015-5732
  * CVE-2015-5733: Not vulnerable CS32176 fixes this
  * Changeset 33549 theme preview XSS CVE-2015-5734

wordpress (4.1+dfsg-1+deb8u3) jessie-security; urgency=high
  .
  * Non-maintainer upload by the Security Team
  * Back out faulty patch:
    - Changeset 33359 reliable shortcodes CVE-2015-5622

wordpress (4.1+dfsg-1+deb8u2) jessie-security; urgency=high
  .
  * Removed genericons example files CVE-2015-3429 Closes: #784603
  * Backports of 4.1.3 security fixes
    - Changeset 33357 autodraft perms CVE-2015-5623
    - Changeset 33359 reliable shortcodes CVE-2015-5622

xemacs21 (21.4.22-14~deb8u1) jessie; urgency=medium
  .
  * Non-maintainer upload.
  * Rebuild for jessie.
  .
xemacs21 (21.4.22-14) unstable; urgency=low
  .
  * Clean up after half baked removal of circular dependency, add an empty
    versioned lib directory now dpkg does the right thing with that
    (closes: #783704).
  .
xemacs21 (21.4.22-13) unstable; urgency=low
  .
  * Clean up after half baked removal of circular dependency, add an empty
    versioned lib directory now dpkg does the right thing with that
    (closes: #783704).
  .
xemacs21 (21.4.22-12) unstable; urgency=low
  .
  * Remove dependency from support to binary package since the binary
    package already has the equivalent dependency (closes: #735268).
  * Conflict against old transitional packages to make absolutely sure that
    they are removed before we try to upgrade (closes: #775733).
  * Above changes originally from Andreas Beckmann
  .
xemacs21 (21.4.22-13) unstable; urgency=low
  .
  * Clean up after half baked removal of circular dependency, add an empty
    versioned lib directory now dpkg does the right thing with that
    (closes: #783704).

xemacs21 (21.4.22-12) unstable; urgency=low
  .
  * Remove dependency from support to binary package since the binary
    package already has the equivalent dependency (closes: #735268).
  * Conflict against old transitional packages to make absolutely sure that
    they are removed before we try to upgrade (closes: #775733).
  * Above changes originally from Andreas Beckmann
  .
xen (4.4.1-9+deb8u1) jessie-security; urgency=medium
  .
  * Apply fix for CVE-2015-4163 (XSA 134)
    - gnttab: add missing version check to GNTTABOP_swap_grant_ref handling
      ... avoiding NULL derefs when the version to use wasn't set yet
  * Apply fix for CVE-2015-4164 (XSA 136)
    - x86/traps: loop in the correct direction in compat_iret()

xmltooling (1.5.3-2+deb8u1) jessie-security; urgency=high
  .
  * Apply security fix from 1.5.5 for CVE-2015-0851 DoS (Closes: #793855):
    Shibboleth SP software crashes on well-formed but invalid XML

xserver-xorg-video-modesetting (0.9.0-2) jessie; urgency=medium
  .
  * Merge from upstream master:
    + modesetting: Don't pretend to support rotation (closes: #791644)

xserver-xorg-video-modesetting (0.9.0-1+exp1) experimental; urgency=low
  .
  * Rebuild against xorg 1.16 rc.

zendframework (1.12.9+dfsg-2+deb8u3) jessie-security; urgency=high
  .
  * ZF2015-06: XXE/XEE vector when using ZendXml on multibyte payloads
    http://framework.zend.com/security/advisory/ZF2015-06
    [CVE-2015-5161]

====================================== Sat, 06 Jun 2015 - Debian 8.1 released ======================================

=========================================================================
[Date: Sat, 06 Jun 2015 10:31:34 +0000] [ftpmaster: Archive Administrator]
Removed the following packages from stable:

    k8temp | 0.4.0-2 | source

------------------- Reason -------------------
[auto-cruft] obsolete source package
----------------------------------------------
=========================================================================

=========================================================================
[Date: Sat, 06 Jun 2015 10:31:42 +0000] [ftpmaster: Archive Administrator]
Removed the following packages from stable:

    libinotify-kqueue | 20120419-1 | source

------------------- Reason -------------------
[auto-cruft] obsolete source package
----------------------------------------------
=========================================================================

=========================================================================
[Date: Sat, 06 Jun 2015 10:31:50 +0000] [ftpmaster: Archive Administrator]
Removed the following packages from stable:

    cuse4bsd | 0~svn2434-2 | source

------------------- Reason -------------------
[auto-cruft] obsolete source package
----------------------------------------------
=========================================================================

=========================================================================
[Date: Sat, 06 Jun 2015 10:31:58 +0000] [ftpmaster: Archive Administrator]
Removed the following packages from stable:

    freebsd-quota | 8.2-3 | source

------------------- Reason -------------------
[auto-cruft] obsolete source package
----------------------------------------------
=========================================================================
=========================================================================
[Date: Sat, 06 Jun 2015 10:32:05 +0000] [ftpmaster: Archive Administrator]
Removed the following packages from stable:

    kfreebsd-downloader-10 | 10.0-1 | source

------------------- Reason -------------------
[auto-cruft] obsolete source package
----------------------------------------------
=========================================================================

=========================================================================
[Date: Sat, 06 Jun 2015 10:32:14 +0000] [ftpmaster: Archive Administrator]
Removed the following packages from stable:

    libsystemd-dummy | 208-2 | source

------------------- Reason -------------------
[auto-cruft] obsolete source package
----------------------------------------------
=========================================================================

=========================================================================
[Date: Sat, 06 Jun 2015 10:32:22 +0000] [ftpmaster: Archive Administrator]
Removed the following packages from stable:

    xserver-xorg-video-nv | 1:2.1.20-3 | source

------------------- Reason -------------------
[auto-cruft] obsolete source package
----------------------------------------------
=========================================================================

=========================================================================
[Date: Sat, 06 Jun 2015 10:32:30 +0000] [ftpmaster: Archive Administrator]
Removed the following packages from stable:

    partman-ufs | 19 | source

------------------- Reason -------------------
[auto-cruft] obsolete source package
----------------------------------------------
=========================================================================

=========================================================================
[Date: Sat, 06 Jun 2015 10:32:39 +0000] [ftpmaster: Archive Administrator]
Removed the following packages from stable:

    zfsutils | 10.1~svn272500-1 | source

------------------- Reason -------------------
[auto-cruft] obsolete source package
----------------------------------------------
=========================================================================

=========================================================================
[Date: Sat, 06 Jun 2015 10:32:45 +0000] [ftpmaster: Archive Administrator]
Removed the following packages from stable:

    freebsd-smbfs | 10.1~svn272500-1 | source

------------------- Reason -------------------
[auto-cruft] obsolete source package
----------------------------------------------
=========================================================================

=========================================================================
[Date: Sat, 06 Jun 2015 10:32:53 +0000] [ftpmaster: Archive Administrator]
Removed the following packages from stable:

    fuse4bsd | 0.3.9~pre1.20080208-9 | source

------------------- Reason -------------------
[auto-cruft] obsolete source package
----------------------------------------------
=========================================================================

=========================================================================
[Date: Sat, 06 Jun 2015 10:33:00 +0000] [ftpmaster: Archive Administrator]
Removed the following packages from stable:

    ufsutils | 10.1~svn272500-1 | source

------------------- Reason -------------------
[auto-cruft] obsolete source package
----------------------------------------------
=========================================================================

=========================================================================
[Date: Sat, 06 Jun 2015 10:33:08 +0000] [ftpmaster: Archive Administrator]
Removed the following packages from stable:

    freebsd-utils | 10.1~svn273304-1 | source

------------------- Reason -------------------
[auto-cruft] obsolete source package
----------------------------------------------
=========================================================================
========================================================================= [Date: Sat, 06 Jun 2015 10:33:14 +0000] [ftpmaster: Archive Administrator] Removed the following packages from stable: kfreebsd-kernel-headers | 10.1~5 | source ------------------- Reason ------------------- [auto-cruft] obsolete source package ---------------------------------------------- ========================================================================= ========================================================================= [Date: Sat, 06 Jun 2015 10:33:21 +0000] [ftpmaster: Archive Administrator] Removed the following packages from stable: kfreebsd-defaults | 10+2 | source ------------------- Reason ------------------- [auto-cruft] obsolete source package ---------------------------------------------- ========================================================================= ========================================================================= [Date: Sat, 06 Jun 2015 10:33:29 +0000] [ftpmaster: Archive Administrator] Removed the following packages from stable: partman-zfs | 45 | source ------------------- Reason ------------------- [auto-cruft] obsolete source package ---------------------------------------------- ========================================================================= base-files (8+deb8u1) stable; urgency=low . * Changed /etc/debian_version to 8.1, for Debian 8.1 point release. berkeley-abc (1.01+20140822hg4d547a5+dfsg-1+deb8u1) stable-proposed-updates; urgency=medium . * Fixed "Broken on big-endian architectures" (Closes: #782027) - (debian/patches/abc-bugfix-20150403.diff) * Fixed memory alignment problem (Closes: #786916) - (debian/patches/04_memory_alignment_fix.patch) * Fixed FTBFS during reproducibility tests (Closes: 780449) - (debian/patches/reproducibility.patch) blackbox (0.70.1-23+deb8u1) stable; urgency=medium . * QA upload. * debian/patches: Added focus.patch. Fixes bug #784955. caja (1.8.2-3+deb8u1) jessie-proposed-updates; urgency=medium . 
  * debian/patches:
    + Add 0004_avoid-automounts-while-screen-is-locked.patch. Don't mount
      newly added USB flash drives / optical disks / etc. while a session
      is locked by the screensaver. Delay the automounting action until
      the session has been unlocked again. (Closes: #781608).

chromium-browser (43.0.2357.65-1~deb8u1) jessie-security; urgency=medium
  .
  * New upstream stable release:
    - CVE-2015-1252: Sandbox escape in Chrome. Credit to anonymous.
    - CVE-2015-1253: Cross-origin bypass in DOM. Credit to anonymous.
    - CVE-2015-1254: Cross-origin bypass in Editing. Credit to armin@rawsec.net.
    - CVE-2015-1255: Use-after-free in WebAudio. Credit to Khalil Zhani.
    - CVE-2015-1256: Use-after-free in SVG. Credit to Atte Kettunen.
    - CVE-2015-1251: Use-after-free in Speech. Credit to SkyLined.
    - CVE-2015-1257: Container-overflow in SVG. Credit to miaubiz.
    - CVE-2015-1258: Negative-size parameter in Libvpx. Credit to cloudfuzzer.
    - CVE-2015-1259: Uninitialized value in PDFium. Credit to Atte Kettunen.
    - CVE-2015-1260: Use-after-free in WebRTC. Credit to Khalil Zhani.
    - CVE-2015-1261: URL bar spoofing. Credit to Juho Nurminen.
    - CVE-2015-1262: Uninitialized value in Blink. Credit to miaubiz.
    - CVE-2015-1263: Insecure download of spellcheck dictionary. Credit to Mike Ruddy.
    - CVE-2015-1264: Cross-site scripting in bookmarks. Credit to K0r3Ph1L.

chromium-browser (42.0.2311.135-2) unstable; urgency=medium
  .
  * Remove src/ prefix in debian/copyright.
  * Fix path to default configuration files.
  * Describe omnibox search in README.debian (closes: #781591).
  * Fix application name in the launcher script (closes: #783858).
  * Set CHROME_WRAPPER to /usr/bin/chromium by default (closes: #783097).

chromium-browser (42.0.2311.135-1) unstable; urgency=medium
  .
  [ Michael Gilbert ]
  * Remove some unneeded files from the upstream tarball.
  * Move default configuration files to /usr/share/chromium.
  * New upstream stable release:
    - CVE-2015-1243: Use-after-free in DOM. Credit to Saif El-Sherei.
    - CVE-2015-1250: Various fixes from internal audits, fuzzing and other
      initiatives.
  .
  [ Shawn Landden ]
  * Suppress first run welcome page.
  * Turn off safebrowsing.
  * Turn off pinging Google on 404 and other HTTP errors.

chromium-browser (42.0.2311.135-1~deb8u1) jessie-security; urgency=high
  .
  * New upstream stable release:
    - CVE-2015-1243: Use-after-free in DOM. Credit to Saif El-Sherei.
    - CVE-2015-1250: Various fixes from internal audits, fuzzing and other
      initiatives.

chromium-browser (42.0.2311.90-2) unstable; urgency=medium
  .
  * Update debian/copyright.
  * Drop some unused patches.
  * Drop chromium-inspector package.
  * Remove Giuseppe from the uploaders.
    - Many thanks for the prior contributions.
  * Fix built on text (closes: #782052).
  * Fix path to master_preferences (closes: #777708).
  * Disable default browser warning (closes: #777265).
  * Conflict with libgl1-mesa-swx11 (closes: #776388).
  * Add MHTML mimetype to chromium.desktop (closes: #769039).
  * Tighten chromium-l10n versioned dependency (closes: #781505).

chromium-browser (42.0.2311.90-1) unstable; urgency=medium
  .
  * New upstream stable release:
    - CVE-2015-1235: Cross-origin-bypass in HTML parser. Credit to anonymous.
    - CVE-2015-1236: Cross-origin-bypass in Blink. Credit to Amitay Dobo.
    - CVE-2015-1237: Use-after-free in IPC. Credit to Khalil Zhani.
    - CVE-2015-1238: Out-of-bounds write in Skia. Credit to cloudfuzzer.
    - CVE-2015-1240: Out-of-bounds read in WebGL. Credit to w3bd3vil.
    - CVE-2015-1241: Tap-Jacking. Credit to Phillip Moon and Matt Weston.
    - CVE-2015-1242: Type confusion in V8. Credit to fcole@onshape.com.
    - CVE-2015-1244: HSTS bypass in WebSockets. Credit to Mike Ruddy.
    - CVE-2015-1245: Use-after-free in PDFium. Credit to Khalil Zhani.
    - CVE-2015-1246: Out-of-bounds read in Blink. Credit to Atte Kettunen.
    - CVE-2015-1247: Scheme issues in OpenSearch. Credit to Jann Horn.
    - CVE-2015-1248: SafeBrowsing bypass. Credit to Vittorio Gambaletta.
    - CVE-2015-1249: Various fixes from internal audits, fuzzing and other
      initiatives. Also multiple issues in v8 4.2.77.14.

chromium-browser (42.0.2311.90-1~deb8u1) jessie-security; urgency=high
  .
  * New upstream stable release:
    - CVE-2015-1235: Cross-origin-bypass in HTML parser. Credit to anonymous.
    - CVE-2015-1236: Cross-origin-bypass in Blink. Credit to Amitay Dobo.
    - CVE-2015-1237: Use-after-free in IPC. Credit to Khalil Zhani.
    - CVE-2015-1238: Out-of-bounds write in Skia. Credit to cloudfuzzer.
    - CVE-2015-1240: Out-of-bounds read in WebGL. Credit to w3bd3vil.
    - CVE-2015-1241: Tap-Jacking. Credit to Phillip Moon and Matt Weston.
    - CVE-2015-1242: Type confusion in V8. Credit to fcole@onshape.com.
    - CVE-2015-1244: HSTS bypass in WebSockets. Credit to Mike Ruddy.
    - CVE-2015-1245: Use-after-free in PDFium. Credit to Khalil Zhani.
    - CVE-2015-1246: Out-of-bounds read in Blink. Credit to Atte Kettunen.
    - CVE-2015-1247: Scheme issues in OpenSearch. Credit to Jann Horn.
    - CVE-2015-1248: SafeBrowsing bypass. Credit to Vittorio Gambaletta.
    - CVE-2015-1249: Various fixes from internal audits, fuzzing and other
      initiatives. Also multiple issues in v8 4.2.77.14.

clamav (0.98.7+dfsg-0+deb8u1) stable; urgency=high
  .
  [ Andreas Cadhalpun ]
  * Fix variable name mismatch in clamav-milter.postinst in order to make
    preseeding work correctly. (Closes: #778445)
  * Rename DEBCONFILE to DEBCONFFILE in clamav-freshclam.postinst making it
    consistent with the other postinst scripts.
  * Build against libsystemd-dev. (Closes: #779758)
  * Drop 'XS-Testsuite: autopkgtest' from debian/control.
    Debhelper automatically adds the Testsuite field.
    This fixes the lintian warning xs-testsuite-header-in-debian-control.
  * Shorten debian/copyright.
    This fixes some lintian warnings:
    - dep5-copyright-license-name-not-unique
    - wildcard-matches-nothing-in-dep5-copyright
    - unused-file-paragraph-in-dep5-copyright
  * Use pathfind to avoid hardcoding paths.
    This fixes command-with-path-in-maintainer-script lintian warnings.
  * Fix syntax errors in clamav-freshclam.postinst. Thanks piuparts!
  * Fix cleanup on purge in clamav-base.postrm.
  * Use SocketUser, SocketGroup and RemoveOnStop systemd socket options
    instead of using ExecStartPost and ExecStopPost for that.
  * Respect clamav-daemon's LocalSocket* options with the systemd unit by
    extending the clamav-daemon.socket file appropriately, when running
    dpkg-reconfigure clamav-daemon. (Closes: #783720)
  * Disable this extended configuration, when handling the configuration
    file with debconf is disabled.
  * Disable clamav-daemon.socket in prerm script.
  .
  [ Sebastian Andrzej Siewior ]
  * Replace ” with " in debian/common_functions (Closes: #781088)
  * Drop __DATE__ from tfm to make the package build reproducible with
    -Werror=date-time. With this change faketime is no longer required.
  * Import new upstream:
    - Improvements to PDF processing: decryption, escape sequence handling,
      and file property collection.
    - Scanning/analysis of additional Microsoft Office 2003 XML format.
    - Fix infinite loop condition on crafted y0da cryptor file. Identified
      and patch suggested by Sebastian Andrzej Siewior. CVE-2015-2221.
    - Fix crash on crafted petite packed file. Reported and patch supplied
      by Sebastian Andrzej Siewior. CVE-2015-2222.
    - Fix false negatives on files within iso9660 containers. This issue
      was reported by Minzhuan Gong.
    - Fix a couple crashes on crafted upack packed file. Identified and
      patches supplied by Sebastian Andrzej Siewior.
    - Fix a crash during algorithmic detection on crafted PE file.
      Identified and patch supplied by Sebastian Andrzej Siewior.
    - Fix an infinite loop condition on a crafted "xz" archive file.
      This was reported by Dimitri Kirchner and Goulven Guiheux.
      CVE-2015-2668.
    - Fix compilation error after ./configure --disable-pthreads.
      Reported and fix suggested by John E. Krokes.
    - Apply upstream patch for possible heap overflow in Henry Spencer's
      regex library. CVE-2015-2305 (Closes: #778406).
    - Fix crash in upx decoder with crafted file. Discovered and patch
      supplied by Sebastian Andrzej Siewior. CVE-2015-2170.
    - Fix segfault scanning certain HTML files. Reported with sample by
      Kai Risku.
    - Improve detections within xar/pkg files.
  * update GPG key used to verify releases to get uscan/get_orig.sh working
    again.
  * update symbol version for cl_retflevel due to CL_FLEVEL change.

clamav (0.98.7+dfsg-0+deb7u1) oldstable; urgency=high
  .
  [ Andreas Cadhalpun ]
  * Fix variable name mismatch in clamav-milter.postinst in order to make
    preseeding work correctly. (Closes: #778445)
  * Drop 'XS-Testsuite: autopkgtest' from debian/control.
    Debhelper automatically adds the Testsuite field.
    This fixes the lintian warning xs-testsuite-header-in-debian-control.
  * Fix cleanup on purge in clamav-base.postrm.
  .
  [ Sebastian Andrzej Siewior ]
  * Replace ” with " in debian/common_functions (Closes: #781088)
  * Import new upstream:
    - Improvements to PDF processing: decryption, escape sequence handling,
      and file property collection.
    - Scanning/analysis of additional Microsoft Office 2003 XML format.
    - Fix infinite loop condition on crafted y0da cryptor file. Identified
      and patch suggested by Sebastian Andrzej Siewior. CVE-2015-2221.
    - Fix crash on crafted petite packed file. Reported and patch supplied
      by Sebastian Andrzej Siewior. CVE-2015-2222.
    - Fix false negatives on files within iso9660 containers. This issue
      was reported by Minzhuan Gong.
    - Fix a couple crashes on crafted upack packed file. Identified and
      patches supplied by Sebastian Andrzej Siewior.
    - Fix a crash during algorithmic detection on crafted PE file.
      Identified and patch supplied by Sebastian Andrzej Siewior.
    - Fix an infinite loop condition on a crafted "xz" archive file.
      This was reported by Dimitri Kirchner and Goulven Guiheux.
      CVE-2015-2668.
    - Fix compilation error after ./configure --disable-pthreads.
      Reported and fix suggested by John E. Krokes.
    - Apply upstream patch for possible heap overflow in Henry Spencer's
      regex library. CVE-2015-2305 (Closes: #778406).
    - Fix crash in upx decoder with crafted file. Discovered and patch
      supplied by Sebastian Andrzej Siewior. CVE-2015-2170.
    - Fix segfault scanning certain HTML files. Reported with sample by
      Kai Risku.
    - Improve detections within xar/pkg files.
  * update GPG key used to verify releases to get uscan/get_orig.sh working
    again.
  * update symbol version for cl_retflevel due to CL_FLEVEL change.

clamav (0.98.7+dfsg-0+deb6u2) squeeze-lts; urgency=medium
  .
  * Don't error out if rar file cat fails to work around arch/indep issues
    on squeeze

clamav (0.98.7+dfsg-0+deb6u1) squeeze-lts; urgency=high
  .
  [ Andreas Cadhalpun ]
  * Fix variable name mismatch in clamav-milter.postinst in order to make
    preseeding work correctly. (Closes: #778445)
  * Drop 'XS-Testsuite: autopkgtest' from debian/control.
    Debhelper automatically adds the Testsuite field.
    This fixes the lintian warning xs-testsuite-header-in-debian-control.
  * Fix cleanup on purge in clamav-base.postrm.
  .
  [ Sebastian Andrzej Siewior ]
  * Replace ” with " in debian/common_functions (Closes: #781088)
  * Import new upstream:
    - Improvements to PDF processing: decryption, escape sequence handling,
      and file property collection.
    - Scanning/analysis of additional Microsoft Office 2003 XML format.
    - Fix infinite loop condition on crafted y0da cryptor file. Identified
      and patch suggested by Sebastian Andrzej Siewior. CVE-2015-2221.
    - Fix crash on crafted petite packed file. Reported and patch supplied
      by Sebastian Andrzej Siewior. CVE-2015-2222.
    - Fix false negatives on files within iso9660 containers. This issue
      was reported by Minzhuan Gong.
    - Fix a couple crashes on crafted upack packed file. Identified and
      patches supplied by Sebastian Andrzej Siewior.
    - Fix a crash during algorithmic detection on crafted PE file.
      Identified and patch supplied by Sebastian Andrzej Siewior.
    - Fix an infinite loop condition on a crafted "xz" archive file.
      This was reported by Dimitri Kirchner and Goulven Guiheux.
      CVE-2015-2668.
    - Fix compilation error after ./configure --disable-pthreads.
      Reported and fix suggested by John E. Krokes.
    - Apply upstream patch for possible heap overflow in Henry Spencer's
      regex library. CVE-2015-2305 (Closes: #778406).
    - Fix crash in upx decoder with crafted file. Discovered and patch
      supplied by Sebastian Andrzej Siewior. CVE-2015-2170.
    - Fix segfault scanning certain HTML files. Reported with sample by
      Kai Risku.
    - Improve detections within xar/pkg files.
  * update GPG key used to verify releases to get uscan/get_orig.sh working
    again.
  * update symbol version for cl_retflevel due to CL_FLEVEL change.
  .
  [ Scott Kitterman ]
  * Drop minimum debhelper version to 8 for squeeze and drop indep specific
    override of dh_installdocs
  * Manually patch in results of autoreconf since dh_autoreconf is too old
    and package FTBFS otherwise
  * Drop procps requirement and dpkg minimum version requirement since
    squeeze versions are too old and revert init script changes for
    freshclam, daemon, and milter to use the squeeze versions of the init
    scripts (also restore required functions to debian/common_functions)

clamav (0.98.6+dfsg-3) unstable; urgency=medium
  .
  * Fix syntax errors in clamav-freshclam.postinst. Thanks piuparts!
  * Fix cleanup on purge in clamav-base.postrm.

clamav (0.98.6+dfsg-2) unstable; urgency=medium
  .
  [ Andreas Cadhalpun ]
  * Fix variable name mismatch in clamav-milter.postinst in order to make
    preseeding work correctly. (Closes: #778445)
  * Fix clamav-daemon installability with custom PidFile.
    Thanks to Andy Dorman for the bug report and patch. (Closes: #778507)
  * Rename DEBCONFILE to DEBCONFFILE in clamav-freshclam.postinst making it
    consistent with the other postinst scripts.
  * Build against libsystemd-dev. (Closes: #779758)
  * Drop 'XS-Testsuite: autopkgtest' from debian/control.
    Debhelper automatically adds the Testsuite field.
    This fixes the lintian warning xs-testsuite-header-in-debian-control.
  * Shorten debian/copyright.
    This fixes some lintian warnings:
    - dep5-copyright-license-name-not-unique
    - wildcard-matches-nothing-in-dep5-copyright
    - unused-file-paragraph-in-dep5-copyright
  * Use pathfind to avoid hardcoding paths.
    This fixes command-with-path-in-maintainer-script lintian warnings.
  .
  [ Sebastian Andrzej Siewior ]
  * Replace ” with " in debian/common_functions (Closes: #781088)
  * Drop __DATE__ from tfm to make the package build reproducible with
    -Werror=date-time. With this change faketime is no longer required.

clamav (0.98.6+dfsg-1+deb8u1) jessie; urgency=medium
  .
  [ Andreas Cadhalpun ]
  * Fix clamav-daemon installability with custom PidFile.
    Thanks to Andy Dorman for the bug report and patch. (Closes: #778507)

cproto (4.7l-3+deb8u1) jessie; urgency=low
  .
  * Fix functional regression vs. 4.7j-5 in wheezy (closes: #784719).
    - Modify debian/rules to put back --enable-llib configure option, by
      adding override_dh_auto_configure. This option was accidentally lost
      in version 4.7j-7 while converting to debhelper 7. This disabled the
      -X command line option in the cproto program, a regression vs. wheezy.

curl (7.38.0-4+deb8u2) jessie-security; urgency=high
  .
  * Don't send sensitive HTTP server headers to proxies as per
    CVE-2015-3153 http://curl.haxx.se/docs/adv_20150429.html

curl (7.38.0-4+deb8u1) jessie-security; urgency=high
  .
  * Fix re-using authenticated connection when unauthenticated as per
    CVE-2015-3143 http://curl.haxx.se/docs/adv_20150422A.html
  * Fix host name out of boundary memory access as per
    CVE-2015-3144 http://curl.haxx.se/docs/adv_20150422D.html
  * Fix cookie parser out of boundary memory access as per
    CVE-2015-3145 http://curl.haxx.se/docs/adv_20150422C.html
  * Fix Negotiate not treated as connection-oriented as per
    CVE-2015-3148 http://curl.haxx.se/docs/adv_20150422B.html

cwm (5.5-1+deb8u1) stable; urgency=low
  .
  * Fix "Lookups for 'exec' and 'wm' fail on XFS" by adding an extra check
    using lstat() if the d_type check fails (Closes: #783588)

dbus (1.8.18-0+deb8u1) jessie; urgency=medium
  .
  * New upstream bugfix release
    - Hardening: lock down the session bus to only allow EXTERNAL auth by
      default, the same as the system bus. This avoids allowing
      DBUS_COOKIE_SHA1, which can end up using a predictable random source
      on systems where /dev/urandom is unavailable or dbus-daemon runs out
      of memory. See the upstream NEWS for more details.

dbus (1.8.16-2) unstable; urgency=medium
  .
  * Merge packaging changes (but not the new upstream branch) from
    experimental:
    - Move Vcs-Git to cgit; go via https, because we can
    - Standards-Version: 3.9.6 (no changes needed)
    - Remove debian/source/local-options, no longer necessary (dpkg-source
      now unapplies patches after the build if they were unapplied before)
    - Configure gbp-pq to export patches without patch numbers, and
      re-export our long-standing Debian patch in that format
    - dbus-x11: use dbus-x11.install for the Xsession hook
    - If DEB_BUILD_OPTIONS=noudeb, don't do the udeb build, for a 30%
      speedup
    - Change the check for requiring a reboot to be init-system-agnostic
      so Ubuntu can stop patching it (partially addresses #712167)
  * Security hardening: build position-independent executables for better
    ASLR
  * Security hardening: build with bindnow, so relro (which is already on
    by default) can make the entire PLT read-only
  * Transcode debian/rules from Latin-1 to UTF-8
  * Reproducible build: remove dates from man pages using sed
  * Reproducible build: patch Doxyfile.in to not include timestamps in
    HTML documentation

debian-installer (20150422+deb8u1) jessie; urgency=medium
  .
  [ Martin Michlmayr ]
  * Append DTB for SheevaPlug, SheevaPlug eSATA and GuruPlug.
    (Closes: #785588)
  .
  [ Cyril Brulebois ]
  * Enable p-u in debian/rules for the jessie point releases.

debian-installer-netboot-images (20150422+deb8u1) jessie; urgency=medium
  .
  * Update to 20150422+deb8u1 images, from jessie-proposed-updates

debian-lan-config (0.19+deb8u1) stable-proposed-updates; urgency=medium
  .
  * Fix package names on i386.
  * Workarounds: #759424 (di-n-a) removed, #774033 (deadlock) added.
    - With the NMUed di-netboot-assistant package available in jessie, only
      chain.c32 has to be copied to the tftp-boot directory. It is needed
      to boot from the local disk in the Debian-LAN PXE menu.
    - The Debian-LAN live system freezes when mounting the home directory
      with NFSv4. Switch back to NFSv3 which works fine.
  * Fix squid configuration: Modify ordering to succeed in a single
    cfengine pass.
  * Comment 'browser-plugin-gnash' and 'adzapper' in the package-list and
    the corresponding script: These packages did not make it into jessie.
  * Define the replacement of exim4-daemon-light by exim4-daemon-heavy and
    sudo by sudo-ldap to make conversion more robust.
  * Describe how to use an arbitrary hostname for the 'mainserver'.
  * Add libcgi-fast-perl to make the zoom in munin work.

didjvu (0.2.8-1+deb8u1) stable; urgency=medium
  .
  * add fix-insecure-use-of-tmp-when-calling-c44.diff on security issue
    (Closes: #784888).

django-markupfield (1.2.1-2+deb8u1) jessie-security; urgency=high
  .
  * Security Upload
  * Include fix for remote file inclusion, CVE-2015-0846, thanks to
    James P. Turk for finding this bug and providing a fix.

dnsmasq (2.72-3+deb8u1) jessie-security; urgency=high
  .
  * Non-maintainer upload by the Security Team.
  * CVE-2015-3294: denial of service and memory disclosure via malformed
    DNS requests (Closes: #783459)

ejabberd (14.07-4+deb8u1) jessie; urgency=low
  .
  * Drop debian/ejabberd.8 as there is no "ejabberd" executable anymore
  * Add --enable-transient_supervisors build-flag (Closes: #782794)
  * Accept trailing newline characters in Base64 strings (Closes: #782725)

elasticsearch (1.0.3+dfsg-5+deb8u1) jessie-security; urgency=high
  .
  * Added patch to fix directory traversal bug (CVE-2015-3337)

exactimage (0.8.9-7+deb8u1) jessie; urgency=high
  .
  * Fix CVE-2015-3885: Integer overflow in the ljpeg_start function in dcraw
  * debian/patches:
    - Add CVE-2015-3885.patch, Avoid overflow in ljpeg_start()
      (Closes: #786785)
    - Add draw_jpeg_fix.patch, Fix execution order of ljpeg_start() and
      result check

fai (4.3.1+deb8u1) jessie; urgency=high
  .
  * setup-storage: add support for parted 2.4, Closes: #785804
  * fai: Fix IP address lifetime, Closes: #780144
  * update copyright year to 2015

feed2imap (1.2.3-1+deb8u1) jessie; urgency=medium
  .
  * debian/patches/0001-Fix-usage-of-filters.patch: apply upstream patch to
    fix usage of filters (Closes: #783444)
  * debian/patches/0002-Fix-regression-in-include-images-option.patch:
    apply upstream patch to fix the `include-images` option
    (Closes: #784591)

freeorion (0.4.4-2+deb8u1) jessie; urgency=medium
  .
  * Add fix-FTBFS.patch, fix compiler errors so that FreeOrion can be built
    from source again. (Closes: #783839)

fuse (2.9.3-15+deb8u1) jessie-security; urgency=high
  .
  * Non-maintainer upload by the Security Team.
  * Add 0007-CVE-2015-3202.patch patch.
    CVE-2015-3202: Missing scrubbing of the environment before executing a
    mount or umount of a filesystem.

fusionforge (5.3.2+20141104-3+deb8u1) jessie-security; urgency=high
  .
  * CVE-2015-0850: Prevent arbitrary command execution via clone URL
    parameter of the method to create secondary Git repositories.
    Found by Ansgar Burchardt.

ganeti (2.12.4-1~deb8u1) jessie; urgency=medium
  .
  [ Apollon Oikonomopoulos ]
  * New upstream bugfix release (see /usr/share/doc/ganeti/NEWS.gz):
    Fixes in 2.12.1:
    + Clean up stale livelock files
    + Fix setting up the metadata daemon's network interface for Xen
    + Make the watcher visible on the reason trail on disk activation
    + Allow `gnt-instance grow-disk' to ignore instance policy
    + Fix counting votes when doing master failover
    + Properly check for IPv6 use before making an SSH connection
    + Properly check if an instance exists in `gnt-instance console'
  .
    Fixes in 2.12.2:
    + Detect and report non-master status on socket connection errors
      (closes: #783388, #781084)
    + Improve error handling when looking up instances (closes: #776770)
    + SSH keys are now distributed only to master and master candidates
    + Improve performance for operations with frequent configuration reads
    + Improve robustness of spawning job processes, fixing timeouts
    + Fix a race condition that caused cluster verify to fail
    + Fix failing automatic glusterfs mounts
    + Fix watcher failing to read its status file on upgrade
    + Fix Xen instance state handling, taking transitional states into
      account (closes: #776772)
    + Fix conversion of diskless DRBD instances to plain
    + Fix upgrades from pre-2.6 versions, by handling hv_state_static and
      disk_state_static configuration fields
    + Fix a memory leak in the monitoring daemon
    + Fix a file descriptor leak in the ConfD client
  .
    Fixes in 2.12.3:
    + Fix config.data upgrade issues from older versions (closes: #783186)
    + Do not allow the master node to lose its master capability
    + Properly display externally reserved IPs in `gnt-network info' output
    + Properly distribute ssconf_hvparams_* using ssconf
    + Improve `gnt-cluster renew-crypto' robustness against node
      reachability errors
    + Make sure the master IP is always removed from the old master after
      master-failover
    + Work around Python's os.minor() not supporting devices with high
      (> 255) minor numbers (closes: #782073)
    + Fix Luxid failure when DNS returns an IPv6 address that does not
      reverse resolve
  .
    Fixes in 2.12.4:
    + Fix a performance regression in 2.12 during gnt-cluster verify and
      gnt-cluster verify-disks (high CPU usage) (closes: #784620).
    + Make the RAPI responsive after master-failover.
    + Fix gnt-cluster verify reporting existing instance disks on
      non-default VGs as missing.
  * Drop fix-wconfd-metad patch, merged upstream.
  * d/copyright: adjust copyright years
  .
  [ Gregory Potamianos ]
  * molly-guard: detect master status and warn when attempting to shutdown
    or reboot the master node.
  .
  [ Debconf translations ]
  * Dutch (Frans Spiesschaert, closes: #765856)
  * Swedish (Martin Bagge, closes: #769870)

ganeti (2.12.4-1~bpo8+1) jessie-backports; urgency=medium
  .
  * Rebuild for jessie-backports.
  .
ganeti (2.12.4-1) unstable; urgency=medium
  .
  * New upstream bugfix release (see /usr/share/doc/ganeti/NEWS.gz),
    including the following fixes:
    + Fix a performance regression in 2.12 during gnt-cluster verify and
      gnt-cluster verify-disks (high CPU usage) (closes: #784620).
    + Make the RAPI responsive after master-failover.
    + Fix gnt-cluster verify reporting existing instance disks on
      non-default VGs as missing.
  * Drop GHC 7.8 patch
    + It is part of the 2.12.4 release.
  * Drop dh_autoreconf
    + Not needed after removing the GHC 7.8 patch.
  .
ganeti (2.12.3-1) unstable; urgency=medium
  .
  [ Apollon Oikonomopoulos ]
  * New upstream bugfix release (see /usr/share/doc/ganeti/NEWS.gz):
    Fixes in 2.12.1:
    + Clean up stale livelock files
    + Fix setting up the metadata daemon's network interface for Xen
    + Make the watcher visible on the reason trail on disk activation
    + Allow `gnt-instance grow-disk' to ignore instance policy
    + Fix counting votes when doing master failover
    + Properly check for IPv6 use before making an SSH connection
    + Properly check if an instance exists in `gnt-instance console'
  .
    Fixes in 2.12.2:
    + Detect and report non-master status on socket connection errors
      (closes: #783388, #781084)
    + Improve error handling when looking up instances (closes: #776770)
    + SSH keys are now distributed only to master and master candidates
    + Improve performance for operations with frequent configuration reads
    + Improve robustness of spawning job processes, fixing timeouts
    + Fix a race condition that caused cluster verify to fail
    + Fix failing automatic glusterfs mounts
    + Fix watcher failing to read its status file on upgrade
    + Fix Xen instance state handling, taking transitional states into
      account (closes: #776772)
    + Fix conversion of diskless DRBD instances to plain
    + Fix upgrades from pre-2.6 versions, by handling hv_state_static and
      disk_state_static configuration fields
    + Fix a memory leak in the monitoring daemon
    + Fix a file descriptor leak in the ConfD client
  .
Fixes in 2.12.3: + Fix config.data upgrade issues from older versions (closes: #783186) + Do not allow the master node to lose its master capability + Properly display externally reserved IPs in `gnt-network info' output + Properly distribute ssconf_hvparams_* using ssconf + Improve `gnt-cluster renew-crypto' robustness against node reachability errors + Make sure the master IP is always removed from the old master after master-failover + Work around Python's os.minor() not supporting devices with high (> 255) minor numbers (closes: #782073) + Fix Luxid failure when DNS returns an IPv6 address that does not reverse resolve * Backport upstream commits to fix compilation under GHC 7.8: + b78a2c3 Makefile.am: Fix wrong -dep-suffix for GHC 7.8 + 083776b Fix compiler invocation for GHC >= 7.8 + 9664aff Makefile.am: Don't use dots in -osuf + 1ad14f3 Makefile.am: Don't use -dynamic-too for .hpc_o files * Build-depend on dh-autoreconf and use dh_autoreconf to make the GHC 7.8 patch effective * Drop fix-wconfd-metad patch, merged upstream. * d/copyright: adjust copyright years . [ Gregory Potamianos ] * molly-guard: detect master status and warn when attempting to shutdown or reboot the master node. . [ Debconf translations ] * Dutch (Frans Spiesschaert, closes: #765856) * Swedish (Martin Bagge, closes: #769870) ganeti (2.12.3-1) unstable; urgency=medium . [ Apollon Oikonomopoulos ] * New upstream bugfix release (see /usr/share/doc/ganeti/NEWS.gz): Fixes in 2.12.1: + Clean up stale livelock files + Fix setting up the metadata daemon's network interface for Xen + Make the watcher visible on the reason trail on disk activation + Allow `gnt-instance grow-disk' to ignore instance policy + Fix counting votes when doing master failover + Properly check for IPv6 use before making an SSH connection + Properly check if an instance exists in `gnt-instance console' . 
Fixes in 2.12.2: + Detect and report non-master status on socket connection errors (closes: #783388, #781084) + Improve error handling when looking up instances (closes: #776770) + SSH keys are now distributed only to master and master candidates + Improve performance for operations with frequent configuration reads + Improve robustness of spawning job processes, fixing timeouts + Fix a race condition that caused cluster verify to fail + Fix failing automatic glusterfs mounts + Fix watcher failing to read its status file on upgrade + Fix Xen instance state handling, taking transitional states into account (closes: #776772) + Fix conversion of diskless DRBD instances to plain + Fix upgrades from pre-2.6 versions, by handling hv_state_static and disk_state_static configuration fields + Fix a memory leak in the monitoring daemon + Fix a file descriptor leak in the ConfD client . Fixes in 2.12.3: + Fix config.data upgrade issues from older versions (closes: #783186) + Do not allow the master node to lose its master capability + Properly display externally reserved IPs in `gnt-network info' output + Properly distribute ssconf_hvparams_* using ssconf + Improve `gnt-cluster renew-crypto' robustness against node reachability errors + Make sure the master IP is always removed from the old master after master-failover + Work around Python's os.minor() not supporting devices with high (> 255) minor numbers (closes: #782073) + Fix Luxid failure when DNS returns an IPv6 address that does not reverse resolve * Backport upstream commits to fix compilation under GHC 7.8: + b78a2c3 Makefile.am: Fix wrong -dep-suffix for GHC 7.8 + 083776b Fix compiler invocation for GHC >= 7.8 + 9664aff Makefile.am: Don't use dots in -osuf + 1ad14f3 Makefile.am: Don't use -dynamic-too for .hpc_o files * Build-depend on dh-autoreconf and use dh_autoreconf to make the GHC 7.8 patch effective * Drop fix-wconfd-metad patch, merged upstream. * d/copyright: adjust copyright years . 
  [ Gregory Potamianos ]
  * molly-guard: detect master status and warn when attempting to shutdown or reboot the master node.

  [ Debconf translations ]
  * Dutch (Frans Spiesschaert, closes: #765856)
  * Swedish (Martin Bagge, closes: #769870)

gdnsd (2.1.2-1~deb8u1) stable; urgency=medium

  * Backport as a stable update.

gnome-shell (3.14.4-1~deb8u1) jessie; urgency=low

  * New upstream translation and bugfix release.
    + Includes workaround for #768896 which is very annoying for users of the proprietary nvidia driver.
  * 01_network_list.patch, 02_auth_prompt.patch, 50-compute-weeknumber-with-gdatetime.patch: dropped, merged upstream.
  * Bump (build-)dependencies on mutter as usual.

gnutls28 (3.3.8-6+deb8u1) jessie; urgency=medium

  * Reupload 3.3.8-7 unchanged for first point release:
    45_eliminated-double-free.diff, 46_Better-fix-for-the-double-free.diff:
    Pull two patches from upstream to fix a use-after-free flaw in
    gnutls_x509_ext_import_crl_dist_points(). CVE-2015-3308
    Closes: #782776

hello (2.9-2+deb8u1) jessie-security; urgency=low

  * Non-maintainer upload by the security team.
  * No-change test upload to jessie-security.

ibus-cangjie (2.2-2+deb8u1) stable; urgency=medium

  * Backport 2.4 bugfix (Closes: 782453)
    * A serious usability issue, where we would in some cases suggest duplicate characters to the users:
      https://github.com/Cangjians/ibus-cangjie/issues/63

    * A python traceback (in the background, not crashing the engine, but which was nevertheless triggering automatic crash catchers):
      https://github.com/Cangjians/ibus-cangjie/issues/57

    * An incorrect translation for Taiwan users:
      https://github.com/Cangjians/ibus-cangjie/issues/61

    * works around another serious usability issue, where the candidate popup was misplaced (i.e. not at the input cursor, but at the bottom of the screen) on some applications, most notably Firefox (which is quite the common app)
      https://github.com/Cangjians/ibus-cangjie/issues/60

icecast2 (2.4.0-1.1+deb8u1) jessie-security; urgency=high

  * This fixes a crash (NULL reference) in case URL Auth is used and stream_auth is triggered with no credentials passed by the client. Username and password are now set to empty strings and transmitted to the backend server this way. (Closes: #782120, fixes CVE-2015-3026)

icedove (31.7.0-1~deb8u1) stable-security; urgency=medium

  * [c3c81df] Imported Upstream version 31.7.0
    - MFSA 2015-46 aka CVE-2015-2708
    - MFSA 2015-47 aka CVE-2015-0797
    - MFSA 2015-48 aka CVE-2015-2710
    - MFSA 2015-51 aka CVE-2015-2713
    - MFSA 2015-54 aka CVE-2015-2716
  * [eb8cb5a] adjust gbp.conf for jessie-security branch

icedove (31.7.0-1~deb7u1) oldstable-security; urgency=medium

  * [c3c81df] Imported Upstream version 31.7.0
    - MFSA 2015-46 aka CVE-2015-2708
    - MFSA 2015-47 aka CVE-2015-0797
    - MFSA 2015-48 aka CVE-2015-2710
    - MFSA 2015-51 aka CVE-2015-2713
    - MFSA 2015-54 aka CVE-2015-2716

installation-guide (20150423+deb8u1) jessie; urgency=medium

  * Backport fixes from sid.

  [ Samuel Thibault ]
  * Give to make-kpkg a "1.0.custom" revision instead of bogus "custom.1.0". Closes: #783613.
  * Add an example preseed entry for setting up multi-arch. Closes: #785165
    Thanks to Matthew Sweet for the patch.

  [ Christian Perrier ]
  * Fix kernel source compression extension in kernel-baking.xml

  [ Holger Wansing ]
  * Revert to documenting that the text installer is still the default installer.
  * Remove mention of kfreebsd as supported archs for Jessie

ipsec-tools (1:0.8.2+20140711-2+deb8u1) jessie-security; urgency=high

  * Non-maintainer upload by the Security Team.
  * Add bug785778-null-pointer-deref.patch patch.
    CVE-2015-4047: Fix NULL pointer dereference in racoon in gssapi.c leading to a possible crash and denial of service attack. (Closes: #785778)

ircd-hybrid (1:8.2.0+dfsg.1-2+deb8u1) jessie; urgency=medium

  * Remove Suggests: hybserv as the package isn't in jessie
  * Fix a DoS from localhost clients backported from 8.2.6 (Closes: #782859)
  * Debconf configuration script no longer ignores the result of upgrade questions (Closes: #779082)
  * Don't display upgrade warnings on new installs (Closes: #782883)
  * Support chained SSL certificates (Closes: #769741)

lastpass-cli (0.3.0-2+deb8u1) stable; urgency=medium

  * Update upstream CA certificate (Closes: #786862)

libav (6:11.3-1+deb8u1) jessie; urgency=medium

  * Fix use of illegal instruction on i586. (Closes: #783082)
    - debian/confflags: Pass correct value to --cpu.
      Thanks to Bernhard Übelacker for the patch.
    - debian/patches:
      + 01-configure-disable-i686-for-i586.patch: Upstream patch to disable i686 instructions on i586.
      + 02-configure-disable-ebx-gcc-4.9.patch: Workaround build failure with gcc 4.9 and newer by disabling the use of ebx in handwritten assembler code.
        Thanks to Bernhard Übelacker for the initial patch.

libdatetime-timezone-perl (1:1.75-2+2015d) jessie; urgency=medium

  * Update to Olson database version 2015d.
    Add patch debian/patches olson-2015d, which updates the timezone *.pm files, using upstream's tools/parse_olson script.
    This update contains contemporary changes for Egypt.

libdebian-installer (0.99+deb8u1) jessie; urgency=medium

  [ Martin Michlmayr ]
  * Add device tree variants for supported armel/kirkwood devices. (Closes: #787563)

libi18n-charset-perl (1.412-1+deb8u1) jessie; urgency=medium

  * Team upload.
  * Remove a stray 'use blib' line. (Closes: #785502)

libinfinity (0.6.6-1~deb8u1) jessie; urgency=medium

  * New upstream bugfix release
    - Check certificates for expiration and weak algorithms even if the CA is trusted. (Closes: #783601)
    - Fix cursor processing and a crash in the client code.

libmodule-signature-perl (0.73-1+deb8u2) jessie-security; urgency=high

  * Team upload.
  * Add 0001-make-skip-work-again.patch patch.
    Restore --skip functionality for cpansign.
    (Closes: #785701)

libmodule-signature-perl (0.73-1+deb8u1) jessie-security; urgency=high

  * Team upload.
  * Add CVE-2015-3406_CVE-2015-3407_CVE-2015-3408.patch patch.
    CVE-2015-3406: Module::Signature parses the unsigned portion of the SIGNATURE file as the signed portion due to incorrect handling of PGP signature boundaries.
    CVE-2015-3407: Module::Signature incorrectly handles files that are not listed in the SIGNATURE file. This includes some files in the t/ directory that would execute when tests are run.
    CVE-2015-3408: Module::Signature uses two-argument open() calls to read the files when generating checksums from the signed manifest, making it possible to embed arbitrary shell commands into the SIGNATURE file that would execute during the signature verification process.
    (Closes: #783451)
  * Add CVE-2015-3409.patch patch.
    CVE-2015-3409: Module::Signature incorrectly handles module loading, allowing modules to be loaded from relative paths in @INC. A remote attacker providing a malicious module could use this issue to execute arbitrary code during signature verification.
    (Closes: #783451)
  * Add Fix-signature-tests.patch patch.
    Fix signature tests by defaulting to verify(skip=>1) when $ENV{TEST_SIGNATURE} is true.

libraw (0.16.0-9+deb8u1) stable; urgency=high

  * debian/patches/: patchset updated
    - 0001-Fix_CVE-2015-3885.patch added
      | Integer overflow in the ljpeg_start function
      | in dcraw 7.00 and earlier allows remote attackers
      | to cause a denial of service (crash) via a
      | crafted image, which triggers a buffer overflow,
      | related to the len variable.

libreoffice (1:4.3.3-2+deb8u1) unstable; urgency=high

  * debian/patches/hwpreader-check-reads.patch: fix "out of bounds write in hwp file filter" (CVE-2015-1774), patch from libreoffice-4-3 branch

libreoffice (1:4.3.3-2+deb8u1~bpo70+1) wheezy-backports; urgency=high

  * Rebuild for wheezy-backports.

  * debian/rules:
    - comment out some conditionals, as they don't exactly do what we want on wheezy-backports, and use hardcoded values
    - fix coinmp conditional, use internal one on wheezy...
    - use internal icu - see https://bugs.freedesktop.org/show_bug.cgi?id=82229#c38
  * debian/rules, debian/shlibs.local.coin: add shlibs.local.coin to override all the internal coin dynamic libraries....
  * debian/shlibs.override.icu: update to actual current SOVERSION
  * debian/rules, debian/shlibs.override.libc: revert libc hack again
  * debian/patches/icu-icudata-link-fix-armhf.diff: fix internal icu build on armhf ("stolen" from icu package)

libreoffice (1:4.3.3-2+deb8u1) unstable; urgency=high

  * debian/patches/hwpreader-check-reads.patch: fix "out of bounds write in hwp file filter" (CVE-2015-1774), patch from libreoffice-4-3 branch

libtasn1-6 (4.2-3+deb8u1) jessie-security; urgency=high

  * Non-maintainer upload by the Security Team.
  * Add 20_CVE-2015-3622.diff patch.
    CVE-2015-3622: heap overflow flaw in _asn1_extract_der_octet(). Prevent out-of-bounds access in octet string decoding.

libtest-signature-perl (1.10-1+deb8u1) jessie-security; urgency=high

  * Team upload.
  * Consider MANIFEST.SKIP when verifying signature as part of testsuites. Set skip => 1 on Module::Signature::verify for compatibility with the fix for CVE-2015-3407 in libmodule-signature-perl.

libtest-signature-perl (1.10-1+deb7u1) wheezy-security; urgency=high

  * Team upload.
  * Consider MANIFEST.SKIP when verifying signature as part of testsuites. Set skip => 1 on Module::Signature::verify for compatibility with the fix for CVE-2015-3407 in libmodule-signature-perl.

libvncserver (0.9.9+dfsg2-6.1+deb8u1) stable; urgency=medium

  * added patch for libgcrypt init before use (Closes: #782570)
  * replaced non-free sha1 implementation (Closes: #786907)
  * new maintainer due to package adoption

libxml-libxml-perl (2.0116+dfsg-1+deb8u1) jessie-security; urgency=high

  * Team upload.
  * Add CVE-2015-3451.patch patch.
    CVE-2015-3451: expand_entities set to 0 is not preserved after a _clone() call.
    (Closes: #783443)

linux (3.16.7-ckt11-1) jessie; urgency=medium

  * New upstream stable update:
    http://kernel.ubuntu.com/stable/ChangeLog-3.16.7-ckt10
    - fuse: notify: don't move pages
    - fuse: set stolen page uptodate
    - dm thin: fix to consistently zero-fill reads to unprovisioned blocks
    - dm: hold suspend_lock while suspending device during device deletion
    - dm snapshot: suspend origin when doing exception handover
    - dm snapshot: suspend merging snapshot when doing exception handover
    - dm io: deal with wandering queue limits when handling REQ_DISCARD and REQ_WRITE_SAME
    - [armhf] crypto: arm/aes update NEON AES module to latest OpenSSL version (regression in 3.13)
    - mac80211: drop unencrypted frames in mesh fwding
    - mac80211: disable u-APSD queues by default
    - virtio_console: init work unconditionally
    - regmap: regcache-rbtree: Fix present bitmap resize (regression in 3.12)
    - Input: synaptics - fix middle button on Lenovo 2015 products
    - Input: synaptics - handle spurious release of trackstick buttons
    - [x86] asm/entry/32: Fix user_mode() misuses
    - [x86] fpu: Avoid math_state_restore() without used_math() in __restore_xstate_sig()
    - [x86] fpu: Drop_fpu() should not assume that tsk equals current
    - mac80211: count interfaces correctly for combination checks (regression in 3.16)
    - nl80211: ignore HT/VHT capabilities without QoS/WMM
    - pagemap: do not leak physical addresses to non-privileged userspace (mitigation of the DRAM 'rowhammer' defect)
    - iscsi-target: Avoid early conn_logout_comp for iser connections
    - tcm_qla2xxx: Fix incorrect use of __transport_register_session
    - [arm64] Honor __GFP_ZERO in dma allocations
    - xfrm: release dst_orig in case of error in xfrm_lookup() (regression in 3.16.6)
    - [powerpc*] smp: Wait until secondaries are active & online (regression in 3.15)
    - [powerpc*] iommu: Remove IOMMU device references via bus notifier (regression in 3.14)
    - [powerpcspe] mpc85xx: Add ranges to etsec2 nodes (regression in 3.16.7-ckt3)
    - IB/core: Avoid leakage from kernel to user space
    - timers/tick/broadcast-hrtimer: Fix suspicious RCU usage in idle loop
    - [x86] KVM: nVMX: mask unrestricted_guest if disabled on L0
    - [ppc64el] pseries: Little endian fixes for post mobility device tree update
    - block: Fix bug in blk_rq_merge_ok (regression in 3.16)
    - sched: Fix RLIMIT_RTTIME when PI-boosting to RT
    - mm: fix anon_vma->degree underflow in anon_vma endless growing prevention (regression in 3.16.7-ckt5)
    - hfsplus: fix B-tree corruption after insertion at position 0
    - iio: fix drivers that check buffer->scan_mask
    - iio: inv_mpu6050: Clear timestamps fifo while resetting hardware fifo
    - cifs: smb2_clone_range() - exit on unhandled error
    - cifs: fix use-after-free bug in find_writable_file
    - xen/balloon: before adding hotplugged memory, set frames to invalid (regression in 3.16)
    - iio: adc: vf610: use ADC clock within specification
    - dmaengine: edma: fix memory leak when terminating running transfers
    - dmaengine: omap-dma: Fix memory leak when terminating running transfer
    - mac80211: fix RX A-MPDU session reorder timer deletion
    - net: use for_each_netdev_safe() in rtnl_group_changelink()
    - net/mlx4_en: Call register_netdevice in the proper location (regression in 3.14)
    - NFS: fix BUG() crash in notify_change() with patch to chown_common()
    http://kernel.ubuntu.com/stable/ChangeLog-3.16.7-ckt11
    - n_tty: Fix read buffer overwrite when no newline
    - [x86] KVM: Fix lost interrupt on irr_pending race (regression in 3.16.2)
    - tcp: prevent fetching dst twice in early demux code
    - ipv6: protect skb->sk accesses from recursive dereference inside the stack
    - bonding: Bonding Overriding Configuration logic restored. (regression in 3.14)
    - ioctx_alloc(): fix vma (and file) leak on failure
    - [x86] drm/i915/vlv: remove wait for previous GFX clk disable request (regression in 3.16)
    - SCSI: Defer processing of REQ_PREEMPT requests for blocked devices
    - ocfs2: _really_ sync the right range (regression in 3.14)
    - iscsi target: fix oops when adding reject pdu
    - ext4: fix indirect punch hole corruption
    - ip_forward: Drop frames with attached skb->sk
    - ppp: call skb_checksum_complete_unset in ppp_receive_frame
    - tcp: fix possible deadlock in tcp_send_fin() (regression in 3.16.7-ckt9)
    - tcp: avoid looping in tcp_send_fin()
    - [x86] Drivers: hv: vmbus: Fix a bug in the error path in vmbus_open()
    - [s390x] KVM: fix handling of write errors in the tpi handler
    - [s390x] KVM: reinjection of irqs can fail in the tpi handler
    - [x86] compal-laptop: correct invalid hwmon name (regression in 3.14)
    - [x86] compal-laptop: Fix leaking hwmon device
    - [x86] compal-laptop: Check return value of power_supply_register (regression in 3.14)
    - [x86] sched/idle: Restore mwait_idle() to fix boot hangs, to improve power savings and to improve performance
    - usb: phy: Find the right match in devm_usb_phy_match
    - [x86] kvm: Revert "remove sched notifier for cross-cpu migrations" (regression in 3.12)
    - [mips*el/loongson-3] Add IRQF_NO_SUSPEND to Cascade irqaction (regression in 3.16.7-ckt7)
    - ring-buffer: Replace this_cpu_*() with __this_cpu_*()
    - UBI: account for bitflips in both the VID header and data
    - UBI: fix out of bounds write
    - UBI: fix check for "too many bytes"
    - Btrfs: fix log tree corruption when fs mounted with -o discard
    - btrfs: don't accept bare namespace as a valid xattr
    - [armel,armhf] 8320/1: fix integer overflow in ELF_ET_DYN_BASE
    - [mips*] Hibernate: flush TLB entries earlier
    - ext4: make fsync to sync parent dir in no-journal for real this time
    - iser-target: Fix session hang in case of an rdma read DIF error
    - iser-target: Fix possible deadlock in RDMA_CM connection error
    - [x86] vdso: fix pvclock races with task migration (Closes: #784960)
    - md/raid0: fix bug with chunksize not a power of 2.
    - ALSA: emu10k1: don't deadlock in proc-functions
    - [s390x] hibernate: fix save and restore of kernel text section
    - Btrfs: fix inode eviction infinite loop after extent_same ioctl
    - Btrfs: fix inode eviction infinite loop after cloning into it
    - [powerpc/powerpc64,ppc64*] perf: Cap 64bit userspace backtraces to PERF_MAX_STACK_DEPTH (Closes: #784278)
    - target: Fix COMPARE_AND_WRITE with SG_TO_MEM_NOALLOC handling
    - fs/binfmt_elf.c: fix bug in loading of PIE binaries
    - IB/core: disallow registering 0-sized memory region
    - IB/core: don't disallow registering region starting at 0x0
    - target/file: Fix SG table for prot_buf initialization
    - ptrace: fix race between ptrace_resume() and wait_task_stopped()
    - nfs: fix high load average due to callback thread sleeping (regression in 3.16.7-ckt8)
    - [x86] drm/i915: vlv: fix save/restore of GFX_MAX_REQ_COUNT reg (regression in 3.16)
    - ACPI / scan: Annotate physical_node_lock in acpi_scan_is_offline() (regression in 3.14)
    - vfs: RCU pathwalk breakage when running into a symlink overmounting something
    - drivers/of: Add empty ranges quirk for PA-Semi (regression in 3.16.7-ckt3)
    - [x86] apple-gmux: lock iGP IO to protect from vgaarb changes (regression in 3.16.5)
    - lib: memzero_explicit: use barrier instead of OPTIMIZER_HIDE_VAR
    - [arm64] head.S: ensure visibility of page tables (regression in 3.15)
    - [armhf] crypto: omap-aes - Fix support for unequal lengths
    - [armhf] fix broken hibernation (regression in 3.16)
    - jhash: Update jhash_[321]words functions to use correct initval
    - vti6: fix uninit when using x-netns
    - [powerpc*] cell: Fix cell iommu after it_page_shift changes (regression in 3.14)
    - KVM: use slowpath for cross page cached accesses
    - IB/iser: Fix wrong calculation of protection buffer length
    - [i386/686-pae] mlx5: wrong page mask if CONFIG_ARCH_DMA_ADDR_T_64BIT enabled for 32Bit architectures
    - skbuff: Do not scrub skb mark within the same name space (regression in 3.12)
    - memstick: mspro_block: add missing curly braces
    - ipv4: Missing sk_nulls_node_init() in ping_unhash(). (CVE-2015-3636)

  [ Ben Hutchings ]
  * debian.py,gencontrol.py: Fix the version sanity checks for backports and security/LTS uploads
  * Fix error messages at boot on systems without an RTC (Closes: #784146):
    - [armhf] mvebu: armada-xp-openblocks-ax3-4: Disable internal RTC
    - rtc: hctosys: do not treat lack of RTC device as error
    - rtc: hctosys: use function name in the error log
  * [x86] Input: synaptics: Fix routing of trackpoint buttons on Lenovo 2015 models (Closes: #780862)
  * [x86] thinkpad_acpi: support new BIOS version string pattern (Closes: #780467)
  * ext4: fix data corruption caused by unwritten and delayed extents (Closes: #785672)
  * ext4: move check under lock scope to close a race.
  * libata: Update Crucial/Micron blacklist
  * libata: Blacklist queued TRIM on Samsung SSD 850 Pro (Closes: #784152)
  * [x86] config: Enable NEED_DMA_MAP_STATE by default when SWIOTLB is selected (Closes: #786551)
  * [arm64] USB: Add support for XHCI on APM Mustang (Closes: #785707)
    - Enable USB_XHCI_HCD as module, and USB_XHCI_PLATFORM
    - Make xhci platform driver use 64 bit or 32 bit DMA
    - Add support for ACPI identification to xhci-platform
  * md/raid0: fix restore to sector variable in raid0_make_request (regression in 3.16.7-ckt11)
  * cdc_ncm: Fix tx_bytes statistics (regression in 3.16.7-ckt11)
  * [x86] e1000e: Add support for Sunrise Point (i219) (Closes: #784546)
  * [armhf] musb: Backport upstream changes to support multiplatform configuration properly (Closes: #773400)

  [ Ian Campbell ]
  * [armhf] Enable support for Freescale SNVS RTC. (Closes: #782364)
  * [armhf] Add ehci-orion module to usb-modules udeb. (Closes: #783324)
  * [armhf] dts: imx53: correct clock-names of SATA node (Closes: #784344)
  * [armhf+arm64] Enabled generic SYSCON regmap reset driver

linux (3.16.7-ckt9-3) unstable; urgency=high

  [ Ben Hutchings ]
  * [x86] crypto: aesni - fix memory usage in GCM decryption (Closes: #782561) (CVE-2015-3331)
  * tcp: Fix crash in TCP Fast Open (Closes: #782515) (CVE-2015-3332)
  * kernel: Provide READ_ONCE and ASSIGN_ONCE
  * Replace use of ACCESS_ONCE on non-scalar types with READ_ONCE or barriers as appropriate
  * kernel: tighten rules for ACCESS ONCE
  * kernel: Change ASSIGN_ONCE(val, x) to WRITE_ONCE(x, val)
  * fs: take i_mutex during prepare_binprm for set[ug]id executables (CVE-2015-3339)

  [ Ian Campbell ]
  * [xen] release per-queue Tx and Rx resource when disconnecting, fixing network after save/restore or migration. (Closes: #782698)

linux (3.16.7-ckt9-3~deb8u1) jessie-security; urgency=high

  [ Ben Hutchings ]
  * [x86] crypto: aesni - fix memory usage in GCM decryption (Closes: #782561) (CVE-2015-3331)
  * tcp: Fix crash in TCP Fast Open (Closes: #782515) (CVE-2015-3332)
  * kernel: Provide READ_ONCE and ASSIGN_ONCE
  * Replace use of ACCESS_ONCE on non-scalar types with READ_ONCE or barriers as appropriate
  * kernel: tighten rules for ACCESS ONCE
  * kernel: Change ASSIGN_ONCE(val, x) to WRITE_ONCE(x, val)
  * fs: take i_mutex during prepare_binprm for set[ug]id executables (CVE-2015-3339)

  [ Ian Campbell ]
  * [xen] release per-queue Tx and Rx resource when disconnecting, fixing network after save/restore or migration. (Closes: #782698)

linux (3.16.7-ckt9-3~deb8u1~bpo70+1) wheezy-backports; urgency=high

  * Rebuild for wheezy:
    - Disable architectures that weren't part of wheezy
    - Use gcc-4.6 for all architectures
    - Change ABI number to 0.bpo.4
    - [arm] btrfs: Work around bug in gcc-4.6 (fixes FTBFS)
    - linux-image: Depend on initramfs-tools without any alternatives, so that neither apt nor aptitude will automatically switch to dracut
    - debian.py,gencontrol.py: Fix the version sanity checks for backports and security/LTS uploads

linux (3.16.7-ckt9-3~deb8u1) jessie-security; urgency=high

  [ Ben Hutchings ]
  * [x86] crypto: aesni - fix memory usage in GCM decryption (Closes: #782561) (CVE-2015-3331)
  * tcp: Fix crash in TCP Fast Open (Closes: #782515) (CVE-2015-3332)
  * kernel: Provide READ_ONCE and ASSIGN_ONCE
  * Replace use of ACCESS_ONCE on non-scalar types with READ_ONCE or barriers as appropriate
  * kernel: tighten rules for ACCESS ONCE
  * kernel: Change ASSIGN_ONCE(val, x) to WRITE_ONCE(x, val)
  * fs: take i_mutex during prepare_binprm for set[ug]id executables (CVE-2015-3339)

  [ Ian Campbell ]
  * [xen] release per-queue Tx and Rx resource when disconnecting, fixing network after save/restore or migration. (Closes: #782698)

mate-desktop (1.8.1+dfsg1-3+deb8u1) jessie-proposed-updates; urgency=medium

  * debian/control:
    + Add to D (libmate-desktop-dev): libstartup-notification0-dev, libdconf-dev.

mate-netbook (1.8.1-4+deb8u1) jessie-proposed-updates; urgency=medium

  [ Martin Wimpress ]
  * Add 0002_preserve_configuration.patch. Ensure Window Picker applet doesn't override mate-maximus. (Closes: #785090).

mate-utils (1.8.1+dfsg1-2+deb8u1) jessie-proposed-updates; urgency=medium

  * debian/patches:
    + Add 0002_fix-errmsg-text.patch. Show actual error message if loading of the mate-screenshot UI fails. (Closes: #783162).
    + Update 2001_omit-gfdl-licensed-help-files.patch to avoid patch fuzziness.

mercurial (3.1.2-2+deb8u1) jessie-security; urgency=high

  * Fix "CVE-2014-9462" by adding patch from_upstream__sshpeer_more_thorough_shell_quoting.patch (Closes: #783237)

mew (1:6.6-2+deb8u1) jessie; urgency=medium

  * New patch 060_encrypt.patch to fix incorrect keys in encryption (closes: #784721)

mew-beta (7.0.50~6.6+0.20140902-1+deb8u1) jessie; urgency=medium

  * New patch 060_encrypt.patch to fix incorrect keys in encryption (closes: #784722)

multipath-tools (0.5.0-6+deb8u1) jessie; urgency=medium

  * [b40599e] Add dm-service-time path checked. Thanks to Mauricio Faria de Oliveira (Closes: #782363)

mutter (3.14.4-1~deb8u1) jessie; urgency=low

  * New upstream translation and bugfix release.
    + Includes new function required for the workaround to #768896 which is very annoying for users of the proprietary nvidia driver.
  * 10_window-actor_unredirect.patch, 11_black_background.patch: dropped, merged upstream.
  * Bump shlibs due to new function.

mysql-5.5 (5.5.43-0+deb8u1) jessie-security; urgency=high

  * Non-maintainer upload by the Security Team.
  * Imported Upstream version 5.5.43 to fix security issues:
    - http://www.oracle.com/technetwork/topics/security/cpuapr2015-2365600.html
    - CVE-2015-0499 CVE-2015-0501 CVE-2015-0505 CVE-2015-2571
    (Closes: #782645)
  * Update copyright years for upstream files

mysql-5.5 (5.5.43-0+deb7u1) wheezy-security; urgency=high

  * Non-maintainer upload by the Security Team.
  * Imported Upstream version 5.5.43 to fix security issues:
    - http://www.oracle.com/technetwork/topics/security/cpuapr2015-2365600.html
    - CVE-2015-0433 CVE-2015-0441 CVE-2015-0499 CVE-2015-0501 CVE-2015-0505 CVE-2015-2568 CVE-2015-2571 CVE-2015-2573
    (Closes: #782645)
  * Update copyright years for upstream files

nbd (1:3.8-4+deb8u1) jessie-security; urgency=medium

  * Add fix for CVE-2015-0847. Closes: #784657.

needrestart (1.2-8+deb8u1) stable; urgency=low

  * Add patch 17-fix-interp-use-undef-in-chdir to fix warnings and errors if a process has not got a valid cwd. Closes: #779832
  * Add patch 18-fix-kernel-version-sorting to fix the Linux kernel version sorting, so that 4.0 is also considered to be higher than 3.19.x. Closes: #781657
  * Add patch 20-fix-perl-warning-dangling-kernel to fix Perl warnings while scanning dangling kernel symlinks.

node-groove (2.2.6-1+deb8u1) stable; urgency=medium

  * Backport patch to fix cpu usage

ntfs-3g (1:2014.2.15AR.2-1+deb8u2) jessie-security; urgency=high

  * Non-maintainer upload by the Security Team.
  * Update 0002-CVE-2015-3202.patch patch.
    CVE-2015-3202: Missing scrubbing of the environment before executing a mount or umount of a filesystem.
    The previous fix for CVE-2015-3202 was incomplete and missed the replacement of one execl call with execle. (Closes: #786475)

ntfs-3g (1:2014.2.15AR.2-1+deb8u1) jessie-security; urgency=high

  * Non-maintainer upload by the Security Team.
  * Add 0002-CVE-2015-3202.patch patch.
    CVE-2015-3202: Missing scrubbing of the environment before executing a mount or umount of a filesystem.

open-iscsi (2.0.873+git0.3b4b4500-8+deb8u1) stable; urgency=medium

  * [725c5c6] Populate udebs in every architecture they are built (Closes: #784092)

opencv (2.4.9.1+dfsg-1+deb8u1) jessie; urgency=medium

  [ Bernhard Übelacker ]
  * Build with -march=i586 instead of -march=i686 on i386. (Closes: #784647)

openstack-debian-images (1.3~deb8u1) stable-proposed-updates; urgency=medium

  * Fixed debian/gbp.conf to use debian/jessie as new packaging branch.
  * Backport of the version 1.3 from Sid to Jessie:
    - Removed the tweak of /etc/modules, as acpiphp and pci_hotplug aren't in the Jessie kernel: they are built in, not as modules (Closes: #783340).
    - Also adds security repository if building an image for Jessie. Previously, this was done only for Wheezy (Closes: #783480).
    - Adds dbus + libpam-systemd when building a Jessie image, and acpid + acpi-support-base when building a Wheezy image, so that ACPI shutdown works by default (Closes: #783448).
    - Adds nano as default when not using the --minimal flag (Closes: #783341).

osmosis (0.43.1-3+deb8u1) stable-proposed-updates; urgency=medium

  * Add patch from upstream to fix java.lang.ClassCastException for java.util.HashMap to org.openstreetmap.osmosis.hstore.PGHStore. (closes: #785257)

owncloud (7.0.4+dfsg-4~deb8u1) jessie-security; urgency=medium

  * Upload to jessie-security as agreed with the security team

owncloud (7.0.4+dfsg-3) unstable; urgency=medium

  * Add gbp config file to follow the jessie branch
  * Backport security fixes from 7.0.5:
    - Multiple stored XSS in "contacts" application [OC-SA-2015-001]
    - Multiple stored XSS in "documents" application [OC-SA-2015-002]
    - Bypass of file blacklist [OC-SA-2015-004]
  * Run upgrade script with sudo as www-data user
  * Depend on php5-cli (it is actually used in postinst)

pdf2djvu (0.7.17-4+deb8u1) stable; urgency=medium

  * added fix-insecure-use-of-tmp-when-executing-c44.diff, fix of security issue TEMP-0784889-495CCA, see #784889 (closed in Sid by 0.7.21-1).

pdns (3.4.1-4+deb8u1) jessie-security; urgency=high

  * Security update: apply patch for CVE-2015-1868

pdns (3.4.1-4+deb8u1~bpo70+1) wheezy-backports; urgency=high

  * Rebuild for wheezy-backports, including security fix for CVE-2015-1868.

pdns (3.4.1-4+deb8u1) jessie-security; urgency=high

  * Security update: apply patch for CVE-2015-1868

pdns (3.4.1-4) unstable; urgency=medium

  * Remove DROP INDEX domainmetaidindex from MySQL schema upgrade files. The Debian schema files since at least wheezy didn't have that index, so we can't drop it. It'd be nicer if we could say DROP INDEX IF EXISTS, but apparently there's no such thing in MySQL. Thanks to Andreas Beckmann (Closes: #773345)

pdns (3.4.1-3~bpo70+1) wheezy-backports; urgency=medium

  * Rebuild for wheezy-backports.
  * Remove lmdb backend, as liblmdb-dev is unavailable.
  * Remove systemd support, as dh-systemd is unavailable
  * Replace dpkg-parsechangelog -S with wheezy compatible approach
  * Fix secpoll version.

pdns (3.4.1-3) unstable; urgency=medium

  * Fix PACKAGEVERSION not having the actual version. Due to #766559 in dpkg, PACKAGEVERSION ended up not containing the version part. Fixed by using the alternate syntax that dpkg-parsechangelog understands since 1.17.0, thereby avoiding a dependency bump to dpkg 1.17.21. (Closes: #769701)

pdns (3.4.1-2) unstable; urgency=medium

  * Bump dpkg-dev dependency for dpkg-parsechangelog -S, which is used to pass the package version to the build process.

pdns (3.4.1-1) unstable; urgency=medium

  * Imported Upstream version 3.4.1, a bug fix release, that:
    * Fixes slaving of DNSSEC-signed zones to NSD or BIND.
    * Fixes pdnssec increase-serial to not break SOA records in DNSSEC zones.
    * Adds security status polling. (We set the package vendor and version for this.)
  * Remove patch 0001-API-Replace-HTTP-Basic-auth-with-static-key-in-custom, which has been applied upstream.
  * Resync pdns.conf with upstream
  * Update debian/watch file, as upstream has changed to bz2 files.

pdns (3.4.0-2) unstable; urgency=medium

  * Apply patch from upstream switching API auth to a static key.
  * Install upstream-supplied SQL schema files (Closes: #763555)
  * Remove bindbackend.conf on purge (Closes: #678929)
  * Bump Standards-Version to 3.9.6 (no changes)

pdns (3.4.0-1) unstable; urgency=medium

  * New upstream release, send to unstable.

pdns (3.4.0~rc1+2014082902-1) experimental; urgency=medium

  * Fix typo in init script, causing stop to not work
  * Add a smoke test as an autopkgtest
  * Install systemd unit file for pdns
  * Imported Upstream version 3.4.0~rc1+2014082902

pdns (3.4.0~rc1+20140829-1) experimental; urgency=medium

  * Imported Upstream version 3.4.0~rc1+20140829

pdns (3.4.0~rc1-1) experimental; urgency=medium

  * New upstream release candidate, target experimental
  * Update schema files for 3.4.0
  * Add lmdb, mydns, remote backends
  * Remove upstream applied patch to honor PKGLIBDIR
  * Build tests in verbose mode
  * Explicitly build with bind backend
  * Stop installing lib*backend.a
  * Update Vcs-* URLs to anonscm.debian.org
  * Force usage of libpolarssl.so
  * Skip make test: the remotebackend tests require various Ruby libraries that we don't have.
  * Update debian/copyright, the AES files are no longer distributed

pdns (3.3.1-4) unstable; urgency=medium

  * Drop unused pdns-backend-mongodb.prerm file
  * Update schema migration files for 3.3.1. In the case of MySQL, this includes the migration up from 3.0!

pdns (3.3.1-3~bpo70+1) wheezy-backports; urgency=medium

  * Rebuild for wheezy-backports.

pdns (3.3.1-3) unstable; urgency=medium

  * Correct libdir/pkglibdir usage. PowerDNS upstream abuses autoconf libdir as the package-specific library location, when they should be using pkglibdir instead, which prevented us from correctly setting the multiarch libdir. As the package name is set to 'pdns', modules now go into ${libdir}/pdns, and libdir is now correctly set to the multiarch path, so modules-dir now ends up being (ex.) /usr/lib/x86_64-linux-gnu/pdns. Also fixes embedding the multiarch path as an rpath.

pdns (3.3.1-2) unstable; urgency=medium

  * Use pg_config to detect PostgreSQL lib dir (Closes: #750062)

pdns (3.3.1-1) unstable; urgency=medium

  * New upstream release.
  * Remove GRANTs from SQL Schema scripts. The SQL install scripts from upstream used to contain GRANT statements, but these were never needed with dbconfig-common, as the objects are created as the runtime user, plus they can lead to installation failures.
  * Remove patch "remove-rpath-ldflags-patch". The original issue has been fixed upstream in a better way.
  * Remove upstream applied patches
  * Remove duplicate B-D: libpolarssl-dev
  * Update copyright file, based on work by Marc Haber (Closes: #726401)
  * Don't overwrite launch= statements in configuration
  * Resync default pdns.conf

pdns (3.3-2) unstable; urgency=medium

  * Fix 3.3-1 SQL upgrade script for PostgreSQL. Thanks to Peter van Dijk for the patch. (Closes: #726945)
  * Fix FTBFS on s390x. Thanks to Peter van Dijk for the upstream patches. (Closes: #726863)
  * Add myself to Uploaders
  * Bump Standards-Version to 3.9.5 (no changes)
  * Run make with V=1. Needed to get compiler flags into the build log.
  * Revert "disable dnssec in default configuration to not break updates".
    Reverting to not break upgrades from wheezy.

pdns (3.3-1) unstable; urgency=low

  * The "Habbie saves the World" release

  [ Matthijs Möhlmann ]

  * Standards-Version: 3.9.4 (no changes needed)
  * Move files used by dbconfig-common to /usr/share/PACKAGE
    (Closes: #710360)
  * Upstream fixes self notification (Closes: #374779)
  * Added Brazilian Portuguese translation, thanks to Adriano Rafael Gomes
    (Closes: #718713)
  * All other nameservers are optional in insserv, so make that happen for
    pdns too. (Closes: #714145)
  * Update the default schema for the PostgreSQL backend (Closes: #698911)
  * Reworked README fixes also #717356 (Closes: #717356)
  * Add a SQL script for updating the database scheme in PostgreSQL, this
    will be applied automatically by dbconfig-common if chosen to do so
    (Closes: #685808, #707761)

  [ Marc Haber ]
  * be more robust with chmod in pdns-server.postinst. Thanks to Peter van
    Dijk (Closes: #716859)
  * fix exit code of init script to be more LSB compliant. (Closes: #708861)
  * remove unnecessary MySQL dependency (Upstream #1032). Adapt patches.
    (Closes: #725073)
  * remove double code from postinst. Thanks to Peter van Dijk
    (Closes: #725195)

pdns (3.3-1~exp1) experimental; urgency=low

  * New Upstream Release
  * Fix for Upstream #555 (patch 2720) to build with botan. This might
    address #675410, thanks to Florian Obser and Marcus 'darix' Rueckert.
  * fix ECDSA (upstream patch 3036). (Closes: #697904)
  * sqlite backend removed upstream.
    Suggest migration to sqlite3
  * remove --disable-recursor, it's a no-op anyway
  * build with --enable-tools and --enable-unit-tests
  * remove local manpages that have been incorporated upstream
  * remove lazy-recursion from default config
  * refresh patches, remove obsolete patches
  * disable dnssec in default configuration to not break updates
  * upstream now has include-dir
    * Use it instead of include
    * remove our patch for include
  * rename config files to .conf
  * remove --with autotools-dev (see dh-autoreconf(7))
  * zap dnslabeltext.cc in clean (see Upstream #554)
  * ship dnsreplay, dnswasher and dnsscope
  * add PDNSDEBUG environment variable to all postinst scripts
  * properly handle pdns.simplebind.conf on installation and purge
  * re-work conffile handling in postinst and postrm scripts
  * document changes in configuration syntax/semantics for updaters
  * depend on lsb-base (>= 3.2-14)
  * do not call in /lib/init/vars.sh any more (lintian)

pdns-recursor (3.6.2-2+deb8u1) jessie-security; urgency=high

  * Security update: apply patch for CVE-2015-1868

pdns-recursor (3.6.2-2+deb8u1~bpo70+1) wheezy-backports; urgency=high

  * Rebuild for wheezy-backports (including the security fix for
    CVE-2015-1868).

pdns-recursor (3.6.2-2+deb8u1) jessie-security; urgency=high

  * Security update: apply patch for CVE-2015-1868

pdns-recursor (3.6.2-2~bpo70+2) wheezy-backports; urgency=medium

  * Fix secpoll version.
  * Fix incorrect dpkg-dev dependency.

pdns-recursor (3.6.2-2~bpo70+1) wheezy-backports; urgency=medium

  * Rebuild for wheezy-backports.
  * Adapt for wheezy's dpkg-parsechangelog.
  * Remove systemd support because dh-systemd is unavailable.

pdns-recursor (3.6.2-2) unstable; urgency=medium

  * Set package vendor for security status polling. Requires directly
    including buildflags.mk so d/rules can modify CXXFLAGS.
    (Closes: #767701)
  * d/control: Update Vcs-Git and Vcs-Browser
  * Fix "smoke" autopkgtest. The test definition was incorrectly copied
    from the pdns-server package.

pdns-recursor (3.6.2-1) unstable; urgency=high

  * Imported Upstream version 3.6.2, a bugfix release (Closes: #767368)
  * Remove API key patch, which has been incorporated upstream.

pdns-recursor (3.6.1-3) unstable; urgency=medium

  * Apply API key patch from upstream
  * Bump Standards-Version to 3.9.6 (no further changes)

pdns-recursor (3.6.1-2) unstable; urgency=medium

  * Drop patch 'pdns-recursor-less-chatty'
  * Ship native systemd unit file
  * Enable extra hardening flags (PIE, bindnow)
  * Add smoke test, testing example.org resolution

pdns-recursor (3.6.1-1~bpo70+1) wheezy-backports; urgency=high

  * Rebuild for wheezy-backports.

pdns-recursor (3.6.1-1) unstable; urgency=high

  * Imported Upstream version 3.6.1
    Fixes security issue: CVE-2014-3614

pdns-recursor (3.6.0-2~bpo70+1) wheezy-backports; urgency=medium

  * Rebuild for wheezy-backports.

pdns-recursor (3.6.0-2) unstable; urgency=medium

  [ Christian Hofstaedtler ]
  * Update debian/copyright file
  * Remove boilerplate from debian/watch
  * Update init script options: Removed X-Start-After and X-Stop-Before,
    which were sent to irrelevant services, and updated Description fields.
  * Add status target to init script. Thanks to Iain Georgeson
    (Closes: #730684)

  [ SATOH Fumiyasu ]
  * Enable resolvconf hooks only when $RESOLVCONF is set to 'yes'
    (Closes: #722659)

pdns-recursor (3.6.0-1) unstable; urgency=medium

  * Imported Upstream version 3.6.0
  * Drop upstream applied patches 1443, 1444, 1445

pdns-recursor (3.6.0~rc1-2) unstable; urgency=medium

  * Switch to Lua 5.2

pdns-recursor (3.6.0~rc1-1) unstable; urgency=medium

  * Imported Upstream version 3.6.0~rc1
  * Replace local patches with upstream PRs
    do-not-strip-binaries, hurd-ftbfs-patch, kfreebsd-ftbfs-patch and
    remove-pdns_hw-patch are now pending upstream approval and merge.
  * Add myself to Uploaders
  * Bump Standards-Version to 3.9.5

pdns-recursor (3.5.3-1) unstable; urgency=low

  * New upstream version

pdns-recursor (3.5.2-2) unstable; urgency=low

  * Enable on all architectures (Closes: #579194)

pdns-recursor (3.5.2-1) unstable; urgency=low

  * New upstream version (Closes: #710048, #682851, #671592, #697355,
    #649724)
    - Refresh patches
  * Improve the patch to make pdns-recursor less chatty
  * Standards-Version: 3.9.4 (no changes necessary)
  * Remove pdns_hw on cleanup (Closes: #652833)

perl (5.20.2-3+deb8u1) jessie; urgency=medium

  * Make the perl debugger work with threaded programs again.
    Thanks to James McCoy. (Closes: #779357)

pgbouncer (1.5.4-6+deb8u1) jessie; urgency=medium

  * Fix remote crash - invalid packet order causes lookup of NULL pointer.
    Not exploitable, just DoS. (CVE-2015-4054)
    Cherry-picked from upstream 1.5.5.

php-horde (5.2.1+debian0-2+deb8u1) stable; urgency=medium

  * Fix XSS in group administration (Closes: #785364)

php-horde-passwd (5.0.2-3+deb8u1) stable; urgency=medium

  * Fix Kolab driver password change (Closes: #780670)

phpbb3 (3.0.12-5+deb8u1) jessie; urgency=medium

  * Fix possible redirection on Chrome: an insufficient check allowed users
    of the Google Chrome browser to be redirected to external domains
    (e.g. on login) [CVE-2015-3880]

postgresql-9.1 (9.1.16-0+deb8u1) stable-security; urgency=medium

  * New upstream version, relevant PL/Perl change:

    + Improve detection of system-call failures (Noah Misch)

      Our replacement implementation of snprintf() failed to check for
      errors reported by the underlying system library calls; the main case
      that might be missed is out-of-memory situations. In the worst case
      this might lead to information exposure, due to our code assuming
      that a buffer had been overwritten when it hadn't been. Also, there
      were a few places in which security-relevant calls of other system
      library functions did not check for failure.

      It remains possible that some calls of the *printf() family of
      functions are vulnerable to information disclosure if an
      out-of-memory error occurs at just the wrong time.
      We judge the risk to not be large, but will continue analysis in this
      area. (CVE-2015-3166)

  * Repository moved to git, update Vcs headers.

postgresql-9.1 (9.1.16-0+deb7u2) wheezy-security; urgency=medium

  * Fix fsync-at-startup code to not treat errors as fatal.
    (Abhijit Menon-Sen and Tom Lane, Closes: #786874)

postgresql-9.1 (9.1.16-0+deb7u1) wheezy-security; urgency=medium

  * New upstream version.

    + Avoid possible crash when client disconnects just before the
      authentication timeout expires (Benkocs Norbert Attila)

      If the timeout interrupt fired partway through the session shutdown
      sequence, SSL-related state would be freed twice, typically causing a
      crash and hence denial of service to other sessions. Experimentation
      shows that an unauthenticated remote attacker could trigger the bug
      somewhat consistently, hence treat as security issue. (CVE-2015-3165)

    + Improve detection of system-call failures (Noah Misch)

      Our replacement implementation of snprintf() failed to check for
      errors reported by the underlying system library calls; the main case
      that might be missed is out-of-memory situations. In the worst case
      this might lead to information exposure, due to our code assuming
      that a buffer had been overwritten when it hadn't been. Also, there
      were a few places in which security-relevant calls of other system
      library functions did not check for failure.

      It remains possible that some calls of the *printf() family of
      functions are vulnerable to information disclosure if an
      out-of-memory error occurs at just the wrong time. We judge the risk
      to not be large, but will continue analysis in this area.
      (CVE-2015-3166)

    + In contrib/pgcrypto, uniformly report decryption failures as Wrong
      key or corrupt data (Noah Misch)

      Previously, some cases of decryption with an incorrect key could
      report other error message texts. It has been shown that such
      variance in error reports can aid attackers in recovering keys from
      other systems.
      While it's unknown whether pgcrypto's specific behaviors are likewise
      exploitable, it seems better to avoid the risk by using a
      one-size-fits-all message. (CVE-2015-3167)

  * Repository moved to git, update Vcs headers.

postgresql-9.4 (9.4.3-0+deb8u1) jessie; urgency=medium

  * New upstream version: Avoid failures while fsync'ing data directory
    during crash restart (Abhijit Menon-Sen, Tom Lane; Closes: #786874)

postgresql-9.4 (9.4.2-1) unstable; urgency=medium

  * New upstream version.

    + Avoid possible crash when client disconnects just before the
      authentication timeout expires (Benkocs Norbert Attila)

      If the timeout interrupt fired partway through the session shutdown
      sequence, SSL-related state would be freed twice, typically causing a
      crash and hence denial of service to other sessions. Experimentation
      shows that an unauthenticated remote attacker could trigger the bug
      somewhat consistently, hence treat as security issue. (CVE-2015-3165)

    + Improve detection of system-call failures (Noah Misch)

      Our replacement implementation of snprintf() failed to check for
      errors reported by the underlying system library calls; the main case
      that might be missed is out-of-memory situations. In the worst case
      this might lead to information exposure, due to our code assuming
      that a buffer had been overwritten when it hadn't been. Also, there
      were a few places in which security-relevant calls of other system
      library functions did not check for failure.

      It remains possible that some calls of the *printf() family of
      functions are vulnerable to information disclosure if an
      out-of-memory error occurs at just the wrong time. We judge the risk
      to not be large, but will continue analysis in this area.
      (CVE-2015-3166)

    + In contrib/pgcrypto, uniformly report decryption failures as Wrong
      key or corrupt data (Noah Misch)

      Previously, some cases of decryption with an incorrect key could
      report other error message texts.
      It has been shown that such variance in error reports can aid
      attackers in recovering keys from other systems. While it's unknown
      whether pgcrypto's specific behaviors are likewise exploitable, it
      seems better to avoid the risk by using a one-size-fits-all message.
      (CVE-2015-3167)

    + Protect against wraparound of multixact member IDs (Álvaro Herrera,
      Robert Haas, Thomas Munro)

      Under certain usage patterns, the existing defenses against this
      might be insufficient, allowing pg_multixact/members files to be
      removed too early, resulting in data loss. The fix for this includes
      modifying the server to fail transactions that would result in
      overwriting old multixact member ID data, and improving autovacuum to
      ensure it will act proactively to prevent multixact member ID
      wraparound, as it does for transaction ID wraparound.

    + pg_dump -Fd -Z compression level fixed. (Closes: #781361)

  * Make postgresql-9.4 Recommends: postgresql-contrib-9.4.
  * Enable TAP tests.
  * Repository moved to git, update Vcs headers.

postgresql-9.4 (9.4.2-0+deb8u1) stable-security; urgency=medium

  * New upstream version.

    + Avoid possible crash when client disconnects just before the
      authentication timeout expires (Benkocs Norbert Attila)

      If the timeout interrupt fired partway through the session shutdown
      sequence, SSL-related state would be freed twice, typically causing a
      crash and hence denial of service to other sessions. Experimentation
      shows that an unauthenticated remote attacker could trigger the bug
      somewhat consistently, hence treat as security issue. (CVE-2015-3165)

    + Improve detection of system-call failures (Noah Misch)

      Our replacement implementation of snprintf() failed to check for
      errors reported by the underlying system library calls; the main case
      that might be missed is out-of-memory situations. In the worst case
      this might lead to information exposure, due to our code assuming
      that a buffer had been overwritten when it hadn't been.
      Also, there were a few places in which security-relevant calls of
      other system library functions did not check for failure.

      It remains possible that some calls of the *printf() family of
      functions are vulnerable to information disclosure if an
      out-of-memory error occurs at just the wrong time. We judge the risk
      to not be large, but will continue analysis in this area.
      (CVE-2015-3166)

    + In contrib/pgcrypto, uniformly report decryption failures as Wrong
      key or corrupt data (Noah Misch)

      Previously, some cases of decryption with an incorrect key could
      report other error message texts. It has been shown that such
      variance in error reports can aid attackers in recovering keys from
      other systems. While it's unknown whether pgcrypto's specific
      behaviors are likewise exploitable, it seems better to avoid the risk
      by using a one-size-fits-all message. (CVE-2015-3167)

    + Protect against wraparound of multixact member IDs (Álvaro Herrera,
      Robert Haas, Thomas Munro)

      Under certain usage patterns, the existing defenses against this
      might be insufficient, allowing pg_multixact/members files to be
      removed too early, resulting in data loss. The fix for this includes
      modifying the server to fail transactions that would result in
      overwriting old multixact member ID data, and improving autovacuum to
      ensure it will act proactively to prevent multixact member ID
      wraparound, as it does for transaction ID wraparound.

  * Repository moved to git, update Vcs headers.

pound (2.6-6+deb8u1) jessie-security; urgency=high

  * Non-maintainer upload by the security team with maintainer approval.
  * Add missing part of anti_beast patch to fix disabling of client
    renegotiation. (Closes: #765649)

proftpd-dfsg (1.3.5-1.1+deb8u1) jessie-security; urgency=high

  * Non-maintainer upload by the Security Team
  * Fix CVE-2015-3306: unauthenticated copying of files via SITE CPFR/CPTO
    allowed by mod_copy (Closes: #782781)

python-dbusmock (0.11.4-1+deb8u1) stable; urgency=medium

  * SECURITY FIX: When loading a template from an arbitrary file through
    the AddTemplate() D-Bus method call or
    DBusTestCase.spawn_server_template() Python method, don't create or use
    Python's *.pyc cached files. By tricking a user into loading a template
    from a world-writable directory like /tmp, an attacker could run
    arbitrary code with the user's privileges by putting a crafted .pyc
    file into that directory.

    Note that this is highly unlikely to actually appear in practice as
    custom dbusmock templates are usually shipped in project directories,
    not directly in world-writable directories.
    (Closes: #786858, LP: #1453815, CVE-2015-1326)
  * Add debian/gbp.conf for "jessie" packaging branch.

qcontrol (0.5.4-1+deb8u1) jessie; urgency=medium

  * Wait for necessary devices to appear before starting. (Closes: #781886).
    This works around an issue exposed by systemd LSB compatibility mode.
    Proper systemd support will come later.

qemu (1:2.1+dfsg-12) jessie-security; urgency=high

  * CVE-2015-1779 (#781250) fix from upstream (Closes: #781250)
  * ide-correct-handling-of-malformed-short-PRDTs-CVE-2014-9718.patch
    (Closes: CVE-2014-9718)
  * CVE-2015-2756-xen-limit-guest-control-of-PCI-command-register.patch
    (Closes: CVE-2015-2756)
  * fdc-force-the-fifo-access-to-be-in-bounds-CVE-2015-3456.patch
    (Closes: CVE-2015-3456)
  * fix the OSABI binfmt mask for x86_64 arch, to actually fix #763043.
    Original fix didn't work, because "someone" forgot arithmetics.
    (Really Closes: #763043)

qemu (1:2.1+dfsg-12~bpo70+1) wheezy-backports; urgency=high

  * Rebuild for wheezy-backports:
    - disable seccomp (not in wheezy)
    - build-depend on iasl|acpica-tools
    - s/python:any/python/ in build-depends

qemu (1:2.1+dfsg-12) jessie-security; urgency=high

  * CVE-2015-1779 (#781250) fix from upstream (Closes: #781250)
  * ide-correct-handling-of-malformed-short-PRDTs-CVE-2014-9718.patch
    (Closes: CVE-2014-9718)
  * CVE-2015-2756-xen-limit-guest-control-of-PCI-command-register.patch
    (Closes: CVE-2015-2756)
  * fdc-force-the-fifo-access-to-be-in-bounds-CVE-2015-3456.patch
    (Closes: CVE-2015-3456)
  * fix the OSABI binfmt mask for x86_64 arch, to actually fix #763043.
    Original fix didn't work, because "someone" forgot arithmetics.
    (Really Closes: #763043)

qemu (1:2.1+dfsg-11) unstable; urgency=medium

  * bump epoch and reupload to cancel 2.2+dfsg-1exp upload mistakenly done
    to unstable. No other changes.

qemu (2.1+dfsg-10) unstable; urgency=medium

  * make (debian-specific) x86 data path (with seabios and ipxe in it)
    non-x86-specific, since other arches use firmware files too
    (Closes: #772127)
  * add seabios to Recommends to qemu-system-misc, qemu-system-mips,
    qemu-system-ppc and qemu-system-sparc packages, because these packages
    contain emulators using vgabios which is part of seabios package
    (#772127).
  * add ipxe-qemu to Recommends to qemu-system-misc, qemu-system-arm,
    qemu-system-mips, qemu-system-ppc, qemu-system-sparc packages, because
    these packages contain emulators using network boot roms (#772127), in
    a similar way.

qemu (2.1+dfsg-9) unstable; urgency=high

  * apply upstream patches for CVE-2014-8106 (cirrus: insufficient blit
    region checks) (Closes: #772025 CVE-2014-8106)

qt4-x11 (4:4.8.6+git64-g5dc8b2b+dfsg-3+deb8u1) stable-proposed-updates; urgency=medium

  * Add fixes_crash_in_gif_image_decoder.patch and
    fixes_crash_in_bmp_and_ico_image_decoder.patch to fix CVE-2015-1858,
    CVE-2015-1859 and CVE-2015-1860 (Closes: #783133).

qtbase-opensource-src (5.3.2+dfsg-4+deb8u1) stable-proposed-updates; urgency=medium

  [ Dmitry Shachnev ]
  * Fix several DoS vulnerabilities in the image handlers.
    - CVE-2015-0295, CVE-2015-1858, CVE-2015-1859, CVE-2015-1860.
    - Closes: #779580.
qtbase-opensource-src (5.3.2+dfsg-4+deb8u1~bpo70+1) wheezy-backports; urgency=medium

  * Backport latest upload to Jessie which fixes several CVEs.

qtbase-opensource-src (5.3.2+dfsg-4+deb8u1) stable-proposed-updates; urgency=medium

  [ Dmitry Shachnev ]
  * Fix several DoS vulnerabilities in the image handlers.
    - CVE-2015-0295, CVE-2015-1858, CVE-2015-1859, CVE-2015-1860.
    - Closes: #779580.

qtbase-opensource-src (5.3.2+dfsg-4~bpo70+1) wheezy-backports; urgency=medium

  * Set xkb-config-root as we are currently not using libxkbcommon because
    it has not been backported (Closes: #766239).

qtbase-opensource-src (5.3.2+dfsg-4) unstable; urgency=medium

  * Move QPlatformSupport stuff from qtbase5-dev to qtbase5-private-dev, as
    it belongs there. Update Breaks+Replaces.
  * Backport fix_bug_in_internal_comparison_operator.patch to fix a UTF-8
    problem on QJson (Closes: #764452).

qtbase-opensource-src (5.3.2+dfsg-3~bpo70+1) wheezy-backports; urgency=medium

  * Upload to wheezy-backports.
  * Use embedded harfbuzz lib. Backport requested in #750427.
  * Use embedded libxkbcommon-x11. Backport requested in #757174.
  * The KMS plugin is not built in Wheezy, remove it from the install file.
  * Update symbols files with current build log.

qtbase-opensource-src (5.3.2+dfsg-3) unstable; urgency=medium

  * Do not use precompiled headers on arm64 (Closes: #762702).
  * Update symbols files with buildds' logs.

qtbase-opensource-src (5.3.2+dfsg-2) unstable; urgency=medium

  * Upload to unstable.
  * Add Adam Majer's fix_sparc_atomics.patch to let Sparc use C++11's
    atomics.
  * Add libxext-dev as build dependency: it's currently being pulled by
    something else, but adding it here will make things more robust.
  * Make qtbase5-dev depend on libxext-dev. Some mkspecs require it and it
    seems it's not a false positive.
  * Update symbols files with buildds' logs.

qtbase-opensource-src (5.3.2+dfsg-1) experimental; urgency=medium

  [ Dmitry Shachnev ]
  * Update my e-mail address.
  * Update Vcs-Browser field to point to cgit interface.
  * Use correct exception syntax in debian/copyright.

  [ Lisandro Damián Nicanor Pérez Meyer ]
  * New upstream release.
  * Remove patches applied upstream:
    - support_mips_atomic_on_pre-mips32_archs.patch, applied upstream with
      a fix.
    - Remove-Wcast-align-from-QMAKE_CXXFLAGS.patch.
    - cmake_dont_check_existence_of_gl_filesin_qt5gui.patch.
  * Refresh patches.
  * Bump qtbase-abi to 5-3-2.
  * Remove libgstreamer* build dependencies, they are not really needed as
    there is no usage of them by grepping the code.
  * Update install files.
  * Update symbols files with buildds' and current logs.
  * Build conflict against libmariadbclient-dev until the fix for #759309
    enters unstable.
  * Mark private symbols as such.

qtbase-opensource-src (5.3.1+dfsg-6) unstable; urgency=medium

  * Release to unstable.
  * Update symbols files with buildds' logs.

qtbase-opensource-src (5.3.1+dfsg-5) experimental; urgency=medium

  [ Julián Moreno Patiño ]
  * Add support for non-sse2 processors (Closes: #754894).

  [ Lisandro Damián Nicanor Pérez Meyer ]
  * Disable the usage of system proxies by default due to
    https://bugreports.qt-project.org/browse/QTBUG-41053
  * Make libqt5core5a recommend qttranslations5-l10n. Thanks Felix Geyer
    for the pointer.
  * Build SSE2 enabled libraries in override_dh_auto_install-arch in order
    to avoid rewriting the previously built versions before installing
    them.
  * Disable pre compiled headers support when building both non-SSE2 and
    SSE2 libraries, as it is not compatible.
  * Create new install files for archs which use i386 processor.

qtbase-opensource-src (5.3.1+dfsg-3) unstable; urgency=medium

  * Improve NEWS wording.
  * Add cmake_dont_check_existence_of_gl_filesin_qt5gui.patch to avoid Qt
    GUI requiring libegl1-mesa-dev (Closes: #752847).
  * Update symbols files with buildds' and mips64el's logs.

qtbase-opensource-src (5.3.1+dfsg-2) unstable; urgency=medium

  * Enable using system network proxies by default.
    - Add NEWS file with this information.
  * Make qtbase5-dev suggest libegl1-mesa-dev and libgl1-mesa-dev, as they
    might be needed by those using EGL.
  * Bump qtbase-abi to 5-3-1. Sune found that there is a runtime check that
    forces us to do a transition for private symbols even on point releases
    without symbols changes (Closes: #752889).
  * Update symbols files with buildds' and mips64el's logs.
  * Add multitouch protocol translation support.

qtbase-opensource-src (5.3.1+dfsg-1) unstable; urgency=medium

  * New upstream release.
  * Update symbols files with buildds' and current logs.
  * Clear the list of archs that should not use pre compiled headers. We've
    been told that with GCC 4.9 this should not be necessary anymore.
  * Remove link to a favicon in a dead url, part of an example. The
    Trolltech site is down and so there is no possible privacy breach in
    it, so just removing the link should suffice.

qtbase-opensource-src (5.3.0+dfsg-5) unstable; urgency=medium

  * Remove enable_sparc_detection.patch. This is causing a FTBFS in sparc
    now. I've contacted upstream to know the best way to go from here, in
    the meantime we just don't detect it.
  * Update symbols files with buildds' and current logs.
  * Install only the last (and more relevant) changelog. We were trying
    (and failing) to install all of them, but only the first one would end
    up as changelog. As the listing order varies between archs, the final
    changelog will also be different between them, thus not allowing the
    package to be really Multi-Arch: same. Thanks Jakub Wilk for the bug
    report. (Closes: #750730).

qtbase-opensource-src (5.3.0+dfsg-4) unstable; urgency=medium

  * Upload to unstable.
  * Update symbols files with buildds' logs.

qtbase-opensource-src (5.3.0+dfsg-3) experimental; urgency=medium

  [ Lisandro Damián Nicanor Pérez Meyer ]
  * Search for private symbols at build time and produce a diff so as to be
    able to get the changes from build logs.
    - Modify mark_private_symbols.sh.
    - Run mark_private_symbols.sh from debian/rules.
  * Do not override dh_builddeb: xz compression is now the default method.
  * Backport Remove-Wcast-align-from-QMAKE_CXXFLAGS.patch. This totally
    disables -Wcast-align (Closes: #744311).
    - Remove do_not_pass_wcast-align_on_sparc.patch, it's now not needed
      anymore.
  * Update symbols files with buildds' logs.

  [ Peter Michael Green ]
  * arm64 changes cherry picked from ubuntu (Closes: #750047).
    + Add arm64 to list of 64-bit architectures that should not use -m64
  * Remove .device.vars and .qmake.vars in clean target.

qtbase-opensource-src (5.3.0+dfsg-2) experimental; urgency=medium

  * Add revert_upstream_bsymbolic_change.patch by Timo Jyrinki which
    reenables -Bsymbolic-functions on non-x86 since Debian has a recent
    enough binutils.
  * Mark private symbols as such.

qtbase-opensource-src (5.3.0+dfsg-1) experimental; urgency=medium

  [ Timo Jyrinki ]
  * Make qt5-qmake Multi-Arch: same since it moved from shipping files in
    /usr/share to /usr/lib/.

  [ Dmitry Shachnev ]
  * Build-depend on libxkbcommon-x11-dev, as the new patch includes .
  * Add arm64 to no_pch_architectures.

  [ Lisandro Damián Nicanor Pérez Meyer ]
  * New upstream release.
    - Fixes CVE-2014-0190.
  * Install the headers in a Multi-Arch qualified directory
    (Closes: #734677).
    - Fix related install files.
    - Mark qtbase5-dev, qtbase5-private-dev and libqt5opengl5-dev as
      Multi-Arch: same.
  * Override Lintian warning about torrent.qdoc being under an RFC license,
    it's just a false positive coming from the fact that the documentation
    is listing the license, but it's really not licensed under the RFC
    license.
  * Update symbols files with buildds' and current logs.
  * Refresh patches:
    - hurd_opengl_incldir.diff
    - support_mips_atomic_on_pre-mips32_archs.patch
    - qatomic_mips.h
    - enable_sparc_detection.patch
  * Remove patches:
    - fix_power_atomic_code.patch, the code it patches has been removed.
    - enable_s390_detection.patch, applied upstream.
    - change_sparc_qatomic.patch, the code it patches has been removed.
  * Adjust install files.
  * Bump qtbase-abi to qtbase-abi-5-3-0 due to private symbols changes.
  * Make qtbase5-dev-tools-dbg Multi-Arch: same due to qt5-qmake also
    becoming Multi-Arch: same.
  * Add a lintian override for qtbase5-examples: there is no possibility of
    privacy breach in the way trolltech_com.html is used, as it is just
    parsed, but not rendered, nor is anything it points at retrieved.

qtbase-opensource-src (5.2.1+dfsg-3) unstable; urgency=medium

  * Release to unstable.
  * Add license to mark_private_symbols.sh and corresponding entry in
    debian/copyright.
  * Remove linux_no_perf.diff used to disable perf events on Linux/IA64. We
    no longer have IA64 around.

qtbase-opensource-src (5.2.1+dfsg-2) experimental; urgency=medium

  [ Pino Toscano ]
  * Disable eglfs on any non-Linux architecture; while the dependencies for
    it might be satisfied, the code seems tied to/requiring Linux stuff.

  [ Dmitry Shachnev ]
  * Update remove_google_adsense.patch to also remove ProspectXtractor
    tracker script.

  [ Lisandro Damián Nicanor Pérez Meyer ]
  * Update symbols files with buildd's logs.

qtbase-opensource-src (5.2.1+dfsg-1) experimental; urgency=medium

  * New upstream release.
  * Remove sha3_64bit_BE.diff, uname_include.diff and
    fix_crash_stale_pointer_dereferencing.patch, applied upstream.
  * Update symbols files with buildd's logs.
  * Do not install any CMake file for any plugin.
  * The egl/kms plugins have been built on amd64 too. Move them to the
    linux install files and see what happens with other archs.
  * Remove private headers no longer installed.
  * QtCore's QNoImplicitBoolCast header is no longer installed. It only had
    an include to qtglobal.h in it and no public symbols are missing.
  * Update symbols files with current build log. All missing symbols were
    private. Private symbols were [re]marked in symbols files.
  * Bump qtbase-abi to qtbase-abi-5-2-1 due to private symbols changes.

qtbase-opensource-src (5.2.0+dfsg-7) unstable; urgency=medium

  [ Dmitry Shachnev ]
  * Use canonical Vcs-Browser field.

  [ Lisandro Damián Nicanor Pérez Meyer ]
  * Install qmake's arch-specific data in an arch-specific path by using
    the hostdatadir option while calling configure.
  * Upload to unstable.

qtbase-opensource-src (5.2.0+dfsg-6) experimental; urgency=medium

  [ Dmitry Shachnev ]
  * Build-depend on libxcb-xkb-dev, to get more input languages support.
  * Also, build-depend on libxcb-sync-dev instead of removed
    libxcb-sync0-dev.
  * Fix misspelled DEB_HOST_ARCH_OS in debian/rules comments.
  * Re-introduce qtbase5-doc-html package.

  [ Lisandro Damián Nicanor Pérez Meyer ]
  * Backport fix_crash_stale_pointer_dereferencing.patch to solve a crash
    while using harfbuzz-ng.
  * Update symbols files with buildd's logs.

qtbase-opensource-src (5.2.0+dfsg-5) experimental; urgency=medium

  * Workaround sparc's FTBFS due to its qatomic code.
  * Build Qt against system's harfbuzz (Closes: #733972).
  * Update symbols files using buildd's logs.

qtbase-opensource-src (5.2.0+dfsg-4) experimental; urgency=medium

  [ Dmitry Shachnev ]
  * Remove unused piece of code in debian/rules.

  [ Lisandro Damián Nicanor Pérez Meyer ]
  * Enable processor detection for s390[x] and sparc.
    - Do not use Wcast-align on header's tests on sparc, thus avoiding a
      FTBFS.
  * Update symbols files using buildds' logs.
  * Patch out Google-AdSense tracker from examples.
  * Update Standards-Version to 3.9.5, no changes required.

qtbase-opensource-src (5.2.0+dfsg-3) experimental; urgency=low

  [ Pino Toscano ]
  * Further fix for MIPS, also in the orderedMemoryFence implementation;
    patch mips_more_pre-mips32.diff.
  * rules: small simplification in the platform_arg (mkspec) selection.
  * Initial support for GNU/kFreeBSD:
    - provide qmake mkspec, and use LD_LIBRARY_PATH; patch gnukfreebsd.diff
    - rules: use the gnukfreebsd-g++ when configure'ing
  * Get rid of our glibc-g++ qmake mkspec: it was a mistake with Qt4 (3?)
    already, and it is no more working with non-Linux OSes; as a
    consequence, error out for OSes with no qmake mkspec explicitly set in
    rules.
  * Remove the Pre-Depends on dpkg >= 1.15.6~, since that version is
    available in Squeeze already.

  [ Lisandro Damián Nicanor Pérez Meyer ]
  * Update symbols files with buildds' logs.

  [ Dmitry Shachnev ]
  * Explicitly define all DEB_HOST_ARCH{,_BITS} variables and remove
    duplicate variables.

qtbase-opensource-src (5.2.0+dfsg-2) experimental; urgency=medium

  [ Pino Toscano ]
  * Simplify and sort qtbase5-dev.install-armel and
    qtbase5-dev.install-armhf.
  * Include sys/utsname.h for uname(3); patch uname_include.diff.
  * Move few Linux-only files from qtbase5-dev.install-common to
    qtbase5-dev.install-linux.
  * Remove the cmake files of QtSql plugins on dh_auto_install phase
    instead of dh_install.

qtbase-opensource-src (5.2.0+dfsg-1) experimental; urgency=low

  [ Dmitry Shachnev ]
  * Fix two wrongly sorted lines in qtbase5-private-dev.install (thanks
    Timo).
  * Do not list armhf-specific paths in qtbase5-dev.install-armel.

  [ Lisandro Damián Nicanor Pérez Meyer ]
  * New upstream release.
  * Update install files.
  * Update symbols files, marking private symbols as such.
  * Remove Disallow_deep_or_widely_nested_entity_references.patch, it has
    been applied upstream.
  * Upstream made all archs use double for qreal (see #731261 for more
    context).
    - Rename libqt5core5 to libqt5core5a to help in the transition:
      - Make libqt5core5a break and replace libqt5core5 << 5.2.0+dfsg~.
      - Rename the associated files (install, lintian-overrides and
        symbols).
      - Adjust dependencies in debian/control.
      - Add lintian override for package not matching SONAME.
    - Re-create symbols that used the qreal subst, they are now all
      doubles.
  * A user of Qt built by a distro doesn't need to find where the SQL
    plugins are via CMake. Do not install them (Closes: #729602).

qtbase-opensource-src (5.2.0~beta1+dfsg-3) experimental; urgency=low

  [ Lisandro Damián Nicanor Pérez Meyer ]
  * Also install KMS/EGL CMake's configuration files for armel:
    - Create debian/qtbase5-dev.install-armel.
  * Install the QEvdev CMake related files only in Linux, as they are not
    present in Hurd.
  * Update symbols files.

qtbase-opensource-src (5.2.0~beta1+dfsg-2) experimental; urgency=low

  * Install KMS/EGL CMake's configuration files for armhf.
    - Create debian/qtbase5-dev.install-armhf.
    - Move debian/qtbase5-dev.install to debian/qtbase5-dev.install-common.
  * Update symbols files.
  * Import upstream's fix_power_atomic_code.patch for fixing PowerPC's FTBFS
    (Closes: #729265). Thanks Aurelien Jarno for the patch.
  * Import upstream's support_mips_atomic_on_pre-mips32_archs.patch for fixing
    MIPS's FTBFS (Closes: #729187). Thanks Aurelien Jarno for the patch.

qtbase-opensource-src (5.2.0~beta1+dfsg-1) experimental; urgency=low

  [ Dmitry Shachnev ]
  * New upstream beta release.
  * Drop fix_usr-move_workaround_in_the_presence_of_multi-arch.patch, applied
    upstream.
  * Update .install files for new upstream release.
  * Make libqt5core5 provide qtbase-abi-5-2-0.
  * Update symbols files.
  * Add myself to Uploaders.

  [ Lisandro Damián Nicanor Pérez Meyer ]
  * Use newer qtbase-abi-5-2-0 in lintian-overrides files.

qtbase-opensource-src (5.1.1+dfsg-6) unstable; urgency=high

  * Backport Disallow_deep_or_widely_nested_entity_references.patch to fix
    CVE-2013-4549: XML Entity Expansion Denial of Service. Set severity to high.
  * Update symbols files with buildds' logs.

qtbase-opensource-src (5.1.1+dfsg-5) unstable; urgency=low

  * Add mips64 and mipsel64 to the list of archs that should use linux-g++
    instead of linux-g++-64 (Closes: #727139).

qtbase-opensource-src (5.1.1+dfsg-4) unstable; urgency=low

  [ Pino Toscano ]
  * Limit the libasound2-dev build dependency as linux-any, as the oss-alsa
    replacement is not usable for qt5 anyway.
  * Remove X11R6 library- and include-dirs from the hurd-g++ mkspec, as they
    might cause issues; patch hurd_opengl_incldir.diff.
  * Update symbols files.

qtbase-opensource-src (5.1.1+dfsg-3) unstable; urgency=low

  [ Pino Toscano ]
  * Move libcomposeplatforminputcontextplugin.so, libqoffscreen.so and
    libqgtk2.so from libqt5gui5.install-linux to libqt5gui5.install-common,
    as they are compiled also on non-Linux OSes.

qtbase-opensource-src (5.1.1+dfsg-2) unstable; urgency=low

  * Add upstream patch fix_usr-move_workaround_in_the_presence_of_multi-arch.patch
    to solve a CMake paths issue that involved a workaround for other distros
    (Closes: #721176).
  * Update symbols files with symbols from other archs.

qtbase-opensource-src (5.1.1+dfsg-1) unstable; urgency=low

  * New upstream release.
  * Remove patches applied upstream:
    - deppath_gnu.diff, the fix is now included upstream.
    - Dont_check_for_the_existence_of_priv_inc_dirs.patch
  * Update amd64 symbols and mark the private ones.
  * Update lintian overrides.

qtbase-opensource-src (5.1.0+dfsg-5) unstable; urgency=low

  [ Pino Toscano ]
  * Extend patch sha3_64bit_BE.diff with another needed function; should
    really fix build on s390x and ppc64 now.

qtbase-opensource-src (5.1.0+dfsg-4) unstable; urgency=low

  [ Pino Toscano ]
  * Fix build of the SHA3 implementation on 64bit big endian architectures
    (e.g. s390x and ppc64); patch sha3_64bit_BE.diff.
  * Update/simplify lintian overrides.
  * Fix build on ia64 by disabling the use of Linux perf events, which do not
    seem present on linux/ia64 kernels; patch linux_no_perf.diff.

qtbase-opensource-src (5.1.0+dfsg-3) unstable; urgency=low

  * Upload to unstable.

qtbase-opensource-src (5.1.0+dfsg-2) experimental; urgency=low

  * Add libxkbcommon-dev as build dependency, thus avoiding using the bundled
    lib.
  * Minor improvement of mark_private_symbols.sh.
  * Add Dont_check_for_the_existence_of_priv_inc_dirs.patch that avoids making
    our users install private headers in order to compile with CMake
    (Closes: #718348).
  * Armel also builds libqkms.so, added to the proper install file.
  * Update symbols files.

qtbase-opensource-src (5.1.0+dfsg-1) experimental; urgency=low

  * New upstream release.
  * Do not build depend on libopenvg1-mesa-dev on hurd, it's not available
    there.
  * Fix watch file with new url.
  * Make libqt5core5 provide qtbase-abi-5-1-0.
  * Update symbols files with latest 5.0.2 build logs.
  * Remove patches applied upstream:
    - undef_B0.diff
    - Rename-qAbs-Function-for-timeval.patch
    - build_examples.patch, adding the new -compile-examples switch.
  * Refresh patches: deppath_gnu.diff.
  * Bump Build-Depends-Indep qttools5-dev-tools dependency to << 5.1.0~.
  * Do not remove the include dir on cleaning the sources. Prior to Qt 5.1
    perl would be run and re-create the includes. In 5.1, perl only runs if
    .git is found and the build is done out-of-source. Thanks Pino and Thiago
    for the hints.
  * Fix typo in -no-direcfb switch in configure.
  * Update install files.
  * Update symbols files with current build. The missing symbols seemed to be
    internal/private stuff and optional ones, so everything should be OK.
  * Mark private symbols in symbols files.
  * Add a lintian override for libqt5core5. Symbols should declare a
    dependency on qtbase-abi-5-1-0.
  * Change symbols files and lintian overrides to provide qtbase-abi-5-1-0.
  * Minimal improvement of README.source with private symbols handling.
  * Remove doc packages. The build system has changed and I can't build them
    anymore.
    - Remove independent build deps.
    - Remove the doc packages from debian/control.
    - Remove their associated install files.
    - Remove the indep targets in debian/rules.

qtbase-opensource-src (5.0.2+dfsg1-7) experimental; urgency=low

  * Mark libgbm-dev as linux-any. Other OSs do not have it.
  * Add the qkms plugin to the armhf list of files to install.
  * Update symbols files.
  * From the armhf build log: "The -arch and -host-arch options are obsolete".
    Remove the relevant armv6 option from debian/rules.
  * Add a lintian override for libqt5xml5, which rightfully declares a
    dependency on qtbase-abi-5-0-2.

qtbase-opensource-src (5.0.2+dfsg1-6) experimental; urgency=low

  [ Lisandro Damián Nicanor Pérez Meyer ]
  * Make packages that ship a binary managed by qtchooser depend on it.
  * Build the documentation shipped with this submodule as a build-indep task:
    - Add the necessary indep build dependencies:
      * qttools5-dev-tools to use qhelpgenerator.
      * libqt5sql5-sqlite to generate qch doc.
    - Build and create packages for qch and HTML doc formats.
    - Document how to bootstrap the packages in order to be able to build the
      documentation.
  * Update symbols files.
  * Add build dependencies to build support for:
    - ALSA.
    - PulseAudio.
    - OpenVG.
    - GStreamer.
  * Add libgbm-dev as Build-Dep, necessary for KMS support.
  * Apply Rename-qAbs-Function-for-timeval.patch taken from upstream to solve
    FTBFS with GCC 4.8.
  * Update Standards-Version to 3.9.4. No changes needed.
  * Make qtbase5-dbg M-A same.

qtbase-opensource-src (5.0.2+dfsg1-5) experimental; urgency=low

  [ Pino Toscano ]
  * Update symbols files.

  [ Lisandro Damián Nicanor Pérez Meyer ]
  * Also ship 5.conf. This makes calls to qtchooser prettier: qtchooser -qt5.
  * Add lintian overrides for packages that depend on the private API/ABI,
    it's totally correct for them to do so.

  [ Sune Vuorela ]
  * Prepare symbol files to track private symbols.
  * Make libqt5core5 provide a virtual package to track the non-public api/abi.
  * Create a script to mark symbols as private.
  * Mark private symbols as private.

qtbase-opensource-src (5.0.2+dfsg1-4) experimental; urgency=low

  [ Pino Toscano ]
  * Update lintian overrides.
  * Drop check of old hppa kernel bug, which has been fixed many years ago.
  * Update Vcs-Browser and Vcs-Git headers.

  [ Timo Jyrinki ]
  * libqt5sql5-sqlite listed as first in recommends, being the lightest.

  [ Lisandro Damián Nicanor Pérez Meyer ]
  * Add qt5-triplet.conf and arch-qualified qt5.conf. See qtchooser's
    README.Debian for more details.
  * Fix typo in qtbase5-private-dev's Breaks+Replaces.
  * Changed qt5-default to arch: all. Should have been like this from start,
    as it contains arch-qualified paths in it.
  * Update symbols files.

qtbase-opensource-src (5.0.2+dfsg1-3) experimental; urgency=low

  [ Pino Toscano ]
  * debian/control: remove extra ${misc:Pre-Depends} from qt5-qmake.
  * debian/control: remove extra qtbase5-dev suggest from libqt5sql5,
    libqt5sql5-mysql, libqt5sql5-odbc, libqt5sql5-psql, libqt5sql5-sqlite,
    libqt5sql5-tds.
  * debian/control: make libqt5printsupport5 recommend libcups2 (which is
    dlopen'ed).
  * Move the private qsqlresult_p.h from qtbase5-dev to qtbase5-private-dev,
    adding proper breaks/replaces in the latter.
  * Use LD_LIBRARY_PATH on any GNU system; patch deppath_gnu.diff.
  * debian/control: remove extra ${shlibs:Depends} from qtbase5-private-dev
    and libqt5opengl5-dev.

  [ Lisandro Damián Nicanor Pérez Meyer ]
  * Update symbols files for hurd-i386, i386, ia64 and powerpc.

  [ Timo Jyrinki ]
  * Use -opengl es2 correctly on arm
  * Allow EGL support also on desktop, on Linux only for now.
  * List no_pch_architectures separately

qtbase-opensource-src (5.0.2+dfsg1-2) experimental; urgency=low

  [ Lisandro Damián Nicanor Pérez Meyer ]
  * Remove the licenses of the removed fonts from debian/copyright.
  * Patch out commit 2b397f985e4ef6ae5c0571a928bb1320fb048c61 to allow building
    examples without calling -developer-build with build_examples.patch
    (Closes: #705836).

qtbase-opensource-src (5.0.2+dfsg1-1) experimental; urgency=low

  * Remove non-free fonts:
    - Fonts under Luxi font license.
    - Fonts under Adobe Copyright license.
  * Be verbose on what we are removing.

qtbase-opensource-src (5.0.2+dfsg-2) experimental; urgency=low

  * Make qtbase5-dev depend on qtchooser, as it is needed for using qmake and
    friends.

qtbase-opensource-src (5.0.2+dfsg-1) experimental; urgency=low

  * Initial release. (Closes: #697509)

quassel (1:0.10.0-2.3+deb8u1) jessie-security; urgency=high

  * Fix CVE-2015-3427: SQL injection vulnerability in PostgreSQL backend.
    (Closes: #783926)
    - Add debian/patches/CVE-2015-3427.patch, cherry-picked from upstream.
    - The original issue was CVE-2013-4422 which had an incomplete fix.

ruby-defaults (1:2.1.5+deb8u1) jessie; urgency=medium

  * ruby: add `Conflicts: ruby-activesupport-2.3` to help with several
    Rails-related upgrade issues, e.g. when upgrading redmine from wheezy
    (Closes: #784336).

ruby-defaults (1:2.1.5+1) experimental; urgency=medium

  * Add support for Ruby 2.2 (not the default yet)
  * debian/ruby-all-dev-depends: automatically generate dependencies for
    ruby-all-dev based on the contents of ruby_debian_dev.rb

ruby2.1 (2.1.5-2+deb8u1) jessie-security; urgency=high

  * Fix vulnerability with overly permissive matching of hostnames in OpenSSL
    extension [CVE-2015-1855]
    - applied revision 50296 of upstream svn repository.

semi (1.14.7~0.20120428-14+deb8u1) jessie; urgency=medium

  * New patch 020_encrypt.patch to fix incorrect keys in encryption
    (closes: #784712)

smstools (3.1.15-1.1+deb8u1) stable; urgency=high

  * NMU by Jonas Meurer to push the fix into Jessie.
  * Fix initscript (debian/init.d):
    * drop action 'reload' as it does not do what policy demands it to do.
      Use 'force-reload' in logrotate post-rotate action. This fixes the
      'force-reload' action when used through systemd tools and prevents the
      smsd daemon process from being killed at every log rotation.
      (closes: #782996)
    * source /lib/lsb/init-functions in order to make systemd tools aware of
      status changes to the daemon that have been caused by invoking the
      initscript directly.

sqlite3 (3.8.7.1-1+deb8u1) jessie-security; urgency=high

  * Fix CVE-2015-3414, use of uninitialized memory when parsing collation
    sequences.
  * Fix CVE-2015-3415, properly implement comparison operators in
    sqlite3VdbeExec().
  * Fix CVE-2015-3416, properly handle precision and width values during
    floating-point conversions in sqlite3VXPrintf().

suricata (2.0.7-2+deb8u1) jessie-security; urgency=high

  * Backport fix for CVE-2015-0971 (Integer overflow in the DER parser)

systemd (215-17+deb8u1) stable; urgency=medium

  [ Michael Biebl ]
  * manager: Pass correct errno to strerror(), have_ask_password contains
    negative error values which have to be negated when being passed to
    strerror().

  [ Martin Pitt ]
  * Revert upstream commit 743970d which immediately SIGKILLs units during
    shutdown. This leads to problems like bash not being able to write its
    history, mosh not saving its state, and similar failed cleanup actions.
    (Closes: #784720, LP: #1448259)
  * write_net_rules: Escape '{' and '}' characters as well, to make this work
    with busybox grep. Thanks Faidon Liambotis! (Closes: #765577)
  * debian/gbp.conf: Point to jessie branch.

tasksel (3.31+deb8u1) jessie; urgency=medium

  * Make task-xfce-desktop recommend evince-gtk | evince instead of just
    evince-gtk, making the GNOME and Xfce desktop tasks co-installable
    (Closes: #783571).

tecnoballz (0.93.1-4+deb8u1) jessie; urgency=medium

  * Fix multiple gameplay issues which could impair the fun.
  * Add bouncer-restriction.patch. Fix minimum distance of bouncers to walls
    in boss levels. (Closes: #776262)
  * gigablitz-gauge.patch: Fix gigablitz gauge that was not working.
    (Closes: #776342)
  * right-click-game-over.patch: Fix right click game over bug.
    (Closes: #776263)

tlsdate (0.0.13-1~deb8u1) jessie; urgency=high

  * Upload to stable to switch from www.ptb.de to www.google.com as the former
    is now sending randomized gmt values. (Closes: #783174, #783193)

tlsdate (0.0.13-1) unstable; urgency=high

  * New upstream release

tlsdate (0.0.12-3) unstable; urgency=high

  * Switch from www.ptb.de to www.google.com as the former is now sending
    randomized gmt values. (Closes: #783174) (Closes: #783193)

tlsdate (0.0.13-1~deb8u1~bpo70+1) wheezy-backports; urgency=high

  * Rebuild for wheezy-backports.

tlsdate (0.0.13-1~deb8u1) jessie; urgency=high

  * Upload to stable to switch from www.ptb.de to www.google.com as the former
    is now sending randomized gmt values. (Closes: #783174, #783193)

tlsdate (0.0.13-1) unstable; urgency=high

  * New upstream release

tlsdate (0.0.12-3) unstable; urgency=high

  * Switch from www.ptb.de to www.google.com as the former is now sending
    randomized gmt values. (Closes: #783174) (Closes: #783193)

torbrowser-launcher (0.1.9-1+deb8u1) jessie; urgency=high

  * Apply 3d9f4ed and 5f833d7 from 0.2.0 upstream release to deal with changed
    paths in the 4.5 torbrowser release. (Closes: #784041)
  * 3d9f4ed also removes the accept links feature (as it has stopped working
    with 4.5.)
  * Apply f219f35 from 0.2.0 to stop acting as default browser, because a
    default browser should be capable of accepting links.

torbrowser-launcher (0.1.9-1+deb8u1~bpo70+1) wheezy-backports; urgency=high

  * Rebuild for wheezy-backports.

torbrowser-launcher (0.1.9-1+deb8u1) jessie; urgency=high

  * Apply 3d9f4ed and 5f833d7 from 0.2.0 upstream release to deal with changed
    paths in the 4.5 torbrowser release. (Closes: #784041)
  * 3d9f4ed also removes the accept links feature (as it has stopped working
    with 4.5.)
  * Apply f219f35 from 0.2.0 to stop acting as default browser, because a
    default browser should be capable of accepting links.

translate-shell (0.8.21-1+deb8u1) jessie; urgency=medium

  * switch to new Google Translate API Closes: #782811

tzdata (2015d-0+deb8u1) stable; urgency=medium

  * New upstream version:
    - Remove DST rule for Egypt starting in 2015.
  * Install leap-seconds.list to /usr/share/zoneinfo (Closes: #775166)

tzdata (2015d-0+deb7u1) oldstable; urgency=medium

  * New upstream version:
    - Remove DST rule for Egypt starting in 2015.

tzdata (2015d-0+deb6u1) squeeze-lts; urgency=medium

  * New upstream version:
    - Remove DST rule for Egypt starting in 2015.

ulogd2 (2.0.4-2+deb8u1) stable; urgency=medium

  * Begin a new debian-jessie branch: update debian/gbp.conf.
  * Add upstream patch Fix-JSON-output-on-big-endian-systems.patch:
    - Corrects JSON output of integer types on big-endian systems.
      (Closes: #784935)

unattended-upgrades (0.83.3.1) stable; urgency=low

  * fix default configuration to match the jessie security server
    configuration (closes: #783690)

usemod-wiki (1.0.5-3+deb8u1) jessie; urgency=medium

  * Adjust startform/endform to start_form/end_form. (Closes: #784256)
  * Update repository URLs.

virtualbox (4.3.18-dfsg-3+deb8u3) jessie; urgency=medium

  * d/p/39-crash-raw-mode.patch fix crash in raw mode. (Closes: #785689)
    from upstream changeset 53083 thanks Frank for the hint!

virtualbox (4.3.18-dfsg-3+deb8u2) jessie-security; urgency=high

  * d/p/CVE-2015-3456.patch fix for CVE-2015-3456 a.k.a. VENOM
    (Closes: #785424)

virtualbox (4.3.18-dfsg-3+deb8u1) jessie; urgency=medium

  [ Moritz Mühlenhoff ]
  * d/p/37-disable-smap.patch, cherry-pick upstream patch to fix a kernel
    paging issue (LP: #1437845, Closes: #783142).

win32-loader (0.7.8+deb8u1) jessie; urgency=low

  * Replace the Joy screenshot by a recent Lines screenshot
  * Replace http.debian.net with httpredir.debian.org

wordpress (4.1+dfsg-1+deb8u1) jessie-security; urgency=high

  * Backports of 4.1.2 security fixes Closes: #783347
    - Changeset 32163 sanity checks
    - Changeset 32165 sanitize order by
    - Changeset 32172 filename check
    - Changeset 32174 multisite change extra checks
    - Changeset 32176 Dashboard escapes titles
    - Changeset 32234 More WPDB query sanity
  * Backport of 4.2.1 for security fixes Closes: #783554
    - Changeset 32307: XSS for long 64k+ comments

wpa (2.3-1+deb8u1) jessie-security; urgency=high

  * import "P2P: Validate SSID element length before copying it
    (CVE-2015-1863)" from upstream (Closes: #783148).

zendframework (1.12.9+dfsg-2+deb8u2) jessie-security; urgency=high

  * Update ZF2015-04 patch. Use the final upstream patch instead of the
    initial one. No actual change other than spaces, comments and tests. It
    will ease cherry-picking further fixes if needed.
  * Fix regression in headers creation. Non-string and non-stringable objects
    were not allowed anymore with the ZF2015-04 patch. This broke a number of
    other classes, however, which required integer and/or float values (e.g.,
    to set a Content-Length header).

zendframework (1.12.9+dfsg-2+deb8u1) jessie-security; urgency=high

  * Track Jessie update in the jessie branch
  * Fix ZF2015-04: CRLF injections in HTTP and Mail
    http://framework.zend.com/security/advisory/ZF2015-04 [CVE-2015-3154]

zeromq3 (4.0.5+dfsg-2+deb8u1) jessie-security; urgency=high

  * V3 protocol handler vulnerable to downgrade attacks, use upstream
    backported fix for this issue.

=========================================
Sat, 25 Apr 2015 - Debian 8.0 released
=========================================