====================================== Sat, 09 Dec 2017 - Debian 8.10 released ====================================== ========================================================================= [Date: Sat, 09 Dec 2017 09:40:02 +0000] [ftpmaster: Archive Administrator] Removed the following packages from oldstable: aiccu | 20070115-15.2 | source, amd64, arm64, armel, armhf, i386, mips, mipsel, powerpc, ppc64el, s390x Closed bugs: 869273 ------------------- Reason ------------------- useless since shutdown of SixXS ---------------------------------------------- ========================================================================= ========================================================================= [Date: Sat, 09 Dec 2017 09:41:29 +0000] [ftpmaster: Archive Administrator] Removed the following packages from oldstable: libnet-ping-external-perl | 0.13-1 | source, all Closed bugs: 881202 ------------------- Reason ------------------- unmaintained, security issues ---------------------------------------------- ========================================================================= ========================================================================= [Date: Sat, 09 Dec 2017 09:51:06 +0000] [ftpmaster: Archive Administrator] Removed the following packages from oldstable: firefox-esr-l10n-be | 45.9.0esr-1~deb8u1 | all ------------------- Reason ------------------- [auto-cruft] no longer built from source ---------------------------------------------- ========================================================================= ========================================================================= [Date: Sat, 09 Dec 2017 09:51:27 +0000] [ftpmaster: Archive Administrator] Removed the following packages from oldstable: iceweasel-l10n-be | 1:45.9.0esr-1~deb8u1 | all ------------------- Reason ------------------- [auto-cruft] no longer built from source ---------------------------------------------- ========================================================================= ========================================================================= [Date: Sat, 09 Dec 2017 09:51:34 +0000] [ftpmaster: Archive Administrator] Removed the following packages from oldstable: enigmail | 2:1.8.2-4~deb8u1 | amd64, arm64, armel, armhf, i386, mips, mipsel, powerpc, ppc64el, s390x ------------------- Reason ------------------- [auto-cruft] obsolete arch any package ---------------------------------------------- ========================================================================= apache2 (2.4.10-10+deb8u11) jessie-security; urgency=high . * Non-maintainer upload by the Security Team. * CVE-2017-9798: Use-after-free by limiting unregistered HTTP method (Closes: #876109) apache2 (2.4.10-10+deb8u10) jessie-security; urgency=medium . * CVE-2017-9788: mod_auth_digest: Fix leak of uninitialized memory asterisk (1:11.13.1~dfsg-2+deb8u4) jessie-security; urgency=high . * CVE-2017-14603 / AST-2017-008 This is a follow-up for AST-2017-005: RTP/RTCP information leak improving robustness of the security fix and fixing a regression with re-INVITEs (Closes: #876328) asterisk (1:11.13.1~dfsg-2+deb8u3) jessie-security; urgency=high . * CVE-2017-14099 / AST-2017-005 Media takeover in RTP stack ("RTP bleed") (Closes: #873907) * CVE-2017-14100 / AST-2017-006 Shell access command injection in app_minivm (Closes: #873908) atril (1.8.1+dfsg1-4+deb8u1) jessie-security; urgency=high . * Non-maintainer upload * Add 0003-CVE-2017-1000083-evince-comics-remove-tar-commands-support-3-10-3.patch Fixes a command injection vulnerability in CBT handler. CVE-2017-1000083 (Closes: #868500) augeas (1.2.0-0.2+deb8u2) jessie-security; urgency=high . * Add patch to fix CVE-2017-7555 (Closes: #872400) bareos (14.2.1+20141017gitc6c5b56-3+deb8u3) jessie; urgency=medium . * Fix permissions of bareos-dir logrotate config. (Closes: #864926) * Fix file corruption when using SHA1 signature. (Closes: #869608) * Add autopkgtest for SHA1 signature. base-files (8+deb8u10) oldstable; urgency=medium . * Changed /etc/debian_version to 8.10, for Debian 8.10 point release. bchunk (1.2.0-12+deb8u1) jessie-security; urgency=high . * Non-maintainer upload. * Fix CVE-2017-15953, CVE-2017-15954 and CVE-2017-15955. bchunk was vulnerable to a heap-based buffer overflow with an resultant invalid free when processing a malformed CUE (.cue) file that may lead to the execution of arbitrary code or a application crash. (Closes: #880116) bind9 (1:9.9.5.dfsg-9+deb8u14) jessie; urgency=high . [ Bernhard Schmidt ] * Import upcoming DNSSEC KSK-2017 from 9.10.5 . [ Ondřej Surý ] * Non-maintainer upload. bind9 (1:9.9.5.dfsg-9+deb8u13) jessie-security; urgency=high . * Non-maintainer upload by the Security Team. * Add patch to fix regression introduced by patch for CVE-2017-3042. closes: #868952 bluez (5.23-2+deb8u1) jessie-security; urgency=high . * Non-maintainer upload by the Security Team. * CVE-2017-1000250: information disclosure vulnerability in service_search_attr_req (Closes: #875633) botan1.10 (1.10.8-2+deb8u2) jessie-security; urgency=medium . * CVE-2017-2801 bzr (2.6.0+bzr6595-6+deb8u1) jessie-security; urgency=high . * Non-maintainer upload by the Security Team. * Use 'localhost' rather than '127.0.0.1' in SSL certificates, as the latter trips up pycurl (Closes: #868966) * Ship a refreshed copy of the ssl certs used in testsuite * Prevent SSH command line options from being specified in bzr+ssh:// URLs (CVE-2017-14176) (Closes: #874429) catdoc (0.94.4-1.1+deb8u1) jessie-security; urgency=high . * Non-maintainer upload by the Security Team. * CVE-2017-11110: Heap buffer overflow in ole_init (Closes: #867717) connman (1.21-1.2+deb8u1) jessie-security; urgency=high . * Non-maintainer upload by the Security Team. * CVE-2017-12865: Fix crash on malformed DNS response (Closes: #872844) cups (1.7.5-11+deb8u2) jessie; urgency=high . * Disable SSLv3 and RC4 by default to address POODLE vulnerability (Closes: #839226) - Implement SSLOptions to permit the use of AllowSSL3 and AllowRC4 respectively * Refresh patches curl (7.38.0-4+deb8u8) jessie-security; urgency=high . * Non-maintainer upload by the Security Team. * Fix NTLM buffer overflow via integer overflow as per CVE-2017-8816 https://curl.haxx.se/docs/adv_2017-11e7.html * Fix FTP wildcard out of bounds read as per CVE-2017-8817 https://curl.haxx.se/docs/adv_2017-ae72.html curl (7.38.0-4+deb8u7) jessie-security; urgency=medium . * Fix IMAP FETCH response out of bounds read as per CVE-2017-1000257 https://curl.haxx.se/docs/adv_20171023.html curl (7.38.0-4+deb8u6) jessie-security; urgency=medium . * Fix TFTP sends more than buffer size as per CVE-2017-1000100 https://curl.haxx.se/docs/adv_20170809B.html * Fix URL globbing out of bounds read as per CVE-2017-1000101 https://curl.haxx.se/docs/adv_20170809A.html * Fix FTP PWD response parser out of bounds read as per CVE-2017-1000254 https://curl.haxx.se/docs/adv_20171004.html cvs (2:1.12.13+real-15+deb8u1) jessie-security; urgency=high . * Fix CVE-2017-12836 (Closes: #871810) db (5.1.29-9+deb8u1) jessie; urgency=medium . * Non-maintainer upload. * CVE-2017-10140: Reads DB_CONFIG from the current working directory. Do not access DB_CONFIG when db_home is not set. db5.3 (5.3.28-9+deb8u1) jessie; urgency=medium . * Non-maintainer upload. * CVE-2017-10140: Reads DB_CONFIG from the current working directory. Do not access DB_CONFIG when db_home is not set. (Closes: #872436) debian-installer-netboot-images (20150422+deb8u4.b5) jessie; urgency=medium . * Update to 20150422+deb8u4+b5 images, from jessie-proposed-updates debmirror (1:2.16+deb8u1) jessie; urgency=medium . * Tolerate unknown lines in *.diff/Index (closes: #808216, #815149). * Mirror DEP-11 metadata files (closes: #814416). * Prefer xz over gz, and cope with either being missing as long as we can get some version of the index file in question. * Use check_lists to check Translation files rather than a similar custom function; this allows use of stronger hashes. * Mirror and validate InRelease files (closes: #619188). dns-root-data (2017072601~deb8u1) jessie; urgency=high . * Add KSK-2017 to root.key file * Update root.hints to 2017072601 version * Add gbp.conf for master-jessie branch dns-root-data (2017071401) unstable; urgency=medium . * Update the root.hints to 2017060102 version * Change the state of KSK-2017 to VALID dns-root-data (2017041102) unstable; urgency=high . [ Robert Edmonds ] * Change DS creation to omit TTL and use spaces instead of tabs (Closes: #864016) dns-root-data (2017041101) unstable; urgency=medium . * Fix parse-root-anchors.sh in non-dash shells (Closes: #862252) * Update to 2017041101 version of root zone * Remove timestamps from root.key to make the build reproducible * Shell syntax cleanup dns-root-data (2017020200) unstable; urgency=medium . * Update to 2016102001 version of the root.zone * Add KSK-2017 (valid from 2017-02-02) into root.key file * Reduce number of IANA files as they don't exist at upstream anymore * draft-icann-dnssec-trust-anchor is now RFC 7958 * Update all other IANA DNSSEC files to 2017-02-02 versions * Strip the GPG verification as IANA doesn't provide the GPG signatures anymore * Rewrite DS creation check to xml2 and ldnsutils, as neither xmllint nor bind9utils handle multiple DNSKEY in one file correctly dns-root-data (2015052300+h+1) unstable; urgency=medium . * Update root.hints to 2015052300 version * Move the package under Debian DNS Maintainers umbrella * Implement the H.ROOT-SERVERS.NET IP addresses changes that's scheduled for December 1st, but operational now dnsmasq (2.72-3+deb8u2) jessie-security; urgency=high . * Non-maintainer upload by the Security Team. * CVE-2017-14491: DNS heap buffer overflow * CVE-2017-14492: DHCPv6 RA heap overflow * CVE-2017-14493: DHCPv6 - Stack buffer overflow * CVE-2017-14494: Infoleak handling DHCPv6 forwarded requests * CVE-2017-14491: DNS heap buffer overflow (further fix) dput (0.9.6.4+deb8u1) jessie; urgency=medium . * dput.cf: replace security-master.d.o with ftp.upload.security.d.o (Closes: #863348) dwww (1.12.1+deb8u1) jessie; urgency=medium . * Fix an old typo in the `Last-Modified' header name that prevents dwww from working correctly on systems running the latest available jessie version of apache2, which as a part its security update for CVE-2016-8743 started enforcing HTTP headers conformance with the appropriate standards (closes: #850016, #850885). elog (2.9.2+2014.05.11git44800a7-2+deb8u2) jessie; urgency=medium . * update patch 0005_elogd_CVE-2016-6342_fix to grant access to logbooks also as normal login user (Closes: #851909) emacs24 (24.4+1-5+deb8u1) jessie-security; urgency=medium . * Remove unsafe enriched mode translations enigmail (2:1.9.8.1-1~deb8u1) jessie-security; urgency=medium . * Rebuild for jessie-security (Closes: #869774) . enigmail (2:1.9.8.1-1) unstable; urgency=medium . * new upstream release . enigmail (2:1.9.8-1) unstable; urgency=medium . * New upstream release. * Standards-Version to 4.0.0 (no changes needed) * use dpkg/pkg-info.mk instead of dpkg-parsechangelog * use wrap-and-sort -ast . enigmail (2:1.9.7-2) unstable; urgency=medium . * enable re-certifying keys with expired certs (Closes: #863273) . enigmail (2:1.9.7-1) unstable; urgency=medium . * new upstream bugfix release . enigmail (2:1.9.6-2) unstable; urgency=medium . * pulled a bugfix from upstream, refreshed patches . enigmail (2:1.9.6-1) unstable; urgency=medium . * new upstream release . enigmail (2:1.9.5-7) unstable; urgency=medium . * fix "exchange repair" variant format of e-mail . enigmail (2:1.9.5-6) unstable; urgency=medium . * refresh patches from upstream enigmail-1.9-branch . enigmail (2:1.9.5-5) unstable; urgency=medium . * fix query for getKeyFileType (Closes: #842212) . enigmail (2:1.9.5-4) unstable; urgency=medium . * avoid parallel build failures . enigmail (2:1.9.5-3) unstable; urgency=medium . * more patches from upstream * bump to debhelper 10 (no changes needed) . enigmail (2:1.9.5-2) unstable; urgency=medium . * include two patches from upstream . enigmail (2:1.9.5-1) unstable; urgency=medium . * new upstream release . enigmail (2:1.9.4-1) unstable; urgency=medium . * new upstream release . enigmail (2:1.9.3-2) unstable; urgency=medium . * pulled more fixes from upstream . enigmail (2:1.9.3-1) unstable; urgency=medium . * new upstream release . enigmail (2:1.9.2-1) unstable; urgency=medium . * new upstream release * drop old upstream patches, pull more fixes from upstream . enigmail (2:1.9.1-2) unstable; urgency=medium . * changed dependencies to acknowledge newer versions of gnupg. * bumped Standards-Version to 3.9.8 (no changes needed) . enigmail (2:1.9.1-1) unstable; urgency=medium . * new upstream release * incorporated some additional minor patches from upstream's enigmial-1.9-branch as well. . enigmail (2:1.9-1) unstable; urgency=medium . * new upstream release * include upstream fix for excessive dumping * bumped Standards-Version to 3.9.7 (no changes needed) . enigmail (2:1.9~beta2+16.gd99b-1) experimental; urgency=medium . * new upstream snapshot . enigmail (2:1.9~beta2-1) experimental; urgency=medium . * new upstream beta release. * depend directly on gnupg2 -- 1.9 and later won't work with gpg1. . enigmail (2:1.9~beta1-1) experimental; urgency=medium . * package new upstream beta for experimental. . enigmail (2:1.8.2-4) unstable; urgency=medium . * pass through {GTK,QT}_IM_MODULE, XMODIFIERS, and DBUS_SESSION_BUS_ADDRESS so that modern pinentry works. (Closes: #794627) * correct reported version number of enigmail enigmail (2:1.9.8-1) unstable; urgency=medium . * New upstream release. * Standards-Version to 4.0.0 (no changes needed) * use dpkg/pkg-info.mk instead of dpkg-parsechangelog * use wrap-and-sort -ast enigmail (2:1.9.7-2) unstable; urgency=medium . * enable re-certifying keys with expired certs (Closes: #863273) enigmail (2:1.9.7-1) unstable; urgency=medium . * new upstream bugfix release enigmail (2:1.9.6-2) unstable; urgency=medium . * pulled a bugfix from upstream, refreshed patches enigmail (2:1.9.6-1) unstable; urgency=medium . * new upstream release enigmail (2:1.9.5-7) unstable; urgency=medium . * fix "exchange repair" variant format of e-mail enigmail (2:1.9.5-6) unstable; urgency=medium . * refresh patches from upstream enigmail-1.9-branch enigmail (2:1.9.5-5) unstable; urgency=medium . * fix query for getKeyFileType (Closes: #842212) enigmail (2:1.9.5-4) unstable; urgency=medium . * avoid parallel build failures enigmail (2:1.9.5-3) unstable; urgency=medium . * more patches from upstream * bump to debhelper 10 (no changes needed) enigmail (2:1.9.5-2) unstable; urgency=medium . * include two patches from upstream enigmail (2:1.9.5-1) unstable; urgency=medium . * new upstream release enigmail (2:1.9.4-1) unstable; urgency=medium . * new upstream release enigmail (2:1.9.3-2) unstable; urgency=medium . * pulled more fixes from upstream enigmail (2:1.9.3-1) unstable; urgency=medium . * new upstream release enigmail (2:1.9.2-1) unstable; urgency=medium . * new upstream release * drop old upstream patches, pull more fixes from upstream enigmail (2:1.9.1-2) unstable; urgency=medium . * changed dependencies to acknowledge newer versions of gnupg. * bumped Standards-Version to 3.9.8 (no changes needed) enigmail (2:1.9.1-1) unstable; urgency=medium . * new upstream release * incorporated some additional minor patches from upstream's enigmial-1.9-branch as well. enigmail (2:1.9-1) unstable; urgency=medium . * new upstream release * include upstream fix for excessive dumping * bumped Standards-Version to 3.9.7 (no changes needed) enigmail (2:1.9~beta2-1) experimental; urgency=medium . * new upstream beta release. * depend directly on gnupg2 -- 1.9 and later won't work with gpg1. enigmail (2:1.9~beta1-1) experimental; urgency=medium . * package new upstream beta for experimental. enigmail (2:1.8.2-4) unstable; urgency=medium . * pass through {GTK,QT}_IM_MODULE, XMODIFIERS, and DBUS_SESSION_BUS_ADDRESS so that modern pinentry works. (Closes: #794627) * correct reported version number of enigmail firefox-esr (52.5.0esr-1~deb8u1) jessie-security; urgency=medium . * New upstream release. * Fixes for mfsa2017-25, also known as: CVE-2017-7828, CVE-2017-7830, CVE-2017-7826. . * debian/source/lintian-overrides: Add a lintian override for dotzlib.chm. * debian/import-tar.py: Make python 3.6 happy. firefox-esr (52.4.0esr-2) unstable; urgency=medium . * debian/source/lintian-overrides: Add a lintian override for dotzlib.chm. firefox-esr (52.4.0esr-1~deb9u1) stretch-security; urgency=medium . * New upstream release. * Fixes for mfsa2017-22, also known as: CVE-2017-7793, CVE-2017-7818, CVE-2017-7819, CVE-2017-7824, CVE-2017-7805, CVE-2017-7814, CVE-2017-7823, CVE-2017-7810. * debian/rules: Really build with gcc 6 on unstable. Closes: #871583. . * js/src/jsmath.cpp: Add GETRANDOM_NR definition for powerpc and mips. bz#1389281. * media/libcubeb/tests/moz.build: Fixup workaround for binutil assertion on mips. firefox-esr (52.4.0esr-1~deb8u1) jessie-security; urgency=medium . * New upstream release. * Fixes for mfsa2017-22, also known as: CVE-2017-7793, CVE-2017-7818, CVE-2017-7819, CVE-2017-7824, CVE-2017-7805, CVE-2017-7814, CVE-2017-7823, CVE-2017-7810. * debian/rules: Really build with gcc 6 on unstable. Closes: #871583. firefox-esr (52.3.0esr-2) unstable; urgency=medium . * debian/rules: Really build with gcc 6. Closes: #871583. firefox-esr (52.3.0esr-1) unstable; urgency=medium . * New upstream release. * Fixes for mfsa2017-19, also known as: CVE-2017-7798, CVE-2017-7800, CVE-2017-7801, CVE-2017-7784, CVE-2017-7802, CVE-2017-7785, CVE-2017-7786, CVE-2017-7753, CVE-2017-7787, CVE-2017-7807, CVE-2017-7792, CVE-2017-7791, CVE-2017-7803, CVE-2017-7779. . * debian/upstream.mk: Set DIST differently for experimental. * debian/control*, debian/rules: Build with gcc 6 because display is broken with gcc 7. . * FTBFS fixes: - js/src/jsmath.cpp: Define GETRANDOM_NR on more artitectures. bz#1352236, bz#1357874. - media/libyuv/source/row_mips.cc: Only use the perf opcode on mips arches that support it. bz#1012232. firefox-esr (52.3.0esr-1~deb9u1) stretch-security; urgency=medium . * New upstream release. * Fixes for mfsa2017-19, also known as: CVE-2017-7798, CVE-2017-7800, CVE-2017-7801, CVE-2017-7784, CVE-2017-7802, CVE-2017-7785, CVE-2017-7786, CVE-2017-7753, CVE-2017-7787, CVE-2017-7807, CVE-2017-7792, CVE-2017-7791, CVE-2017-7803, CVE-2017-7779. . * debian/upstream.mk: - Consider testing/unstable as buster, which implies build depending on system nspr, nss and sqlite again. - Support DEB_DISTRIBUTION being bustersomething or sid. Closes: #865650. . * debian/upstream.mk: Set DIST differently for experimental. * debian/control*, debian/rules: Build with gcc 6 because display is broken with gcc 7. . * FTBFS fixes: - js/src/jsmath.cpp: Define GETRANDOM_NR on more artitectures. bz#1352236, bz#1357874. - media/libyuv/source/row_mips.cc: Only use the perf opcode on mips arches that support it. bz#1012232. firefox-esr (52.3.0esr-1~deb8u2) jessie-security; urgency=medium . * js/src/jsmath.cpp: Add GETRANDOM_NR definition for powerpc and mips. bz#1389281. * media/libcubeb/tests/moz.build: Fixup workaround for binutil assertion on mips. firefox-esr (52.2.0esr-2) unstable; urgency=medium . * debian/upstream.mk: - Consider testing/unstable as buster, which implies build depending on system nspr, nss and sqlite again. - Support DEB_DISTRIBUTION being bustersomething or sid. Closes: #865650. firefox-esr (52.2.0esr-1) unstable; urgency=medium . * New upstream release. * Fixes for mfsa2017-16, also known as: CVE-2017-5472, CVE-2017-7749, CVE-2017-7750, CVE-2017-7751, CVE-2017-7752, CVE-2017-7754, CVE-2017-7756, CVE-2017-7757, CVE-2017-7778, CVE-2017-7758, CVE-2017-7764, CVE-2017-5470. . * debian/rules, debian/control.in: Switch to GCC 4.8 on wheezy. * debian/rules: Don't remove debian/control on clean. Thanks to Emilio Pozuelo Monfort for those two changes for wheezy LTS support. * debian/control.in: Bump nss build dependency. * debian/control.in, debian/rules, debian/symbols.mk, debian/upstream.mk: Rename the BACKPORT variable to DIST, and set it to "stretch" for unstable/testing targetted builds. * debian/rules: Normalize the system libraries used depending on the Debian version. firefox-esr (52.2.0esr-1~deb9u1) stretch-security; urgency=medium . * New upstream release. * Fixes for mfsa2017-16, also known as: CVE-2017-5472, CVE-2017-7749, CVE-2017-7750, CVE-2017-7751, CVE-2017-7752, CVE-2017-7754, CVE-2017-7756, CVE-2017-7757, CVE-2017-7778, CVE-2017-7758, CVE-2017-7764, CVE-2017-5470. . * debian/rules, debian/control.in: Switch to GCC 4.8 on wheezy. * debian/rules: Don't remove debian/control on clean. Thanks to Emilio Pozuelo Monfort for those two changes for wheezy LTS support. * debian/control.in: Bump nss build dependency. * debian/control.in, debian/rules, debian/symbols.mk, debian/upstream.mk: Rename the BACKPORT variable to DIST, and set it to "stretch" for unstable/testing targetted builds. * debian/rules: Normalize the system libraries used depending on the Debian version. . firefox-esr (52.1.0esr-1) experimental; urgency=medium . * New upstream release. * Fixes for mfsa2017-12, also known as: CVE-2017-5433, CVE-2017-5435, CVE-2017-5436, CVE-2017-5459, CVE-2017-5466, CVE-2017-5434, CVE-2017-5432, CVE-2017-5460, CVE-2017-5438, CVE-2017-5439, CVE-2017-5440, CVE-2017-5441, CVE-2017-5442, CVE-2017-5464, CVE-2017-5443, CVE-2017-5444, CVE-2017-5446, CVE-2017-5447, CVE-2017-5465, CVE-2017-5448, CVE-2017-5454, CVE-2017-5455, CVE-2017-5456, CVE-2017-5469, CVE-2017-5445, CVE-2017-5449, CVE-2017-5451, CVE-2017-5462, CVE-2017-5467, CVE-2017-5430, CVE-2017-5429. . firefox-esr (52.0.2esr-1) experimental; urgency=medium . * New upstream release. * debian/browser.mozconfig.in, debian/mls.key: Enable geolocation using Mozilla's Location Service. Closes: #726230. . * browser/app/profile/firefox.js: Use the Mozilla Location Service when the Google Key is not there. . firefox-esr (52.0.1esr-1) experimental; urgency=medium . * New upstream release. * Fix for mfsa2017-08, also known as CVE-2017-5428. . * debian/browser.mozconfig.in: Build with --enable-alsa. Closes: #857281. . firefox-esr (52.0esr-1) experimental; urgency=medium . * New upstream release. * Fixes for mfsa2017-05, also known as: CVE-2017-5400, CVE-2017-5401, CVE-2017-5402, CVE-2017-5403, CVE-2017-5404, CVE-2017-5406, CVE-2017-5407, CVE-2017-5410, CVE-2017-5408, CVE-2017-5412, CVE-2017-5413, CVE-2017-5414, CVE-2017-5415, CVE-2017-5416, CVE-2017-5417, CVE-2017-5426, CVE-2017-5427, CVE-2017-5418, CVE-2017-5419, CVE-2017-5420, CVE-2017-5405, CVE-2017-5421, CVE-2017-5422, CVE-2017-5399, CVE-2017-5398. . * debian/control*: - Bump nss and sqlite build dependencies. - Build depend on libjsoncpp-dev. * debian/rules: - Update ICU_DATA_FILE version. - Don't build against system sqlite until we have the right version in Debian. * debian/browser.lintian-overrides.in: Add a lintian override for NSPR and NSS. * debian/browser.install.in: - Install chrome.manifest, libmozsandbox.so and minidump-analyzer. - Remove browser/components. . * browser/installer/allowed-dupes.mn, toolkit/mozapps/installer/find-dupes.py, toolkit/mozapps/installer/packager.mk: Preprocess find-dupes exception list. bz#1315309. * config/system-headers, toolkit/crashreporter/jsoncpp/src/lib_json/moz.build, toolkit/crashreporter/minidump-analyzer/moz.build: Build against system libjsoncpp. . firefox (51.0.1-3) unstable; urgency=medium . * js/src/jit/mips-shared/Assembler-mips-shared.h, js/src/jit/mips-shared/CodeGenerator-mips-shared.cpp, js/src/jit/mips-shared/CodeGenerator-mips-shared.h, js/src/jit/mips-shared/MacroAssembler-mips-shared-inl.h, js/src/jit/mips-shared/MacroAssembler-mips-shared.cpp, js/src/jit/mips-shared/MacroAssembler-mips-shared.h, js/src/jit/mips32/MacroAssembler-mips32-inl.h, js/src/jit/mips32/MacroAssembler-mips32.cpp, js/src/jit/mips32/MacroAssembler-mips32.h, js/src/jit/mips64/MacroAssembler-mips64-inl.h, js/src/jit/mips64/MacroAssembler-mips64.cpp, js/src/jit/mips64/MacroAssembler-mips64.h: Apply patch from bz#1303688 hopefully fixing the FTBFS on mips*. . firefox (51.0.1-2) unstable; urgency=medium . * debian/symbols.mk: - Better handle downloading symbols from packages with epochs. - Don't filter file names when getting symbols. - Add experimental buildd apt source for symbols download. - Avoid apt-get download being re-run when the file is already there. - Adjust DBGTYPE depending on package version, not whether it's a backport. - Only dump symbols for files of type application/x-sharedlib. This covers binary executables too because they are PIE and undistinguishable from shared libraries as a consequence. * debian/rules: - Add -fno-schedule-insns2 back. Closes: #854258. - Build with -fno-schedule-insns on armel and armhf when building with GCC6. Closes: #854640. - Hack to disable --gc-sections when building NSS, working around bug #844357 again. Should fix FTBFS on mips*. * debian/browser.desktop.in, debian/rules: Followup for the StartupWMClass changes in 51.0.1-1: Use the same name in desktop file and application.ini RemotingName. Closes: #854397. . firefox (51.0.1-1) unstable; urgency=medium . * New upstream release. . * debian/browser.desktop.in: - Use the application name as StartupWMClass in the desktop file. Along the change to nsAppRunner.cpp, this prevents e.g. GNOME Shell from making Firefox appear as Firefox ESR when both are used. - Remove Encoding key from desktop file. Closes: #812493 * debian/rules: Remove -fno-schedule-insns2 and add -fno-lifetime-dse when building with GCC6. * debian/rules, debian/control*: Build with GCC6 on arm*. Closes: #852009. AFAIK, that will lead to FTBFS on at least armhf, but let's already see how it goes. * debian/upstream.mk: Use pkg-info.mk to figure out source name and version. Closes: #850720. * debian/control*: - Remove build dependency and suggest on libgnome*. It hasn't actually been used for a long time. Closes: #850265. - Bump Standards-Version to 3.9.8. No changes required. - Bump libvpx build dependency. * debian/rules: Resize the symbolic icon. * Move the -l10n-all package to the metapackages section. Closes: #824784. * debian/browser.postrm.in, debian/browser.preinst.in, debian/rules: Don't install preinst and postrm at all for the firefox package. * debian/symbols.apt.conf, debian/symbols.mk, debian/symbols.sources.list: Add scripts to create symbols archive to upload to Mozilla crash servers. * debian/browser-dev.links.in, debian/browser.install.in, debian/browser.mozconfig.in, debian/control*, debian/make.mk, debian/rules: Add more granularity as to what system libraries are used and only disable NSPR/NSS until we have the right versions in Debian. . * gfx/2d/BorrowedContext.h, gfx/layers/composite/LayerManagerComposite.*, gfx/layers/moz.build: Fix --disable-skia builds. bz#1319374. * gfx/skia/moz.build: Build Skia NEON code on arm64. * toolkit/xre/nsAppRunner.cpp: Set program name from the remoting name. * config/recurse.mk: Work around race condition between building NSPR and NSS. bz#1115944, bz#1315882. . firefox (51.0-1) unstable; urgency=medium . * New upstream release. * Fixes for mfsa2017-01, also known as: CVE-2017-5375, CVE-2017-5376, CVE-2017-5377, CVE-2017-5378, CVE-2017-5379, CVE-2017-5380, CVE-2017-5390, CVE-2017-5389, CVE-2017-5396, CVE-2017-5381, CVE-2017-5382, CVE-2017-5383, CVE-2017-5384, CVE-2017-5385, CVE-2017-5386, CVE-2017-5391, CVE-2017-5393, CVE-2017-5387, CVE-2017-5388, CVE-2017-5374, CVE-2017-5373. . * debian/upstream.mk: Don't rely on FIREFOX_*_RELEASE tags to pull some files to determine all source urls. * debian/browser.bug-presubj.in: Add a note about submitting crash reports upstream and pasting the url to Debian bug reports. * debian/rules, debian/control*: Adjust rust build configure to new upstream. It requires rustc >= 1.10 and cargo, the latter of which is not available on arm64. Also depend on cargo >= 0.13, that doesn't access the network with the Cargo.toml files in the source. Note rust code is still not enabled unless building a beta release. * debian/control*: Bump nspr, nss and sqlite build dependencies. * debian/rules, debian/control: Use more embedded libraries until the required versions of NSPR and NSS can be in unstable. . * build/moz.configure/rust.configure: Force use the i686 rust target. * gfx/skia/skia/include/core/SkPreConfig.h: Generically set SK_CPU_[BL]ENDIAN based on __BYTE_ORDER__ when available. bz#1319389. . firefox (50.1.0-1) unstable; urgency=medium . * New upstream release. * Fixes for mfsa2016-95, also known as: CVE-2016-9894, CVE-2016-9899, CVE-2016-9895, CVE-2016-9896, CVE-2016-9897, CVE-2016-9898, CVE-2016-9900, CVE-2016-9904, CVE-2016-9901, CVE-2016-9902, CVE-2016-9903, CVE-2016-9080, CVE-2016-9893. . firefox (50.0.2-1) unstable; urgency=medium . * New upstream release. * Fixes for mfsa2016-{91-92}, also known as: CVE-2016-9078, CVE-2016-9079. . * widget/gtk/mozgtk/mozgtk.c: work around race in system Cairo's XShm usage. bz#1271100. . firefox (50.0-3) unstable; urgency=medium . * media/libjpeg/simd/jsimd_mips.c: Pull libjpeg-turbo upstream fix for FTBFS on mips. * widget/gtk/mozgtk/gtk3/moz.build: Work around Debian bug #844357. . firefox (50.0-2) unstable; urgency=medium . * debian/rules: Use mach to run icu_source_data.py. This should fix FTBFS on big endian platforms. . * js/src/jit/mips64/CodeGenerator-mips64.cpp: Fix CodeGenerator::visitAsmSelectI64. bz#1290811. . firefox (50.0-1) unstable; urgency=medium . * New upstream release. * Fixes for mfsa2016-{87,89} also known as: CVE-2016-5287, CVE-2016-5288, CVE-2016-5296, CVE-2016-5292, CVE-2016-5297, CVE-2016-9064, CVE-2016-9066, CVE-2016-9067, CVE-2016-9068, CVE-2016-9075, CVE-2016-9077, CVE-2016-5291, CVE-2016-9070, CVE-2016-9073, CVE-2016-9076, CVE-2016-9063, CVE-2016-9071, CVE-2016-5289, CVE-2016-5290. . * debian/rules: Only generate configure files on nightlies, and use client.mk to generate them instead of using autoconf manually (which, while compatible, is wrong nowadays). * debian/control*: - Remove outdated alternative build dependencies. - Bump sqlite and nss build dependency. - Add build dependency on libx11-xcb-dev. * debian/browser.mozconfig.in, debian/control*, debian/rules: Enable rust on non-release/ESR. * debian/browser.install.in: Add the EmojiOneMozilla font. . firefox (49.0-5) unstable; urgency=medium . * debian/rules: - Don't install crashreporter files on arm64, where it's not built. Should fix FTBFS on arm64. - Ship a symbolic icon from the silhouette icon from branding. Closes: #832297. - Remove old workaround for GCC 4.5 on armel. - Remove old workarounds for ia64. - Remove GENSYMBOLS_FLAGS, which hasn't been used for 5 years. - Remove CMP_AWK, which hasn't been used since xulrunner packages were removed. - Remove dh_builddeb override forcing xz compression, which is the default since dpkg 1.15.6. - Remove old workaround for ppc64. - Disable both baseline JIT and ion on mips via prefs. * debian/rules, debian/control: Re-enable Gtk+3 to see how it goes. Closes: #832301. . * security/sandbox/linux/SandboxFilter.cpp: Allow media plugins to call madvise with MADV_FREE. bz#1303813. Closes: #838911. * js/src/jit/AtomicOperations.h: Fix crashes in AtomicOperations-none on s390x. Should fix FTBFS on s390x. . firefox (49.0-4) unstable; urgency=medium . * debian/rules, dbeian/browser.install.in: Always install GMP clearkey. Should fix FTBFSes on non-x86/x86-64, this time. * debian/browser.js.in: Unset media.gmp-manager.url.override. Closes: #838902. * debian/compat, debian/control*: Bump debhelper compat and dependency to 9. * debian/rules, debian/control*: Generate debug symbols debs when not backporting. * debian/browser.install.in, browser.mozconfig.in, debian/rules: Don't disable the crash reporter. . firefox (49.0-3) unstable; urgency=medium . * debian/browser.desktop.in: Use the full path to the real Firefox executable in the .desktop file. Closes: #832298 . * toolkit/moz.configure: Ensure we don't enable Widevine unintentionally. bz#1299694. Should fix FTBFSes on non-x86/x86-64. . firefox (49.0-2) unstable; urgency=medium . * debian/rules, debian/control*: Only force GCC 5 on arm when building for stretch+. * debian/browser.mozconfig.in, debian/browser.install.in, debian/rules: Do not disable EME. Closes: #838478. * debian/rules, debian/browser.install.in: Build and use big-endian ICU data on big-endian architectures. Fixes FTBFS on big-endian architectures. . * build/autoconf/icu.m4: Allow to override ICU_DATA_FILE from the environment. * js/src/jit/mips-shared/MacroAssembler-mips-shared.cpp: OdinMonkey: MIPS: Fix nop-jump patching code. bz#1277478. Fixes FTBFS on mips*el. * media/libjpeg/moz.build: Fix CPU_ARCH test for libjpeg on mips. Fixes FTBFS on mips. . firefox (49.0-1) unstable; urgency=medium . * New upstream release. * Fixes for mfsa-2016-85, also known as: CVE-2016-2827, CVE-2016-5270, CVE-2016-5271, CVE-2016-5272, CVE-2016-5273, CVE-2016-5276, CVE-2016-5274, CVE-2016-5277, CVE-2016-5275, CVE-2016-5278, CVE-2016-5279, CVE-2016-5280, CVE-2016-5281, CVE-2016-5282, CVE-2016-5283, CVE-2016-5284, CVE-2016-5256, CVE-2016-5257. . * debian/control*, debian/rules: Compile with GCC 5 on testing/unstable on arm* because of crashes when building with GCC 6. (FTBFS) * debian/control*: Force build against libnss3-dev >= 2:3.26-2~, which fixed its symbols file. Closes: #833719. . * build/gyp.mozbuild: Disable libyuv assembly on mips64. (FTBFS) . firefox (48.0-2) unstable; urgency=medium . * debian/rules: Build with -fno-schedule-insns2 and -fno-delete-null-pointer-checks with GCC >= 6 because it miscompiles Firefox. Closes: #836533. . firefox (48.0-1) unstable; urgency=medium . * New upstream release. * Fixes for mfsa-2016-{62-68,70-81,83-84}, also known as: CVE-2016-2836, CVE-2016-2835, CVE-2016-2830, CVE-2016-2838, CVE-2016-2839, CVE-2016-5251, CVE-2016-5252, CVE-2016-0718, CVE-2016-5254, CVE-2016-5255, CVE-2016-5258, CVE-2016-5259, CVE-2016-5260, CVE-2016-5261, CVE-2016-5262, CVE-2016-2837, CVE-2016-5263, CVE-2016-5264, CVE-2016-5265, CVE-2016-5266, CVE-2016-5268, CVE-2016-5250. . * debian/control*: Bump nss and sqlite build dependencies. * debian/rules: Remove --build from configure invocation. * debian/browser.mozconfig.in: s/NATIVE/SYSTEM/. The variables set for --enable-system flags have changed upstream. * debian/browser.install.in, debian/browser.links.in: Don't install webapprt files, they are gone. * debian/browser.install.in: - Install ICU data file. - libfreebl3 changed name. - Take mozicon128.png from dist/firefox instead of dist/bin. . firefox (47.0.1-1) unstable; urgency=medium . * New upstream release. . firefox (47.0-1) unstable; urgency=medium . * New upstream release. * Fixes for mfsa-2016-{49-52,54,56-60}, also known as: CVE-2016-2815, CVE-2016-2818, CVE-2016-2819, CVE-2016-2821, CVE-2016-2822, CVE-2016-2825, CVE-2016-2828, CVE-2016-2829, CVE-2016-2831, CVE-2016-2832, CVE-2016-2833. . * debian/rules: Read default toolkit from old-configure.in, but still keep Gtk+3 disabled. * debian/upstream.mk: Use l10n_changesets.txt from last candidate build for L10N_REV. . firefox (46.0.1-1) unstable; urgency=medium . * New upstream release. . * debian/control*: Remove build dependencies that were only required for the iceweasel branding. * debian/control*, debian/browser.mozconfig.in: Remove configure flags and build dependencies related to gnomevfs. They have been ignored for close to a year. * debian/browser.mozconfig.in: - Remove configure flags explicitly enabling gio, it has been enabled by default for more than 3 years. - Remove --enable-svg, the option has been ignored for more than 5 years. - Remove --enable-mathml, the option has been ignored for more than 4 years. - Remove --enable-pango, the option has been ignored for 2 years. - Remove --disable-pedantic, the option has been ignored for 3 years. - Remove --disable-long-long-warning, the option has been ignored for almost 5 years. - Remove --disable-gnomeui, it is the default. - Remove --disable-mochitest, the option has been ignored for more than 7 years. - Remove --disable-debug, it is the default. - Remove --enable-canvas, the option has been ignored for more than 6 years. - Remove --disable-installer, the option has been ignored for close to 4 years. - Remove --disable-javaxpcom, the option has been ignored for close to 5 years. - Remove --disable-elf-dynstr-gc, the option has been ignored for more than 2 years. - Remove --enable-url-classifier, it is the default. - Remove --with-user-appdir=.mozilla, it is the default. - Remove --enable-single-profile, the option has been ignored for more than 7 years. - Remove --disable-profilesharing, the option has been ignored for more than 7 years. * debian/rules: Use the mach compare-locales command for l10n. * debian/upstream.mk, debian/watch: Remove "mozilla.org" from path in archive.mozilla.org urls. * debian/upstream.mk: Don't use get a separate source tarball for compare-locales. There is a copy in-tree that we now use. * debian/browser.desktop.in, debian/control*, debian/rules: Allow to distinguish between firefox and firefox-esr. Closes: #821952. * debian/control, debian/rules: Disable Gtk+3 for now. Closes: #822807. . firefox (46.0-1) unstable; urgency=medium . * New upstream release. * Fixes for mfsa2016-{39,42,44-48}, also known as: CVE-2016-2807, CVE-2016-2806, CVE-2016-2804, CVE-2016-2811, CVE-2016-2812, CVE-2016-2814, CVE-2016-2816, CVE-2016-2817, CVE-2016-2808, CVE-2016-2820. . * debian/browser.install.in: Add ffmpeg vp9 libraries. * debian/browser.lintian-overrides.in: Add a lintian override for libmozavutil.so, which is not exactly libavutil. * debian/control*: Bump nss and sqlite3 build dependencies. * debian/browser.mozconfig.in, debian/control*, debian/rules: Remove gstreamer dependencies and such, gstreamer support was removed upstream. firefox-esr (52.1.0esr-1) experimental; urgency=medium . * New upstream release. * Fixes for mfsa2017-12, also known as: CVE-2017-5433, CVE-2017-5435, CVE-2017-5436, CVE-2017-5459, CVE-2017-5466, CVE-2017-5434, CVE-2017-5432, CVE-2017-5460, CVE-2017-5438, CVE-2017-5439, CVE-2017-5440, CVE-2017-5441, CVE-2017-5442, CVE-2017-5464, CVE-2017-5443, CVE-2017-5444, CVE-2017-5446, CVE-2017-5447, CVE-2017-5465, CVE-2017-5448, CVE-2017-5454, CVE-2017-5455, CVE-2017-5456, CVE-2017-5469, CVE-2017-5445, CVE-2017-5449, CVE-2017-5451, CVE-2017-5462, CVE-2017-5467, CVE-2017-5430, CVE-2017-5429. firefox-esr (52.0.2esr-1) experimental; urgency=medium . * New upstream release. * debian/browser.mozconfig.in, debian/mls.key: Enable geolocation using Mozilla's Location Service. Closes: #726230. . * browser/app/profile/firefox.js: Use the Mozilla Location Service when the Google Key is not there. firefox-esr (52.0.1esr-1) experimental; urgency=medium . * New upstream release. * Fix for mfsa2017-08, also known as CVE-2017-5428. . * debian/browser.mozconfig.in: Build with --enable-alsa. Closes: #857281. firefox-esr (52.0esr-1) experimental; urgency=medium . * New upstream release. * Fixes for mfsa2017-05, also known as: CVE-2017-5400, CVE-2017-5401, CVE-2017-5402, CVE-2017-5403, CVE-2017-5404, CVE-2017-5406, CVE-2017-5407, CVE-2017-5410, CVE-2017-5408, CVE-2017-5412, CVE-2017-5413, CVE-2017-5414, CVE-2017-5415, CVE-2017-5416, CVE-2017-5417, CVE-2017-5426, CVE-2017-5427, CVE-2017-5418, CVE-2017-5419, CVE-2017-5420, CVE-2017-5405, CVE-2017-5421, CVE-2017-5422, CVE-2017-5399, CVE-2017-5398. . * debian/control*: - Bump nss and sqlite build dependencies. - Build depend on libjsoncpp-dev. * debian/rules: - Update ICU_DATA_FILE version. - Don't build against system sqlite until we have the right version in Debian. * debian/browser.lintian-overrides.in: Add a lintian override for NSPR and NSS. * debian/browser.install.in: - Install chrome.manifest, libmozsandbox.so and minidump-analyzer. - Remove browser/components. . * browser/installer/allowed-dupes.mn, toolkit/mozapps/installer/find-dupes.py, toolkit/mozapps/installer/packager.mk: Preprocess find-dupes exception list. bz#1315309. * config/system-headers, toolkit/crashreporter/jsoncpp/src/lib_json/moz.build, toolkit/crashreporter/minidump-analyzer/moz.build: Build against system libjsoncpp. firefox-esr (45.9.0esr-1) unstable; urgency=medium . * New upstream release. * Fixes for mfsa2017-11, also known as: CVE-2017-5433, CVE-2017-5435, CVE-2017-5436, CVE-2017-5459, CVE-2017-5434, CVE-2017-5432, CVE-2017-5460, CVE-2017-5438, CVE-2017-5439, CVE-2017-5440, CVE-2017-5441, CVE-2017-5442, CVE-2017-5464, CVE-2017-5443, CVE-2017-5444, CVE-2017-5446, CVE-2017-5447, CVE-2017-5465, CVE-2017-5448, CVE-2017-5469, CVE-2017-5445, CVE-2017-5462, CVE-2017-5429. . * accessible/generic/ApplicationAccessible.h: Add missing null checks causing crashes with accessibility. Closes: #852149. flightgear (3.0.0-5+deb8u3) jessie; urgency=high . [ Florent Rougon ] * Add two patches for CVE-2017-13709: - call-fgInitAllowedPaths-earlier-c7a2ae.patch (required by the next patch) - CVE-2017-13709-FGLogger-2a5e3d.patch Closes: #873439. . [ Markus Wanner ] * Massage patch meta information to fit DEP-3. fontforge (20120731.b-5+deb8u1) jessie-security; urgency=high . * Import upstream patches fixing following CVE's CVE-2017-11577, CVE-2017-11576, CVE-2017-11575, CVE-2017-11574, CVE-2017-11572, CVE-2017-11571, CVE-2017-11569, CVE-2017-11568. freeradius (2.2.5+dfsg-0.2+deb8u1) jessie-security; urgency=high . * Apply upstream patches: fr-ad-001.patch fr-gv-201.patch (CVE-2017-10978) fr-gv-202.patch (CVE-2017-10979) fr-gv-203.patch (CVE-2017-10980) fr-gv-204.patch (CVE-2017-10981) fr-gv-205.patch (CVE-2017-10982) fr-gv-206.patch (CVE-2017-10983) fr-gv-207.patch (Closes: #868765) freexl (1.0.0g-1+deb8u4) jessie-security; urgency=high . * Add upstream patch to fix CVE-2017-2923 & CVE-2017-2924. (closes: #875690, #875691) gajim (0.16-1+deb8u2) jessie-security; urgency=high . * Non-maintainer upload by the Security Team. * CVE-2016-10376: XEP-0146 extension can be abused by malicious XMPP servers. Add config option to activate XEP-0146 commands. (Closes: #863445) gdk-pixbuf (2.31.1-2+deb8u6) jessie-security; urgency=medium . * CVE-2017-2862 (Closes: #874552) gdk-pixbuf (2.31.1-2+deb8u5+kbsd8u2) jessie-kfreebsd; urgency=medium . * Upload to jessie-kfreebsd gdk-pixbuf (2.31.1-2+deb8u5+kbsd8u1) jessie-kfreebsd; urgency=medium . * Upload to jessie-kfreebsd ghostscript (9.06~dfsg-2+deb8u6) jessie-security; urgency=high . * Non-maintainer upload by the Security Team. * Bounds check the array allocations methods (CVE-2017-9835) (Closes: #869907) * Bounds check zone pointer in Ins_MIRP() (CVE-2017-9611) (Closes: #869917) * Bounds check zone pointers in Ins_IP() (CVE-2017-9612) (Closes: #869916) * Bounds check zone pointer in Ins_MDRP (CVE-2017-9726) (Closes: #869915) * Make bounds check in gx_ttfReader__Read more robust (CVE-2017-9727) (Closes: #869913) * Bounds check Ins_JMPR (CVE-2017-9739) (Closes: #869910) * Prevent trying to reloc a freed object (CVE-2017-11714) (Closes: #869977) git (1:2.1.4-2.1+deb8u5) jessie-security; urgency=high . * Fix remote shell command execution via CVS protocol: - git-shell: drop cvsserver support by default - git-cvsserver: harden backtick captures against user input * Avoid shell command injection in other commands as well: - git-cvsimport: harden backtick captures against user input - git-archimport: harden backtick captures against user input . Thanks to joernchen of Phenoelit for discovering, reporting, and fixing this vulnerability, and to Junio C Hamano and Jeff King for the fixes to related issues. git (1:2.1.4-2.1+deb8u4) jessie-security; urgency=high . * Fix CVE-2017-1000117, arbitrary code execution issues via URLs: - reject ssh hostname that begins with a dash - add test for hostname starting with dash to the testsuite - factor out "looks like command line option" check - reject dashed arguments to $GIT_PROXY_COMMAND - ssh:// and local URLs: reject path to repositories that look like command line options . Thanks to Joern Schneeweisz of Recurity Labs for discovering this vulnerability, Brian Neel at GitLab for reporting it to the Git project, and Junio Hamano and Jeff King for writing the patches to address it. gnupg (1.4.18-7+deb8u4) jessie-security; urgency=high . * Backport fixes for CVE-2017-7526 from STABLE-BRANCH-1-4 branch gsoap (2.8.17-1+deb8u1) jessie; urgency=medium . * Fix for CVE-2017-9765 Integer overflow in the soap_get function in Genivia gSOAP 2.7.x and 2.8.x before 2.8.48, allows remote attackers to execute arbitrary code or cause a denial of service (stack-based buffer overflow and application crash) via a large XML document. hexchat (2.10.1-1+deb8u2) jessie; urgency=medium . * Fix segfault on /server, by adding missing braces around an `if`. (Closes: #779892) icu (52.1-8+deb8u6) jessie; urgency=high . * Backport upstream security fix for CVE-2017-14952: double free in createMetazoneMappings() (closes: #878840). imagemagick (8:6.8.9.9-5+deb8u11) jessie-security; urgency=medium . * Multiple security fixes CVE-2017-12983 (Closes: #873134) CVE-2017-13134 (Closes: #873099) CVE-2017-13769 (Closes: #878507) CVE-2017-14224 (Closes: #876097) CVE-2017-14607 (Closes: #878527) CVE-2017-14682 (Closes: #876488) CVE-2017-14989 (Closes: #878562) CVE-2017-15277 (Closes: #878578) CVE-2017-11352 (Closes: #868469) CVE-2017-11640 (Closes: #870067) CVE-2017-12431 (Closes: #869715) CVE-2017-12640 (Closes: #870106) CVE-2017-13139 (Closes: #870109) CVE-2017-13144 (Closes: #869728) CVE-2017-13758 (Closes: #878508) CVE-2017-16546 (Closes: #881392) CVE-2017-12877 (Closes: #872373) imagemagick (8:6.8.9.9-5+deb8u10) jessie-security; urgency=high . * Fix security bugs: + Previous CVE-2017-9144 fix was incomplete. A crafted RLE image can trigger a crash because of incorrect EOF handling in coders/rle.c (Closes: #863126) + CVE-2017-10928: A heap-based buffer over-read in the GetNextToken function in token.c allows remote attackers to obtain sensitive information from process memory or possibly have unspecified other impact via a crafted SVG document that is mishandled in the GetUserSpaceCoordinateValue function in coders/svg.c. (Closes: #867367). + CVE-2017-9500: An assertion failure was found in the function ResetImageProfileIterator, which allows attackers to cause a denial of service via a crafted file. (Closes: #867778). + CVE-2017-9501: An assertion failure was found in the function LockSemaphoreInfo, which allows attackers to cause a denial of service via a crafted file. (Closes: #867721). + CVE-2017-9440: A memory leak was found in the function ReadPSDChannel in coders/psd.c, which allows attackers to cause a denial of service via a crafted file. (Closes: 864273). + CVE-2017-9439: A memory leak was found in the function ReadPDBImage in coders/pdb.c, which allows attackers to cause a denial of service via a crafted file. (Closes: #864274). + CVE-2017-11188: CPU exhaustion in ReadDPXImage Because dpx.file.image_offset is a unsigned int, it can be controlled as large as 4294967295. This will cause ImageMagick spend a lot of time to process a crafted DPX imagefile, even if the imagefile is very small. (Closes: #867806) + CVE-2017-11141: memory exhaustion in ReadMATImage When identify MAT file, imagemagick will allocate memory to store data in function ReadMATImage. Modifying MAT's MATLAB_HDR field can cause ImageMagick to allocate a anysize amount of memory, this may cause a memory exhaustion (Closes: #868264) + CVE-2017-11170: memory exhaustion in ReadTGAImage When identify VST file, imagemagick will allocate memory to store data in function ReadTGAImage in coders/tga.c using tga_info.bits_per_pixel field diretly from VST file without checking in tga.c By review the founction code, tga_info.bits_per_pixel max valid value is 32. On 32bit os, size_t one will be 32bit, so image->colors can be overflow to 0. On 64bit os, size_t one will be 64bit, so image->colors can be large as 0x100000000(64GB). (Closes: #868184) + Memory exhaustion in ReadCINImage When identify CIN file that contains User defined data, imagemagick will allocate memory to store the data in function ReadCINImage in coders\inc.c There is a security checking in the function SetImageExtent, but it after memory allocation, so IM can not control the memory usage (Closes: #867810) + CPU exhaustion in ReadRLEImage A corrupted rle file could trigger a DOS (Closes: #867808) + Memory leak in ReadDIBImage in dib.c The ReadDIBImage function in dib.c allows attackers to cause a denial of service (memory leak) via a small crafted dib file. (Closes: #867811) + Memory exhaustion in ReadDPXImage in dpx.c When identify DPX file that contains user header data, imagemagick will allocate memory to store the data in function ReadDPXImage in coders\dpx.c There is a security checking in the function SetImageExtent, but it is too late, so IM can not control the memory usage. (Closes: #867812) + Enable heap overflow check for stdin for mpc files Enabling seekable streams is required to ensure checking the blob size works when an image is streamed on stdin. (Closes: #867896) + Assertion failure in WriteBlob A crafted file revealed an assertion failure in blob.c. (Closes: #867798) + Memory exhaustion in ReadEPTImage in ept.c When identify EPT file , imagemagick will allocate memory to store the data. There is a security checking in the function SetImageExtent, but it is not used in the allocation function, so IM can not control the memory usage. (Closes: #867821) + CPU exhaustion in ReadOneJNGImage Due to lack of validation of PNG format, imagemagick could loop 2^32 in a CPU intensive loop. (Closes: #867824, #867825). + CPU exhaustion in ReadOneDJVUImag Due to lack of format validation, a crafted file will cause a loop to run endless. (Closes: #867826). + Zero pixel buffer Avoid a data leak in case of incorrect file by clearing a buffer (Closes: #867893). + memory leak in ReadMATImage in mat.c The ReadMATImage function in mat.c allows attackers to cause a denial of service (memory leak) via a small crafted mat file. (Closes: #867823). + Avoid heap based overflow for jpeg A corrupted jpeg file could trigger an heap overflow (Closes: #867894). + Fix a memory leak in screenshot coder (Closes: #867897) + CVE-2017-9409: Memory leak in the icon file coder. (Closes: #864087) + CVE-2017-9407: the ReadPALMImage function in palm.c allows attackers to cause a denial of service (memory leak) via a crafted file. (Closes: #864089). + CVE-2017-9409: the ReadMPCImage function in mpc.c allows attackers to cause a denial of service (memory leak) + CVE-2017-9262: Memory leak in the ReadJNGImage function (Closes: #863834). + CVE-2017-9261: Memory leak in the ReadMNGImage function (Closes: #863833). ioquake3 (1.36+u20140802+gca9eebb-2+deb8u2) jessie-security; urgency=medium . * Add patch from upstream: + Address read buffer overflow in MSG_ReadBits (CVE-2017-11721) (Closes: #870725) + Check buffer boundary exactly in MSG_WriteBits, instead of potentially failing with a few bytes still available irssi (0.8.17-1+deb8u5) jessie-security; urgency=high . * Non-maintainer upload by the Security Team. * Address IRSSI-SA-2017-07. - CVE-2017-10965: NULL pointer dereference when receiving messages with invalid timestamp. - CVE-2017-10966: Use after free after nicklist structure has been corrupted while updating a nick group. (Closes: #867598) * Address IRSSI-SA-2017-10. - CVE-2017-15228: Unterminated colour formatting sequences may cause data access beyond the end of the buffer. - CVE-2017-15227: Failure to remove destroyed channels from the query list while waiting for the channel synchronisation may result in use after free conditions when updating the state later on. - CVE-2017-15721: Certain incorrectly formatted DCC CTCP messages could cause NULL pointer dereference. - CVE-2017-15723: Overlong nicks or targets may result in a NULL pointer dereference while splitting the message. - CVE-2017-15722: Read beyond end of buffer may occur if a Safe channel ID is not long enough. (Closes: #879521) jackson-databind (2.4.2-2+deb8u2) jessie-security; urgency=high . * Team upload * CVE-2017-15095: incomplete fixes for CVE-2017-7525 jackson-databind (2.4.2-2+deb8u1) jessie-security; urgency=high . * Team upload. * Fix CVE-2017-7525: Deserialization vulnerability via readValue method of ObjectMapper. (Closes: #870848) kdepim (4:4.14.1-1+deb8u1) jessie; urgency=high . * Team upload. * Fix CVE-2017-9604: Send Later with Delay bypasses OpenPGP (Closes: #864804) - Added upstream patch 78c5552be2f00a4ac25bd77ca39386522fca70a8 in file fix-CVE-2017-9604.patch - Added upstream patch c54706e990bbd6498e7b1597ec7900bc809e8197 in file fix-CVE-2017-9604.p2.patch (nowadays messagelib) kedpm (1.0+deb8u1) jessie; urgency=high . * CVE-2017-8296: fix information leak via command history file (Closes: #860817) keyringer (0.3.7-1+deb8u1) jessie-proposed-updates; urgency=medium . * debian/patches backported from version 0.5.0 * Handle subkeys without expiration date (Closes: #847963) * Handle public keys listed multiple times (Closes: #847964) konversation (1.5-2+deb8u1) jessie-security; urgency=high . * Non-maintainer upload by the Security Team. * CVE-2017-15923: Crash in parsing IRC color formatting codes (Closes: #881586) krb5 (1.12.1+dfsg-19+deb8u4) jessie; urgency=medium . * New version number; same code as deb8u3 but rebuilt to build arch all packages and because dgit doesn't deal well with reusing a version number when a package is rejected libav (6:11.11-1~deb8u1) jessie-security; urgency=medium . * Non-maintainer upload by the Security Team. * New upstream release fixing multiple security issues. - dfa: Disallow odd width/height and add proper bounds check for DDS1 chunks (CVE-2017-9992) - pictor: Correctly check frame dimensions (CVE-2017-7862) - h264_cavlc: check the value of run_before - dvbsubdec: improve error checking - dvbsubdec: Fixed segfault when decoding subtitles - rmdec: don't ignore the return value of av_get_packet() - caf: add an Opus tag - yadif: Account for the buffer alignment while processing the frame edges - mov: log and return early on non-positive stsd entry counts - arm: Fix SIGBUS on ARM when compiled with binutils 2.29 - smacker: return meaningful error codes on failure - smacker: fix integer overflow with pts_inc - mm: Skip unexpected audio packets - aacsbr: Turnoff in the event of over read. - smacker: Check that the data size is a multiple of a sample vector (CVE-2015-8365) - build: Add an option for passing linker flags to the shared library build - flv: Validate the packet size - mjpeg: Report non-3 component rgb lossless as not supported - vc1dec: raise an error if sprite picture data is missing - doc: Drop the legacy symlink to README libdatetime-timezone-perl (1:1.75-2+2017c) jessie; urgency=medium . * Update to Olson database version 2017c. This update contains contemporary changes for Northern Cyprus, Fiji, Namibia, Sudan, Tonga, and Turks & Caicos. libdbi (0.9.0-4+deb8u1) jessie; urgency=medium . * Backport fix to re-enable a call to _error_handler() that was commented out for no obvious reason in dbi_result_next_row() . libembperl-perl (2.5.0-4+deb8u1) jessie; urgency=medium . [ Axel Beckert ] * Change hard dependency on mod_perl in zembperl.load to Recommends. mod_perl is not required, and is enabled by default anyway if it is installed. This change matches the package dependencies and fixes an installation failure when libapache2-mod-perl2 is not installed. (Closes: #810655) libgd2 (2.1.0-5+deb8u11) jessie-security; urgency=high . * Non-maintainer upload by the Security Team. * CVE-2017-6362: Double-free in gdImagePngPtr() libgd2 (2.1.0-5+deb8u10) jessie-security; urgency=high . * Non-maintainer upload by the Security Team. * CVE-2017-7890: Fix unitialized memory read vulnerability in GIF reading (Closes: #869263) libidn2-0 (0.10-2+deb8u1) jessie-security; urgency=high . * CVE-2017-14062: Fix integer overflow in decode_digit (Closes: #873902) * Add myself to Uploaders: * Update d/gbp.conf for jessie updates libio-socket-ssl-perl (2.002-2+deb8u3) jessie; urgency=medium . * Fix segfault using malformed client certificates (Closes: #881711) liblouis (2.5.3-3+deb8u1) jessie; urgency=medium . * Apply RedHat's patch to fix CVE-2014-8184 (Closes: Bug#880621). * Fix RedHat's patch. libmspack (0.5-1+deb8u1) jessie-security; urgency=high . * Non-maintainer upload. * Correct rejection of empty strings. * Fix mis-handling of sys->read() errors in cabd_read_string() (CVE-2017-11423) (Closes: #868956). * Reject negative output length in SpanInfo (CVE-2017-6419) (Closes: #871263). libofx (1:0.9.10-1+deb8u1) jessie; urgency=medium . * Add upstream patches to fix: - CVE-2017-2816 (Closes: #875801). - CVE-2017-14731 (Closes: #877442). libpam4j (1.4-2+deb8u1) jessie-security; urgency=high . * Team upload. * Fix CVE-2017-12197 (Closes: #879001): It was discovered that libpam4j does not call pam_acct_mgmt(). As a consequence, the PAM account is not properly verified. Any user with a valid password but with deactivated or disabled account was able to log in. libraw (0.16.0-9+deb8u3) jessie-security; urgency=high . * debian/patches/: patchset updated - 0003-Fix_CVE-2017-6886.patch added | CVE-2017-6886, CVE-2017-6887: | Fix various buffer overflows that can be exploited | via crafted input files. Thanks to Emilio Pozuelo Monfort (pochu) for the patch. libreoffice (1:4.3.3-2+deb8u9) jessie-security; urgency=medium . * debian/patches/CVE-2017-1260{6,7}.diff: don't create empty test files * debian/patches/CVE-2017-12608.diff: remove filters-test.cxx hunk libreoffice (1:4.3.3-2+deb8u8) jessie-security; urgency=medium . * debian/rules: - make i386 make check notfatal for now given the i386 Java Stack Clash regression * debian/patches/CVE-2017-12607.diff, debian/patches/CVE-2017-12608.diff. debian/patches/series: apply patches for above CVEs libsoup2.4 (2.48.0-1+deb8u1) jessie-security; urgency=high . * Non-maintainer upload by the Security Team. * Fix chunked decoding buffer overrun (CVE-2017-2885) libspring-ldap-java (1.3.1.RELEASE-5+deb8u1) jessie-security; urgency=high . * Team upload. * Fix CVE-2017-8028: Tobias Schneider discovered that Spring-LDAP would allow authentication with an arbitrary password when the username is correct, no additional attributes are bound and when using LDAP BindAuthenticator with DefaultTlsDirContextAuthenticationStrategy as the authentication strategy and setting userSearch. This occurs because some LDAP vendors require an explicit operation for the LDAP bind to take effect. libwnckmm (0.1.1-1+deb8u1) jessie; urgency=medium . * Make libwnckmm-1.0-0-dev depend on the same version of libwnckmm-1.0-0. (closes: #796530) * Use jquery.js from libjs-jquery. libwpd (0.10.0-2+deb8u1) jessie; urgency=medium . * debian/patches/libwpd-tdf112269.diff: backport patch to fix CVE-2017-14226 (closes: #876001) libx11 (2:1.6.2-3+deb8u1) jessie; urgency=medium . * Insufficient validation of data from the X server can cause out of boundary memory read (XGetImage()) or write (XListFonts()). Addresses CVE-2016-7942 and CVE-2016-7943. libxfixes (1:5.0.1-2+deb8u1) jessie; urgency=high . * Integer overflow on illegal server response (CVE-2016-7944) libxfont (1:1.5.1-1+deb8u1) jessie-security; urgency=high . * Check for end of string in PatternMatch (CVE-2017-13720) * pcfGetProperties: Check string boundaries (CVE-2017-13722) libxi (2:1.7.4-1+deb8u1) jessie; urgency=medium . * Insufficient validation of data from the X server can cause out of boundary memory access or endless loops. Addresses CVE-2016-7945 and CVE-2016-7946. libxml-libxml-perl (2.0116+dfsg-1+deb8u2) jessie-security; urgency=high . * Team upload. * CVE-2017-10672: Use-after-free by controlling the arguments to a replaceChild call (Closes: #866676) libxml2 (2.9.1+dfsg1-5+deb8u5) jessie-security; urgency=high . * Non-maintainer upload by the Security Team. * Increase buffer space for port in HTTP redirect support (CVE-2017-7376) Incorrect limit was used for port values. (Closes: #870865) * Prevent unwanted external entity reference (CVE-2017-7375) Missing validation for external entities in xmlParsePEReference. (Closes: #870867) * Fix handling of parameter-entity references (CVE-2017-9049, CVE-2017-9050) - Heap-based buffer over-read in function xmlDictComputeFastKey (CVE-2017-9049). - Heap-based buffer over-read in function xmlDictAddString (CVE-2017-9050). (Closes: #863019, #863018) * Fix buffer size checks in xmlSnprintfElementContent (CVE-2017-9047, CVE-2017-9048) - Buffer overflow in function xmlSnprintfElementContent (CVE-2017-9047). - Stack-based buffer overflow in function xmlSnprintfElementContent (CVE-2017-9048). (Closes: #863022, #863021) * Fix type confusion in xmlValidateOneNamespace (CVE-2017-0663) Heap buffer overflow in xmlAddID. (Closes: #870870) libxrandr (2:1.4.2-1+deb8u1) jessie; urgency=medium . * Avoid out of boundary accesses on illegal responses. Addresses CVE-2016-7947 and CVE-2016-7948. libxtst (2:1.2.2-1+deb8u1) jessie; urgency=medium . * Insufficient validation of data from the X server can cause out of boundary memory access or endless loops. Addresses CVE-2016-7951 and CVE-2016-7952. libxv (2:1.0.10-1+deb8u1) jessie; urgency=high . * Protocol handling issues in libXv (CVE-2016-5407) libxvmc (2:1.0.8-2+deb8u1) jessie; urgency=medium . * Avoid buffer underflow on empty strings (CVE-2016-7953) linux (3.16.51-2) jessie; urgency=medium . * [mips*] inst: Avoid ABI change in 3.16.51 linux (3.16.51-1) jessie; urgency=medium . * New upstream stable update: https://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.16.49 - sched/topology: Refactor function build_overlap_sched_groups() - sched/topology: Fix building of overlapping sched-groups - sched/topology: Fix overlapping sched_group_mask - sched/topology: Fix overlapping sched_group_capacity - mwifiex: fixup error cases in mwifiex_add_virtual_intf() - f2fs: load inode's flag from disk - f2fs: try to freeze in gc and discard threads - [arm64] Preventing READ_IMPLIES_EXEC propagation - [x86] drm/i915: Workaround VLV/CHV DSI scanline counter hardware fail - mceusb: fix memory leaks in error path - [x86] kvm: vmx: Do not disable intercepts for BNDCFGS - [x86] kvm: Guest BNDCFGS requires guest MPX support - [x86] kvm: vmx: Check value written to IA32_BNDCFGS - e1000e: Fix Runtime PM blocks EEE link negotiation in S5 - e1000e: Undo e1000e_pm_freeze if __e1000_shutdown fails - perf/core: Correct event creation with PERF_FORMAT_GROUP - Bluetooth: use constant time memory comparison for secret values - vxlan: dont migrate permanent fdb entries during learn - usb: usbip: set buffer pointers to NULL after free - usb: Fix typo in the definition of Endpoint[out]Request - PCI: Correct PCI_STD_RESOURCE_END usage - md: don't use flush_signals in userspace processes - udf: Fix races with i_size changes during readpage - udf: Fix deadlock between writeback and udf_setsize() - NFC: fix broken device allocation - ASoC: compress: Derive substream from stream based on direction - Btrfs: skip commit transaction if we don't have enough pinned bytes - [x86] xhci: Limit USB2 port wake support for AMD Promontory hosts - [x86] nmi: Fix timeout test in test_nmi_ipi() - Btrfs: fix invalid extent maps due to hole punching - iwlwifi: mvm: fix the recovery flow while connecting - staging: comedi: fix clean-up of comedi_class in comedi_init() - [s390*] af_iucv: Move sockaddr length checks to before accessing sa_family in bind and connect handlers - scsi: virtio_scsi: let host do exception handling - scsi: bnx2i: missing error code in bnx2i_ep_connect() - [mips*] Bail on unsupported module relocs - [mips*] module: Ensure we always clean up r_mips_hi16_list - [mips*] Fix mips_atomic_set() retry condition - [mips*] Save static registers before sysmips - ath9k: fix tx99 use after free - ath9k: fix tx99 bus error - libertas: Fix lbs_prb_rsp_limit_set() - vfio: Fix group release deadlock - vfio: New external user group/file match - [x86] PCI: Mark Haswell Power Control Unit as having non-compliant BARs - [x86] PCI: Work around poweroff & suspend-to-RAM issue on Macbook Pro 11 - PM / Domains: Fix unsafe iteration over modified list of device links - [mips*] math-emu: Prevent wrong ISA mode instruction emulation - [mips*] Actually decode JALX in `__compute_return_epc_for_insn' - [mips*] Fix unaligned PC interpretation in `compute_return_epc' - [mips*] Send SIGILL for BPOSGE32 in `__compute_return_epc_for_insn' - Add USB quirk for HVR-950q to avoid intermittent device resets - [arm64] ptrace: Avoid setting compat FP[SC]R to garbage if get_user fails - mwifiex: do not update MCS set from hostapd - PCI/PM: Restore the status of PCI devices across hibernation - scsi: ses: do not add a device to an enclosure if enclosure_add_links() fails. - scsi: Add STARGET_CREATED_REMOVE state to scsi_target_state - ipv6: always add flag an address that failed DAD with DADFAILED - ipv6: dad: don't remove dynamic addresses if link is down - [x86] xen: allow userspace access during hypercalls - [x86] drm/i915: Disable MSI for all pre-gen5 - RDMA/uverbs: Check port number supplied by user verbs cmds - net: reflect mark on tcp syn ack packets - [s390*] syscalls: Fix out of bounds arguments access - CIFS: fix circular locking dependency - tpm: fix a kernel memory leak in tpm-sysfs.c - target: Fix COMPARE_AND_WRITE caw_sem leak during se_cmd quiesce - cfg80211: Check if PMKID attribute is of expected size - cfg80211: Define nla_policy for NL80211_ATTR_LOCAL_MESH_POWER_MODE - cfg80211: Validate frequencies nested in NL80211_ATTR_SCAN_FREQUENCIES - [x86] drm/radeon: Fix eDP for single-display iMac10,1 (v2) - mm/mmap.c: do not blow on PROT_NONE MAP_FIXED holes in the stack (Closes: #865416) - fs/dcache.c: fix spin lockup issue on nlru->lock - [powerpc*] asm: Mark cr0 as clobbered in mftb() - [mips*] Negate error syscall return in trace - iscsi-target: Add login_keys_workaround attribute for non RFC initiators - [powerpc*] Fix emulation of mfocrf in emulate_step() - [powerpc*/*64*] Fix atomic64_inc_not_zero() to return an int - PM / QoS: return -EINVAL for bogus strings - Input: i8042 - fix crash at boot time - sysctl: fix lax sysctl_check_table() sanity check - sunrpc: use constant time memory comparison for mac - ubifs: Correctly evict xattr inodes - ubifs: Don't leak kernel memory to the MTD - mm: fix overflow check in expand_upwards() - reiserfs: preserve i_mode if __reiserfs_set_acl() fails - jfs: preserve i_mode if __jfs_set_acl() fails - f2fs: preserve i_mode if __f2fs_set_acl() fails - btrfs: preserve i_mode if __btrfs_set_acl() fails - saa7164: fix double fetch PCIe access condition (CVE-2017-8831) - l2tp: avoid use-after-free caused by l2tp_ip_backlog_recv - net/route: enforce hoplimit max value - ipv4/fib: don't warn when primary address is missing if in_dev is dead - net_dbg_ratelimited: turn into no-op when !DEBUG - net: Implement net_dbg_ratelimited() for CONFIG_DYNAMIC_DEBUG case - net: Don't forget pr_fmt on net_dbg_ratelimited for CONFIG_DYNAMIC_DEBUG - net sched filters: fix notification of filter delete with proper handle - Revert "ACPI / EC: Add support to disallow QR_EC to be issued before completing previous QR_EC" - drm/irq: BUG_ON() -> WARN_ON() - [x86] efi: Avoid triple faults during EFI mixed mode calls - [armhf] usb: musb: cppi41: correct the macro name EP_MODE_AUTOREG_* - [armhf] usb: musb: cppi41: improve rx channel abort routine - v4l2-dv-timings.h: fix polarity for 4k formats - Input: ads7846 - correct the value got from SPI - Btrfs: don't use src fd for printk - [armhf] serial: samsung: Reorder the sequence of clock control when call s3c24xx_serial_set_termios() - misc: ad525x_dpot: Fix the enabling of the "otpXen" attributes - [x86] perf: Honor the architectural performance monitoring version - [i386] perf: Fix undefined shift on 32-bit kernels - [powerpc*] macintosh/therm_windtunnel: Export I2C module alias information - [arm64] Rework valid_user_regs - mm/swap.c: flush lru pvecs on compound page arrival - [s390*] seccomp: fix error return for filtered system calls - mm: thp: fix SMP race condition between THP page fault and MADV_DONTNEED - PCI: Support PCIe devices with short cfg_size - PCI: Limit config space size for Netronome NFP6000 family - PCI: Limit config space size for Netronome NFP4000 - [x86] netvsc: fix incorrect receive checksum offloading - fs/cifs: make share unaccessible at root level mountable - cifs: Fix memory leaks in cifs_do_mount() - cifs: Compare prepaths when comparing superblocks - cifs: Move check for prefix path to within cifs_get_root() - cifs: Fix regression which breaks DFS mounting - cifs: Fix match_prepath() - sched: move no_new_privs into new atomic flags - sched: fix confusing PFA_NO_NEW_PRIVS constant - sched: add macros to define bitops for task atomic flags - cpuset: PF_SPREAD_PAGE and PF_SPREAD_SLAB should be atomic flags - dm: flush queued bios when process blocks to avoid deadlock https://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.16.50 - fuse: initialize the flock flag in fuse_file on allocation - md: Raid5 should update rdev->sectors after reshape - net: bridge: fix dest lookup when vlan proto doesn't match - net/packet: Fix Tx queue selection for AF_PACKET - usb: storage: return on error to avoid a null pointer dereference - libceph: potential NULL dereference in ceph_msg_data_create() - ASoC: do not close shared backend dailink - [x86] drm/vmwgfx: Fix gcc-7.1.1 warning - netfilter: ipt_CLUSTERIP: fix use-after-free of proc entry - libata: array underflow in ata_find_dev() - workqueue: restore WQ_UNBOUND/max_active==1 to be ordered - nfs: mount: copy the port field into the cloned nfs_server structure. - [x86] acpi: Prevent out of bound access caused by broken ACPI tables - [armel,armhf] kexec: Make .text R/W in machine_kexec - [armel,armhf] kexec: fix failure to boot crash kernel - xhci: Fix NULL pointer dereference when cleaning up streams for removed host - xhci: Bad Ethernet performance plugged in ASM1042A host - xhci: fix 20000ms port resume timeout - xhci: fix memleak in xhci_run() - tracing: Fix kmemleak in instance_rmdir - cxgb4: Fix error codes in c4iw_create_cq() - IB/cxgb3: Fix error codes in iwch_alloc_mr() - RDMA/ocrdma: Fix an error code in ocrdma_alloc_pd() - RDMA/ocrdma: Fix error codes in ocrdma_create_srq() - IB/cma: Fix a race condition in iboe_addr_get_sgid() - IB/cma: Fix reference count leak when no ipv4 addresses are set - RDMA/uverbs: Fix the check for port number - RDMA/core: Initialize port_num in qp_attr - ipv4: initialize fib_trie prior to register_netdev_notifier call. - perf/core: Fix locking for children siblings group read - iwlwifi: dvm: prevent an out of bounds access - IB/ipoib: Prevent setting negative values to max_nonsrq_conn_qp - IB/ipoib: Set IPOIB_NEIGH_TBL_FLUSH after flushed completion initialization - IB/ipoib: Remove double pointer assigning - [powerpc*] KVM: Book3S HV: Enable TM before accessing TM registers - [x86] kprobes: Release insn_slot in failure path - md/raid5: add thread_group worker async_tx_issue_pending_all - workqueue: implicit ordered attribute should be overridable - [powerpc*] pseries: Fix of_node_put() underflow during reconfig remove - media: lirc: LIRC_GET_REC_RESOLUTION should return microseconds - [x86] iommu/amd: Fix schedule-while-atomic BUG in initialization code - [powerpc*] mm/hash: Free the subpage_prot_table correctly - sctp: don't dereference ptr before leaving _sctp_walk_{params, errors}() - sctp: fix the check for _sctp_walk_params and _sctp_walk_errors - net/mlx5: Fix command bad flow on command entry allocation failure - USB: hcd: Mark secondary HCD as dead if the primary one died - batman-adv: fix TT sync flag inconsistencies - iwlwifi: mvm: set the RTS_MIMO_PROT bit in flag mask when sending sta to fw - USB: serial: option: add D-Link DWM-222 device ID - [x86] KVM: async_pf: make rcu irq exit if not triggered from idle task - net/mlx4_en: Fix wrong indication of Wake-on-LAN (WoL) support - ocfs2: don't clear SGID when inheriting ACLs - ipv6: set rt6i_protocol properly in the route when it is installed - RDMA/uverbs: Prevent leak of reserved field - IB/uverbs: Fix device cleanup - ext4: fix SEEK_HOLE/SEEK_DATA for blocksize < pagesize - ext4: fix overflow caused by missing cast in ext4_resize_fs() - iscsi-target: Fix iscsi_np reset hung task during parallel delete - [s390*] qeth: fix L3 next-hop in xmit qeth hdr - scsi: st: fix blk_get_queue usage - net: reduce skb_warn_bad_offload() noise - net: skb_needs_check() accepts CHECKSUM_NONE for tx - net: avoid skb_warn_bad_offload false positives on UFO - [x86] crypto: sha1 - Fix reads beyond the number of blocks passed - [amd64] asm: Clear AC on NMI entries - USB: Check for dropped connection before switching to full speed - mm: migrate: prevent racy access to tlb_flush_pending - xfs: fix inobt inode allocation search optimization - af_key: do not use GFP_KERNEL in atomic contexts - audit: Fix use after free in audit_remove_watch_rule() - dst: Increase alignment of metrics to allow extra flag on pointers - ipv4: add reference counting to metrics - ipv4: fix NULL dereference in free_fib_info_rcu() - net_sched/sfq: update hierarchical backlog when drop packet - netxen: fix incorrect loop counter decrement - mm/mempolicy: fix use after free when calling get_mempolicy - ipv6: reset fn->rr_ptr when replacing route - net_sched: fix order of queue length updates in qdisc_replace() - drm: Release driver tracking before making the object available again - ALSA: core: Fix unexpected error at replacing user TLV - [arm64] fpsimd: Prevent registers leaking across exec - [arm64] mm: abort uaccess retries upon fatal signal - ipv6: accept 64k - 1 packet length in ip6_find_1stfragopt() - ALSA: hda - Add stereo mic quirk for Lenovo G50-70 (17aa:3978) - cifs: Fix df output for users with quota limits - cifs: return ENAMETOOLONG for overlong names in cifs_open()/cifs_lookup() - tracing: Fix freeing of filter in create_filter() when set_str is false - qlge: avoid memcpy buffer overflow - nfsd: Limit end of page list when decoding NFSv4 WRITE - mtd: nandsim: remove debugfs entries in error path - [x86] netvsc: fix deadlock betwen link status and removal - perf/core: Fix group {cpu,task} validation - PM/hibernate: touch NMI watchdog when creating snapshot - ipv6: add rcu grace period before freeing fib6_node - ipv6: Fix may be used uninitialized warning in rt6_check - r8169: Do not increment tx_dropped in TX ring cleaning - r8169: Be drop monitor friendly - vfs: Clarify (and fix) MAX_LFS_FILESIZE macros - xfrm_user: fix info leak in xfrm_notify_sa() - xfrm_user: fix info leak in build_aevent() - dm: fix printk() rate limiting code - l2tp: initialise session's refcount before making it reachable - l2tp: hold tunnel while looking up sessions in l2tp_netlink - l2tp: hold tunnel while processing genl delete command - l2tp: hold tunnel while handling genl tunnel updates - l2tp: hold tunnel while handling genl TUNNEL_GET commands - l2tp: hold tunnel used while creating sessions with netlink - ipv6: fix sparse warning on rt6i_node - [x86] ldt: Fix off by one in get_segment_base() - [x86] i2c: ismt: Don't duplicate the receive length for block reads - [x86] i2c: ismt: Return EMSGSIZE for block reads with bogus length - CIFS: Fix maximum SMB2 header size - CIFS: remove endian related sparse warning - net_sched: fix error recovery at qdisc creation - sch_htb: fix crash on init failure - sch_multiq: fix double free on init failure - sch_hhf: fix null pointer dereference on init failure - sch_hfsc: fix null pointer deref and double free on init failure - sch_cbq: fix null pointer dereferences on init failure - sch_fq_codel: avoid double free on init failure - sch_netem: avoid null pointer deref on init failure - sch_tbf: fix two null pointer dereferences on init failure - epoll: fix race between ep_poll_callback(POLLFREE) and ep_free()/ ep_remove() - cifs: check MaxPathNameComponentLength != 0 before using it - brcmfmac: add length check in brcmf_cfg80211_escan_handler() (CVE-2017-0786) - fix unbalanced page refcounting in bio_map_user_iov (CVE-2017-12190) - KEYS: prevent KEYCTL_READ on negative key - assoc_array: Fix a buggy node-splitting case (CVE-2017-12193) - mac80211: accept key reinstall without changing anything (CVE-2017-13080) - ALSA: seq: Fix use-after-free at creating a port (CVE-2017-15265) - KEYS: don't let add_key() update an uninstantiated key (CVE-2017-15299) - packet: hold bind lock when rebinding to fanout hook (CVE-2017-15649) - packet: in packet_do_bind, test fanout with bind_lock held (CVE-2017-15649) - ALSA: usb-audio: Kill stray URB at exiting (CVE-2017-16527) - ALSA: usb-audio: Check out-of-bounds access by corrupted buffer descriptor (CVE-2017-16529) - USB: uas: fix bug in handling of alternate settings (CVE-2017-16530) - USB: fix out-of-bounds in usb_set_configuration (CVE-2017-16531) - usb: usbtest: fix NULL pointer dereference (CVE-2017-16532) - HID: usbhid: fix out-of-bounds bug (CVE-2017-16533) - USB: core: fix out-of-bounds access bug in usb_get_bos_descriptor() (CVE-2017-16535) - ALSA: seq: Enable 'use' locking in all configurations - [x86] platform: samsung-laptop: Initialize loca variable - mm/init: fix zone boundary creation - module: fix types of device tables aliases - mm/hugetlb: improve locking in dissolve_free_huge_pages() - cpumask_set_cpu_local_first => cpumask_local_spread, lament - [arm64] Input: joystick - use get_cycles on ARMv8 - [armhf] ASoC: fsl-ssi: fix do_div build warning in fsl_ssi_set_bclk() - i2o: hide unsafe ioctl on 64-bit - paride: fix the "verbose" module param - aic94xx: Skip reading user settings if flash is not found - i40e: Reduce stack in i40e_dbg_dump_desc - mISDN: avoid arch specific __builtin_return_address call - net: am2150: fix nmclan_cs.c shared interrupt handling - am2150: Update nmclan_cs.c to use update PCMCIA API - net: tulip: turn compile-time warning into dev_warn() - hostap: avoid uninitialized variable use in hfa384x_get_rid - Staging: lustre: missing curly braces in ll_setattr_raw() - [x86] Staging: wlan-ng: fix sparse warning in prism2fw.c - [x86] xen: fix upper bound of pmd loop in xen_cleanhighmap() - [x86] boot: Add CONFIG_PARAVIRT_SPINLOCKS quirk to arch/x86/boot/compressed/misc.h - [armhf] 8296/1: cache-l2x0: clean up aurora cache handling - staging: r8192ee: prorperly format warning message - mtd: cfi: reduce stack size - perf: Avoid horrible stack usage - e1000e: fix call to do_div() to use u64 arg - [x86] i2c: ismt: Separate I2C block read from SMBus block read https://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.16.51 - IB/core: Fix the validations of a multicast LID in attach or detach operations - fcntl: Don't use ambiguous SIG_POLL si_codes - printk: only unregister boot consoles when necessary - printk/console: Always disable boot consoles that use init memory before it is freed - [x86] rtlwifi: rtl8821ae: Fix HW_VAR_NAV_UPPER operation - [powerpc*] mm: Fix check of multiple 16G pages from device tree - [x86] PCI: shpchp: Enable bridge bus mastering if MSI is enabled - dlm: avoid double-free on error path in dlm_device_{register,unregister} - media: v4l2-compat-ioctl32: Fix timespec conversion - [armhf] OMAP2+: omap_device: drop broken RPM status update from suspend_noirq - [amd64] fsgsbase: Report FSBASE and GSBASE correctly in core dumps - [s390*] scsi: zfcp: fix queuecommand for scsi_eh commands when DIX enabled - [s390*] scsi: zfcp: add handling for FCP_RESID_OVER to the fcp ingress path - [s390*] scsi: zfcp: fix capping of unsuccessful GPN_FT SAN response trace records - [s390*] scsi: zfcp: fix passing fsf_req to SCSI trace on TMF to correlate with HBA - [s390*] scsi: zfcp: fix missing trace records for early returns in TMF eh handlers - [s390*] scsi: zfcp: fix payload with full FCP_RSP IU in SCSI trace records - [s390*] scsi: zfcp: trace HBA FSF response by default on dismiss or timedout late response - [i386] cs5536: add support for IDE controller variant - btrfs: resume qgroup rescan on rw remount - drm/ttm: Fix accounting error when fail to get pages for pool - block: Relax a check in blk_start_queue() - skd: Avoid that module unloading triggers a use-after-free - skd: Submit requests to firmware before triggering the doorbell - net: don't decrement kobj reference count on init failure - media: uvcvideo: Prevent heap overflow when accessing mapped controls - [x86] media: lirc_zilog: driver only sends LIRCCODE - [x86] staging/rts5208: fix incorrect shift to extract upper nybble - [armhf] pwm: tiehrpwm: Fix runtime PM imbalance at unbind - [armhf] pwm: tiehrpwm: fix clock imbalance in probe error path - f2fs: check hot_data for roll-forward recovery - RDMA/usnic: Fix remove address space warning - IB/mlx5: Fix integer overflow when page_shift == 31 - media: em28xx: calculate left volume level correctly - staging: lustre: obdclass: return -EFAULT if copy_from_user() fails - USB: core: Avoid race of async_completed() w/ usbdev_release() - usb:xhci:Fix regression when ATI chipsets detected - ACPI, APEI, EINJ: Subtract any matching Register Region from Trigger resources - IB/{qib, hfi1}: Avoid flow control testing for RDMA write operation - IB/usnic: check for allocation failure - [armel,armhf] 8692/1: mm: abort uaccess retries upon fatal signal - net/mlx4_core: Make explicit conversion to 64bit value - scsi: aacraid: Fix command send race condition - iwlwifi: mvm: Avoid deferring non bufferable frames - [powerpc*] Fix DAR reporting when alignment handler faults - [powerpc*] Correct instruction code for xxlor instruction - xen/events: events_fifo: Don't use {get,put}_cpu() in xen_evtchn_fifo_init() - driver core: bus: Fix a potential double free - md/bitmap: disable bitmap_resize for file-backed bitmaps. - xfs: fix incorrect log_flushed on fsync - Revert "net: use lib/percpu_counter API for fragmentation mem accounting" - l2tp: prevent creation of sessions on terminated tunnels - l2tp: pass tunnel pointer to ->session_create() - [armhf] mfd: omap-usb-tll: Fix register offsets - mac80211_hwsim: Use proper TX power - mac80211: flush hw_roc_start work before cancelling the ROC - [s390*] mm: fix race on mm->context.flush_mm - bcache: Fix leak of bdev reference - bcache: fix sequential large write IO bypass - bcache: do not subtract sectors_to_gc for bypassed IO - bcache: correct cache_dirty_target in __update_writeback_rate() - bcache: Correct return value for sysfs attach errors - bcache: fix crash on shutdown in passthrough mode - bcache: fix for gc and write-back race - bcache: fix bch_hprint crash and improve output - tracing: Apply trace_clock changes to instance max buffer - genirq: Make sparse_irq_lock protect what it should protect - bcache: initialize dirty stripes in flash_dev_run() - ipv6: fix memory leak with multiple tables during netns destruction - ipv6: fix typo in fib6_net_exit() - Input: xpad - don't depend on endpoint order - Input: xpad - validate USB endpoint type during probe - smsc95xx: Configure pause time to 0xffff when tx flow control enabled - [x86] KVM: SVM: Add a missing 'break' statement - IB/mlx4: fix sprintf format warning - [x86] KVM: async_pf: Fix #DF due to inject "Page not Present" and "Page Ready" exceptions simultaneously - sctp: do not peel off an assoc from one netns to another one (CVE-2017-15115) - USB: serial: console: fix use-after-free after failed setup (CVE-2017-16525) - cx231xx-cards: fix NULL-deref on missing association descriptor (CVE-2017-16536) - media: imon: Fix null-ptr-deref in imon_probe (CVE-2017-16537) - Input: gtco - fix potential out-of-bound access (CVE-2017-16643) - net: cdc_ether: fix divide by 0 on bad descriptors (CVE-2017-16649) - net: qmi_wwan: fix divide by 0 on bad descriptors (CVE-2017-16650) - mac80211: use constant time comparison with keys - mac80211: don't compare TKIP TX MIC key in reinstall prevention (CVE-2017-13080) - [x86] VSOCK: sock_put wasn't safe to call in interrupt context - [x86] VSOCK: Detach QP check should filter out non matching QPs. - [x86] kvm: Handle async PF in RCU read-side critical sections - [x86] kvm: Avoid async PF preempting the kernel incorrectly . [ Salvatore Bonaccorso ] * KEYS: Simplify KEYRING_SEARCH_{NO,DO}_STATE_CHECK flags (Closes: #877760) * mm, thp: Do not make page table dirty unconditionally in touch_p[mu]d() (CVE-2017-1000405) . [ Ben Hutchings ] * [s390*] qeth: Ignore ABI changes * Revert "[SCSI] aic94xx: Remove broken fallback for missing 'Ctrl-A' user settings", as the fallback has been fixed upstream * [x86] kvm: Ignore ABI change * l2tp: Ignore ABI change * perf: Ignore ABI change * sched: Avoid ABI change in 3.16.49 * cpumask: Avoid ABI change in 3.16.50 * dm: Avoid ABI change in 3.16.50 * gpio: Avoid ABI change in 3.16.50 * ip6_fib: Avoid ABI change in 3.16.50 * ip_fib: Avoid ABI change in 3.16.50 * mm: Avoid ABI change in 3.16.50 * inet_frag: Limit ABI change in 3.16.51 * [s390*] mm: Avoid ABI change in 3.16.51 * mm/mmap.c: expand_downwards: don't require the gap if !vm_prev * mmap: Remember the MAP_FIXED flag as VM_FIXED * [x86] mmap: Add an exception to the stack gap for Hotspot JVM compatibility (Closes: #865303) linux (3.16.48-1) jessie; urgency=medium . * New upstream stable update: https://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.16.44 - [x86] drm/i915: relax uncritical udelay_range() - adm80211: return an error if adm8211_alloc_rings() fails - iio: st_pressure: Fix data sign - rtlwifi: Fix alignment issues - [mips*] Clear ISA bit correctly in get_frame_info() - [mips*] Prevent unaligned accesses during stack unwinding - [mips*] Fix get_frame_info() handling of microMIPS function size - [mips*] Fix is_jump_ins() handling of 16b microMIPS instructions - [mips*] Calculate microMIPS ra properly when unwinding the stack - [mips*] Handle microMIPS jumps in the same way as MIPS32/MIPS64 jumps - [x86] scsi: storvsc: use tagged SRB requests if supported by the device - [x86] scsi: storvsc: Fix a bug in the handling of SRB status flags - [x86] scsi: storvsc: properly handle SRB_ERROR when sense message is present - [x86] scsi: storvsc: properly set residual data length on errors - IB/mlx5: Fix retrieval of index to first hi class bfreg - samples/seccomp: fix 64-bit comparison macros - clk: wm831x: fix usleep_range with bad range - [x86] hv: vmbus_post_msg: retry the hypercall on some transient errors - [x86] hv_vmbus: Add gradually increased delay for retries in vmbus_post_msg() - [x86] Drivers: hv: vmbus: Reduce the delay between retries in vmbus_post_msg() - [x86] Drivers: hv: vmbus: Raise retry/wait limits in vmbus_post_msg() - [x86] hv: allocate synic pages for all present CPUs - [x86] hv: init percpu_list in hv_synic_alloc() - perf evlist: Fix typo in perf_evlist__start_workload() - ext4: avoid deadlock when expanding inode size - ext4: fix deadlock between inline_data and ext4_expand_extra_isize_ea() - tty: serial: msm: Fix module autoload - ath5k: drop bogus warning on drv_set_key with unsupported cipher - ASoC: rt5640: use msleep() for long delays - RDMA/core: Fix incorrect structure packing for booleans - IB/ipoib: Set device connection mode only when needed - IB/ipoib: Fix deadlock over vlan_mutex - IB/ipoib: Fix deadlock between rmmod and set_mode - IB/ipoib: rtnl_unlock can not come after free_netdev - IB/ipoib: Replace list_del of the neigh->list with list_del_init - IB/ipoib: Change list_del to list_del_init in the tx object - locking/ww_mutex: Fix compilation of __WW_MUTEX_INITIALIZER - USB: serial: ch341: fix modem-status handling - USB: serial: ark3116: fix register-accessor error handling - USB: serial: ark3116: fix open error handling - USB: serial: ftdi_sio: fix modem-status error handling - USB: serial: ftdi_sio: fix latency-timer error handling - USB: serial: io_edgeport: fix epic-descriptor handling - USB: serial: io_edgeport: fix descriptor error handling - USB: serial: mct_u232: fix modem-status error handling - USB: serial: quatech2: fix control-message error handling - USB: serial: spcp8x5: fix modem-status handling - USB: serial: ssu100: fix control-message error handling - USB: serial: ti_usb_3410_5052: fix control-message error handling - USB: serial: opticon: fix CTS retrieval at open - staging: rtl: fix possible NULL pointer dereference - mwifiex: debugfs: Fix (sometimes) off-by-1 SSID print - blk-mq: Make bt_clear_tag() easier to read - sbitmap: fix wakeup hang after sbq resize - [armhf] usb: dwc3: gadget: skip Set/Clear Halt when invalid - usb: gadget: define free_ep_req as universal function - usb: gadget: f_hid: fix: Free out requests - usb: gadget: f_hid: fix: Prevent accessing released memory - usb: gadget: f_hid: Use spinlock instead of mutex - W1: ds2490: Increase timeout when waiting for status - w1: ds2490: USB transfer buffers need to be DMAable - w1: don't leak refcount on slave attach failure in w1_attach_slave_device() - USB: serial: ftdi_sio: fix extreme low-latency setting - iwlwifi: mvm: rs: Remove unused 'mcs' variable - drm/ttm: Make sure BOs being swapped out are cacheable - [armhf] clk: samsung: mark s3c...._clk_sleep_init() as __init - drm/radeon: handle vfct with multiple vbios images - ext4: trim allocation requests to group size - ext4: use private version of page_zero_new_buffers() for data=journal mode - ext4: fix data corruption in data=journal mode - [arm*] KVM: Enforce unconditional flush to PoC when mapping to stage-2 - bcma: use (get|put)_device when probing/removing device driver - staging: wlan-ng: add missing byte order conversion - [x86] iommu/vt-d: Don't over-free page table directories - uvcvideo: Fix a wrong macro - USB: serial: digi_acceleport: fix OOB data sanity check - USB: serial: digi_acceleport: fix incomplete rx sanity check - USB: serial: keyspan_pda: fix receive sanity checks - usb: misc: adutux: remove redundant error check on copy_to_user return code - [s390*] qdio: clear DSCI prior to scanning multiple input queues - [x86] pci-calgary: Fix iommu_free() comparison of unsigned expression >= 0 - ext4: fix inline data error paths - jbd2: don't leak modified metadata buffers on an aborted journal - ext4: preserve the needs_recovery flag when the journal is aborted - ext4: return EROFS if device is r/o and journal replay is needed - [s390*] KVM: Disable dirty log retrieval for UCONTROL guests - USB: serial: ftdi_sio: fix line-status over-reporting - USB: serial: sierra: fix bogus alternate-setting assumption - mwifiex: Avoid skipping WEP key deletion for AP - ath9k: fix race condition in enabling/disabling IRQs - NFSv4: Fix memory and state leak in _nfs4_open_and_get_state - USB: serial: mos7840: fix another NULL-deref at open - i2c: i2c-mux-gpio: rename i2c-gpio-mux to i2c-mux-gpio - KEYS: Fix an error code in request_master_key() - serial: exar: Fix initialization of EXAR registers for ports > 0 - [x86] drivers: hv: Turn off write permission on the hypercall page - [armhf] mmc: host: omap_hsmmc: avoid possible overflow of timeout value - md linear: fix a race between linear_add() and linear_congested() - md: ensure md devices are freed before module is unloaded. - nlm: Ensure callback code also checks that the files match - IB/mlx5: Fix out-of-bound access - IB/mlx5: Return error for unsupported signature type - [powerpc*] xmon: Fix data-breakpoint - ath9k: use correct OTP register offsets for the AR9340 and AR9550 - dm cache: fix corruption seen when using cache > 2TB - [mips*] Fix special case in 64 bit IP checksumming. - [mips*] OCTEON: Fix copy_from_user fault handling for large buffers - sfc: do not device_attach if a reset is pending - PM / QoS: Fix memory leak on resume_latency.notifiers - mlx4: reduce OOM risk on arches with large pages - [x86] KVM: VMX: use correct vmcs_read/write for guest segment selector/base - nfsd: update mtime on truncate - nfsd: minor nfsd_setattr cleanup - nfsd: special case truncates some more - batman-adv: Fix double free during fragment merge error - batman-adv: Fix transmission of final, 16th fragment - drm/ttm: fix use-after-free races in vm fault handling - NFSv4: Fix the underestimation of delegation XDR space reservation - fuse: add missing FR_FORCE - rdma_cm: fail iwarp accepts w/o connection params - l2tp: Avoid schedule while atomic in exit_net - net/dccp: fix use after free in tw_timer_handler() - tcp: account for ts offset only if tsecr not zero - scsi: aacraid: Fix memory leak in fib init path - scsi: aacraid: Reorder Adapter status check - mm: fix stray kernel-doc notation - [s390*] chsc: Add exception handler for CHSC instruction - net/mlx4: Spoofcheck and zero MAC can't coexist - net/mlx4_core: Fix VF overwrite of module param which disables DMFS on new probed PFs - net/mlx4_en: Use __skb_fill_page_desc() - f2fs: use for_each_set_bit to simplify the code - f2fs: add ovp valid_blocks check for bg gc victim to fg_gc - NFSv4: fix getacl head length estimation - NFSv4: fix getacl ERANGE for some ACL buffer sizes - vxlan: correctly validate VXLAN ID against VXLAN_N_VID - mm/page_alloc: fix nodes for reclaim in fast path - mm: vmpressure: fix sending wrong events on underflow - mm: do not access page->mapping directly on page_endio - ipv4: mask tos for input route - net sched actions: decrement module reference count after table flush. - mac80211: flush delayed work when entering suspend - drm/ast: Fix AST2400 POST failure without BMC FW or VBIOS - ALSA: timer: Reject user params with too small ticks - ALSA: ctxfi: Fallback DMA mask to 32bit - ALSA: seq: Fix link corruption by event error handling - net/mlx4: && vs & typo - net: net_enable_timestamp() can be called from irq contexts - can: usb_8dev: Fix memory leak of priv->cmd_msg_buffer - virtio-console: avoid DMA from stack - net: ipv6: check route protocol when deleting routes - [x86] platform: acer-wmi: setup accelerometer when machine has appropriate notify event https://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.16.45 - Allow stack to grow up to address space limit https://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.16.46 - xfrm: policy: init locks early - xen: do not re-use pirq number cached in pci device msi msg data - scsi: libiscsi: add lock around task lists to fix list corruption regression - [x86] kprobes: Fix kernel panic when certain exception-handling addresses are probed - [s390*] KVM: Fix guest migration for huge guests resulting in panic - batman-adv: Keep fragments equally sized - net: phy: Do not perform software reset for Generic PHY - [armhf] usb: dwc3: gadget: make Set Endpoint Configuration macros safe - usb: gadget: function: f_fs: pass companion descriptor along - USB: serial: digi_acceleport: fix OOB-event processing - scsi: aacraid: Fix typo in blink status - libceph: don't set weight to IN when OSD is destroyed - [powerpc*] boot: Fix zImage TOC alignment - scsi: lpfc: Add shutdown method for kexec - target/pscsi: Fix TYPE_TAPE + TYPE_MEDIMUM_CHANGER export - target: Fix VERIFY_16 handling in sbc_parse_cdb - [mips*] End spinlocks with .insn - USB: serial: io_ti: fix NULL-deref in interrupt callback - USB: serial: safe_serial: fix information leak in completion handler - dvb-usb: don't use stack for firmware load - dvb-usb-firmware: don't do DMA on stack - USB: iowarrior: fix NULL-deref in write - md/raid1/10: fix potential deadlock - udp: avoid ufo handling on IP payload compression packets - [x86] platform/intel-mid: Correct MSI IRQ line for watchdog device - NFSv4: fix a reference leak caused WARNING messages - ipv6: make ECMP route replacement less greedy - isdn/gigaset: fix NULL-deref at probe - net: wimax/i2400m: fix NULL-deref at probe - dccp/tcp: fix routing redirect race - USB: idmouse: fix NULL-deref at probe - USB: uss720: fix NULL-deref at probe - USB: wusbcore: fix NULL-deref at probe - uwb: hwa-rc: fix NULL-deref at probe - uwb: i1480-dfu: fix NULL-deref at probe - usb-core: Add LINEAR_FRAME_INTR_BINTERVAL USB quirk - futex: Fix potential use-after-free in FUTEX_REQUEUE_PI - futex: Add missing error handling to FUTEX_REQUEUE_PI - ext4: mark inode dirty after converting inline directory - [armhf] iio: adc: ti_am335x_adc: fix fifo overrun recovery - net: properly release sk_frag.page - sched/loadavg: Avoid loadavg spikes caused by delayed NO_HZ accounting - nl80211: fix dumpit error path RTNL deadlocks - perf/core: Fix event inheritance on fork() - mmc: ushc: fix NULL-deref at probe - Input: iforce - validate number of endpoints before using them - Input: cm109 - validate number of endpoints before using them - Input: ims-pcu - validate number of endpoints before using them - Input: yealink - validate number of endpoints before using them - Input: hanwang - validate number of endpoints before using them - Input: kbtab - validate number of endpoints before using them - Input: sur40 - validate number of endpoints before using them - net: ipv6: set route type for anycast routes - USB: usbtmc: add missing endpoint sanity check - ACM gadget: fix endianness in notifications - usb: hub: Fix crash after failure to read BOS descriptor - perf symbols: Fix symbols__fixup_end heuristic for corner cases - ALSA: ctxfi: Fix the incorrect check of dma_set_mask() call - scsi: libsas: fix ata xfer length - ALSA: seq: Fix racy cell insertions during snd_seq_pool_done() - net: unix: properly re-increment inflight counter of GC discarded candidates - bpf: try harder on clones when writing into skb - sch_dsmark: fix invalid skb_cow() usage - bna: integer overflow bug in debugfs - [s390*] decompressor: fix initrd corruption caused by bss clear - usb: gadget: uvc: Fix endianness mismatches - usb: gadget: f_uvc: Fix SuperSpeed companion descriptor's wBytesPerInterval - net/mlx5: Increase number of max QPs in default profile - mmc: sdhci: Do not disable interrupts while waiting for clock - libceph: force GFP_NOIO for socket allocations - xen/acpi: upload PM state from init-domain to Xen - [x86] KVM: clear bus pointer when destroyed - KVM: kvm_io_bus_unregister_dev() should never fail - hwmon: (asus_atk0110) fix uninitialized data access - ALSA: seq: Fix race during FIFO resize - net: phy: handle state correctly in phy_stop_machine - IB/qib: fix false-postive maybe-uninitialized warning - ext4: lock the xattr block before checksuming it - USB: fix linked-list corruption in rh_call_control() - netfilter: nf_nat_snmp: Fix panic when snmp_trap_helper fails to register - [powerpc*] Disable HFSCR[TM] if TM is not supported - virtio_balloon: init 1st buffer in stats vq - virtio_balloon: prevent uninitialized variable use - ACPI: Do not create a platform_device for IOAPIC/IOxAPIC - ACPI / APEI: Add missing synchronize_rcu() on NOTIFY_SCI removal - ACPI: Fix incompatibility with mcount-based function graph tracing - xhci: Manually give back cancelled URB if we can't queue it for cancel - l2tp: purge socket queues in the .destruct() callback - [s390x] uaccess: get_user() should zero on failure (again) - ubi/upd: Always flush after prepared for an update - iscsi-target: Fix TMR reference leak during session shutdown - [x86] drm/vmwgfx: Type-check lookups of fence objects - [x86] drm/vmwgfx: avoid calling vzalloc with a 0 size in vmw_get_cap_3d_ioctl() - drm/ttm, drm/vmwgfx: Relax permission checking when opening surfaces - [x86] drm/vmwgfx: Remove getparam error message - mmc: sdhci: Disable runtime pm when the sdio_irq is enabled - l2tp: fix race in l2tp_recv_common() - l2tp: ensure session can't get removed during pppol2tp_session_ioctl() - l2tp: fix duplicate session creation - l2tp: take a reference on sessions used in genetlink handlers - kernel.h: make abs() work with 64-bit types - include/linux/kernel.h: change abs() macro so it uses consistent return type - iio: core: Fix IIO_VAL_FRACTIONAL_LOG2 for negative values - iio: hid-sensor-attributes: Fix sensor property setting failure. - iscsi-target: Drop work-around for legacy GlobalSAN initiator - af_key: Add lock to key dump - [armhf,arm64] kvm: Fix locking for kvm_free_stage2_pgd - [powerpc*] Don't try to fix up misaligned load-with-reservation instructions - l2tp: take reference on sessions being dumped - [powerpc*] kernel: Use kprobe blacklist for asm functions - [powerpc*/*64*] Fix flush_(d|i)cache_range() called from modules - crypto: caam - fix RNG deinstantiation error checking - ring-buffer: Fix return value check in test_ringbuffer() - CIFS: Handle mismatched open calls - CIFS: Reset TreeId to zero on SMB2 TREE_CONNECT - virtio_console: fix uninitialized variable use - xen, fbfront: fix connecting to backend - scsi: sr: Sanity check returned mode data - ptrace: fix PTRACE_LISTEN race corrupting task->state - l2tp: don't mask errors in pppol2tp_setsockopt() - l2tp: don't mask errors in pppol2tp_getsockopt() - [x86] vdso: Ensure vdso32_enabled gets set to valid values only - [x86] vdso: Plug race between mapping and ELF header setup - CIFS: remove bad_network_name flag - [s390x] mm: fix CMMA vs KSM vs others - [mips*] KGDB: Use kernel context for sleeping threads - ALSA: seq: Don't break snd_use_lock_sync() loop by timeout - zram: do not use copy_page with non-page aligned address - [x86] perf: Avoid exposing wrong/stale data in intel_pmu_lbr_read_32() - [x86] ftrace: Fix triple fault with graph tracing and suspend-to-ram - p9_client_readdir() fix - cifs: Do not send echoes before Negotiate is complete - KEYS: Change the name of the dead type to ".dead" to prevent user access - [x86] Input: elantech - add Fujitsu Lifebook E547 to force crc_enabled - tracing: Allocate the snapshot buffer before enabling probe - ACPI / power: Avoid maybe-uninitialized warning - ring-buffer: Have ring_buffer_iter_empty() return true when empty - mac80211: reject ToDS broadcast data frames - smsc75xx: use skb_cow_head() to deal with cloned skbs - cx82310_eth: use skb_cow_head() to deal with cloned skbs - sr9700: use skb_cow_head() to deal with cloned skbs - net: ipv6: send unsolicited NA if enabled for all interfaces - [x86] Input: i8042 - add Clevo P650RS to the i8042 reset list - macvlan: Fix device ref leak when purging bc_queue - team: fix memory leaks - ipv6: move stub initialization after ipv6 setup completion - ceph: fix recursion between ceph_set_acl() and __ceph_setattr() https://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.16.47 - pvrusb2: reduce stack usage pvr2_eeprom_analyze() - [x86] staging: comedi: jr3_pci: fix possible null pointer dereference - [x86] staging: comedi: jr3_pci: cope with jiffies wraparound - zd1211rw: fix NULL-deref at probe - usb: hub: Fix error loop seen after hub communication errors - usb: hub: Do not attempt to autosuspend disconnected devices - serial_ir: iommap is a memory address, not bool - mceusb: fix NULL-deref at probe - USB: Proper handling of Race Condition when two USB class drivers try to call init_usb_class simultaneously - cdc-acm: fix possible invalid access when processing notification - ath9k_htc: fix NULL-deref at probe - IPoIB: Remove unnecessary test for NULL before debugfs_remove() - IB/IPoIB: ibX: failed to create mcg debug file - gspca: konica: add missing endpoint sanity check - dib0700: fix NULL-deref at probe - usbvision: fix NULL-deref at probe - cx231xx-cards: fix NULL-deref at probe - cx231xx-audio: fix init error path - cx231xx-audio: fix NULL-deref at probe - uvcvideo: Fix empty packet statistic - padata: free correct variable - [armhf] serial: omap: fix runtime-pm handling on unbind - [armhf] serial: omap: suspend device on probe errors - PCI: Fix pci_mmap_fits() for HAVE_PCI_RESOURCE_TO_USER platforms - vfio/type1: Remove locked page accounting workqueue - [x86] perf/pebs: Fix handling of PEBS buffer overflows - [x86] perf: Fix spurious NMI with PEBS Load Latency event - ftrace: Fix removing of second function probe - net: ipv6: send unsolicited NA on admin up - digitv: limit messages to buffer size - zr364xx: enforce minimum size when reading header - PCI: Ignore write combining when mapping I/O port space - PCI: Fix another sanity check bug in /proc/pci mmap - PCI: Only allow WC mmap on prefetchable resources - PCI: Freeze PME scan before suspending devices - ttusb2: limit messages to buffer size - dw2102: limit messages to buffer size - ov2640: fix vflip control - ath9k: off by one in ath9k_hw_nvram_read_array() - [armhf,arm64] KVM: fix races in kvm_psci_vcpu_on - usb: host: xhci: print correct command ring address - mwifiex: pcie: fix cmd_buf use-after-free in remove/reset - [x86] boot: Fix BSS corruption/overwrite bug in early x86 kernel startup - NFS: Use GFP_NOIO for two allocations in writeback - IB/ipoib: Update broadcast object if PKey value was changed in index 0 - HSI: ssi_protocol: double free in ssip_pn_xmit() - IB/mlx4: Fix ib device initialization error flow - [powerpc*] pseries: Fix of_node_put() underflow during DLPAR remove - [powerpc*] sysfs: Fix reference leak of cpu device_nodes present at boot - netfilter: ctnetlink: fix deadlock due to acquire _expect_lock twice - netfilter: ctnetlink: make it safer when updating ct->status - dm btree: fix for dm_btree_find_lowest_key() - dm era: save spacemap metadata root after the pre-commit - PCI: Disable boot interrupt quirk for ASUS M2N-LR - fanotify: don't expose EOPENSTALE to userspace - usb: Make sure usb/phy/of gets built-in - [x86] mm: Fix flush_tlb_page() on Xen - usb: misc: legousbtower: Fix buffers on stack - mfd: omap-usb-tll: Fix inverted bit use for USB TLL mode - dm ioctl: prevent stack leak in dm ioctl call - staging: rtl8188eu: prevent an underflow in rtw_check_beacon_data() - IB/core: If the MGID/MLID pair is not on the list return an error - IB/core: For multicast functions, verify that LIDs are multicast LIDs - libata: reject passthrough WRITE SAME requests - ext4: evict inline data when writing to memory map - Bluetooth: Fix user channel for 32bit userspace on 64bit kernel - [armhf] Input: twl4030-pwrbutton - use correct device for irq request - ip6_tunnel: Fix missing tunnel encapsulation limit option - ipv6: Need to export ipv6_push_frag_opts for tunneling now. - dm bufio: avoid a possible ABBA deadlock - [arm64] KVM: Fix decoding of Rt/Rt2 when trapping AArch32 CP accesses - [x86] drm/edid: Add 10 bpc quirk for LGD 764 panel in HP zBook 17 G2 - [powerpc*] eeh: Avoid use after free in eeh_handle_special_event() - tcp: fix wraparound issue in tcp_lp - cifs: small underflow in cnvrtDosUnixTm() - CIFS: Set unicode flag on cifs echo request to avoid Mac error - tg3: don't clear stats while tg3_close - CIFS: fix oplock break deadlocks - CIFS: SMB3: Work around mount failure when using SMB3 dialect to Macs - ceph: fix memory leak in __ceph_setxattr() - of: fix sparse warning in of_pci_range_parser_one - target/fileio: Fix zero-length READ and WRITE handling - fs/xattr.c: zero out memory copied to userspace in getxattr - [i386] mm: Set the '__vmalloc_start_set' flag in initmem_init() - virtio_net: fix support for small rings - net/mlx4_en: Change the error print to debug print - net/mlx4_en: Avoid adding steering rules with invalid ring - [arm64] ensure extension of smp_store_release value - [arm64] uaccess: ensure extension of access_ok() addr - usb: misc: legousbtower: Fix memory leak - net/mlx4: Fix the check in attaching steering rules https://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.16.48 - xfrm: fix stack access out of bounds with CONFIG_XFRM_SUB_POLICY - af_key: Fix slab-out-of-bounds in pfkey_compile_policy. - netxen_nic: set rcode to the return status from the call to netxen_issue_cmd - [s390x] qeth: handle sysfs error during initialization - ]s390x] qeth: unbreak OSM and OSN support - netem: fix skb_orphan_partial() - tcp: avoid fragmenting peculiar skbs in SACK - SMB2: Fix share type handling - pid_ns: Sleep in TASK_INTERRUPTIBLE in zap_pid_ns_processes - pid_ns: Fix race between setns'ed fork() and zap_pid_ns_processes() - PowerCap: Fix an error code in powercap_register_zone() - USB: serial: ftdi_sio: fix setting latency for unprivileged users - staging: rtl8192e: rtl92e_fill_tx_desc fix write to mapped out memory. - staging: rtl8192e: fix 2 byte alignment of register BSSIDR. - staging: rtl8192e: rtl92e_get_eeprom_size Fix read size of EPROM_CMD. - USB: serial: ir-usb: fix big-endian baud-rate debug printk - USB: serial: mct_u232: fix big-endian baud-rate handling - USB: serial: io_ti: fix div-by-zero in set_termios - [x86] KVM: Fix load damaged SSEx MXCSR register - dm thin metadata: call precommit before saving the roots - dm space map disk: fix some book keeping in the disk space map - [armhf,arm64] kvm: Fix race in resetting stage2 PGD - [armhf,arm64] kvm: Force reading uncached stage2 PGD - [armhf,arm64] kvm: Fix use after free of stage2 page table - usb: dwc3: gadget: Prevent losing events in event cache - btrfs: fix incorrect error return ret being passed to mapping_set_error - tcp: eliminate negative reordering in tcp_clean_rtx_queue - uio: add missing error codes - uio: fix incorrect memory leak cleanup - uwb: fix device quirk on big-endian hosts - USB: iowarrior: fix info ioctl on big-endian hosts - USB: gadget: dummy_hcd: fix hub-descriptor removable fields - [x86] USB: usbip: fix nonconforming hub descriptor - USB: hub: fix SS hub-descriptor handling - USB: hub: fix non-SS hub-descriptor handling - USB: hub: fix SS max number of ports - mac80211: strictly check mesh address extension mode - tracing/kprobes: Enforce kprobes teardown after testing - xhci: apply PME_STUCK_QUIRK and MISSING_CAS quirk for Denverton - usb: host: xhci-mem: allocate zeroed Scratchpad Buffer - usb: host: xhci: simplify irq handler return - USB: xhci: fix lock-inversion problem - usb: host: xhci-plat: propagate return value of platform_get_irq() - drivers: char: mem: Check for address space wraparound with mmap() - watchdog: pcwd_usb: fix NULL-deref at probe - [powerpc*] mm: Fix virt_addr_valid() etc. on 64-bit hash - batman-adv: Fix rx packet/bytes stats on local ARP reply - [x86] KVM: Fix read out-of-bounds vulnerability in kvm pio emulation - [x86] KVM: zero base3 of unusable segments - ext4: fix SEEK_HOLE - ext4: keep existing extra fields when inode expands - ext4: use __GFP_NOFAIL in ext4_free_blocks() - ext4: handle the rest of ext4_mb_load_buddy() ENOMEM errors - i2c: i2c-tiny-usb: fix buffer not being DMA capable - crypto: gcm - wait for crypto op not signal safe - block: fix an error code in add_partition() - libceph: NULL deref on crush_decode() error path - [x86] drm/gma500/psb: Actually use VBT mode when it is found - netfilter: ctnetlink: fix incorrect nf_ct_put during hash resize - ASoC: Fix use-after-free at card unregistration - scsi: qla2xxx: don't disable a not previously enabled PCI device - net: phy: marvell: Limit errata to 88m1101 - drm/radeon/ci: disable mclk switching for high refresh rates (v2) - drm/radeon: Unbreak HPD handling for r600+ - xfs: fix off-by-one on max nr_pages in xfs_find_get_desired_pgoff() - xfs: Fix missed holes in SEEK_HOLE implementation - tcp: avoid fastopen API to be used on AF_UNSPEC - net: ethernet: ax88796: don't call free_irq without request_irq first - ext4: fix data corruption for mmap writes - ext4: fix fdatasync(2) after extent manipulation operations - net: phy: fix marvell phy status reading - iscsi-target: Fix early sk_data_ready LOGIN_FLAGS_READY race - target/iscsi: Fix indentation in iscsi_target_start_negotiation() - iscsi-target: Fix initial login PDU asynchronous socket close OOPs - iscsi-target: Always wait for kthread_should_stop() before kthread exit - [powerpc*] spufs: Fix coredump of SPU contexts - btrfs: use correct types for page indices in btrfs_page_exists_in_range - btrfs: fix memory leak in update_space_info failure path - bnx2x: Fix Multi-Cos - usb: gadget: f_mass_storage: Serialize wake and sleep execution - mm/migrate: fix refcount handling when !hugepage_migration_supported() - mlock: fix mlock count can not decrease in race condition - [x86] staging/lustre/lov: remove set_fs() call from lov_getstripe() - drivers: char: mem: Fix wraparound check to allow mappings up to the end - alarmtimer: Prevent overflow of relative timers - alarmtimer: Rate limit periodic intervals - rc-core: race condition during ir_raw_event_register() - fs/ufs: Set UFS default maximum bytes per file - net: ping: do not abuse udp_poll() - tags: honor COMPILED_SOURCE with apart output directory - vb2: Fix an off by one error in 'vb2_plane_vaddr' - kvm: async_pf: fix rcu_irq_enter() with irqs enabled - [x86] KVM: nVMX: Fix exception injection - [arm64] KVM: Preserve RES1 bits in SCTLR_EL2 - [arm64] KVM: Allow unaligned accesses at EL2 - [armhf] KVM: Allow unaligned accesses at HYP - [x86] drm/vmwgfx: Handle vmalloc() failure in vmw_local_fifo_reserve() - [x86] KVM: cpuid: Fix read/write out-of-bounds vulnerability in cpuid emulation - [mips*] kprobes: flush_insn_slot should flush only if probe initialised - [powerpc*] net: emac: fix reset timeout with AR8035 phy - rcu: Move preemption disabling out of __srcu_read_lock() - srcu: Allow use of Classic SRCU from both process and interrupt context - KEYS: fix dereferencing NULL payload with nonzero length - target: Fix kref->refcount underflow in transport_cmd_finish_abort - can: gs_usb: fix memory leak in gs_cmd_reset() - ufs: fix ufs_isblockset() - ufs: restore maintaining ->i_blocks - ufs: set correct ->s_maxsize - ufs: excessive checks in ufs_write_failed() and ufs_evict_inode() - l2tp: cast l2tp traffic counter to unsigned - KVM: async_pf: avoid async pf injection when in guest mode - configfs: Fix race between create_link and configfs_rmdir - cpufreq: conservative: Allow down_threshold to take values from 1 to 10 - genirq: Release resources in __setup_irq() error path - [powerpc*] KVM: Book3S HV: Context-switch EBB registers properly - selinux: fix double free in selinux_parse_opts_str() - mac80211: don't look at the PM bit of BAR frames - mac80211/wpa: use constant time memory comparison for MACs - xfrm: Oops on error in pfkey_msg2xfrm_state() - xfrm: NULL dereference on allocation failure - IB/ipoib: Fix memory leak in create child syscall - [powerpc*] KVM: Book3S HV: Preserve userspace HTM state properly - [x86] i2c: ismt: fix wrong device address when unmap the data buffer - [powerpc*] kprobes: Pause function_graph tracing during jprobes handling - mm/memory-failure.c: use compound_head() flags for huge pages - swap: cond_resched in swap_cgroup_prepare() - mm: numa: avoid waiting on freed migrated pages - signal: Only reschedule timers on signals timers have sent - ipv6: Do not leak throw route references - rtnetlink: add IFLA_GROUP to ifla_policy - [armhf] i2c: imx: Use correct function to write to register - ipv6: initialize route null entry in addrconf_init() - ipv6: reorder ip6_route_dev_notifier after ipv6_dev_notf - ipv6: only call ip6_route_dev_notify() once for NETDEV_UNREGISTER - ipv6: avoid unregistering inet6_dev for loopback - [powerpc*/*64*] Initialise thread_info for emergency stacks - ipv4: Should use consistent conditional judgement for ip fragment in __ip_append_data and ip_finish_output - net: account for current skb length when deciding about UFO - autofs: sanity check status reported with AUTOFS_DEV_IOCTL_FAIL - tcp: reset sk_rx_dst in tcp_disconnect() - net: prevent sign extension in dev_get_stats() - ALSA: hda - set input_path bitmap to zero after moving it to new place - net: handle NAPI_GRO_FREE_STOLEN_HEAD case also in napi_frags_finish() - [armel,armhf] 8685/1: ensure memblock-limit is pmd-aligned - [mips*] pm-cps: Drop manual cache-line alignment of ready_count - [mips*] Fix IRQ tracing & lockdep when rescheduling - tracing/kprobes: Allow to create probe with a module name starting with a digit - ptrace: use fsuid, fsgid, effective creds for fs access checks . [ Ben Hutchings ] * SCSI: Revert "scsi: scsi_error: count medium access timeout only once per EH run" to avoid ABI change * ttm: Avoid ABI change for ttm_ref_object_add() require_existing param * cxgbi, IB, libiscsi, l2tp, rds: Ignore ABI changes * ptrace, xfrm: Avoid ABI changes in 3.16.48 * Fix regressions caused by fix for CVE-2016-7097 (Closes: #873026): - ext2: Don't clear SGID when inheriting ACLs - hfsplus: Don't clear SGID when inheriting ACLs - reiserfs: Don't clear SGID when inheriting ACLs - btrfs: Don't clear SGID when inheriting ACLs - jfs: Don't clear SGID when inheriting ACLs - xfs: Don't clear SGID when inheriting ACLs - f2fs: Don't clear SGID when inheriting ACLs - ext4: preserve i_mode if __ext4_set_acl() fails - ext4: Don't clear SGID when inheriting ACLs * vfs: avoid creation of inode number 0 in get_next_ino (Closes: #876762) linux (3.16.43-2+deb8u5) jessie-security; urgency=medium . * [amd64] mm: revert ELF_ET_DYN_BASE base changes (fixes regression of ASan) linux (3.16.43-2+deb8u4) jessie-security; urgency=high . * [x86] KVM: fix singlestepping over syscall (CVE-2017-7518) * binfmt_elf: use ELF_ET_DYN_BASE only for PIE (CVE-2017-1000370, CVE-2017-1000371) * ALSA: timer: Fix race between read and ioctl (CVE-2017-1000380) * ALSA: timer: Fix missing queue indices reset at SNDRV_TIMER_IOCTL_SELECT (CVE-2017-1000380) * timerfd: Protect the might cancel mechanism proper (CVE-2017-10661) * xfrm: policy: check policy direction value (CVE-2017-11600) * packet: fix tp_reserve race in packet_set_ring (CVE-2017-1000111) * ipv6: Should use consistent conditional judgement for ip6 fragment between __ip6_append_data and ip6_finish_output * udp: consistently apply ufo or fragmentation (CVE-2017-1000112) * xen: fix bio vec merging (CVE-2017-12134) (Closes: #866511) * nl80211: check for the required netlink attributes presence (CVE-2017-12153) * [x86] kvm: nVMX: Don't allow L2 to access the hardware CR8 (CVE-2017-12154) * scsi: qla2xxx: Fix an integer overflow in sysfs code (CVE-2017-14051) * tcp: initialize rcv_mss to TCP_MIN_MSS instead of 0 (CVE-2017-14106) * Sanitize 'move_pages()' permission checks (CVE-2017-14140) * video: fbdev: aty: do not leak uninitialized padding in clk to userspace (CVE-2017-14156) * xfs: XFS_IS_REALTIME_INODE() should be false if no rt device present (CVE-2017-14340) * scsi: fix the issue that iscsi_if_rx doesn't parse nlmsg properly (CVE-2017-14489) * Bluetooth: Properly check L2CAP config option output buffer length (CVE-2017-1000251) (Closes: #875881) linux (3.16.43-2+deb8u3) jessie-security; urgency=high . * regulator: core: Fix regualtor_ena_gpio_free not to access pin after freeing (CVE-2014-9940) * [x86] drm/vmwgfx: limit the number of mip levels in vmw_gb_surface_define_ioctl() (CVE-2017-7346) * rxrpc: Fix several cases where a padded len isn't checked in ticket decode (CVE-2017-7482) * brcmfmac: fix possible buffer overflow in brcmf_cfg80211_mgmt_tx() (CVE-2017-7541) * ipv6: avoid overflow of offset in ip6_find_1stfragopt (CVE-2017-7542) * [x86] mm: Tighten x86 /dev/mem with zeroing reads (CVE-2017-7889) * [x86] drm/vmwgfx: Make sure backup_handle is always valid (CVE-2017-9605) * xen-blkback: don't leak stack data via response ring (CVE-2017-10911) * mqueue: fix a use-after-free in sys_mq_notify() (CVE-2017-11176) * char: lp: fix possible integer overflow in lp_setup() (CVE-2017-1000363) * fs/exec.c: account for argv/envp pointers (CVE-2017-1000365) . [ Ben Hutchings ] * dentry name snapshots (CVE-2017-7533) mercurial (3.1.2-2+deb8u4) jessie-security; urgency=medium . * CVE-2017-1000115: path traversal via symlink * CVE-2017-1000116: command injection on clients through malicious ssh URLs mupdf (1.5-1+deb8u3) jessie-security; urgency=high . * Non-maintainer upload by the Security Team. * CVE-2017-15587: Integer overflow was discovered in pdf_read_new_xref_section (Closes: #879055) mysql-5.5 (5.5.58-0+deb8u1) jessie-security; urgency=high . * Imported upstream version 5.5.58 to fix security issues: - http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html - CVE-2017-10268 CVE-2017-10378 CVE-2017-10379 CVE-2017-10384 (Closes: #878402) mysql-5.5 (5.5.57-0+deb8u1) jessie-security; urgency=high . * Imported upstream version 5.5.57 to fix security issues: - http://www.oracle.com/technetwork/security-advisory/cpujul2017-3236622.html - CVE-2017-3635 CVE-2017-3636 CVE-2017-3641 CVE-2017-3648 - CVE-2017-3651 CVE-2017-3652 CVE-2017-3653 (Closes: #868788) ncurses (5.9+20140913-1+deb8u2) jessie; urgency=medium . * Re-upload with no changes to work around #826161. ncurses (5.9+20140913-1+deb8u1) jessie; urgency=medium . * Cherry-pick upstream fixes from the 20170701 and 20170708 patchlevels for various crash bugs in the tic library and the tic binary (CVE-2017-10684, CVE-2017-10685, CVE-2017-11112, CVE-2017-11113). * Apply termcap-format fix from openSUSE's ncurses-5.9-55.6.1 package, repairing a regression from the above security fixes (see #868266). * Cherry-pick upstream fixes from the 20170826 patchlevel for more crash bugs in the tic library (CVE-2017-13728, CVE-2017-13729, CVE-2017-13730, CVE-2017-13731, CVE-2017-13732, CVE-2017-13734, Closes: #873723). * Cherry-pick upstream fixes from the 20170902 patchlevel to fix another crash bug in the tic program (CVE-2017-13733, Closes: #873746). newsbeuter (2.8-2+deb8u2) jessie-security; urgency=high . * Non-maintainer upload by the Security Team. * Work around shell code in podcast names (CVE-2017-14500) Remote code execution in podbeuter. (Closes: #876004) newsbeuter (2.8-2+deb8u1) jessie-security; urgency=high . * Fix RCE on bookmark. (CVE-2017-12904) nginx (1.6.2-5+deb8u5) jessie-security; urgency=high . * Handle CVE-2017-7529 Integer overflow in the range filter (Closes: #868109) nss (2:3.26-1+debu8u3) jessie-security; urgency=high . * Non-maintainer upload by the Security Team. * CVE-2017-7805: Potential use-after-free in TLS 1.2 server when verifying client authentication openjpeg2 (2.1.0-2+deb8u3) jessie-security; urgency=medium . * CVE-2016-9118: c22cbd8bdf8ff2ae372f94391a4be2d322b36b41.patch * CVE-2016-5152: 3fbe71369019df0b47c7a2be4fab8c05768f2f32.patch * CVE-2016-1628: 11445eddad7e7fa5b273d1c83c91011c44e5d586.patch * CVE-2016-10504: not needed * CVE-2017-14039: CVE-2017-14039.patch * CVE-2017-14040: 2cd30c2b06ce332dede81cccad8b334cde997281.patch * CVE-2017-14041: e5285319229a5d77bf316bb0d3a6cbd3cb8666d9.patch * CVE-2017-14151: not needed * CVE-2017-14152: dcac91b8c72f743bda7dbfa9032356bc8110098a.patch * CVE-2016-5157: CVE-2016-5157.patch opensaml2 (2.5.3-2+deb8u2) jessie-security; urgency=high . * [28c33b1] Adjust my name and email in Uploaders * [4be47e7] New patch: Security fix from V2.6.1 (CPPOST-105) Thanks to Scott Cantor openssh (1:6.7p1-5+deb8u4) jessie; urgency=medium . * Test configuration before starting or reloading sshd under systemd (closes: #865770). * Make "--" before the hostname terminate argument processing after the hostname too (closes: #873201). openssl (1.0.1t-1+deb8u7) jessie-security; urgency=medium . * Fix CVE-2017-3735.patch otrs2 (3.3.18-1+deb8u2) jessie-security; urgency=high . * Add patch 16-OSA-2017-06 which fixes OSA-2017-06, also known as CVE-2017-15864: An attacker who is logged into OTRS as an agent can request special URLs from OTRS which can lead to the disclosure of any configuration information, including database credentials. * Add patch 17-OSA-2017-07 which fixes OSA-2017-07, also known as CVE-2017-16664: An attacker who is logged into OTRS as an agent can request special URLs from OTRS which can lead to the execution of shell commands with the permissions of the web server user. Closes: #882370 otrs2 (3.3.18-1+deb8u1) jessie-security; urgency=high . * New upstream release. - Refresh patches 03-backup, 04-opt, 05-database, 06-no-installer, 09-disable-DashboardProductNotify, 10-nice-packagemanager-permissions-message, 12-use-debian-libjs-packages, 13-load-debian-libjs, 14-font-paths and 15-dbupdate-as-root. - This fixes OSA-2017-04, also known as CVE-2017-14635: An attacker who is logged into OTRS as an agent with write permissions for statistics can inject arbitrary code into the system. This can lead to serious problems like privilege escalation, data loss, and denial of service. Closes: #876462 . otrs2 (3.3.11-1) experimental; urgency=low . * New upstream release. - Fixes CVE-2014-9324, also known as OSA-2014-06. - Refresh hunky patch 03-backup. - Refresh hunky patch 07-dont-chown-links. - Refresh hunky patch 10-nice-packagemanager-permissions-message. - Refresh hunky patch 11-fix-SetPermissions-to-include-some-more-dirs. * Watch again all releases. * Do not install auto_build.sh. Closes: #772287 * Merge 3.3.9-3 changelog. . otrs2 (3.3.10-1) experimental; urgency=low . * New upstream release. - Refresh hunky patch 03-backup. - non-free flash files have been removed. - Remove an extra license file. * Move database servers from recommends to suggest and add Postgres and MySQL clients to recommends. Closes: #767517 otrs2 (3.3.11-1) experimental; urgency=low . * New upstream release. - Fixes CVE-2014-9324, also known as OSA-2014-06. - Refresh hunky patch 03-backup. - Refresh hunky patch 07-dont-chown-links. - Refresh hunky patch 10-nice-packagemanager-permissions-message. - Refresh hunky patch 11-fix-SetPermissions-to-include-some-more-dirs. * Watch again all releases. * Do not install auto_build.sh. Closes: #772287 * Merge 3.3.9-3 changelog. otrs2 (3.3.10-1) experimental; urgency=low . * New upstream release. - Refresh hunky patch 03-backup. - non-free flash files have been removed. - Remove an extra license file. * Move database servers from recommends to suggest and add Postgres and MySQL clients to recommends. Closes: #767517 pdns (3.4.1-4+deb8u8) jessie; urgency=medium . * Add patch fixing security issue: * Missing check on API operations: CVE-2017-15091 pdns-recursor (3.6.2-2+deb8u4) jessie; urgency=medium . * Add upstream patch fixing security issue: * Configuration file injection in the API. CVE-2017-15093 perl (5.20.2-3+deb8u9) jessie-security; urgency=high . * Update upstream base.pm no-dot-in-inc fix patch description. * [SECURITY] CVE-2017-12837: Fix a heap buffer overflow in regular expression compiler. (Closes: #875596) * [SECURITY] CVE-2017-12883: Fix a buffer over-read in regular expression parser. (Closes: #875597) + also includes a separate upstream fix from the 5.23 cycle pjproject (2.1.0.0.ast20130823-1+deb8u1) jessie-security; urgency=medium . * CVE-2017-9359 CVE-2017-9372 postgresql-9.4 (9.4.15-0+deb8u1) jessie-security; urgency=medium . * New upstream version. . + Fix crash due to rowtype mismatch in json{b}_populate_recordset() (Michael Paquier, Tom Lane) . These functions used the result rowtype specified in the FROM ... AS clause without checking that it matched the actual rowtype of the supplied tuple value. If it didn't, that would usually result in a crash, though disclosure of server memory contents seems possible as well. (CVE-2017-15098) postgresql-9.4 (9.4.14-0+deb8u1) jessie; urgency=medium . * New upstream bugfix release. postgresql-9.4 (9.4.13-0+deb8u1) jessie-security; urgency=medium . * New upstream security release. + Further restrict visibility of pg_user_mappings.umoptions, to protect passwords stored as user mapping options. See the release notes for instructions for applying the fix to existing database clusters. (CVE-2017-7547; extends fix for CVE-2017-7486) + Disallow empty passwords in all password-based authentication methods. (CVE-2017-7546) + Make lo_put() check for UPDATE privilege on the target large object. (CVE-2017-7548) postgresql-common (165+deb8u3) jessie-security; urgency=medium . * pg_ctlcluster, pg_createcluster, pg_upgradecluster: Use lchown instead of chown to mitigate privilege escalation via symlinks. (CVE-2017-8806. Related to CVE-2017-12172 in PostgreSQL; extends our earlier fix for CVE-2016-1255.) procmail (3.22-24+deb8u1) jessie-security; urgency=high . * Fix buffer overflow in loadbuf(). Closes: #876511. Reported by Jakub Wilk using American Fuzzy Lop. For reference, this is CVE-2017-16844. pyjwt (0.2.1-1+deb8u2) jessie-security; urgency=medium . * CVE-2017-11424 python-tablib (0.9.11-2+deb8u1) jessie; urgency=low . * CVE-2017-2810: apply upstream patch: use safe load (Closes: #864818). quagga (0.99.23.1-1+deb8u4) jessie-security; urgency=high . * Non-maintainer upload by the Security Team. * bgpd: Fix AS_PATH size calculation for long paths (CVE-2017-16227) (Closes: #879474) request-tracker4 (4.2.8-3+deb8u3) jessie; urgency=medium . * Fix regression in previous security release where incorrect SHA256 passwords could trigger an error ruby-ox (2.1.1-2+deb8u1) jessie; urgency=medium . * Team upload * Add fix_parse_obj_segfault.patch picked from upstream + fix CVE-2017-15928: segmentation fault in parse_obj (Closes: #881445) sam2p (0.49.2-3+deb8u1) jessie; urgency=high . * Non-maintainer upload. * Fix CVE-2017-14628, CVE-2017-14629, CVE-2017-14630, CVE-2017-14631, CVE-2017-14636, CVE-2017-14637, CVE-2017-16663: Several integer overflow or heap-based buffer overflow issues were discovered in sam2p that may lead to an application crash or other unspecified impact. (Closes: #876744) samba (2:4.2.14+dfsg-0+deb8u9) jessie-security; urgency=high . * This is a security release in order to address the following defects: - CVE-2017-15275: s3: smbd: Chain code can return uninitialized memory when talloc buffer is grown. - CVE-2017-14746: s3: smbd: Fix SMB1 use-after-free crash bug. samba (2:4.2.14+dfsg-0+deb8u8) jessie-security; urgency=high . * This is a security release in order to address the following defects: - CVE-2017-12150: Some code path don't enforce smb signing, when they should - CVE-2017-12151: Keep required encryption across SMB3 dfs redirects - CVE-2017-12163: Server memory information leak over SMB1 samba (2:4.2.14+dfsg-0+deb8u7) jessie-security; urgency=high . * This is a security release in order to address the following defect: - CVE-2017-11103: Orpheus' Lyre KDC-REP service name validation (Closes: #868209) shibboleth-sp2 (2.5.3+dfsg-2+deb8u1) jessie-security; urgency=high . * [19b043c] Adjust my name and email in Uploaders * [cf997f0] New patch: Security fix from V2.6.1 (SSPCPP-763) Thanks to Scott Cantor slurm-llnl (14.03.9-5+deb8u1) jessie; urgency=high . * Fix security issue caused by insecure file path handling triggered by the failure of a Prolog script (CVE-2016-10030) smb4k (1.2.1-2~deb8u1) jessie-security; urgency=high . * Non-maintainer upload. * Backport version 1.2.1-2 from Stretch and fix CVE-2017-8849. Previous versions of smb4k allowed local users to gain root privileges by leveraging failure to verify arguments to the mount helper DBUS service. smb4k (1.2.1-1) unstable; urgency=medium . * Team upload. * New upstream release. * Drop menu file, since smb4k already provides a .desktop file. * Use https for the Vcs-Browser field. * Bump Standards-Version to 3.9.7, no changes required. * Improve description; also drop the reference to the Plasma widget, since it has never been built, and it will not work anyway in a Plasma 5 environment. (Closes: #763624) * Link in as-needed mode. strongswan (5.2.1-6+deb8u5) jessie-security; urgency=medium . * debian/patches: - CVE-2017-11185 added, fix insufficient validation in gmp plugin (CVE-2017-11185) subversion (1.8.10-6+deb8u5) jessie-security; urgency=high . * patches/CVE-2016-8734: Unrestricted XML entity expansion in HTTP clients * patches/CVE-2017-9800: Arbitrary code execution on clients through malicious svn+ssh URLs in svn:externals and svn:sync-from-url sudo (1.8.10p3-1+deb8u5) jessie; urgency=medium . * Non-maintainer upload. * Use /proc/self consistently on Linux * CVE-2017-1000368: Arbitrary terminal access (Closes: #863897) supervisor (3.0r1-1+deb8u1) jessie-security; urgency=high . * Non-maintainer upload by the Security Team. * Disable object traversal in XML-RPC dispatch (CVE-2017-11610) (Closes: #870187) syslinux (3:6.03+dfsg-5+deb8u2) jessie; urgency=medium . * Add patch from upstream to fix boot problem for old BIOS firmware from around 2005 by correcting the C/H/S order (thanks Thomas Schmitt, Closes: #879004). tcpdump (4.9.2-1~deb8u1) jessie-security; urgency=high . * New upstream release, fixing 90 new CVEs. See the upstream changelog for the full list (closes: #867718, #873804, #873805, #873806). tcpdump (4.9.1-3) unstable; urgency=high . * Cherry-pick three upstream commits to fix the following: + CVE-2017-11541: buffer over-read in safeputs() (closes: #873804) + CVE-2017-11542: buffer over-read in pimv1_print() (closes: #873805) + CVE-2017-11543: buffer overflow in sliplink_print() (closes: #873806) * Urgency high due to security fixes. tcpdump (4.9.1-2) unstable; urgency=medium . * Disable IKEv2 test which mysteriously fails on ppc64el (closes: #873377). tcpdump (4.9.1-1) unstable; urgency=medium . * New upstream release, fixes CVE-2017-11108 (closes: #867718). * Bump Standards-Version to 4.1.0. * debian/watch: add pgpsigurlmangle option. * Add upstream signing key in debian/upstream. tcpdump (4.9.0-3) unstable; urgency=medium . [ intrigeri ] * Include AppArmor profile from Ubuntu (closes: #866682). . [ Romain Francoise ] * Bump Standards-Version to 4.0.0. tcpdump (4.9.0-2) unstable; urgency=medium . * Re-enable crypto support, targeting OpenSSL 1.0 as upstream still doesn't support OpenSSL 1.1. * Drop --enable-ipv6 from configure line, it has been the default for years now. tcpdump (4.9.0-1) unstable; urgency=high . * New upstream security release, fixing the following: + CVE-2016-7922: buffer overflow in print-ah.c:ah_print(). + CVE-2016-7923: buffer overflow in print-arp.c:arp_print(). + CVE-2016-7924: buffer overflow in print-atm.c:oam_print(). + CVE-2016-7925: buffer overflow in print-sl.c:sl_if_print(). + CVE-2016-7926: buffer overflow in print-ether.c:ethertype_print(). + CVE-2016-7927: buffer overflow in print-802_11.c:ieee802_11_radio_print(). + CVE-2016-7928: buffer overflow in print-ipcomp.c:ipcomp_print(). + CVE-2016-7929: buffer overflow in print-juniper.c:juniper_parse_header(). + CVE-2016-7930: buffer overflow in print-llc.c:llc_print(). + CVE-2016-7931: buffer overflow in print-mpls.c:mpls_print(). + CVE-2016-7932: buffer overflow in print-pim.c:pimv2_check_checksum(). + CVE-2016-7933: buffer overflow in print-ppp.c:ppp_hdlc_if_print(). + CVE-2016-7934: buffer overflow in print-udp.c:rtcp_print(). + CVE-2016-7935: buffer overflow in print-udp.c:rtp_print(). + CVE-2016-7936: buffer overflow in print-udp.c:udp_print(). + CVE-2016-7937: buffer overflow in print-udp.c:vat_print(). + CVE-2016-7938: integer overflow in print-zeromq.c:zmtp1_print_frame(). + CVE-2016-7939: buffer overflow in print-gre.c, multiple functions. + CVE-2016-7940: buffer overflow in print-stp.c, multiple functions. + CVE-2016-7973: buffer overflow in print-atalk.c, multiple functions. + CVE-2016-7974: buffer overflow in print-ip.c, multiple functions. + CVE-2016-7975: buffer overflow in print-tcp.c:tcp_print(). + CVE-2016-7983: buffer overflow in print-bootp.c:bootp_print(). + CVE-2016-7984: buffer overflow in print-tftp.c:tftp_print(). + CVE-2016-7985: buffer overflow in print-calm-fast.c:calm_fast_print(). + CVE-2016-7986: buffer overflow in print-geonet.c, multiple functions. + CVE-2016-7992: buffer overflow in print-cip.c:cip_if_print(). + CVE-2016-7993: a bug in util-print.c:relts_print() could cause a buffer overflow in multiple protocol parsers (DNS, DVMRP, HSRP, IGMP, lightweight resolver protocol, PIM). + CVE-2016-8574: buffer overflow in print-fr.c:frf15_print(). + CVE-2016-8575: buffer overflow in print-fr.c:q933_print(). + CVE-2017-5202: buffer overflow in print-isoclns.c:clnp_print(). + CVE-2017-5203: buffer overflow in print-bootp.c:bootp_print(). + CVE-2017-5204: buffer overflow in print-ip6.c:ip6_print(). + CVE-2017-5205: buffer overflow in print-isakmp.c:ikev2_e_print(). + CVE-2017-5341: buffer overflow in print-otv.c:otv_print(). + CVE-2017-5342: a bug in multiple protocol parsers (Geneve, GRE, NSH, OTV, VXLAN and VXLAN GPE) could cause a buffer overflow in print-ether.c:ether_print(). + CVE-2017-5482: buffer overflow in print-fr.c:q933_print(). + CVE-2017-5483: buffer overflow in print-snmp.c:asn1_parse(). + CVE-2017-5484: buffer overflow in print-atm.c:sig_print(). + CVE-2017-5485: buffer overflow in addrtoname.c:lookup_nsap(). + CVE-2017-5486: buffer overflow in print-isoclns.c:clnp_print(). * Re-enable all tests and bump build-dep on libpcap0.8-dev to >= 1.8 accordingly. * Switch Vcs-Git URL to the https one. * Adjust lintian override name about dh 9. tomcat8 (8.0.14-1+deb8u11) jessie-security; urgency=high . * Fix CVE-2017-7674: The CORS Filter did not add an HTTP Vary header indicating that the response varies depending on Origin. This permitted client and server side cache poisoning in some circumstances. tor (0.2.5.15-1) jessie; urgency=medium . * New upstream version: - update directory authority set transfig (1:3.2.5.e-4+deb8u1) jessie; urgency=medium . * CVE-2017-16899: 33_input_sanitizing: Some input sanitizing on FIG files (Closes: #881143, #881144). * 34_fill-style-overflow: Sanitize input of fill patterns (Closes: #881396). tzdata (2017c-0+deb8u1) jessie; urgency=medium . * New upstream version, affecting the following future timestamp: - Northern Cyprus resumed EU rules starting 2017-10-29. - Namibia will switch from +01 with DST to +02 all year, affecting UT offsets starting 2018-04-01. - Sudan will switch from +03 to +02 on 2017-11-01. - Tonga will not observe DST on 2017-11-05. - Turks & Caicos will switch from -04 all year to -05 with US DST, affecting UT offset starting 2018-11-04. tzdata (2017b-2) unstable; urgency=medium . [ Aurelien Jarno ] * Update Dutch debconf translation, by Frans Spiesschaert. Closes: #861700. * debian/control: provide tzdata-buster instead of tzdata-stretch. tzdata (2017b-1) unstable; urgency=medium . [ Aurelien Jarno ] * New upstream version, affecting the following future timestamp: - Haiti resumed observance of DST in 2017. unbound (1.4.22-3+deb8u3) jessie; urgency=high . * Cherry-pick upstream commit svn r4301, "Fix install of trust anchor when two anchors are present, makes both valid. Checks hash of DS but not signature of new key. This fixes installs between sep11 and oct11 2017." * Cherry-pick upstream commit svn r4000, "Include root trust anchor id 20326 in unbound-anchor". varnish (4.0.2-1+deb8u1) jessie-security; urgency=high . * Non-maintainer upload by the Security Team. * Correctly handle bogusly large chunk sizes. This fixes a denial of service attack vector where bogusly large chunk sizes in requests could be used to force restarts of the Varnish server. vlc (2.2.7-1~deb8u1) jessie-security; urgency=high . * New upstream release. - Fix crash in libavcodec module (heap write out-of band). (CVE-2017-10699) - Fix flac heap write overflow on format change. (CVE-2017-9300) - Fix AVI read/write overflow. vlc (2.2.6-6) unstable; urgency=medium . * Update to ffmpeg 2.8.13. vlc (2.2.6-5) unstable; urgency=medium . * debian/control: Bump Standards-Version. * debian/patches: Add support for libupnp 1.8. (Closes: #868936) vlc (2.2.6-4) unstable; urgency=medium . * debian/upstream: Add DEP-12 metadata. * debian/control: - Restrict Recommends on vlc-plugin-samba to linux-any kfreebsd-any. - Switch to timgm6mb-soundfont. (Closes: #870790) - Bump Standards-Version. * debian/{rules,control,vlc-plugin-base}: No longer build directfb plugin. directfb upstream is inactive and the plugin got removed for vlc 3.0. * debian/vlc-plugin-base.lintian-overrides: Override shlibs-with-non-pic-code. See lintian overrides of ffmpeg for more details. vlc (2.2.6-3) unstable; urgency=medium . [ Mateusz Łukasik ] * debian/patches: avcodec: Check visible sizes (CVE-2017-10699). . [ Sebastian Ramacher ] * debian/patches: flac: Fix heap write overflow on frame format change. (CVE-2017-9300) vlc (2.2.6-2) unstable; urgency=medium . * Upload to unstable. * Update to ffmpeg 2.8.12. * debian/control: - Remove Build-Conflicts. - Bump Standards-Version. * debian/rules: Build with hardening=+all. vlc (2.2.6-1) experimental; urgency=medium . * New upstream release. - demuxer: Fix heap buffer overflows (CVE-2017-8312). vlc (2.2.6-1~deb9u1) unstable; urgency=high . * New upstream release. - demux: Fix heap buffer overflows (CVE-2017-8312) * debian/*.maintscript: Bump all versions to 2.2.6-1~z. This is necessary to properly handle symlink to directory conversions once 2.2.6 is available in jessie. * debian/control: Bump Breaks + Replaces to 2.2.6-1~deb9u1 where necessary to ensure proper upgrades from jessie. weechat (1.0.1-1+deb8u2) jessie; urgency=medium . * Non-maintainer upload. * logger: call strftime before replacing buffer local variables (CVE-2017-14727) (Closes: #876553) wget (1.16-1+deb8u4) jessie-security; urgency=medium . * CVE-2017-13089 / CVE-2017-13090 wordpress (4.1+dfsg-1+deb8u15) jessie-security; urgency=medium . * Backport security patches from 4.8.2 - CVE-2017-14723 $wpdb->prepare() can create unexpected and unsafe queries leading to potential SQL injection (SQLi) Changeset 41472, 41498 - CVE-2017-14726 Cross-site scripting (XSS) vulnerability in the visual editor Changeset 41436 - CVE-2017-14719 Path traversal vulnerability in the file unzipping code Changeset 41459 - CVE-2017-14721 Cross-site scripting (XSS) vulnerability in the plugin editor Changeset 41413 - CVE-2017-14725 Open redirect in the user edit screens The term/tag edit screen does not have this issue. Changeset 41424 - CVE-2017-14722 Path traversal vulnerability in the customizer Changeset 41430 - CVE-2017-14720 Cross-site scripting (XSS) vulnerability in template names Changeset 41413 (same as plugin editor) - CVE-2017-14718 Cross-site scripting (XSS) vulnerability in the link modal * Not vulnerable: - CVE-2017-14724 Cross-site scripting (XSS) vulnerability in the oEmbed discovery oEmbed feature not present in this version * Hash user activation key Closes: #877629 Fixes CVE-2017-14990 wordpress-shibboleth (1.4-2+deb8u1) jessie-security; urgency=high . * [CVE-2017-14313]: Fix XSS in login form (Closes: #874416) wpa (2.3-1+deb8u5) jessie-security; urgency=high . * Non-maintainer upload by the Security Team. * Add patches to fix WPA protocol vulnerabilities (CVE-2017-13077, CVE-2017-13078, CVE-2017-13079, CVE-2017-13080, CVE-2017-13081, CVE-2017-13082, CVE-2017-13086, CVE-2017-13087, CVE-2017-13088): - hostapd: Avoid key reinstallation in FT handshake - Prevent reinstallation of an already in-use group key - Extend protection of GTK/IGTK reinstallation of WNM-Sleep Mode cases - Fix PTK rekeying to generate a new ANonce - TDLS: Reject TPK-TK reconfiguration - WNM: Ignore WNM-Sleep Mode Response if WNM-Sleep Mode has not been used - WNM: Ignore WNM-Sleep Mode Response without pending request - FT: Do not allow multiple Reassociation Response frames - TDLS: Ignore incoming TDLS Setup Response retries xen (4.4.1-9+deb8u10) jessie-security; urgency=medium . Security updates, including some very important fixes: * XSA-217 CVE-2017-10912 * XSA-218 CVE-2017-10913 CVE-2017-10914 * XSA-219 CVE-2017-10915 * XSA-221 CVE-2017-10917 * XSA-222 CVE-2017-10918 * XSA-224 CVE-2017-10919 * XSA-226 CVE-2017-12135 * XSA-227 CVE-2017-12137 * XSA-230 CVE-2017-12855 * XSA-235 no CVE assigned yet . Bugfixes: * evtchn: don't reuse ports that are still "busy" (for XSA-221 patch) . FYI, XSAs which remain outstanding because no patch is available. * XSA-223: armhf/arm64 guest-induced host crash vulnerability . FYI, inapplicable XSAs, for which no patch is included: * XSA-216: Bugs are in Linux and Qemu, not Xen * XSA-220: Xen 4.4 is not vulnerable * XSA-225: Xen 4.4 is not vulnerable * XSA-228: Xen 4.4 is not vulnerable * XSA-229: Bug is in Linux, not Xen xorg-server (2:1.16.4-1+deb8u2) jessie-security; urgency=high . * render: Fix out of boundary heap access * Xext/shm: Validate shmseg resource id (CVE-2017-13721) * xkb: Escape non-printable characters correctly. * xkb: Handle xkb formated string output safely (CVE-2017-13723) * os: Make sure big requests have sufficient length. * Unvalidated lengths in - XFree86-VidModeExtension (CVE-2017-12180) - XFree86-DGA (CVE-2017-12181) - XFree86-DRI (CVE-2017-12182) - XFIXES (CVE-2017-12183) - XINERAMA (CVE-2017-12184) - MIT-SCREEN-SAVER (CVE-2017-12185) - X-Resource (CVE-2017-12186) - RENDER (CVE-2017-12187) * Xi: Test exact size of XIBarrierReleasePointer * Xi: integer overflow and unvalidated length in (S)ProcXIBarrierReleasePointer (CVE-2017-12179) * Xi: Silence some tautological warnings * Xi: fix wrong extra length check in ProcXIChangeHierarchy (CVE-2017-12178) * dbe: Unvalidated variable-length request in ProcDbeGetVisualInfo (CVE-2017-12177) * Unvalidated extra length in ProcEstablishConnection (CVE-2017-12176) * Use timingsafe_memcmp() to compare MIT-MAGIC-COOKIES (CVE-2017-2624) * Xwayland: enable access control and default to just the local user (CVE-2015-3164) zabbix (1:2.2.7+dfsg-2+deb8u3) jessie-security; urgency=medium . * CVE-2017-2824 CVE-2017-2825 ====================================== Sat, 22 Jul 2017 - Debian 8.9 released ====================================== ========================================================================= [Date: Sat, 22 Jul 2017 09:47:36 +0000] [ftpmaster: Archive Administrator] Removed the following packages from oldstable: ears | 1.0.1-2.1 | source, all Closed bugs: 862406 ------------------- Reason ------------------- requires unavailable python-musicbrainz ---------------------------------------------- ========================================================================= ========================================================================= [Date: Sat, 22 Jul 2017 09:48:21 +0000] [ftpmaster: Archive Administrator] Removed the following packages from oldstable: gnuvd | 1.0.12-1 | source, amd64, arm64, armel, armhf, i386, mips, mipsel, powerpc, ppc64el, s390x gnuvd-gnome | 1.0.12-1 | all Closed bugs: 862486 ------------------- Reason ------------------- broken by upstream site changes ---------------------------------------------- ========================================================================= ========================================================================= [Date: Sat, 22 Jul 2017 09:48:46 +0000] [ftpmaster: Archive Administrator] Removed the following packages from oldstable: hbro-contrib | 1.1.1.0-1 | source libghc-hbro-contrib-dev | 1.1.1.0-1+b18 | powerpc libghc-hbro-contrib-dev | 1.1.1.0-1+b23 | i386 libghc-hbro-contrib-dev | 1.1.1.0-1+b24 | amd64 libghc-hbro-contrib-doc | 1.1.1.0-1 | all libghc-hbro-contrib-prof | 1.1.1.0-1+b18 | powerpc libghc-hbro-contrib-prof | 1.1.1.0-1+b23 | i386 libghc-hbro-contrib-prof | 1.1.1.0-1+b24 | amd64 Closed bugs: 868811 ------------------- Reason ------------------- build-depends on to-be-removed hbro ---------------------------------------------- ========================================================================= ========================================================================= [Date: Sat, 22 Jul 2017 09:49:08 +0000] [ftpmaster: Archive Administrator] Removed the following packages from oldstable: hbro | 1.1.2.2-2 | source hbro | 1.1.2.2-2+b8 | powerpc hbro | 1.1.2.2-2+b14 | i386 hbro | 1.1.2.2-2+b15 | amd64 libghc-hbro-dev | 1.1.2.2-2+b8 | powerpc libghc-hbro-dev | 1.1.2.2-2+b14 | i386 libghc-hbro-dev | 1.1.2.2-2+b15 | amd64 libghc-hbro-doc | 1.1.2.2-2 | all libghc-hbro-prof | 1.1.2.2-2+b8 | powerpc libghc-hbro-prof | 1.1.2.2-2+b14 | i386 libghc-hbro-prof | 1.1.2.2-2+b15 | amd64 Closed bugs: 862503 ------------------- Reason ------------------- segfaults on all usage ---------------------------------------------- ========================================================================= ========================================================================= [Date: Sat, 22 Jul 2017 09:49:33 +0000] [ftpmaster: Archive Administrator] Removed the following packages from oldstable: pgsnap | 0.7.0-1 | source, all Closed bugs: 863339 ------------------- Reason ------------------- incompatible with current PostgreSQL versions ---------------------------------------------- ========================================================================= ========================================================================= [Date: Sat, 22 Jul 2017 09:49:55 +0000] [ftpmaster: Archive Administrator] Removed the following packages from oldstable: lshell | 0.9.16-1 | source, all Closed bugs: 864520 ------------------- Reason ------------------- security issues ---------------------------------------------- ========================================================================= ========================================================================= [Date: Sat, 22 Jul 2017 09:50:18 +0000] [ftpmaster: Archive Administrator] Removed the following packages from oldstable: rant | 0.5.8-8 | source, all Closed bugs: 865383 ------------------- Reason ------------------- broken ---------------------------------------------- ========================================================================= ========================================================================= [Date: Sat, 22 Jul 2017 09:50:44 +0000] [ftpmaster: Archive Administrator] Removed the following packages from oldstable: django-authority | 0.5-2 | source python-django-authority | 0.5-2 | all Closed bugs: 865385 ------------------- Reason ------------------- incompatible with Django 1.7 ---------------------------------------------- ========================================================================= 3dchess (0.8.1-18+deb8u1) jessie; urgency=medium . * Team upload. * Add wasteful-CPU-consumption.patch. The game always consumed 100 % CPU resources due to a missing sleep call in its main loop. (Closes: #866378) apache2 (2.4.10-10+deb8u9) jessie-security; urgency=medium . * CVE-2017-3167: Authentication bypass with ap_get_basic_auth_pw() * CVE-2017-3169: mod_ssl NULL pointer dereference * CVE-2017-7668: Buffer overrun in ap_find_token() * CVE-2017-7679: mod_mime buffer overread apt-cacher (1.7.10+deb8u2) jessie; urgency=medium . * Backport of fix for #786661: ensure /var/run/apt-cacher is created in inetd mode. apt-cacher (1.7.10+deb8u1) jessie; urgency=medium . * Prevent HTTP response splitting with encoded newlines in request. Backport of fix for #858739. base-files (8+deb8u9) oldstable; urgency=low . * Changed /etc/debian_version to 8.9, for Debian 8.9 point release. * Distribution is now oldstable instead of stable. bind9 (1:9.9.5.dfsg-9+deb8u12) jessie-security; urgency=high . * Non-maintainer upload by the Security Team. * Add patch to fix CVE-2017-3042 and CVE-2017-3043 CVE-2017-3042: error in TSIG authentication can permit unauthorized zone transfers. An attacker may be able to circumvent TSIG authentication of AXFR and Notify requests. CVE-2017-3043: error in TSIG authentication can permit unauthorized dynamic updates. An attacker may be able to forge a valid TSIG or SIG(0) signature for a dynamic update. bind9 (1:9.9.5.dfsg-9+deb8u11) jessie-security; urgency=high . * Non-maintainer upload by the Security Team. * Dns64 with "break-dnssec yes;" can result in a assertion failure. (CVE-2017-3136) (Closes: #860224) * Prerequisite for CVE-2017-3137 cherry-picked from upstream change #4190. If not cherry-picking this change the fix for CVE-2017-3137 can cause an assertion failure to appear in name.c. * Some chaining (CNAME or DNAME) responses to upstream queries could trigger assertion failures (CVE-2017-3137) (Closes: #860225) * Reimplement: Some chaining (CNAME or DNAME) responses to upstream queries could trigger assertion failures. (CVE-2017-3137) * Fix regression introduced when handling CNAME to referral below the current domain * 'rndc ""' could trigger a assertion failure in named. (CVE-2017-3138) (Closes: #860226) bitlbee (3.2.2-2+deb8u1) jessie-security; urgency=high . * Non-maintainer upload by the Security Team * Patches issues about remote DoS and potential arbitrary code execution (Closes: CVE-2016-10188, CVE-2016-10189) boinc (7.4.23+dfsg-1+deb8u1) jessie; urgency=medium . [ Tom Downes ] * Try both oom_score_adj and oom_adj when adjusting the OOM score (Closes: #843663). . [ Mike Brennan ] * Fix xhost syntax. (Closes: #841665) - the xhost permissions syntax requires a "localuser" keyword for locally specified users. boinc (7.4.23+dfsg-1exp3) experimental; urgency=medium . [ Nelson A. de Oliveira ] * Fix wrong chown binary path (Closes: #768429). boinc (7.4.23+dfsg-1exp2) experimental; urgency=medium . * Fix other dependencies on dbg packages. * Reorder debian patches, drop useless and old ones. * Add pre-depends on shared multiarch packages. * Add service file, tweaked from the fedora one. boinc (7.4.23+dfsg-1exp1) experimental; urgency=medium . * Upload to experimental, with the boinc-server-* packages. c-ares (1.10.0-2+deb8u2) jessie; urgency=medium . * Add patch for CVE-2017-1000381 (Closes: #865360) cfitsio (3.370-2+deb8u1) jessie; urgency=medium . * Add patches/09-memcpy-overlap.diff to use memmove instead of memcpy where memory area might overlap (closes: #800819). chkrootkit (0.50-3.2~deb8u1) jessie; urgency=medium . * Non-maintainer upload. * Rebuild for jessie. chkrootkit (0.50-3.1) unstable; urgency=medium . * Non-maintainer upload. * Add missing dependency on openssh-client. Closes: #785322 * Add Built-Using field to track the source package required to rebuild the statically linked binary. Closes: #769353 cqrlog (1.8.2-1.1+deb8u1) jessie; urgency=medium . * Non-maintainer upload. * tools/cqrlog-apparmor-fix, debian/postrm: Check for /etc/init.d/apparmor before restarting apparmor. (Closes: #864549) debconf (1.5.56+deb8u1) jessie; urgency=medium . [ Niko Tyni ] * Use File::Temp instead of the deprecated POSIX::tmpnam() in Debconf::TmpFile (closes: #863071). debian-archive-keyring (2017.5~deb8u1) jessie; urgency=medium . * Team upload. * Update jessie with 2017.5, closes: #860831, 860830, 863303 debian-installer-netboot-images (20150422+deb8u4.b4) jessie; urgency=medium . * Update to 20150422+deb8u4+b4 images, from jessie-proposed-updates debian-security-support (2017.06.02~deb8u1) jessie; urgency=medium . * Rebuild for jessie. debian-security-support (2017.01.03) unstable; urgency=medium . * Add Teeworlds to security-support-ended.deb7 because games are not * In the test suite, don't use dates past 2038, some archs cannot handle it. Closes: #849650 . debian-security-support (2016.05.30~7) UNRELEASED; urgency=medium . * Team upload . [ Santiago Ruano Rincón ] * Unify msgstrs in check-support-status.in and in debconf templates to avoid duplicated translations. * New po/{Makefile,PACKAGE,POTFILES} files taken from libintl-perl. - debian/rules: clean and install translation files using po/Makefile. * Enable updating po debconf templates during build time: - debian/control: add Build-Depends on po-debconf. - debian/rules: dh_clean: run debconf-updatepo. * Bump Standards-Version: 3.9.8. * Update Italian debconf templates translation. Thanks to Beatrice Torracca (Closes: #825726) * Update Japanese debconf template translation (Closes: #826640) * Avoiding printing blanck lines when there is nothing to report and no --type is specified. (Closes: #819275) . [ Markus Koschany ] * Mark trn as unsupported in Wheezy LTS . [ Salvatore Bonaccorso ] * Update Dutch debconf templates translation. Thanks to Frans Spiesschaert (Closes: #832277) . [ Chris Lamb ] * Add inspircd to unsupported in wheezy. * Add matrixssl to unsupported in Debian 7.0/wheezy. . [ Salvatore Bonaccorso ] * Drop pidgin from packages list with limited security support. Thanks to Raphaël Hertzog (Closes: #838906) * Mark virtualbox as end-of-life for Debian 8 (Jessie) (Closes: #842051) debian-security-support (2016.05.24) unstable; urgency=medium . * Team upload. . [ Santiago Ruano Rincón ] * check-support-status.hook, debian-security-support.postinst: only invoke --type earlyend when running a version that supports it, i.e. >= 2016.03.30. * check-support-status.hook: Make sure to run check-support-status from an accessibe directory. Thanks to Raphaël Hertzog (Closes: #824081). * Include missing earlyend debconf template. * Update Spanish debconf template translation. * Update French debconf template translation. * Mark as not supported in Wheezy LTS: - libv8 - mediawiki (also not supported in Jessie) - vlc * Update Danish debconf templates translation. Thanks to Joe Dalton (Closes: #824467) * Update Telugu debconf templates translation. Thanks to Praveen Illa (Closes: #824638) * Update Polish debconf templates translation. Thanks to Łukasz Dulny (Closes: #824245) * Update Portuguese debconf template translations. Thanks to Américo Monteiro (Closes: #824145) * Updated German debconf template translation. Thanks to Chris Leick (Closes: #824488) * Update Brazilian Portuguese debconf templates translation. Thanks to Adriano Rafael Gomes (Closes: #824643) debootstrap (1.0.67+deb8u1) jessie; urgency=medium . * Add support for buster and bullseye. deluge (1.3.10-3+deb8u1) jessie-security; urgency=medium . * CVE-2017-7178 / new directory traversal (currently CVE-less) dropbear (2014.65-1+deb8u2) stable-security; urgency=high . * Backport security fixes from 2017.75 (closes: #862970): - Fix double-free in server TCP listener cleanup A double-free in the server could be triggered by an authenticated user if dropbear is running with -a (Allow connections to forwarded ports from any host) This could potentially allow arbitrary code execution as root by an authenticated user. - Fix information disclosure with ~/.ssh/authorized_keys symlink. Dropbear parsed authorized_keys as root, even if it were a symlink. The fix is to switch to user permissions when opening authorized_keys A user could symlink their ~/.ssh/authorized_keys to a root-owned file they couldn't normally read. If they managed to get that file to contain valid authorized_keys with command= options it might be possible to read other contents of that file. This information disclosure is to an already authenticated user. drupal7 (7.32-1+deb8u9) jessie-security; urgency=high . * Backported from 7.41: SA-CORE-2015-004: Open redirect (CVE-2015- 7943) * Backported from 7.56: SA-CORE-2017-003: Files uploaded by anonymous users into a private file system can be accessed by other anonymous users. (CVE-2017-6922) (Closes: #865498) * Updated patches noting the CVE IDs they address (many were sent out before a CVE was assigned) eterm (0.9.6-1+deb8u1) jessie; urgency=medium . * QA upload. * Apply patch from Arnaud Ceyrolle to fix problems when starting or stopping the shell caused by an integer overflow. (Closes: #770369) ettercap (1:0.8.1-3+deb8u1) jessie-security; urgency=medium . * SECURITY UPDATE: * debian/patches/626dc56686f15f2dda13c48f78c2a666cb6d8506.patch: - upstream fix fox CVE-2017-6430 (Closes: #857035) (crash fix when a corrupted filter is used) * debian/patches/803.patch: - fix buffer overflow/underflow with bad filters (Closes: #861604). CVE-2017-8366 (Buffer overflow/underflow issue) - CVE-2017-6430 - CVE-2017-8366 evince (3.14.1-2+deb8u2) jessie-security; urgency=medium . * CVE-2017-1000083 exim4 (4.84.2-2+deb8u4) jessie-security; urgency=medium . * CVE-2017-1000369 expat (2.1.0-6+deb8u4) jessie-security; urgency=high . * Use upstream fix for the following vulnerabilities: - CVE-2017-9233, external entity infinite loop bug, - CVE-2016-9063, undefined behavior from signed integer overflow. flightgear (3.0.0-5+deb8u2) jessie; urgency=high . * Add patch restrict-save-flightplan-secu-fix-faf872.patch: prevent overriding arbitrary files from the "save-flightplan" FGCommand. Closes: #862689 (CVE-2017-8921). fop (1:1.1.dfsg2-1+deb8u1) jessie-security; urgency=high . * Team upload. * Fixed CVE-2017-5661: Information disclosure vulnerability (Closes: #860567) galternatives (0.13.5+nmu3+deb8u1) jessie; urgency=medium . * Adopt package, switch maintainer information. * Fix the bug which causes properties window blank. Closes: #325172 git (1:2.1.4-2.1+deb8u3) jessie-security; urgency=high . * Do not allow git helpers run via git-shell to launch a pager (CVE-2017-8386). gitolite3 (3.6.1-2+deb8u2) jessie; urgency=medium . * Bug fix: "gitolite3 should depend on openssh-client", thanks to Keller Fuchs (Closes: #834153). glibc (2.19-18+deb8u10) jessie-security; urgency=medium . * debian/patches/any/local-CVE-2017-1000366-rtld-LD_AUDIT.diff, debian/patches/any/local-CVE-2017-1000366-rtld-LD_LIBRARY_PATH.diff, debian/patches/any/local-CVE-2017-1000366-rtld-LD_PRELOAD.diff: add patches to protect the dynamic linker against stack clashes (CVE-2017-1000366). * debian/patches/any/cvs-hwcap-AT_SECURE.diff: patch backported from upstream to disable HWCAP for AT_SECURE programs. gnats (4.1.0-3+deb8u1) jessie; urgency=medium . * QA upload. * gnats-user.postrm: Do not fail to purge if /var/lib/gnats/gnats-db is not empty. (Closes: #661015) gnutls28 (3.3.8-6+deb8u7) jessie; urgency=medium . * 57_urandom-use-st_ino-and-st_rdev-to-determine-device-u.patch from upstream gnutls_3_3_x branch: Improve check for /dev/urandom uniqueness. Ensure that when gnutls_global_init() is called for a second time that /dev/urandom is re-opened when the inode or device ID has changed. Closes: #865297 gnutls28 (3.3.8-6+deb8u6) jessie-security; urgency=high . * 56_CVE-2017-7507_1-ext-status_request-ensure-response-IDs-are-pro.patch 56_CVE-2017-7507_2-ext-status_request-Removed-the-parsing-of-resp.patch 56_CVE-2017-7507_3-gnutls_ocsp_status_request_enable_client-docum.patch from upstream gnutls_3_3_x branch: Fix crash upon receiving well-formed status_request extension. GNUTLS-SA-2017-4/CVE-2017-7507 Closes: #864560 graphite2 (1.3.10-1~deb8u1) jessie-security; urgency=high . * rebuild for jessie-security * revert ddeb-migration * revert s/asciidoc, dblatex/asciidoc-dblatex/ in Build-Depends-Indep graphite2 (1.3.9-4) unstable; urgency=medium . * add -ffloat-store to COMPILE_FLAGS; enable awami tests again graphite2 (1.3.9-3) unstable; urgency=medium . * s/asciidoc, dblatex/asciidoc-dblatex/ in Build-Depends-Indep (closes: #850995) graphite2 (1.3.9-2) unstable; urgency=medium . * [30ae987] disable awami tests, rounding errors (suggested by upstream) graphite2 (1.3.9-1) unstable; urgency=medium . * [5ca6f6e] Imported Upstream version 1.3.9 graphite2 (1.3.8-1) unstable; urgency=medium . * New upstream release graphite2 (1.3.7-1) unstable; urgency=medium . * New upstream release . * add debian/watch, update debian/copyright to point to github * add Homepage: (http://graphite.sil.org/) graphite2 (1.3.6-1) unstable; urgency=medium . * New upstream release gtk+2.0 (2.24.25-3+deb8u2) jessie; urgency=medium . * Non-maintainer upload. * debian/patches/100-GtkMenuShell-always-activate-menu-shells.patch: + Backport patch from GTK+3 to fix stuck grabs in some situations. Thanks Colomban Wendling. Closes: #847438. heimdal (1.6~rc2+dfsg-9+deb8u1) jessie-security; urgency=high . * Non-maintainer upload by the Security Team. * CVE-2017-11103: Orpheus' Lyre KDC-REP service name validation (Closes: #868208) imagemagick (8:6.8.9.9-5+deb8u9) jessie-security; urgency=high . * Security fixes various: + CVE-2017-7606: Undefined behavior in rle (Closes: #859771). + CVE-2017-7619: Infinite loop due to rounding error (Closes: #859769). + CVE-2017-7941 memory leak in sgi (Closes: #860734). + CVE-2017-7943 memory leak in svg (Closes: #860736). * Security fixes DOS: + Fix CVE-2017-8343: The ReadAAIImage function in aai.c allows attackers to cause a denial of service (memory leak) via a crafted file. (Closes: #862572). + Fix CVE-2017-8344: Fix DOS in PCX file coders. (Closes: #862574). + Fix CVE-2017-8345: The ReadMNGImage function in png.c allows attackers to cause a denial of service (memory leak) via a crafted file. (Closes: #862573) + Fix CVE-2017-8346: The ReadDCMImage function in dcm.c allows attackers to cause a denial of service (memory leak) via a crafted file. (Closes: #862575). + Fix CVE-2017-8347: Fix DOS in EXR file coders. (Closes: #862577). + Fix CVE-2017-8348: Fix DOS in MAT file coders. (Closes: #862578). + Fix CVE-2017-8349: Fix DOS in SWF file coders. (Closes: #862579). + Fix CVE-2017-8350: Fix DOS in png file coders. (Closes: #862587). + Fix CVE-2017-8351: Fix DOS in pcd file coders. (Closes: #862589). + Fix CVE-2017-8352: Fix DOS in xwd file coders. (Closes: #862590). + Fix CVE-2017-8353: Fix DOS in pict file coders. (Closes: #862632). + Fix CVE-2017-8354: Fix DOS in bmp file coders. (Closes: #862633). + Fix CVE-2017-8355: Fix DOS in mtv file coders. (Closes: #862634). + Fix CVE-2017-8356: Fix DOS in sun file coders. (Closes: #862635). + Fix CVE-2017-8357: Fix DOS in ept file coders. (Closes: #862636). + Fix CVE-2017-8765: Fix DOS in icon file coders. (Closes: #862653). + Fix CVE-2017-8830: Fix DOS in bmp file coders. (Closes: #862637). * Security fixes assertion failure and memory leaks: + Check for EOF conditions for RLE image format. (Closes: #863126). Fix CVE-2017-9144. + A crafted file revealed an assertion failure in blob.c. (Closes: #863125). Fix CVE-2017-9142. + A crafted file revealed an assertion failure in profile.c. (Closes: #863124). Fix CVE-2017-9142. + Specially crafted arts file could lead to memory leak. (Closes: #863123). Fix CVE-2017-9143. * Fix an information leak due to the use of uninitialized memory in RLE decoder. (Closes: #862967). Fix CVE-2017-9098. * Fix a regression in memory allocation due to a previous security fix. (Closes: #859772). * Change my mail adress to the debian one. init-select (1.20140921+deb8u1) jessie; urgency=medium . * Non-maintainer upload. * /etc/default/grub.d/init-select.cfg: Check for /usr/lib/init-select/get-init before calling it. The package may have been removed, but not purged. (Closes: #858528) intel-microcode (3.20170707.1~deb8u1) jessie; urgency=high . * Upload to jessie (no changes) . intel-microcode (3.20170707.1) unstable; urgency=high . * New upstream microcode datafile 20170707 + New Microcodes: sig 0x00050654, pf_mask 0x97, 2017-06-01, rev 0x2000022, size 25600 sig 0x000806e9, pf_mask 0xc0, 2017-04-27, rev 0x0062, size 97280 sig 0x000806ea, pf_mask 0xc0, 2017-05-23, rev 0x0066, size 95232 sig 0x000906e9, pf_mask 0x2a, 2017-04-06, rev 0x005e, size 97280 + This release fixes the nightmare-level errata SKZ7/SKW144/SKL150/ SKX150 (Skylake) KBL095/KBW095 (Kaby Lake) for all affected Kaby Lake and Skylake processors: Skylake D0/R0 were fixed since the previous upstream release (20170511). This new release adds the fixes for Kaby Lake Y0/B0/H0 and Skylake H0 (Skylake-E/X). + Fix undisclosed errata in Skylake H0 (0x50654), Kaby Lake Y0 (0x806ea), Kaby Lake H0 (0x806e9), Kaby Lake B0 (0x906e9) * source: remove unneeded intel-ucode/ directory * source: remove superseded upstream data file: 20170511 . intel-microcode (3.20170511.1) unstable; urgency=medium . * New upstream microcode datafile 20170511 + Updated Microcodes: sig 0x000306c3, pf_mask 0x32, 2017-01-27, rev 0x0022, size 22528 sig 0x000306d4, pf_mask 0xc0, 2017-01-27, rev 0x0025, size 17408 sig 0x000306f2, pf_mask 0x6f, 2017-01-30, rev 0x003a, size 32768 sig 0x000306f4, pf_mask 0x80, 2017-01-30, rev 0x000f, size 16384 sig 0x00040651, pf_mask 0x72, 2017-01-27, rev 0x0020, size 20480 sig 0x00040661, pf_mask 0x32, 2017-01-27, rev 0x0017, size 24576 sig 0x00040671, pf_mask 0x22, 2017-01-27, rev 0x0017, size 11264 sig 0x000406e3, pf_mask 0xc0, 2017-04-09, rev 0x00ba, size 98304 sig 0x000406f1, pf_mask 0xef, 2017-03-01, rev 0xb000021, size 26624 sig 0x000506e3, pf_mask 0x36, 2017-04-09, rev 0x00ba, size 98304 + This release fixes undisclosed errata on the desktop, mobile and server processor models from the Haswell, Broadwell, and Skylake families, including even the high-end multi-socket server Xeons + Likely fix the TSC-Deadline LAPIC errata (BDF89, SKL142 and similar) on several processor families + Fix erratum BDF90 on Xeon E7v4, E5v4(?) (closes: #862606) + Likely fix serious or critical Skylake errata: SKL138/144, SKL137/145, SLK149 * Likely fix nightmare-level Skylake erratum SKL150. Fortunately, either this erratum is very-low-hitting, or gcc/clang/icc/msvc won't usually issue the affected opcode pattern and it ends up being rare. SKL150 - Short loops using both the AH/BH/CH/DH registers and the corresponding wide register *may* result in unpredictable system behavior. Requires both logical processors of the same core (i.e. sibling hyperthreads) to be active to trigger, as well as a "complex set of micro-architectural conditions" * source: remove unneeded intel-ucode/ directory Since release 20170511, upstream ships the microcodes both in .dat format, and as Linux-style split /lib/firmware/intel-ucode files. It is simpler to just use the .dat format file for now, so remove the intel-ucode/ directory. Note: before removal, it was verified that there were no discrepancies between the two microcode sets (.dat and intel-ucode/) * source: remove superseded upstream data file: 20161104 intel-microcode (3.20170707.1~bpo9+1) stretch-backports; urgency=high . * Rebuild for stretch-backports (no changes) . intel-microcode (3.20170707.1) unstable; urgency=high . * New upstream microcode datafile 20170707 + New Microcodes: sig 0x00050654, pf_mask 0x97, 2017-06-01, rev 0x2000022, size 25600 sig 0x000806e9, pf_mask 0xc0, 2017-04-27, rev 0x0062, size 97280 sig 0x000806ea, pf_mask 0xc0, 2017-05-23, rev 0x0066, size 95232 sig 0x000906e9, pf_mask 0x2a, 2017-04-06, rev 0x005e, size 97280 + This release fixes the nightmare-level errata SKZ7/SKW144/SKL150/ SKX150 (Skylake) KBL095/KBW095 (Kaby Lake) for all affected Kaby Lake and Skylake processors: Skylake D0/R0 were fixed since the previous upstream release (20170511). This new release adds the fixes for Kaby Lake Y0/B0/H0 and Skylake H0 (Skylake-E/X). + Fix undisclosed errata in Skylake H0 (0x50654), Kaby Lake Y0 (0x806ea), Kaby Lake H0 (0x806e9), Kaby Lake B0 (0x906e9) * source: remove unneeded intel-ucode/ directory * source: remove superseded upstream data file: 20170511 intel-microcode (3.20170707.1~bpo8+1) jessie-backports-sloppy; urgency=medium . * Rebuild for jessie-backports-sloppy (no changes). . intel-microcode (3.20170707.1) unstable; urgency=high . * New upstream microcode datafile 20170707 + New Microcodes: sig 0x00050654, pf_mask 0x97, 2017-06-01, rev 0x2000022, size 25600 sig 0x000806e9, pf_mask 0xc0, 2017-04-27, rev 0x0062, size 97280 sig 0x000806ea, pf_mask 0xc0, 2017-05-23, rev 0x0066, size 95232 sig 0x000906e9, pf_mask 0x2a, 2017-04-06, rev 0x005e, size 97280 + This release fixes the nightmare-level errata SKZ7/SKW144/SKL150/ SKX150 (Skylake) KBL095/KBW095 (Kaby Lake) for all affected Kaby Lake and Skylake processors: Skylake D0/R0 were fixed since the previous upstream release (20170511). This new release adds the fixes for Kaby Lake Y0/B0/H0 and Skylake H0 (Skylake-E/X). + Fix undisclosed errata in Skylake H0 (0x50654), Kaby Lake Y0 (0x806ea), Kaby Lake H0 (0x806e9), Kaby Lake B0 (0x906e9) * source: remove unneeded intel-ucode/ directory * source: remove superseded upstream data file: 20170511 intel-microcode (3.20170511.1) unstable; urgency=medium . * New upstream microcode datafile 20170511 + Updated Microcodes: sig 0x000306c3, pf_mask 0x32, 2017-01-27, rev 0x0022, size 22528 sig 0x000306d4, pf_mask 0xc0, 2017-01-27, rev 0x0025, size 17408 sig 0x000306f2, pf_mask 0x6f, 2017-01-30, rev 0x003a, size 32768 sig 0x000306f4, pf_mask 0x80, 2017-01-30, rev 0x000f, size 16384 sig 0x00040651, pf_mask 0x72, 2017-01-27, rev 0x0020, size 20480 sig 0x00040661, pf_mask 0x32, 2017-01-27, rev 0x0017, size 24576 sig 0x00040671, pf_mask 0x22, 2017-01-27, rev 0x0017, size 11264 sig 0x000406e3, pf_mask 0xc0, 2017-04-09, rev 0x00ba, size 98304 sig 0x000406f1, pf_mask 0xef, 2017-03-01, rev 0xb000021, size 26624 sig 0x000506e3, pf_mask 0x36, 2017-04-09, rev 0x00ba, size 98304 + This release fixes undisclosed errata on the desktop, mobile and server processor models from the Haswell, Broadwell, and Skylake families, including even the high-end multi-socket server Xeons + Likely fix the TSC-Deadline LAPIC errata (BDF89, SKL142 and similar) on several processor families + Fix erratum BDF90 on Xeon E7v4, E5v4(?) (closes: #862606) + Likely fix serious or critical Skylake errata: SKL138/144, SKL137/145, SLK149 * Likely fix nightmare-level Skylake erratum SKL150. Fortunately, either this erratum is very-low-hitting, or gcc/clang/icc/msvc won't usually issue the affected opcode pattern and it ends up being rare. SKL150 - Short loops using both the AH/BH/CH/DH registers and the corresponding wide register *may* result in unpredictable system behavior. Requires both logical processors of the same core (i.e. sibling hyperthreads) to be active to trigger, as well as a "complex set of micro-architectural conditions" * source: remove unneeded intel-ucode/ directory Since release 20170511, upstream ships the microcodes both in .dat format, and as Linux-style split /lib/firmware/intel-ucode files. It is simpler to just use the .dat format file for now, so remove the intel-ucode/ directory. Note: before removal, it was verified that there were no discrepancies between the two microcode sets (.dat and intel-ucode/) * source: remove superseded upstream data file: 20161104 intel-microcode (3.20170511.1~bpo8+1) jessie-backports; urgency=medium . * Rebuild for jessie-backports (no changes) . intel-microcode (3.20170511.1) unstable; urgency=medium . * New upstream microcode datafile 20170511 + Updated Microcodes: sig 0x000306c3, pf_mask 0x32, 2017-01-27, rev 0x0022, size 22528 sig 0x000306d4, pf_mask 0xc0, 2017-01-27, rev 0x0025, size 17408 sig 0x000306f2, pf_mask 0x6f, 2017-01-30, rev 0x003a, size 32768 sig 0x000306f4, pf_mask 0x80, 2017-01-30, rev 0x000f, size 16384 sig 0x00040651, pf_mask 0x72, 2017-01-27, rev 0x0020, size 20480 sig 0x00040661, pf_mask 0x32, 2017-01-27, rev 0x0017, size 24576 sig 0x00040671, pf_mask 0x22, 2017-01-27, rev 0x0017, size 11264 sig 0x000406e3, pf_mask 0xc0, 2017-04-09, rev 0x00ba, size 98304 sig 0x000406f1, pf_mask 0xef, 2017-03-01, rev 0xb000021, size 26624 sig 0x000506e3, pf_mask 0x36, 2017-04-09, rev 0x00ba, size 98304 + This release fixes undisclosed errata on the desktop, mobile and server processor models from the Haswell, Broadwell, and Skylake families, including even the high-end multi-socket server Xeons + Likely fix the TSC-Deadline LAPIC errata (BDF89, SKL142 and similar) on several processor families + Fix erratum BDF90 on Xeon E7v4, E5v4(?) (closes: #862606) + Likely fix serious or critical Skylake errata: SKL138/144, SKL137/145, SLK149 * Likely fix nightmare-level Skylake erratum SKL150. Fortunately, either this erratum is very-low-hitting, or gcc/clang/icc/msvc won't usually issue the affected opcode pattern and it ends up being rare. SKL150 - Short loops using both the AH/BH/CH/DH registers and the corresponding wide register *may* result in unpredictable system behavior. Requires both logical processors of the same core (i.e. sibling hyperthreads) to be active to trigger, as well as a "complex set of micro-architectural conditions" * source: remove unneeded intel-ucode/ directory Since release 20170511, upstream ships the microcodes both in .dat format, and as Linux-style split /lib/firmware/intel-ucode files. It is simpler to just use the .dat format file for now, so remove the intel-ucode/ directory. Note: before removal, it was verified that there were no discrepancies between the two microcode sets (.dat and intel-ucode/) * source: remove superseded upstream data file: 20161104 intel-microcode (3.20161104.1) unstable; urgency=medium . * New upstream microcode datafile 20161104 + New Microcodes: sig 0x00050663, pf_mask 0x10, 2016-10-12, rev 0x700000d, size 20480 sig 0x00050664, pf_mask 0x10, 2016-06-02, rev 0xf00000a, size 21504 + Updated Microcodes: sig 0x000306f2, pf_mask 0x6f, 2016-10-07, rev 0x0039, size 32768 sig 0x000406f1, pf_mask 0xef, 2016-10-07, rev 0xb00001f, size 25600 + Removed Microcodes: sig 0x000106e4, pf_mask 0x09, 2013-07-01, rev 0x0003, size 6144 + This update fixes critical errata on Broadwell-DE V2/Y0 (Xeon D-1500 family), including one that can crash VMWare ESXi 6 with #PF (VMWare KB2146388), and could affect Linux as well. This same issue was fixed for the E5v4 Xeons in release 20160607 + This update fixes undisclosed (and likely critical) errata on Broadwell-E Core i7-68xxK/69xxK/6950X, Broadwell-EP/EX B0/R0/M0 Xeon E5v4 and Xeon E7v4, and Haswell-EP Xeon E5v3 + This release deletes the microcode update for the Jasper Forest embedded Xeons (Xeon EC35xx/LC35xx/EC35xx/LC55xx), for undisclosed reasons. The deleted microcode is outdated when compared with the updates for the other Nehalem Xeons * Makefile: always exclude microcode sig 0x206c2 just in case Intel is quite clear in the Intel SA-00030 advisory text that recent revisions (0x14 and later?) of the 0x206c2 microcode updates must be installed along with updated SINIT ACM on vPro systems (i.e. through an UEFI/BIOS firmware update). This is a defensive change so that we don't ship such a microcode update in the future by mistake * source: remove partially superseded upstream data file: 20160714 * source: remove superseded upstream data file: 20101123 * changelog: replace "pf mask" with "pf_mask" * control, compat: switch debhelper compatibility level to 9 * control: bump standards-version, no changes required irssi (0.8.17-1+deb8u4) jessie-security; urgency=high . * Non-maintainer upload by the Security Team. * Fix dcc_request where addr is NULL (CVE-2017-9468) (Closes: #864400) * Fix oob read of one byte in get_file_params_count{,_resume} (CVE-2017-9469) (Closes: #864400) jbig2dec (0.13-4~deb8u2) jessie-security; urgency=high . * Non-maintainer upload by the Security Team. * Prevent integer overflow vulnerability (CVE-2017-7885) (Closes: #860460) * Prevent SEGV due to integer overflow (CVE-2017-7975) (Closes: #860788) * Bounds check before reading from image source data (CVE-2017-7976) (Closes: #860787) jython (2.5.3-3+deb8u1) jessie-security; urgency=high . * Team upload. * Fix CVE-2016-4000: (Closes: #864859) Unsafe deserialization may lead to arbitrary code execution. kde4libs (4:4.14.2-5+deb8u2) jessie-security; urgency=high . * Non-maintainer upload by the Security Team. * Sanitize URLs before passing them to FindProxyForURL (CVE-2017-6410) (Closes: #856890) * Verify that whoever is calling us is actually who he says he is (CVE-2017-8422) knot (1.6.0-1+deb8u1) jessie-security; urgency=high . * Non-maintainer upload by the Security Team. * debian/patches: - 0001-tsig-move-signature-validity-period-check-after-the- added, fix TSIG signature validation bypass (CVE-2017-11104) closes: #865678 libapache2-mod-perl2 (2.0.9~1624218-2+deb8u2) jessie; urgency=medium . * Patch the test suite for apache2_2.4.10-10+deb8u8 compatibility. (Closes: #864316) libcgi-application-plugin-anytemplate-perl (0.18-1+deb8u1) jessie; urgency=medium . * Add missing dependency on libclone-perl | libclone-pp-perl. (Closes: #788008) libclamunrar (0.99-0+deb8u3) jessie; urgency=medium . * Team upload. . [ Sebastian Andrzej Siewior ] * Cherry pick fix for arbitrary memory write. CVE-2012-6706 (Closes: #867223). libdata-faker-perl (0.10-1+deb8u1) jessie; urgency=medium . * Set C locale for tests. Thanks to Chris Lamb for the bug report. (Closes: #808454) libdvdnav (5.0.1-1+deb8u1) jessie; urgency=medium . * debian/control: Uploader e-mail address updated * debian/patches/: new patchset started - 0001-dvdnav_get_position.patch added (Closes: #763279) libffi (3.1-2+deb8u1) jessie-security; urgency=high . * Non-maintainer upload by the Security Team. * debian/patches: - 01_add_missing_GNU_STACK_markings, fix requirement on an executable stack on x86_32 (CVE-2017-1000376) closes: #751907 * debian/rules: - enable pax_emutramp libgcrypt20 (1.6.3-2+deb8u4) jessie-security; urgency=high . * 22_CVE-2017-752*.patch from upstream 1.7.8 release: Mitigate a flush+reload side-channel attack on RSA secret keys dubbed "Sliding right into disaster". For details see . [CVE-2017-7526] libgcrypt20 (1.6.3-2+deb8u3) jessie-security; urgency=high . * Non-maintainer upload by the Security Team. * ecc: Store EdDSA session key in secure memory (CVE-2017-9526) * secmem: Fix SEGV and stat calculation libhtml-microformats-perl (0.105-2+deb8u1) jessie; urgency=medium . * Add buildtime and runtime dependency on libmodule-pluggable-perl. (Closes: #783656) libhttp-proxy-perl (0.301-1+deb8u1) jessie; urgency=medium . * Add patch to fix broken custom 'via' handling. (Patch taken from upstream release 0.304.) (Closes: #788350) libmwaw (0.3.1-2+deb8u1) jessie-security; urgency=medium . * backport upstream patch to fix CVE-2017-9433 (closes: #864366) libonig (5.9.5-3.2+deb8u1) jessie; urgency=medium . * New debian/patches/0500-CVE-2017-922[4-9].patch: - Cherrypicked from upstream to correct: + CVE-2017-9224 (Closes: #863312) + CVE-2017-9226 (Closes: #863314) + CVE-2017-9227 (Closes: #863315) + CVE-2017-9228 (Closes: #863316) + CVE-2017-9229 (Closes: #863318) libosinfo (0.2.11-1.1+deb8u1) jessie; urgency=medium . * [4b4388e] Add Debian Jessie and Stretch * [335f18d] Adjust gbp.conf for Debian Jessie libosip2 (4.1.0-2+deb8u1) jessie-security; urgency=medium . * CVE-2016-10324 CVE-2016-10325 CVE-2016-10326 CVE-2017-7853 libsys-syscall-perl (0.25-2+deb8u1) jessie; urgency=medium . * Add patches (from -3, -4, and -6) to support more architectures. aarch64.patch, hppa.patch, mips.patch, ppc64le.patch, s390x.patch. (Closes: #824843, #824936, #826136) libtasn1-6 (4.2-3+deb8u3) jessie-security; urgency=high . * Non-maintainer upload by the Wheezy LTS Team. * CVE-2017-6891 (Closes: #863186) two errors in the "asn1_find_node()" function (lib/parser_aux.c) can be exploited to cause a stacked-based buffer overflow. libterralib (4.3.0+dfsg.1-2+deb8u1) jessie; urgency=medium . * Non-maintainer upload. * Remove superfluous Conflicts/Replaces: libterralib3 since that causes problems upgrading to stretch which has that package. (Closes: #863885) libtirpc (0.2.5-1+deb8u1) jessie-security; urgency=medium . * CVE-2017-8779 libx11-protocol-other-perl (28-1+deb8u1) jessie; urgency=medium . * Disable t/XSetRoot.t during build and autopkgtest. This test is known to have problems with xvfb. Thanks to Santiago Vila for the bug report. (Closes: #848060) libxstream-java (1.4.7-2+deb8u2) jessie-security; urgency=high . * Fixed CVE-2017-7957: Attempts to create an instance of the primitive type 'void' during unmarshalling lead to a remote application crash. (Closes: #861521) libytnef (1.5-6+deb8u1) jessie-security; urgency=high . * Security upload. * Fixes for the following vulnerabilities: [CVE-2017-6298] Null pointer dereference [CVE-2017-6299] Infinite loop / DoS in TNEFFillMapi function [CVE-2017-6300] Buffer overflow [CVE-2017-6301] Out of bounds read [CVE-2017-6302] Integer overflow [CVE-2017-6303] Invalid write and integer overflow [CVE-2017-6304] Out of bounds read [CVE-2017-6305] Out of bounds read and write [CVE-2017-6306] Directory traversal in SanitizeFilename function [CVE-2017-6800] Invalid memory access (heap overrun) in handling LONG data types [CVE-2017-6801] Missing check for fields of size 0 [CVE-2017-6802] Potential buffer overrun in compressed RTF streams linux (3.16.43-2+deb8u2) jessie-security; urgency=high . * Revert previous fixes for CVE-2017-1000364 (Closes: #865303) * mm: larger stack guard gap, between vmas (CVE-2017-1000364) * mm: fix new crash in unmapped_area_topdown() linux (3.16.43-2+deb8u1) jessie-security; urgency=high . [ Ben Hutchings ] * tracing: Use strlcpy() instead of strcpy() in __trace_find_cmdline() (CVE-2017-0605) * ipx: call ipxitf_put() in ioctl error path (CVE-2017-7487) * nfsd: check for oversized NFSv2/v3 arguments (CVE-2017-7645) * nfsd4: minor NFSv2/v3 write decoding cleanup * nfsd: stricter decoding of write-like NFSv2/v3 ops (CVE-2017-7895) * media: dvb-usb-v2: avoid use-after-free (CVE-2017-8064) * dccp/tcp: do not inherit mc_list from parent (CVE-2017-8890) * USB: serial: io_ti: fix information leak in completion handler (CVE-2017-8924) * USB: serial: omninet: fix reference leaks at open (CVE-2017-8925) * ipv6: Prevent overrun when parsing v6 header options (CVE-2017-9074) * ipv6: Check ip6_find_1stfragopt() return value properly. * ipv6: xfrm: Handle errors reported by xfrm6_find_1stfragopt() * ipv6: Fix leak in ipv6_gso_segment(). * sctp: do not inherit ipv6_{mc|ac|fl}_list from parent (CVE-2017-9075) * ipv6/dccp: do not inherit ipv6_mc_list from parent (CVE-2017-9076, CVE-2017-9077) * ipv6: fix out of bound writes in __ip6_append_data() (CVE-2017-9242) . [ Salvatore Bonaccorso ] * mm: enlarge stack guard gap (CVE-2017-1000364) * mm: allow to configure stack gap size * mm, proc: cap the stack gap for unpopulated growing vmas * mm: do not collapse stack gap into THP * fold me "mm: allow to configure stack gap size" lxterminal (0.2.0-1+deb8u1) jessie; urgency=high . * Fix improper use of /tmp for a socket file (CVE-2016-10369) (Closes: #862098) mosquitto (1.3.4-2+deb8u1) jessie-security; urgency=high . * SECURITY UPDATE: Pattern ACL can be bypassed by using a username/client id set to '+' or '#'. - debian/patches/mosquitto-1.3.4_cve-2017-7650.patch: Reject send/receive of messages to/from clients with a '+', '#' or '/' in their username/client id. - CVE-2017-7650 mysql-connector-java (5.1.42-1~deb8u1) jessie-security; urgency=medium . * Team upload. * Fix CVE-2017-3586 and CVE-2017-3589 by backporting the latest stable release. mysql-connector-java (5.1.41-1) unstable; urgency=medium . * Team upload. * New upstream release - Refreshed the patches mysql-connector-java (5.1.41-1~deb8u1) jessie-security; urgency=high . * Team upload. * Fix CVE-2017-3523 by backporting the latest stable release. Difficult to exploit vulnerability allowing low privileged attacker with network access via multiple protocols to compromise MySQL Connectors. mysql-connector-java (5.1.40-1) unstable; urgency=medium . * Team upload. * New upstream release - Refreshed the patches * Build with the DH sequencer instead of CDBS * Switch to debhelper level 10 mysql-connector-java (5.1.39-1) unstable; urgency=medium . * Team upload. * New upstream release - Refreshed the patches * Standards-Version updated to 3.9.8 (no changes) * Use a secure Vcs-Git URL netcfg (1.131+deb8u2) jessie; urgency=medium . * IPv6 autoconfiguration: fix NTP server name handling, which would be stored as the DHCP-provided hostname, with many thanks to Malcolm Scott for the bug report and the patch (Closes: #862745). * Stop queueing rdnssd's installation with IPv6 setups. This component conflicts with network-manager and installing it from the network configuration step might prevents large parts of desktop environments from being installed. This isn't a perfect solution but this should be way better than the current status quo (Closes: #854801). netcfg (1.131+deb8u1+kbsd8u1) jessie-kfreebsd; urgency=medium . * Run the ISC DHCPv6 client (only used on kfreebsd) with the -1 flag so that it eventually times out. Similar issue to #767188 but having a different cause, this is much more easily fixed. nss (2:3.26-1+debu8u2) jessie-security; urgency=medium . * CVE-2017-5461 CVE-2017-5462 CVE-2017-7502 offlineimap (6.3.4-1+deb8u1) jessie; urgency=medium . * Prevent the usage of maxage. The implementation of maxage is broken in this version of OfflineIMAP (v6.3.4) and may even result in data loss. Document the above behavior in the example conf file and also warn the user every time this feature is being used (Closes: #859478). * Set myself as the maintainer. Package has already been adopted in unstable. openldap (2.4.40+dfsg-1+deb8u3) jessie-security; urgency=high . * debian/patches/ITS-8655-paged-results-double-free.patch: Fix a double free in the MDB backend on a search including the Paged Results control with a page size of 0. (ITS#8655) (CVE-2017-9287) (Closes: #863563) openvpn (2.3.4-5+deb8u2) jessie-security; urgency=high . * SECURITY UPDATE: authenticated remote DoS vulnerability due to packet ID rollover. CVE-2017-7479. Kudos to Steve Beattie for doing all the backporting work for this patch. - debian/patches/CVE-2017-7479-prereq.patch: merge packet_id_alloc_outgoing() into packet_id_write() - debian/patches/CVE-2017-7479.patch: do not assert when packet ID rollover occurs * SECURITY UPDATE: (Closes: #865480) - CVE-2017-7508.patch. Fix remotely-triggerable ASSERT() on malformed IPv6 packet. - CVE-2017-7520.patch. Prevent two kinds of stack buffer OOB reads and a crash for invalid input data. - CVE-2017-7521.patch. Fix potential double-free in --x509-alt-username. - CVE-2017-7521bis.patch. Fix remote-triggerable memory leaks. os-prober (1.65+deb8u1) jessie; urgency=medium . * os-probes/mounted/x86/05efi: Fix check on ID_PART_ENTRY_SCHEME, to look for "dos" instead of "msdos" (Closes: #817023). * Add -a flag to grep -qs for Windows Vista detection. It appears the file isn't always considered as a text file, so this should be more robust. Thanks to Gianluigi Tiesi for the report and the suggestion (Closes: #791383). * Add support for Windows 10 (otherwise reported as Windows Recovery Environment). Thanks, Philipp Wolfer! (Closes: #801278). otrs2 (3.3.9-3+deb8u1) jessie-security; urgency=high . * Add patch 17-CVE-2017-9324: This fixes OSA-2017-03, also known as CVE-2017-9324: An attacker with agent permission is capable by opening a specific URL in a browser to gain administrative privileges / full access. Afterward, all system settings can be read and changed. Closes: #864319 partman-ext3 (84+deb8u1) jessie; urgency=low . [ Christian Perrier ] * Force ext3|ext4 filesystem creation with "-F" so that D-I doesn't "hang" when re-using an existing partition in some situations. Closes: #767682 perl (5.20.2-3+deb8u8) jessie; urgency=medium . * Apply upstream base.pm no-dot-in-inc fix (from 5.24.2-RC1) (Closes: #867170) perl (5.20.2-3+deb8u7) jessie-security; urgency=high . * [CVE-2017-6512] Fix file permissions race condition in File-Path; patch from John Lightsey (Closes: #863870) * Also fix test logic in ExtUtils-MakeMaker required for the above polarssl (1.3.9-2.1+deb8u2) jessie; urgency=high . * Fix CVE-2017-2784: Freeing of memory allocated on stack when validating a public key with a secp224k1 curve. (Closes: #857561) postgresql-9.4 (9.4.12-0+deb8u1) jessie-security; urgency=medium . * New upstream security release. + Restrict visibility of pg_user_mappings.umoptions, to protect passwords stored as user mapping options (CVE-2017-7486) + Prevent exposure of statistical information via leaky operators (CVE-2017-7484) + Restore libpq's recognition of the PGREQUIRESSL environment variable (CVE-2017-7485) postgresql-9.4 (9.4.12-0+deb8u1~bpo7+1) wheezy-backports; urgency=medium . * Rebuild for jessie-backports. . postgresql-9.4 (9.4.12-0+deb8u1) jessie-security; urgency=medium . * New upstream security release. + Restrict visibility of pg_user_mappings.umoptions, to protect passwords stored as user mapping options (CVE-2017-7486) + Prevent exposure of statistical information via leaky operators (CVE-2017-7484) + Restore libpq's recognition of the PGREQUIRESSL environment variable (CVE-2017-7485) . postgresql-9.4 (9.4.11-0+deb8u2) jessie; urgency=medium . * Paper over ULP regression test differences in the "point" test on 32-bit powerpc on Debian Jessie. The very same code worked previously and in fact continues to work on Debian Sid, so it doesn't seem to be PostgreSQL's fault that these test results now suffer from rounding differences. proftpd-dfsg (1.3.5-1.1+deb8u2) jessie-proposed-updates; urgency=high . * Fix CVE-2017-7418: AllowChrootSymlinks off does not check entire DefaultRoot path for symlinks. Fix proftpd#4295. Closes: #859592 * Fix CVE-2016-3125: TLSDHParamFile directive appears ignored because unexpected DH is chosen. puppet (3.7.2-4+deb8u1) jessie-security; urgency=high . * master: accept facts only in PSON format (CVE-2017-2295). Note that the fix for CVE-2017-2295 unfortunately breaks backward compatibility with agent versions prior to 3.2.2. (Closes: #863212) + Document compatibility issues in d/NEWS. * Add myself to Uploaders. puppet (3.7.2-4+deb8u1~bpo70+1) wheezy-backports; urgency=medium . * Rebuild for wheezy-backports. * d/gbp.conf: set debian branch for wheezy-backports * puppetmaster-passenger: use the correct site name with apache 2.2 and handle config rename for apache 2.4. . puppet (3.7.2-4+deb8u1) jessie-security; urgency=high . * master: accept facts only in PSON format (CVE-2017-2295). Note that the fix for CVE-2017-2295 unfortunately breaks backward compatibility with agent versions prior to 3.2.2. (Closes: #863212) + Document compatibility issues in d/NEWS. * Add myself to Uploaders. python-colorlog (2.4.0-1+deb8u1) jessie; urgency=medium . * Fix python3 dependencies (Closes: #867422) python-plumbum (1.4.2-1+deb8u1) jessie; urgency=medium . * Fix python3 dependencies (Closes: #867449) request-tracker4 (4.2.8-3+deb8u2) jessie-security; urgency=high . * Fix FTBFS due to base.pm changes (Closes: #864302) * Fix multiple security issues: - [CVE-2017-5943] CSRF verification token information leak - [CVE-2016-6127] XSS in file uploads - [CVE-2017-5361] Timing side-channel vulnerability in password verification - [CVE-2017-5944] Remote code execution in dashboard interface - Add check for incorrect RestrictLoginReferrer configuration setting * Work around a DoS vulnerability in Email::Address (CVE-2015-7686) rkhunter (1.4.2-0.4+deb8u1) jessie; urgency=high . * Disable remote updates to fix CVE-2017-7480 and prevent bugs like it in the future (closes: #765895, #866677) rpcbind (0.2.1-6+deb8u2) jessie-security; urgency=medium . * CVE-2017-8779 rt-authen-externalauth (0.25-1+deb8u1) jessie-security; urgency=high . * Non-maintainer upload for the security team * [CVE-2017-5361] Fix timing side-channel vulnerability in password verification rtmpdump (2.4+20150115.gita107cef-1+deb8u1) jessie-security; urgency=medium . * CVE-2015-8270 CVE-2015-8271 CVE-2015-8272 samba (2:4.2.14+dfsg-0+deb8u6) jessie-security; urgency=high . * Non-maintainer upload by the Security Team. * CVE-2017-7494: rpc_server3: Refuse to open pipe names with / inside shadow (1:4.2-3+deb8u4) jessie-security; urgency=high . * Non-maintainer upload by the Security Team. * Reset pid_child only if waitpid was successful. This is a regression fix for CVE-2017-2616. If su receives a signal like SIGTERM, it is not propagated to the child. (Closes: #862806) shutter (0.92-0.1+deb8u2) jessie; urgency=medium . [ Dominique Dumont ] * add patch to fix CVE-2016-10081 (Closes: #849777) * add patch to secure system() calls spice (0.12.5-1+deb8u5) jessie-security; urgency=high . * Non-maintainer upload by the Security Team. * CVE-2017-7506: Possible buffer overflow via invalid monitor configurations squirrelmail (2:1.4.23~svn20120406-2+deb8u1) jessie-security; urgency=high . * Non-maintainer upload by the Security Team (CVE-2017-7692: post-auth RCE) strongswan (5.2.1-6+deb8u4) jessie-security; urgency=medium . * debian/rules: - revert disabling of vectors test * debian/patches: - 0001-openssl-Don-t-pre-initialize-OpenSSL-HMAC-with-an-em added, backported from upstream, fix HMAC initialization with recent OpenSSL. strongswan (5.2.1-6+deb8u3) jessie-security; urgency=medium . * debian/patches: - CVE-2017-9022_insufficient_input_validation_gmp_plugin added, fix insufficient input validation in gmp plugin which could lead to denial of service (CVE-2017-9022). - CVE-2017-9023_incorrect_handling_of_choice_types_in_asn1_parser added, fix incorrect handling of CHOICE types in ASN.1 parser and x509 plugin whch could lead to an infinite loop and a denial of service (CVE-2017-9023). * debian/rules: - disable the vectors test which is failing right now for unknown reason (maybe due to an OpenSSL regression) sudo (1.8.10p3-1+deb8u4) jessie-security; urgency=high . * Non-maintainer upload by the Security Team. * CVE-2017-1000367: Fix parsing of /proc/[pid]/stat tcpdf (6.0.093+dfsg-1+deb8u1) jessie; urgency=medium . * Fix CVE-2017-6100 by disallowing tcpdf calls in HTML (Closes: #814030) tiff (4.0.3-12.3+deb8u4) jessie-security; urgency=high . * Backport fix for the following vulnerabilities: - CVE-2017-9403: fix memory leak in non DEFER_STRILE_LOAD mode, - CVE-2017-9404: memory leak vulnerability was found in the function OJPEGReadHeaderInfoSecTablesQTable(), - CVE-2016-10095 and CVE-2017-9147: add _TIFFCheckFieldIsValidForCodec() and use it in TIFFReadDirectory() (closes: #850316, #863185), - CVE-2017-9936: memory leak in error code path of JBIGDecode() (closes: #866113), - prevent out of memory in gtTileContig() on corrupted files, - CVE-2017-10688, assertion failure in TIFFWriteDirectoryTagCheckedXXXX() (closes: #866611). * Add required _TIFFCheckFieldIsValidForCodec@LIBTIFF_4.0 and _TIFFReadEncodedStripAndAllocBuffer@LIBTIFF_4.0 symbols to the libtiff5 package. tiff (4.0.3-12.3+deb8u3) jessie-security; urgency=high . * Backport fix for the following vulnerabilities: - CVE-2014-8127 and CVE-2016-3658: out-of-bounds read in the tiffset tool, - CVE-2016-9535: replace assertions by runtime checks to avoid assertions in debug mode, or buffer overflows in release mode, - CVE-2016-10266: divide-by-zero in TIFFReadEncodedStrip, - CVE-2016-10267: divide-by-zero in OJPEGDecodeRaw, - CVE-2016-10269: heap-based buffer overflow in _TIFFmemcpy, - CVE-2016-10270: heap-based buffer overflow in TIFFFillStrip, - CVE-2017-5225: heap buffer overflow via a crafted BitsPerSample value, - CVE-2017-7592: left-shift undefined behavior issue in putagreytile, - CVE-2017-7593: unitialized-memory access from tif_rawdata, - CVE-2017-7594: leak in OJPEGReadHeaderInfoSecTablesAcTable, - CVE-2017-7595: divide-by-zero in JPEGSetupEncode, - CVE-2017-7596, CVE-2017-7597, CVE-2017-7598, CVE-2017-7599, CVE-2017-7600, CVE-2017-7601 and CVE-2017-7602: multiple UBSAN crashes. * Add required _TIFFcalloc@LIBTIFF_4.0 symbol to the libtiff5 package. . [ Tobias Lippert ] * Fix a regression introduced by patch CVE-2014-8128-5 where enabling compression of tif files results in corrupt files (closes: #783555, #818360). tnef (1.4.9-1+deb8u3) jessie-security; urgency=high . * Non-maintainer upload by the Wheezy LTS Team. * CVE-2017-8911 (Closes: #862442) An integer underflow has been identified in the unicode_to_utf8() function in tnef 1.4.14. This might lead to invalid write operations, controlled by an attacker. tomcat7 (7.0.56-3+deb8u11) jessie-security; urgency=high . * Team upload. * Fix CVE-2017-5664. The error page mechanism of the Java Servlet Specification requires that, when an error occurs and an error page is configured for the error that occurred, the original request and response are forwarded to the error page. This means that the request is presented to the error page with the original HTTP method. If the error page is a static file, expected behaviour is to serve content of the file as if processing a GET request, regardless of the actual HTTP method. The Default Servlet in Apache Tomcat did not do this. Depending on the original request this could lead to unexpected and undesirable results for static error pages including, if the DefaultServlet is configured to permit writes, the replacement or removal of the custom error page. (Closes: #864447) tomcat7 (7.0.56-3+deb8u10) jessie-security; urgency=high . * Team upload. * Fix the following security vulnerabilities: - CVE-2017-5647: A bug in the handling of the pipelined requests when send file was used resulted in the pipelined request being lost when send file processing of the previous request completed. This could result in responses appearing to be sent for the wrong request. For example, a user agent that sent requests A, B and C could see the correct response for request A, the response for request C for request B and no response for request C. - CVE-2017-5648: It was noticed that some calls to application listeners did not use the appropriate facade object. When running an untrusted application under a SecurityManager, it was therefore possible for that untrusted application to retain a reference to the request or response object and thereby access and/or modify information associated with another web application. tomcat8 (8.0.14-1+deb8u10) jessie-security; urgency=high . * Team upload. * Fix CVE-2017-5664. The error page mechanism of the Java Servlet Specification requires that, when an error occurs and an error page is configured for the error that occurred, the original request and response are forwarded to the error page. This means that the request is presented to the error page with the original HTTP method. If the error page is a static file, expected behaviour is to serve content of the file as if processing a GET request, regardless of the actual HTTP method. The Default Servlet in Apache Tomcat did not do this. Depending on the original request this could lead to unexpected and undesirable results for static error pages including, if the DefaultServlet is configured to permit writes, the replacement or removal of the custom error page. (Closes: #864447) tomcat8 (8.0.14-1+deb8u9) jessie-security; urgency=high . * Team upload. * Fix the following security vulnerabilities: - CVE-2017-5647: A bug in the handling of the pipelined requests when send file was used resulted in the pipelined request being lost when send file processing of the previous request completed. This could result in responses appearing to be sent for the wrong request. For example, a user agent that sent requests A, B and C could see the correct response for request A, the response for request C for request B and no response for request C. - CVE-2017-5648: It was noticed that some calls to application listeners did not use the appropriate facade object. When running an untrusted application under a SecurityManager, it was therefore possible for that untrusted application to retain a reference to the request or response object and thereby access and/or modify information associated with another web application. tor (0.2.5.14-1) jessie-security; urgency=medium . * New upstream version, fixing a hidden service related Denial of Service bug: - Fix a remotely triggerable assertion failure caused by receiving a BEGIN_DIR cell on a hidden service rendezvous circuit. Fixes bug 22494, tracked as TROVE-2017-005 and CVE-2017-0376; bugfix on 0.2.2.1-alpha. (closes: #864424) * The previous release, 0.2.5.13, already incorporates the changes made in Debian's updates of the 0.2.5.12 version. Therefore, drop - debian/patches/tor-bug-20384-TROVE-2016-10-001 - debian/patches/tor-bug-21018-TROVE-2016-12-002-CVE-2016-1254 - debian/patches/update-authority-set unrar-nonfree (1:5.2.7-0.1+deb8u1) jessie; urgency=medium . * Add bound checks for VMSF_DELTA, VMSF_RGB and VMSF_AUDIO paramters. - Backported from 5.5.5 - CVE-2012-6706 - Closes: #865461 vlc (2.2.6-1~deb8u1) jessie-security; urgency=high . * New upstream release. - subtitle: Fix heap buffer overflows (CVE-2017-8312). - subtitle: Fix invalid double increment (CVE-2017-8311). - flac: Fix potential out-of-band dereference. - mpeg: Fix potential out-of-band reads. - subtitle: Fix infinite loop. - ogg: Fix incorrect memory free. - subtitle: Fix potential out-of-band reads (CVE-2017-8310, CVE-2017-8313). vlc (2.2.5.1-1) experimental; urgency=medium . [ Mateusz Łukasik ] * New upstream release. . [ Sebastian Ramacher ] * debian/patches: Refreshed. vlc (2.2.5.1-1~deb9u2) unstable; urgency=medium . * debian/control: - Bump Breaks + Replaces to 2.2.5.1-1~deb9u1 also in vlc-plugin-qt and vlc-plugin-skins2. Files moved from vlc to those two packages since jessie. - Remove Breaks + Replaces from libvlc-bin. While files moved from vlc-nox to libvlc-bin, they also changed their path. vlc (2.2.5.1-1~deb9u1) unstable; urgency=medium . * New upstream release. * debian/patches/fix-translation.patch: Refreshed. * debian/*.maintscript: Bump all versions to 2.2.5.1-1~z. This is necessary to properly handle symlink to directory conversions once 2.2.5.1 is available in jessie. * debian/control: Bump Breaks + Replaces to 2.2.5.1-1~deb9u1 where necessary to ensure proper upgrades from jessie. (Closes: #862474) vlc (2.2.5-4) experimental; urgency=medium . * debian/rules: Revert "Also enable NEON on arm64". (LP: #1685444) vlc (2.2.5-3) experimental; urgency=medium . * Fix typos in changelog. * debian/rules: Also enable NEON on arm64. * debian/control: Build-Conflict with Qt in experimental to work around #858762. * debian/patches: - Use gbp-pq for patch management. - Apply upstream patch for WebVTT support. (Closes: #858963) vlc (2.2.5-2) experimental; urgency=medium . [ Mateusz Łukasik ] * debian/{control,rules,vlc-plugin-video-output.install}: Disable OpenGL ES 1 support, mesa has dropped it. (Closes: #855117) . [ Sebastian Ramacher ] * debian/: Major package clean up. - Remove vlc-nox binary package. - Update tests to new package layout. - Remove obsolete Breaks+Replaces. * debian/rules: Be explicit about GLES 1 * debian/{rules,libvlc-bin.*}: Fix warning from about non-empty directory (Closes: #854928) vlc (2.2.5-1) unstable; urgency=medium . * New upstream releases. (Closes: #850529) * debian/patches: - fix-translation.patch: Refreshed. - Removed patches taken from upstream included in 2.2.5. * debian/*.maintscript: Bump all versions to 2.2.5-1~z. This is necessary to properly handle symlink to directory conversions once 2.2.5 is available in stretch. w3m (0.5.3-19+deb8u2) jessie; urgency=medium . * Fix multiple vulnerabilities (closes: #850432) - New patch 934_menu.patch to fix buffer overflow (tats/w3m#49) - New patch 935_shiftanchor.patch to fix buffer overflow (tats/w3m#62) - New patch 936_metarefresh.patch to fix buffer overflow (tats/w3m#63) - New patch 937_lineproc0.patch to fix buffer overflow (tats/w3m#67) - New patch 938_lineproc2body.patch to fix buffer overflow (tats/w3m#61) - New patch 939_textarea.patch to fix buffer overflow (tats/w3m#58) - New patch 940_tabattr.patch to fix buffer overflow (tats/w3m#60) - New patch 941_integeredwidth.patch to fix buffer overflow (tats/w3m#70) - New patch 942_tridvalue.patch to fix buffer overflow (tats/w3m#71) - New patch 943_pushlink.patch to fix buffer overflow (tats/w3m#64, #66) - New patch 944_lineproc0.patch to fix use after free (tats/w3m#65) - New patch 945_wtfstrwidth.patch to fix buffer overflow (tats/w3m#57) - New patch 946_strnewsize.patch to fix buffer overflow (tats/w3m#72) - New patch 947_realcolumn.patch to fix buffer overflow (tats/w3m#69) - New patch 948_getmclen.patch to fix buffer overflow (tats/w3m#59, #73, #74, #75, #76, #78, #79, #80, #83, #84) - New patch 949_wtftowcs.patch to fix buffer overflow (tats/w3m#77) - New patch 950_textarea.patch to fix infinite loop (tats/w3m#85) - New patch 951_lineproc0.patch to fix use after free (tats/w3m#81) - New patch 952_formupdatebuffer.patch to fix buffer overflow (tats/w3m#82) - New patch 953_formupdateline.patch to fix buffer overflow (tats/w3m#68#issuecomment-266214643) - New patch 954_wtfparse1.patch to fix buffer overflow (tats/w3m#68) wordpress (4.1+dfsg-1+deb8u14) jessie-security; urgency=medium . * Backport patches from 4.7.5 Closes: #862816 - CVE-2017-9062 Improper handling of post meta data values in the XML-RPC API. Changeset 40699 - CVE-2017-9065 Lack of capability checks for post meta data in the XML-RPC API. Changeset 40684 - CVE-2017-9064 A Cross Site Request Forgery (CRSF) vulnerability was discovered in the filesystem credentials dialog. Changeset 40730 - CVE-2017-9061 A cross-site scripting (XSS) vulnerability was discovered when attempting to upload very large files. Changeset 40743 - CVE-2017-9063 A cross-site scripting (XSS) vulnerability was discovered related to the Customizer. Changeset 40711 * CVE-2017-9066 not fixed as the relevant code has changed dramatically and there is no upstream patch for it. Insufficient redirect validation in the HTTP class. * CVE-2017-8295 Don't use client-provided data to form password reset from email address, from WordPress ticket #23239 Closes: #862053 xarchiver (1:0.5.4-1+deb8u2) jessie; urgency=medium . [ Chris Lamb ] * Fix data-loss issue where adding files to a tar-based archive removed all existing content when the target filename included shell metacharacters. The test to see whether it already existed to determine whether to create a new archive or simply add a new file incorrectly used an escaped path. Thanks to Nikolaus Rath for the report and Chris Lamb for the patch. (Closes: #862593) xen (4.4.1-9+deb8u9) jessie-security; urgency=medium . Security updates: * XSA-200: Closes:#848081: CVE-2016-9932: x86 emulation operand size * XSA-202: CVE-2016-10024: x86 PV guests may be able to mask interrupts * XSA-204: CVE-2016-10013: x86: Mishandling of SYSCALL singlestep * XSA-212: Closes:#859560: CVE-2017-7228: x86: broken memory_exchange() * XSA-213: Closes:#861659: 64bit PV guest breakout * XSA-214: Closes:#861660: grant transfer PV privilege escalation * XSA-215: Closes:#861662: memory corruption via failsafe callback xfce4-weather-plugin (0.8.3-3) jessie; urgency=medium . * debian/patches: - 0001-Make-plugin-ready-for-met.no-locationforecast-1.2-AP, 0002-Switch-to-met.no-locationforecastLTS-1.2-API-bug-109, 0003-Update-NEWS-and-README, 0004-Update-URL-for-sunrise-API-to-point-to-version-1.1-b, 0005-Update-http-api.yr.no-URLs-to-https-api.met.no, 0006-Bump-LocationforecastLTS-version-to-1.3, 0007-Change-more-URLs-from-http-yr.no-to-https-met.no added, backported from ustream to support met.no new APIs - git_use-locationforecast-1.2 and debian/patches/git_use-locationforecast-1.2 dropped, included in backports above. xorg-server (2:1.16.4-1+deb8u1) jessie-security; urgency=medium . * CVE-2017-10971 CVE-2017-10972 zookeeper (3.4.5+dfsg-2+deb8u2) jessie-security; urgency=medium . * CVE-2017-5637 zziplib (0.13.62-3+deb8u1) jessie-security; urgency=medium . * CVE-2017-5981 CVE-2017-5980 CVE-2017-5979 CVE-2017-5978 CVE-2017-5976 CVE-2017-5975 CVE-2017-5974 ====================================== Sat, 06 May 2017 - Debian 8.8 released ====================================== ========================================================================= [Date: Sat, 06 May 2017 09:49:58 +0000] [ftpmaster: Archive Administrator] Removed the following packages from stable: cgiemail | 1.6-37 | source, amd64, arm64, armel, armhf, i386, mips, mipsel, powerpc, ppc64el, s390x Closed bugs: 852432 ------------------- Reason ------------------- RC buggy, unmaintained ---------------------------------------------- ========================================================================= ========================================================================= [Date: Sat, 06 May 2017 09:50:53 +0000] [ftpmaster: Archive Administrator] Removed the following packages from stable: ccache-dbgsym | 3.1.12-1 | amd64 Closed bugs: 852435 ------------------- Reason ------------------- cruft ---------------------------------------------- ========================================================================= ========================================================================= [Date: Sat, 06 May 2017 09:51:39 +0000] [ftpmaster: Archive Administrator] Removed the following packages from stable: owncloud-apps | 0~~20141022-1 | source, all Closed bugs: 858103 ------------------- Reason ------------------- unsupportable ---------------------------------------------- ========================================================================= ========================================================================= [Date: Sat, 06 May 2017 09:52:26 +0000] [ftpmaster: Archive Administrator] Removed the following packages from stable: owncloud | 7.0.4+dfsg-4~deb8u4 | source, all Closed bugs: 858086 ------------------- Reason ------------------- unsupportable ---------------------------------------------- ========================================================================= ========================================================================= [Date: Sat, 06 May 2017 09:53:15 +0000] [ftpmaster: Archive Administrator] Removed the following packages from stable: live-f1 | 0.2.10-1.1 | source, amd64, arm64, armel, armhf, i386, mips, mipsel, powerpc, ppc64el, s390x Closed bugs: 860856 ------------------- Reason ------------------- broken due to third party changes ---------------------------------------------- ========================================================================= ========================================================================= [Date: Sat, 06 May 2017 09:54:18 +0000] [ftpmaster: Archive Administrator] Removed the following packages from stable: libwww-dict-leo-org-perl | 1.39-1 | source, all Closed bugs: 860914 ------------------- Reason ------------------- broken due to upstream changes ---------------------------------------------- ========================================================================= ========================================================================= [Date: Sat, 06 May 2017 09:55:03 +0000] [ftpmaster: Archive Administrator] Removed the following packages from stable: libapache2-authenntlm-perl | 0.02-7 | source, ppc64el libapache2-authenntlm-perl | 0.02-7+b1 | amd64, arm64, armel, armhf, i386, mips, mipsel, powerpc libapache2-authenntlm-perl | 0.02-7+b3 | s390x Closed bugs: 860973 ------------------- Reason ------------------- broken with Apache 2.4 ---------------------------------------------- ========================================================================= ========================================================================= [Date: Sat, 06 May 2017 09:55:53 +0000] [ftpmaster: Archive Administrator] Removed the following packages from stable: grive | 0.2.0-1.1 | source grive | 0.2.0-1.1+b1 | arm64, ppc64el grive | 0.2.0-1.1+b2 | amd64, armel, armhf, i386, mips, mipsel, powerpc, s390x Closed bugs: 861399 ------------------- Reason ------------------- broken due to Google API changes ---------------------------------------------- ========================================================================= ========================================================================= [Date: Sat, 06 May 2017 10:06:44 +0000] [ftpmaster: Archive Administrator] Removed the following packages from stable: icedove-dev | 1:45.5.1-1~deb8u1 | armhf ------------------- Reason ------------------- [auto-cruft] obsolete arch any package ---------------------------------------------- ========================================================================= ========================================================================= [Date: Sat, 06 May 2017 10:06:56 +0000] [ftpmaster: Archive Administrator] Removed the following packages from stable: icedove-dbg | 1:45.6.0-1~deb8u1 | amd64, arm64, armel, i386, mips, mipsel, powerpc, ppc64el, s390x ------------------- Reason ------------------- [auto-cruft] obsolete arch any package ---------------------------------------------- ========================================================================= ========================================================================= [Date: Sat, 06 May 2017 10:07:07 +0000] [ftpmaster: Archive Administrator] Removed the following packages from stable: icedove-dev | 1:45.6.0-1~deb8u1 | amd64, arm64, armel, i386, mips, mipsel, powerpc, ppc64el, s390x ------------------- Reason ------------------- [auto-cruft] obsolete arch any package ---------------------------------------------- ========================================================================= ========================================================================= [Date: Sat, 06 May 2017 10:07:17 +0000] [ftpmaster: Archive Administrator] Removed the following packages from stable: icedove-dbg | 1:45.5.1-1~deb8u1 | armhf ------------------- Reason ------------------- [auto-cruft] obsolete arch any package ---------------------------------------------- ========================================================================= ========================================================================= [Date: Sat, 06 May 2017 10:07:30 +0000] [ftpmaster: Archive Administrator] Removed the following packages from stable: iceowl-extension | 1:45.5.1-1~deb8u1 | armhf ------------------- Reason ------------------- [auto-cruft] obsolete arch any package ---------------------------------------------- ========================================================================= ========================================================================= [Date: Sat, 06 May 2017 10:07:38 +0000] [ftpmaster: Archive Administrator] Removed the following packages from stable: icedove | 1:45.5.1-1~deb8u1 | armhf ------------------- Reason ------------------- [auto-cruft] obsolete arch any package ---------------------------------------------- ========================================================================= ========================================================================= [Date: Sat, 06 May 2017 10:07:58 +0000] [ftpmaster: Archive Administrator] Removed the following packages from stable: icedove | 1:45.6.0-1~deb8u1 | amd64, arm64, armel, i386, mips, mipsel, powerpc, ppc64el, s390x ------------------- Reason ------------------- [auto-cruft] obsolete arch any package ---------------------------------------------- ========================================================================= ========================================================================= [Date: Sat, 06 May 2017 10:08:03 +0000] [ftpmaster: Archive Administrator] Removed the following packages from stable: iceowl-extension | 1:45.6.0-1~deb8u1 | amd64, arm64, armel, i386, mips, mipsel, powerpc, ppc64el, s390x ------------------- Reason ------------------- [auto-cruft] obsolete arch any package ---------------------------------------------- ========================================================================= activemq (4.6.0+dfsg1-4+deb8u3) jessie; urgency=medium . * Team upload. * Fix CVE-2015-7559: DoS in activemq-core via shutdown command. (Closes: #860866) apache2 (2.4.10-10+deb8u8) jessie-security; urgency=medium . * CVE-2016-8743: Enforce more HTTP conformance for request lines and request headers, to prevent response splitting and cache pollution by malicious clients or downstream proxies. If this causes problems with non-conforming clients, some checks can be relaxed by adding the new directive 'HttpProtocolOptions unsafe' to the configuration. Differently than the upstream 2.4.25 release which will also be in the Debian 9 (stretch) release, this update for Debian 8 (jessie) accepts underscores in host and domain names even while 'HttpProtocolOptions strict' is in effect. More information is available at http://httpd.apache.org/docs/2.4/mod/core.html#httpprotocoloptions * CVE-2016-0736: mod_session_crypto: Prevent padding oracle attack. * CVE-2016-2161: mod_auth_digest: Prevent segfaults when the shared memory space is exhausted. * Activate mod_reqtimeout in new installs and during updates from before 2.4.10-10+deb8u8. It was wrongly not activated in new installs since jessie. This made the default installation vulnerable to some DoS attacks. * Don't run 2.2 to 2.4 upgrade logic again when upgrading from 2.4.10-10+deb8u*. Closes: #836818 apf-firewall (9.7+rev1-3+deb8u1) jessie; urgency=medium . * QA upload. * Set maintainer field to Debian QA Group. * Add patch from Christoph Biedl to make it work with kernel 3.x and newer. (Closes: #701674) apt-xapian-index (0.47+deb8u1) jessie; urgency=medium . * Non-maintainer upload. * Remove call to update-python-modules (Closes: #793681) audiofile (0.3.6-2+deb8u2) jessie-security; urgency=high . * Non-maintainer upload by the Security Team. * Address several vulnerabilities (Closes: #857651) - Always check the number of coefficients (CVE-2017-6827 CVE-2017-6828 CVE-2017-6832 CVE-2017-6833 CVE-2017-6835 CVE-2017-6837) - clamp index values to fix index overflow in IMA.cpp (CVE-2017-6829) - Check for multiplication overflow in sfconvert (CVE-2017-6830 CVE-2017-6834 CVE-2017-6836 CVE-2017-6838) - Actually fail when error occurs in parseFormat (CVE-2017-6831) - Check for multiplication overflow in MSADPCM decodeSample (CVE-2017-6839) * Fix signature of multiplyCheckOverflow. It returns a bool, not an int * Check for division by zero in BlockCodec::runPull base-files (8+deb8u8) stable; urgency=low . * Changed /etc/debian_version to 8.8, for Debian 8.8 point release. bind9 (1:9.9.5.dfsg-9+deb8u10) jessie-security; urgency=medium . * Fix regression caused by the fix for CVE-2016-8864 (closes: #855540). * Fix CVE-2017-3135: a malicously crafted query can cause named to crash if both DNS64 and RPZ are being used (closes: #855520). bind9 (1:9.9.5.dfsg-9+deb8u9) jessie-security; urgency=medium . * Apply patches from ISC. * CVE-2016-9131: Assertion failure related to caching of TKEY records in upstream DNS responses. * CVE-2016-9147: Processing of RRSIG records in upstream DNS response without corresponding signed data could lead to an assertion failure. * CVE-2016-9444: Missing RRSIG records in the authority section of upstream responses could lead to an assertion failure. * RT #43779: Fix handling of CNAME/DNAME responses. (Regression due to the CVE-2016-8864 fix.) bind9 (1:9.9.5.dfsg-9+deb8u8+kbsd8u1~reallyis+deb8u7) jessie-kfreebsd; urgency=medium . * Upload to jessie-kfreebsd * This and the previous upload to jessie-kfreebsd are based off +deb8u7, not +deb8u8 binutils (2.25-5+deb8u1) stable; urgency=medium . * Apply patch from upstream to fix gold on arm64. The ABI specifies using a pagesize of 64k for ELF binaries. Closes: #850814 bouncycastle (1.49+dfsg-3+deb8u2) jessie-security; urgency=high . * Team upload. * Fix CVE-2015-6644: An information disclosure vulnerability was discovered in Bouncy Castle, a Java library which consists of various cryptographic algorithms. The Galois/Counter mode (GCM) implementation was missing a boundary check that could enable a local application to gain access to user's private information. ca-certificates (20141019+deb8u3) jessie; urgency=medium . [ Michael Shuler ] * sbin/update-ca-certificates: Update local certificates directory when calling --fresh. Closes: #783615 . [ Andreas Beckmann ] * Backport another commit to make running update-certificates without hooks actually work (instead of showing a usage message). Closes: #825730 chromium-browser (57.0.2987.98-1~deb8u1) jessie-security; urgency=medium . * New upstream stable release. - CVE-2017-5030: Memory corruption in V8. Credit to Brendon Tiszka - CVE-2017-5031: Use after free in ANGLE. Credit to Looben Yang - CVE-2017-5032: Out of bounds write in PDFium. Credit to Ashfaq Ansari - CVE-2017-5029: Integer overflow in libxslt. Credit to Holger Fuhrmannek - CVE-2017-5034: Use after free in PDFium. Credit to Ke Liu - CVE-2017-5035: Incorrect security UI in Omnibox. Credit to Enzo Aguado - CVE-2017-5036: Use after free in PDFium. Credit to Anonymous - CVE-2017-5037: Multiple out of bounds writes in ChunkDemuxer. Credit to Yongke Wang - CVE-2017-5039: Use after free in PDFium. Credit to jinmo123 - CVE-2017-5040: Information disclosure in V8. Credit to Choongwoo Han - CVE-2017-5041: Address spoofing in Omnibox. Credit to Jordi Chancel - CVE-2017-5033: Bypass of Content Security Policy in Blink. Credit to Nicolai Grødum - CVE-2017-5042: Incorrect handling of cookies in Cast. Credit to Mike Ruddy - CVE-2017-5038: Use after free in GuestView. Credit to Anonymous - CVE-2017-5043: Use after free in GuestView. Credit to Anonymous - CVE-2017-5044: Heap overflow in Skia. Credit to Kushal Arvind Shah - CVE-2017-5045: Information disclosure in XSS Auditor. Credit to Dhaval Kapil - CVE-2017-5046: Information disclosure in Blink. Credit to Masato Kinugawa * Configure with fieldtrial_testing_like_official_build=true to avoid building with experimental features enabled (closes: #855434). chromium-browser (56.0.2924.76-5) unstable; urgency=medium . * Configure with fieldtrial_testing_like_official_build=true to avoid building with experimental features enabled (closes: #855434). * Do not disable background networking when remote extensions are enabled, since that option also blocks updates to extensions (closes: #841401). - Thanks to Tarmo Huuhka. chromium-browser (56.0.2924.76-4) unstable; urgency=medium . * Do not create a dbgsym package for widevine (closes: #855529). chromium-browser (56.0.2924.76-3) unstable; urgency=medium . * Upload to unstable. chromium-browser (56.0.2924.76-2) experimental; urgency=medium . * Backport upstream bugfix for non-NEON builds, closes: #853108 * Fix seccomp sandboxing on arm64 platforms with DRI3 chromium-browser (56.0.2924.76-1) experimental; urgency=medium . * New upstream stable release: - CVE-2017-5007: Universal XSS in Blink. Credit to Mariusz Mlynski - CVE-2017-5006: Universal XSS in Blink. Credit to Mariusz Mlynski - CVE-2017-5008: Universal XSS in Blink. Credit to Mariusz Mlynski - CVE-2017-5010: Universal XSS in Blink. Credit to Mariusz Mlynski - CVE-2017-5011: Unauthorised file access in Devtools. Credit to Khalil Zhani - CVE-2017-5009: Out of bounds memory access in WebRTC. Credit to Sean Stanek and Chip Bradford - CVE-2017-5012: Heap overflow in V8. Credit to Gergely Nagy - CVE-2017-5013: Address spoofing in Omnibox. Credit to Haosheng Wang - CVE-2017-5014: Heap overflow in Skia. Credit to sweetchip - CVE-2017-5015: Address spoofing in Omnibox. Credit to Armin Razmdjou - CVE-2017-5019: Use after free in Renderer. Credit to Wadih Matar - CVE-2017-5016: UI spoofing in Blink. Credit to Haosheng Wang - CVE-2017-5017: Uninitialised memory access in webm video. Credit to danberm - CVE-2017-5018: Universal XSS in chrome://apps. Credit to Rob Wu - CVE-2017-5020: Universal XSS in chrome://downloads. Credit to Rob Wu - CVE-2017-5021: Use after free in Extensions. Credit to Rob Wu - CVE-2017-5022: Bypass of Content Security Policy in Blink. Credit to PKAV Team. - CVE-2017-5023: Type confusion in metrics. Credit to the UK's National Cyber Security Centre (NCSC) - CVE-2017-5026: UI spoofing. Credit to Ronni Skansing chromium-browser (56.0.2924.76-1~deb8u1) jessie-security; urgency=medium . * New upstream stable release: - CVE-2017-5007: Universal XSS in Blink. Credit to Mariusz Mlynski - CVE-2017-5006: Universal XSS in Blink. Credit to Mariusz Mlynski - CVE-2017-5008: Universal XSS in Blink. Credit to Mariusz Mlynski - CVE-2017-5010: Universal XSS in Blink. Credit to Mariusz Mlynski - CVE-2017-5011: Unauthorised file access in Devtools. Credit to Khalil Zhani - CVE-2017-5009: Out of bounds memory access in WebRTC. Credit to Sean Stanek and Chip Bradford - CVE-2017-5012: Heap overflow in V8. Credit to Gergely Nagy - CVE-2017-5013: Address spoofing in Omnibox. Credit to Haosheng Wang - CVE-2017-5014: Heap overflow in Skia. Credit to sweetchip - CVE-2017-5015: Address spoofing in Omnibox. Credit to Armin Razmdjou - CVE-2017-5019: Use after free in Renderer. Credit to Wadih Matar - CVE-2017-5016: UI spoofing in Blink. Credit to Haosheng Wang - CVE-2017-5017: Uninitialised memory access in webm video. Credit to danberm - CVE-2017-5018: Universal XSS in chrome://apps. Credit to Rob Wu - CVE-2017-5020: Universal XSS in chrome://downloads. Credit to Rob Wu - CVE-2017-5021: Use after free in Extensions. Credit to Rob Wu - CVE-2017-5022: Bypass of Content Security Policy in Blink. Credit to PKAV Team. - CVE-2017-5023: Type confusion in metrics. Credit to the UK's National Cyber Security Centre (NCSC) - CVE-2017-5026: UI spoofing. Credit to Ronni Skansing * Fix regression in pulseaudio (closes: #848029). chromium-browser (55.0.2883.75-6) unstable; urgency=medium . * Organize patches. * Move widevine package to contrib (closes: #851917). * Conflict with very old versions of libsecret (closes: #838864). * Support --enable-remote-extensions option passed through CHROMIUM_FLAGS (closes: #851927). chromium-browser (55.0.2883.75-5) unstable; urgency=medium . * Fix new lintian warnings. * Fix quoting error in run script (closes: #851634). chromium-browser (55.0.2883.75-4) unstable; urgency=medium . * Add chromium-shell package. * Rename chromedriver package to chromium-driver. * Add chromium-widevine package (closes: #838515). - Thanks to Felix Geyer. * Add initial upstream metadata (closes: #848228). * Set more options at runtime instead of build time. * Install chromedriver to /usr/bin (closes: #845312). * Update webkit copyright information (closes: #849264). - Thanks to Sandro Knauß. * Better handling of browser extensions (closes: #841401). - Only support locally installed extensions by default. - Add new command line flag --enable-remote-extensions, which bypasses the new default, allowing remote extensions and automatic updating. chromium-browser (55.0.2883.75-3) unstable; urgency=medium . * Merge experimental branch. * Respect parallel setting in DEB_BUILD_OPTIONS while bootstrapping gn. * Conflict libnettle4 rather than depend on libnettle6 (closes: #841213). * Disable builtin media router since it only works with official Google Chrome builds, not chromium (closes: #833477). chromium-browser (55.0.2883.75-2+exp3) experimental; urgency=medium . * Correct typo from last build chromium-browser (55.0.2883.75-2+exp2) experimental; urgency=medium . * Set arm_use_neon=false on armhf until we enable a neon-supporting buildd in Debian. chromium-browser (55.0.2883.75-2+exp1) experimental; urgency=medium . * Add patches from upstream for gn builds on arm64 * Enable arm64/armhf builds chromium-browser (55.0.2883.75-2) unstable; urgency=medium . * Don't set FF_API_CONVERGENCE_DURATION since it is not a part of ffmpeg's public API, and when defined leads to crashes (closes: #846648). chromium-browser (55.0.2883.75-1) unstable; urgency=medium . * New upstream stable release: - CVE-2016-9651: Private property access in V8. Credit to Guang Gong - CVE-2016-5208: Universal XSS in Blink. Credit to Mariusz Mlynski - CVE-2016-5207: Universal XSS in Blink. Credit to Mariusz Mlynski - CVE-2016-5206: Same-origin bypass in PDFium. Credit to Rob Wu - CVE-2016-5205: Universal XSS in Blink. Credit to Anonymous - CVE-2016-5204: Universal XSS in Blink. Credit to Mariusz Mlynski - CVE-2016-5209: Out of bounds write in Blink. Credit to Giwan Go - CVE-2016-5203: Use after free in PDFium. Credit to Anonymous - CVE-2016-5210: Out of bounds write in PDFium. Credit to Ke Liu - CVE-2016-5212: Local file disclosure in DevTools. Credit to Khalil Zhani - CVE-2016-5211: Use after free in PDFium. Credit to Anonymous - CVE-2016-5213: Use after free in V8. Credit to Khalil Zhani - CVE-2016-5214: File download protection bypass. Credit to Jonathan Birch and MSVR - CVE-2016-5216: Use after free in PDFium. Credit to Anonymous - CVE-2016-5215: Use after free in Webaudio. Credit to Looben Yang - CVE-2016-5217: Use of unvalidated data in PDFium. Credit to Rob Wu - CVE-2016-5218: Address spoofing in Omnibox. Credit to Abdulrahman Alqabandi - CVE-2016-5219: Use after free in V8. Credit to Rob Wu - CVE-2016-5221: Integer overflow in ANGLE. Credit to Tim Becker - CVE-2016-5220: Local file access in PDFium. Credit to Rob Wu - CVE-2016-5222: Address spoofing in Omnibox. Credit to xisigr - CVE-2016-9650: CSP Referrer disclosure. Credit to Jakub Żoczek - CVE-2016-5223: Integer overflow in PDFium. Credit to Hwiwon Lee - CVE-2016-5226: Limited XSS in Blink. Credit to Jun Kokatsu - CVE-2016-5225: CSP bypass in Blink. Credit to Scott Helme - CVE-2016-5224: Same-origin bypass in SVG. Credit to Roeland Krak - CVE-2016-9652: Various fixes from internal audits, fuzzing and other initiatives * Make it possible to pass build flags into gn (closes: #845785). commons-daemon (1.0.15-6+deb8u1) jessie; urgency=medium . * Team upload. * jsvc fails on ppc64el showing "Cannot find any VM in Java Home". (Closes: #856560) crafty (23.4-6+deb8u1) jessie; urgency=medium . * QA upload. * Do not generate CPU specific code. Should fix "Illegal instruction" on some Pentium 4 CPUs. Closes: #850979. debian-edu-doc (1.6~20170429+deb8u4) jessie; urgency=medium . [ Jessie Manual translation updates ] * Norwegian Bokmål: Ingrid Yrvin, Ole-Erik Yrvin, Petter Reinholdtsen. * German: Wolfgang Schweer. * Dutch: Frans Spiesschaert. . [ Wheezy Manual translation updates ] * Norwegian Bokmål: Petter Reinholdtsen. . [ Holger Levsen ] * Merge Jessie and Wheezy manual translation from master branch (which is maintained and uploaded to Stretch now). Starting 2017-03-25, the jessie branch is also the only one where we still maintain the Wheezy manual. debian-installer-netboot-images (20150422+deb8u4.b3) jessie; urgency=medium . * Update to 20150422+deb8u4+b3 images, from jessie-proposed-updates dovecot (1:2.2.13-12~deb8u3) jessie-security; urgency=high . * Non-maintainer upload by the Security Team. * Revert "auth: Do not double-expand key in passdb dict when authenticating (CVE-2017-2669)" This reverts the applied patch which resulted in no longer interpreting placeholders in the keys even once with dict-based userdb or passdb. The actual vulnerability was introduced later with "auth-db-dict: Allow key name expansion" in 2.2.26. Thanks to Nick Thomas and Aki Tuomi dovecot (1:2.2.13-12~deb8u2) jessie-security; urgency=high . * Non-maintainer upload by the Security Team. * auth: Do not double-expand key in passdb dict when authenticating (CVE-2017-2669) dropbear (2014.65-1+deb8u1) stable; urgency=medium . * New maintainer. * Backport security fix from 2016.72: If X11 forwarding is enabled a user could bypass any "command=" restrictions in authorized_keys and run any command as their own user (CVE-2016-3116). * Backport security fixes from 2016.74: - Message printout was vulnerable to format string injection (CVE-2016-7406). - dropbearconvert import of OpenSSH keys could run arbitrary code as the local dropbearconvert user when parsing malicious key files (CVE-2016-7407). - dbclient could run arbitrary code as the local dbclient user if particular -m or -c arguments are provided (CVE-2016-7408). eject (2.1.5+deb1+cvs20081104-13.1+deb8u1) jessie-security; urgency=high . * Non-maintainer upload by the Security Team. * CVE-2017-6964: Check the return values when dropping privileges (Closes: #858872) erlang (1:17.3-dfsg-4+deb8u1) stable-proposed-updates; urgency=medium . * Applied a patch from the PCRE upstream which fixes CVE-2016-10253 vulnerability (heap overflow while compiling certain regular expressions). The patch is taken from https://github.com/erlang/otp/pull/1108 and modified to match the original patch by PCRE developers (closes: #858313). firebird2.5 (2.5.3.26778.ds4-5+deb8u1) jessie-security; urgency=high . * Add two commits from upstream fixing authenticated remote code execution (CVE-2017-6369 / CORE-5474) (Closes: #858641) firefox-esr (45.9.0esr-1~deb8u1) stable-security; urgency=medium . * New upstream release. * Fixes for mfsa2017-11, also known as: CVE-2017-5433, CVE-2017-5435, CVE-2017-5436, CVE-2017-5461, CVE-2017-5459, CVE-2017-5434, CVE-2017-5432, CVE-2017-5460, CVE-2017-5438, CVE-2017-5439, CVE-2017-5440, CVE-2017-5441, CVE-2017-5442, CVE-2017-5464, CVE-2017-5443, CVE-2017-5444, CVE-2017-5446, CVE-2017-5447, CVE-2017-5465, CVE-2017-5448, CVE-2017-5469, CVE-2017-5445, CVE-2017-5462, CVE-2017-5429. . * accessible/generic/ApplicationAccessible.h: Add missing null checks causing crashes with accessibility. Closes: #852149. firefox-esr (45.8.0esr-1) unstable; urgency=medium . * New upstream release. * Fixes for mfsa2017-06, also known as: CVE-2017-5400, CVE-2017-5401, CVE-2017-5402, CVE-2017-5404, CVE-2017-5407, CVE-2017-5410, CVE-2017-5408, CVE-2017-5405, CVE-2017-5398. firefox-esr (45.8.0esr-1~deb8u1) stable-security; urgency=medium . * New upstream release. * Fixes for mfsa2017-06, also known as: CVE-2017-5400, CVE-2017-5401, CVE-2017-5402, CVE-2017-5404, CVE-2017-5407, CVE-2017-5410, CVE-2017-5408, CVE-2017-5405, CVE-2017-5398. . * debian/browser.desktop.in, debian/rules: Use the application name as StartupWMClass in the desktop file. Along the change to nsAppRunner.cpp, this prevents e.g. GNOME Shell from making Firefox appear as Firefox ESR when both are used. * debian/browser.desktop.in: Remove Encoding key from desktop file. Closes: #812493 * debian/rules, debian/control*: Build with GCC6 on arm*/unstable. Closes: #852009. * debian/rules: - Add -fno-lifetime-dse when building with GCC6. - Build with -fno-schedule-insns on armel and armhf when building with GCC6. Closes: #854640. . * memory/mozjemalloc/jemalloc.c: Don't set 64KB page size on aarch64. bz#1091515. Closes: #819059, #825355. * toolkit/xre/nsAppRunner.cpp: Set program name from the remoting name. * js/src/jit/AtomicOperations.h, js/src/jit/arm64/AtomicOperations-arm64.h: Use jit/arm64/Architecture-arm64.h on non-JIT aarch64. bz#1257055. Closes: #854079. firefox-esr (45.7.0esr-4) unstable; urgency=medium . * debian/rules: Build with -fno-schedule-insns on armel and armhf when building with GCC6. Hopefully closes: #854640. * debian/browser.desktop.in, debian/rules: Followup for the StartupWMClass changes in 45.7.0esr-2: Use the same name in desktop file and application.ini RemotingName. Closes: #854397. . * js/src/jit/AtomicOperations.h, js/src/jit/arm64/AtomicOperations-arm64.h: Use jit/arm64/Architecture-arm64.h on non-JIT aarch64. bz#1257055. Closes: #854079. firefox-esr (45.7.0esr-3) unstable; urgency=medium . * debian/rules: Add -fno-schedule-insns2 back. Closes: #854258. firefox-esr (45.7.0esr-2) unstable; urgency=medium . * debian/browser.desktop.in: - Use the application name as StartupWMClass in the desktop file. Along the change to nsAppRunner.cpp, this prevents e.g. GNOME Shell from making Firefox appear as Firefox ESR when both are used. - Remove Encoding key from desktop file. Closes: #812493 * debian/rules: Remove -fno-schedule-insns2 and add -fno-lifetime-dse when building with GCC6. * debian/rules, debian/control*: Build with GCC6 on arm*. Closes: #852009. AFAIK, that will lead to FTBFS on at least armhf, but let's already see how it goes. . * memory/mozjemalloc/jemalloc.c: Don't set 64KB page size on aarch64. bz#1091515. Closes: #819059, #825355. * toolkit/xre/nsAppRunner.cpp: Set program name from the remoting name. firefox-esr (45.7.0esr-1) unstable; urgency=medium . * New upstream release. * Fixes for mfsa2017-02, also known as: CVE-2017-5375, CVE-2017-5376, CVE-2017-5378, CVE-2017-5380, CVE-2017-5390, CVE-2017-5396, CVE-2017-5383, CVE-2017-5386, CVE-2017-5373. . * debian/upstream.mk: Don't rely on FIREFOX_*_RELEASE tags to pull some files to determine all source urls. * debian/browser.bug-presubj.in: Add a note about submitting crash reports upstream and pasting the url to Debian bug reports. firefox-esr (45.7.0esr-1~deb8u1) stable-security; urgency=medium . * New upstream release. * Fixes for mfsa2017-02, also known as: CVE-2017-5375, CVE-2017-5376, CVE-2017-5378, CVE-2017-5380, CVE-2017-5390, CVE-2017-5396, CVE-2017-5383, CVE-2017-5386, CVE-2017-5373. . * debian/upstream.mk: Don't rely on FIREFOX_*_RELEASE tags to pull some files to determine all source urls. * debian/browser.bug-presubj.in: Add a note about submitting crash reports upstream and pasting the url to Debian bug reports. firefox-esr (45.6.0esr-1) unstable; urgency=medium . * New upstream release. * Fixes for mfsa2016-95, also known as: CVE-2016-9899, CVE-2016-9895, CVE-2016-9897, CVE-2016-9898, CVE-2016-9900, CVE-2016-9904, CVE-2016-9905, CVE-2016-9901, CVE-2016-9902, CVE-2016-9893. . * debian/browser.install.in, browser.mozconfig.in, debian/rules: Don't disable the crash reporter. freetype (2.5.2-3+deb8u2) jessie-security; urgency=high . * Non-maintainer upload by the Security Team. . [ Moritz Mühlenhoff ] * CVE-2016-10244 (Closes: #856971) . [ Salvatore Bonaccorso ] * [psaux] Better protect `flex' handling (CVE-2017-8105) (Closes: #861220) * t1_builder_close_contour: Add safety guard (CVE-2017-8287) (Closes: #861308) ghostscript (9.06~dfsg-2+deb8u5) jessie-security; urgency=high . * Non-maintainer upload by the Security Team. * Avoid divide by 0 in scan conversion code (CVE-2016-10219) (Closes: #859666) * fix crash with bad data supplied to makeimagedevice (CVE-2016-10220) (Closes: #859694) * use the correct param list enumerator (CVE-2017-5951) (Closes: #859696) * Ensure a device has raster memory, before trying to read it (CVE-2017-7207) (Closes: #858350) * -dSAFER bypass and remote command execution via a "/OutputFile (%pipe%" substring (CVE-2017-8291) (Closes: #861295) glibc (2.19-18+deb8u9) stable; urgency=medium . * Remove patches/any/cvs-resolv-internal-qtype.diff, it breaks the libnss/libnss-dns ABI. Reopens: #796106. glibc (2.19-18+deb8u8) stable; urgency=medium . [ Aurelien Jarno ] * Update from upstream stable branch: - Fix PowerPC sqrt inaccuracy. Closes: #855606. * patches/any/cvs-resolv-internal-qtype.diff: patch from upstream to fix a NULL pointer dereference in libresolv when receiving a T_UNSPEC internal QTYPE (CVE-2015-5180). Closes: #796106. gnome-media (3.4.0-2+deb8u1) jessie; urgency=medium . * Non-maintainer upload. * Add missing Breaks: gnome-media-common, libgnome-media-dev, libgnome-media0 to match Replaces and not leave mutilated packages behind. (Closes: #861102) gnome-screenshot (3.14.0-1+deb8u1) jessie; urgency=medium . * Non-maintainer upload. * filename-builder-use-dash-for-time-format-separator.patch: Combination of the patch from upstream bug #698740 and upstream commit aa23783 to achieve the behaviour intended by successive upstream releases. (Closes: #850836) gnome-settings-daemon (3.14.2-3+deb8u1) jessie; urgency=medium . * Non-maintainer upload. * screenshot-utils-dont-use-spaces-or-colons-in-file.patch: Patch from upstream: https://bugzilla.gnome.org/show_bug.cgi?id=740520 Screenshots are often uploaded to web services or copied to (possibly FAT) external drives. Don't use characters that would be incompatible with those. (Closes: #850837) gnutls28 (3.3.8-6+deb8u5) jessie; urgency=medium . * Pull multiple fixes from gnutls_3_3_x branch: + 55_00_pkcs12-fixed-the-calculation-of-p_size.patch Fixed issue in PKCS#12 password encoding, which truncated passwords over 32-characters. Reported by Mario Klebsch. + 55_01_gnutls_x509_ext_import_proxy-fix-issue-reading-the-p.patch Fix double free in certificate information printing. If the PKIX extension proxy was set with a policy language set but no policy specified, that could lead to a double free. [GNUTLS-SA-2017-1] CVE-2017-5334 + 55_02_auth-rsa-eliminated-memory-leak-on-pkcs-1-formatting.patch Addressed memory leak in server side error path (issue found using oss-fuzz project) + 55_03_opencdk-Fixes-to-prevent-undefined-behavior-found-wi.patch 55_04_Do-not-infinite-loop-if-an-EOF-occurs-while-skipping.patch 55_05_Attempt-to-fix-a-leak-in-OpenPGP-cert-parsing.patch 55_06_Corrected-a-leak-in-OpenPGP-sub-packet-parsing.patch 55_07_opencdk-read_attribute-added-more-precise-checks-whe.patch 55_08_opencdk-cdk_pk_get_keyid-fix-stack-overflow.patch 55_09_opencdk-added-error-checking-in-the-stream-reading-f.patch 55_10_opencdk-improved-error-code-checking-in-the-stream-r.patch 55_11_opencdk-read-packet.c-corrected-typo-in-type-cast.patch Addressed memory leaks and an infinite loop in OpenPGP certificate parsing. Fixes by Alex Gaynor. (issues found using oss-fuzz project) Addressed invalid memory accesses in OpenPGP certificate parsing. (issues found using oss-fuzz project) [GNUTLS-SA-2017-2] CVE-2017-5335 / CVE-2017-5336 / CVE-2017-5337 + 55_12_gnutls_pkcs11_obj_list_import_url2-Always-return-an-.patch When returning success, but no elements, gnutls_pkcs11_obj_list_import_url4, could have returned zero number of elements with a pointer that was uninitialized. Ensure that an initialized (i.e., null in that case), pointer is always returned. + 55_13_cdk_pkt_read-enforce-packet-limits.patch Addressed integer overflow resulting to invalid memory write in OpenPGP certificate parsing. Issue found using oss-fuzz project: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=420 [GNUTLS-SA-2017-3A] CVE-2017-7869 + 55_14_opencdk-read_attribute-account-buffer-size.patch Addressed read of 1 byte past the end of buffer in OpenPGP certificate parsing. Issue found using oss-fuzz project: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=391 (This patch is from gnutls_3_5_x branch.) + 55_15_opencdk-do-not-parse-any-secret-keys-in-packet-when-.patch Addressed crashes in OpenPGP certificate parsing, related to private key parser. No longer allow OpenPGP certificates (public keys) to contain private key sub-packets. Issue found using oss-fuzz project: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=354 https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=360 [GNUTLS-SA-2017-3B] + 55_16_Enforce-the-max-packet-length-for-OpenPGP-subpackets.patch Addressed large allocation in OpenPGP certificate parsing, that could lead in out-of-memory condition. Issue found using oss-fuzz project, and was fixed by Alex Gaynor: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=392 [GNUTLS-SA-2017-3C] groovy (1.8.6-4+deb8u2) jessie; urgency=medium . * Team upload. * Fix CVE-2016-6814: It was found that a flaw in Apache Groovy, a dynamic language for the Java Virtual Machine, allows remote code execution wherever deserialization occurs in the application. It is possible for an attacker to craft a special serialized object that will execute code directly when deserialized. All applications which rely on serialization and do not isolate the code which deserializes objects are subject to this vulnerability. groovy2 (2.2.2+dfsg-3+deb8u2) jessie; urgency=medium . * Team upload. * Fix CVE-2016-6814: It was found that a flaw in Apache Groovy, a dynamic language for the Java Virtual Machine, allows remote code execution wherever deserialization occurs in the application. It is possible for an attacker to craft a special serialized object that will execute code directly when deserialized. All applications which rely on serialization and do not isolate the code which deserializes objects are subject to this vulnerability. gst-plugins-bad1.0 (1.4.4-2.1+deb8u2) jessie-security; urgency=medium . * debian/patches/0001-psdemux-Rewrite-PSM-parsing-using-GstByteReader.patch + The gst_ps_demux_parse_psm function in gst/mpegdemux/gstmpegdemux.c in gst-plugins-bad in GStreamer allows remote attackers to cause a denial of service (invalid memory read and crash) via vectors involving PSM parsing. https://bugzilla.gnome.org/show_bug.cgi?id=777957 . Fixes CVE-2017-5848 . * debian/patches/0002-mxfdemux-Set-stream-tags-to-NULL-after-unreffing.patch + Multiple use-after-free vulnerabilities in the (1) gst_mini_object_unref, (2) gst_tag_list_unref, and (3) gst_mxf_demux_update_essence_tracks functions in GStreamer before 1.10.3 allow remote attackers to cause a denial of service (crash) via vectors involving stream tags, as demonstrated by 02785736.mxf. https://bugzilla.gnome.org/show_bug.cgi?id=777503 . Fixes CVE-2017-5843 . * debian/patches/0003-mpegtssection-Fix-PAT-parsing.patch + The _parse_pat function in the mpegts parser in GStreamer before 1.10.2 allows remote attackers to cause a denial of service (NULL pointer dereference and crash) via a crafted file. https://bugzilla.gnome.org/show_bug.cgi?id=775120 . Fixes CVE-2016-9813 . * debian/patches/0004-mpegtssection-Add-more-section-size-checks.patch + The gst_mpegts_section_new function in the mpegts decoder in GStreamer before 1.10.2 allows remote attackers to cause a denial of service (out-of-bounds read) via a too small section. https://bugzilla.gnome.org/show_bug.cgi?id=775048 . Fixes CVE-2016-9812 . * debian/patches/0005-h264parse-Ensure-codec_data-has-the-required-size-wh.patch, debian/patches/0006-h265parse-Ensure-codec_data-has-the-required-size-wh.patch: + Off-by-one error in the gst_h264_parse_set_caps function in GStreamer before 1.10.2 allows remote attackers to have unspecified impact via a crafted file, which triggers an out-of-bounds read. https://bugzilla.gnome.org/show_bug.cgi?id=774896 . Fixes CVE-2016-9809 gst-plugins-base1.0 (1.4.4-2+deb8u1) jessie-security; urgency=medium . * debian/patches/0001-riff-media-Check-for-valid-channels-rate-before-usin.patch: + The gst_riff_create_audio_caps function in gst-libs/gst/riff/riff-media.c in gst-plugins-base in GStreamer before 1.10.3 allows remote attackers to cause a denial of service (floating point exception and crash) via a crafted ASF file. https://bugzilla.gnome.org/show_bug.cgi?id=777525 . Fixes CVE-2017-5837 . * debian/patches/0002-riff-media-Don-t-divide-block-align-by-zero-channels.patch: + The gst_riff_create_audio_caps function in gst-libs/gst/riff/riff-media.c in gst-plugins-base in GStreamer before 1.10.3 allows remote attackers to cause a denial of service (floating point exception and crash) via a crafted video file. https://bugzilla.gnome.org/show_bug.cgi?id=777262 . Fixes CVE-2017-5844 . * debian/patches/0003-riff-media-Don-t-recurse-in-for-nested-WAVEFORMATEX.patch: + The gst_riff_create_audio_caps function in gst-libs/gst/riff/riff-media.c in gst-plugins-base in GStreamer before 1.10.3 does not properly limit recursion, which allows remote attackers to cause a denial of service (stack overflow and crash) via vectors involving nested WAVEFORMATEX. https://bugzilla.gnome.org/show_bug.cgi?id=777265 . Fixes CVE-2017-5839 . * debian/patches/0004-samiparse-Check-that-the-string-has-a-non-zero-lengt.patch: + The html_context_handle_element function in gst/subparse/samiparse.c in gst-plugins-base in GStreamer before 1.10.3 allows remote attackers to cause a denial of service (out-of-bounds write) via a crafted SMI file, as demonstrated by OneNote_Manager.smi. https://bugzilla.gnome.org/show_bug.cgi?id=777502 . Fixes CVE-2017-5842 . * debian/patches/0005-typefind-bounds-check-windows-ico-detection.patch: + The windows_icon_typefind function in gst-plugins-base in GStreamer before 1.10.2, when G_SLICE is set to always-malloc, allows remote attackers to cause a denial of service (out-of-bounds read) via a crafted ico file. https://bugzilla.gnome.org/show_bug.cgi?id=774902 . Fixes CVE-2016-9811 gst-plugins-good1.0 (1.4.4-2+deb8u3) jessie-security; urgency=medium . * debian/patches/0001-aacparse-Make-sure-we-have-enough-data-in-the-codec_.patch: + The gst_aac_parse_sink_setcaps function in gst/audioparsers/gstaacparse.c in gst-plugins-good in GStreamer before 1.10.3 allows remote attackers to cause a denial of service (invalid memory read and crash) via a crafted audio file. https://bugzilla.gnome.org/show_bug.cgi?id=775450 . Fixes CVE-2016-10198 . * debian/patches/0002-avidemux-Fix-various-out-of-bounds-reads-when-parsin.patch: + The gst_avi_demux_parse_ncdt function in gst/avi/gstavidemux.c in gst-plugins-good in GStreamer before 1.10.3 allows remote attackers to cause a denial of service (out-of-bounds heap read) via vectors involving ncdt tags. https://bugzilla.gnome.org/show_bug.cgi?id=777500 . Fixes CVE-2017-5841 . * debian/patches/0003-avidemux-Stop-reading-a-ncdt-sub-tag-if-it-goes-behi.patch: + The gst_avi_demux_parse_ncdt function in gst/avi/gstavidemux.c in gst-plugins-good in GStreamer before 1.10.3 allows remote attackers to cause a denial of service (invalid memory read and crash) via a ncdt sub-tag that "goes behind" the surrounding tag. https://bugzilla.gnome.org/show_bug.cgi?id=777532 . Fixes CVE-2017-5845 . * debian/patches/0004-qtdemux-Fix-out-of-bounds-read-in-tag-parsing-code.patch: + The qtdemux_tag_add_str_full function in gst/isomp4/qtdemux.c in gst-plugins-good in GStreamer before 1.10.3 allows remote attackers to cause a denial of service (out-of-bounds read and crash) via a crafted tag value. https://bugzilla.gnome.org/show_bug.cgi?id=775451 . Fixes CVE-2016-10199 . * debian/patches/0005-qtdemux-Increment-current-stts-index-whenever-we-fin.patch: + The qtdemux_parse_samples function in gst/isomp4/qtdemux.c in gst-plugins-good in GStreamer before 1.10.3 allows remote attackers to cause a denial of service (out-of-bounds heap read) via vectors involving the current stts index. https://bugzilla.gnome.org/show_bug.cgi?id=777469 . Fixes CVE-2017-5840 gst-plugins-ugly1.0 (1.4.4-2+deb8u1) jessie-security; urgency=medium . * debian/patches/0001-asfdemux-Check-that-we-have-enough-data-available-be.patch: + The gst_asf_demux_process_ext_content_desc function in gst/asfdemux/gstasfdemux.c in gst-plugins-ugly in GStreamer allows remote attackers to cause a denial of service (out-of-bounds heap read) via vectors involving extended content descriptors. https://bugzilla.gnome.org/show_bug.cgi?id=777955 . Fixes CVE-2017-5847 . * debian/patches/0002-asfdemux-Reset-number-of-languages-to-0-when-freeing.patch: + The gst_asf_demux_process_ext_stream_props function in gst/asfdemux/gstasfdemux.c in gst-plugins-ugly in GStreamer before 1.10.3 allows remote attackers to cause a denial of service (invalid memory read and crash) via vectors related to the number of languages in a video file. https://bugzilla.gnome.org/show_bug.cgi?id=777937 . Fixes CVE-2017-5846 gstreamer1.0 (1.4.4-2+deb8u1) jessie-security; urgency=high . * debian/patches/0001-datetime-fix-potential-out-of-bound-read-on-malforme.patch: + The gst_date_time_new_from_iso8601_string function in gst/gstdatetime.c in GStreamer before 1.10.3 allows remote attackers to cause a denial of service (out-of-bounds heap read) via a malformed datetime string. https://bugzilla.gnome.org/show_bug.cgi?id=777263 . Fixes CVE-2017-5838 guile-2.0 (2.0.11+1-9+deb8u1) jessie; urgency=high . * Fix REPL server vulnerability (CVE-2016-8606). Add 0017-REPL-Server-Guard-against-HTTP-inter-protocol-exploi.patch to incorporate the fix. See that file for further information. (Closes: 840555) . * Fix mkdir umask-related vulnerability (CVE-2016-8605). Previously, whenever the second argument to mkdir was omitted, it would temporarily change the umask to 0, a change which would also affect any concurrent threads. Add 0018-Remove-umask-calls-from-mkdir.patch to incorporate the fix. See that file for further information. (Closes: 840556) hunspell-en-us (20070829-6+deb8u1) jessie-security; urgency=medium . * Non-maintainer upload. * Drop unversioned conflict on thunderbird icedove (1:45.8.0-3~deb8u1) jessie-security; urgency=medium . [ Carsten Schoenert ] * New upstream version 45.8.0: CVE-2017-5400: asm.js JIT-spray bypass of ASLR and DEP CVE-2017-5401: Memory Corruption when handling ErrorResult CVE-2017-5402: Use-after-free working with events in FontFace objects CVE-2017-5404: Use-after-free working with ranges in selections CVE-2017-5407: Pixel and history stealing via floating-point timing side channel with SVG filters CVE-2017-5410: Memory corruption during JavaScript garbage collection incremental sweeping CVE-2017-5408: Cross-origin reading of video captions in violation of CORS CVE-2017-5405: FTP response codes can cause use of uninitialized values for ports CVE-2017-5398: Memory safety bugs fixed in Thunderbird 45.8 CVE-2017-5375: Excessive JIT code allocation allows bypass of ASLR and DEP CVE-2017-5376: Use-after-free in XSL CVE-2017-5378: Pointer and frame data leakage of Javascript objects CVE-2017-5380: Potential use-after-free during DOM manipulations CVE-2017-5390: Insecure communication methods in Developer Tools JSON viewer CVE-2017-5396: Use-after-free with Media Decoder CVE-2017-5383: Location bar spoofing with unicode characters CVE-2017-5373: Memory safety bugs fixed in Thunderbird 45.7 * debian/rules: don't set MOZ_APP_PROFILE in jessie or wheezy. We don't need a special diffrent default profile folder in jessie or wheezy. We will use always ~/.thunderbird in all available releases. * tb-wrapper: call thunderbird starting with exec . [ Guido Günther ] * Register components in gbp.conf * Drop superfluous iceowl-l10n files * Copy-edit thunderbird-wrapper-helper.sh . icedove (1:45.8.0-3) unstable; urgency=medium . [ Carsten Schoenert ] * [d923505] AppArmor: be more flexible on profile folders (Closes: #858735, #858737) * [1e04099] tb-wrapper: use readlink also on ${ID_PROFILE_FOLDER} (Closes: #858771) * [9f6b771] tb-wrapper: correct check for -dbg package (Closes: #858804) * [8b5271a] rebuild patch queue from patch-queue branch added patches: - fixes/Bug-1273020-Add-missing-null-checks-in-ApplicationAccessi.patch . icedove (1:45.8.0-2) unstable; urgency=medium . [ Carsten Schoenert ] * [c2a1d77] tb-helper: pass arguments correctly through tb call (Closes: #855334) * [5c49348] rebuild patch queue from patch-queue branch added patches: - fixes/Bug-1340724-fix-SMTP-server-name-output-in-SMTP-logging.patch (Closes: #855470) * [9d420c0] Revert "register MIME type application/octet-stream for Thunderbird" (Closes: #857755) * [c9960e5] tb-helper: pass arguments by using a array to TB call . icedove (1:45.8.0-1) unstable; urgency=medium . [ Carsten Schoenert ] * [3388899] New upstream version 45.8.0 * [24d25e9] tb-helper*: fix up that silly comments behind the if statement (Closes: #857029, #857032, #857098, #857112) * [788b7fa] bash-completion: adding a completion script for /u/b/thunderbird * [9ac9d07] rebuild patch queue from patch-queue branch added patches: - p-arm64/Bug-1091515-Don-t-set-64KB-page-size-on-aarch64.-r-glandi.patch - p-arm64/Bug-1257055-Use-jit-arm64-Architecture-arm64.h-on-non-JIT.patch * [ad0860b] copyright: small updates reflecting upstream changes . [ Christoph Goehre ] * [69577cf] lintian: replace hardlink in thunderbird-dev with symbolic link . icedove (1:45.7.1-2) unstable; urgency=medium . [ Christoph Goehre ] * [5e2c618] crashreporter: build only on amd64, armel, armhf and i386 * [36a922f] Apparmor: replace '·' with spaces (Closes: #855343) * [bbbc917] rebuild patch queue from patch-queue branch added patches: - p-hppa/FTBFS-hppa-xpcshell-segfaulting-during-make-install.patch * [8b5d601] icedove|thunderbird.desktop: update danish (da) translation . [ Carsten Schoenert ] * [f8debbd] debian/control: separate transitional mark by extra line (Closes: #855806) * [583c798] {tb,id}.maintscript: modify start-version (Closes: #854587) * [94e557c] thunderbird: adding x11-utils to Depends (Closes: #854488) * [dc878e7] thunderbird-wrapper.sh: fix command line transfer to TB (Closes: #855334) * [9734349] thunderbird helper: split helper function into extra file (Closes: #855286) * [3089a97] tb-helper*: wrapping X11 dialog calls * [e0331e1] tb-helper*: rework option parsing for wrapper script (Closes: #855872) * [31d9899] thunderbird.postinst: try to remove empty profile folder (Closes: #855228) * [c9e5b70] tb-wrapper*: complete rework and moving over for symlinking (Closes: #855265, #855391, #855501, #856490) * [9ef920f] README.Debian: adopt content to current wrapper script behavior * [4cf88e5] icedove|thunderbird.desktop: adopt binary call * [101e0ad] tb-helper*: call subfunctions not within the case loop * [c061107] register MIME type application/octet-stream for Thunderbird . icedove (1:45.7.1-1) unstable; urgency=medium . * Bye-bye Icedove (Closes: #749965, #776359, #816679, #363811) . [ Carsten Schoenert ] * [90c0d6f] New upstream version 45.7.1 * [a6d21de] rebuild patch queue from patch-queue branch added patches: - fixes/Bug-497488-Implement-verify-mode-in-the-subscribe-dialog-.patch - fixes/Bug-497488-RSS-feeds-with-an-invalid-certificate-fail-wit-1.patch - fixes/Bug-497488-RSS-feeds-with-an-invalid-certificate-fail-wit.patch (Closes: #837177) removed patches (fixed upstream): - debian-hacks/icu.m4-adding-extra-bracket-to-not-confuse-grep.patch * [8572e34] lintian: adding a semi automated lintian-override * [aa2bda2] crashreporter: enable the reporter for thunderbird * [b96ae57] move icedove.desktop into package icedove (Closes: #850865, #851829) * [304921f] debian/rules: set SHELL explicit to /bin/bash (Closes: #852867) * [072b899] thunderbird: adding extra check while migration * [284912d] debian/README.Debian: update after recent changes * [6dc7e32] icedove-l10n-bn-bd: fix typo in Depends field (Closes: #854135) * [c5d4bf5] {tb,id}.maintscript: modify start-version (Closes: #854587) * [f3d64ae] thunderbird-wrapper.sh: adding extra information window (Closes: #854488) * [6b432c7] README.Debian: hint about issue in global configuration . [ Douglas Bagnall ] * [e2c8a23] Apparmor: allowing exo-open-ixr launcher (Closes: #853929) . [ Christoph Goehre ] * [ef36e0b] thunderbird-wrapper.sh: fix typos * [f98d5d1] thunderbird-wrapper.sh: add small changes from Guido and Carsten * [7dd6841] README.Debian: fix/correct spelling * [e038694] debian/control: remove depends-on-essential-package 'sed' . [ Jens Reyer ] * [ea58e17] thunderbird-wrapper.sh: add extra function for migration (Closes: #849592) . icedove (1:45.6.0-3) experimental; urgency=medium . [ Carsten Schoenert ] * [78b3296] rebuild patch queue from patch-queue branch added patch: - debian-hacks/icu.m4-adding-extra-bracket-to-not-confuse-grep.patch * [a272f85] thunderbird-wrapper.sh: also migrate mimeapps.list (Closes: #850864) * [3d4e303] icedove.desktop: don't use categories and mimetypes (Closes: #850866) * [db15d43] icedove: link icedove to thunderbird * [59a9e05] debian/control: change Replaces and Breaks versions . [ Christoph Goehre ] * [55cce4a] thunderbird-wrapper.sh: remove 'set -e' icedove (1:45.8.0-3~deb7u1) wheezy-security; urgency=medium . * New upstream version 45.8.0: CVE-2017-5400: asm.js JIT-spray bypass of ASLR and DEP CVE-2017-5401: Memory Corruption when handling ErrorResult CVE-2017-5402: Use-after-free working with events in FontFace objects CVE-2017-5404: Use-after-free working with ranges in selections CVE-2017-5407: Pixel and history stealing via floating-point timing side channel with SVG filters CVE-2017-5410: Memory corruption during JavaScript garbage collection incremental sweeping CVE-2017-5408: Cross-origin reading of video captions in violation of CORS CVE-2017-5405: FTP response codes can cause use of uninitialized values for ports CVE-2017-5398: Memory safety bugs fixed in Thunderbird 45.8 CVE-2017-5375: Excessive JIT code allocation allows bypass of ASLR and DEP CVE-2017-5376: Use-after-free in XSL CVE-2017-5378: Pointer and frame data leakage of Javascript objects CVE-2017-5380: Potential use-after-free during DOM manipulations CVE-2017-5390: Insecure communication methods in Developer Tools JSON viewer CVE-2017-5396: Use-after-free with Media Decoder CVE-2017-5383: Location bar spoofing with unicode characters CVE-2017-5373: Memory safety bugs fixed in Thunderbird 45.7 * Switch back to debhelper version 9 * dh-exec: avoid multiple spaces around filenames since they break the wheezy version of dh-exec * Drop crash reporter. The syntax is not supported by dh-exec and we don't want to send reports from weezy to Mozilla. * Don't drop deps on libspr,nss * Drop replaces on packages no longer in any release * Copy-edit thunderbird-wrapper-helper.sh . icedove (1:45.8.0-3) unstable; urgency=medium . [ Carsten Schoenert ] * [d923505] AppArmor: be more flexible on profile folders (Closes: #858735, #858737) * [1e04099] tb-wrapper: use readlink also on ${ID_PROFILE_FOLDER} (Closes: #858771) * [9f6b771] tb-wrapper: correct check for -dbg package (Closes: #858804) * [8b5271a] rebuild patch queue from patch-queue branch added patches: - fixes/Bug-1273020-Add-missing-null-checks-in-ApplicationAccessi.patch . icedove (1:45.8.0-2) unstable; urgency=medium . [ Carsten Schoenert ] * [c2a1d77] tb-helper: pass arguments correctly through tb call (Closes: #855334) * [5c49348] rebuild patch queue from patch-queue branch added patches: - fixes/Bug-1340724-fix-SMTP-server-name-output-in-SMTP-logging.patch (Closes: #855470) * [9d420c0] Revert "register MIME type application/octet-stream for Thunderbird" (Closes: #857755) * [c9960e5] tb-helper: pass arguments by using a array to TB call . icedove (1:45.8.0-1) unstable; urgency=medium . [ Carsten Schoenert ] * [3388899] New upstream version 45.8.0 * [24d25e9] tb-helper*: fix up that silly comments behind the if statement (Closes: #857029, #857032, #857098, #857112) * [788b7fa] bash-completion: adding a completion script for /u/b/thunderbird * [9ac9d07] rebuild patch queue from patch-queue branch added patches: - p-arm64/Bug-1091515-Don-t-set-64KB-page-size-on-aarch64.-r-glandi.patch - p-arm64/Bug-1257055-Use-jit-arm64-Architecture-arm64.h-on-non-JIT.patch * [ad0860b] copyright: small updates reflecting upstream changes . [ Christoph Goehre ] * [69577cf] lintian: replace hardlink in thunderbird-dev with symbolic link . icedove (1:45.7.1-2) unstable; urgency=medium . [ Christoph Goehre ] * [5e2c618] crashreporter: build only on amd64, armel, armhf and i386 * [36a922f] Apparmor: replace '·' with spaces (Closes: #855343) * [bbbc917] rebuild patch queue from patch-queue branch added patches: - p-hppa/FTBFS-hppa-xpcshell-segfaulting-during-make-install.patch * [8b5d601] icedove|thunderbird.desktop: update danish (da) translation . [ Carsten Schoenert ] * [f8debbd] debian/control: separate transitional mark by extra line (Closes: #855806) * [583c798] {tb,id}.maintscript: modify start-version (Closes: #854587) * [94e557c] thunderbird: adding x11-utils to Depends (Closes: #854488) * [dc878e7] thunderbird-wrapper.sh: fix command line transfer to TB (Closes: #855334) * [9734349] thunderbird helper: split helper function into extra file (Closes: #855286) * [3089a97] tb-helper*: wrapping X11 dialog calls * [e0331e1] tb-helper*: rework option parsing for wrapper script (Closes: #855872) * [31d9899] thunderbird.postinst: try to remove empty profile folder (Closes: #855228) * [c9e5b70] tb-wrapper*: complete rework and moving over for symlinking (Closes: #855265, #855391, #855501, #856490) * [9ef920f] README.Debian: adopt content to current wrapper script behavior * [4cf88e5] icedove|thunderbird.desktop: adopt binary call * [101e0ad] tb-helper*: call subfunctions not within the case loop * [c061107] register MIME type application/octet-stream for Thunderbird . icedove (1:45.7.1-1) unstable; urgency=medium . * Bye-bye Icedove (Closes: #749965, #776359, #816679, #363811) . [ Carsten Schoenert ] * [90c0d6f] New upstream version 45.7.1 * [a6d21de] rebuild patch queue from patch-queue branch added patches: - fixes/Bug-497488-Implement-verify-mode-in-the-subscribe-dialog-.patch - fixes/Bug-497488-RSS-feeds-with-an-invalid-certificate-fail-wit-1.patch - fixes/Bug-497488-RSS-feeds-with-an-invalid-certificate-fail-wit.patch (Closes: #837177) removed patches (fixed upstream): - debian-hacks/icu.m4-adding-extra-bracket-to-not-confuse-grep.patch * [8572e34] lintian: adding a semi automated lintian-override * [aa2bda2] crashreporter: enable the reporter for thunderbird * [b96ae57] move icedove.desktop into package icedove (Closes: #850865, #851829) * [304921f] debian/rules: set SHELL explicit to /bin/bash (Closes: #852867) * [072b899] thunderbird: adding extra check while migration * [284912d] debian/README.Debian: update after recent changes * [6dc7e32] icedove-l10n-bn-bd: fix typo in Depends field (Closes: #854135) * [c5d4bf5] {tb,id}.maintscript: modify start-version (Closes: #854587) * [f3d64ae] thunderbird-wrapper.sh: adding extra information window (Closes: #854488) * [6b432c7] README.Debian: hint about issue in global configuration . [ Douglas Bagnall ] * [e2c8a23] Apparmor: allowing exo-open-ixr launcher (Closes: #853929) . [ Christoph Goehre ] * [ef36e0b] thunderbird-wrapper.sh: fix typos * [f98d5d1] thunderbird-wrapper.sh: add small changes from Guido and Carsten * [7dd6841] README.Debian: fix/correct spelling * [e038694] debian/control: remove depends-on-essential-package 'sed' . [ Jens Reyer ] * [ea58e17] thunderbird-wrapper.sh: add extra function for migration (Closes: #849592) . icedove (1:45.6.0-3) experimental; urgency=medium . [ Carsten Schoenert ] * [78b3296] rebuild patch queue from patch-queue branch added patch: - debian-hacks/icu.m4-adding-extra-bracket-to-not-confuse-grep.patch * [a272f85] thunderbird-wrapper.sh: also migrate mimeapps.list (Closes: #850864) * [3d4e303] icedove.desktop: don't use categories and mimetypes (Closes: #850866) * [db15d43] icedove: link icedove to thunderbird * [59a9e05] debian/control: change Replaces and Breaks versions . [ Christoph Goehre ] * [55cce4a] thunderbird-wrapper.sh: remove 'set -e' icedove (1:45.8.0-2) unstable; urgency=medium . [ Carsten Schoenert ] * [c2a1d77] tb-helper: pass arguments correctly through tb call (Closes: #855334) * [5c49348] rebuild patch queue from patch-queue branch added patches: - fixes/Bug-1340724-fix-SMTP-server-name-output-in-SMTP-logging.patch (Closes: #855470) * [9d420c0] Revert "register MIME type application/octet-stream for Thunderbird" (Closes: #857755) * [c9960e5] tb-helper: pass arguments by using a array to TB call icedove (1:45.8.0-1) unstable; urgency=medium . [ Carsten Schoenert ] * [3388899] New upstream version 45.8.0 * [24d25e9] tb-helper*: fix up that silly comments behind the if statement (Closes: #857029, #857032, #857098, #857112) * [788b7fa] bash-completion: adding a completion script for /u/b/thunderbird * [9ac9d07] rebuild patch queue from patch-queue branch added patches: - p-arm64/Bug-1091515-Don-t-set-64KB-page-size-on-aarch64.-r-glandi.patch - p-arm64/Bug-1257055-Use-jit-arm64-Architecture-arm64.h-on-non-JIT.patch * [ad0860b] copyright: small updates reflecting upstream changes . [ Christoph Goehre ] * [69577cf] lintian: replace hardlink in thunderbird-dev with symbolic link icedove (1:45.7.1-2) unstable; urgency=medium . [ Christoph Goehre ] * [5e2c618] crashreporter: build only on amd64, armel, armhf and i386 * [36a922f] Apparmor: replace '·' with spaces (Closes: #855343) * [bbbc917] rebuild patch queue from patch-queue branch added patches: - p-hppa/FTBFS-hppa-xpcshell-segfaulting-during-make-install.patch * [8b5d601] icedove|thunderbird.desktop: update danish (da) translation . [ Carsten Schoenert ] * [f8debbd] debian/control: separate transitional mark by extra line (Closes: #855806) * [583c798] {tb,id}.maintscript: modify start-version (Closes: #854587) * [94e557c] thunderbird: adding x11-utils to Depends (Closes: #854488) * [dc878e7] thunderbird-wrapper.sh: fix command line transfer to TB (Closes: #855334) * [9734349] thunderbird helper: split helper function into extra file (Closes: #855286) * [3089a97] tb-helper*: wrapping X11 dialog calls * [e0331e1] tb-helper*: rework option parsing for wrapper script (Closes: #855872) * [31d9899] thunderbird.postinst: try to remove empty profile folder (Closes: #855228) * [c9e5b70] tb-wrapper*: complete rework and moving over for symlinking (Closes: #855265, #855391, #855501, #856490) * [9ef920f] README.Debian: adopt content to current wrapper script behavior * [4cf88e5] icedove|thunderbird.desktop: adopt binary call * [101e0ad] tb-helper*: call subfunctions not within the case loop * [c061107] register MIME type application/octet-stream for Thunderbird icedove (1:45.7.1-1) unstable; urgency=medium . * Bye-bye Icedove (Closes: #749965, #776359, #816679, #363811) . [ Carsten Schoenert ] * [90c0d6f] New upstream version 45.7.1 * [a6d21de] rebuild patch queue from patch-queue branch added patches: - fixes/Bug-497488-Implement-verify-mode-in-the-subscribe-dialog-.patch - fixes/Bug-497488-RSS-feeds-with-an-invalid-certificate-fail-wit-1.patch - fixes/Bug-497488-RSS-feeds-with-an-invalid-certificate-fail-wit.patch (Closes: #837177) removed patches (fixed upstream): - debian-hacks/icu.m4-adding-extra-bracket-to-not-confuse-grep.patch * [8572e34] lintian: adding a semi automated lintian-override * [aa2bda2] crashreporter: enable the reporter for thunderbird * [b96ae57] move icedove.desktop into package icedove (Closes: #850865, #851829) * [304921f] debian/rules: set SHELL explicit to /bin/bash (Closes: #852867) * [072b899] thunderbird: adding extra check while migration * [284912d] debian/README.Debian: update after recent changes * [6dc7e32] icedove-l10n-bn-bd: fix typo in Depends field (Closes: #854135) * [c5d4bf5] {tb,id}.maintscript: modify start-version (Closes: #854587) * [f3d64ae] thunderbird-wrapper.sh: adding extra information window (Closes: #854488) * [6b432c7] README.Debian: hint about issue in global configuration . [ Douglas Bagnall ] * [e2c8a23] Apparmor: allowing exo-open-ixr launcher (Closes: #853929) . [ Christoph Goehre ] * [ef36e0b] thunderbird-wrapper.sh: fix typos * [f98d5d1] thunderbird-wrapper.sh: add small changes from Guido and Carsten * [7dd6841] README.Debian: fix/correct spelling * [e038694] debian/control: remove depends-on-essential-package 'sed' . [ Jens Reyer ] * [ea58e17] thunderbird-wrapper.sh: add extra function for migration (Closes: #849592) . icedove (1:45.6.0-3) experimental; urgency=medium . [ Carsten Schoenert ] * [78b3296] rebuild patch queue from patch-queue branch added patch: - debian-hacks/icu.m4-adding-extra-bracket-to-not-confuse-grep.patch * [a272f85] thunderbird-wrapper.sh: also migrate mimeapps.list (Closes: #850864) * [3d4e303] icedove.desktop: don't use categories and mimetypes (Closes: #850866) * [db15d43] icedove: link icedove to thunderbird * [59a9e05] debian/control: change Replaces and Breaks versions . [ Christoph Goehre ] * [55cce4a] thunderbird-wrapper.sh: remove 'set -e' . icedove (1:45.6.0-1) experimental; urgency=medium . [ Carsten Schoenert ] * [26f8f2d] New upstream version 45.6.0 * [15b7797] iceowl-l10n-*: rearrange Recommends field for various packages (Closes: #824727, #824750, #824763, #824764, #824768, #824780) * [3f75b56] debian/vendor.js: adjust to new version related wiki site * [6bd7f89] d/c-id-l10n: adjusting download URL for stable versions * [f15d1a2] icedove-l10n-all: change Section into metapackages (Closes: #824785) * [25c3ba1] debian/README.source: info about import of multitarballs * [3ebcf59] debian/control: adding Recommends to icedove-l10n-uk (Closes: #825806) * [3e57d5e] debian/control: Icedove, adding dependency on libatk-adaptor * [e19c59d] debian/control: rework Recommends for icedove-l10n-* * [4741d80] debian/control: small fixup Recommends on iceowl-l10n-* * [f9f5193] debian/control: sort iceowl-l10n-* alphabetical * [5220187] de-branding: move iceowl* back to lightning* * [6e28ce5] de-branding: remove Icedove naming from icedove-l10n* * [3dc3b4b] de-branding: remove Icedove branding in the main binary * [8b715cf] de-branding: remove hard name branding in addon managger * [9f609fa] de-branding: adopting dh files for icedove package * [caba322] de-branding: adopting dh files for icedove-dev package * [6538f66] de-branding: change debian/rules to reflect appname change * [871588d] de-branding: adopting dh files for iceowl-extension package * [a0b20e7] debian/tests/*: adopt change of the binary icedove * [29025cc] de-branding: adjust icedove-l10n installation folder * [2b8dd99] de-branding: adjust iceowl-l10n installation folder * [1f3043c] de-branding: remove the Debian visual branding * [272e420] de-branding: removing icedove branding files and folder * [093bc58] de-branding: revitalize *.desktop file with Thunderbird * [4a35d9d] de-branding: move iceowl-l10n-* into lightning-l10n-* * [68d8d79] de-branding: adding transitional iceowl-l10n packages * [4b2febd] de-branding: adding 'Breaks', 'Replaces', 'Provides' to lightning-l10n-* * [9cdb427] de-branding: rework d/r to reflect changes for lightning-l10n * [ec3b427] de-branding: move icedove-l10n-* into thunderbird-l10n-* * [387bfa2] de-branding: adding transitional icedove-l10n packages * [f3cfecb] de-branding: adding 'Breaks', 'Replaces', 'Provides' to thunderbird-l10n-* * [03b222e] de-branding: rework d/r to reflect changes for thunderbird-l10n * [0c9a6ab] de-branding: (re)adding a wrapper script for TB starting * [f9c8aef] de-branding: move icedove-dev to thunderbird-dev * [a4313e6] de-branding: adding transitional icedove-dev package * [0508866] de-branding: rework d/r to reflect changes for thunderbird-dev * [048b29f] de-branding: move icedove-dbg to thunderbird-dbg * [da01077] de-branding: adding transitional icedove-dbg package * [a371079] de-branding: rework d/r to reflect changes for thunderbird-dbg * [b34b8f8] de-branding: move iceowl-extension to lightning * [fa8f9b3] de-branding: adding transitional iceowl-extension package * [848f178] de-branding: rework d/r to reflect changes for lightning * [a708c35] de-branding: move icedove to thunderbird * [cccef90] de-branding: moving icedove dh files into thunderbird * [8c2b27d] de-branding: rework icedove.1 into thunderbird.1 * [19406fe] de-branding: transition of mozconfig.* * [88ed684] de-branding: rework d/r to reflect changes for thunderbird * [c8011d3] de-branding: adding transitional icedove package * [5e399aa] de-branding: adjusting package calendar-google-provider * [a03329c] debian/tests/help.sh: use absolute path for binary call * [10adb34] move old icedove graphic stuff into own folder * [abc6c8c] create various thunderbird png graphics from SVG file * [a2067ae] debian/copyright: update copyright information * [a9c6f9f] de-branding: add own created thunderbird icons to install * [1d8b524] mozconfig.default: enable the official brandind * [9f3a673] debian/control: adding dh-exec to the Build-Depends * [cddbc63] move Thunderbird install files into thunderbird.install * [5037bb5] de-branding: transition of apparmor profile for TB * [14f094d] de-branding: remove extra URL for What's New inside * [c2a06db] manpage thunderbird; adjust and correct manpage entries * [8fa3365] debian/control: adding package dpkg to Build-Depends * [ba84ede] thunderbird: switching dpkg-maintscript-helper to *.maintscript * [d0e675b] debian/thunderbird.postinst: adding some moving mechanism * [cbae415] de-branding: let helper scripts reflect thunderbird change * [da402a4] thunderbird-wrapper.sh: adding fixing inside mimeTypes.rdf (Closes: #837516) * [030d49e] de-branding: adding some hints about the debranding * [662f7af] debian/README.source: adjusting hints due name changes * [8fbedc1] debian/thunderbird.install: install additional icedove.desktop * [9089d9f] debian/*lintian-overrides: adopt name changes * [b9b7665] debian/rules: use the old profile folder for wheezy and jessie * [f9c137e] fix *.desktop files for proper GNOME app mechanism (Closes: #817973, #832302) * [1c85ff7] debian/rules: chmod certain *.py tb-devel files * [356694a] thunderbird.links: linking the default TB icon to u/s/p . [ Guido Günther ] * [24bbee9] Wrap and sort control information (Closes: #825806) * [fcfe4ac] Add minimalistic autopkgtest * [f7a32e8] Add autopkgtest to test header and typelib generation * [189d835] Add autopkgtest to smoke test xpcshell . [ Christoph Goehre ] * [354f836] turn the reduce of memory usage of the linker on again * [5e48e17] don't build dbgsym packages on unreleased builds * [09679eb] rebuild patch queue from patch-queue branch (Closes: #808183) * [ec3a50b] debian/NEWS: change urgency to medium icedove (1:45.6.0-3) experimental; urgency=medium . [ Carsten Schoenert ] * [78b3296] rebuild patch queue from patch-queue branch added patch: - debian-hacks/icu.m4-adding-extra-bracket-to-not-confuse-grep.patch * [a272f85] thunderbird-wrapper.sh: also migrate mimeapps.list (Closes: #850864) * [3d4e303] icedove.desktop: don't use categories and mimetypes (Closes: #850866) * [db15d43] icedove: link icedove to thunderbird * [59a9e05] debian/control: change Replaces and Breaks versions . [ Christoph Goehre ] * [55cce4a] thunderbird-wrapper.sh: remove 'set -e' icedove (1:45.6.0-2) unstable; urgency=medium . [ Carsten Schoenert ] * [26f8f2d] New upstream version 45.6.0 (Closes: #850164) * [2d1d517] rebuild patch queue from patch-queue branch icedove (1:45.6.0-1) experimental; urgency=medium . [ Carsten Schoenert ] * [26f8f2d] New upstream version 45.6.0 * [15b7797] iceowl-l10n-*: rearrange Recommends field for various packages (Closes: #824727, #824750, #824763, #824764, #824768, #824780) * [3f75b56] debian/vendor.js: adjust to new version related wiki site * [6bd7f89] d/c-id-l10n: adjusting download URL for stable versions * [f15d1a2] icedove-l10n-all: change Section into metapackages (Closes: #824785) * [25c3ba1] debian/README.source: info about import of multitarballs * [3ebcf59] debian/control: adding Recommends to icedove-l10n-uk (Closes: #825806) * [3e57d5e] debian/control: Icedove, adding dependency on libatk-adaptor * [e19c59d] debian/control: rework Recommends for icedove-l10n-* * [4741d80] debian/control: small fixup Recommends on iceowl-l10n-* * [f9f5193] debian/control: sort iceowl-l10n-* alphabetical * [5220187] de-branding: move iceowl* back to lightning* * [6e28ce5] de-branding: remove Icedove naming from icedove-l10n* * [3dc3b4b] de-branding: remove Icedove branding in the main binary * [8b715cf] de-branding: remove hard name branding in addon managger * [9f609fa] de-branding: adopting dh files for icedove package * [caba322] de-branding: adopting dh files for icedove-dev package * [6538f66] de-branding: change debian/rules to reflect appname change * [871588d] de-branding: adopting dh files for iceowl-extension package * [a0b20e7] debian/tests/*: adopt change of the binary icedove * [29025cc] de-branding: adjust icedove-l10n installation folder * [2b8dd99] de-branding: adjust iceowl-l10n installation folder * [1f3043c] de-branding: remove the Debian visual branding * [272e420] de-branding: removing icedove branding files and folder * [093bc58] de-branding: revitalize *.desktop file with Thunderbird * [4a35d9d] de-branding: move iceowl-l10n-* into lightning-l10n-* * [68d8d79] de-branding: adding transitional iceowl-l10n packages * [4b2febd] de-branding: adding 'Breaks', 'Replaces', 'Provides' to lightning-l10n-* * [9cdb427] de-branding: rework d/r to reflect changes for lightning-l10n * [ec3b427] de-branding: move icedove-l10n-* into thunderbird-l10n-* * [387bfa2] de-branding: adding transitional icedove-l10n packages * [f3cfecb] de-branding: adding 'Breaks', 'Replaces', 'Provides' to thunderbird-l10n-* * [03b222e] de-branding: rework d/r to reflect changes for thunderbird-l10n * [0c9a6ab] de-branding: (re)adding a wrapper script for TB starting * [f9c8aef] de-branding: move icedove-dev to thunderbird-dev * [a4313e6] de-branding: adding transitional icedove-dev package * [0508866] de-branding: rework d/r to reflect changes for thunderbird-dev * [048b29f] de-branding: move icedove-dbg to thunderbird-dbg * [da01077] de-branding: adding transitional icedove-dbg package * [a371079] de-branding: rework d/r to reflect changes for thunderbird-dbg * [b34b8f8] de-branding: move iceowl-extension to lightning * [fa8f9b3] de-branding: adding transitional iceowl-extension package * [848f178] de-branding: rework d/r to reflect changes for lightning * [a708c35] de-branding: move icedove to thunderbird * [cccef90] de-branding: moving icedove dh files into thunderbird * [8c2b27d] de-branding: rework icedove.1 into thunderbird.1 * [19406fe] de-branding: transition of mozconfig.* * [88ed684] de-branding: rework d/r to reflect changes for thunderbird * [c8011d3] de-branding: adding transitional icedove package * [5e399aa] de-branding: adjusting package calendar-google-provider * [a03329c] debian/tests/help.sh: use absolute path for binary call * [10adb34] move old icedove graphic stuff into own folder * [abc6c8c] create various thunderbird png graphics from SVG file * [a2067ae] debian/copyright: update copyright information * [a9c6f9f] de-branding: add own created thunderbird icons to install * [1d8b524] mozconfig.default: enable the official brandind * [9f3a673] debian/control: adding dh-exec to the Build-Depends * [cddbc63] move Thunderbird install files into thunderbird.install * [5037bb5] de-branding: transition of apparmor profile for TB * [14f094d] de-branding: remove extra URL for What's New inside * [c2a06db] manpage thunderbird; adjust and correct manpage entries * [8fa3365] debian/control: adding package dpkg to Build-Depends * [ba84ede] thunderbird: switching dpkg-maintscript-helper to *.maintscript * [d0e675b] debian/thunderbird.postinst: adding some moving mechanism * [cbae415] de-branding: let helper scripts reflect thunderbird change * [da402a4] thunderbird-wrapper.sh: adding fixing inside mimeTypes.rdf (Closes: #837516) * [030d49e] de-branding: adding some hints about the debranding * [662f7af] debian/README.source: adjusting hints due name changes * [8fbedc1] debian/thunderbird.install: install additional icedove.desktop * [9089d9f] debian/*lintian-overrides: adopt name changes * [b9b7665] debian/rules: use the old profile folder for wheezy and jessie * [f9c137e] fix *.desktop files for proper GNOME app mechanism (Closes: #817973, #832302) * [1c85ff7] debian/rules: chmod certain *.py tb-devel files * [356694a] thunderbird.links: linking the default TB icon to u/s/p . [ Guido Günther ] * [24bbee9] Wrap and sort control information (Closes: #825806) * [fcfe4ac] Add minimalistic autopkgtest * [f7a32e8] Add autopkgtest to test header and typelib generation * [189d835] Add autopkgtest to smoke test xpcshell . [ Christoph Goehre ] * [354f836] turn the reduce of memory usage of the linker on again * [5e48e17] don't build dbgsym packages on unreleased builds * [09679eb] rebuild patch queue from patch-queue branch (Closes: #808183) * [ec3a50b] debian/NEWS: change urgency to medium icedove (1:45.6.0-1~deb8u1) stable-security; urgency=medium . [ Carsten Schoenert ] * [26f8f2d] New upstream version 45.6.0 - MFSA 2016-96 aka CVE-2016-9899, CVE-2016-9895, CVE-2016-9897, CVE-2016-9898, CVE-2016-9900, CVE-2016-9904, CVE-2016-9905, CVE-2016-9893 icedove (1:45.5.1-1) unstable; urgency=medium . [ Carsten Schoenert ] * [efe836f] New upstream version 45.5.1 * [48999ac] rebuild patch queue from patch-queue branch icedove (1:45.5.1-1~deb8u1) stable-security; urgency=medium . [ Carsten Schoenert ] * [efe836f] New upstream version 45.5.1 - MFSA 2016-92 aka CVE-2016-9079 - MFSA 2016-93 aka CVE-2016-5296, CVE-2016-5294, CVE-2016-5297, CVE-2016-9066, CVE-2016-5291, CVE-2016-9074, CVE-2016-5290 icedove (1:45.5.0-1) unstable; urgency=medium . [ Guido Günther ] * [d077f46] Copy edit README.source * [52269b9] repack.py: Improve help output . [ Carsten Schoenert ] * [dcd7d9f] New upstream version 45.5.0 * [03c11f1] debian/control: increase B-D on libnss3-dev * [a6cabae] lintian-overrides: expand and move source overrides * [7532930] debhelper: increase version and compatibility to v9 icedove (1:45.4.0-1) unstable; urgency=medium . [ Guido Günther ] * [a159bc9] autopkgtests: let xfvb-run pick the port to avoid clashes with already running servers * [a159bc9] autopkgtests: let xfvb-run pick the port * [5384838] Snapshot 1:45.3.0-1~1.gbpa159bc * [8d3ac18] autopkgtest: Dont print on stderr * [8afc7be] Put test deps on a simgle line . [ Carsten Schoenert ] * [99e9c40] New upstream version 45.4.0 (Closes: #835866, #836798, #837107) * [6195d7b] debian/README.source: update instructions for importing * [5150624] debian/icedove.js: disabling baselinejit functionality (Closes: #837930) icedove (1:45.4.0-1~deb8u1) stable-security; urgency=medium . [ Carsten Schoenert ] * [99e9c40] New upstream version 45.4.0 * [d68e169] debian/icedove.js: disabling baselinejit functionality (Closes: #837930) icedove (1:45.3.0-1) unstable; urgency=medium . [ Carsten Schoenert ] * [3cc29ee] Imported Upstream version 45.3.0 * [ed8cf89] Imported icedove-l10n Upstream version 45.3.0 * [bc20676] Imported iceowl-l10n Upstream version 45.3.0 * [54bd9c4] debian/README.source: fix up some hints * [756ec86] mozconfig.default: enable build of PIE binaries * [1cef6f8] rebuild patch queue from patch-queue branch added patch: - porting-mips/libyuv_disable-mips-assembly-for-MIPS64.patch (Closes: #836400) * [7a1ec74] AppArmor: grant access to local mailboxes and enigmail(2) (Closes: #837656) icoutils (0.31.0-2+deb8u3) jessie-security; urgency=medium . * CVE-2017-6009 CVE-2017-6010 CVE-2017-6011 icoutils (0.31.0-2+deb8u2) jessie-security; urgency=high . * Non-maintainer upload by the Security Team. * wrestool: Make check_offset more stringent (CVE-2017-5331) * prevent access to unallocated memory in wrestool (CVE-2017-5332) * wrestool: Fix an index, additional check (CVE-2017-5332 CVE-2017-5333) icoutils (0.31.0-2+deb8u1) jessie-security; urgency=medium . * Fix security issue in wrestool, patch by Colin Watson icu (52.1-8+deb8u5) jessie-security; urgency=high . * Backport upstream security fix for CVE-2017-7867 and CVE-2017-7868, heap-buffer-overflow in utf8TextAccess. ikiwiki (3.20141016.4) jessie-security; urgency=high . * Reference CVE-2016-4561 in 3.20141016.3 changelog * Security: force CGI::FormBuilder->field to scalar context where necessary, avoiding unintended function argument injection analogous to CVE-2014-1572. - passwordauth: prevent authentication bypass via multiple name parameters (CVE-2017-0356, OVE-20170111-0001) - passwordauth: prevent userinfo forgery via repeated email parameter (also CVE-2017-0356) - comments, editpage: prevent commit metadata forgery (CVE-2016-9646, OVE-20161226-0001) - CGI, attachment, comments, editpage, notifyemail, passwordauth, po, rename: harden against similar issues that are not believed to be exploitable * t/passwordauth.t: new automated test for CVE-2017-0356 * Backport IkiWiki::Plugin::git from 3.20170110 to fix the following bugs, including one minor security vulnerability: - Security: try revert operations before approving them. Previously, automatic rename detection could result in a revert writing outside the wiki srcdir or altering a file that the reverting user should not be able to alter, an authorization bypass. (CVE-2016-10026 represents the original vulnerability.) The incomplete fix released in 3.20161219 was not effective for git versions prior to 2.8.0rc0. (CVE-2016-9645 represents that incomplete solution. Debian stable was never vulnerable to this one.) - Fix the warnings "cannot chdir to .../ikiwiki-temp-working: No such file or directory" seen in the initial fixes for those security issues - If no committer identity is known, set it to "IkiWiki " in .git/config. This resolves commit errors in versions of git that require a non-trivial committer identity. - Use git log --no-renames to generate recentchanges, fixing the git test-case with git 2.9 (Closes: #835612) - Don't issue a warning if the rcsinfo CGI parameter is undefined - Do not fail to commit changes with a recent git version and an anonymous committer - Do not fail on filenames starting with a dash (patch from Florian Wagner) - Don't add a redundant "--" and run "git rev-list ... -- -- ..." * Backport t/git-cgi.t from 3.20170110 to have automated test coverage for using the CGI with git, including tests for CVE-2016-10026 - Build-depend on libipc-run-perl for better build-time test coverage * Backport IkiWiki::Plugin::img from 3.20160905 to fix a regression in 3.20141016.3: - img: ignore the case of the extension when detecting image format, fixing the regression that *.JPG etc. would not be displayed (patch from Amitai Schleier) * Backport tests' installed-test (autopkgtest) support from 3.20160121, adjusted for compatibility with the older pkg-perl-autopkgtest in jessie - d/control: add enough build-dependencies to run all tests, except for non-git VCSs imagemagick (8:6.8.9.9-5+deb8u8) jessie-security; urgency=high . * Fix a few security bugs: + Assertion failure in TGA coder (Closes: #856878). Fix CVE-2017-6498. + Out of bound in sun file coder (Closes: #856879). Fix CVE-2017-6500. + Memory leak in libmagick++ library (Closes: #856880). Fix CVE-2017-6499. + Missing null pointer check in xcf coder (Closes: #856881) and psd coder (Closes: #856882). Fix CVE-2017-6501 and CVE-2017-6497. + Fix a memory leak in options handler (Closes: #857426, LP: #1671630) * Fix a regression in jessie, Fix artefacts running -sharpen on CMYK images (Closes: #844594). imagemagick (8:6.8.9.9-5+deb8u7) jessie-security; urgency=medium . * Fix Ipl file missing malloc check (Closes: #851483). Fix CVE-2016-10145. * Fix wpg file off by one (Closes: #851483). Fix CVE-2016-10145. * Fix a memory leak in caption coders (Closes: #851380). Fix CVE-2016-10146. * Fix possible buffer overflow when writing compressed TIFFS. (Closes: #848139). Fix CVE-2016-8707. * Fix a double free in profile due to overflow (Closes: #851383). Fix CVE-2017-5506. * Fix memory leak in MPC file handling (Closes: #851382). Fix CVE-2017-5507 * Fix Heap-Buffer-Overflow in TIFF coder (Closes: #851381). Fix CVE-2017-5508 * Fix improper cast that could cause an overflow. (Closes: #851374). Fix CVE-2017-5511. * Fix memory corruption heap overflow in psb file. (Closes: #851376). Fix CVE-2017-5510. * Detect write error in ReadGROUP4Image. (Closes: #849439). Fix CVE-2016-10062 initramfs-tools (0.120+deb8u3) jessie; urgency=medium . * [6661d01] hook-functions: Include drivers for all keyboards when MODULES=dep (Closes: #639876) * [6afc19f] auto_add_modules: Include most USB host drivers (Closes: #762634) * [eb35e9a] auto_add_modules: Include all bus driver modules * [c9636d5] Remove code that prunes 'broken' symlinks and sometimes /etc/mtab (Closes: #845581) * [50b90a9] auto_add_modules: Add all I2C bus and mux drivers when MODULES=most (Closes: #825687) * [94d23b8] hook-functions: Stop force-loading drivers found through sysfs when MODULES=dep (Closes: #792910) installation-guide (20150423+deb8u3) jessie; urgency=medium . [ Matt Kraai ] * Fix Instructions for creating syslinux.cfg according to syslinux 5.00 change. Closes: #803267. . [ Cyril Brulebois ] * Mass-update po translations (install-methods.po) so that the syslinux example is correct (see #803267): el es fi hu ko ru sv vi zh_CN zh_TW ioquake3 (1.36+u20140802+gca9eebb-2+deb8u1) jessie-security; urgency=high . * d/gbp.conf: switch branch to debian/jessie * d/patches: Add patches from upstream fixing security vulnerabilities - refuse to load potentially auto-downloadable .pk3 files as ioquake3 renderers, ioquake3 game code, libcurl, or OpenAL drivers (mitigation: auto-downloading is off by default, and in Debian we do not dlopen libcurl anyway) - refuse to load default configuration file names from a .pk3 file - protect cl_renderer, cl_curllib, s_aldriver configuration variables so game code cannot set them - refuse to overwrite files other than *.txt with the dump console command - refuse to overwrite files other than *.cfg with the writeconfig console command (Closes: #857699; CVE-2017-6903) irqbalance (1.0.6-3+deb8u1) jessie; urgency=medium . * Non-maintainer upload. * Only warn once for affinity hint subset empty irqs (Closes: #784391) jasper (1.900.1-debian1-2.4+deb8u3) jessie-security; urgency=medium . * CVE-2016-9591 CVE-2016-10249 CVE-2016-10251 jasper (1.900.1-debian1-2.4+deb8u2) jessie-security; urgency=medium . * CVE-2016-1867 CVE-2016-8654 CVE-2016-8691 CVE-2016-8692 CVE-2016-8693 CVE-2016-8882 CVE-2016-9560 jbig2dec (0.13-4~deb8u1) jessie-security; urgency=medium . * Non-maintainer upload by the Debian Security Team. * Backport latest upstream release to Jessie. * Fixes CVE-2016-9601 and many other unreported issues. * Drop licensecheck from build-depends as it was part of devscripts in the past (and we don't need such a check in stable/oldstable). * Disable multiarch support to not introduce unexpected regression. jbig2dec (0.13-3) unstable; urgency=medium . * Add patch cherry-picked upstream to prevent checking too early for buffer overrun. * Modernize CDBS: Build-depend on licensecheck (not devscripts). jbig2dec (0.13-2) unstable; urgency=medium . * Fix mark libjbig2dec0 as multi-ach: same. Closes: Bug#799916. Thanks to Jacek Szafarkiewicz and Yuriy M. Kaminskiy. * Add patch 2001 to avoid compile unrelated and unusable Memento memory debugging code. Closes: Bug#824483. Thanks to Yuriy M. Kaminskiy. * Drop symbols for dropped Memento code. Thanks to Yuriy M. Kaminskiy. jbig2dec (0.13-1) unstable; urgency=medium . [ upstream ] * New bugfix release. . [ Jonas Smedegaard ] * Update watch file: + Bump file format to version 4. + Mangle scanned page to get tarball URLs from tags, and adapt URL pattern. + Mangle download filename. + Mention gbp in usage comment. * Use https protocol in Vcs-Git URL. * Declare compliance with Debian Policy 3.9.8. * Update copyright info: + Extend coverage for main author to include recent years. + Extend copyright of packaging to cover current year. * Update git-buildpackage config: Filter any .gitignore file. * Drop patch 2001: Applied upstream. * Drop 3 symbols (unused, according to http://codesearch.debian.net/). * Fix remove old lintian overrides file. jbig2dec (0.12+20150918-1) unstable; urgency=medium . [ upstream ] * Snapshot. + Tidy build configuration. + Update for modern libpng. + Commit of build_consolidation branch. + Fixes for Windows build with VS 2015. + Check that cloned image exists before proceeding further. + Release huffman table memory properly. . [ Jonas Smedegaard ] * Fix lintian overrides. * Unfuzz all patches. jbig2dec (0.12-2) unstable; urgency=medium . * Move package maintenance to printing team. * Suppress lintian warning about build-depending unversioned on debhelper. * Update copyright info: Fix strip stray License field. jbig2dec (0.12-1) unstable; urgency=medium . * Update README.source to emphasize that control.in file is *not* a show-stopper for contributions, referring to wiki page for details. * Update upstream URLs to reflect move to git.ghostscript.com and lack of tarball releases. * Declare compliance with Debian Policy 3.9.6. * Update Vcs-* fields. * Bump debhelper compatibility level to 9. * Update copyright info: + Extend coverage for myself. + Bump packaging license to GPL-3+. + Fix use SPDX shortname for X11 license. Thanks to Paul Richards Tagliamonte. + Use file format 1.0. + Use license short-name public-domain. + Bump main license to AGPL-3+. Add NEWS file about that change. + Drop unused Files and License sections for autotools files. + Use License-Grant and License-Reference fields. Thanks to Ben Finney. * Use newest autotools. Build-depend automake (not automake1.11) and on recent cdbs. * Drop patches 1002 1003 applied upstream. * Improve patch 1004: Remove extracted file from script to detect upstream code changes. * Add debian/patches/README documenting patch naming micro-policy. * Add patch 2001 to avoid including problematic and seemingly uneeded pngstruct.h. * Let CDBS move aside upstream cruft during build. * Cleanup more autotools files. * Add symbols file. Closes: bug#694899. Thanks to Logan Rosen. * Fix tie d-shlibs target also to development package (not only library package). * Add lintian overrides regarding license in License-Reference field. See bug#786450. * Update package relations: + Build-depend unversioned on d-shlibs: Needed version satisfied even in oldstable. * Install into multiarch paths. jhead (1:2.97-1+deb8u1) jessie-security; urgency=high . * Non-maintainer upload by the Security Team. * CVE-2016-3822: Fix possible out of bounds access (Closes: #858213) kup (0.3.2-2) jessie; urgency=medium . * kup: Backport changes needed to work with kernel.org in future (Closes: #859143): - Add support for subcmd config option - Make sure we use sanitized KUP_SUBCMD lcms2 (2.6-3+deb8u1) jessie-security; urgency=high . * Non-maintainer upload by the Security Team. * Added an extra check to MLU bounds (CVE-2016-10165) (Closes: #852627) libav (6:11.9-1~deb8u1) jessie-security; urgency=medium . * New upstream release. - mpegvideo_parser: avoid signed overflow in bitrate calculation. (CVE-2016-9821) - mpeg12dec: avoid signed overflow in bitrate calculation. (CVE-2016-9822) * debian/patches/mpegvideo_motion-Handle-edge-emulation-even-without-.patch: Removed, included upstream. libdatetime-timezone-perl (1:1.75-2+2017b) jessie; urgency=medium . * Update to Olson database version 2017b. This update contains contemporary changes for Haiti. libdatetime-timezone-perl (1:1.75-2+2017a) jessie; urgency=medium . * Update to Olson database version 2017a. This update contains contemporary changes to Mongolia and Chile. libevent (2.0.21-stable-2+deb8u1) jessie-security; urgency=high . * Fix three vulnerabilites (Closes: #854092): - DNS remote stack overread vulnerability (CVE-2016-10195) - (Stack) buffer overflow in evutil_parse_sockaddr_port() (CVE-2016-10196) - Out-of-bounds read in search_make_new() (CVE-2016-10197) * Add myself as an uploader libgd2 (2.1.0-5+deb8u9) jessie-security; urgency=high . * [CVE-2016-6906]: Fix OOB reads of the TGA decompression buffer * [CVE-2016-6912]: Fix double-free in gdImageWebPtr() * [CVE-2016-10166]: Fix potential unsigned underflow * [CVE-2016-10167]: Fix DOS vulnerability in gdImageCreateFromGd2Ctx() * [CVE-2016-6906]: Fix OOB reads of the TGA decompression buffer * [CVE-2016-9317]: Check for oversized images * [CVE-2016-10168]: Fix signed integer Overflow gd_io.c libindicate (0.6.92-2+deb8u1) jessie; urgency=medium . * QA upload. * Set maintainer to the QA group. * libindicate-gtk3-dev: Depend on libindicate-gtk3-3 instead of libindicate-gtk3, thanks to Andreas Beckmann for finding this bug. (Closes: #715066) libmateweather (1.8.0-2+deb8u2) jessie-proposed-updates; urgency=medium . [ ZenWalker ] * debian/patches: + Add 002_rename-rangoon-timezone-to-yangon.patch. Follow tzdata 2016g change. (Closes: #848742). libphp-swiftmailer (5.2.2-1+deb8u1) jessie-security; urgency=high . * Non-maintainer upload. * Fix CVE-2016-10074: The mail transport (aka Swift_Transport_MailTransport) in Swift Mailer allowed remote attackers to pass extra parameters to the mail command and consequently execute arbitrary code via a \" (backslash double quote) in a crafted e-mail address in the From, ReturnPath, or Sender header. libquicktime (2:1.2.4-7+deb8u1) jessie-security; urgency=medium . * Team Upload * Fix integer overflow in the quicktime_read_pascal function (CVE-2016-2399) (Closes: #855099) libreoffice (1:4.3.3-2+deb8u7) jessie-security; urgency=high . * debian/patches/CVE-2017-7870.diff: fix CVE-2017-7870 libreoffice (1:4.3.3-2+deb8u6) jessie-security; urgency=high . * debian/patches/olefix.diff: fix CVE-2017-3157 libreoffice (1:4.3.3-2+deb8u6~bpo70+1) wheezy-backports; urgency=high . * Rebuild for wheezy-backports. . * debian/rules: - comment out some conditionals and they don't exactly do what we want on wheezy-backports and use hardcoded values - fix coinmp conditional, use internal one on wheezy... - use internal icu - see https://bugs.freedesktop.org/show_bug.cgi?id=82229#c38 - bump libgraphite2-dev build-dep to ensure fixed version from wheezy-lts * debian/rules, debian/shlibs.local.coin: add shlibs.local.coin to override all the internal coin dynamic libraries.... * debian/shlibs.override.icu: update to actual current SOVERSION * debian/rules, debian/shlibs.override.libc: revert libc hack again * debian/patches/icu-icudata-link-fix-armhf.diff: fix internal icu build on armhf ("stolen" from icu package) . libreoffice (1:4.3.3-2+deb8u6) jessie-security; urgency=high . * debian/patches/olefix.diff: fix CVE-2017-3157 . libreoffice (1:4.3.3-2+deb8u5) jessie-security; urgency=medium . * debian/patches/CVE-2016-4324.diff: fix "LibreOffice RTF Stylesheet Code Execution Vulnerability" (TALOS-CAN-0126 / CVE-2016-4324) . libreoffice (1:4.3.3-2+deb8u4) jessie; urgency=medium . * debian/patches/ppc64el-jdk-paths.diff: fix ppc64el FTBFS due to changed OpenJDK paths, thanks Slavek Banko (closes: #819375) . * debian/rules: - fix logic to not install sound files (closes: #780497) libvirt (1.2.9-9+deb8u4) jessie; urgency=medium . [ Guido Günther ] * [7e378ce] Make sure the cgroup update notice is also shown in backports * [bd11c4c] Unbreak compilation of qemuhelptest . [ Hilko Bengen ] * [fffb132] Add patch to improve qemu v2.6+ compatibility (Closes: #841291) libvorbisidec (1.0.2+svn18153-1~deb8u1) jessie; urgency=medium . * QA upload. * Rebuild for jessie. libxpm (1:3.5.12-0+deb8u1) jessie-security; urgency=high . * Non-maintainer upload by the Security Team. * New upstream version 3.5.12 - Fix abs() usage - Fix out out boundary read on unknown colors - Gracefully handle EOF while parsing files - Avoid OOB write when handling malicious XPM files (CVE-2016-10164) - Handle size_t in file/buffer length libxslt (1.1.28-2+deb8u3) jessie; urgency=medium . * Non-maintainer upload. * Check for integer overflow in xsltAddTextString (CVE-2017-5029) (Closes: #858546) linux (3.16.43-2) jessie; urgency=high . * mm/huge_memory.c: fix up "mm/huge_memory.c: respect FOLL_FORCE/FOLL_COW for thp" backport (Closes: #861313) linux (3.16.43-1) jessie; urgency=medium . * New upstream stable update: https://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.16.40 - [x86] drm/i915/vlv: Make intel_crt_reset() per-encoder - [x86] drm/i915/vlv: Reset the ADPA in vlv_display_power_well_init() - fbdev/efifb: Fix 16 color palette entry calculation - [s390*] zfcp: fix fc_host port_type with NPIV - [s390*] zfcp: fix ELS/GS request&response length for hardware data router - [s390*] zfcp: close window with unblocked rport during rport gone - [s390*] zfcp: retain trace level for SCSI and HBA FSF response records - [s390*] zfcp: restore: Dont use 0 to indicate invalid LUN in rec trace - [s390*] zfcp: trace on request for open and close of WKA port - [s390*] zfcp: restore tracing of handle for port and LUN with HBA records - [s390*] zfcp: fix D_ID field with actual value on tracing SAN responses - [s390*] zfcp: fix payload trace length for SAN request&response - [s390*] zfcp: trace full payload of all SAN records (req,resp,iels) - clk: divider: Fix clk_divider_round_rate() to use clk_readl() - [x86] dumpstack: Fix x86_32 kernel_stack_pointer() previous stack access - PCI: Mark Atheros AR9580 to avoid bus reset - netfilter: restart search if moved to other chain - uio: fix dmem_region_start computation - platform: don't return 0 from platform_get_irq[_byname]() on error - [arm64] debug: avoid resetting stepping state machine when TIF_SINGLESTEP - ASoC: dapm: Fix value setting for _ENUM_DOUBLE MUX's second channel - genirq/generic_chip: Add irq_unmap callback - rtlwifi: Update regulatory database - rtlwifi: Fix missing country code for Great Britain - pwm: Unexport children before chip removal - cx231xx: don't return error on success - cx231xx: fix GPIOs for Pixelview SBTVD hybrid - ext4: reinforce check of i_dtime when clearing high fields of uid and gid - pstore/core: drop cmpxchg based updates - pstore/ram: Use memcpy_toio instead of memcpy - pstore/ram: Use memcpy_fromio() to save old buffer - ipv4: accept u8 in IP_TOS ancillary data - [armhf] phy: sun4i-usb: Use spinlock to guard phyctl register access - dm: mark request_queue dead before destroying the DM device - dm mpath: check if path's request_queue is dying in activate_path() - ext4: bugfix for mmaped pages in mpage_release_unused_pages() - [armhf] dts: exynos: Fix mismatched value for SD4 pull up/down configuration on exynos4210 - reiserfs: Unlock superblock before calling reiserfs_quota_on_mount() - sctp: do not return the transmit err back to sctp_sendmsg - pkt_sched: fq: use proper locking in fq_dump_stats() - [x86] iommu/amd: Free domain id when free a domain of struct dma_ops_domain - [powerpc*] nvram: Fix an incorrect partition merge - ALSA: ali5451: Fix out-of-bound position reporting - usb: misc: legousbtower: Fix NULL pointer deference - net/mlx4_en: Fix wrong indentation - net/mlx4_core: Fix deadlock when switching between polling and event fw commands - drm/radeon: narrow asic_init for virtualization - [powerpc*] eeh: Null check uses of eeh_pe_bus_get - ALSA: usb-audio: Extend DragonFly dB scale quirk to cover other variants - netfilter: nft_exthdr: Add size check on u8 nft_exthdr attributes - netfilter: nf_tables: validate maximum value of u32 netlink attributes - svcrdma: Tail iovec leaves an orphaned DMA mapping - blkcg: Annotate blkg_hint correctly - ALSA: hda - Adding one more ALC255 pin definition for headset problem - mmc: block: don't use CMD23 with very old MMC cards - [powerpc*] KVM: Book3S: Treat VTB as a per-subcore register, not per-thread - [powerpc*] KVM: BookE: Fix a sanity check - [powerpc*] KVM: Book3s PR: Allow access to unprivileged MMCR2 register - NFSv4: Open state recovery must account for file permission changes - Revert "usbtmc: convert to devm_kzalloc" - drm/radeon/si/dpm: fix phase shedding setup - [powerpc*/*64*] vdso64: Use double word compare on pointers - ext4: release bh in make_indexed_dir - [s390*] con3270: fix use of uninitialised data - [s390*] con3270: fix insufficient space padding - fuse: invalidate dir dentry after chmod - fuse: fix killing s[ug]id in setattr - fuse: listxattr: verify xattr list - crypto: gcm - Fix IV buffer size in crypto_gcm_setkey - staging: rtl8188eu: fix missing unlock on error in rtw_resume_process() - staging: rtl8188eu: fix double unlock error in rtw_resume_process() - UBI: fastmap: scrub PEB when bitflips are detected in a free PEB EC header - ubi: Deal with interrupted erasures in WL - ubi: Fix races around ubi_refill_pools() - ubi: Fix Fastmap's update_vol() - i40e: avoid NULL pointer dereference and recursive errors on early PCI error - [powerpc*] powernv: Use CPU-endian PEST in pnv_pci_dump_p7ioc_diag_data() - mfd: rtsx_usb: Avoid setting ucr->current_sg.status - async_pq_val: fix DMA memory leak - mm: filemap: fix mapping->nrpages double accounting in fuse - netlink: do not enter direct reclaim from netlink_dump() - IB/srp: Fix infinite loop when FMR sg[0].offset != 0 - [x86] Input: elantech - add Fujitsu Lifebook E556 to force crc_enabled - mm/hugetlb: fix memory offline with hugepage size > memory block size - mm/hugetlb: check for reserved hugepages during memory offline - vfs,mm: fix a dead loop in truncate_inode_pages_range() - [powerpc*] pseries: Fix stack corruption in htpe code - [powerpc*/*64*] Fix incorrect return value from __copy_tofrom_user - [x86] panic: replace smp_send_stop() with kdump friendly version in panic path - [mips*] panic: replace smp_send_stop() with kdump friendly version in panic path - compiler: Allow 1- and 2-byte smp_load_acquire() and smp_store_release() - ipc: remove use of seq_printf return value - ipc/sem.c: fix complex_count vs. simple op race - [mips*] ptrace: Fix regs_return_value for kernel context - cifs: Display number of credits available - cifs: Limit the overall credit acquired - cifs: Set previous session id correctly on SMB3 reconnect - cifs: SMB3: GUIDs should be constructed as random but valid uuids - cifs: Clarify locking of cifs file and tcon structures and make more granular - cifs: Do not send SMB3 SET_INFO request if nothing is changing - cifs: Cleanup missing frees on some ioctls - fs/super.c: fix race between freeze_super() and thaw_super() - scsi: Fix use-after-free - mac80211: discard multicast and 4-addr A-MSDUs - jbd2: fix incorrect unlock on j_list_lock - drm/radeon: change vblank_time's calculation method to reduce computational error. - ipv6: correctly add local routes when lo goes up - [s390*] scsi: zfcp: spin_lock_irqsave() is not nestable - mmc: sdhci: cast unsigned int to unsigned long long to avoid unexpeted error - mmc: rtsx_usb_sdmmc: Avoid keeping the device runtime resumed when unused - mmc: rtsx_usb_sdmmc: Handle runtime PM while changing the led - memstick: rtsx_usb_ms: Runtime resume the device when polling for cards - memstick: rtsx_usb_ms: Manage runtime PM when accessing the device - [arm64] kernel: Init MDCR_EL2 even in the absence of a PMU - netfilter: nf_tables: underflow in nft_parse_u32_check() - ALSA: hda - allow 40 bit DMA mask for NVidia devices - isofs: Do not return EACCES for unknown filesystems - bridge: multicast: restore perm router ports on multicast enable - hwrng: core - Don't use a stack buffer in add_early_randomness() - [x86] Input: i8042 - add XMG C504 to keyboard reset table - ubifs: Fix xattr_names length in exit paths - ubifs: Abort readdir upon error - target: Make EXTENDED_COPY 0xe4 failure return COPY TARGET DEVICE NOT REACHABLE - target: Don't override EXTENDED_COPY xcopy_pt_cmd SCSI status code - [x86] xhci: add restart quirk for Intel Wildcatpoint PCH - xhci: workaround for hosts missing CAS bit - USB: serial: fix potential NULL-dereference at probe - drm/radeon/si_dpm: Limit clocks on HD86xx part - [arm64] KVM: Take S1 walks into account when determining S2 write faults - [powerpc*] Convert cmp to cmpd in idle enter sequence - ipv4: use the right lock for ping_group_range - ACPI / APEI: Fix incorrect return value of ghes_proc() - dm table: fix missing dm_put_target_type() in dm_table_add_target() - [x86] mei: txe: don't clean an unprocessed interrupt cause. - scsi: megaraid_sas: Fix data integrity failure for JBOD (passthrough) devices - [x86] hv: do not lose pending heartbeat vmbus packets - ALSA: hda - Fix surround output pins for ASRock B150M mobo - drm/radeon: drop register readback in cayman_cp_int_cntl_setup - drm/radeon/si_dpm: workaround for SI kickers - scsi: scsi_debug: Fix memory leak if LBP enabled and module is unloaded - scsi: arcmsr: Send SYNCHRONIZE_CACHE command to firmware - tty: vt, fix bogus division in csi_J - tty: limit terminal size to 4M chars - vt: clear selection before resizing - netfilter: nf_conntrack_sip: extend request line validation - netfilter: nf_tables: fix type mismatch with error return from nft_parse_u32_check - btrfs: fix races on root_log_ctx lists - lib/genalloc.c: start search from start of chunk - [s390*] hypfs: Use get_free_page() instead of kmalloc to ensure page alignment - [x86] KVM: fix wbinvd_dirty_mask use-after-free - GenWQE: Fix bad page access during abort of resource allocation - ubifs: Fix regression in ubifs_readdir() - md: be careful not lot leak internal curr_resync value into metadata. - net/mlx5: Avoid passing dma address 0 to firmware - packet: on direct_xmit, limit tso and csum to supported devices - net/mlx4_core: Fix the resource-type enum in res tracker to conform to FW spec - net/mlx4_en: Resolve dividing by zero in 32-bit system - net/mlx4_en: Process all completions in RX rings after port goes up - net/mlx4_en: Fix potential deadlock in port statistics flow - [x86] iommu/vt-d: Fix IOMMU lookup for SR-IOV Virtual Functions - virtio: console: Unlock vqs while freeing buffers - netfilter: nf_tables: destroy the set if fail to add transaction - [x86] mei: bus: fix received data size check in NFC fixup - ipv6: Don't use ufo handling on later transformed packets - can: bcm: fix warning in bcm_connect/proc_register - bgmac: stop clearing DMA receive control register right after it is set - uwb: fix device reference leaks - [armel,armhf] gpio/mvebu: Use irq_domain_add_linear - PM / sleep: fix device reference leak in test_suspend - ip6_tunnel: Clear IP6CB in ip6tunnel_xmit() - firewire: net: fix fragmented datagram_size off-by-one - ipv4: allow local fragmentation in ip_finish_output_gso() - i2c: core: fix NULL pointer dereference under race condition - iio: hid-sensors: Fix compilation warning - iio: hid-sensors: Increase the precision of scale to fix wrong reading interpretation. - [armhf] net: ethernet: ti: cpsw: fix device and of_node leaks - scsi: megaraid_sas: fix macro MEGASAS_IS_LOGICAL to avoid regression - rtnl: reset calcit fptr in rtnl_unregister() - USB: cdc-acm: fix TIOCMIWAIT - PM / sleep: don't suspend parent when async child suspend_{noirq, late} fails - [x86] ALSA: hda - Fix mic regression by ASRock mobo fixup - swapfile: fix memory corruption via malformed swapfile - coredump: fix unfreezable coredumping task - dib0700: fix nec repeat handling - scsi: mpt3sas: Fix secure erase premature termination - neigh: check error pointer instead of NULL for ipv4_neigh_lookup() - ipv4: use new_gw for redirect neigh lookup - fuse: fix fuse_write_end() if zero bytes were copied - [armhf] usb: chipidea: move the lock initialization to core file - rtnetlink: fix rtnl_vfinfo_size - mfd: core: Fix device reference leak in mfd_clone_cell - nvme/pci: Don't free queues on error - IB/uverbs: Fix leak of XRC target QPs - IB/cm: Mark stale CM id's whenever the mad agent was unregistered - IB/core: Avoid unsigned int overflow in sg_alloc_table - IB/mlx5: Use cache line size to select CQE stride - IB/mlx5: Resolve soft lock on massive reg MRs - IB/mlx5: Fix NULL pointer dereference on debug print - IB/mlx4: Fix create CQ error flow - mwifiex: printk() overflow with 32-byte SSIDs - of_mdio: fix node leak in of_phy_register_fixed_link error path - cfg80211: limit scan results cache size - [armhf] net: ethernet: ti: cpsw: fix bad register access in probe error path - [armhf] net: ethernet: ti: cpsw: fix mdio device reference leak - [armhf] net: ethernet: ti: cpsw: fix secondary-emac probe error path - KVM: Disable irq while unregistering user notifier - [x86] KVM: fix missed SRCU usage in kvm_lapic_set_vapic_addr - ext4: sanity check the block and cluster size at mount time - l2tp: fix racy SOCK_ZAPPED flag check in l2tp_ip{,6}_bind() (CVE-2016-10200) - apparmor: fix change_hat not finding hat after policy replacement - [x86] traps: Ignore high word of regs->cs in early_fixup_exception() - xc2028: Fix use-after-free bug properly - [armhf] net: ethernet: mvneta: Remove IFF_UNICAST_FLT which is not implemented - net/mlx4: Fix uninitialized fields in rule when adding promiscuous mode to device managed flow steering - pwm: Fix device reference leak - netfilter: arp_tables: fix invoking 32bit "iptable -P INPUT ACCEPT" failed in 64bit kernel - [powerpc*] eeh: Fix deadlock when PE frozen state can't be cleared - batman-adv: Check for alloc errors when preparing TT local data - locking/rtmutex: Prevent dequeue vs. unlock race - ipv4: Set skb->protocol properly for local output - ipv6: Set skb->protocol properly for local output - tipc: check minimum bearer MTU - [x86] perf: Fix full width counter, counter overflow - fuse: fix clearing suid, sgid for chown() - can: raw: raw_setsockopt: limit number of can_filter that can be set - can: peak: fix bad memory access and free sequence - ser_gigaset: return -ENOMEM on error instead of success - vfs,mm: fix return value of read() at s_maxbytes https://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.16.41 - mnt: Add a per mount namespace limit on the number of mounts (CVE-2016-6213) - ext4: validate s_first_meta_bg at mount time (CVE-2016-10208) https://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.16.42 - net/sched: em_meta: Fix 'meta vlan' to correctly recognize zero VID frames - ite-cir: initialize use_demodulator before using it - usb: gadget: composite: correctly initialize ep->maxpacket - usb: gadget: composite: always set ep->mult to a sensible value - [armhf] usb: dwc3: gadget: set PCM1 field of isochronous-first TRBs - [amd64] drm/gma500: Add compat ioctl - enic: set skb->hash type properly - xfs: fix up xfs_swap_extent_forks inline extent handling - scsi: megaraid_sas: For SRIOV enabled firmware, ensure VF driver waits for 30secs before reset - PCI: Check for PME in targeted sleep state - USB: UHCI: report non-PME wakeup signalling for Intel hardware - [armhf] dts: imx6q-cm-fx6: fix fec pinctrl - [powerpc] ibmebus: Fix device reference leaks in sysfs interface - [powerpc] ibmebus: Fix further device reference leaks - [powerpc*] pci/rpadlpar: Fix device reference leaks - usb: xhci-mem: use passed in GFP flags instead of GFP_KERNEL - dm rq: fix a race condition in rq_completed() - ext4: fix mballoc breakage with 64k block size - ext4: fix stack memory corruption with 64k block size - IB/core: Save QP in ib_flow structure - IB/mlx5: Put non zero value in max_ah - IB/mlx5: Wait for all async command completions to complete - IB/IPoIB: Remove can't use GFP_NOIO warning - IB/mlx4: Set traffic class in AH - IB/mlx4: Put non zero value in max_ah device attribute - IB/mlx4: Fix port query for 56Gb Ethernet links - scsi: mvsas: fix command_active typo - ssb: Fix error routine when fallback SPROM fails - usb: hub: Fix auto-remount of safely removed or ejected USB-3 devices - [armhf] USB: phy: am335x-control: fix device and of_node leaks - ext4: fix in-superblock mount options processing - ext4: use more strict checks for inodes_per_block on mount - ext4: add sanity checking to count_overhead() - [powerpc*] KVM: Book3S HV: Save/restore XER in checkpointed register state - dm crypt: mark key as invalid until properly loaded - f2fs: set ->owner for debugfs status file's file_operations - xen/gntdev: Use VM_MIXEDMAP instead of VM_IO to avoid NUMA balancing - ALSA: usb-audio: Fix bogus error return in snd_usb_create_stream() - md/raid5: limit request size according to implementation limits - thermal: hwmon: Properly report critical temperature in sysfs - USB: serial: kl5kusb105: fix open error path - USB: serial: kl5kusb105: abort on open exception path - [powerpc] ps3: Fix system hang with GCC 5 builds - Btrfs: fix tree search logic when replaying directory entry deletes - [armhf,arm64] bus: vexpress-config: fix device reference leak - block: protect iterate_bdevs() against concurrent close - NFS: Fix a performance regression in readdir - xfs: set AGI buffer type in xlog_recover_clear_agi_bucket - mmc: sdhci: Fix recovery from tuning timeout - CIFS: Fix missing nls unload in smb2_reconnect() - CIFS: Fix a possible memory corruption in push locks - CIFS: Fix a possible memory corruption during reconnect - [x86] ALSA: hda - Add inverted internal mic for Asus Aspire 4830T - [x86] ALSA: hda - Add the top speaker pin config for HP Spectre x360 - [x86] ALSA: hda - Gate the mic jack on HP Z1 Gen3 AiO - drm/radeon: Hide the HW cursor while it's out of bounds - drm/radeon: Use mode h/vdisplay fields to hide out of bounds HW cursor - drm/radeon: add additional pci revision to dpm workaround - [armhf] xen: Use alloc_percpu rather than __alloc_percpu - clk: clk-wm831x: fix a logic error - hotplug: Make register and unregister notifier API symmetric - iw_cxgb4: Fix error return code in c4iw_rdev_open() - dm space map metadata: fix 'struct sm_metadata' leak on failed create - md: MD_RECOVERY_NEEDED is set for mddev->recovery - cfg80211/mac80211: fix BSS leaks when abandoning assoc attempts - hwmon: (ds620) Fix overflows seen when writing temperature limits - [i386] ftrace: Set ftrace_stub to weak to prevent gcc from using short jumps to it - fgraph: Handle a case where a tracer ignores set_graph_notrace - nfs_write_end(): fix handling of short copies - ext4: reject inodes with negative size - ext4: return -ENOMEM instead of success - [s390*] vmlogrdr: fix IUCV buffer allocation - [armhf] hwmon: (g762) Fix overflows and crash seen when writing limit attributes - ALSA: hiface: Fix M2Tech hiFace driver sampling rate change - libceph: verify authorize reply on connect - fs/notify/inode_mark.c: use list_next_entry in fsnotify_unmount_inodes - fsnotify: Fix possible use-after-free in inode iteration on umount - IB/mlx4: When no DMFS for IPoIB, don't allow NET_IF QPs - IB/mlx4: Fix out-of-range array index in destroy qp flow - Btrfs: delayed-inode: replace root args iff only fs_info used - btrfs: limit async_work allocation and worker func duration - block_dev: don't test bdev->bd_contains when it is not stable - IB/mad: Fix an array index check - IPoIB: Avoid reading an uninitialized member variable - IB/multicast: Check ib_find_pkey() return value - [s390x] scsi: zfcp: fix use-after-"free" in FC ingress path after TMF - [s390x] scsi: zfcp: do not trace pure benign residual HBA responses at default level - [s390x] scsi: zfcp: fix rport unblock race with LUN recovery - scsi: avoid a permanent stop of the scsi device's request queue - target/iscsi: Fix double free in lio_target_tiqn_addtpg() - [x86] drivers/gpu/drm/ast: Fix infinite loop if read fails - NFSv4.1: nfs4_fl_prepare_ds must be careful about reporting success. - [x86] drm/i915/dsi: Do not clear DPOUNIT_CLOCK_GATE_DISABLE from vlv_init_display_clock_gating - fs: exec: apply CLOEXEC before changing dumpable task flags - [x86] Input: i8042 - add Pegatron touchpad to noloop table - net, sched: fix soft lockup in tc_classify - [armhf] net: stmmac: Fix race between stmmac_drv_probe and stmmac_open - [armhf net: stmmac: Fix error path after register_netdev move - net/mlx4_core: Use-after-free causes a resource leak in flow-steering detach - net/mlx4_en: Fix bad WQE issue - net/mlx4: Remove BUG_ON from ICM allocation routine - [armhf] usb: dwc3: ep0: add dwc3_ep0_prepare_one_trb() - [armhf] usb: dwc3: ep0: explicitly call dwc3_ep0_prepare_one_trb() - [armhf] usb: dwc3: gadget: always unmap EP0 requests - [armhf] usb: gadget: composite: Test get_alt() presence instead of set_alt() - [armhf] usb: gadgetfs: restrict upper bound on device configuration size - [armhf] USB: gadgetfs: fix unbounded memory allocation bug - [armhf] USB: gadgetfs: fix use-after-free bug - [armhf] USB: gadgetfs: fix checks of wTotalLength in config descriptors - btrfs: fix error handling when run_delayed_extent_op fails - btrfs: fix locking when we put back a delayed ref that's too new - xhci: free xhci virtual devices with leaf nodes first - usb: xhci: fix possible wild pointer - usb: host: xhci: Fix possible wild pointer when handling abort command - xhci: Handle command completion and timeout race - usb: xhci: hold lock over xhci_abort_cmd_ring() - USB: serial: cyberjack: fix NULL-deref at open - USB: serial: garmin_gps: fix memory leak on failed URB submit - USB: serial: io_edgeport: fix NULL-deref at open - USB: serial: io_ti: fix NULL-deref at open - USB: serial: io_ti: fix another NULL-deref at open - USB: serial: iuu_phoenix: fix NULL-deref at open - USB: serial: keyspan_pda: verify endpoints at probe - USB: serial: kobil_sct: fix NULL-deref in write - USB: serial: mos7720: fix NULL-deref at open - USB: serial: mos7720: fix use-after-free on probe errors - USB: serial: mos7720: fix parport use-after-free on probe errors - USB: serial: mos7720: fix parallel probe - USB: serial: mos7840: fix NULL-deref at open - USB: serial: mos7840: fix misleading interrupt-URB comment - USB: serial: omninet: fix NULL-derefs at open and disconnect - USB: serial: oti6858: fix NULL-deref at open - USB: serial: pl2303: fix NULL-deref at open - USB: serial: quatech2: fix sleep-while-atomic in close - USB: serial: spcp8x5: fix NULL-deref at open - USB: serial: ti_usb_3410_5052: fix NULL-deref at open - [x86] iommu/amd: Fix the left value check of cmd buffer - [x86] mei: move write cb to completion on credentials failures - ALSA: hda - Apply asus-mode8 fixup to ASUS X71SL - [x86] cpu: Fix bootup crashes by sanitizing the argument of the 'clearcpuid=' command-line option - [armhf] usb: musb: Fix trying to free already-free IRQ 4 - usb: hub: Move hub_port_disable() to fix warning if PM is disabled - USB: fix problems with duplicate endpoint addresses - selftests: do not require bash to run netsocktests testcase - HID: hid-cypress: validate length of report (CVE-2017-7273) - ata: sata_mv:- Handle return value of devm_ioremap. - drm/radeon: drop verde dpm quirks - [x86] boot: Add missing declaration of string functions - USB: ch341: remove redundant close from open error path - USB: ch341: set tty baud speed according to tty struct - USB: serial: ch341: add register and USB request definitions - USB: serial: ch341: reinitialize chip on reconfiguration - USB: serial: ch341: fix initial modem-control state - USB: serial: ch341: fix open and resume after B0 - USB: serial: ch341: fix modem-control and B0 handling - USB: serial: ch341: fix open error handling - USB: serial: ch341: fix resume after reset - USB: serial: ch341: fix baud rate and line-control handling - gro: Enter slow-path if there is no tailroom - gro: Disable frag0 optimization on IPv6 ext headers - ocfs2: fix crash caused by stale lvb with fsdlm plugin - mm/hugetlb.c: fix reservation race when freeing surplus pages - sysrq: attach sysrq handler correctly for 32-bit kernel - USB: serial: ch341: fix control-message error handling - gro: use min_t() in skb_gro_reset_offset() - [x86] PCI: Ignore _CRS on Supermicro X8DTH-i/6/iF/6F - xhci: fix deadlock at host remove by running watchdog correctly - [x86] KVM: flush pending lapic jump label updates on module unload - i2c: fix kernel memory disclosure in dev interface - svcrpc: don't leak contexts on PROC_DESTROY - netfilter: rpfilter: fix incorrect loopback packet judgment - be2net: fix status check in be_cmd_pmac_add() - net/mlx4_core: Fix racy CQ (Completion Queue) free - net/mlx4_core: Fix when to save some qp context flags for dynamic VST to VGT transitions - net/mlx4_core: Eliminate warning messages for SRQ_LIMIT under SRIOV - clocksource/exynos_mct: Clear interrupt when cpu is shut down - ubifs: Fix journal replay wrt. xattr nodes - qla2xxx: Fix crash due to null pointer access - can: c_can_pci: fix null-pointer-deref in c_can_start() - set device pointer - ceph: fix bad endianness handling in parse_reply_info_extra - [arm64] ptrace: Preserve previous registers for short regset write - [arm64] ptrace: Avoid uninitialised struct padding in fpr_set() - [arm64] ptrace: Reject attempts to set incomplete hardware breakpoint fields - net: fix harmonize_features() vs NETIF_F_HIGHDMA - [arm64] avoid returning from bad_mode - tcp: initialize max window for a new fastopen socket - nbd: fix use-after-free of rq/bio in the xmit path - nbd: only set MSG_MORE when we have more to send - [powerpc*] ptrace: Preserve previous fprs/vsrs on short regset write - [powerpc*] Ignore reserved field in DCSR and PVR reads and writes - [x86] platform: intel_mid_powerbtn: Set IRQ_ONESHOT - crypto: api - Clear CRYPTO_ALG_DEAD bit before registering an alg - [arm64] crypto: aes-blk - honour iv_out requirement in CBC and CTR modes - [powerpc*] Add missing error check to prom_find_boot_cpu() - nfs: Don't increment lock sequence ID after NFS4ERR_MOVED - ip6_tunnel: must reload ipv6h in ip6ip6_tnl_xmit() - SUNRPC: cleanup ida information when removing sunrpc module - netfilter: nft_log: restrict the log prefix length to 127 - mm/huge_memory.c: respect FOLL_FORCE/FOLL_COW for thp - [x86] drm/i915: Don't leak edid in intel_crt_detect_ddc() - sysctl: fix proc_doulongvec_ms_jiffies_minmax() - nfs: Fix "Don't increment lock sequence ID after NFS4ERR_MOVED" - can: bcm: fix hrtimer/tasklet termination in bcm op removal - perf/core: Fix PERF_RECORD_MMAP2 prot/flags for anonymous memory - [armel,armhf] 8643/3: ptrace: Preserve previous registers for short regset write - drm/nouveau/nv1a,nv1f/disp: fix memory clock rate retrieval - mmc: sdhci: Ignore unexpected CARD_INT interrupts - svcrpc: fix oops in absence of krb5 module - net: use a work queue to defer net_disable_timestamp() work - mm, fs: check for fatal signals in do_generic_file_read() - netlabel: out of bound access in cipso_v4_validate() - mac80211: Fix adding of mesh vendor IEs - ALSA: seq: Don't handle loop timeout at snd_seq_pool_done() - [x86] drm/i915: fix use-after-free in page_flip_completed() - ALSA: seq: Fix race at creating a queue - target: Use correct SCSI status during EXTENDED_COPY exception - target: Fix early transport_generic_handle_tmr abort scenario - target: Fix COMPARE_AND_WRITE ref leak for non GOOD status - btrfs: fix btrfs_compat_ioctl failures on non-compat ioctls - ping: fix a null pointer dereference - [s390x] scsi: zfcp: fix use-after-free by not tracing WKA port open/close on failed send - xen-netfront: Delete rx_refill_timer in xennet_disconnect_backend() - l2tp: do not use udp_ioctl() - futex: Move futex_init() to core_initcall - mmc: core: fix multi-bit bus width without high-speed mode - vfs: fix uninitialized flags in splice_to_pipe() - packet: call fanout_release, while UNREGISTERING a netdev - packet: Do not call fanout_release from atomic contexts - printk: use rcuidle console tracepoint - sg: Fix missing sanity check in /dev/sg - sched/cputime: Fix invalid gtime in proc - decnet: Do not build routes to devices without decnet private data. - route: do not cache fib route info on local routes with oif - sch_htb: update backlog as well - sch_dsmark: update backlog as well - netem: Segment GSO packets on enqueue - [x86] VSOCK: do not disconnect socket when peer has shutdown SEND only - net: bridge: fix old ioctl unlocked net device walk - udp: prevent skbs lingering in tunnel socket queues - ipv6: Skip XFRM lookup if dst_entry in socket cache is valid - sit: correct IP protocol used in ipip6_err - ipmr/ip6mr: Initialize the last assert time of mfc entries. - net: alx: Work around the DMA RX overflow issue - cdc_ncm: workaround for EM7455 "silent" data interface - bonding: set carrier off for devices created through netlink - net: fix sk_mem_reclaim_partial() - tcp: fix overflow in __tcp_retransmit_skb() - net: avoid sk_forward_alloc overflows - tcp: fix wrong checksum calculation on MTU probing - net: Add netdev all_adj_list refcnt propagation to fix panic - net: sctp, forbid negative length - net: clear sk_err_soft in sk_clone_lock() - net: mangle zero checksum in skb_checksum_help() - dccp: do not send reset to already closed sockets - dccp: fix out of bound access in dccp_v4_err() - ipv6: dccp: fix out of bound access in dccp_v6_err() - ipv6: dccp: add missing bind_conflict to dccp_ipv6_mapped - sctp: assign assoc_id earlier in __sctp_connect - sock: fix sendmmsg for partial sendmsg - ip6_tunnel: disable caching when the traffic class is inherited - net: sky2: Fix shutdown crash - net/sched: pedit: make sure that offset is valid - net/dccp: fix use-after-free in dccp_invalid_packet - [x86] netvsc: reduce maximum GSO size - ipv6: handle -EFAULT from skb_copy_bits - drop_monitor: add missing call to genlmsg_end - drop_monitor: consider inserted data in genlmsg_end - igmp: Make igmp group member RFC 3376 compliant - r8152: fix the sw rx checksum is unavailable - tcp: fix tcp_fastopen unaligned access complaints on sparc - ipv6: addrconf: Avoid addrconf_disable_change() using RCU read-side lock - net: socket: fix recvmmsg not returning error from sock_error - can: Fix kernel panic at security_sock_rcv_skb - ipv6: fix ip6_tnl_parse_tlv_enc_lim() - ipv6: pointer math error in ip6_tnl_parse_tlv_enc_lim() - tcp: fix 0 divide in __tcp_select_window() - tun: Fix TUN_PKT_STRIP setting - tun: read vnet_hdr_sz once - macvtap: read vnet_hdr_size once - mlx4: Invoke softirqs after napi_reschedule - sit: fix a double free on error path - igmp: do not remove igmp souce list info when set link down - mld: do not remove mld souce list info when set link down - igmp, mld: Fix memory leak in igmpv3/mld_del_delrec() - [x86] Revert "KVM: x86: expose MSR_TSC_AUX to userspace" (regression in 3.16.7-ckt24) https://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.16.43 - crypto: improve gcc optimization flags for serpent and wp512 - mmc: sunxi: avoid invalid pointer calculation - [mips*] Zero variable read by get_user / __get_user in case of an error. - netlink: remove mmapped netlink support - vfs: Commit to never having exectuables on proc and sysfs. - aio: mark AIO pseudo-fs noexec (CVE-2016-10044) - keys: Guard against null match function in keyring_search_aux() (CVE-2017-2647 / CVE-2017-6951) . [ Ben Hutchings ] * locking/mutex: Don't assume TASK_RUNNING (Closes: #841171) * can, tcp: Ignore ABI changes * [arm64] ptrace: Avoid ABI change in 3.16.42 * [x86] Revert "x86/panic: replace smp_send_stop() with kdump friendly version in panic path" to avoid ABI change * net: Avoid ABI change for "net: fix sk_mem_reclaim_partial()" * vfs: Avoid ABI change for "mnt: Add a per mount namespace limit ..." * mmc: Avoid ABI change for "mmc: core: Annotate cmd_hdr as __le32" * ext4: fix fencepost in s_first_meta_bg validation (regression in 3.16.41) * timer: Restrict timer_stats to initial PID namespace (CVE-2017-5967) * mbcache: Reschedule before restarting iteration in mb_cache_entry_alloc() (mitigates CVE-2015-8952) * [powerpc/powerpc64,ppc64*] Enable SCSI_IBMVFC as module (Closes: #859523) - udeb: Add ibmvfc to scsi-modules * mm: Make PIE address randomisation independent of mmap (Closes: #797530) - [armel,armhf] factor out mmap ASLR into mmap_rnd - [arm64] ASLR: Don't randomise text when randomise_va_space == 0 - [arm64] standardize mmap_rnd() usage - [mips*] extract logic for mmap_rnd() - [powerpc*] Use generic PIE randomization - [powerpc*] standardize mmap_rnd() usage - [s390*] Change randomize_et_dyn() to take void and use mmap_rnd() - [s390*] standardize mmap_rnd() usage - mm: expose arch_mmap_rnd when available - [s390*] redefine randomize_et_dyn for ELF_ET_DYN_BASE - mm: split ET_DYN ASLR from mmap ASLR - mm: fold arch_randomize_brk into ARCH_HAS_ELF_RANDOMIZE * ping: implement proper locking (CVE-2017-2671) * xfrm_user: validate XFRM_MSG_NEWAE XFRMA_REPLAY_ESN_VAL replay_window (CVE-2017-7184) * xfrm_user: validate XFRM_MSG_NEWAE incoming ESN size harder (CVE-2017-7184) * [x86] drm/vmwgfx: NULL pointer dereference in vmw_surface_define_ioctl() (CVE-2017-7261) * [x86] drm/vmwgfx: fix integer overflow in vmw_surface_define_ioctl() (CVE-2017-7294) * net/packet: Fix integer overflow in various range checks (CVE-2017-7308) * mm/mempolicy.c: fix error handling in set_mempolicy and mbind (CVE-2017-7616) * crypto: ahash - Fix EINPROGRESS notification callback (CVE-2017-7618) * USB: iowarrior: fix NULL-deref at probe (CVE-2016-2188) * ixgbe: do not call check_link for ethtool in ixgbe_get_settings() (Closes: #851952) * Fix bugs in ipv6 peer address cleanup (Closes: #854348): - ipv6: fix a refcnt leak with peer addr - ipv6: use addrconf_get_prefix_route() to remove peer addr * KEYS: special dot prefixed keyring name bug fix * KEYS: Reinstate EPERM for a key type name beginning with a '.' * KEYS: Disallow keyrings beginning with '.' to be joined as session keyrings (CVE-2016-9604) * KEYS: fix keyctl_set_reqkey_keyring() to not leak thread keyrings (CVE-2017-7472) . [ Salvatore Bonaccorso ] * sunrpc: fix refcounting problems with auth_gss messages. Thanks to Raphael Geissert (Closes: #852708) linux (3.16.39-1+deb8u2) jessie-security; urgency=high . [ Salvatore Bonaccorso ] * ipc/shm: Fix shmat mmap nil-page protection (CVE-2017-5669) * sctp: avoid BUG_ON on sctp_wait_for_sndbuf (CVE-2017-5986) * sctp: deny peeloff operation on asocs with threads sleeping on it (CVE-2017-6353) * tcp: avoid infinite loop in tcp_splice_read() (CVE-2017-6214) * net/sock: Add sock_efree() function * net/llc: avoid BUG_ON() in skb_orphan() (CVE-2017-6345) * packet: fix races in fanout_add() (CVE-2017-6346) * TTY: n_hdlc, fix lockdep false positive * tty: n_hdlc: get rid of racy n_hdlc.tbuf (CVE-2017-2636) . [ Ben Hutchings ] * [x86] kvm: nVMX: Allow L1 to intercept software exceptions (#BP and #OF) (CVE-2016-9588) * irda: Fix locking in hashbin_delete() (CVE-2017-6348) linux (3.16.39-1+deb8u1) jessie-security; urgency=high . [ Salvatore Bonaccorso ] * perf: Fix event->ctx locking (CVE-2016-6786 CVE-2016-6787) * perf/core: Fix concurrent sys_perf_event_open() vs. 'move_group' race (CVE-2017-6001) * dccp: fix freeing skb too early for IPV6_RECVPKTINFO (CVE-2017-6074) . [ Ben Hutchings ] * perf: Do not double free (dependency of fix for CVE-2017-6001) * fbdev: color map copying bounds checking (CVE-2016-8405) * sysctl: Drop reference added by grab_header in proc_sys_readdir (CVE-2016-9191) * [x86] KVM: fix emulation of "MOV SS, null selector" (CVE-2017-2583) * [x86] KVM: Introduce segmented_write_std (CVE-2017-2584) * selinux: fix off-by-one in setprocattr (CVE-2017-2618) * USB: serial: kl5kusb105: fix line-state error handling (CVE-2017-5549) * tmpfs: clear S_ISGID when setting posix ACLs (CVE-2017-5551) * ip6_gre: fix ip6gre_err() invalid reads (CVE-2017-5897) * [x86] kvm: fix page struct leak in handle_vmon (CVE-2017-2596) * ipv4: keep skb->dst around in presence of IP options (CVE-2017-5970) linux (3.16.39-1+deb8u1~bpo70+1) wheezy-backports; urgency=medium . * Rebuild for wheezy: - Disable architectures that weren't part of wheezy - Use gcc-4.6 for all architectures - Change ABI number to 0.bpo.4 - [arm] btrfs: Work around bug in gcc-4.6 (fixes FTBFS) - linux-image: Depend on initramfs-tools without any alternatives, so that neither apt nor aptitude will automatically switch to dracut . linux (3.16.39-1+deb8u1) jessie-security; urgency=high . [ Salvatore Bonaccorso ] * perf: Fix event->ctx locking (CVE-2016-6786 CVE-2016-6787) * perf/core: Fix concurrent sys_perf_event_open() vs. 'move_group' race (CVE-2017-6001) * dccp: fix freeing skb too early for IPV6_RECVPKTINFO (CVE-2017-6074) . [ Ben Hutchings ] * perf: Do not double free (dependency of fix for CVE-2017-6001) * fbdev: color map copying bounds checking (CVE-2016-8405) * sysctl: Drop reference added by grab_header in proc_sys_readdir (CVE-2016-9191) * [x86] KVM: fix emulation of "MOV SS, null selector" (CVE-2017-2583) * [x86] KVM: Introduce segmented_write_std (CVE-2017-2584) * selinux: fix off-by-one in setprocattr (CVE-2017-2618) * USB: serial: kl5kusb105: fix line-state error handling (CVE-2017-5549) * tmpfs: clear S_ISGID when setting posix ACLs (CVE-2017-5551) * ip6_gre: fix ip6gre_err() invalid reads (CVE-2017-5897) * [x86] kvm: fix page struct leak in handle_vmon (CVE-2017-2596) * ipv4: keep skb->dst around in presence of IP options (CVE-2017-5970) logback (1:1.1.2-1+deb8u1) jessie; urgency=high . * Team upload. * Fix CVE-2017-5929: It was discovered that logback, a flexible logging library for Java, would deserialize data from untrusted sockets. This issue has been resolved by adding a whitelist to use only trusted classes. (Closes: #857343) lxc (1:1.0.6-6+deb8u6) jessie; urgency=medium . * CVE-2017-5985: Ensure target netns is caller-owned (Closes: #857295) mapserver (6.4.1-5+deb8u3) jessie-security; urgency=high . * Add upstream patch to fix CVE-2017-5522 (stack buffer overflow). mariadb-10.0 (10.0.30-0+deb8u2) jessie; urgency=medium . * Remove the excessive server stopping and only-cleanup on purge when this is the last MySQL package (Closes: #858941) mariadb-10.0 (10.0.30-0+deb8u1) jessie-security; urgency=high . * New upstream release 10.0.30. Includes fixes for the following security vulnerabilities: - CVE-2017-3313 - CVE-2017-3302 * New upstream also includes fix to logrotate so that it no longer risks interrupting binary/relay log processing on the server. https://github.com/MariaDB/server/commit/156cf86defdc59353f37f6 mariadb-10.0 (10.0.29-0+deb8u1) jessie-security; urgency=high . * New upstream release 10.0.29. Includes fixes for the following security vulnerabilities (Closes: #851755, #842895): - CVE-2017-3318 - CVE-2017-3317 - CVE-2017-3312 - CVE-2017-3291 - CVE-2017-3265 - CVE-2017-3258 - CVE-2017-3257 - CVE-2017-3244 - CVE-2017-3243 - CVE-2017-3238 - CVE-2016-6664 mariadb-10.0 (10.0.28-3) unstable; urgency=low . [ Otto Kekäläinen ] * Move libmariadbd and -dev next to each other for a more logical flow in d/control * Move mariadb-test to last in file for a more logical flow in d/control * Clean away unused Lintian overrides * Add Lintian override for impossible mysql_config multi-arch requirement * Update Debian copyright based on the 2016 git log author list * Remove unnecessary /var/lib/mysql-upgrade (Closes: #848620) . [ Vicențiu Ciorbaru ] * Fix connect.upd test in armhf * Fix mroonga/storage.index_read_multiple_double test in armhf mariadb-10.0 (10.0.28-2) unstable; urgency=low . [ Samuel Thibault ] * patches/hurd_socket.patch: Also avoid non-working socket path length check on hurd-i386. * rules: Drop symbols on hurd-i386 too (Closes: #842696). . [ Daniel Black ] * Don't install private mysql header files in libmariadbclient-dev . [ Otto Kekäläinen ] * Update libmariadbd18 description and contents to match latest upstream * Mark missing Multi-Arch as suggested by Multiarch hinter * Move plugins to $ARCH/*/mariadb18 to meet multiarch needs (Closes: #739452) mariadb-10.0 (10.0.28-1) unstable; urgency=low . [ Vicențiu Ciorbaru ] * Fix tokudb jemalloc linking . [ Otto Kekäläinen ] * New upstream release 10.0.28. Includes fixes for the following security vulnerabilities: - CVE-2016-8283 - CVE-2016-7440 - CVE-2016-6663 - CVE-2016-5629 - CVE-2016-5626 - CVE-2016-5624 - CVE-2016-5616 - CVE-2016-5584 - CVE-2016-3492 * Drop 4 patches that have been applied upstream. * Delete runnable files from mariadb-test-data as they were only needed at build time to generate tests. mariadb-10.0 (10.0.28-0+deb8u1) jessie-security; urgency=high . * New upstream release 10.0.28. Includes fixes for the following security vulnerabilities: - CVE-2016-8283 - CVE-2016-7440 - CVE-2016-6663 - CVE-2016-5629 - CVE-2016-5626 - CVE-2016-5624 - CVE-2016-5616 - CVE-2016-5584 - CVE-2016-3492 * Update old changelog entries to include new CVE identifiers mariadb-10.0 (10.0.27-2) unstable; urgency=low . [ Dieter Adriaenssens ] * Fix typo in README.Contributor * Improve documentation on how to clean the build env . [ James Cowgill ] * Mips build and testsuite fixes (Closes: #838557, Closes: #838914) - Permit 93 as a valid value of the ENOTEMPTY error in the testsuite - Correctly fix mips64 multiplication in taocrypt - Ensure groonga is built with libatomic - Handle unaligned buffers in connect's TYPBLK class - Fix DEFAULT_MACHINE on mips - Remove various tests from unstable-tests which now pass on MIPS - Update debian/unstable-tests.mips* . [ Kristian Nielsen ] * Fix missing path for perl in autopkgtest (Closes: #809022) * Fix test failures on hppa due to wrong enoempty (Closes: #837369) mariadb-10.0 (10.0.27-1) unstable; urgency=low . * New upstream release 10.0.27 * Remove 3 patches after 10.0.27 import as they have been applied upstream. minicom (2.7-1+deb8u1) jessie; urgency=high . * Non-maintainer upload. * Add ARRAY_SIZE macro * CVE-2017-7467: Out of bounds write in vt100.c (Closes: #860940) modsecurity-crs (2.2.9-1+deb8u1) stable; urgency=medium . * Fix typo in modsecurity_crs_16_session_hijacking.conf. (Closes: #838009) mongodb (1:2.4.10-5+deb8u1) jessie; urgency=medium . * Redact key and nonce from auth attempt logs (Closes: #833087) * Backport patch for CVE-2016-6494 from 2.6 (Closes: #832908) munin (2.0.25-1+deb8u3) jessie-security; urgency=high . * Non-maintainer upload by the Security Team. * cgi: use Scalar::Util::looks_like_number. Fix regression, causing munin-cgi-graph to spam munin logs with Perl warnings of uninitialized value use for $size_x, $size_y, $upper_limit or $lower_limit. (Closes: #856536) munin (2.0.25-1+deb8u3~bpo70+1) wheezy-backports; urgency=medium . * Rebuild for wheezy-backports. * Revert c2628d67 to not use dh-systemd, which is not available in wheezy. . munin (2.0.25-1+deb8u3) jessie-security; urgency=high . * Non-maintainer upload by the Security Team. * cgi: use Scalar::Util::looks_like_number. Fix regression, causing munin-cgi-graph to spam munin logs with Perl warnings of uninitialized value use for $size_x, $size_y, $upper_limit or $lower_limit. (Closes: #856536) . munin (2.0.25-1+deb8u2) jessie-security; urgency=high . * Non-maintainer upload by the Security Team. * cgi: handle the empty string in CGI arguments. Fix regression in zooming functionality via munin-cgi-graph introduced by the original fix for CVE-2017-6188. (Closes: #856455) munin (2.0.25-1+deb8u2) jessie-security; urgency=high . * Non-maintainer upload by the Security Team. * cgi: handle the empty string in CGI arguments. Fix regression in zooming functionality via munin-cgi-graph introduced by the original fix for CVE-2017-6188. (Closes: #856455) munin (2.0.25-1+deb8u1) jessie-security; urgency=high . * Non-maintainer upload by the Security Team. * Fix wrong parameter expansion in CGI (CVE-2017-6188) Fixes local file write vulnerability when CGI graphs are enabled. Setting multiple upper_limit GET parameters allows overwriting any file accessible to the user running the CGI script. Thanks to Tomaž Šolc (Closes: #855705) munin (2.0.25-1+deb8u1~bpo70+1) wheezy-backports; urgency=medium . * Rebuild for wheezy-backports. * Revert c2628d67 to not use dh-systemd, which is not available in wheezy. . munin (2.0.25-1+deb8u1) jessie-security; urgency=high . * Non-maintainer upload by the Security Team. * Fix wrong parameter expansion in CGI (CVE-2017-6188) Fixes local file write vulnerability when CGI graphs are enabled. Setting multiple upper_limit GET parameters allows overwriting any file accessible to the user running the CGI script. Thanks to Tomaž Šolc (Closes: #855705) mupdf (1.5-1+deb8u2) jessie-security; urgency=high . * CVE-2016-8674: heap-use-after-free in pdf_to_num (pdf-object.c) (Closes: #840957) * CVE-2017-5896: use-after-free in fz_subsample_pixmap() (Closes: #854734) * CVE-2017-5991: NULL pointer dereference in pdf_run_xobject() mysql-5.5 (5.5.55-0+deb8u1) jessie-security; urgency=high . * Imported upstream version 5.5.55 to fix security issues: - http://www.oracle.com/technetwork/security-advisory/cpuapr2017-3236618.html - CVE-2017-3302 CVE-2017-3305 CVE-2017-3308 CVE-2017-3309 - CVE-2017-3329 CVE-2017-3453 CVE-2017-3456 CVE-2017-3461 - CVE-2017-3462 CVE-2017-3463 CVE-2017-3464 CVE-2017-3600 (Closes: #860544, #854713) * d/patches: refreshed 62_disable_tests.patch * d/patches: dropped fix_test_events_2.patch. Issue fixed upstream mysql-5.5 (5.5.54-0+deb8u1) jessie-security; urgency=high . * Imported upstream version 5.5.54 to fix security issues: - http://www.oracle.com/technetwork/security-advisory/cpujan2017-2881727.html - CVE-2017-3238 CVE-2017-3243 CVE-2017-3244 CVE-2017-3258 - CVE-2017-3265 CVE-2017-3291 CVE-2017-3312 CVE-2017-3313 - CVE-2017-3317 CVE-2017-3318 (Closes: #851233) * Fix failing test main.events_2 The test was failing due to hardcoded date (2017-01-01). Added patch pending upstream fix. ndisc6 (1.0.1-1+deb8u1) jessie; urgency=medium . * Use upstream default merge hook when resolvconf is not available (Closes: #767071) ndoutils (1.4b9-1.1+deb8u1) jessie; urgency=medium . * Non-maintainer upload. * postrm purge: Check for ucf before calling it. (Closes: #677065) * control: Drop DMUA. ntfs-3g (1:2014.2.15AR.2-1+deb8u3) jessie-security; urgency=high . * Fix CVE-2017-0358: modprobe influence vulnerability via environment variables. nvidia-graphics-drivers (340.102-1) jessie; urgency=medium . * New upstream legacy 340xx branch release 340.102 (2017-02-14). * Fixed CVE-2017-0309, CVE-2017-0310, CVE-2017-0311, CVE-2017-0318, CVE-2017-0321. (Closes: #855277) . [ Andreas Beckmann ] * unregister_proc_on_failure.patch: New, unregister procfs entries during error unwind if loading the module failed. (Closes: #764639) * Upload to jessie. . [ Luca Boccassi ] * Add deprecated-cpu-events.patch and vmf-address.patch to fix kernel module build on Linux 4.10 and newer. nvidia-graphics-drivers (340.102-1~bpo70+1) wheezy-backports; urgency=medium . * Rebuild for wheezy-backports. . nvidia-graphics-drivers (340.102-1) jessie; urgency=medium . * New upstream legacy 340xx branch release 340.102 (2017-02-14). * Fixed CVE-2017-0309, CVE-2017-0310, CVE-2017-0311, CVE-2017-0318, CVE-2017-0321. (Closes: #855277) . [ Andreas Beckmann ] * unregister_proc_on_failure.patch: New, unregister procfs entries during error unwind if loading the module failed. (Closes: #764639) * Upload to jessie. . [ Luca Boccassi ] * Add deprecated-cpu-events.patch and vmf-address.patch to fix kernel module build on Linux 4.10 and newer. nvidia-graphics-drivers-legacy-304xx (304.135-1) jessie; urgency=medium . * New upstream legacy 304xx branch release 304.135 (2017-02-14). * Fixed CVE-2017-0309, CVE-2017-0310, CVE-2017-0311, CVE-2017-0318, CVE-2017-0321. (Closes: #855279) . [ Luca Boccassi ] * Synchronize packaging with nvidia-graphics-drivers-legacy-304xx 304.135-2: - Add deprecated-cpu-events.patch and update disable-mtrr.patch to fix kernel module build on Linux 4.10 and newer. * Synchronize packaging with nvidia-graphics-drivers-legacy-304xx 304.134-2: - Add drm-driver-legacy.patch to fix nvidia kernel module load issue on Linux 4.9 and newer. (Closes: #852152) * Upload to jessie. nvidia-graphics-drivers-legacy-304xx (304.135-1~bpo70+1) wheezy-backports; urgency=medium . * Rebuild for wheezy-backports. . nvidia-graphics-drivers-legacy-304xx (304.135-1) jessie; urgency=medium . * New upstream legacy 304xx branch release 304.135 (2017-02-14). * Fixed CVE-2017-0309, CVE-2017-0310, CVE-2017-0311, CVE-2017-0318, CVE-2017-0321. (Closes: #855279) . [ Luca Boccassi ] * Synchronize packaging with nvidia-graphics-drivers-legacy-304xx 304.135-2: - Add deprecated-cpu-events.patch and update disable-mtrr.patch to fix kernel module build on Linux 4.10 and newer. * Synchronize packaging with nvidia-graphics-drivers-legacy-304xx 304.134-2: - Add drm-driver-legacy.patch to fix nvidia kernel module load issue on Linux 4.9 and newer. (Closes: #852152) * Upload to jessie. nvidia-graphics-drivers-legacy-304xx (304.134-2) unstable; urgency=medium . [ Andreas Beckmann ] * Merge changes from 304.134-0~deb8u1 (jessie). * Add ${nvidia:Deb-Version-After:jessie} substvar to simplify adjusting Breaks/Replaces for new upstream releases in stable. * Switch to debhelper compat level 10. . [ Luca Boccassi ] * Add drm-driver-legacy.patch to fix nvidia kernel module load issue on Linux 4.9 and newer. (Closes: #852152) nvidia-graphics-drivers-legacy-304xx (304.134-1) unstable; urgency=medium . * New upstream legacy 304xx branch release 304.134 (2016-12-14). * Fixed CVE-2016-8826. (Closes: #848197) - Added support for X.Org xserver ABI 23 (xorg-server 1.19) (Closes: #845639) * Improved compatibility with recent Linux kernels. . [ Andreas Beckmann ] * Synchronize packaging with nvidia-graphics-drivers 370.28-2: - Overhaul package descriptions. * Add xorg-video-abi-23 as alternative dependency (375.20-1). nvidia-graphics-drivers-legacy-304xx (304.134-1~bpo8+1) jessie-backports; urgency=medium . * Rebuild for jessie-backports. . nvidia-graphics-drivers-legacy-304xx (304.134-1) unstable; urgency=medium . * New upstream legacy 304xx branch release 304.134 (2016-12-14). * Fixed CVE-2016-8826. (Closes: #848197) - Added support for X.Org xserver ABI 23 (xorg-server 1.19) * Improved compatibility with recent Linux kernels. . [ Andreas Beckmann ] * Synchronize packaging with nvidia-graphics-drivers-legacy-340xx 340.101-1: * Synchronize packaging with nvidia-graphics-drivers 370.28-2: - Overhaul package descriptions. * Add xorg-video-abi-23 as alternative dependency. (Closes: #845639) . nvidia-graphics-drivers-legacy-304xx (304.132-1) unstable; urgency=medium . * New upstream legacy 304xx branch release 304.132 (2016-09-26). * Fixed CVE-2016-7382, CVE-2016-7389. (Closes: #846333) - Added /var/log/dmesg to the list of paths which are searched by nvidia-bug-report.sh for kernel messages. - Fixed a bug that caused kernel panics when using the NVIDIA driver on v4.5 and newer Linux kernels built with CONFIG_DEBUG_VM_PGFLAGS. * Improved compatibility with recent Linux kernels. . [ Andreas Beckmann ] * page-cache-release.patch, get-user-pages.patch: Drop, fixed upstream. * Synchronize packaging with nvidia-graphics-drivers-legacy-340xx 340.98-1: * Synchronize packaging with nvidia-graphics-drivers 358.16-1: - get-orig-source: Generate .orig-$ARCH.tar.gz for each architecture. nvidia-graphics-modules (340.102+3.16.0+1) jessie; urgency=medium . * Use nvidia-kernel-source 340.102. * Upload to jessie. openchange (1:2.2-6+deb8u1) jessie; urgency=medium . * Use version -6+ instead of -5+ because samba-libs conflicts with openchangeproxy (<< 1:2.2-6), making openchangeproxy -5+ uninstallable. * Include upstream patch to fix FTBFS with samba 4.2 openchange (1:2.2-6) unstable; urgency=medium . * Add dependency on pidl 2:4.1.17+dfsg-4, which has reproducible output. * Bump standards version to 3.9.6 (no changes). * Make openchange-dbg Multi-Arch: same. openjpeg2 (2.1.0-2+deb8u2) jessie-security; urgency=medium . * CVE-2016-5159 CVE-2016-8332 CVE-2016-9572 CVE-2016-9573 openmpi (1.6.5-9.1+deb8u1) jessie; urgency=medium . * Non-maintainer upload. * libopenmpi1.6: Fix two incorrect soname links. (Closes: #736675) * libopenmpi1.6: Use versioned Conflicts: libopenmpi2 (<< 1.6) to not interfere with upgrades to stretch. (Closes: #859986) openssl (1.0.1t-1+deb8u6) jessie-security; urgency=medium . * Fix CVE-2016-8610 * Fix CVE-2017-3731 * Fix CVE-2016-7056 pdns (3.4.1-4+deb8u7) jessie-security; urgency=high . * Security upload. * Improve TSIG signature check to avoid MITM attacks on AXFR inbound AXFR transfers. CVE-2016-7073 and CVE-2016-7074. * Handle all possible exceptions in webserver thread, avoiding crash of main process when an attacker exhausts file descriptors on the webserver thread. CVE-2016-7072 * Drop incoming queries that contain more than one record, avoiding extra CPU usage. CVE-2016-7068 * Improve validation of unhandled record types, avoiding a crash on outbound query processing. CVE-2016-2120 * Improve handling of invalid TSIG records in packets. (Required prerequisite patch for the above.) pdns-recursor (3.6.2-2+deb8u3) jessie-security; urgency=high . * Security upload. * Drop incoming queries that contain more than one record, avoiding extra CPU usage. CVE-2016-7068 php5 (5.6.30+dfsg-0+deb8u1) jessie-security; urgency=medium . * Allow relaxed ; priority= parsing (Closes: #783246) * New upstream version 5.6.30+dfsg - [CVE-2016-10158] FPE when parsing a tag format. - [CVE-2016-10159] Crash while loading hostile phar archive - [CVE-2016-10160] Memory corruption when loading hostile phar - [CVE-2016-10161] Heap out of bounds read on unserialize in finish_nested_data() * Rebase patches on top of PHP 5.6.30 pidgin (2.11.0-0+deb8u2) jessie-security; urgency=high . * Non-maintainer upload by the Security Team. * CVE-2017-2640: Out-of-bound memory access fixed by ported upstream patch from 2.12.0 plv8 (1.4.2.ds-2+deb8u1) jessie; urgency=high . * Security bugfix picked from 1.4.9: Check for permission to call functions. postfix (2.11.3-1+deb8u2) stable; urgency=medium . * Add fixes in makedefs to recognize Linux 4 as the LINUX3 system type so the package will build with both jessie and jessie-bpo/stretch kernels postfix (2.11.3-1+deb8u1) stable; urgency=medium . * Add delmap to .prerm for all packages that contain map data types exposed through external .so files so that upgrades to stretch (where the associated files have moved) will be functional (Closes: #859805) postgresql-9.4 (9.4.11-0+deb8u2) jessie; urgency=medium . * Paper over ULP regression test differences in the "point" test on 32-bit powerpc on Debian Jessie. The very same code worked previously and in fact continues to work on Debian Sid, so it doesn't seem to be PostgreSQL's fault that these test results now suffer from rounding differences. postgresql-9.4 (9.4.11-0+deb8u1) jessie; urgency=medium . * New upstream version. . + Fix a race condition that could cause indexes built with CREATE INDEX CONCURRENTLY to be corrupt (Pavan Deolasee, Tom Lane) . If CREATE INDEX CONCURRENTLY was used to build an index that depends on a column not previously indexed, then rows inserted or updated by transactions that ran concurrently with the CREATE INDEX command could have received incorrect index entries. If you suspect this may have happened, the most reliable solution is to rebuild affected indexes after installing this update. postgresql-9.4 (9.4.11-0+deb8u1~bpo7+1) wheezy-backports; urgency=medium . * Rebuild for wheezy-backports. * Drop logical/reorderbuffer patch. . postgresql-9.4 (9.4.11-0+deb8u1) jessie; urgency=medium . * New upstream version. . + Fix a race condition that could cause indexes built with CREATE INDEX CONCURRENTLY to be corrupt (Pavan Deolasee, Tom Lane) . If CREATE INDEX CONCURRENTLY was used to build an index that depends on a column not previously indexed, then rows inserted or updated by transactions that ran concurrently with the CREATE INDEX command could have received incorrect index entries. If you suspect this may have happened, the most reliable solution is to rebuild affected indexes after installing this update. . postgresql-9.4 (9.4.10-0+deb8u1) jessie; urgency=medium . * New upstream version. . If your installation has been affected by the bug described in the first changelog entry below, then after updating you may need to take action to repair corrupted free space maps. . + Fix WAL-logging of truncation of relation free space maps and visibility maps (Pavan Deolasee, Heikki Linnakangas) . It was possible for these files to not be correctly restored during crash recovery, or to be written incorrectly on a standby server. Bogus entries in a free space map could lead to attempts to access pages that have been truncated away from the relation itself, typically producing errors like could not read block XXX: read only 0 of 8192 bytes. Checksum failures in the visibility map are also possible, if checksumming is enabled. . Procedures for determining whether there is a problem and repairing it if so are discussed at https://wiki.postgresql.org/wiki/Free_Space_Map_Problems. . postgresql-9.4 (9.4.9-0+deb8u1) jessie-security; urgency=medium . * New upstream security release. . + Fix possible mis-evaluation of nested CASE-WHEN expressions (Heikki Linnakangas, Michael Paquier, Tom Lane) . A CASE expression appearing within the test value subexpression of another CASE could become confused about whether its own test value was null or not. Also, inlining of a SQL function implementing the equality operator used by a CASE expression could result in passing the wrong test value to functions called within a CASE expression in the SQL function's body. If the test values were of different data types, a crash might result; moreover such situations could be abused to allow disclosure of portions of server memory. (CVE-2016-5423) . + Fix client programs' handling of special characters in database and role names (Noah Misch, Nathan Bossart, Michael Paquier) . Numerous places in vacuumdb and other client programs could become confused by database and role names containing double quotes or backslashes. Tighten up quoting rules to make that safe. Also, ensure that when a conninfo string is used as a database name parameter to these programs, it is correctly treated as such throughout. . Fix handling of paired double quotes in psql's \connect and \password commands to match the documentation. . Introduce a new -reuse-previous option in psql's \connect command to allow explicit control of whether to re-use connection parameters from a previous connection. (Without this, the choice is based on whether the database name looks like a conninfo string, as before.) This allows secure handling of database names containing special characters in pg_dumpall scripts. . pg_dumpall now refuses to deal with database and role names containing carriage returns or newlines, as it seems impractical to quote those characters safely on Windows. In future we may reject such names on the server side, but that step has not been taken yet. . These are considered security fixes because crafted object names containing special characters could have been used to execute commands with superuser privileges the next time a superuser executes pg_dumpall or other routine maintenance operations. (CVE-2016-5424) . postgresql-9.4 (9.4.8-0+deb8u1) jessie; urgency=medium . * New upstream bugfix release. python-bottle (0.12.7-1+deb8u2) jessie-security; urgency=medium . * Add patch for string type bug (Closes: #850176) python-cryptography (0.6.1-1+deb8u1) stable; urgency=high . * Stable update. * Backport the fix for CVE-2016-9243 (HKDF returns an empty byte string for small key sizes). * Fix FTBFS due to SSL2 method detection (closes: #849802). python-django (1.7.11-1+deb8u2) jessie-security; urgency=high . * SECURITY UPDATE: - CVE-2016-9013: User with hardcoded password created when running tests on Oracle - CVE-2016-9014: DNS rebinding vulnerability when DEBUG=True (Closes: #842856) - CVE-2017-7233: Open redirect and possible XSS attack via user-supplied numeric redirect URLs (Closes: #859515) - CVE-2017-7234: Open redirect vulnerability in django.views.static.serve() (Closes: #859516) python-pysaml2 (2.0.0-1+deb8u1) jessie-security; urgency=medium . * Fix XXE issues on anything where pysaml2 parses XML directly: - CVE-2016-10127: backporting upstream patch (Closes: #850716). - add python-defusedxml as runtime depends. - switch debian/gbp.conf to use debian/jessie as packaging branch. * Add python-pymongo as (build-)depends. r-base (3.1.1-1+deb8u1) jessie-security; urgency=high . * src/library/grDevices/src/devPS.c: Apply upstream commits r71664 and r71667 related to CVE-2016-8714 reported as TALOS-2016-0227 rabbitmq-server (3.3.5-1.1+deb8u1) jessie-security; urgency=medium . * CVE-2016-9877: apply backported upstream patch (Closes: #849849). radare2 (0.9.6-3.1+deb8u1) stable; urgency=medium . * Add patches to fix security bug (Closes: #856063) - CVE-2017-6197 The r_read_* functions in libr/include/r_endian.h in radare2 1.2.1 allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted binary file, as demonstrated by the r_read_le32 function. ruby-archive-tar-minitar (0.5.2-2+deb8u1) jessie-security; urgency=high . * Non-maintainer upload by the Security Team. * CVE-2016-10173: directory traversal vulnerability (Closes: #853249) ruby-zip (1.1.6-1+deb8u1) jessie-security; urgency=high . * Non-maintainer upload by the Security Team. . [ Antonio Terceiro ] * debian/patches/ftbfs-jessie.patch: fix build failure on jessie . [ Salvatore Bonaccorso ] * CVE-2017-5946: directory traversal vulnerability in Zip::File component (Closes: #856269) samba (2:4.2.14+dfsg-0+deb8u5) jessie-security; urgency=high . * This is a security release in order to fix regressions from CVE-2017-2619 * Fix "follow symlink = no" (Closes: #858564) - s3: smbd: Fix incorrect logic exposed by fix for the security bug 12496 (CVE-2017-2619). - s3: smbd: Fix "follow symlink = no" regression part 2. - s3: smbd: Fix "follow symlink = no" regression part 2. * Fix shadow_copy2 (Closes: #858648, #858590) - vfs_shadow_copy: handle non-existant files and wildcards - vfs_shadow_copy2: fix crash in 4.2.x backport - vfs_shadow_copy2: add a blackbox test suite - s3: libsmb: Correctly align create contexts in a create call. - s3: libsmb: Add return args to clistr_is_previous_version_path(). - s3: libsmb: Add cli_smb2_shadow_copy_data() function that gets shadow copy info over SMB2. - s3: libsmb: Plumb new SMB2 shadow copy call into cli_shadow_copy_data(). - s3: libsmb: Add the capability to find a @GMT- path in an SMB2 create and transform to a timewarp token. - s2-selftest: run shadow_copy2 test both in NT1 and SMB3 modes - selftest: add content to files created during shadow_copy2 test - selftest: check file readability in shadow_copy2 test - selftest: test listing directories inside snapshots * Fix `net ads join` freeze when run a second time (Closes: #859101) since 4.2 - libads: Fix deadlock when re-joining a domain and updating keytab samba (2:4.2.14+dfsg-0+deb8u4) jessie-security; urgency=high . * Non-maintainer upload by the Security Team. * Add additional changes required for the CVE-2017-2619 fix - s3/smbd: re-open directory after dptr_CloseDir() - s4/torture: add SMB2_FIND tests with SMB2_CONTINUE_FLAG_REOPEN flag samba (2:4.2.14+dfsg-0+deb8u3) jessie-security; urgency=high . * This is a security release in order to address the following defects: - CVE-2017-2619: symlink race permits opening files outside share directory * CVE-2017-2619 requires the following changes: - s3: vfs: dirsort doesn't handle opendir of "." correctly. - s3: smbd: Correctly canonicalize any incoming shadow copy path. - s3: lib: Add canonicalize_absolute_path(). - s3: smbd: Make set_conn_connectpath() call canonicalize_absolute_path(). - s3: VFS: shadow_copy2: Correctly initialize timestamp and stripped variables. - s3: VFS: shadow_copy2: Ensure pathnames for parameters are correctly relative and terminated. - s3: VFS: shadow_copy2: Fix length comparison to ensure we don't overstep a length. - s3: VFS: shadow_copy2: Add two new variables to the config data. Not yet used. - s3: VFS: shadow_copy2: Add a wrapper function to call the original shadow_copy2_strip_snapshot(). - s3: VFS: shadow_copy2: Change a parameter name. - s3: VFS: shadow_copy2: Add two currently unused functions to make pathnames absolute or relative to $cwd. - s3: VFS: shadow_copy2: Fix chdir to store off the needed private variables. - vfs_shadow_copy2: add shadow_copy2_do_convert() - vfs_shadow_copy2: fix case where snapshots are outside the share - s3: VFS: Allow shadow_copy2_connectpath() to return the cached path derived from $cwd. - s3: VFS: Ensure shadow:format cannot contain a / path separator. - s3: VFS: Add utility function check_for_converted_path(). - s3: VFS: shadow_copy2: Fix module to work with variable current working directory. - s3: VFS: shadow_copy2: Fix a memory leak in the connectpath function. - s3: VFS: shadow_copy2: Fix usage of saved_errno to only set errno on error. - s3: VFS: Don't allow symlink, link or rename on already converted paths. - s3: VFS: vfs_streams_xattr.c: Make streams_xattr_open() store the same path as streams_xattr_recheck(). - vfs_streams_xattr: use fsp, not base_fsp - s3: vfs: streams_depot. Use conn->connectpath not conn->cwd. - s3: smbd: Create wrapper function for OpenDir in preparation for making robust. - s3: smbd: Opendir_internal() early return if SMB_VFS_OPENDIR failed. - s3: smbd: Create and use open_dir_safely(). Use from OpenDir(). - s3: smbd: OpenDir_fsp() use early returns. - s3: smbd: OpenDir_fsp() - Fix memory leak on error. - s3: smbd: Move the reference counting and destructor setup to just before retuning success. - s3: smbd: Correctly fallback to open_dir_safely if FDOPENDIR not supported on system. - s3: smbd: Remove O_NOFOLLOW guards. We insist on O_NOFOLLOW existing. - s3: smbd: Move special handling of symlink errno's into a utility function. - s3: smbd: Add the core functions to prevent symlink open races. - s3: smbd: Use the new non_widelink_open() function. sane-backends (1.0.24-8+deb8u2) stable; urgency=medium . * CVE-2017-6318: - New debian/patches/0500-CVE-2017-6318.patch + cherry-picked from upstream to fix memory corruption and information leakage (Closes: #854804). sendmail (8.14.4-8+deb8u2) jessie; urgency=medium . * QA upload. * Only touch files as smmsp:smmsp in /var/run/sendmail/stampdir (writable by group smmsp) to avoid possible privilege escalation. (Closes: #841257) * Use lockfile-create (from lockfile-progs) instead of touch to manage the cronjob lockfiles. * sendmail-base: Add Depends: netbase for /etc/services. shadow (1:4.2-3+deb8u3) jessie-security; urgency=high . * Fix integer overflow in getulong.c (CVE-2016-6252) (Closes: #832170) * Refresh patches * Add myself to uploaders replacing Nicolas FRANCOIS (Nekral) shadow (1:4.2-3+deb8u2) jessie-security; urgency=high . * Non-maintainer upload by the Security Team. * su: properly clear child PID (CVE-2017-2616) (Closes: #855943) sitesummary (0.1.17+deb8u3) jessie; urgency=medium . [ Wolfgang Schweer ] * Fix d/sitesummary.prerm and provide mandatory facilities. Cherrypicked from commit 3cff262 (master branch / 0.1.21 release). (Closes: #823688). sitesummary (0.1.17+deb8u2) jessie-security; urgency=high . * Backport RC fix from unstable. . [ Wolfgang Schweer ] * Adjust sitesummary-upload to use CRLF (\r\n) line endings to be compliant with apache 2.4.25 security fixes for HTTP requests. (Closes: #852623). smemstat (0.01.10-2) stable; urgency=medium . * Fix null ptr dereference when UID can't be read (Closes: #852070) spice (0.12.5-1+deb8u4) jessie-security; urgency=high . * Non-maintainer upload by the Security Team. * Prevent possible DoS attempts during protocol handshake (CVE-2016-9578) * Prevent integer overflows in capability checks (CVE-2016-9578) * main-channel: Prevent overflow reading messages from client (CVE-2016-9577) spip (3.0.17-2+deb8u3) jessie; urgency=medium . * Document CVE in previous changelog entry * Update security screen to 1.3.0 * Backport security fixes from 3.0.23 - Multiple XSS issues * Backport security fixes from 3.0.24 - Server side request forgery (SSRF) attacks via the var_url parameter [CVE-2016-7999] - Directory traversal vulnerability in ecrire/exec/valider_xml.php [CVE-2016-7982] - Execution of arbitrary PHP code by authenticated users [CVE-2016-7998] - Cross-site request forgery (CSRF) vulnerability in ecrire/exec/valider_xml.php [CVE-2016-7980] - Cross-site scripting (XSS) vulnerability in valider_xml.php [CVE-2016-7981] * Backport security fixes from 3.2-alpha-1 - Reflected Cross Site Scripting Vulnerabilities in /ecrire/exec/puce_statut.php and /ecrire/exec/info_plugin.php [CVE-2016-9997] [CVE-2016-9998] (Closes: #848641) - Cross-site scripting (XSS) vulnerability in ecrire/exec/plonger.php [CVE-2016-9152] (Closes: #847156) * Backport security fix from 3.0.25 - Execution of arbitrary PHP code sus (7.20161013~deb8u1) jessie; urgency=medium . * Non-maintainer upload. * Rebuild for jessie. * Revert debhelper to compat level 9. . sus (7.20161013) unstable; urgency=medium . * New upstream release: contains SUSv4 TC2; update checksum (Closes: #840318) * urgency=medium since susv4 is no longer installable * debian/compat: Use debheloper v10 * debian/control: - Bump Standards-Version to 3.9.8 (No changes needed) sus (7.20160312) unstable; urgency=medium . * The upstream tarball for SUSv4 TC1 changed; update checksum (Closes: #817819) * urgency=medium since susv4 is no longer installable * debian/control: - Bump Standards-Version to 3.9.7 (No changes needed) svgsalamander (0~svn95-1+deb8u1) jessie-security; urgency=high . * Team upload. * Add patch by Vincent Privat to fix CVE-2017-5617 (SSRF). (closes: #853134) synergy (1.4.16-1+deb8u1) jessie; urgency=medium . * Added ensure_non00_cursor.patch to fix a crash when synergyc starts. Closes: #854567 systemd (215-17+deb8u7) stable; urgency=medium . * bus: Fix bus_print_property() to use "int" for booleans. This fixes the problem that on big endian architectures, like mips or powerpc, boolean properties that were retrieved via sd-bus were always set to 0 (no). (Closes: #774430) * systemctl: Add is-enabled support for SysV init scripts. The update-rc.d utility does not provide is-enabled, so implement it ourselves in systemctl using the same logic as systemd-sysv-install from Stretch. (Closes: #809405) * core: If the start command vanishes during runtime don't hit an assert. This can happen when the configuration is changed and reloaded while we are executing a service. Let's not hit an assert in this case. (Closes: #856985) * automount: If an automount unit is masked, don't react to activation anymore. Otherwise we'll hit an assert sooner or later. (Closes: #856035) tcpdump (4.9.0-1~deb8u1) jessie-security; urgency=high . * Backport to jessie: + Re-enable crypto support. + Disable tests that require newer libpcap features: Geneve (1.7) and file format version checks (1.8), and relax B-D on libpcap0.8-dev. . tcpdump (4.9.0-1) unstable; urgency=high . * New upstream security release, fixing the following: + CVE-2016-7922: buffer overflow in print-ah.c:ah_print(). + CVE-2016-7923: buffer overflow in print-arp.c:arp_print(). + CVE-2016-7924: buffer overflow in print-atm.c:oam_print(). + CVE-2016-7925: buffer overflow in print-sl.c:sl_if_print(). + CVE-2016-7926: buffer overflow in print-ether.c:ethertype_print(). + CVE-2016-7927: buffer overflow in print-802_11.c:ieee802_11_radio_print(). + CVE-2016-7928: buffer overflow in print-ipcomp.c:ipcomp_print(). + CVE-2016-7929: buffer overflow in print-juniper.c:juniper_parse_header(). + CVE-2016-7930: buffer overflow in print-llc.c:llc_print(). + CVE-2016-7931: buffer overflow in print-mpls.c:mpls_print(). + CVE-2016-7932: buffer overflow in print-pim.c:pimv2_check_checksum(). + CVE-2016-7933: buffer overflow in print-ppp.c:ppp_hdlc_if_print(). + CVE-2016-7934: buffer overflow in print-udp.c:rtcp_print(). + CVE-2016-7935: buffer overflow in print-udp.c:rtp_print(). + CVE-2016-7936: buffer overflow in print-udp.c:udp_print(). + CVE-2016-7937: buffer overflow in print-udp.c:vat_print(). + CVE-2016-7938: integer overflow in print-zeromq.c:zmtp1_print_frame(). + CVE-2016-7939: buffer overflow in print-gre.c, multiple functions. + CVE-2016-7940: buffer overflow in print-stp.c, multiple functions. + CVE-2016-7973: buffer overflow in print-atalk.c, multiple functions. + CVE-2016-7974: buffer overflow in print-ip.c, multiple functions. + CVE-2016-7975: buffer overflow in print-tcp.c:tcp_print(). + CVE-2016-7983: buffer overflow in print-bootp.c:bootp_print(). + CVE-2016-7984: buffer overflow in print-tftp.c:tftp_print(). + CVE-2016-7985: buffer overflow in print-calm-fast.c:calm_fast_print(). + CVE-2016-7986: buffer overflow in print-geonet.c, multiple functions. + CVE-2016-7992: buffer overflow in print-cip.c:cip_if_print(). + CVE-2016-7993: a bug in util-print.c:relts_print() could cause a buffer overflow in multiple protocol parsers (DNS, DVMRP, HSRP, IGMP, lightweight resolver protocol, PIM). + CVE-2016-8574: buffer overflow in print-fr.c:frf15_print(). + CVE-2016-8575: buffer overflow in print-fr.c:q933_print(). + CVE-2017-5202: buffer overflow in print-isoclns.c:clnp_print(). + CVE-2017-5203: buffer overflow in print-bootp.c:bootp_print(). + CVE-2017-5204: buffer overflow in print-ip6.c:ip6_print(). + CVE-2017-5205: buffer overflow in print-isakmp.c:ikev2_e_print(). + CVE-2017-5341: buffer overflow in print-otv.c:otv_print(). + CVE-2017-5342: a bug in multiple protocol parsers (Geneve, GRE, NSH, OTV, VXLAN and VXLAN GPE) could cause a buffer overflow in print-ether.c:ether_print(). + CVE-2017-5482: buffer overflow in print-fr.c:q933_print(). + CVE-2017-5483: buffer overflow in print-snmp.c:asn1_parse(). + CVE-2017-5484: buffer overflow in print-atm.c:sig_print(). + CVE-2017-5485: buffer overflow in addrtoname.c:lookup_nsap(). + CVE-2017-5486: buffer overflow in print-isoclns.c:clnp_print(). * Re-enable all tests and bump build-dep on libpcap0.8-dev to >= 1.8 accordingly. * Switch Vcs-Git URL to the https one. * Adjust lintian override name about dh 9. . tcpdump (4.8.1-2) unstable; urgency=medium . * Disable new HNCP test, which fails on some buildds for some as-of-yet unexplained reason. . tcpdump (4.8.1-1) unstable; urgency=medium . * New upstream release. * Re-enable Geneve tests (disabled in 4.7.4-1) and bump build-dep on libpcap0.8-dev to >= 1.7 accordingly. * Disable new pcap version tests which require libpcap 1.8+. . tcpdump (4.7.4-3) unstable; urgency=medium . * Use dh-autoreconf instead of calling autoconf directly and patching config.{guess,sub}. * Call dh_auto_configure instead of configure in override target, patch by Helmut Grohne (closes: #837951). . tcpdump (4.7.4-2) unstable; urgency=medium . * Disable crypto support as it causes FTBFS with OpenSSL 1.1.x and we don't have a working fix upstream yet (closes: #828569). * Bump Standards-Version to 3.9.8. * Use cgit URL for Vcs-Browser. . tcpdump (4.7.4-1) unstable; urgency=medium . * New upstream release. * Disable two geneve tests that require libpcap 1.7+. * Bump Standards-Version to 3.9.6. tcpdump (4.8.1-2) unstable; urgency=medium . * Disable new HNCP test, which fails on some buildds for some as-of-yet unexplained reason. tcpdump (4.8.1-1) unstable; urgency=medium . * New upstream release. * Re-enable Geneve tests (disabled in 4.7.4-1) and bump build-dep on libpcap0.8-dev to >= 1.7 accordingly. * Disable new pcap version tests which require libpcap 1.8+. tcpdump (4.7.4-3) unstable; urgency=medium . * Use dh-autoreconf instead of calling autoconf directly and patching config.{guess,sub}. * Call dh_auto_configure instead of configure in override target, patch by Helmut Grohne (closes: #837951). tcpdump (4.7.4-2) unstable; urgency=medium . * Disable crypto support as it causes FTBFS with OpenSSL 1.1.x and we don't have a working fix upstream yet (closes: #828569). * Bump Standards-Version to 3.9.8. * Use cgit URL for Vcs-Browser. tcpdump (4.7.4-1) unstable; urgency=medium . * New upstream release. * Disable two geneve tests that require libpcap 1.7+. * Bump Standards-Version to 3.9.6. tcpdump (4.7.4-1~bpo70+1) wheezy-backports-sloppy; urgency=low . * Rebuild for wheezy-backports-sloppy. tcpdump (4.7.4-1~bpo8+1) jessie-backports; urgency=low . * Rebuild for jessie-backports. texlive-base (2014.20141024-2+deb8u1) jessie-security; urgency=high . * remove mpost from list of shell_escape_commands (CVE-2016-10243) tiff (4.0.3-12.3+deb8u2) jessie-security; urgency=high . * Backport fix for the following vulnerabilities: - CVE-2016-5314 , CVE-2016-5315 , CVE-2016-5316, CVE-2016-5317: several out of bound writes in the rgb2ycbcr tool (closes: #830700), - CVE-2016-5320, rgb2ycbcr: command excution, - CVE-2016-5875, heap-based buffer overflow when using the PixarLog compression format, - CVE-2016-6223, information leak in libtiff/tif_read.c (closes: #842270), - CVE-2016-5321: DumpModeDecode() DoS, - CVE-2016-5323: _TIFFFax3fillruns() NULL pointer dereference, - CVE-2016-3945: out-of-bounds write in the tiff2rgba tool, - CVE-2016-3990: out-of-bounds write in horizontalDifference8() in tiffcp tool (closes: #836570), - CVE-2016-3991: heap-based buffer overflow in the loadImage function in the tiffcrop tool, - CVE-2016-5322: extractContigSamplesBytes: out-of-bounds read in the tiffcrop tool, - CVE-2016-3623: rgb2ycbcr tool DoS by setting the (1) '-v' or (2) '-h' parameter to 0 , - CVE-2016-9533: PixarLog horizontalDifference heap-buffer-overflow, - CVE-2016-9534: TIFFFlushData1 heap-buffer-overflow, - CVE-2016-9535: Predictor heap-buffer-overflow, - CVE-2016-9536: t2p_process_jpeg_strip heap-buffer-overflow, - CVE-2016-9537: out-of-bounds write vulnerabilities in buffers of tiffcrop, - CVE-2016-9538: read of undefined buffer in readContigStripsIntoBuffer() due to uint16 overflow, - CVE-2016-9540: out-of-bounds write on tiled images, - CVE-2016-3624: rgb2ycbcr tool DoS by setting the '-v' option to -1 , - CVE-2016-3622: divide-by-zero error in the tiff2rgba tool (closes: #820365), - CVE-2016-5652: fix write buffer overflow of 2 bytes on JPEG compressed images (closes: #842361), - CVE-2016-9453: out-of-bounds write memcpy in tiff2pdf tool, - CVE-2016-9273: read outsize of array in tiffsplit tool (closes: #844013), - CVE-2016-9532: heap buffer overflow via writeBufferToSeparateStrips in the tiffcrop tool (closes: #844057), - CVE-2016-9297: potential read outside buffer in _TIFFPrintField() (closes: #844226), - CVE-2016-9448: invalid read of size 1 in TIFFFetchNormalTag, regression of CVE-2016-9297 , - CVE-2016-10092: heap-buffer-overflow in tiffcrop, - CVE-2016-10093: uint32 underflow/overflow that can cause heap-based buffer overflow in tiffcp, - CVE-2016-10094: off-by-one error in tiff2pdf. * Fix CVE-2015-8668 (closes: #842046), CVE-2016-3619 (closes: #820362), CVE-2016-3620 (closes: #820363), CVE-2016-3621 (closes: #820364) and CVE-2016-5319 with removing bmp2tiff. * Fix CVE-2016-3186 (closes: #819972) and CVE-2016-5102 with removing gif2tiff. * Fix CVE-2016-3631 (closes: #820366), CVE-2016-3632 , CVE-2016-3633 , CVE-2016-3634 and CVE-2016-8331 with removing thumbnail. * Remove no longer supported ras2tiff tool. tnef (1.4.9-1+deb8u2) jessie-security; urgency=high . * Non-maintainer upload by the Wheezy LTS Team. * while fixing the CVEs, upstream introduced a regression fix-regression-1.patch and fix-regression-2.patch take care of that (Closes: #857342) tnef (1.4.9-1+deb8u1) jessie-security; urgency=high . * Non-maintainer upload by the Wheezy LTS Team. (Closes: #856117) * CVE-2017-6307 An issue was discovered in tnef before 1.4.13. Two OOB Writes have been identified in src/mapi_attr.c:mapi_attr_read(). These might lead to invalid read and write operations, controlled by an attacker. * CVE-2017-6308 An issue was discovered in tnef before 1.4.13. Several Integer Overflows, which can lead to Heap Overflows, have been identified in the functions that wrap memory allocation. * CVE-2017-6309 An issue was discovered in tnef before 1.4.13. Two type confusions have been identified in the parse_file() function. These might lead to invalid read and write operations, controlled by an attacker. * CVE-2017-6310 An issue was discovered in tnef before 1.4.13. Four type confusions have been identified in the file_add_mapi_attrs() function. These might lead to invalid read and write operations, controlled by an attacker. tomcat7 (7.0.56-3+deb8u9) jessie-security; urgency=high . * Team upload. * Add BZ57544-infinite-loop-part2.patch. Fix regression due to an incomplete fix for CVE-2017-6056. See #854551 for further information. tomcat7 (7.0.56-3+deb8u8) jessie-security; urgency=high . * Team upload. * Add BZ57544-infinite-loop.patch: It was found that https GET requests could trigger an infinite loop and thus cause a denial-of-service. (Closes: #854551) tomcat8 (8.0.14-1+deb8u8) jessie-security; urgency=high . * Team upload. * Add BZ57544-infinite-loop-part2.patch. Fix regression (400 HTTP errors) due to an incomplete fix for CVE-2017-6056. See #854551 for further information. tomcat8 (8.0.14-1+deb8u7) jessie-security; urgency=high . * Team upload. * Add BZ57544-infinite-loop.patch: It was found that https GET requests could trigger an infinite loop and thus cause a denial-of-service. (Closes: #851304) transmissionrpc (0.11-1+deb8u1) stable; urgency=medium . * Add dependency to python{3,}-six (Closes: #851247) tryton-server (3.4.0-3+deb8u3) jessie-security; urgency=high . * Add 05_CVE-2017-0360_sanitize_file_open.patch (CVE-2017-0360). Sanitize path in file_open against suffix. The patch for CVE-2016-1242 did not cover all cases. Indeed there is a case where an external file could be retrieved if it is stored in a folder next to the root of trytond starting with the same name but with a suffix. Example: '../trytond_suffix'. tzdata (2017b-0+deb8u1) stable; urgency=medium . * New upstream version, affecting the following future timestamp: - Haiti resumed observance of DST in 2017. tzdata (2017a-1) unstable; urgency=medium . [ Aurelien Jarno ] * New upstream version, affecting the following future timestamp: - Mongolia no longer observes DST. - Magallanes region diverges from Santiago starting 2017-05-13, the America/Punta_Arenas zone has been added. * Update Dutch debconf translation, by Frans Spiesschaert. Closes: #849234. * Update Japanese debconf translation, by victory . * Update French debconf translation, by Baptiste Jammet. Closes: #851589. * Remove /etc/localtime on purge. Closes: #854141. * Update Danish debconf translation, by Joe Hansen. Closes: #856785. tzdata (2017a-0+deb8u1) stable; urgency=medium . * New upstream version, affecting the following future timestamp: - Mongolia no longer observes DST. - Magallanes region diverges from Santiago starting 2017-05-13, the America/Punta_Arenas zone has been added. * Allow partially translated choices in debconf templates. * Update translations from the sid package. tzdata (2016j-2) unstable; urgency=medium . [ Aurelien Jarno ] * Allow partially translated choices in debconf templates. * Update Dutch debconf translation, by Frans Spiesschaert. Closes: #845691. tzdata (2016j-1) unstable; urgency=medium . [ Aurelien Jarno ] * New upstream version, affecting the following future timestamp: - Saratov, Russia switches from +03 to +04 on 2016-12-04 at 02:00. * Update templates and translations. unzip (6.0-16+deb8u3) jessie; urgency=medium . * Update patch 12-cve-2014-9636-test-compr-eb to follow revised patch "unzip-6.0_overflow3.diff" from mancha (patch author). * Fix CVE-2014-9913, buffer overflow in unzip. Closes: #847485. Patch by the author. * Fix CVE-2016-9844, buffer overflow in zipinfo. Closes: #847486. Patch by the author. uwsgi (2.0.7-1+deb8u1) jessie; urgency=medium . * Add patch cherry-picked upstream to fix compilation with recent glibc. Closes: Bug#854535. Thanks to Masahiro Yamada. uzbek-wordlist (0.6-3.2+deb8u1) jessie-security; urgency=medium . * Non-maintainer upload. * Drop unversioned conflict on thunderbird viewvc (1.1.22-1+deb8u1) jessie-security; urgency=high . * Non-maintainer upload * [SECURITY] Fix "CVE-2017-5938" (escape nav_data name to avoid XSS attack) vim (2:7.4.488-7+deb8u3) jessie; urgency=medium . * Backport upstream patches v8.0.0377 & v8.0.0378, to fix buffer overflows when reading corrupted undo files. (Closes: #856266, CVE-2017-6349, CVE-2017-6350) vim (2:7.4.488-7+deb8u2) jessie-security; urgency=high . * Backport patch 8.0.0322 to fix a buffer overflow if a spellfile has an invalid length in it. (Closes: #854969, CVE-2017-5953) vlc (2.2.5-1~deb8u1) jessie; urgency=medium . * New upstream release. - adpcm: Fix heap corruption. - dvd: Fix heap corruption. - asf: Fix integer overflow. - mp4: Fix divide-by-zero error and heap buffer overflow. - flac: Fix integer overflow and NULL pointer dereference. - ftp: Fix scan string injection. - voc: Fix divide-by-zero error. - xa: Fix divide-by-zero error. - smf: Fix divide-by-zero error. - nsvf: Fix infinite loop. - aiff: Fix infinite loop. vlc (2.2.4-14) unstable; urgency=medium . [ Mateusz Łukasik ] * Update to ffmpeg 2.8.11. vlc (2.2.4-13) unstable; urgency=medium . * debian/control: Switch to libopenmpt's libmodplug comat layer. vlc (2.2.4-12) unstable; urgency=medium . * Update to ffmpeg 2.8.10. vlc (2.2.4-11) unstable; urgency=medium . * debian/patches: Apply upstream to fix VLSub incorrectly announcing HTTP 1.1 support. (Closes: #847559) * debian/control: Make vlc-plugin-skins2 depend on vlc-plugin-qt. vlc (2.2.4-10) unstable; urgency=medium . * debian/{control,*.links,*.install}: Move qvlc and svlc binaries to vlc-plugin-qt and vlc-plugin-skins2. Also add vlc-bin to Recommends. (Closes: #841530) * Update to ffmpeg 2.8.9. vlc (2.2.4-9) unstable; urgency=medium . * debian/control: Drop dh_buildinfo. This is now automatically recorded by dpkg. * debian/bug-control: Update list of packages. * debian/{control,rules,vlc-plugin-base.install}: Remove libschroedinger plugin since the library is about to be removed. See #845037 for details. vlc (2.2.4-8) unstable; urgency=medium . * debian/NEWS: Remove NEWS entry on package split. On upgrade, new Recommends are installed by apt anyway. * debian/control: - Switch from liblircclient-dev to liblirc-dev. - Remove shlibs:Depends from vlc's Depends. * debian/rules: Add --disable-neon when building with noopt. * debian/patches: - drop-check-qt-check.patch: Remove obsolete patches. - multiple: Add upstream patches to generate default skins2 skin reproducibly. (Closes: #841525) vlc (2.2.4-7) unstable; urgency=medium . * Split plugins and binaries into different packages. (Closes: #513177) - libvlc-bin: constains vlc-cache-gen and triggers plugin cache generation. - vlc-bin: the VLC binaries. - vlc-plugin-base: "base" set of plugins. - vlc-plugin-qt: the Qt interface. - vlc-plugin-skins2: the Skins2 interface. - vlc-plugin-access-extra: extra access plugins. - vlc-plugin-visualization: visualization plugins. - vlc-plugin-video-splitter: video splitter plugins. - vlc-plugin-video-output: video output plugins. - vlc-l10n: translations. - vlc: contains desktop integration and pulls in most plugins as before. - vlc-nox: transitional dummy package * Move libraries and plugins to multi-arch locations. - debian/control: + Add M-A: same for library and plugin packages. + Remove most Breaks and Replaces as they are now obsolete. - debian/rules: Do not override libdir. - debian/*.{lintian-overrides,install}: Update paths for M-A locations. vlc (2.2.4-6) unstable; urgency=medium . * debian/*.maintscript: Bump all versions to fix symlink-to-directory conversions. (Closes: #814646) vlc (2.2.4-5) unstable; urgency=medium . * Update ffmpeg to 2.8.8. vlc (2.2.4-4) unstable; urgency=medium . [ Pino Toscano ] * Install solid actions in Frameworks location. (Closes: #834884) . [ Sebastian Ramacher ] * Bump debhelper compat to 10. vlc (2.2.4-3) unstable; urgency=medium . [ Mateusz Łukasik ] * debian/control: - Remove Clément Stenac from Uploaders. Thanks for your job! . [ Sebastian Ramacher ] * debian/patches/{vlc_atomic*,Fix-build-using-old-GCC-intrinsics}.patch: Fix FTBFS with GCC 6 (Closes: #831199) vlc (2.2.4-2) unstable; urgency=medium . * Build ffmpeg without libopenjpeg (Closes: #826827) - debian/control: Remove libopenjpeg-dev from B-D. - debian/rules: Build ffmpeg with --disable-libopenjpeg. * debian/rules: Revert workaround for zsh completion build failures on powerpc. The underlying issue seems to be fixed. vlc (2.2.4-1) unstable; urgency=medium . * New upstream release. * debian/patches: - g711-fix-dangling-pointer-fixes-16909.patch, adpcm-reject-invalid-QuickTime-IMA-files.patch, zsh-completion.patch, frenchtv-links.patch, fix-Hurd-build.patch, the-Hurd-also-uses-the-.so-extension-for-libraries.patch: Removed, all included upstream. - generated-mimetypes.patch: Upstream patch for auto-generated list of mime types. (Closes: #822245) * debian/{rules,vlc-nox.install}: No longer install old BluRay access plugin. (LP: #864933) * debian/rules: No longer disable i686 optimization on i386 architectures. webissues-server (0.8.5-3+deb8u1) jessie; urgency=medium . * QA Upload. * postrm purge: Check for ucf before calling it. (Closes: #677062) weechat (1.0.1-1+deb8u1) jessie-security; urgency=high . * Non-maintainer upload by the Security Team. * irc: fix parsing of DCC filename (CVE-2017-8073) (Closes: #861121) weechat (1.0.1-1+deb8u1~bpo70+1) wheezy-backports; urgency=low . * Rebuild for wheezy-backports. . weechat (1.0.1-1+deb8u1) jessie-security; urgency=high . * Non-maintainer upload by the Security Team. * irc: fix parsing of DCC filename (CVE-2017-8073) (Closes: #861121) wget (1.16-1+deb8u2) jessie; urgency=medium . * added upstream patch to fix CVE-2017-6508 closes: Bug#857073 wireshark (1.12.1+g01b65bf-4+deb8u11) jessie-security; urgency=high . [ Balint Reczey ] * security fixes from Wireshark 2.0.10: - The ASTERIX dissector could go into an infinite loop. Discovered by Antti Levomäki and Christian Jalio, Forcepoint. (CVE-2017-5596) - The DHCPv6 dissector could go into a large loop. Discovered by Antti Levomäki and Christian Jalio, Forcepoint.(CVE-2017-5597) * security fixes from Wireshark 2.0.11: - The NetScaler file parser could enter an infinite loop (CVE-2017-6467) - The NetScaler file parser could crash (CVE-2017-6468) - The LDSS dissector could crash (CVE-2017-6469) - The IAX2 dissector could enter an infinite loop (CVE-2017-6470) - The WSP dissector could enter an infinite loop (CVE-2017-6471) - The K12 file parser could crash (CVE-2017-6473) - The NetScaler file parser could enter an infinite loop (CVE-2017-6474) * security fixes from Wireshark 2.2.5: - The RTMPT dissector could enter an infinite loop (CVE-2017-6472) . [ Chris Lamb ] * CVE-2017-6014: Fix memory exhausion/infinite loop via malformed STANAG 4607 capture file. (Closes: #855408) wordpress (4.1+dfsg-1+deb8u13) jessie-security; urgency=medium . * Backport patches from 4.7.3 Closes: #857026 - CVE-2017-6814 Cross-site scripting (XSS) via media file metadata. Changeset 40155 - CVE-2017-6815 Control characters can trick redirect URL validation. Changeset 40190 - CVE-2017-6816 Unintended files can be deleted by administrators using the plugin deletion functionality. Changeset 40176 - CVE-2017-6817 Cross-site scripting (XSS) via video URL in YouTube embeds. Chamgeset 40167 * Not vulnerable: - CVE-2017-6819 Cross-site request forgery (CSRF) in Press This leading to excessive use of server resources. Press This introduced in 4.2 - CVE-2017-6818 Cross-site scripting (XSS) via taxonomy term names. wordpress (4.1+dfsg-1+deb8u12) jessie-security; urgency=high . * Backport patches from 4.7.1 Closes: #851310 - CVE-2016-10066 Potential Remote Command Execution (RCE) in PHPMailer - CVE-2017-5488 Authenticated Cross-Site scripting (XSS) in update-core.php - CVE-2017-5490 Stored Cross-Site Scripting (XSS) via Theme Name fallback - CVE-2017-5491 Post via Email Checks mail.example.com by Default - CVE-2017-5492 Accessibility Mode Cross-Site Request Forgery (CSRF) - CVE-2017-5493 Cryptographically Weak Pseudo-Random Number Generator - CVE-2017-5489 Cross-Site Request Forgery (CSRF) via Flash Upload Changesets 39838 and 39857, thanks Seb * Backport patches from 4.7.2 Closes: #852767 - CVE-2017-5610 The user interface for assigning taxonomy terms in Press This is shown to users who do not have permissions to use it. Changeset 39976 - CVE-2017-5611 WP_Query is vulnerable to a SQL injection (SQLi) Changeset 39962 - CVE-2017-5612 XSS in the posts list table Changeset 39985 * Not vulnerable - CVE-2017-5487 User Information Disclosure via REST API - API doesn't exist xmobar (0.22-1+deb8u1) jessie; urgency=medium . * Update weather feed URL (Closes: #835547) xshisen (1:1.51-4.1+deb8u1) jessie; urgency=medium . * QA upload. * Set maintainer to the QA team. * Fix frequent segfault on start, thanks Alexey Shilin. (Closes: #765504) yara (3.1.0-2+deb8u1) jessie; urgency=high . * Add patches for CVE-2016-10210, CVE-2016-10211, CVE-2017-5923, CVE-2017-5924 (Closes: #859821) zabbix (1:2.2.7+dfsg-2+deb8u2) jessie-security; urgency=medium . * CVE-2016-10134 (Closes: #850936) ====================================== Sat, 14 Jan 2017 - Debian 8.7 released ====================================== ========================================================================= [Date: Sat, 14 Jan 2017 10:51:10 +0000] [ftpmaster: Archive Administrator] Removed the following packages from stable: ctdb | 2.5.4+debian0-4+deb8u1 | source ------------------- Reason ------------------- [auto-cruft] obsolete source package ---------------------------------------------- ========================================================================= ========================================================================= [Date: Sat, 14 Jan 2017 10:38:25 +0000] [ftpmaster: Archive Administrator] Removed the following packages from stable: icedove-l10n | 1:38.0.1-1~deb8u1 | source icedove-l10n-all | 1:38.0.1-1~deb8u1 | all icedove-l10n-ar | 1:38.0.1-1~deb8u1 | all icedove-l10n-ast | 1:38.0.1-1~deb8u1 | all icedove-l10n-be | 1:38.0.1-1~deb8u1 | all icedove-l10n-bg | 1:38.0.1-1~deb8u1 | all icedove-l10n-bn-bd | 1:38.0.1-1~deb8u1 | all icedove-l10n-br | 1:38.0.1-1~deb8u1 | all icedove-l10n-ca | 1:38.0.1-1~deb8u1 | all icedove-l10n-cs | 1:38.0.1-1~deb8u1 | all icedove-l10n-da | 1:38.0.1-1~deb8u1 | all icedove-l10n-de | 1:38.0.1-1~deb8u1 | all icedove-l10n-el | 1:38.0.1-1~deb8u1 | all icedove-l10n-en-gb | 1:38.0.1-1~deb8u1 | all icedove-l10n-es-ar | 1:38.0.1-1~deb8u1 | all icedove-l10n-es-es | 1:38.0.1-1~deb8u1 | all icedove-l10n-et | 1:38.0.1-1~deb8u1 | all icedove-l10n-eu | 1:38.0.1-1~deb8u1 | all icedove-l10n-fi | 1:38.0.1-1~deb8u1 | all icedove-l10n-fr | 1:38.0.1-1~deb8u1 | all icedove-l10n-fy-nl | 1:38.0.1-1~deb8u1 | all icedove-l10n-ga-ie | 1:38.0.1-1~deb8u1 | all icedove-l10n-gd | 1:38.0.1-1~deb8u1 | all icedove-l10n-gl | 1:38.0.1-1~deb8u1 | all icedove-l10n-he | 1:38.0.1-1~deb8u1 | all icedove-l10n-hr | 1:38.0.1-1~deb8u1 | all icedove-l10n-hu | 1:38.0.1-1~deb8u1 | all icedove-l10n-hy-am | 1:38.0.1-1~deb8u1 | all icedove-l10n-id | 1:38.0.1-1~deb8u1 | all icedove-l10n-is | 1:38.0.1-1~deb8u1 | all icedove-l10n-it | 1:38.0.1-1~deb8u1 | all icedove-l10n-ja | 1:38.0.1-1~deb8u1 | all icedove-l10n-ko | 1:38.0.1-1~deb8u1 | all icedove-l10n-lt | 1:38.0.1-1~deb8u1 | all icedove-l10n-nb-no | 1:38.0.1-1~deb8u1 | all icedove-l10n-nl | 1:38.0.1-1~deb8u1 | all icedove-l10n-nn-no | 1:38.0.1-1~deb8u1 | all icedove-l10n-pa-in | 1:38.0.1-1~deb8u1 | all icedove-l10n-pl | 1:38.0.1-1~deb8u1 | all icedove-l10n-pt-br | 1:38.0.1-1~deb8u1 | all icedove-l10n-pt-pt | 1:38.0.1-1~deb8u1 | all icedove-l10n-rm | 1:38.0.1-1~deb8u1 | all icedove-l10n-ro | 1:38.0.1-1~deb8u1 | all icedove-l10n-ru | 1:38.0.1-1~deb8u1 | all icedove-l10n-si | 1:38.0.1-1~deb8u1 | all icedove-l10n-sk | 1:38.0.1-1~deb8u1 | all icedove-l10n-sl | 1:38.0.1-1~deb8u1 | all icedove-l10n-sq | 1:38.0.1-1~deb8u1 | all icedove-l10n-sr | 1:38.0.1-1~deb8u1 | all icedove-l10n-sv-se | 1:38.0.1-1~deb8u1 | all icedove-l10n-ta-lk | 1:38.0.1-1~deb8u1 | all icedove-l10n-tr | 1:38.0.1-1~deb8u1 | all icedove-l10n-uk | 1:38.0.1-1~deb8u1 | all icedove-l10n-vi | 1:38.0.1-1~deb8u1 | all icedove-l10n-zh-cn | 1:38.0.1-1~deb8u1 | all icedove-l10n-zh-tw | 1:38.0.1-1~deb8u1 | all Closed bugs: 838090 ------------------- Reason ------------------- RoQA; superseded by icedove ---------------------------------------------- ========================================================================= ========================================================================= [Date: Sat, 14 Jan 2017 10:38:47 +0000] [ftpmaster: Archive Administrator] Removed the following packages from stable: iceowl-l10n | 4.0.0.1-1~deb8u1 | source iceowl-l10n-bg | 4.0.0.1-1~deb8u1 | all iceowl-l10n-ca | 4.0.0.1-1~deb8u1 | all iceowl-l10n-cs | 4.0.0.1-1~deb8u1 | all iceowl-l10n-da | 4.0.0.1-1~deb8u1 | all iceowl-l10n-de | 4.0.0.1-1~deb8u1 | all iceowl-l10n-en-gb | 4.0.0.1-1~deb8u1 | all iceowl-l10n-es-ar | 4.0.0.1-1~deb8u1 | all iceowl-l10n-es-es | 4.0.0.1-1~deb8u1 | all iceowl-l10n-et | 4.0.0.1-1~deb8u1 | all iceowl-l10n-eu | 4.0.0.1-1~deb8u1 | all iceowl-l10n-fr | 4.0.0.1-1~deb8u1 | all iceowl-l10n-fy-nl | 4.0.0.1-1~deb8u1 | all iceowl-l10n-ga-ie | 4.0.0.1-1~deb8u1 | all iceowl-l10n-hr | 4.0.0.1-1~deb8u1 | all iceowl-l10n-hu | 4.0.0.1-1~deb8u1 | all iceowl-l10n-is | 4.0.0.1-1~deb8u1 | all iceowl-l10n-it | 4.0.0.1-1~deb8u1 | all iceowl-l10n-ja | 4.0.0.1-1~deb8u1 | all iceowl-l10n-ko | 4.0.0.1-1~deb8u1 | all iceowl-l10n-nl | 4.0.0.1-1~deb8u1 | all iceowl-l10n-nn-no | 4.0.0.1-1~deb8u1 | all iceowl-l10n-pl | 4.0.0.1-1~deb8u1 | all iceowl-l10n-ru | 4.0.0.1-1~deb8u1 | all iceowl-l10n-sk | 4.0.0.1-1~deb8u1 | all iceowl-l10n-sv-se | 4.0.0.1-1~deb8u1 | all iceowl-l10n-zh-cn | 4.0.0.1-1~deb8u1 | all iceowl-l10n-zh-tw | 4.0.0.1-1~deb8u1 | all Closed bugs: 838091 ------------------- Reason ------------------- RoQA; superseded by iceowl ---------------------------------------------- ========================================================================= ========================================================================= [Date: Sat, 14 Jan 2017 10:38:56 +0000] [ftpmaster: Archive Administrator] Removed the following packages from stable: icedtea-7-jre-jamvm | 7u75-2.5.4-2 | mips Closed bugs: 838092 ------------------- Reason ------------------- RoQA; NBS ---------------------------------------------- ========================================================================= ========================================================================= [Date: Sat, 14 Jan 2017 10:39:07 +0000] [ftpmaster: Archive Administrator] Removed the following packages from stable: icedtea-7-jre-jamvm | 7u79-2.5.6-1~deb8u1 | mipsel Closed bugs: 838093 ------------------- Reason ------------------- RoQA; NBS ---------------------------------------------- ========================================================================= ========================================================================= [Date: Sat, 14 Jan 2017 10:39:19 +0000] [ftpmaster: Archive Administrator] Removed the following packages from stable: openjdk-7-jre-zero | 7u79-2.5.6-1~deb8u1 | arm64 Closed bugs: 838094 ------------------- Reason ------------------- RoQA; NBS ---------------------------------------------- ========================================================================= ========================================================================= [Date: Sat, 14 Jan 2017 10:40:12 +0000] [ftpmaster: Archive Administrator] Removed the following packages from stable: ctdb-dbg | 2.5.4+debian0-4+deb8u1 | amd64, arm64, armel, armhf, i386, mips, mipsel, powerpc, ppc64el, s390x ctdb-pcp-pmda | 2.5.4+debian0-4+deb8u1 | amd64, arm64, armel, armhf, i386, mips, mipsel, powerpc, ppc64el, s390x libctdb-dev | 2.5.4+debian0-4+deb8u1 | amd64, arm64, armel, armhf, i386, mips, mipsel, powerpc, ppc64el, s390x Closed bugs: 838962 ------------------- Reason ------------------- RoQA; NBS ---------------------------------------------- ========================================================================= ========================================================================= [Date: Sat, 14 Jan 2017 10:40:33 +0000] [ftpmaster: Archive Administrator] Removed the following packages from stable: dotclear | 2.6.4+dfsg-1 | source, all Closed bugs: 844695 ------------------- Reason ------------------- RoST; multiple security issues ---------------------------------------------- ========================================================================= ========================================================================= [Date: Sat, 14 Jan 2017 10:40:52 +0000] [ftpmaster: Archive Administrator] Removed the following packages from stable: sogo | 2.2.9+git20141017-1 | source, amd64, arm64, armel, armhf, i386, mips, mipsel, powerpc, ppc64el, s390x sogo-common | 2.2.9+git20141017-1 | all sogo-dbg | 2.2.9+git20141017-1 | amd64, arm64, armel, armhf, i386, mips, mipsel, powerpc, ppc64el, s390x sogo-openchange | 2.2.9+git20141017-1 | amd64, arm64, armel, armhf, i386, mips, mipsel, powerpc, ppc64el, s390x Closed bugs: 850105 ------------------- Reason ------------------- RoST; multiple security issues ---------------------------------------------- ========================================================================= akonadi (1.13.0-2+deb8u2) jessie-security; urgency=medium . * Add patch from kubuntu: kubuntu_disable_secure_file_priv_check.diff - fix compatibility with stricter defaults in mysql security update. (Closes: 843534) Thanks to fld for the report and Marc Deslauriers for the patch. apt (1.0.9.8.4) jessie-security; urgency=high . * SECURITY UPDATE: gpgv: Check for errors when splitting files (CVE-2016-1252) Thanks to Jann Horn, Google Project Zero for reporting the issue (LP: #1647467) ark (4:4.14.2-2+deb8u1) jessie; urgency=medium . * Add new upstream patch: Stop-crashing-on-exit-when-being-used-solely-as-a-KPart.patch. Thanks to Nick Leverton for reporting (Closes: 800021, 770840) asterisk (1:11.13.1~dfsg-2+deb8u2) jessie; urgency=medium . * AST-2016-009: non-printable ASCII chars treated as whitespace (CVE-2016-9938) (Closes: #847668) asterisk (1:11.13.1~dfsg-2+deb8u1) jessie-security; urgency=high . [ Tzafrir Cohen ] * Add a placeholder conf in manager.c (Closes: #776080) . [ Bernhard Schmidt ] * AST-2016-007: Fix RTP Resource Exhaustion (CVE-2016-7551) (Closes: #838832) * AST-2015-003: Fix TLS Certificate Common name NULL byte exploit (CVE-2015-3008) (Closes: #782411) * AST-2016-003: Fix crash in UDPTL (CVE-2016-2232) * AST-2016-002: File descriptor exhaustion in chan_sip (CVE-2016-2316) * AST-2016-001: BEAST vulnerability in HTTP server (CVE-2011-3389) asused (3.72-11+deb8u1) stable-proposed-updates; urgency=medium . * Use created fields instead of changed (Closes: #799919) Thanks Matthias! base-files (8+deb8u7) stable; urgency=low . * Changed /etc/debian_version to 8.7, for Debian 8.7 point release. bash (4.3-11+deb8u1) jessie; urgency=medium . * Non-maintainer upload. * CVE-2016-0634: Arbitrary code execution via malicious hostname * CVE-2016-7543: Specially crafted SHELLOPTS+PS4 variables allows command substitution bind9 (1:9.9.5.dfsg-9+deb8u8) jessie-kfreebsd; urgency=medium . * Upload to jessie-kfreebsd bind9 (1:9.9.5.dfsg-9+deb8u8) jessie-security; urgency=medium . * CVE-2016-8864: Fix assertion failure in DNAME processing with patch provided by ISC. bind9 (1:9.9.5.dfsg-9+deb8u7) jessie-security; urgency=high . * CVE-2016-2775: lwresd crash with long query name. Backport of upstream commit 38cc2d14e218e536e0102fa70deef99461354232. Closes: #831796. * CVE-2016-2776: assertion failure due to unspecified crafted query. Fix based on 43139-9-9.patch from ISC. Closes: #839010. c-ares (1.10.0-2+deb8u1) jessie-security; urgency=high . * Apply patch for CVE-2016-5180 (Closes: #839151) ca-certificates (20141019+deb8u2) stable; urgency=medium . [ Michael Shuler ] * mozilla/{certdata.txt,nssckbi.h}: Update Mozilla certificate authority bundle to version 2.9. Thanks for the initial 2.7 patch, Jonathan Wiltshire. Closes: #828845 The following certificate authorities were added (+): + "Certplus Root CA G1" + "Certplus Root CA G2" + "Certum Trusted Network CA 2" + "Hellenic Academic and Research Institutions ECC RootCA 2015" + "Hellenic Academic and Research Institutions RootCA 2015" + "ISRG Root X1" + "OpenTrust Root CA G1" + "OpenTrust Root CA G2" + "OpenTrust Root CA G3" + "SZAFIR ROOT CA2" The following certificate authorities were removed (-): - "CA Disig" - "NetLock Business (Class B) Root" - "NetLock Express (Class C) Root" - "NetLock Notary (Class A) Root" - "NetLock Qualified (Class QA) Root" - "Sonera Class 1 Root CA" - "Staat der Nederlanden Root CA" - "Verisign Class 1 Public Primary Certification Authority - G2" - "Verisign Class 3 Public Primary Certification Authority" - "Verisign Class 3 Public Primary Certification Authority - G2" . [ Andreas Beckmann ] * debian/postinst: Run update-certificates without hooks to initially populate /etc/ssl/certs. (The hooks are deferred to the noawait trigger.) Closes: #825730 cairo (1.14.0-2.1+deb8u2) jessie; urgency=medium . * Non-maintainer upload. * CVE-2016-9082: DoS attack based on using SVG to generate invalid pointers from a _cairo_image_surface in write_png. (Closes: #842289) ceph (0.80.7-2+deb8u2) jessie; urgency=medium . * [78329e] Upstream fix for CVE-2016-9579 (short CORS request) (Closes: #849048) * [514d48] Upstream fix for CVE-2016-5009 (mon DoS) (Closes: #829661) * [7ae81b] Upstream fix for CVE-2016-7031 (anonymous read on ACL) (Closes: #838026) * [86ac46] Upstream fix for CVE-2016-8626 (RGW DoS) (Closes: #844200) chirp (0.4.0-1+deb8u1) jessie; urgency=medium . * Disables reporting of telemetry without informed consent (Closes: #829494) chromium-browser (55.0.2883.75-1~deb8u1) jessie-security; urgency=medium . * New upstream stable release: - CVE-2016-5181: Universal XSS in Blink. Credit to Anonymous - CVE-2016-5182: Heap overflow in Blink. Credit to Giwan Go - CVE-2016-5183: Use after free in PDFium. Credit to Anonymous - CVE-2016-5184: Use after free in PDFium. Credit to Anonymous - CVE-2016-5185: Use after free in Blink. Credit to cloudfuzzer - CVE-2016-5186: Out of bounds read in DevTools. Credit to Abdulrahman - CVE-2016-5187: URL spoofing. Credit to Luan Herrera - CVE-2016-5188: UI spoofing. Credit to Luan Herrera haojunhou@gmail.com - CVE-2016-5189: URL spoofing. Credit to xisigr Alqabandi - CVE-2016-5190: Use after free in Internals. Credit to Atte Kettunen - CVE-2016-5191: Universal XSS in Bookmarks. Credit to Gareth Hughes - CVE-2016-5192: Cross-origin bypass in Blink. Credit to - CVE-2016-5193: Scheme bypass. Credit to Yuyang ZHOU - CVE-2016-5194: Various fixes from internal audits, fuzzing and other initiatives - CVE-2016-5198: Out of bounds memory access in V8. Credit to Tencent Keen Security Lab - CVE-2016-5200: Out of bounds memory access in V8. Credit to Choongwoo Han - CVE-2016-5201: Info leak in extensions. Credit to Rob Wu - CVE-2016-5202: Various fixes from internal audits, fuzzing and other initiatives - CVE-2016-5203: Use after free in PDFium. Credit to Anonymous - CVE-2016-5204: Universal XSS in Blink. Credit to Mariusz Mlynski - CVE-2016-5205: Universal XSS in Blink. Credit to Anonymous - CVE-2016-5206: Same-origin bypass in PDFium. Credit to Rob Wu - CVE-2016-5207: Universal XSS in Blink. Credit to Mariusz Mlynski - CVE-2016-5208: Universal XSS in Blink. Credit to Mariusz Mlynski - CVE-2016-5209: Out of bounds write in Blink. Credit to Giwan Go - CVE-2016-5210: Out of bounds write in PDFium. Credit to Ke Liu - CVE-2016-5211: Use after free in PDFium. Credit to Anonymous - CVE-2016-5212: Local file disclosure in DevTools. Credit to Khalil Zhani - CVE-2016-5213: Use after free in V8. Credit to Khalil Zhani - CVE-2016-5214: File download protection bypass. Credit to Jonathan Birch and MSVR - CVE-2016-5215: Use after free in Webaudio. Credit to Looben Yang - CVE-2016-5216: Use after free in PDFium. Credit to Anonymous - CVE-2016-5217: Use of unvalidated data in PDFium. Credit to Rob Wu - CVE-2016-5218: Address spoofing in Omnibox. Credit to Abdulrahman Alqabandi - CVE-2016-5219: Use after free in V8. Credit to Rob Wu - CVE-2016-5220: Local file access in PDFium. Credit to Rob Wu - CVE-2016-5221: Integer overflow in ANGLE. Credit to Tim Becker - CVE-2016-5222: Address spoofing in Omnibox. Credit to xisigr - CVE-2016-5223: Integer overflow in PDFium. Credit to Hwiwon Lee - CVE-2016-5224: Same-origin bypass in SVG. Credit to Roeland Krak - CVE-2016-5225: CSP bypass in Blink. Credit to Scott Helme - CVE-2016-5226: Limited XSS in Blink. Credit to Jun Kokatsu - CVE-2016-9650: CSP Referrer disclosure. Credit to Jakub Żoczek - CVE-2016-9651: Private property access in V8. Credit to Guang Gong - CVE-2016-9652: Various fixes from internal audits, fuzzing and other initiatives - Certificate validity is now independent of the browser build date (closes: #844631). - No longer supports gyp build system, so update to use gn instead. chromium-browser (54.0.2840.101-1) unstable; urgency=medium . * New upstream stable release: - CVE-2016-5181: Universal XSS in Blink. Credit to Anonymous - CVE-2016-5182: Heap overflow in Blink. Credit to Giwan Go - CVE-2016-5183: Use after free in PDFium. Credit to Anonymous - CVE-2016-5184: Use after free in PDFium. Credit to Anonymous - CVE-2016-5185: Use after free in Blink. Credit to cloudfuzzer - CVE-2016-5187: URL spoofing. Credit to Luan Herrera - CVE-2016-5188: UI spoofing. Credit to Luan Herrera - CVE-2016-5192: Cross-origin bypass in Blink. Credit to haojunhou@gmail.com - CVE-2016-5189: URL spoofing. Credit to xisigr - CVE-2016-5186: Out of bounds read in DevTools. Credit to Abdulrahman Alqabandi - CVE-2016-5191: Universal XSS in Bookmarks. Credit to Gareth Hughes - CVE-2016-5190: Use after free in Internals. Credit to Atte Kettunen - CVE-2016-5193: Scheme bypass. Credit to Yuyang ZHOU - CVE-2016-5194: Various fixes from internal audits, fuzzing and other initiatives - CVE-2016-5198: Out of bounds memory access in V8. Credit to Tencent Keen Security Lab - CVE-2016-5200: Out of bounds memory access in V8. Credit to Choongwoo Han - CVE-2016-5201: Info leak in extensions. Credit to Rob Wu - CVE-2016-5202: Various fixes from internal audits, fuzzing and other initiatives * Remove libxslt symlinks from the upstream taball. * Drop cups patch that's been applied upstream. * Build using gn and drop gyp dependency. * Update debian/copyright. chromium-browser (53.0.2785.143-1+exp1) experimental; urgency=medium . * armhf and arm64 build added, (closes: #799939) * debian/scripts/chromium: Do the sse2 check only on X86 archs chromium-browser (53.0.2785.143-1) unstable; urgency=medium . * New upstream security release: - CVE-2016-5177: Use after free in V8. Credit to Anonymous - CVE-2016-5178: Various fixes from internal audits, fuzzing and other initiatives. * Change StartupWMClass in the desktop file to chromium (closes: #813079). * Support building with cups 2.2 (closes: #839377). * Update debian/copyright. chromium-browser (53.0.2785.143-1~deb8u1) jessie-security; urgency=medium . * New upstream security release: - CVE-2016-5177: Use after free in V8. Credit to Anonymous - CVE-2016-5178: Various fixes from internal audits, fuzzing and other initiatives. chromium-browser (53.0.2785.113-1) unstable; urgency=medium . * New upstream security release: - CVE-2016-5170: Use after free in Blink. Credit to Anonymous - CVE-2016-5171: Use after free in Blink. Credit to Anonymous - CVE-2016-5172: Arbitrary Memory Read in v8. Credit to Choongwoo Han - CVE-2016-5173: Extension resource access. Credit to Anonymous - CVE-2016-5174: Popup not correctly suppressed. Credit to Andrey Kovalev - CVE-2016-5175: Various fixes from internal audits, fuzzing and other initiatives. chromium-browser (53.0.2785.113-1~deb8u1) jessie-security; urgency=medium . * New upstream security release: - CVE-2016-5170: Use after free in Blink. Credit to Anonymous - CVE-2016-5171: Use after free in Blink. Credit to Anonymous - CVE-2016-5172: Arbitrary Memory Read in v8. Credit to Choongwoo Han - CVE-2016-5173: Extension resource access. Credit to Anonymous - CVE-2016-5174: Popup not correctly suppressed. Credit to Andrey Kovalev - CVE-2016-5175: Various fixes from internal audits, fuzzing and other initiatives. chromium-browser (53.0.2785.92-3) unstable; urgency=medium . * Add -fno-delete-null-pointer checks to the build flags (closes: #833501). chromium-browser (53.0.2785.92-2) unstable; urgency=medium . * Build with gcc 6 (closes: #835943). * Add versioned harfbuzz dependency (closes: #833953). chromium-browser (53.0.2785.92-1) unstable; urgency=medium . * New upstream stable release. * Support building with glibc 2.24 (closes: #836611). chromium-browser (53.0.2785.89-1) unstable; urgency=medium . * New upstream stable release: - CVE-2016-5147: Universal XSS in Blink. Credit to anonymous - CVE-2016-5148: Universal XSS in Blink. Credit to anonymous - CVE-2016-5149: Script injection in extensions. Credit to Max Justicz - CVE-2016-5150: Use after free in Blink. Credit to anonymous - CVE-2016-5151: Use after free in PDFium. Credit to anonymous - CVE-2016-5152: Heap overflow in PDFium. Credit to GiWan Go of Stealien - CVE-2016-5153: Use after destruction in Blink. Credit to Atte Kettunen - CVE-2016-5154: Heap overflow in PDFium. Credit to anonymous - CVE-2016-5155: Address bar spoofing. Credit to anonymous - CVE-2016-5156: Use after free in event bindings. Credit to jinmo123 - CVE-2016-5157: Heap overflow in PDFium. Credit to anonymous - CVE-2016-5158: Heap overflow in PDFium. Credit to GiWan Go - CVE-2016-5159: Heap overflow in PDFium. Credit to GiWan Go - CVE-2016-5160: Extensions web accessible resources bypass. Credit to @l33terally - CVE-2016-5161: Type confusion in Blink. - CVE-2016-5162: Extensions web accessible resources bypass. Credit to Nicolas Golubovic - CVE-2016-5163: Address bar spoofing. Credit to Rafay Baloch - CVE-2016-5164: Universal XSS using DevTools. Credit to anonymous - CVE-2016-5165: Script injection in DevTools. Credit to Gregory Panakkal - CVE-2016-5166: SMB Relay Attack via Save Page As. Credit to Gregory Panakkal - CVE-2016-5167: Various fixes from internal audits, fuzzing and other initiatives. collectd (5.4.1-6+deb8u1) jessie-security; urgency=high . * debian/patches/CVE-2016-6254.dpatch: Fix heap overflow in the network plugin. Emilien Gaspar has identified a heap overflow in parse_packet(), the function used by the network plugin to parse incoming network packets. Thanks to Florian Forster for reporting the bug in Debian. (Closes: #832507, CVE-2016-6254) * debian/patches/bts832577-gcry-control.dpatch: Fix improper usage of gcry_control. A team of security researchers at Columbia University and the University of Virginia discovered that GCrypt's gcry_control is sometimes called without checking its return value for an error. This may cause the program to be initialized without the desired, secure settings. (Closes: #832577) curl (7.38.0-4+deb8u5) jessie-security; urgency=high . * Fix cookie injection for other servers as per CVE-2016-8615 https://curl.haxx.se/docs/adv_20161102A.html * Fix case insensitive password comparison as per CVE-2016-8616 https://curl.haxx.se/docs/adv_20161102B.html * Fix OOB write via unchecked multiplication as per CVE-2016-8617 https://curl.haxx.se/docs/adv_20161102C.html * Fix double-free in curl_maprintf as per CVE-2016-8618 https://curl.haxx.se/docs/adv_20161102D.html * Fix double-free in krb5 code as per CVE-2016-8619 https://curl.haxx.se/docs/adv_20161102E.html * Fix glob parser write/read out of bounds as per CVE-2016-8620 https://curl.haxx.se/docs/adv_20161102F.html * Fix curl_getdate read out of bounds as per CVE-2016-8621 https://curl.haxx.se/docs/adv_20161102G.html * Fix URL unescape heap overflow via integer truncation as per CVE-2016-8622 https://curl.haxx.se/docs/adv_20161102H.html * Fix use-after-free via shared cookies as per CVE-2016-8623 https://curl.haxx.se/docs/adv_20161102I.html * Fix invalid URL parsing with '#' as per CVE-2016-8624 https://curl.haxx.se/docs/adv_20161102J.html cyrus-imapd-2.4 (2.4.17+nocaldav-0+deb8u2) jessie; urgency=medium . * Proper fix for LIST GROUP broken (Closes: #831554) darktable (1.4.2-1+deb8u1) stable; urgency=medium . * Cherry pick upstream commit 0f809ca5048. Fix for CVE-2015-3885 (Closes: #786792) dbus (1.8.22-0+deb8u1) jessie; urgency=medium . * New upstream bugfix release - fix a potential format string vulnerability, which is not believed to be exploitable in practice * dbus.prerm: ensure that dbus.socket is stopped before removal, so that a new connection to the bus won't cause dbus.service to be restarted (Closes: #813970) dbus (1.8.20-1) unstable; urgency=medium . * New upstream bugfix release - fix a memory leak when GetConnectionCredentials is called - stop dbus-monitor replying to org.freedesktop.DBus.Peer messages, including those that another process should have replied to dcmtk (3.6.0-15+deb8u1) jessie-security; urgency=medium . * Team upload * d/p/0001: Add patch to fix CVE-2015-8979, Closes: #848830 The patch was taken from v 3.6.0-6+deb7u1 where the same security vunerability was fixed by the wheezy LST team. debian-edu-doc (1.6~20161129+deb8u3) jessie; urgency=medium . * Update Debian Edu Jessie manual from the wiki. . [ Wolfgang Schweer ] * Fix (da|nl) Jessie manual PO files to get the PDF manuals built. . [ Jessie Manual translation updates ] * German: Wolfgang Schweer. * Norwegian Bokmål: Ingrid Yrvin, Ole-Erik Yrvin and Petter Reinholdtsen. * Dutch: Frans Spiesschaert. * Italian: Claudio Carboncini. . [ Wheezy Manual translation updates ] * Norwegian Bokmål: Petter Reinholdtsen, Ingrid Yrvin. debian-edu-install (1.821+deb8u2) jessie; urgency=medium . * Update version number to 8+edu1 in preparation of our second Debian Edu release based on Debian Jessie. debian-installer-netboot-images (20150422+deb8u4.b2) jessie; urgency=medium . * Update to 20150422+deb8u4+b2 images, from jessie-proposed-updates drupal7 (7.32-1+deb8u8) jessie-security; urgency=high . * Backported from 7.52: SA-CORE-2016-005: Multiple security vulnerabilities (CVEs not yet issued): - Inconsistent name for term access query can lead to information disclosure - Confirmation form allows external URL injection duck (0.7+deb8u1) jessie; urgency=high . * Fix CVE-2016-1239: Load code from untrusted local dir . * Update Maintainer email to my Debian email address. ebook-speaker (2.8.1-1+deb8u1) jessie; urgency=medium . * Team upload. * Fix hint about installing html2text to read html files (Closes: #841714). elog (2.9.2+2014.05.11git44800a7-2+deb8u1) jessie; urgency=medium . * Added patch 0005_elogd_CVE-2016-6342_fix to fix posting entry as arbitrary username (Closes: #836505, CVE-2016-6342) evolution-data-server (3.12.9~git20141128.5242b0-2+deb8u3) jessie; urgency=medium . * Non-maintainer upload. * d/p/06_787398_bae0c64_fix_connection_drop.patch: cherry-pick commit bae0c64 from upstream git to fix premature drop of connection with reduced TCP window sizes and resulting loss of data. Closes: #787398. exim4 (4.84.2-2+deb8u3) jessie; urgency=medium . * 94_Fix-memory-leak-on-Gnu-TLS-close.patch from upstream exim-4_84_2+fixes branch: Fix GnuTLS memory leak. (Thanks, Heiko Schlittermann!) Closes: #845569 exim4 (4.84.2-2+deb8u2) jessie-security; urgency=high . * Non-maintainer upload by the Security Team. * CVE-2016-9963: DKIM information leakage file (1:5.22+15-2+deb8u3) stable; urgency=medium . * Fix memory leak in magic loader. Closes: #840754 firefox-esr (45.6.0esr-1~deb8u1) stable-security; urgency=medium . * New upstream release. * Fixes for mfsa2016-95, also known as: CVE-2016-9899, CVE-2016-9895, CVE-2016-9897, CVE-2016-9898, CVE-2016-9900, CVE-2016-9904, CVE-2016-9905, CVE-2016-9901, CVE-2016-9902, CVE-2016-9893. . * debian/browser.install.in, browser.mozconfig.in, debian/rules: Don't disable the crash reporter. firefox-esr (45.5.1esr-1) unstable; urgency=medium . * New upstream release. * Fixes for mfsa2016-92, also known as CVE-2016-9079. firefox-esr (45.5.1esr-1~deb8u1) stable-security; urgency=medium . * New upstream release. * Fixes for mfsa2016-92, also known as CVE-2016-9079. firefox-esr (45.5.0esr-1) unstable; urgency=medium . * New upstream release. * Fixes for mfsa2016-90, also known as: CVE-2016-5296, CVE-2016-5297, CVE-2016-9064, CVE-2016-9066, CVE-2016-5291, CVE-2016-5290. firefox-esr (45.5.0esr-1~deb8u1) stable-security; urgency=medium . * New upstream release. * Fixes for mfsa2016-90, also known as: CVE-2016-5296, CVE-2016-5297, CVE-2016-9064, CVE-2016-9066, CVE-2016-5291, CVE-2016-5290. firefox-esr (45.4.0esr-2) unstable; urgency=medium . * debian/control*: Force build against libnss3-dev >= 2:3.26-2~, which fixed its symbols file. Closes: #833719. firefox-esr (45.4.0esr-1) unstable; urgency=medium . * New upstream release. * Fixes for mfsa2016-86, also known as: CVE-2016-5270, CVE-2016-5272, CVE-2016-5276, CVE-2016-5274, CVE-2016-5277, CVE-2016-5278, CVE-2016-5280, CVE-2016-5281, CVE-2016-5284, CVE-2016-5250, CVE-2016-5261, CVE-2016-5257. . * debian/control*, debian/rules: Compile with GCC 5 on testing/unstable on arm* because of crashes when building with GCC 6. (FTBFS) . * build/gyp.mozbuild: Disable libyuv assembly on mips64. (FTBFS) firefox-esr (45.4.0esr-1~deb8u1) stable-security; urgency=medium . * New upstream release. * Fixes for mfsa2016-86, also known as: CVE-2016-5270, CVE-2016-5272, CVE-2016-5276, CVE-2016-5274, CVE-2016-5277, CVE-2016-5278, CVE-2016-5280, CVE-2016-5281, CVE-2016-5284, CVE-2016-5250, CVE-2016-5261, CVE-2016-5257. . * debian/control*, debian/rules: Compile with GCC 5 on testing/unstable on arm* because of crashes when building with GCC 6. (FTBFS) * debian/rules: Build with -fno-schedule-insns2 and -fno-delete-null-pointer-checks with GCC >= 6 because it miscompiles Firefox. Closes: #836533. . * config/gcc-stl-wrapper.template.h, memory/mozalloc/throw_gcc.h: Don't include mozalloc.h from the cstdlib wrapper. bz#1245076, bz#1259537. Closes: #822715. * build/gyp.mozbuild: Disable libyuv assembly on mips64. (FTBFS) firefox-esr (45.3.0esr-2) unstable; urgency=medium . * debian/rules: Build with -fno-schedule-insns2 and -fno-delete-null-pointer-checks with GCC >= 6 because it miscompiles Firefox. Closes: #836533. . * config/gcc-stl-wrapper.template.h, memory/mozalloc/throw_gcc.h: Don't include mozalloc.h from the cstdlib wrapper. bz#1245076, bz#1259537. Closes: #822715. firefox-esr (45.3.0esr-1) unstable; urgency=medium . * New upstream release. * Fixes for mfsa2016-{62-65,67,70,72-73,76-80}, also known as: CVE-2016-2836, CVE-2016-2830, CVE-2016-2838, CVE-2016-2839, CVE-2016-5252, CVE-2016-5254, CVE-2016-5258, CVE-2016-5259, CVE-2016-5262, CVE-2016-2837, CVE-2016-5263, CVE-2016-5264, CVE-2016-5265. . * debian/upstream.mk: Use l10n_changesets.txt from last candidate build for L10N_REV. freeimage (3.15.4-4.2+deb8u1) jessie-security; urgency=high . * [f51f898] Fix CVE-2015-3885: integer overflow in the ljpeg_start function (Closes: #786790) * [b2e0c3f] Fix CVE-2016-5864: apply patch from wheezy-security. Thanks to Salvatore Bonaccorso, Balint Reczey and Chris Lamb (Closes: #839827) game-music-emu (0.5.5-2+deb8u1) jessie-security; urgency=medium . * Fix code injection vulnerability found by Chris Evans ganeti-instance-debootstrap (0.14-2+deb8u1) jessie; urgency=medium . * Replace losetup -s with losetup --show (Closes: #834404) ghostscript (9.06~dfsg-2+deb8u4) jessie-security; urgency=high . * Non-maintainer upload by the Security Team. * Add 840691-Fix-.locksafe.patch patch. Fixes regression seen with zathura and evince. Fix .locksafe. We need to .forceput the defintion of getenv into systemdict. Thanks to Edgar Fuß (Closes: #840691) ghostscript (9.06~dfsg-2+deb8u3) jessie-security; urgency=high . * Non-maintainer upload by the Security Team. * CVE-2016-8602: check for sufficient params in .sethalftone5 and param types (Closes: #840451) ghostscript (9.06~dfsg-2+deb8u2) jessie-security; urgency=high . * Non-maintainer upload by the Security Team. * CVE-2013-5653: Information disclosure through getenv, filenameforall (Closes: #839118) * CVE-2016-7976: Various userparams allow %pipe% in paths, allowing remote shell command execution (Closes: #839260) * CVE-2016-7977: .libfile doesn't check PermitFileReading array, allowing remote file disclosure (Closes: #839841) * CVE-2016-7978: reference leak in .setdevice allows use-after-free and remote code execution (Closes: #839845) * CVE-2016-7979: type confusion in .initialize_dsc_parser allows remote code execution (Closes: #839846) glibc (2.19-18+deb8u7) stable; urgency=medium . [ Aurelien Jarno ] * Update from upstream stable branch: - Do not unconditionally use the fsqrt instruction on 64-bit PowerPC CPUs. Closes: #843904. * debian/patches/any/cvs-hesiod-resolver.diff: patch from upstream to fix a regression introduced by cvs-resolv-ipv6-nameservers.diff in hesiod. Closes: #821358. * debian/sysdeps/{amd64,i386,x32}.mk: disable lock elision (aka Intel TSX) on x86 architectures. This causes programs (wrongly) unlocking an already unlocked mutex to abort. More importantly most of the other distributions decided to disable it, so we don't want to be the only distribution left testing this code path. glusterfs (3.5.2-2+deb8u3) jessie-proposed-updates; urgency=medium . * quota: Fix could not start auxiliary mount issue by adding upstream patch 03-quota-fix-could-not-start-auxiliary-mount-issue. Closes: #825834 gnutls28 (3.3.8-6+deb8u4) jessie; urgency=medium . [ Salvatore Bonaccorso ] * CVE-2016-7444: Incorrect certificate validation when using OCSP responses (GNUTLS-SA-2016-3). See #840191. . [ Andreas Metzler ] * Cherry pick 53_nettle-use-rsa_-_key_prepare-on-key-import.patch from upstream GIT, which should allow gnutls continue to work with CVE-2016-6489-patched nettle. See #832983. gst-plugins-bad0.10 (0.10.23-7.4+deb8u2) jessie-security; urgency=medium . * debian/patches/0040-vmncdec-Sanity-check-width-height-before-using-it.patch: + Patch from upstream GIT to fix integer overflow causing memory corruption and a possible information leak. See https://scarybeastsecurity.blogspot.gr/2016/11/0day-poc-risky-design-decisions-in.html for more details. gst-plugins-bad0.10 (0.10.23-7.4+deb8u1) jessie-security; urgency=medium . * Remove insecure NSF plugin gst-plugins-bad1.0 (1.4.4-2.1+deb8u1) jessie-security; urgency=medium . * debian/patches/04-vmncdec-Sanity-check-width-height-before-using-it.patch: + Patch from upstream GIT to fix integer overflow causing memory corruption and a possible information leak. See https://scarybeastsecurity.blogspot.gr/2016/11/0day-poc-risky-design-decisions-in.html for more details. gst-plugins-good0.10 (0.10.31-3+nmu4+deb8u2) jessie-security; urgency=high . * Non-maintainer upload by the Security Team. * Remove insecure FLIC file format plugin gst-plugins-good0.10 (0.10.31-3+nmu4+deb8u1) jessie-security; urgency=high . * Non-maintainer upload by the Security Team. * flxdec: add some write bounds checking * flxdec: fix some warnings comparing unsigned < 0 gst-plugins-good1.0 (1.4.4-2+deb8u2) jessie-security; urgency=high . * Non-maintainer upload by the Security Team. . [ Salvatore Bonaccorso ] * flxdec: Don't unref() parent in the chain function . [ Sebastian Dröge ] * flxdec: rewrite logic based on GstByteReader/Writer gst-plugins-good1.0 (1.4.4-2+deb8u1) jessie-security; urgency=high . * Non-maintainer upload by the Security Team. * flxdec: add some write bounds checking (Closes: #845375) * flxdec: fix some warnings comparing unsigned < 0 hdf5 (1.8.13+docs-15+deb8u1) jessie-security; urgency=high . * New patches CVE-2016-433*.patch from upstream develop branch to fix four vulnerabilities unveiled by TALOS (closes: #845301, CVE-2016-4330, CVE-2016-4331, CVE-2016-4332, CVE-2016-4333) hplip (3.14.6-1+deb8u1) stable; urgency=medium . * Backport CVE-2015-0839 fix from upstream's 3.15.7: use full gpg key fingerprint when fetching key from keyservers (Closes: #787353, LP: #1432516) * Export HOME when building the manpages to permit hp-toolbox's manpage generation icedove (1:45.3.0-1~deb8u1) stable-security; urgency=medium . [ Carsten Schoenert ] * [3cc29ee] Imported Upstream version 45.3.0 - MFSA 2016-62 aka CVE-2016-2836 icedove (1:45.2.0-4) unstable; urgency=medium . [ Carsten Schoenert ] * [cc8cd76] mozconfig.default: relaxe optimization on arm{64,el,hf} to -O1 icedove (1:45.2.0-3) unstable; urgency=medium . [ Guido Günther ] * [9a8f4e1] tests: Fix typo . [ Carsten Schoenert ] * [53aab10] AppArmor: allow self execution for -ProfileManager (Closes: #833742) * [a459d6a] debian/rules: adding one more CFLAGS/CXXFLAGS compiler flag (Closes: #833864, #833532, #833591, #833635, #833698) * [e32c460] AppArmor: grant access to local mailboxes and enigmail (Closes: #833184) * [f34e41e] debian/rules: fix typo CXLAGS -> CFLAGS icedove (1:45.2.0-2) unstable; urgency=medium . [ Christoph Goehre ] * [8b4f306] rebuild patch queue from patch-queue branch added patches: - p-kfree-hurd/CrossProcessMutex.h-fix-build-on-kfreebsd-and-GNU-hur.patch (Closes: #808183) . [ Carsten Schoenert ] * [08e20a0] rebuild patch queue from patch-queue branch added patches: - fixes/Bug-1277295-Remove-obsolete-reference-to-storage-service-.patch (Closes: #827592) - fixes/Bug-1245076-Don-t-include-mozalloc.h-from-the-cstdlib-wra.patch (Closes: #831192) * [1ea97f1] debian/icedove.js: disable Icedove startup check (Closes: #817973) * [83bdcdf] debian/rules: adding additional CFLAGS and CXXFLAGS * [7dc0588] debian/control: addjust breaks for xul-ext-foxyproxy-standard (Closes: #825749) * [50a0f1e] autopkg: fixup small type within test call . [ Ulrike Uhlig ] * [b24bbaa] Add rebranded apparmor profile from upstream (Closes: #829731) * [0a28f91] apparmor/usr.bin.icedove: refresh Icedove AppArmor profile . [ Guido Günther ] * [6fe4897] Fix apparmor profile installation icedove (1:45.2.0-1) unstable; urgency=medium . [ Guido Günther ] * [f777843] Wrap and sort control information via 'wrap-and-sort -ast' to simplify backporting (Closes: #825806) * [999d65c] Register components with gbp * [d3e21b0] Rediff patches . [ Carsten Schoenert ] * [789ed6f] Imported Upstream version 45.1.1 * [8b8bd3c] Imported icedove-l10n Upstream version 45.1.1 * [23b2984] Imported iceowl-l10n Upstream version 45.1.1 * [411b27d] Imported Upstream version 45.2.0 * [975287a] Imported icedove-l10n Upstream version 45.2.0 * [09b6652] Imported iceowl-l10n Upstream version 45.2.0 * [2b99997] icedove-l10n-all: change Section into metapackages. As Jonas Smedegaard pointed out, the icedove-l10n-all package is a metapackage and localization. (Closes: #824785) * [a7eec24] debian/README.source: info about import of multitarballs. As the VCS is using git-buildpackage for package maintenace adding some hints on how to handle the impoert of the used mutitarballs since version 45.0. * [73e8b1a] debian/control: adding Recommends to icedove-l10n-uk (Closes: #825806) * [f118470] debian/control: Icedove, adding dependency on libatk-adaptor. After the adding of some first small autopkg test it turns out that we miss a dependency on libatk-adaptor. * [e6e95c9] debian/control: rework Recommends for icedove-l10n-* As addition to 711468b933f280fe9d6ed78bb1d7d763dede9ea7 also rework the various Recommends for the icedove-l10n packages. * [1275b3d] debian/control: small fixup Recommends on iceowl-l10n-* Fix small typos for iceowl-l10n-{pt-pt,sl} * [c4c9a02] debian/control: sort iceowl-l10n-* alphabetical icu (52.1-8+deb8u4) jessie-security; urgency=high . * Backport upstream fix for CVE-2014-9911: buffer overflow problem in uresbund.cpp . * Backport upstream fix for CVE-2015-2632: unspecified vulnerability allows remote attackers to affect confidentiality via unknown vectors. * Backport upstream fix for CVE-2015-4844: missing boundary checks in layout engine. * Backport upstream fix for CVE-2016-0494: integer signedness issue in IndicRearrangementProcessor. * Backport upstream fix for CVE-2016-6293: the uloc_acceptLanguageFromHTTP function does not ensure that there is a '\0' character at the end of a certain temporary array. * Backport upstream fix for CVE-2016-7415: stack-based buffer overflow in the Locale class via a long locale string (closes: #838694). ieee-data (20150531.1~deb8u2) stable; urgency=high . * Crontab update disable. Closes: #826104 imagemagick (8:6.8.9.9-5+deb8u6) jessie-security; urgency=medium . * Fix CVE-2016-7799: global buffer overflow. (Closes: #840437). * Fix CVE-2016-7906: use after free. (Closes: #840435). * Fix a TIFF file buffer overflow. (Closes: #845195). * Check return of fputc during TIFF file writing. (Closes: #845196). * Prevent buffer overflow by checking image extend for TIFF (Closes: #845198). * Avoid a out of bound read in VIFF file handler. (Closes: #845212 and LP: #1545183). * Avoid a DOS by not allowing too deep nested exception. (Closes: #845213). * Better check for buffer overflow in TIFF files handling. (Closes: #845202). * Fix CVE-2016-8677: memory allocate failure in AcquireQuantumPixels (Closes: #845206). * Prevent fault in MSL interpreter. (Closes: #845242). * Prevent heap buffer overflow in heap-buffer-overflow in IsPixelGray (Closes: #845242) * Fix null pointer dereference in TIFF file handling. (Closes: #845243). * Added check for invalid number of frames in mat file (Closes: #845244). * Fix an out of bound read in mat file due to insuffisant allocation. (Closes: #845246). * Fix CVE-2016-8862: memory allocation failure in AcquireMagickMemory (Closes: #845634). imagemagick (8:6.8.9.9-5+deb8u5) jessie-security; urgency=medium . * Bug fix: "Regression after security update to 8:6.8.9.9-5+deb8u4, unable to convert PDF files in PHP", thanks to Tommie Van Mechgelen (Closes: #835488). * Prevent buffer overflow in SIXEL, PDB, MAP, and CALS coders. (Closes: #836172). * Fix TIFF file divide by zero. (Closes: #836171). * Fix SGI file buffer overflow. (Closes: #836776). intel-microcode (3.20161104.1~deb8u1) stable; urgency=medium . * This is the same package as 3.20161104.1 from unstable/testing and 3.20161104.1~bpo8+1, from jessie-backports. It has been present in unstable since 2016-11-09, testing since 2016-11-15, and jessie-backports since 2016-11-17. * STABLE RELEASE MANAGER INFORMATION: + Supposed to fix critical Intel TSX erratum BDE85 on Xeon-D 1500 Y0 + Known to fix critical errata on several Xeon-D 1500 models which will crash vmware (KB2146388) and likely Linux as well + Fixes likely critical errata (which ones unknown) on Broadwell-E (Core extreme edition 5th gen, Xeon E5v4, Xeon E7v4) + Removes (very likely outdated) microcode for the C3500 and C5500 family of embedded Xeon (Jasper Forest). These embedded Xeons are typically found on (older) network equipment appliances such as firewalls/IPS/IDS, and also on data storage devices, and thus are supposed to receive microcode updates through their vendors . intel-microcode (3.20161104.1) unstable; urgency=medium . * New upstream microcode datafile 20161104 + New Microcodes: sig 0x00050663, pf_mask 0x10, 2016-10-12, rev 0x700000d, size 20480 sig 0x00050664, pf_mask 0x10, 2016-06-02, rev 0xf00000a, size 21504 + Updated Microcodes: sig 0x000306f2, pf_mask 0x6f, 2016-10-07, rev 0x0039, size 32768 sig 0x000406f1, pf_mask 0xef, 2016-10-07, rev 0xb00001f, size 25600 + Removed Microcodes: sig 0x000106e4, pf_mask 0x09, 2013-07-01, rev 0x0003, size 6144 + This update fixes critical errata on Broadwell-DE V2/Y0 (Xeon D-1500 family), including one that can crash VMWare ESXi 6 with #PF (VMWare KB2146388), and could affect Linux as well. This same issue was fixed for the E5v4 Xeons in release 20160607 + This update fixes undisclosed (and likely critical) errata on Broadwell-E Core i7-68xxK/69xxK/6950X, Broadwell-EP/EX B0/R0/M0 Xeon E5v4 and Xeon E7v4, and Haswell-EP Xeon E5v3 + This release deletes the microcode update for the Jasper Forest embedded Xeons (Xeon EC35xx/LC35xx/EC35xx/LC55xx), for undisclosed reasons. The deleted microcode is outdated when compared with the updates for the other Nehalem Xeons * Makefile: always exclude microcode sig 0x206c2 just in case Intel is quite clear in the Intel SA-00030 advisory text that recent revisions (0x14 and later?) of the 0x206c2 microcode updates must be installed along with updated SINIT ACM on vPro systems (i.e. through an UEFI/BIOS firmware update). This is a defensive change so that we don't ship such a microcode update in the future by mistake * source: remove partially superseded upstream data file: 20160714 * source: remove superseded upstream data file: 20101123 * changelog: replace "pf mask" with "pf_mask" * control, compat: switch debhelper compatibility level to 9 * control: bump standards-version, no changes required intel-microcode (3.20161104.1~bpo8+1) jessie-backports; urgency=medium . * Rebuild for jessie-backports (no changes) . intel-microcode (3.20161104.1) unstable; urgency=medium . * New upstream microcode datafile 20161104 + New Microcodes: sig 0x00050663, pf_mask 0x10, 2016-10-12, rev 0x700000d, size 20480 sig 0x00050664, pf_mask 0x10, 2016-06-02, rev 0xf00000a, size 21504 + Updated Microcodes: sig 0x000306f2, pf_mask 0x6f, 2016-10-07, rev 0x0039, size 32768 sig 0x000406f1, pf_mask 0xef, 2016-10-07, rev 0xb00001f, size 25600 + Removed Microcodes: sig 0x000106e4, pf_mask 0x09, 2013-07-01, rev 0x0003, size 6144 + This update fixes critical errata on Broadwell-DE V2/Y0 (Xeon D-1500 family), including one that can crash VMWare ESXi 6 with #PF (VMWare KB2146388), and could affect Linux as well. This same issue was fixed for the E5v4 Xeons in release 20160607 + This update fixes undisclosed (and likely critical) errata on Broadwell-E Core i7-68xxK/69xxK/6950X, Broadwell-EP/EX B0/R0/M0 Xeon E5v4 and Xeon E7v4, and Haswell-EP Xeon E5v3 + This release deletes the microcode update for the Jasper Forest embedded Xeons (Xeon EC35xx/LC35xx/EC35xx/LC55xx), for undisclosed reasons. The deleted microcode is outdated when compared with the updates for the other Nehalem Xeons * Makefile: always exclude microcode sig 0x206c2 just in case Intel is quite clear in the Intel SA-00030 advisory text that recent revisions (0x14 and later?) of the 0x206c2 microcode updates must be installed along with updated SINIT ACM on vPro systems (i.e. through an UEFI/BIOS firmware update). This is a defensive change so that we don't ship such a microcode update in the future by mistake * source: remove partially superseded upstream data file: 20160714 * source: remove superseded upstream data file: 20101123 * changelog: replace "pf mask" with "pf_mask" * control, compat: switch debhelper compatibility level to 9 * control: bump standards-version, no changes required intel-microcode (3.20160714.1) unstable; urgency=medium . * New upstream microcode datafile 20160714 + Updated Microcodes: sig 0x000306f4, pf mask 0x80, 2016-06-07, rev 0x000d, size 15360 sig 0x000406e3, pf mask 0xc0, 2016-06-22, rev 0x009e, size 97280 sig 0x000406f1, pf mask 0xef, 2016-06-06, rev 0xb00001d, size 25600 sig 0x000506e3, pf mask 0x36, 2016-06-22, rev 0x009e, size 97280 + This release hopefully fixes a hang when updating the microcode on some Skylake-U D-1/Skylake-Y D-1 (sig 0x406e3, pf 0x80) systems * source: remove superseded upstream data file: 20160607 irssi (0.8.17-1+deb8u3) jessie; urgency=low . * New patch 24security-fixes pulled from upstream commit 6c6c42e3d1b4 (besides the one issue in src/fe-text/term-terminfo.c which is 0.8.18 onward only), closes: #850403: - CVE-2017-5193: NULL pointer dereference in the nickcmp function - CVE-2017-5194: Use-after-freee when receiving invalid nick message - CVE-2017-5195: Out-of-bounds read in certain incomplete control codes * Set PACKAGE_VERSION for configure as suggested by upstream. irssi (0.8.17-1+deb8u2) jessie; urgency=high . * New patch 23fix-buf.pl to fix an information exposure issue involved with using buf.pl and /upgrade (CVE-2016-7553, closes: #838762) irssi (0.8.17-1+deb8u1) jessie-security; urgency=high . * Non-maintainer upload by the Security Team. * Fix heap corruption and missing bounds checks (CVE-2016-7044 CVE-2016-7045) irssi (0.8.17-1+deb8u1~bpo70+1) wheezy-backports; urgency=critical . * Rebuild for wheezy-backports. * Disable DANE support for the backport. . irssi (0.8.17-1+deb8u1) jessie-security; urgency=high . * Non-maintainer upload by the Security Team. * Fix heap corruption and missing bounds checks (CVE-2016-7044 CVE-2016-7045) isenkram (0.18+deb8u1) jessie; urgency=medium . * Backported fix in isenkram-autoinstall-firmware to download using curl and add curl as dependency for this to work. * Backported change from http.debian.net to httpredir.debian.org as mirror used. * Backported switch to use https when downloading modaliases from git. Replace urllib with urllib2 to handle https via proxies (Closes: #836323). jackrabbit (2.3.6-1+deb8u2) jessie-security; urgency=high . * Team upload. * Fix CVE-2016-6801: The CSRF content-type check for POST requests did not handle missing Content-Type header fields, nor variations in field values with respect to upper/lower case or optional parameters. This could be exploited to create a resource via CSRF. jq (1.4-2.1+deb8u1) jessie; urgency=high . * Non-maintainer upload. * Add patch to fix CVE-2015-8863. (Closes: #802231) * Add patch to fix CVE-2016-4074. (Closes: #822456) kdepimlibs (4:4.14.2-2+deb8u2) jessie-security; urgency=high . * Team upload. * Additional patch to complete the fix for CVE-2016-7966 - Replace all scary charactars (", <, > and &) with safe HTML replacements. - Backport commit kcoreaddons 5e13d2439dbf540fdc840f0b0ab5b3ebf6642c6a in debian/patches/CVE-2016-7966_part2.diff kdepimlibs (4:4.14.2-2+deb8u1) jessie-security; urgency=high . * Team upload. * CVE-2016-7966 KMail: HTML injection in plain text viewer (Closes: #840546) - Avoid transforming as a url in plain text mode when there is a quote - Add debian/patches/CVE-2016-7966.diff from upstream libarchive (3.1.2-11+deb8u3) jessie-security; urgency=high . * Non-maintainer upload by the Security Team. * CVE-2016-7166: Denial of service using a crafted gzip file * CVE-2016-6250: Integer overflow in the ISO9660 writer * CVE-2016-5418: Archive Entry with type 1 (hardlink), but has a non-zero data size file overwrite (Closes: #837714) libav (6:11.8-1~deb8u1) jessie-security; urgency=medium . * New upstream release. * debian/upstream-signing-key.pgp: Update upstream signing key. * debian/patches/mpegvideo_motion-Handle-edge-emulation-even-without-.patch: Fix NULL pointer dereference in put_no_rnd_pixels8_xy2_mmx. (CVE-2016-7424) libclamunrar (0.99-0+deb8u2) stable; urgency=medium . * Add patches from upstream bugzilla bb11600 and bb11601 to fix out of band access. libcrypto++ (5.6.1-6+deb8u3) jessie-security; urgency=high . * Fix CVE-2016-9939: possible DoS in ASN.1 decoders (closes: #848009). libdatetime-timezone-perl (1:1.75-2+2016j) jessie; urgency=medium . * Update to Olson database version 2016j. This update contains contemporary changes to Europe/Saratov. libdatetime-timezone-perl (1:1.75-2+2016i) jessie; urgency=medium . * Update to Olson database version 2016i. This update contains contemporary changes to Pacific/Tongatapu, Antarctica/Casey, and Asia/Famagusta (new). * Update debian/tools/update-tzdata.sh helper script. Update handling of -Inf/Inf. (This script is only used manually for updating Olson database data.) libdatetime-timezone-perl (1:1.75-2+2016h) jessie; urgency=medium . * Update to Olson database version 2016h. Add patch debian/patches/olson-2016h, which updates the timezone *.pm files, using upstream's tools/parse_olson script. This update contains contemporary changes for Palestine. libdatetime-timezone-perl (1:1.75-2+2016g) jessie; urgency=medium . * Update to Olson database version 2016g. Add patch debian/patches/olson-2016g, which updates the timezone *.pm files, using upstream's tools/parse_olson script. This update contains contemporary changes for Europe/Istanbul. libdbd-mysql-perl (4.028-2+deb8u2) jessie-security; urgency=high . * CVE-2016-1246: Buffer overflow in bind variable error reporting. libfcgi-perl (0.77-1+deb8u1) jessie; urgency=medium . * Team upload. * CVE-2012-6687: numerous connections cause segfault DoS (Closes: #815840) libgd2 (2.1.0-5+deb8u8) jessie-security; urgency=high . * Non-maintainer upload by the Security Team. * CVE-2016-9933: gdImageFillToBorder stack-overflow when invalid color is used (Closes: #849038) libgd2 (2.1.0-5+deb8u7) jessie-security; urgency=high . * [CVE-2016-7568]: Integer overflow in gdImageWebpCtx * Fix Stack Buffer Overflow in GD dynamicGetbuf * Fix invalid read in gdImageCreateFromTiffPtr() libio-socket-ssl-perl (2.002-2+deb8u2) jessie; urgency=medium . * Add 0001-remove-r-for-checking-SSL_-cert-key-_file-since-this.patch. Removes the -r check for for checking SSL_{cert,key}_file since this will an usable error later anyway. Addresses "Cannot use SSL_key_file with ACL permissions". Thanks to Michael Braun and Steffen Ullrich. (Closes: #839576) libmateweather (1.8.0-2+deb8u1) jessie-proposed-updates; urgency=medium . * debian/patches: + Add 0001_metar-switch-to-aviationweather-gov.patch. The site weather.noaa.gov is discontinued. (Closes: #846900). * debian/copyright: + Add missing Comment: field names. libphp-adodb (5.15-1+deb8u1) jessie; urgency=high . * Cherry pick of upstream patches: - d/patch/cve-2016-7405. Closes: #837211 - d/patch/cve-2016-4855. Closes: #837418 libphp-phpmailer (5.2.9+dfsg-2+deb8u3) jessie-security; urgency=medium . * Non-maintainer upload by the Security Team. * Fix a regression introduced in 5.2.9+dfsg-2+deb8u2, where calling isSendmail() method together with a sendmail_path containing command line parameters would erroneously throw an error. Upstream commit ed4e7ce8. libphp-phpmailer (5.2.9+dfsg-2+deb8u2) jessie-security; urgency=high . * Non-maintainer upload by the Security Team. * Fix CVE-2016-10033 (and CVE-2016-10045): apply commits 4835657c 9743ff5c 833c35fe from upstream. Closes: #849365. libpng (1.2.50-2+deb8u3) jessie; urgency=medium . * debian/patches/CVE-2016-10087.patch: - cherry-pick upstream fix for CVE-2016-10087 libupnp (1:1.6.19+git20141001-1+deb8u1) jessie-security; urgency=high . * Non-maintainer upload by the Security Team. * backport fixes for CVE-2016-6255 and CVE-2016-8863 (Closes: #831857, #842093) libvncserver (0.9.9+dfsg2-6.1+deb8u2) jessie-security; urgency=high . * CVE-2016-9941 (Closes: #850007) * CVE-2016-9942 (Closes: #850008) libwmf (0.2.8.4-10.3+deb8u2) stable; urgency=medium . * LTS Team upload. * Fix allocating huge block of memory (CVE-2016-9011) (Closes: #842090) libxml2 (2.9.1+dfsg1-5+deb8u4) jessie-security; urgency=high . * Non-maintainer upload by the Security Team. * Fix comparison with root node in xmlXPathCmpNodes * Fix XPointer paths beginning with range-to (CVE-2016-5131) (Closes: #840554) * Disallow namespace nodes in XPointer ranges (CVE-2016-4658) (Closes: #840553) * Fix more NULL pointer derefs in xpointer.c libxslt (1.1.28-2+deb8u2) jessie-security; urgency=high . * Non-maintainer upload by the Security Team. * Fix heap overread in xsltFormatNumberConversion (CVE-2016-4738) (Closes: #842570) linkchecker (9.3-1+deb8u1) stable; urgency=medium . * Non-maintainer upload. * fix HTTPS checks (Closes: #772947) linux (3.16.39-1) jessie; urgency=medium . * New upstream stable update: https://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.16.37 - [x86] iommu/vt-d: Ratelimit fault handler - xfs: disallow rw remount on fs with unknown ro-compat features - Bluetooth: vhci: fix open_timeout vs. hdev race - [x86] drm/i915: Prevent machine death on Ivybridge context switching - scsi: Add intermediate STARGET_REMOVE state to scsi_target_state (Closes: #834513) - Revert "scsi: fix soft lockup in scsi_remove_target() on module removal" - Bluetooth: vhci: Fix race at creating hci device - EDAC: Increment correct counter in edac_inc_ue_error() - ext4: fix data exposure after a crash - [armhf] crypto: s5p-sss - Fix missed interrupts when working with 8 kB blocks - [armhf] crypto: s5p-sss - fix incorrect usage of scatterlists api - btrfs: bugfix: handle FS_IOC32_{GETFLAGS,SETFLAGS,GETVERSION} in btrfs_ioctl - [arm*] KVM: Enforce Break-Before-Make on Stage-2 page tables - aacraid: Relinquish CPU during timeout wait - aacraid: Fix for aac_command_thread hang - ext4: fix hang when processing corrupted orphaned inode list - ext4: clean up error handling when orphan list is corrupted - Revert "tty: Fix pty master poll() after slave closes v2" - Fix OpenSSH pty regression on close - cpufreq: Fix GOV_LIMITS handling for the userspace governor - ACPI / sysfs: fix error code in get_status() - ext4: fix oops on corrupted filesystem - [arm64] Ensure pmd_present() returns false after pmd_mknotpresent() - [armhf] dts: exynos: Add interrupt line to MAX8997 PMIC on exynos4210-trats - [mips*] Fix siginfo.h to use strict posix types - USB: serial: keyspan,muxport,quatech2: fix use-after-free in probe error path - irqchip/gic: Ensure ordering between read of INTACK and shared data - [powerpc*] mm/hash64: Fix subpage protection with 4K HPTE config - rtlwifi: Fix logic error in enter/exit power-save mode - sched/loadavg: Fix loadavg artifacts on fully idle and on fully loaded systems - [mips*] Fix race condition in lazy cache flushing. - ring-buffer: Use long for nr_pages to avoid overflow failures - ring-buffer: Prevent overflow of size in ring_buffer_resize() - RDMA/iw_cxgb4: Always wake up waiter in c4iw_peer_abort_intr() - IB/core: Fix a potential array overrun in CMA and SA agent - i40e: fix an uninitialized variable bug - mmc: mmc: Fix partition switch timeout for some eMMCs - net/mlx4_core: Fix access to uninitialized index - [x86] PCI: Mark Broadwell-EP Home Agent 1 as having non-compliant BARs - PCI: Disable all BAR sizing for devices with non-compliant BARs - netlink: Fix dump skb leak/double free (CVE-2016-9806) - sched/preempt: Fix preempt_count manipulations - fs/cifs: correctly do anonymous authentication - fs/cifs: remove directory incorrectly tries to set delete on close on non-empty directories - sunrpc: Update RPCBIND_MAXNETIDLEN - cpuidle: Fix cpuidle_state_is_coupled() argument in cpuidle_enter() - batman-adv: fix skb deref after free - batman-adv: Fix unexpected free of bcast_own on add_if error - batman-adv: Fix integer overflow in batadv_iv_ogm_calc_tq - xfs: xfs_iflush_cluster fails to abort on error - xfs: fix inode validity check in xfs_iflush_cluster - xfs: skip stale inodes in xfs_iflush_cluster - crypto: public_key: select CRYPTO_AKCIPHER - net: ehea: avoid null pointer dereference - cifs: Create dedicated keyring for spnego operations - Input: uinput - handle compat ioctl for UI_SET_PHYS - PM / sleep: Handle failures in device_suspend_late() consistently - tuntap: correctly wake up process during uninit - scsi_lib: correctly retry failed zero length REQ_TYPE_FS commands - [x86] drm/i915: Don't leave old junk in ilk active watermarks on readout - mmc: longer timeout for long read time quirk - sunrpc: fix stripping of padded MIC tokens - wait/ptrace: assume __WALL if the child is traced - xen/events: Don't move disabled irqs - UBI: do propagate positive error codes up - UBI: fix missing brace control flow - UBI: Fix static volume checks when Fastmap is used - RDMA/cxgb3: device driver frees DMA memory with different size - [x86] ALSA: hda - Fix headset mic detection problem for one Dell machine - [x86] crypto: ccp - Fix AES XTS error for request sizes above 4096 - sfc: on MC reset, clear PIO buffer linkage in TXQs - Input: xpad - prevent spurious input from wired Xbox 360 controllers - Input: pwm-beeper - remove useless call to pwm_config() - Input: pwm-beeper - fix - scheduling while atomic - [mips*] fix read_msa_* & write_msa_* functions on non-MSA toolchains - hpfs: fix remount failure when there are no options changed - hpfs: implement the show_options method - [powerpc*] pseries/eeh: Handle RTAS delay requests in configure_bridge - [powerpc*] Fix definition of SIAR and SDAR registers - [powerpc*] Use privileged SPR number for MMCR2 - mac80211_hwsim: Add missing check for HWSIM_ATTR_SIGNAL - mac80211: mesh: flush mesh paths unconditionally - [arm64] Provide "model name" in /proc/cpuinfo for PER_LINUX32 tasks - scsi: Add QEMU CD-ROM to VPD Inquiry Blacklist - ACPI / processor: Avoid reserving IO regions too early - drm/nouveau/fbcon: fix out-of-bounds memory accesses - [armel,armhf] fix PTRACE_SETVFPREGS on SMP systems - KVM: irqfd: fix NULL pointer dereference in kvm_irq_map_gsi - [x86] KVM: fix OOPS after invalid KVM_SET_DEBUGREGS - ALSA: hda - Fix headset mic detection problem for Dell machine - [powerpc*] pseries: Fix PCI config address for DDW - mnt: fs_fully_visible test the proper mount for MNT_LOCKED - IB/IPoIB: Fix race between ipoib_remove_one to sysfs functions - IB/mlx5: Return PORT_ERR in Active to Initializing tranisition - IB/mlx5: Fix returned values of query QP - IB/IPoIB: Don't update neigh validity for unresolved entries - tcp: record TLP and ER timer stats in v6 stats - of: fix autoloading due to broken modalias with no 'compatible' - [x86] cpufreq: intel_pstate: Fix ->set_policy() interface for no_turbo - fs: fix d_walk()/non-delayed __d_free() race - net/mlx5: Fix the size of modify QP mailbox - net/mlx5: Fix masking of reserved bits in XRCD number - uvc: Forward compat ioctls to their handlers directly - [armhf] mfd: omap-usb-tll: Fix scheduling while atomic BUG - [armhf] usb: dwc3: exynos: Fix deferred probing storm. - usb: f_fs: off by one bug in _ffs_func_bind() - usb: gadget: fix spinlock dead lock in gadgetfs - usb: gadget: avoid exposing kernel stack - HID: elo: kill not flush the work - usb: xhci-plat: properly handle probe deferral for devm_clk_get() - USB: quirks: Fix entries on wrong list in 3.16.y - [armhf] usb: musb: Ensure rx reinit occurs for shared_fifo endpoints - [armhf] usb: musb: Stop bulk endpoint while queue is rotated - iio: Fix error handling in iio_trigger_attach_poll_func - scsi: fix race between simultaneous decrements of ->host_failed - [armel,armhf] 8578/1: mm: ensure pmd_present only checks the valid bit - [armel,armhf] 8579/1: mm: Fix definition of pmd_mknotpresent - drm/radeon: fix asic initialization for virtualized environments - [armhf] spi: sun4i: fix FIFO limit - [armhf] spi: sunxi: fix transfer timeout - [x86] kprobes: Clear TF bit in fault on single-stepping - kernel/sysrq, watchdog, sched/core: Reset watchdog on all CPUs while processing sysrq-w - ipv6: fix endianness error in icmpv6_err - net_sched: introduce qdisc_replace() helper - net_sched: update hierarchical backlog too - netem: fix a use after free - net_sched: fix pfifo_head_drop behavior vs backlog - [x86] drm/i915/ilk: Don't disable SSC source if it's in use - base: make module_create_drivers_dir race-free - kvm: Fix irq route entries exceeding KVM_MAX_IRQ_ROUTES - [armhf] memory: omap-gpmc: Fix omap gpmc EXTRADELAY timing - IB/mlx4: Properly initialize GRH TClass and FlowLabel in AHs - isa: Call isa_bus_init before dependent ISA bus drivers register - [x86] hwmon: (dell-smm) Restrict fan control and serial number to CAP_SYS_ADMIN by default - tracing: Handle NULL formats in hold_module_trace_bprintk_format() - [arm64] mm: remove page_mapping check in __sync_icache_dcache - pinctrl: single: Fix missing flush of posted write for a wakeirq - net/mlx4_en: Fix the return value of a failure in VLAN VID add/kill - ubi: Make recover_peb power cut aware - mm: Export migrate_page_move_mapping and migrate_page_copy - UBIFS: Implement ->migratepage() - [ppc64el] bpf/jit: Disable classic BPF JIT on ppc64le - can: fix oops caused by wrong rtnl dellink usage - xen/pciback: Fix conf_space read/write overlap check. - IB/mlx5: Fix post send fence logic - IB/mlx4: Fix the SQ size of an RC QP - IB/mlx4: Fix error flow when sending mads under SRIOV - IB/mlx4: Verify port number in flow steering create flow - IB/mlx4: Fix memory leak if QP creation failed - Input: wacom_w8001 - w8001_MAX_LENGTH should be 13 - cifs: use CIFS_MAX_DOMAINNAME_LEN when converting the domain name - cifs: dynamic allocation of ntlmssp blob - ALSA: dummy: Fix a use-after-free at closing - cifs: Fix reconnect to not defer smb3 session reconnect long after socket reconnect - tmpfs: don't undo fallocate past its last page - fs/nilfs2: fix potential underflow in call to crc32_le - staging: iio: accel: fix error check - [armhf,arm64] KVM: Stop leaking vcpu pid references - make nfs_atomic_open() call d_drop() on all ->open_context() errors. - USB: don't free bandwidth_mutex too early - ALSA: echoaudio: Fix memory allocation - [s390x] fix test_fp_ctl inline assembly contraints - net: bgmac: Start transmit queue in bgmac_open - net: bgmac: Remove superflous netif_carrier_on() - mac80211: Fix mesh estab_plinks counting in STA removal case - Bridge: Fix ipv6 mc snooping if bridge has no ipv6 address - NFS: Fix another OPEN_DOWNGRADE bug - ipr: Clear interrupt on croc/crocodile when running with LSI - [powerpc*] tm: Avoid SLB faults in treclaim/trecheckpoint when RI=0 - net: phy: Manage fixed PHY address space using IDA - batman-adv: Fix memory leak on tt add with invalid vlan - batman-adv: replace WARN with rate limited output on non-existing VLAN - batman-adv: Fix use-after-free/double-free of tt_req_node - batman-adv: Fix ICMP RR ethernet access after skb_linearize - batman-adv: Clean up untagged vlan when destroying via rtnl-link - qlcnic: use the correct ring in qlcnic_83xx_process_rcv_ring_diag() - ALSA: au88x0: Fix calculation in vortex_wtdma_bufshift() - [amd64] power: Fix kernel text mapping corruption during image restoration - [x86] amd_nb: Fix boot crash on non-AMD systems - bonding: prevent out of bound accesses - net/mlx5: Fix potential deadlock in command mode change - net/mlx5: Add timeout handle to commands with callback - block: fix use-after-free in sys_ioprio_get() (CVE-2016-7911) - ALSA: timer: Fix negative queue usage by racy accesses - qeth: delete napi struct when removing a qeth device - xenbus: don't bail early from xenbus_dev_request_and_reply() - ecryptfs: don't allow mmap when the lower fs doesn't support it - tmpfs: fix regression hang in fallocate undo - fs: limit filesystem stacking depth - proc: prevent stacking filesystems on top - [powerpc*] KVM: Book3S HV: Pull out TM state save/restore into separate procedures - [powerpc*] KVM: Book3S HV: Save/restore TM state in H_CEDE (CVE-2016-5412) https://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.16.38 https://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.16.39 - HID: uhid: fix timeout when probe races with IO - macvlan: Fix potential use-after free for broadcasts - netlabel: add address family checks to netlbl_{sock,req}_delattr() - em28xx-i2c: rt_mutex_trylock() returns zero on failure - PCI: Mark Atheros AR9485 and QCA9882 to avoid bus reset - [armhf] gpio: pca953x: Fix NBANK calculation for PCA9536 - random: print a warning for the first ten uninitialized random users - [x86] random: add interrupt callback to VMBus IRQ handler - sched/cputime: Fix prev steal time accouting during CPU hotplug - [armel/kirkwood,armhf] mvebu: fix HW I/O coherency related deadlocks - [armhf] usb: dwc3: fix for the isoc transfer EP_BUSY flag - crypto: gcm - Filter out async ghash if necessary - IB/mlx5: Fix MODIFY_QP command input structure - drm/nouveau: Don't leak runtime pm ref on driver unload - drm/radeon: Don't leak runtime pm ref on driver unload - drm/radeon: Don't leak runtime pm ref on driver load - tty/serial: atmel: fix RS485 half duplex with DMA - [armhf] serial: samsung: Fix ERR pointer dereference on deferred probe - [armhf] hwrng: omap - Fix assumption that runtime_get_sync will always succeed - hp-wmi: Fix wifi cannot be hard-unblocked - Input: xpad - validate USB endpoint count during probe - ath9k: Fix programming of minCCA power threshold - ext4: check for extents that wrap around - ext4: fix deadlock during page writeback - ext4: don't call ext4_should_journal_data() on the journal inode - batman-adv: Avoid nullptr dereference in bla after vlan_insert_tag - batman-adv: Avoid nullptr dereference in dat after vlan_insert_tag - batman-adv: Fix orig_node_vlan leak on orig_node_release - batman-adv: lock crc access in bridge loop avoidance - batman-adv: Fix non-atomic bla_claim::backbone_gw access - batman-adv: Fix reference leak in batadv_find_router - batman-adv: Free last_bonding_candidate on release of orig_node - ext4: validate s_reserved_gdt_blocks on mount - iwlwifi: pcie: fix access to scratch buffer - [mips*] Fix page table corruption on THP permission changes. - batman-adv: Fix speedy join in gateway client mode - drm/radeon: add a delay after ATPX dGPU power off - drm/radeon: Poll for both connect/disconnect on analog connectors - ALSA: ctl: Stop notification after disconnection - ALSA: pcm: Free chmap at PCM free callback, too - [armhf] net: mvneta: set real interrupt per packet for tx_done - ppp: defer netns reference release for ppp channel - rtc: ds1307: Fix relying on reset value for weekday - ngene: properly handle __user ptr - media: dvb_ringbuffer: Add memory barriers - [x86] quirks: Apply nvidia_bugs quirk only on root bus - [x86] quirks: Reintroduce scanning of secondary buses - [x86] quirks: Add early quirk to reset Apple AirPort card - posix_cpu_timer: Exit early when process has been reaped - ALSA: hda - fix use-after-free after module unload - svc: Avoid garbage replies when pc_func() returns rpc_drop_reply - NFS: Don't drop CB requests with invalid principals - qxl: check for kmap failures - cifs: Check for existing directory when opening file with O_CREAT - net: ethoc: Fix early error paths - [s390x] mm: fix gmap tlb flush issues - [armel,armhf] 8561/3: dma-mapping: Don't use outer_flush_range when the L2C is coherent - [x86] KVM: nVMX: fix lifetime issues for vmcs02 - [x86] KVM: nVMX: Fix memory corruption when using VMCS shadowing - ext4: fix reference counting bug on block allocation error - ext4: short-cut orphan cleanup on error - [powerpc*] tm: Fix stack pointer corruption in __tm_recheckpoint() - Bluetooth: Fix l2cap_sock_setsockopt() with optname BT_RCVMTU - xfrm: fix crash in XFRM_MSG_GETSA netlink handler - crypto: scatterwalk - Fix test in scatterwalk_done - mmc: block: fix packed command header endianness - crypto: nx - off by one bug in nx_of_update_msc() - tpm: read burstcount from TPM_STS in one 32-bit transaction - [arm64] debug: unmask PSTATE.D earlier - brcmfmac: Fix glob_skb leak in brcmf_sdiod_recv_chain - brcmsmac: Free packet if dma_mapping_error() fails in dma_rxfill - brcmsmac: Initialize power in brcms_c_stf_ss_algo_channel_get() - mtd: nand: fix bug writing 1 byte less than page size - target: Fix missing complete during ABORT_TASK + CMD_T_FABRIC_STOP - target: Fix race between iscsi-target connection shutdown + ABORT_TASK - target: Fix max_unmap_lba_count calc overflow - cifs: fix crash due to race in hmac(md5) handling - hwmon: (adt7411) set bit 3 in CFG1 register - iscsi-target: Fix panic when adding second TCP connection to iSCSI session - tty/vt/keyboard: fix OOB access in do_compute_shiftstate() - [mips*] bpf: fix off-by-one in ctx offset allocation - libceph: set 'exists' flag for newly up osd - libceph: apply new_state before new_up_client on incrementals - [x86] gpio: intel-mid: Remove potentially harmful code - nfs: don't create zero-length requests - radix-tree: fix radix_tree_iter_retry() for tagged iterators. - pps: do not crash when failed to register - [armhf] OMAP3: hwmod data: Add sysc information for DSI - net/irda: fix NULL pointer dereference on memory allocation failure - l2tp: Correctly return -EBADF from pppol2tp_getname. - ceph: Correctly return NXIO errors from ceph_llseek - CIFS: Fix a possible invalid memory access in smb2_query_symlink() - [mips*] KEYS: 64-bit MIPS needs to use compat_sys_keyctl for 32-bit userspace - drm/radeon: fix firmware info version checks - fuse: fsync() did not return IO errors - fuse: fuse_flush must check mapping->flags for errors - fuse: fix wrong assignment of ->flags in fuse_send_init() - ubi: Fix race condition between ubi device creation and udev - ubi: Make volume resize power cut aware - ubi: Be more paranoid while seaching for the most recent Fastmap - drm/nouveau/fbcon: fix font width not divisible by 8 - drm/nouveau/acpi: ensure matching ACPI handle and supported functions - drm/nouveau/acpi: check for function 0x1B before using it - tcp: consider recv buf for the initial window scale - ext4: validate that metadata blocks do not overlap superblock - ALSA: hda - On-board speaker fixup on ACER Veriton - [amd64] syscalls: Add compat_sys_keyctl for 32-bit userspace - balloon: check the number of available pages in leak balloon - dm flakey: error READ bios during the down_interval - mm/hugetlb: avoid soft lockup in set_max_huge_pages() - sysv, ipc: fix security-layer leaking - ALSA: hda: Fix krealloc() with __GFP_ZERO usage - block: fix use-after-free in seq file (CVE-2016-7910) - mac80211: fix purging multicast PS buffer queue - SUNRPC: allow for upcalls for same uid but different gss service - USB: serial: fix memleak in driver-registration error path - vfio/pci: Fix NULL pointer oops in error interrupt setup handling - [x86] drm/edid: Add 6 bpc quirk for display AEO model 0. - [x86] drm/i915/dp: Revert "drm/i915/dp: fall back to 18 bpp when sink capability is unknown" - [powerpc*] powernv: Fix MCE handler to avoid trashing CR0/CR1 registers. - netfilter: nf_ct_expect: remove the redundant slash when policy name is empty - netfilter: nfnetlink_queue: reject verdict request from different portid - [powerpc*] book3s: Fix MCE console messages for unrecoverable MCE. - USB: validate wMaxPacketValue entries in endpoint descriptors - cpuset: make sure new tasks conform to the current config of the cpuset - [s390x] dasd: fix hanging device after clear subchannel - [armhf] usb: dwc3: gadget: increment request->actual once - [x86] mm: Disable preemption during CR3 read+write - megaraid_sas: Fix probing cards without io port - PM / hibernate: Restore processor state before using per-CPU variables - ipv6: suppress sparse warnings in IP6_ECN_set_ce() - USB: serial: mos7720: fix non-atomic allocation in write path - USB: serial: mos7840: fix non-atomic allocation in write path - cdc-acm: fix wrong pipe type on rx interrupt xfers - scsi: fix upper bounds check of sense key in scsi_sense_key_string() - xhci: always handle "Command Ring Stopped" events - usb: xhci: Fix panic if disconnect - xhci: don't dereference a xhci member after removing xhci - [x86] KVM: nVMX: postpone VMCS changes on MSR_IA32_APICBASE write - bcache: register_bcache(): call blkdev_put() when cache_alloc() fails - bcache: RESERVE_PRIO is too small by one when prio_buckets() is a power of two. - drm/radeon: fix radeon_move_blit on 32bit systems - net/mlx5: Added missing check of msg length in verifying its signature - [x86] staging: comedi: daqboard2000: bug fix board type matching code - [x86] staging: comedi: ni_mio_common: fix AO inttrig backwards compatibility - [armhf] iio: adc: ti_am335x_adc: Protect FIFO1 from concurrent access - [powerpc*] pseries: use pci_host_bridge.release_fn() to kfree(phb) - [powerpc*] prom: Fix sub-processor option passed to ibm, client-architecture-support - drm: Reject page_flip for !DRIVER_MODESET - USB: fix typo in wMaxPacketSize validation - USB: avoid left shift by -1 - ubifs: Fix assertion in layout_in_gaps() - tun: fix transmit timestamp support - timekeeping: Cap array access in timekeeping_debug - [x86] apic: Do not init irq remapping if ioapic is disabled - usb: gadget: udc: core: don't starve DMA resources - qdisc: fix a module refcount leak in qdisc_create_dflt() - [armel/kirkwood] ib62x0: fix size of u-boot environment partition - batman-adv: Add missing refcnt for last_candidate - [armhf] clocksource/drivers/sun4i: Clear interrupts after stopping timer in probe function - printk: fix parsing of "brl=" option - fs/seq_file: fix out-of-bounds read - [powerpc*] powernv : Drop reference added by kset_find_obj() - ALSA: timer: fix division by zero after SNDRV_TIMER_IOCTL_CONTINUE - ALSA: timer: fix NULL pointer dereference on memory allocation failure - NFSv4.x: Fix a refcount leak in nfs_callback_up_net - dm crypt: fix free of bad values after tfm allocation failure - kernfs: don't depend on d_find_any_alias() when generating notifications - ALSA: fireworks: accessing to user space outside spinlock - ipv6: add missing netconf notif when 'all' is updated - tcp: fastopen: fix rcv_wup initialization for TFO server on SYN/data - kernel/fork: fix CLONE_CHILD_CLEARTID regression in nscd - ALSA: timer: fix NULL pointer dereference in read()/ioctl() race - [x86] paravirt: Do not trace _paravirt_ident_*() functions - IB/core: Fix use after free in send_leave function - IB/ipoib: Fix memory corruption in ipoib cm mode connect flow - [x86] AMD: Apply erratum 665 on machines without a BIOS fix - l2tp: fix use-after-free during module unload - iio: fix pressure data output unit in hid-sensor-attributes - sched/core: Fix a race between try_to_wake_up() and a woken up task - [x86] efi/libstub: Allocate headspace in efi_get_memory_map() - iio:core: fix IIO_VAL_FRACTIONAL sign handling - Btrfs: add missing blk_finish_plug in btrfs_sync_log() - Btrfs: remove root_log_ctx from ctx list before btrfs_sync_log returns - ipv6: addrconf: fix dev refcont leak when DAD failed - crypto: cryptd - initialize child shash_desc on import - ALSA: timer: Fix zero-division by continue of uninitialized instance - ALSA: rawmidi: Fix possible deadlock with virmidi registration - xfrm_user: propagate sec ctx allocation errors - [armhf,arm64] kvm-arm: Unmap shadow pagetables properly - [arm64] spinlocks: implement smp_mb__before_spinlock() as smp_mb() - asm-generic: make copy_from_user() zero the destination properly - NFSv4.1: Fix the CREATE_SESSION slot number accounting - crypto: skcipher - Fix blkcipher walk OOM crash - [arm64] crypto: aes-ctr - fix NULL dereference in tail processing - nl80211: validate number of probe response CSA counters - asm-generic: make get_user() clear the destination on errors - [mips*] copy_from_user() must zero the destination on access_ok() failure - [powerpc] ppc32: fix copy_from_user() - [s390x] get_user() should zero on failure - [x86] perf/amd: Make HW_CACHE_REFERENCES and HW_CACHE_MISSES measure L2 - USB: change bInterval default to 10 ms - IB/ipoib: Don't allow MC joins during light MC flush - IB/mlx4: Fix incorrect MC join state bit-masking on SR-IOV - IB/mlx4: Fix code indentation in QP1 MAD flow - IB/mlx4: Use correct subnet-prefix in QP1 mads under SR-IOV - irda: Free skb on irda_accept error path. - xfrm: Fix memory leak of aead algorithm name - ocfs2/dlm: fix race between convert and migration - fsnotify: add a way to stop queueing events on group shutdown - ocfs2: fix start offset to ocfs2_zero_range_for_truncate() - fix fault_in_multipages_...() on architectures with no-op access_ok() - [x86] i2c-eg20t: fix race between i2c init and interrupt enable - btrfs: ensure that file descriptor used with subvol ioctls is a dir - can: dev: fix deadlock reported after bus-off - ip6_gre: Set flowi6_proto as IPPROTO_GRE in xmit path. - ip6_gre: fix flowi6_proto value in ip6gre_xmit_other() - tracing: Move mutex to protect against resetting of seq data - ipmr, ip6mr: fix scheduling while atomic and a deadlock with ipmr_get_route - drm/radeon/si/dpm: add workaround for for Jet parts - mm,ksm: fix endless looping in allocating memory when ksm enable - [armel,armhf] 8617/1: dma: fix dma_max_pfn() - [mips*/5kc-malta] Fix IOCU disable switch read for MIPS64 - mm: workingset: fix crash in shadow node shrinker caused by replace_page_cache_page() - [armhf] 8618/1: decompressor: reset ttbcr fields to use TTBR0 on ARMv7 - [arm64] perf: reject groups spanning multiple HW PMUs (CVE-2015-8955) - firewire: net: guard against rx buffer overflows (CVE-2016-8633) - brcmfmac: avoid potential stack overflow in brcmf_cfg80211_start_ap() (CVE-2016-8658) - vfio/pci: Fix integer overflows, bitmask check (CVE-2016-9083, CVE-2016-9084) - fs: Give dentry to inode_change_ok() instead of inode - fs: Avoid premature clearing of capabilities (CVE-2015-1350) (Closes: #770492) - posix_acl: Clear SGID bit when setting file permissions (CVE-2016-7097) - staging: comedi: ni_mio_common: fix wrong insn_write handler - xenbus: don't BUG() on user mode induced condition - xenbus: don't look up transaction IDs for ordinary writes - compiler-gcc: disable -ftracer for __noclone functions - PM / devfreq: Fix incorrect type issue. - mm: filemap: don't plant shadow entries without radix tree node . [ Aurelien Jarno ] * [mips*] Fix ptrace handling of any syscalls returning ENOSYS. . [ Salvatore Bonaccorso ] * [x86] KVM: pass host_initiated to functions that read MSRs * [x86] KVM: VMX: Fix host initiated access to guest MSR_TSC_AUX (Closes: #838660) . [ Ben Hutchings ] * [x86] video: Disable X86_SYSFB, FB_SIMPLE (Closes: #822575) * Revert "ecryptfs: forbid opening files without mmap handler", redundant with upstream fixes * fs: Move procfs/ecryptfs stacking check into ecryptfs, to avoid ABI change * [mips*] Fix ABI change in 3.16.37 * net/sched: Fix ABI change in 3.16.37 * SCSI: Fix ABI change in 3.16.37 * ubi: Avoid ABI change in 3.16.37 * i8042: Revert ABI break in 3.16.39 * fs: Fix ABI change in 3.16.39 * can: Ignore ABI change in 3.16.39 * [mips*] uaccess: Avoid ABI change in 3.16.39 * [arm64] Revert "arm64: Define AT_VECTOR_SIZE_ARCH for ARCH_DLINFO" to avoid ABI change * [s390x] Revert "s390: Define AT_VECTOR_SIZE_ARCH for ARCH_DLINFO" to avoid ABI change * Revert "block: fix bdi vs gendisk lifetime mismatch" to avoid ABI change * fsnotify: Ignore ABI change in 3.16.39 * Fix backport of "fs: Give dentry to inode_change_ok() instead of inode" in fuse, xfs * sg: Fix double-free when drives detach during SG_IO (CVE-2015-8962) * perf: Fix race in swevent hash (CVE-2015-8963) * tty: Prevent ldisc drivers from re-using stale tty fields (CVE-2015-8964) * usb: gadget: f_fs: Fix use-after-free (CVE-2016-7912) * HID: core: prevent out-of-bound readings (CVE-2016-7915) * netfilter: nfnetlink: correctly validate length of batch messages (CVE-2016-7917) * net: ping: check minimum size on ICMP header length (CVE-2016-8399) * net: Add __sock_queue_rcv_skb() * rose,dccp: limit sk_filter trim to payload * tcp: take care of truncations done by sk_filter() (CVE-2016-8645) * mpi: Fix NULL ptr dereference in mpi_powm() [ver #3] (CVE-2016-8650) * packet: fix race condition in packet_set_ring (CVE-2016-8655) * [x86] Fix potential infoleak in older kernels (CVE-2016-9178) * sctp: validate chunk len before actually using it (CVE-2016-9555) * sg_write()/bsg_write() is not fit to be called under KERNEL_DS (CVE-2016-9576, CVE-2016-10088) * [x86] KVM: drop error recovery in em_jmp_far and em_ret_far (CVE-2016-9756) * net: avoid signed overflows for SO_{SND|RCV}BUFFORCE (CVE-2016-9793) * ALSA: pcm : Call kill_fasync() in stream lock (CVE-2016-9794) * security,perf: Allow unprivileged use of perf_event_open to be disabled (sysctl: kernel.perf_event_paranoid=3) * spi-nor: Add support for n25q256a11 SPI flash device (Closes: #843650) (thanks to Matt Sickler) * xen-blkfront: fix accounting of reqs when migrating (Closes: #843715) . [ Julien Cristau ] * hwrng: Add chaoskey driver, backported from 4.8 (Closes: #839616) linux (3.16.36-1+deb8u2) jessie-security; urgency=high . * KEYS: Fix short sprintf buffer in /proc/keys show function (CVE-2016-7042) * scsi: arcmsr: Buffer overflow in arcmsr_iop_message_xfer() (CVE-2016-7425) * Bluetooth: Fix potential NULL dereference in RFCOMM bind callback (CVE-2015-8956) * netfilter: x_tables: speed up jump target validation (Closes: #831014) * mm: remove gup_flags FOLL_WRITE games from __get_user_pages() (CVE-2016-5195) linux (3.16.36-1+deb8u2~bpo70+1) wheezy-backports; urgency=medium . * Rebuild for wheezy: - Disable architectures that weren't part of wheezy - Use gcc-4.6 for all architectures - Change ABI number to 0.bpo.4 - [arm] btrfs: Work around bug in gcc-4.6 (fixes FTBFS) - linux-image: Depend on initramfs-tools without any alternatives, so that neither apt nor aptitude will automatically switch to dracut . linux (3.16.36-1+deb8u2) jessie-security; urgency=high . * KEYS: Fix short sprintf buffer in /proc/keys show function (CVE-2016-7042) * scsi: arcmsr: Buffer overflow in arcmsr_iop_message_xfer() (CVE-2016-7425) * Bluetooth: Fix potential NULL dereference in RFCOMM bind callback (CVE-2015-8956) * netfilter: x_tables: speed up jump target validation (Closes: #831014) * mm: remove gup_flags FOLL_WRITE games from __get_user_pages() (CVE-2016-5195) lxc (1:1.0.6-6+deb8u5) jessie; urgency=medium . * attach: do not send procfd to attached process Closes: #845465 CVE-2016-8649 lxc (1:1.0.6-6+deb8u4) jessie; urgency=medium . * fix Alpine Linux container creation (Closes: #838517) * remount bind mounts if read-only flag is provided (Closes: #838957) mailman (1:2.1.18-2+deb8u1) jessie-security; urgency=high . * CVE-2016-6893: Fix CSRF vulnerability associated in the user options page which could allow an attacker to obtain a user's password. (Closes: #835970) mapserver (6.4.1-5+deb8u2) stable; urgency=medium . * Add upstream patch to fix FTBFS with php >= 5.6.25. mapserver (6.4.1-5+deb8u1) stable; urgency=high . * Add upstream patch to fix CVE-2016-9839. mdadm (3.3.2-5+deb8u2) jessie; urgency=medium . * Non-maintainer upload. * fix-grow-continue.patch: Port upstream fix to let '--grow --continue' successfully reshape an array when using backup space on a 'spare' device. (Closes: #840743) memcached (1.4.21-1.1+deb8u1) jessie-security; urgency=high . * Non-maintainer upload by the Security Team. * Add patch to fix various issues reported by the Cisco TALOS project. CVE-2016-8704: Server append/prepend remote code execution CVE-2016-8705: Server update remote code execution CVE-2016-8706: Server ASL authentication remote code execution (Closes: #842811, #842812, #842814) metar (20061030.1-2+deb8u1) jessie; urgency=medium . * Non-maintainer upload * Import patch for new METAR URL from Kees Leune (Closes: #839907) minissdpd (1.2.20130907-3+deb8u1) jessie; urgency=high . * Non-maintainer upload. * Fix CVE-2016-3178 and CVE-2016-3179. (Closes: #816759) The minissdpd daemon contains a improper validation of array index vulnerability (CWE-129) when processing requests sent to the Unix socket at /var/run/minissdpd.sock the Unix socket can be accessed by an unprivileged user to send invalid request causes an out-of-bounds memory access that crashes the minissdpd daemon. moin (1.9.8-1+deb8u1) jessie-security; urgency=high . * Non-maintainer upload by the Security Team. * CVE-2016-7146: XSS in GUI editor's attachment dialogue (Closes: #844340) * CVE-2016-7148: XSS in AttachFile view (multifile related) (Closes: #844341) * CVE-2016-9119: XSS in GUI editor's link dialogue (Closes: #844338) monotone (1.1-4+deb8u2) jessie; urgency=high . * Add patch 51-sigpipe-test.diff: change the sigpipe test case to write 1M of test data to increase chances of overflowing the pipe buffer; as already applied on Debian testing. Closes: #833574. most (5.0.0a-2.3+deb8u1) stable-proposed-updates; urgency=high . * lzma-support.patch: - Fix CVE-2016-1253: shell injection attack when opening lzma-compressed files (Closes: #848132) mpg123 (1.20.1-2+deb8u1) jessie; urgency=high . * Team upload. * Fix DoS with crafted ID3v2 tags. (Closes: #838960) musl (1.1.5-2+deb8u1) jessie; urgency=high . * Cherry-pick upstream fix for regex integer overflow in buffer size computations; CVE-2016-8859 (Closes: #842171) mysql-5.5 (5.5.53-0+deb8u1) jessie-security; urgency=high . * Imported upstream version 5.5.53 to fix security issues: - http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html - CVE-2016-7440 CVE-2016-5584 (Closes: #841050) * Packaging will now create /var/lib/mysql-files, as server will now by default restrict all import/export operations to this directory. This can be changed using the secure-file-priv config option. mysql-5.5 (5.5.52-0+deb8u1) jessie-security; urgency=high . * Non-maintainer upload by the Security Team. * Imported Upstream version 5.5.52 to fix security issues: - CVE-2016-6662 nbd (1:3.8-4+deb8u3) jessie; urgency=medium . * nbd-client.c: stop mixing global flags into the flags field that gets sent to the kernel, so that connecting to nbd-server >= 3.9 does not cause every export to be (incorrectly) marked as read-only. nettle (2.7.1-5+deb8u2) stable; urgency=medium . * [SECURITY] cve-2016-6489.patch: Protect against potential side-channel attacks against exponentiation operations as described in CVE-2016-6489 "RSA code is vulnerable to cache sharing related attacks" (Closes: #832983). nginx (1.6.2-5+deb8u4) jessie-security; urgency=high . * Non-maintainer upload by the Security Team. * debian/nginx-common.config: fix return code so script doesn't exit. Thanks to Marc Deslauriers and Thomas Ward (Closes: #842276) nginx (1.6.2-5+deb8u3) jessie-security; urgency=high . [ Christos Trochalakis ] * debian/nginx-common.postinst: + CVE-2016-1247: Secure log file handling (owner & permissions) against privilege escalation attacks. /var/log/nginx is now owned by root:adm. Thanks ro Dawid Golunski for the report. Changing /var/log/nginx permissions effectively reopens #701112, since log files can be world-readable. This is a trade-off until a better log opening solution is implemented upstream (trac:376). * debian/control: Don't allow building against liblua5.1-0-dev on architectures that libluajit is available. (Closes: #826167) nspr (2:4.12-1+debu8u1) jessie-security; urgency=medium . * New upstream release. Closes: #583651. * Import an updated symbols file from unstable. nspr (2:4.12-1) unstable; urgency=medium . * New upstream release. * debian/libnspr4.symbols: Updated. nspr (2:4.11-1) unstable; urgency=medium . * New upstream release. nspr (2:4.10.10-1) unstable; urgency=high . * New upstream release. * Fixes mfsa-2015-133, aka CVE-2015-7183. nspr (2:4.10.9-2) unstable; urgency=medium . * nspr/pr/include/md/_linux.cfg: Fix mips64 condition testing, avoiding e.g. wrong types being picked up on mips/mipsel. nspr (2:4.10.9-1) unstable; urgency=medium . * New upstream release. * debian/libnspr4.symbols: Updated. nspr (2:4.10.8-2) unstable; urgency=medium . * debian/rules: - Do not pretend nspr's configure can be run through dh_auto_configure. The architecture flags are different than "standard" autoconf. Closes: #782983. - Use changelog date to feed nspr build system. - Pass --enable-x32 for x32 builds. * debian/libnspr4.symbols: - Updated for x32-specific symbols. Thanks to Daniel Schepler . - Reordered symbols. nspr (2:4.10.8-1) unstable; urgency=medium . * New upstream release. nss (2:3.26-1+debu8u1) jessie-security; urgency=medium . * New upstream release. Closes: #583651. * Remove SPI CA certificate. * Remove transitional compatibility kludge for renegotiation handling. * Update watch file and Vcs URLs, and the symbols file from unstable. nss (2:3.26-1) unstable; urgency=medium . * New upstream release. * debian/watch: Update such that uscan --download-version works. * debian/control, debian/libnss3-1d.*, debian/libnss3.symbols: Remove the libnss3-1d* transitional packages. * debian/rules: - Always set CCC to CXX. Thanks Helmut Grohne. Closes: #806292. - Override KERNEL when cross building for a different OS. Closes: #810579. * debian/control: Split Depends/Build-Depends/Conflicts. Thanks Guido Günther. Closes: #806634. nss (2:3.25-1) unstable; urgency=medium . * New upstream release. * debian/libnss3.symbols, debian/rules: Add the new libfreeblpriv3 library. * debian/libnss3.symbols: Add NSS_3.24 and NSSUTIL_3.24 symbol versions. nss (2:3.23-2) unstable; urgency=medium . * debian/control, debian/rules: Leave it to dh_makeshlibs to do the right thing wrt ldconfig. This requires debhelper 9.20160403. Closes: #811124. nss (2:3.23-1) unstable; urgency=medium . * New upstream release. * Fixes mfsa2016-{35-36} also known as CVE-2016-1950 and CVE-2016-1979. * debian/control: Bump nspr build dependency to 2:4.12. * debian/libnss3.symbols: Add NSS_3.22 and NSS_3.23 symbol versions. nss (2:3.21-1.1) unstable; urgency=medium . * Non-maintainer upload. * Fix FTBFS on x32. Closes: #699217 * Fix FTBFS on hppa. Closes: #808990 nss (2:3.21-1) unstable; urgency=medium . * New upstream release. * nss/lib/ssl/sslsock.c: Disable transitional scheme for SSL renegotiation. 5 years after the transition started, it shouldn't be necessary anymore. * nss/lib/ckfw/builtins/certdata.txt: Remove the SPI CA. * nss/lib/util/secload.c: Fix a warning introduced by our patch to this file. * debian/libnss3.symbols: Add NSS_3.21 symbol versions. nss (2:3.20.1-1) unstable; urgency=high . * New upstream release. * Fixes mfsa2015-133. also known as CVE-2015-7181 and CVE-2015-7182. nss (2:3.20-1) unstable; urgency=medium . * New upstream release. * Removed patch for __DATE__ and __TIME__ references from 2:3.19.1-1 because the parts that matter were applied upstream. * debian/rules: Move USE_64 to common make flags, and always use DEB_HOST_ARCH_BITS since it's even supported by dpkg in oldstable, now. * debian/libnss3.symbols: Add NSS_3.20 symbol versions. nss (2:3.19.2-1) unstable; urgency=medium . * New upstream release. * debian/rules: Force set OS_TEST to DEB_HOST_GNU_CPU to avoid it defaulting to `uname -m`. Thanks Helmut Grohne. Closes: #788452 nss (2:3.19.1-2) unstable; urgency=medium . * debian/control: Fix Vcs-Git url. * nss/cmd/shlibsign/manifest.mn: Fix missing LIBRARY_VERSION. * nss/cmd/shlibsign/shlibsign.c: Fix shlibsign on arm64. nss (2:3.19.1-1) unstable; urgency=medium . * New upstream release. * debian/libnss3.symbols: - Add NSS_3.19.1 symbol versions. - Reorder and replace *@ with (symver). * debian/rules: - Pass multi-arch dir for NSPR_LIB_DIR. Closes: #722811. - Set umask when calling shlibsign, and rearrange how it's being called. - Build nsinstall separately and set things up for cross-compilations. - Use native shlibsign when cross-compiling. - Do not run FIPS check on cross-builds. * debian/control: Build depend on native libnss3-tools for cross builds. Closes: #682926. * debian/libnss3-tools.manpages, debian/rules: Install the manpages that are now provided upstream. Closes: #505382. * debian/control: Update Vcs-* urls. * debian/control: Bump Standards-Version to 3.9.6.0. No changes required. * nss/lib/ckfw/builtins/binst.c, nss/lib/ckfw/builtins/ckbiver.c, nss/lib/ckfw/builtins/manifest.mn, nss/lib/ckfw/capi/ckcapiver.c, nss/lib/ckfw/capi/manifest.mn, nss/lib/ckfw/nssmkey/ckmkver.c, nss/lib/ckfw/nssmkey/manifest.mn, nss/lib/freebl/freeblver.c, nss/lib/freebl/ldvector.c, nss/lib/freebl/manifest.mn, nss/lib/nss/manifest.mn, nss/lib/nss/nssinit.c, nss/lib/nss/nssver.c, nss/lib/smime/manifest.mn, nss/lib/smime/smimeutil.c, nss/lib/smime/smimever.c, nss/lib/softoken/legacydb/lginit.c, nss/lib/softoken/manifest.mn, nss/lib/softoken/pkcs11.c, nss/lib/softoken/softkver.c, nss/lib/ssl/manifest.mn, nss/lib/ssl/sslcon.c, nss/lib/ssl/sslver.c, nss/lib/util/secoid.c: Remove __DATE__ and __TIME__ references. * nss/cmd/shlibsign/Makefile, nss/cmd/shlibsign/manifest.mn, nss/cmd/shlibsign/shlibsign.c: Fix shlibsign to properly load the sotfoken module. * debian/rules: Remove debian/libnss3/usr/lib/$(DEB_HOST_MULTIARCH)/nss from LD_LIBRARY_PATH when executing shlibsign, which can be done now with the fix above. nss (2:3.19-1) unstable; urgency=medium . * New upstream release. * debian/libnss3.symbols: Add NSS_3.19 symbol versions. nss (2:3.18-1) experimental; urgency=medium . * New upstream release. Closes: #782874. * debian/libnss3.symbols: Add NSS_3.18 symbol versions. nss (2:3.17.4-1) experimental; urgency=medium . * New upstream release. * Acknowledge NMU. nss-pam-ldapd (0.9.4-3+deb8u2) jessie; urgency=medium . * Non-maintainer upload. * have init script stop action only return when nslcd has actually stopped (Closes: #814881) nvidia-graphics-drivers (340.101-1) jessie; urgency=medium . * New upstream legacy 340xx branch release 340.101 (2016-12-14). * Fixed CVE-2016-8826. (Closes: #848195) * Improved compatibility with recent Linux kernels. * New upstream legacy 340xx branch release 340.98 (2016-09-26). * Fixed CVE-2016-7382, CVE-2016-7389. (Closes: #846331) - Added support for the screen_info.ext_lfb_base field, on kernels that have it, in order to properly handle UEFI framebuffer consoles with physical addresses above 4GB. * Improved compatibility with recent Linux kernels. . [ Andreas Beckmann ] * Stop special-casing of the nvidia-alternative substitution (352.79-6). * rules: Drop support for ancient .run layout (352.79-4). * nvidia-detect: Drop support for lenny and squeeze(-lts) (EoL) (352.79-5). * Do not run dh_strip_nondeterminism, it may perform modifications not permitted by the NVIDIA license (340.96-4). * Use #!armhf# and #HAS_UVM# substitutions as in unstable (340.76-5). * Add slave alternative for libnvcuvid.so (340.96-3). * rules, rules.defs: Synchronize variable naming with unstable (352.79-3). * rules, control: Synchronize substvars with unstable (352.79-3). * get-orig-source: Synchronize with unstable (352.79-3). * get-orig-source: Generate .orig-$ARCH.tar.gz for each architecture (358.16-1). * control: Synchronize descriptions with unstable. * bug-script: Synchronize with unstable (352.79-3). * bug-control.mk: New script to generate bug-control (352.79-4). * bug-control, bug-script: Collect some information about OpenCL (352.79-6). * Use an empty nvidia:legacy-check substvar for legacy packages (352.79-6). * separate-makefile-kbuild.patch: New, don't make all Makefile targets available to Kbuild (352.79-6). * KERNEL_UNAME.patch: New, allow usage of KERNEL_UNAME as in 355.xx onwards (352.79-6). * use-kbuild-compiler.patch: New patch to build with Kbuild's version of the compiler instead of system default, thanks to Luca (352.79-2). * Use NVIDIA's conftest.sh script to determine settings during module build instead of our manually maintained conftest.h header (352.79-2). * conftest-verbose.patch: New patch to dump dynamically generated conftest headers (352.79-2). * conftest-via-kbuild.patch: New patch to call conftest.sh from within kbuild (and therefore with kbuild's compiler and flags) as in 355.xx (352.79-2). * use-kbuild-flags.patch: New, use KBUILD_CFLAGS from Kbuild to support building a 64-bit kernel module with 32-bit userspace (352.79-5). * build-sanity-checks.patch: New, handle the conftest.sh sanity checks in the modernized module build system (352.79-6). * disable-cc_version_check.patch: New patch to disable a useless check that tests the running kernel instead of the compilation target. * disable-preempt_rt_sanity_check.patch: New patch to disable a check we already skipped in our conftest.h (352.79-2). * Pass only the kernel version via KERNEL_UNAME and let the module build system figure out the paths (352.79-2). * Clear ARCH variable from environment before module build, thanks to Luca (352.79-2, 352.79-5). * arm-outer-sync.patch: New patch to fix armhf kernel module build for Linux 4.3, thanks to Luca (340.93-5). * ignore_xen_on_arm.patch: Update to add workaround for conftest.sh to fix kernel module build failure on armhf by forcing XEN_PRESENT=0 when building on armhf, thanks to Luca (352.79-2). * nvidia-detect: Update list of newer PCI IDs from release 375.26. * Add B-D: dpkg-dev (>= 1.17) for dpkg-parsechangelog --show-field (352.79-6). * Build libnvidia-encode1 and libnvidia-ifr1 for armhf, too (352.79-10). * Stop shipping unused pci.ids file (352.21-1). * control: Synchronize descriptions with unstable (370.28-2). * Add xorg-video-abi-23 as alternative dependency (375.20-1). * nvidia-alternative: Restrict Depends: glx-alternative-nvidia to (<< 0.7). Uploading a new upstream legacy release to stable will invalidate package relationships in unstable, thus permitting some (partial) upgrade paths that will fail. * Bump Standards-Version to 3.9.8. No changes needed. * Update lintian overrides. * Upload to jessie. . [ Luca Boccassi ] * Add drm-driver-legacy.patch to fix nvidia kernel module load issue on Linux 4.9 and newer. (Closes: #848514) nvidia-graphics-drivers (340.101-1~bpo70+1) wheezy-backports; urgency=medium . * Rebuild for wheezy-backports. * Replace 'dpkg-parsechangelog --show-field=Version' with a sed expression. . nvidia-graphics-drivers (340.101-1) jessie; urgency=medium . * New upstream legacy 340xx branch release 340.101 (2016-12-14). * Fixed CVE-2016-8826. (Closes: #848195) * Improved compatibility with recent Linux kernels. * New upstream legacy 340xx branch release 340.98 (2016-09-26). * Fixed CVE-2016-7382, CVE-2016-7389. (Closes: #846331) - Added support for the screen_info.ext_lfb_base field, on kernels that have it, in order to properly handle UEFI framebuffer consoles with physical addresses above 4GB. * Improved compatibility with recent Linux kernels. . [ Andreas Beckmann ] * Stop special-casing of the nvidia-alternative substitution (352.79-6). * rules: Drop support for ancient .run layout (352.79-4). * nvidia-detect: Drop support for lenny and squeeze(-lts) (EoL) (352.79-5). * Do not run dh_strip_nondeterminism, it may perform modifications not permitted by the NVIDIA license (340.96-4). * Use #!armhf# and #HAS_UVM# substitutions as in unstable (340.76-5). * Add slave alternative for libnvcuvid.so (340.96-3). * rules, rules.defs: Synchronize variable naming with unstable (352.79-3). * rules, control: Synchronize substvars with unstable (352.79-3). * get-orig-source: Synchronize with unstable (352.79-3). * get-orig-source: Generate .orig-$ARCH.tar.gz for each architecture (358.16-1). * control: Synchronize descriptions with unstable. * bug-script: Synchronize with unstable (352.79-3). * bug-control.mk: New script to generate bug-control (352.79-4). * bug-control, bug-script: Collect some information about OpenCL (352.79-6). * Use an empty nvidia:legacy-check substvar for legacy packages (352.79-6). * separate-makefile-kbuild.patch: New, don't make all Makefile targets available to Kbuild (352.79-6). * KERNEL_UNAME.patch: New, allow usage of KERNEL_UNAME as in 355.xx onwards (352.79-6). * use-kbuild-compiler.patch: New patch to build with Kbuild's version of the compiler instead of system default, thanks to Luca (352.79-2). * Use NVIDIA's conftest.sh script to determine settings during module build instead of our manually maintained conftest.h header (352.79-2). * conftest-verbose.patch: New patch to dump dynamically generated conftest headers (352.79-2). * conftest-via-kbuild.patch: New patch to call conftest.sh from within kbuild (and therefore with kbuild's compiler and flags) as in 355.xx (352.79-2). * use-kbuild-flags.patch: New, use KBUILD_CFLAGS from Kbuild to support building a 64-bit kernel module with 32-bit userspace (352.79-5). * build-sanity-checks.patch: New, handle the conftest.sh sanity checks in the modernized module build system (352.79-6). * disable-cc_version_check.patch: New patch to disable a useless check that tests the running kernel instead of the compilation target. * disable-preempt_rt_sanity_check.patch: New patch to disable a check we already skipped in our conftest.h (352.79-2). * Pass only the kernel version via KERNEL_UNAME and let the module build system figure out the paths (352.79-2). * Clear ARCH variable from environment before module build, thanks to Luca (352.79-2, 352.79-5). * arm-outer-sync.patch: New patch to fix armhf kernel module build for Linux 4.3, thanks to Luca (340.93-5). * ignore_xen_on_arm.patch: Update to add workaround for conftest.sh to fix kernel module build failure on armhf by forcing XEN_PRESENT=0 when building on armhf, thanks to Luca (352.79-2). * nvidia-detect: Update list of newer PCI IDs from release 375.26. * Add B-D: dpkg-dev (>= 1.17) for dpkg-parsechangelog --show-field (352.79-6). * Build libnvidia-encode1 and libnvidia-ifr1 for armhf, too (352.79-10). * Stop shipping unused pci.ids file (352.21-1). * control: Synchronize descriptions with unstable (370.28-2). * Add xorg-video-abi-23 as alternative dependency (375.20-1). * nvidia-alternative: Restrict Depends: glx-alternative-nvidia to (<< 0.7). Uploading a new upstream legacy release to stable will invalidate package relationships in unstable, thus permitting some (partial) upgrade paths that will fail. * Bump Standards-Version to 3.9.8. No changes needed. * Update lintian overrides. * Upload to jessie. . [ Luca Boccassi ] * Add drm-driver-legacy.patch to fix nvidia kernel module load issue on Linux 4.9 and newer. (Closes: #848514) nvidia-graphics-drivers (340.96-4) unstable; urgency=medium . [ Andreas Beckmann ] * Do not run dh_strip_nondeterminism, it may perform modifications not permitted by the NVIDIA license. * get-orig-source: Download *.run with wget from http download server to preserve timestamps. * get-orig-source: Generate tarball reproducibly. * Update lintian overrides. . [ Luca Boccassi ] * bug-script: collect Xorg log from journalctl if running on systemd nvidia-graphics-drivers (340.96-4~bpo8+1) jessie-backports; urgency=medium . * Rebuild for jessie-backports. . nvidia-graphics-drivers (340.96-4) unstable; urgency=medium . [ Andreas Beckmann ] * Do not run dh_strip_nondeterminism, it may perform modifications not permitted by the NVIDIA license. * get-orig-source: Download *.run with wget from http download server to preserve timestamps. * get-orig-source: Generate tarball reproducibly. * Update lintian overrides. . [ Luca Boccassi ] * bug-script: collect Xorg log from journalctl if running on systemd . nvidia-graphics-drivers (340.96-3) unstable; urgency=medium . * Merge changes from 304.131-1 (wheezy) and 340.96-1 (jessie). * Add slave alternative for libnvcuvid.so. * Use a more generic approach for unloading the modules. . nvidia-graphics-drivers (340.96-2) unstable; urgency=medium . * Merge changes from 340.96-1 (UNRELEASED). * seq-printf.patch: Remove, fixed upstream. * Update lintian overrides. (Closes: #805388) * Upload to unstable. . nvidia-graphics-drivers (340.96-1) jessie; urgency=medium . * New upstream legacy 340xx branch release 340.96 (2015-11-16). * Fixed CVE-2015-7869: Unsanitized User Mode Input. (Closes: #805917) * Merge changes from 304.131-1. * Add xorg-video-abi-20 as alternative dependency. * conftest.h: - Implement new conftest.sh functions hlist_for_each_entry, of_parse_phandle, for_each_online_node, node_end_pfn (358.09). - Update conftest.sh function scatterlist for logic reversal in 304.131/340.96/352.63, support both ways. * d/rules: Move tar option --no-recursion before the list of files. * d/control: Make dependencies on nvidia-alternative strictly versioned to prevent partial upgrades. * d/module/debian/control.template: Add armhf to the Architecture list, otherwise module-assistant can't build any module packages from nvidia-kernel-source on armhf. * Upload to jessie. nvidia-graphics-drivers (340.96-3) unstable; urgency=medium . * Merge changes from 304.131-1 (wheezy) and 340.96-1 (jessie). * Add slave alternative for libnvcuvid.so. * Use a more generic approach for unloading the modules. nvidia-graphics-drivers (340.96-2) unstable; urgency=medium . * New upstream legacy 340xx branch release 340.96 (2015-11-16). * New upstream legacy 304xx branch release 304.131 (2015-11-16). - Fixed a bug that could cause texture corruption in some OpenGL applications when video memory is exhausted by a combination of simultaneously running graphical and compute workloads. - Added support for X.Org xserver ABI 20 (xorg-server 1.18). * Improved compatibility with recent Linux kernels. * seq-printf.patch: Remove, fixed upstream. * Add xorg-video-abi-20 as alternative dependency. * conftest.h: - Update conftest.sh function scatterlist for logic reversal in 304.131/340.96/352.63, support both ways. * d/control: Make dependencies on nvidia-alternative strictly versioned to prevent partial upgrades. * d/module/debian/control.template: Add armhf to the Architecture list, otherwise module-assistant can't build any module packages from nvidia-kernel-source on armhf. * d/module/debian/rules: Explicitly copy Module.symvers from the nvidia.ko kernel module for use by the nvidia-uvm.ko module, since the dependencies in Kbuild seem not to work in all cases. * Update lintian overrides. (Closes: #805388) nvidia-graphics-drivers-legacy-304xx (304.134-0~deb8u1) jessie; urgency=medium . * New upstream legacy 304xx branch release 304.134 (2016-12-14). * Fixed CVE-2016-8826. (Closes: #848195) - Added support for X.Org xserver ABI 23 (xorg-server 1.19) * Improved compatibility with recent Linux kernels. * New upstream legacy 304xx branch release 304.132 (2016-09-26). * Fixed CVE-2016-7382, CVE-2016-7389. (Closes: #846331) - Added /var/log/dmesg to the list of paths which are searched by nvidia-bug-report.sh for kernel messages. - Fixed a bug that caused kernel panics when using the NVIDIA driver on v4.5 and newer Linux kernels built with CONFIG_DEBUG_VM_PGFLAGS. * Improved compatibility with recent Linux kernels. . [ Andreas Beckmann ] * Synchronize packaging with nvidia-graphics-drivers-legacy-304xx 304.134-1: * Synchronize packaging with nvidia-graphics-drivers-legacy-340xx 340.101-1: * Synchronize packaging with nvidia-graphics-drivers 370.28-2: - Overhaul package descriptions. * Synchronize packaging with nvidia-graphics-drivers-legacy-304xx 304.132-1: * Synchronize packaging with nvidia-graphics-drivers-legacy-340xx 340.98-1: * Synchronize packaging with nvidia-graphics-drivers 358.16-1: - get-orig-source: Generate .orig-$ARCH.tar.gz for each architecture. * Synchronize packaging with nvidia-graphics-drivers-legacy-304xx 304.131-4: * Synchronize kernel module build with nvidia-graphics-drivers: - Simplify maintaining the module build process. - Use NVIDIA's conftest.sh script to determine settings during module build instead of our manually maintained conftest.h header. - Hand over as much as possible to Kbuild. - Support building a 64-bit kernel module with 32-bit userspace. * Synchronize get-orig-source target with nvidia-graphics-drivers. * Synchronize bug-control, bug-script target with nvidia-graphics-drivers. * Synchronize packaging with nvidia-graphics-drivers-legacy-340xx 340.96-4: * Synchronize packaging with nvidia-graphics-drivers 352.79-6: - Stop special-casing the nvidia-alternative substitution. - Add B-D: dpkg-dev (>= 1.17.0) for dpkg-parsechangelog --show-field. - Bump Standards-Version to 3.9.8. No changes needed. * Synchronize packaging with nvidia-graphics-drivers-legacy-340xx 340.96-3: * Synchronize packaging with nvidia-graphics-drivers 352.79-5: - Drop incomplete Perfkit support. - Support building a 64-bit kernel module with 32-bit userspace. * Synchronize packaging with nvidia-graphics-drivers 352.79-4: - nvidia-legacy-304xx-kernel-source: Switch to debhelper compat level 9. - rules: Drop support for ancient .run layout. - debian/bug-control.mk: New script to generate bug-control. * Synchronize packaging with nvidia-graphics-drivers 352.79-3: - rules, rules.defs: Synchronize variable naming with unstable. * Synchronize packaging with nvidia-graphics-drivers-legacy-304xx 304.131-3: - Add disable-mtrr.patch to disable MTRR in the kernel module if building on 4.3 or greater, where the deprecated APIs the kernel module uses are no longer exported, causing a failure when the module is loaded at runtime. (Closes: #809324) * Drop some packaging bits needed for 340.xx and newer drivers only. * Depend on a setuid root Xserver. (Closes: #805554) * Add xorg-video-abi-23 as alternative dependency. (Closes: #845639) * nvidia-legacy-304xx-alternative: Restrict Depends: glx-alternative-nvidia to (<< 0.7). Uploading a new upstream legacy release to stable will invalidate package relationships in unstable, thus permitting some (partial) upgrade paths that will fail. * Update lintian overrides. nvidia-graphics-drivers-legacy-304xx (304.134-0~deb8u1~bpo70+1) wheezy-backports; urgency=medium . * Rebuild for wheezy-backports. * Replace 'dpkg-parsechangelog --show-field=Version' with a sed expression. . nvidia-graphics-drivers-legacy-304xx (304.134-0~deb8u1) jessie; urgency=medium . * New upstream legacy 304xx branch release 304.134 (2016-12-14). * Fixed CVE-2016-8826. (Closes: #848197) - Added support for X.Org xserver ABI 23 (xorg-server 1.19) * Improved compatibility with recent Linux kernels. * New upstream legacy 304xx branch release 304.132 (2016-09-26). * Fixed CVE-2016-7382, CVE-2016-7389. (Closes: #846331) - Added /var/log/dmesg to the list of paths which are searched by nvidia-bug-report.sh for kernel messages. - Fixed a bug that caused kernel panics when using the NVIDIA driver on v4.5 and newer Linux kernels built with CONFIG_DEBUG_VM_PGFLAGS. * Improved compatibility with recent Linux kernels. . [ Andreas Beckmann ] * Synchronize packaging with nvidia-graphics-drivers-legacy-304xx 304.134-1: * Synchronize packaging with nvidia-graphics-drivers-legacy-340xx 340.101-1: * Synchronize packaging with nvidia-graphics-drivers 370.28-2: - Overhaul package descriptions. * Synchronize packaging with nvidia-graphics-drivers-legacy-304xx 304.132-1: * Synchronize packaging with nvidia-graphics-drivers-legacy-340xx 340.98-1: * Synchronize packaging with nvidia-graphics-drivers 358.16-1: - get-orig-source: Generate .orig-$ARCH.tar.gz for each architecture. * Synchronize packaging with nvidia-graphics-drivers-legacy-304xx 304.131-4: * Synchronize kernel module build with nvidia-graphics-drivers: - Simplify maintaining the module build process. - Use NVIDIA's conftest.sh script to determine settings during module build instead of our manually maintained conftest.h header. - Hand over as much as possible to Kbuild. - Support building a 64-bit kernel module with 32-bit userspace. * Synchronize get-orig-source target with nvidia-graphics-drivers. * Synchronize bug-control, bug-script target with nvidia-graphics-drivers. * Synchronize packaging with nvidia-graphics-drivers-legacy-340xx 340.96-4: * Synchronize packaging with nvidia-graphics-drivers 352.79-6: - Stop special-casing the nvidia-alternative substitution. - Add B-D: dpkg-dev (>= 1.17.0) for dpkg-parsechangelog --show-field. - Bump Standards-Version to 3.9.8. No changes needed. * Synchronize packaging with nvidia-graphics-drivers-legacy-340xx 340.96-3: * Synchronize packaging with nvidia-graphics-drivers 352.79-5: - Drop incomplete Perfkit support. - Support building a 64-bit kernel module with 32-bit userspace. * Synchronize packaging with nvidia-graphics-drivers 352.79-4: - nvidia-legacy-304xx-kernel-source: Switch to debhelper compat level 9. - rules: Drop support for ancient .run layout. - debian/bug-control.mk: New script to generate bug-control. * Synchronize packaging with nvidia-graphics-drivers 352.79-3: - rules, rules.defs: Synchronize variable naming with unstable. * Synchronize packaging with nvidia-graphics-drivers-legacy-304xx 304.131-3: - Add disable-mtrr.patch to disable MTRR in the kernel module if building on 4.3 or greater, where the deprecated APIs the kernel module uses are no longer exported, causing a failure when the module is loaded at runtime. (Closes: #809324) * Drop some packaging bits needed for 340.xx and newer drivers only. * Add xorg-video-abi-23 as alternative dependency. (Closes: #845639) * nvidia-legacy-304xx-alternative: Restrict Depends: glx-alternative-nvidia to (<< 0.7). Uploading a new upstream legacy release to stable will invalidate package relationships in unstable, thus permitting some (partial) upgrade paths that will fail. * Update lintian overrides. * Upload to jessie. nvidia-graphics-drivers-legacy-304xx (304.132-1) unstable; urgency=medium . * New upstream legacy 304xx branch release 304.132 (2016-09-26). - Added /var/log/dmesg to the list of paths which are searched by nvidia-bug-report.sh for kernel messages. - Fixed a bug that caused kernel panics when using the NVIDIA driver on v4.5 and newer Linux kernels built with CONFIG_DEBUG_VM_PGFLAGS. * Improved compatibility with recent Linux kernels. * page-cache-release.patch, get-user-pages.patch: Drop, fixed upstream. * Synchronize packaging with nvidia-graphics-drivers-legacy-340xx 340.98-1: * Synchronize packaging with nvidia-graphics-drivers 358.16-1: - get-orig-source: Generate .orig-$ARCH.tar.gz for each architecture. nvidia-graphics-drivers-legacy-304xx (304.131-8) unstable; urgency=medium . * Synchronize packaging with nvidia-graphics-drivers-legacy-340xx 340.96-9: nvidia-graphics-drivers-legacy-304xx (304.131-8~bpo8+2) jessie-backports; urgency=medium . * nvidia-legacy-304xx-kernel-source: Remove :any qualification from Depends: make, not supported in jessie. nvidia-graphics-drivers-legacy-304xx (304.131-8~bpo8+1) jessie-backports; urgency=medium . * Rebuild for jessie-backports. . nvidia-graphics-drivers-legacy-304xx (304.131-8) unstable; urgency=medium . * Synchronize packaging with nvidia-graphics-drivers-legacy-340xx 340.96-9: . nvidia-graphics-drivers-legacy-304xx (304.131-7) unstable; urgency=medium . * Synchronize packaging with nvidia-graphics-drivers-legacy-340xx 340.96-8: * Synchronize packaging with nvidia-graphics-drivers 352.79-9: * libnvidia-legacy-304xx-glcore: New package, split from libgl1-nvidia-legacy-304xx-glx. * libnvidia-legacy-304xx-cfg1: New package, split from libgl1-nvidia-legacy-304xx-glx. . nvidia-graphics-drivers-legacy-304xx (304.131-6) unstable; urgency=medium . [ Luca Boccassi ] * Add page-cache-release.patch and get-user-pages.patch to fix kernel module build for Linux 4.6. (Closes: #826712) . [ Andreas Beckmann ] * nvidia-legacy-304xx-driver-libs: New metapackage for bundling the Depends/Recommends on the OpenGL/GLX packages. * Replace libgl1-nvidia-legacy-304xx-glx-i386 with new nvidia-legacy-304xx-driver-libs-i386 metapackage. * Update lintian overrides. * Upload to unstable. . nvidia-graphics-drivers-legacy-304xx (304.131-5) experimental; urgency=medium . * Synchronize packaging with nvidia-graphics-drivers 340.46-4: - Split nvidia-legacy-304xx-driver-bin from the metapackage nvidia-legacy-304xx-driver. * Build legacy packages for more legacy driver specific components: - nvidia-vdpau-driver => nvidia-legacy-304xx-vdpau-driver - nvidia-smi => nvidia-legacy-304xx-smi - libcuda1 => libnvidia-legacy-304xx-cuda1 - libcuda1-i386 => libnvidia-legacy-304xx-cuda1-i386 - libnvidia-compiler => libnvidia-legacy-304xx-compiler - libnvcuvid1 => libnvidia-legacy-304xx-nvcuvid1 - libnvidia-ml1 => libnvidia-legacy-304xx-ml1 - nvidia-opencl-icd => nvidia-legacy-304xx-opencl-icd * Upload to experimental. . nvidia-graphics-drivers-legacy-304xx (304.131-4) unstable; urgency=medium . * Synchronize kernel module build with nvidia-graphics-drivers: - Simplify maintaining the module build process. - Use NVIDIA's conftest.sh script to determine settings during module build instead of our manually maintained conftest.h header. - Hand over as much as possible to Kbuild. - Support building a 64-bit kernel module with 32-bit userspace. * Synchronize get-orig-source target with nvidia-graphics-drivers. * Synchronize packaging with nvidia-graphics-drivers-legacy-340xx 340.96-4: * Synchronize packaging with nvidia-graphics-drivers 352.79-6: - Stop special-casing the nvidia-alternative substitution. - bug-control, bug-script: Collect some information about OpenCL. - Add B-D: dpkg-dev (>= 1.17.0) for dpkg-parsechangelog --show-field. - Bump Standards-Version to 3.9.8. No changes needed. * Synchronize packaging with nvidia-graphics-drivers-legacy-340xx 340.96-3: * Synchronize packaging with nvidia-graphics-drivers 352.79-5: - Drop incomplete Perfkit support. - Support building a 64-bit kernel module with 32-bit userspace. * Synchronize packaging with nvidia-graphics-drivers 352.79-4: - nvidia-legacy-304xx-kernel-source: Switch to debhelper compat level 9. - rules: Drop support for ancient .run layout. - debian/bug-control.mk: New script to generate bug-control. * Synchronize packaging with nvidia-graphics-drivers 352.79-3: - bug-script: Report bumblebee configuration. * Depend on a setuid root Xserver. (Closes: #805554) * Update lintian overrides. nvidia-graphics-drivers-legacy-304xx (304.131-7) unstable; urgency=medium . * Synchronize packaging with nvidia-graphics-drivers-legacy-340xx 340.96-8: * Synchronize packaging with nvidia-graphics-drivers 352.79-9: * libnvidia-legacy-304xx-glcore: New package, split from libgl1-nvidia-legacy-304xx-glx. * libnvidia-legacy-304xx-cfg1: New package, split from libgl1-nvidia-legacy-304xx-glx. nvidia-graphics-drivers-legacy-304xx (304.131-6) unstable; urgency=medium . [ Luca Boccassi ] * Add page-cache-release.patch and get-user-pages.patch to fix kernel module build for Linux 4.6. (Closes: #826712) . [ Andreas Beckmann ] * nvidia-legacy-304xx-driver-libs: New metapackage for bundling the Depends/Recommends on the GL/GLX packages. * Replace libgl1-nvidia-legacy-304xx-glx-i386 with new nvidia-legacy-304xx-driver-libs-i386 metapackage. * Update lintian overrides. * Upload to unstable. nvidia-graphics-drivers-legacy-304xx (304.131-5) experimental; urgency=medium . * Synchronize packaging with nvidia-graphics-drivers 340.46-4: - Split nvidia-legacy-304xx-driver-bin from the metapackage nvidia-legacy-304xx-driver. * Build legacy packages for more legacy driver specific components: - nvidia-vdpau-driver => nvidia-legacy-304xx-vdpau-driver - nvidia-smi => nvidia-legacy-304xx-smi - libcuda1 => libnvidia-legacy-304xx-cuda1 - libcuda1-i386 => libnvidia-legacy-304xx-cuda1-i386 - libnvidia-compiler => libnvidia-legacy-304xx-compiler - libnvcuvid1 => libnvidia-legacy-304xx-nvcuvid1 - libnvidia-ml1 => libnvidia-legacy-304xx-ml1 - nvidia-opencl-icd => nvidia-legacy-304xx-opencl-icd * Upload to experimental. nvidia-graphics-drivers-legacy-304xx (304.131-4) unstable; urgency=medium . * Synchronize kernel module build with nvidia-graphics-drivers: - Simplify maintaining the module build process. - Use NVIDIA's conftest.sh script to determine settings during module build instead of our manually maintained conftest.h header. - Hand over as much as possible to Kbuild. - Support building a 64-bit kernel module with 32-bit userspace. * Synchronize get-orig-source target with nvidia-graphics-drivers. * Synchronize packaging with nvidia-graphics-drivers-legacy-340xx 340.96-4: * Synchronize packaging with nvidia-graphics-drivers 352.79-6: - Stop special-casing the nvidia-alternative substitution. - bug-control, bug-script: Collect some information about OpenCL. - Add B-D: dpkg-dev (>= 1.17.0) for dpkg-parsechangelog --show-field. - Bump Standards-Version to 3.9.8. No changes needed. * Synchronize packaging with nvidia-graphics-drivers-legacy-340xx 340.96-3: * Synchronize get-orig-source target with nvidia-graphics-drivers. * Synchronize packaging with nvidia-graphics-drivers 352.79-5: - Drop incomplete Perfkit support. - Support building a 64-bit kernel module with 32-bit userspace. * Synchronize packaging with nvidia-graphics-drivers 352.79-4: - nvidia-legacy-304xx-kernel-source: Switch to debhelper compat level 9. - rules: Drop support for ancient .run layout. - debian/bug-control.mk: New script to generate bug-control. * Synchronize packaging with nvidia-graphics-drivers 352.79-3: - bug-script: Report bumblebee configuration. * Synchronize packaging with nvidia-graphics-drivers 352.79-2: - Bump Standards-Version to 3.9.7. No changes needed. * Depend on a setuid root Xserver. (Closes: #805554) * Update lintian overrides. nvidia-graphics-drivers-legacy-304xx (304.131-3) unstable; urgency=medium . [ Andreas Beckmann ] * Merge changes from 304.131-1 (jessie). * Synchronize packaging with nvidia-graphics-drivers-legacy-340xx 340.96-2: * Synchronize packaging with nvidia-graphics-drivers 340.96-4: - Do not run dh_strip_nondeterminism, it may perform modifications not permitted by the NVIDIA license. - get-orig-source: Download *.run with wget from http download server to preserve timestamps. - get-orig-source: Generate tarball reproducibly. - bug-script: Collect Xorg log from journalctl if running under systemd. * Update lintian overrides. . [ Luca Boccassi ] * Add disable-mtrr.patch to disable MTRR in the kernel module if building on 4.3 or greater, where the deprecated APIs the kernel module uses are no longer exported, causing a failure when the module is loaded at runtime. (Closes: #809324) nvidia-graphics-drivers-legacy-304xx (304.131-3~bpo8+1) jessie-backports; urgency=medium . * Rebuild for jessie-backports. . nvidia-graphics-drivers-legacy-304xx (304.131-3) unstable; urgency=medium . [ Andreas Beckmann ] * Merge changes from 304.131-1 (jessie). * Synchronize packaging with nvidia-graphics-drivers-legacy-340xx 340.96-2: * Synchronize packaging with nvidia-graphics-drivers 340.96-4: - Do not run dh_strip_nondeterminism, it may perform modifications not permitted by the NVIDIA license. - get-orig-source: Download *.run with wget from http download server to preserve timestamps. - get-orig-source: Generate tarball reproducibly. - bug-script: Collect Xorg log from journalctl if running under systemd. * Update lintian overrides. . [ Luca Boccassi ] * Add disable-mtrr.patch to disable MTRR in the kernel module if building on 4.3 or greater, where the deprecated APIs the kernel module uses are no longer exported, causing a failure when the module is loaded at runtime. (Closes: #809324) . nvidia-graphics-drivers-legacy-304xx (304.131-2) unstable; urgency=medium . * Merge changes from 304.131-1 (UNRELEASED). * Synchronize packaging with nvidia-graphics-drivers-legacy-340xx 340.96-1: * Synchronize packaging with nvidia-graphics-drivers 340.96-3: - Use a more generic approach for unloading the modules. * Synchronize packaging with nvidia-graphics-drivers 340.96-2: - seq-printf.patch: Remove, fixed upstream. * Upload to unstable. . nvidia-graphics-drivers-legacy-304xx (304.131-1) jessie; urgency=medium . * New upstream legacy 304xx branch release 304.131 (2015-11-16). * Fixed CVE-2015-7869: Unsanitized User Mode Input. (Closes: #805918) - Fixed a bug that could cause texture corruption in some OpenGL applications when video memory is exhausted by a combination of simultaneously running graphical and compute workloads. - Added support for X.Org xserver ABI 20 (xorg-server 1.18). * Improved compatibility with recent Linux kernels. * Synchronize packaging with nvidia-graphics-drivers 340.96-1: - d/control: Make dependencies on nvidia-legacy-304xx-alternative strictly versioned to prevent partial upgrades. * Synchronize packaging with nvidia-graphics-drivers 304.131-1: - Add xorg-video-abi-20 as alternative dependency. * conftest.h: - Implement new conftest.sh functions hlist_for_each_entry, of_parse_phandle, for_each_online_node, node_end_pfn (358.09). - Update conftest.sh function scatterlist for logic reversal in 304.131/340.96/352.63, support both ways. * Upload to jessie. nvidia-graphics-drivers-legacy-304xx (304.131-2) unstable; urgency=medium . * Merge changes from 304.131-1 (UNRELEASED). * Synchronize packaging with nvidia-graphics-drivers-legacy-340xx 340.96-1: * Synchronize packaging with nvidia-graphics-drivers 340.96-3: - Use a more generic approach for unloading the modules. * Synchronize packaging with nvidia-graphics-drivers 340.96-2: - seq-printf.patch: Remove, fixed upstream. * Upload to unstable. . nvidia-graphics-drivers-legacy-304xx (304.131-1) UNRELEASED; urgency=medium . * New upstream legacy 304xx branch release 304.131 (2015-11-16). * Fixed CVE-2015-7869: Unsanitized User Mode Input. (Closes: #805918) - Fixed a bug that could cause texture corruption in some OpenGL applications when video memory is exhausted by a combination of simultaneously running graphical and compute workloads. - Added support for X.Org xserver ABI 20 (xorg-server 1.18). * Improved compatibility with recent Linux kernels. * Synchronize packaging with nvidia-graphics-drivers 340.96-1: - d/control: Make dependencies on nvidia-legacy-304xx-alternative strictly versioned to prevent partial upgrades. * Synchronize packaging with nvidia-graphics-drivers 304.131-1: - Add xorg-video-abi-20 as alternative dependency. * conftest.h: - Implement new conftest.sh functions hlist_for_each_entry, of_parse_phandle, for_each_online_node, node_end_pfn (358.09). - Update conftest.sh function scatterlist for logic reversal in 304.131/340.96/352.63, support both ways. nvidia-graphics-modules (340.101+3.16.0+1) jessie; urgency=medium . * Use nvidia-kernel-source 340.101. * Upload to jessie. nvidia-graphics-modules (340.101+3.16.0+1~bpo70+1) wheezy-backports; urgency=medium . * Rebuild for wheezy-backports. . nvidia-graphics-modules (340.101+3.16.0+1) jessie; urgency=medium . * Use nvidia-kernel-source 340.101. * Upload to jessie. nvidia-graphics-modules (340.96+4.3.0+1) unstable; urgency=medium . * Build for Linux 4.3.0 (ABI 1). - [i386] Rename 586 flavour to 686. * Add nvidia-kernel-586 transitional package. * Add armhf support. nvidia-graphics-modules (340.96+4.2.0+1) unstable; urgency=medium . * Use nvidia-kernel-source 340.96. * Fix binNMU version handling. * Generalize architecture support. openbox (3.5.2-8+deb8u1) jessie; urgency=medium . [ Mateusz Łukasik ] * debian/control: + Add libxcursor-dev to B-D for fix load startup notifications. (Closes: #838326) . [ Salvatore Bonaccorso ] * Add 808138_Replace-getgrent-with-getgroups.patch patch. Replace getgrent with getgroups for not enumerate all groups at startup. Thanks to Simon (Closes: #808138) opendkim (2.9.2-2+deb8u1) stable; urgency=medium . * Fix relaxed canonicalization of folded headers breaks signatures, fix backported from upstream 2.11.0 (Closes: #840015) openjpeg2 (2.1.0-2+deb8u1) jessie-security; urgency=medium . * CVE-2015-6581 CVE-2015-8871 CVE-2016-1924 CVE-2016-7163 openssl (1.0.1t-1+deb8u5) jessie-security; urgency=medium . * The patch for CVE-2016-2182 was missing a fix. (Closes: #838652, #838659) openssl (1.0.1t-1+deb8u4) jessie-security; urgency=medium . * Fix CVE-2016-2177 * Fix CVE-2016-2178 * Fix CVE-2016-2179 * Fix CVE-2016-2180 * Fix CVE-2016-2181 * Fix CVE-2016-2182 * Fix CVE-2016-2183 * Fix CVE-2016-6302 * Fix CVE-2016-6303 * Fix CVE-2016-6304 * Fix CVE-2016-6306 pam (1.1.8-3.1+deb8u2) jessie; urgency=medium . * Non-maintainer upload. * debian/patches-applied/pam-loginuid-in-containers: Updated with the version from Ubuntu, this should fix logins in containers (Closes: #726661) pcsc-lite (1.8.13-1+deb8u1) jessie-security; urgency=high . * Fix CVE-2016-10109 "use-after-free and double-free" Apply 2 patches from upstream to fix the issue. pgpdump (0.28-1+deb8u1) jessie; urgency=high . * Fix endless loop parsing specially crafted input in read_binary. Upstream commits ece39dd and 0c306f4. Closes: #773747 [CVE-2016-4021] * Fix a buffer overrun in read_radix64. Upstream commit 6e15953 php-ssh2 (0.12-3+deb8u1) jessie-security; urgency=high . * Add patch to fix regression in php_ssh2_fopen_wraper_parse_path caused by security update in PHP 5.6.28 (Closes: #848632) php5 (5.6.29+dfsg-0+deb8u1) jessie-security; urgency=high . * Imported Upstream version 5.6.29+dfsg * Rebase patches on top of PHP 5.6.29 release * Change Build-Depend from libsystemd-daemon-dev to libsystemd-dev php5 (5.6.28+dfsg-0+deb8u1) jessie-security; urgency=high . * Imported Upstream version 5.6.28+dfsg * Rebase patches on top of 5.6.28+dfsg release php5 (5.6.27+dfsg-0+deb8u1) jessie-security; urgency=high . * Imported Upstream version 5.6.27+dfsg * Rebase patches on to of 5.6.27+dfsg php5 (5.6.26+dfsg-1) unstable; urgency=medium . * Imported Upstream version 5.6.26+dfsg * Rebase patches on top of PHP 5.6.26+dfsg release php5 (5.6.26+dfsg-0+deb8u1) jessie-security; urgency=high . * Imported Upstream version 5.6.26+dfsg * Rebase patches on top of PHP 5.6.26+dfsg php5 (5.6.24+dfsg-1) unstable; urgency=medium . * Move -ignore_session_path to be the first argument (Closes: #830792) * Imported Upstream version 5.6.24+dfsg * Rebase patches on top of 5.6.24+dfsg release pillow (2.6.1-2+deb8u3) jessie-security; urgency=medium . * CVE-2016-9189 / CVE-2016-9190 postgresql-9.4 (9.4.10-0+deb8u1) jessie; urgency=medium . * New upstream version. . If your installation has been affected by the bug described in the first changelog entry below, then after updating you may need to take action to repair corrupted free space maps. . + Fix WAL-logging of truncation of relation free space maps and visibility maps (Pavan Deolasee, Heikki Linnakangas) . It was possible for these files to not be correctly restored during crash recovery, or to be written incorrectly on a standby server. Bogus entries in a free space map could lead to attempts to access pages that have been truncated away from the relation itself, typically producing errors like could not read block XXX: read only 0 of 8192 bytes. Checksum failures in the visibility map are also possible, if checksumming is enabled. . Procedures for determining whether there is a problem and repairing it if so are discussed at https://wiki.postgresql.org/wiki/Free_Space_Map_Problems. postgresql-common (165+deb8u2) jessie; urgency=medium . * pg_upgradecluster: Properly upgrade databases with non-login role owners. (Closes: #614374, #838812) * pg_ctlcluster, t/020_create_sql_remove.t: Protect against symlink in /var/log/postgresql/ allowing the creation of arbitrary files elsewhere. Discovered by Dawid Golunski, thanks! (CVE-2016-1255) * t/TestLib.pm: Cherry-pick program_ok() from master for use in t/020_create_sql_remove.t. potrace (1.12-1+deb8u1) jessie; urgency=high . * Non-maintainer upload. * Fix CVE-2016-8694, CVE-2016-8695, CVE-2016-8696, CVE-2016-8697, CVE-2016-8698, CVE-2016-8699, CVE-2016-8700, CVE-2016-8701, CVE-2016-8702, CVE-2016-8703. python-bottle (0.12.7-1+deb8u1) jessie-security; urgency=high . * Fix header filtering: CVE-2016-9964 (Closes: #848392) python-crypto (2.6.1-5+deb8u1) jessie; urgency=high . * debian/patches/CVE-2013-7459.patch: Raise a warning when IV is used with ECB or CTR and ignored the IV in that case. Thanks to Salvatore Bonaccorso for the initial patch. (CVE-2013-7459) (Closes: #849495) python-django (1.7.11-1+deb8u1) jessie-security; urgency=high . * SECURITY UPDATE: - CVE-2016-7401: CSRF protection bypass on a site with Google Analytics python-werkzeug (0.9.6+dfsg-1+deb8u1) jessie-proposed-updates; urgency=medium . * Fix XSS in debugger qtbase-opensource-src (5.3.2+dfsg-4+deb8u2) jessie; urgency=medium . * Backport upstream change (networkconfig_prevent_bad_deref.patch) to prevent bad-ptrs deref in QNetworkConfigurationManagerPrivate. Closes: #805265. * Backport upstream change to fix X11 tray icons on some desktops (xcb_delay_showing_tray_icon_window_until_it_is_embedded.patch). Closes: #775398, #847665. quagga (0.99.23.1-1+deb8u3) jessie-security; urgency=high . * Non-maintainer upload by the Security Team. * zebra: stack overrun in IPv6 RA receive code (CVE-2016-1245) (Closes: #841162) rawtherapee (4.2-1+deb8u2) jessie; urgency=high . * Add patch debian/patches/03-fix-overflow-in-dcraw.patch: - Fix buffer overflow in dcraw (CVE-2015-8366) redmine (3.0~20140825-8~deb8u4) jessie; urgency=medium . * debian/postinst: handle dependency check failure when triggered, to avoid breaking in the middle of dist-upgrades. * gemfile-adjustments.patch: avoid opening database configuration that are not readable (Closes: #826663) samba (2:4.2.14+dfsg-0+deb8u2) jessie-security; urgency=high . * This is a security release in order to address the following defects: - CVE-2016-2123 (Samba NDR Parsing ndr_pull_dnsp_name Heap-based Buffer Overflow Remote Code Execution Vulnerability). - CVE-2016-2125 (Unconditional privilege delegation to Kerberos servers in trusted realms). - CVE-2016-2126 (Flaws in Kerberos PAC validation can trigger privilege elevation). * Fix smbclient compatibility with Windows 10 (Closes: #820794) samba (2:4.2.14+dfsg-0+deb8u1) jessie; urgency=high . * New upstream release. + Fixes CVE-2016-2119: Client side SMB2/3 required signing can be downgraded. + Various fixes for regressions introduced by the 4.2.10 security fixes. Closes: #820965, #827141 + Fixes for segfault with clustering. Closes: #824177 + Bump tevent dependency up to 0.9.28. * Drop obsolete patch security-2016-04-12-prerequisite-v4-2-regression- fixes.metze01.txt. * Drop patch sockets-with-htons.patch; applied upstream. * Drop patch CVE-2016-2110-NTLMSSP-regression.patch; fixed upstream. * Drop patch s3-smbd-fix-anonymous-authentication-if-signing-is- m.patch: fixed upstream. sed (4.2.2-4+deb8u1) stable; urgency=medium . [ Jérémy Bobbio ] * Ensure consistent permissions with different umasks. closes: #774347, #835516. shutter (0.92-0.1+deb8u1) jessie; urgency=high . * Fix insecure usage of system(). Closes: #798862 [CVE-2015-0854] sniffit (0.3.7.beta-17+deb8u1) jessie; urgency=medium . * Added a patch to fix CVE-2014-5439 (Root shell on Sniffit). squid3 (3.4.8-6+deb8u4) jessie-security; urgency=high . * Non-maintainer upload by the Security Team. * Fix cache_peer login=PASS(THRU) after CVE-2015-5400. Thanks to Amos Jeffries (Closes: #819563) * CVE-2016-10002: Information disclosure in HTTP Request processing (Closes: #848493) suckless-tools (40-1+deb8u2) stable-proposed-updates; urgency=medium . * CVE-2016-6866: Fix SEGV in slock when users account has been disabled. The screen locking application slock called crypt(3) and used the return value for strcmp(3) without checking to see if the return value of crypt(3) was a NULL pointer. If the hash returned by (getspnam()->sp_pwdp) was invalid, crypt(3) would return NULL and set errno to EINVAL. This would cause slock to segfault which then leaves the machine unprotected. sympa (6.1.23~dfsg-2+deb8u1) jessie; urgency=medium . * Non-maintainer upload. * Fix logrotate configuration so that sympa is not left in a confused state when systemd is used (Closes: #804066) systemd (215-17+deb8u6) stable; urgency=medium . [ Michael Biebl ] * Don't return any error in manager_dispatch_notify_fd(). If manager_dispatch_notify_fd() fails and returns an error then the handling of service notifications will be disabled entirely leading to a compromised system. For example pid1 won't be able to receive the WATCHDOG messages anymore and will kill all services supposed to send such messages. (CVE-2016-7796) (Closes: #839607) * core: Rework logic to determine when we decide to add automatic deps for mounts. This adds a concept of "extrinsic" mounts. If mounts are extrinsic we consider them managed by something else and do not add automatic ordering against umount.target, local-fs.target, remote-fs.target. Extrinsic mounts include API mounts such as everything below /proc, /sys, /dev. This avoids a crash in LXC containers where /dev/urandom is a bind mount from the host system and unmounting it leads to an assert in systemd. (Closes: #818978) * Various ordering fixes for ifupdown. Run ifup after all kernel modules have been loaded and all sysctl settings are applied. Update ifup@.service to add missing After= for the device unit we bind to. This ensures that the device unit is active when systemd tries to start the service. (Closes: #819314) * systemctl: Fix argument handling when invoked as shutdown. (Closes: #776997) . [ Simon McVittie ] * localed: tolerate absence of /etc/default/keyboard. The debian-specific patch to read Debian config files was not tolerating the absence of /etc/default/keyboard. This causes systemd-localed to fail to start on systems where that file isn't populated (like embedded systems without keyboards). (Closes: #833849) . [ Martin Pitt ] * systemctl, loginctl, etc.: Don't start polkit agent when running as root. (Closes: #774153, LP: #1565617) tar (1.27.1-2+deb8u1) jessie-security; urgency=high . * Non-maintainer upload by the Security Team. * CVE-2016-6321: Bypassing the extract path name. When extracting, member names containing '..' components are skipped. (Closes: #842339) terminology (0.7.0-1+deb8u1) jessie-security; urgency=high . * Non-maintainer upload. * Fix for "CVE-2015-8971: Escape Sequence Command Execution vulnerability" backported from upstream rev b80bedc. (Closes: #843434) tevent (0.9.28-0+deb8u1) jessie; urgency=high . * Upload to stable for Samba security release. * Drop 01_fix_ld_library patch; applied upstream. * Allow build against older talloc. tevent (0.9.26-3) unstable; urgency=low . * debian/copyright: Set short names for licenses. * Fix Vcs-Git header. * debian/rules: Properly clean up bin/, .lock-wscript and libtevent.a. tevent (0.9.26-2) unstable; urgency=medium . * Set LD_LIBRARY_PATH during tests. Fixes FTBFS. Closes: #805319 tevent (0.9.26-1) unstable; urgency=medium . * New upstream release. tevent (0.9.25-2) unstable; urgency=medium . * Merge back in packaging changes between 0.9.18 and 0.9.24. * Drop revert-ldflags-atend: applied upstream. * Force LD_LIBRARY_PATH=bin/shared to fix python tests. tevent (0.9.25-1) unstable; urgency=medium . * Fix watch file. * New upstream release. * Bump standards version to 3.9.6 (no changes). * debian/copyright: Fix duplicate license names. tomcat7 (7.0.56-3+deb8u7) jessie-security; urgency=high . * Fixed CVE-2016-8745: A bug in the error handling of the send file code for the NIO HTTP connector resulted in the current Processor object being added to the Processor cache multiple times. This in turn meant that the same Processor could be used for concurrent requests. Sharing a Processor can result in information leakage between requests including, not not limited to, session ID and the response body. tomcat7 (7.0.56-3+deb8u6) jessie-security; urgency=high . * Fixed CVE-2016-9774: Potential privilege escalation when the tomcat7 package is upgraded. Thanks to Paul Szabo for the report (see #845393) * Fixed CVE-2016-9775: Potential privilege escalation when the tomcat7 package is purged. Thanks to Paul Szabo for the report (see #845385) * Fixed CVE-2016-6816: The code that parsed the HTTP request line permitted invalid characters. This could be exploited, in conjunction with a proxy that also permitted the invalid characters but with a different interpretation, to inject data into the HTTP response. By manipulating the HTTP response the attacker could poison a web-cache, perform an XSS attack and/or obtain sensitive information from requests other then their own. * Fixed CVE-2016-8735: The JmxRemoteLifecycleListener was not updated to take account of Oracle's fix for CVE-2016-3427. Therefore, Tomcat installations using this listener remained vulnerable to a similar remote code execution vulnerability. This issue has been rated as important rather than critical due to the small number of installations using this listener and that it would be highly unusual for the JMX ports to be accessible to an attacker even when the listener is used. * Backported the fix for upstream bug 57377: Remove the restriction that prevented the use of SSL when specifying a bind address for the JMX/RMI server. Enable SSL to be configured for the registry as well as the server. * CVE-2016-5018 follow-up: Applied a missing modification fixing a ClassNotFoundException when the security manager is enabled (Closes: #846298) * CVE-2016-6797 follow-up: Fixed a regression preventing some applications from accessing the global resources (Closes: #845425) * CVE-2015-5345 follow-up: Added a missing modification enabling the use of the mapperContextRootRedirectEnabled and mapperDirectoryRedirectEnabled attributes on a context. * Backported a fix for a test failure in Test*NonLoginAndBasicAuthenticator with recent JREs * Refreshed the expired SSL certificates used by the tests * Set the locale when running the tests to prevent locale sensitive tests from failing * Fixed a test failure in the new TestNamingContext test added with the fix for CVE-2016-6797 * Fixed a test failure in TestResourceBundleELResolver * Reduced the verbosity of the tests tomcat7 (7.0.56-3+deb8u5) jessie-security; urgency=high . * Fixed CVE-2016-0762: The Realm implementations did not process the supplied password if the supplied user name did not exist. This made a timing attack possible to determine valid user names. (Closes: #842662) * Fixed CVE-2016-5018: A malicious web application was able to bypass a configured SecurityManager via a Tomcat utility method that was accessible to web applications. (Closes: #842663) * Fixed CVE-2016-6794: When a SecurityManager is configured, a web application's ability to read system properties should be controlled by the SecurityManager. Tomcat's system property replacement feature for configuration files could be used by a malicious web application to bypass the SecurityManager and read system properties that should not be visible. (Closes: #842664) * Fixed CVE-2016-6796: A malicious web application was able to bypass a configured SecurityManager via manipulation of the configuration parameters for the JSP Servlet. (Closes: #842665) * Fixed CVE-2016-6797: The ResourceLinkFactory did not limit web application access to global JNDI resources to those resources explicitly linked to the web application. Therefore, it was possible for a web application to access any global JNDI resource whether an explicit ResourceLink had been configured or not. (Closes: #842666) * CVE-2016-1240 follow-up: - The previous init.d fix was vulnerable to a race condition that could be exploited to make any existing file writable by the tomcat user. Thanks to Paul Szabo for the report and the fix. - The catalina.policy file generated on startup was affected by a similar vulnerability that could be exploited to overwrite any file on the system. Thanks to Paul Szabo for the report. * Hardened the init.d script, thanks to Paul Szabo tomcat7 (7.0.56-3+deb8u4) jessie-security; urgency=high . * Team upload. * Fix CVE-2016-1240: tomcat7.init: Protect /var/log/tomcat7/catalina.out against symlink attacks and a possible root privilege escalation. * Do not unconditionally override files in /etc/tomcat7. Change file permissions to 640 for Debian files in /etc/tomcat7/* (Closes: #821391) tomcat8 (8.0.14-1+deb8u6) jessie-security; urgency=high . * Fixed CVE-2016-8745: A bug in the error handling of the send file code for the NIO HTTP connector resulted in the current Processor object being added to the Processor cache multiple times. This in turn meant that the same Processor could be used for concurrent requests. Sharing a Processor can result in information leakage between requests including, not not limited to, session ID and the response body. tomcat8 (8.0.14-1+deb8u5) jessie-security; urgency=high . * Fixed CVE-2016-9774: Potential privilege escalation when the tomcat8 package is upgraded. Thanks to Paul Szabo for the report (Closes: #845393) * Fixed CVE-2016-9775: Potential privilege escalation when the tomcat8 package is purged. Thanks to Paul Szabo for the report (Closes: #845385) * Fixed CVE-2016-6816: The code that parsed the HTTP request line permitted invalid characters. This could be exploited, in conjunction with a proxy that also permitted the invalid characters but with a different interpretation, to inject data into the HTTP response. By manipulating the HTTP response the attacker could poison a web-cache, perform an XSS attack and/or obtain sensitive information from requests other then their own. * Fixed CVE-2016-8735: The JmxRemoteLifecycleListener was not updated to take account of Oracle's fix for CVE-2016-3427. Therefore, Tomcat installations using this listener remained vulnerable to a similar remote code execution vulnerability. This issue has been rated as important rather than critical due to the small number of installations using this listener and that it would be highly unusual for the JMX ports to be accessible to an attacker even when the listener is used. * Backported the fix for upstream bug 57377: Remove the restriction that prevented the use of SSL when specifying a bind address for the JMX/RMI server. Enable SSL to be configured for the registry as well as the server. * CVE-2016-5018 follow-up: Applied a missing modification fixing a ClassNotFoundException when the security manager is enabled (see #846298) * CVE-2016-6797 follow-up: Fixed a regression preventing some applications from accessing the global resources (see #845425) * CVE-2015-5345 follow-up: Applied a missing modification to DefaultServlet * Backported a fix for a test failure in Test*NonLoginAndBasicAuthenticator with recent JREs * Backported a fix disabling the broken SSLv3 tests * Refreshed the expired SSL certificates used by the tests * Set the locale when running the tests to prevent locale sensitive tests from failing * Added asm-all.jar to the test classpath to fix TestWebappServiceLoader * Fixed a test failure in the new TestNamingContext test added with the fix for CVE-2016-6797 * Test failures are no longer ignored and now stop the build tomcat8 (8.0.14-1+deb8u4) jessie-security; urgency=medium . * Fixed CVE-2016-0762: The Realm implementations did not process the supplied password if the supplied user name did not exist. This made a timing attack possible to determine valid user names. * Fixed CVE-2016-5018: A malicious web application was able to bypass a configured SecurityManager via a Tomcat utility method that was accessible to web applications. * Fixed CVE-2016-6794: When a SecurityManager is configured, a web application's ability to read system properties should be controlled by the SecurityManager. Tomcat's system property replacement feature for configuration files could be used by a malicious web application to bypass the SecurityManager and read system properties that should not be visible. * Fixed CVE-2016-6796: A malicious web application was able to bypass a configured SecurityManager via manipulation of the configuration parameters for the JSP Servlet. * Fixed CVE-2016-6797: The ResourceLinkFactory did not limit web application access to global JNDI resources to those resources explicitly linked to the web application. Therefore, it was possible for a web application to access any global JNDI resource whether an explicit ResourceLink had been configured or not. * CVE-2016-1240 follow-up: - The previous init.d fix was vulnerable to a race condition that could be exploited to make any existing file writable by the tomcat user. Thanks to Paul Szabo for the report and the fix. - The catalina.policy file generated on startup was affected by a similar vulnerability that could be exploited to overwrite any file on the system. Thanks to Paul Szabo for the report. * Hardened the init.d script, thanks to Paul Szabo (Closes: #840685) tomcat8 (8.0.14-1+deb8u3) jessie-security; urgency=high . * Team upload. * Fix CVE-2016-1240: tomcat8.init: Protect /var/lib/tomcat8/catalina.out against a symlink attack and possible root privilege escalation. * Do not unconditionally overwrite files in /etc/tomcat8 anymore. (Closes: #825786) * Change file permissions to 640 for Debian files in /etc/tomcat8. tor (0.2.5.12-4) jessie-security; urgency=medium . * Fix for an issue (Tor#21018) where Tor clients could crash when attempting to visit a hostile hidden service. [TROVE-2016-12-002,CVE-2016-1254] tor (0.2.5.12-3) jessie-security; urgency=medium . * Fix a remote denial of service bug, torbug#20384, TROVE-2016-001. tre (0.8.0-4+deb8u1) jessie; urgency=medium . * Add debian/patches/03-cve-2016-8859 to fix CVE-2016-8859. Patch borrowed from wheezy LTS. Closes: #842169. * Add locales-all to Build-Depends, required to run the test suite. * Add debian/clean with files generated/modified during the build. tzdata (2016j-0+deb8u1) stable; urgency=medium . * New upstream version, affecting the following future timestamp: - Saratov, Russia switches from +03 to +04 on 2016-12-04 at 02:00. * Update translations from the sid package. tzdata (2016i-1) unstable; urgency=high . [ Aurelien Jarno ] * New upstream version, affecting the following past and future timestamps: - Pacific/Tongatapu (DST starting on 2016-11-06 at 02:00). - Northern Cyprus is now +03 year round, the Asia/Famagusta zone has been added. - Antarctica/Casey (switched from +08 to +11 on 2016-10-22). * Update templates and translations. tzdata (2016i-0+deb8u1) stable; urgency=medium . * New upstream version, affecting the following past and future timestamps: - Pacific/Tongatapu (DST starting on 2016-11-06 at 02:00). - Northern Cyprus is now +03 year round, the Asia/Famagusta zone has been added. - Antarctica/Casey (switched from +08 to +11 on 2016-10-22). * Update translations from the sid package. tzdata (2016h-1) unstable; urgency=high . [ Aurelien Jarno ] * New upstream version, affecting the following future timestamp: - Asia/Gaza and Asia/Hebron (DST ending on 2016-10-29 at 01:00, not 2016-10-21 at 00:00). * Convert Asia/Rangoon into Asia/Yangon, as the former is now deprecaed. tzdata (2016h-0+deb8u1) stable; urgency=medium . * New upstream version, affecting the following future timestamp: - Asia/Gaza and Asia/Hebron (DST ending on 2016-10-29 at 01:00, not 2016-10-21 at 00:00). tzdata (2016g-1) unstable; urgency=medium . [ Aurelien Jarno ] * Update Danish debconf translation, by Joe Hansen. Closes: #830591. * Update German debconf translation, by Holger Wansing. Closes: #835538. . [ Clint Adams ] * New upstream version. tzdata (2016g-0+deb8u1) stable; urgency=medium . * New upstream version, affecting the following future time stamps: - Europe/Istanbul switch from EET/EEST (+02/+03) to permanent +03 on 2016-09-07. While the timezone has changed, the divergence from EET/EEST will happen on 2016-10-30. Closes: #838781. - New leap second 2016-12-31 23:59:60 UTC as per IERS Bulletin C 52. tzdata (2016f-1) unstable; urgency=medium . * New upstream version, affecting the following future time stamp: - Africa/Cairo (DST starting on 2016-07-07) cancelled. * debian/control: Update Standards-Version to 3.9.8, no changes. * debian/rules: install NEWS as upstream changelog. unadf (0.7.11a-3+deb8u1) stable-security; urgency=high . * Orphaned package with security issues. * Tuomas Räsäne discoveried two security issues (Closes: #838248): - CVE-2016-1243: stack buffer overflow caused by blindly trusting on pathname lengths of archived files. - CVE-2016-1244: execution of unsanitized input. unrtf (0.21.5-3+deb8u1) stable; urgency=medium . * Add patch from upstream to fix CVE-2016-10091 (buffer overflow in various cmd_ functions) closes: 849705 vim (2:7.4.488-7+deb8u1) jessie-security; urgency=high . * Backport patch 8.0.0056 (and adapt tests) to fix an issue where malicious modelines could execute arbitrary shell commands. (CVE-2016-1248) w3m (0.5.3-19+deb8u1) jessie; urgency=medium . * New patch 901_ucsmap.patch to fix array index (closes: #820162) * New patch 902_johab1.patch to fix array index (closes: #820373) * New patch 903_input-type.patch to fix null deref [CVE-2016-9430] * New patch 904_form-update.patch to fix overflow [CVE-2016-9423] [CVE-2016-9431] * New patch 905_textarea.patch to fix heap write [CVE-2016-9424] * New patch 906_form-update.patch to fix bcopy size [CVE-2016-9432] * New patch 907_iso2022.patch to fix array index [CVE-2016-9433] * New patch 908_forms.patch to fix null deref [CVE-2016-9434] * New patch 909_button-type.patch to fix rodata write [CVE-2016-9437] * New patch 910_input-alt.patch to fix null deref [CVE-2016-9438] * New patch 911_rowcolspan.patch to fix stack smashing [CVE-2016-9422] * New patch 912_i-dd.patch to fix uninit values [CVE-2016-9435] [CVE-2016-9436] * New patch 913_tabwidth.patch to fix heap corruption [CVE-2016-9426] * New patch 914_curline.patch to fix near-null deref [CVE-2016-9440] * New patch 915_table-alt.patch to fix near-null deref [CVE-2016-9441] * New patch 916_anchor.patch to fix heap write [CVE-2016-9425] [CVE-2016-9428] * New patch 917_strgrow.patch to fix potential heap buffer corruption [CVE-2016-9442] * New patch 918_form-value.patch to fix null deref [CVE-2016-9443] * New patch 919_form-update.patch to fix buffer overflow [CVE-2016-9429] [CVE-2016-9621] * New patch 920_table.patch to fix stack overflow [CVE-2016-9439] (closes: #844726) * New patch 921_cotable.patch to fix null deref (additional fix for #844726) * New patch 922_lineproc.patch to fix null deref [CVE-2016-9622] * New patch 923_tagproc.patch to fix null deref [CVE-2016-9623] * New patch 924_curline.patch to fix near-null deref [CVE-2016-9624] * New patch 925_lineproc.patch to fix stack overflow [CVE-2016-9625] * New patch 926_indent-level.patch to fix stack overflow [CVE-2016-9626] * New patch 927_symbol.patch to fix array index [CVE-2016-9627] * New patch 928_form-id.patch to fix null deref [CVE-2016-9628] * New patch 929_anchor.patch to fix null deref [CVE-2016-9629] * New patch 930_tbl-mode.patch to fix null deref [CVE-2016-9631] * New patch 931_parse-url.patch to fix buffer overflow [CVE-2016-9630] * New patch 932_ucsmap.patch to fix buffer overflow [CVE-2016-9632] * New patch 933_table-level.patch to fix out of memory [CVE-2016-9633] wireless-regdb (2016.06.10-1~deb8u1) jessie; urgency=medium . * Upload to jessie * Revert "Remove obsolete postinst script"; the script is needed for upgrades from wheezy to jessie . wireless-regdb (2016.06.10-1) unstable; urgency=medium . * New upstream version (Closes: #830288) - Update rules for Hong Kong (HK): assign to ETSI DFS region - Update rules for South Africa (ZA): remove DFS requirement and increase transmit power limit for channels 100..140 (5490-5710 MHz) - Update rules for Taiwan (TW): extend the 2.4 GHz and 5 GHz bands; change transmit power limits for parts of the 5 GHz band; re-assign to FCC DFS region - Update rules for United States (US): increase transmit power limit for channels 36..48 (5170-5250 MHz) - Update rules for Uruguay (UY): remove channels 100..144 (5490-5730 MHz) - Update rules for Russia (RU): enable VHT80 in 5 GHz band and VHT160 for channel 50 (5170-5330 MHz) - Update rules for Ukraine (UA): enable VHT80 in 5 GHz band and VHT160 for channels 46..54 (5150-5350 MHz) and 114..118 (5490-5670 MHz) - Update rules for Malaysia (MY): change transmit power limit for the 5 GHz band; enable VHT80 in 5 GHz band and VHT160 for channels 50 (5170-5330 MHz) and 114 (5490-5650 MHz) - Update rules for Greenland (GL): enable VHT160 for channels 50 (5170-5330 MHz) and 114..126 (5490-5710 MHz) - Update rules for Croatia (HR) and Finland (FI): extend the 2.4 GHz and 5 GHz bands; increase transmit power limit for channels 34..48 (5150-5250 MHz); add NO-OUTDOOR flag for channels 34..64 (5150-5350 MHz) - Fix world regulatory domain: correct the channel width for channels 12..13 (2457-2482 MHz) - Add rules for Cuba (CU) - Update rules for Germany (DE) and Netherlands (NL): add channels 147..165 (5725-5875 MHz) - Update rules for Bulgaria (BG): increase transmit power limit for channels 36..48 (5170-5250 MHz); add NO-OUTDOOR flag for 60 GHz band - Update rules for Republic of Korea (KR): add 60 GHz band * debian/control: Change Vcs-Git and Vcs-Browser to canonical HTTP-S URLs * debian/copyright: Change Source to HTTP-S URL * Use debhelper compatibility level 9 * debian/control: Update Standards-Version to 3.9.8; no changes needed * Remove obsolete postinst script * debian/control: Update Homepage . wireless-regdb (2015.07.20-1) unstable; urgency=medium . * New upstream version - Update rules for Armenia (AM), Bahrain (BH), Costa Rica (CR), Ecuador (EC), Guam (GU), Sri Lanka (LK), El Salvador (SV): disable VHT in 5 GHz band - Update rules for Australia (AU), New Zealand (NZ): assign to ETSI DFS region - Update rules for Bulgaria (BG): add channels 147..173 (5725-5875 MHz) - Update rules for Canada (CA): remove channels 120..134 (5600-5650 MHz) - Update rules for Egypt (EG): disable VHT80 - Update rules for Indonesia (ID), Democratic People's Republic of Korea (KP): disable VHT - Update rules for Japan (JP): add 60 GHz band - Update rules for Macao (MO): assign to ETSI FCC region; add channels 100..144 (5490-5730 MHz); enable VHT80 and VHT160 in 5 GHz band - Add rules for Maldives (MV), Nigeria (NG), Tanzania (TZ) and Samoa (WS) - Update rules for Russia (RU): disable VHT80; add 60 GHz band - Update rules for United States (US): re-add channels 100..144 (5490-5730 MHz) * Generate a detached signature at source preparation time and append it when building the binary package (thanks to Jérémy Bobbio) (Closes: #725803) wireless-regdb (2015.07.20-1) unstable; urgency=medium . * New upstream version - Update rules for Armenia (AM), Bahrain (BH), Costa Rica (CR), Ecuador (EC), Guam (GU), Sri Lanka (LK), El Salvador (SV): disable VHT in 5 GHz band - Update rules for Australia (AU), New Zealand (NZ): assign to ETSI DFS region - Update rules for Bulgaria (BG): add channels 147..173 (5725-5875 MHz) - Update rules for Canada (CA): remove channels 120..134 (5600-5650 MHz) - Update rules for Egypt (EG): disable VHT80 - Update rules for Indonesia (ID), Democratic People's Republic of Korea (KP): disable VHT - Update rules for Japan (JP): add 60 GHz band - Update rules for Macao (MO): assign to ETSI FCC region; add channels 100..144 (5490-5730 MHz); enable VHT80 and VHT160 in 5 GHz band - Add rules for Maldives (MV), Nigeria (NG), Tanzania (TZ) and Samoa (WS) - Update rules for Russia (RU): disable VHT80; add 60 GHz band - Update rules for United States (US): re-add channels 100..144 (5490-5730 MHz) * Generate a detached signature at source preparation time and append it when building the binary package (thanks to Jérémy Bobbio) (Closes: #725803) wireshark (1.12.1+g01b65bf-4+deb8u10) jessie-security; urgency=high . * security fixes from Wireshark 2.0.8: - AllJoyn dissector crash (CVE-2016-9374) - OpenFlow dissector crash (CVE-2016-9376) - DCERPC dissector crash (CVE-2016-9373) - DTN dissector infinite loop (CVE-2016-9375) wireshark (1.12.1+g01b65bf-4+deb8u9) jessie-security; urgency=medium . * security fixes from Wireshark 2.0.6: - The H.225 dissector could crash (CVE-2016-7176) - The Catapult DCT2000 dissector could crash (CVE-2016-7177) - The UMTS FP dissector could crash (CVE-2016-7178) - The Catapult DCT2000 dissector could crash (CVE-2016-7179) - The IPMI trace dissector could crash (CVE-2016-7180) wordpress (4.1+dfsg-1+deb8u11) jessie-security; urgency=high . * Non-maintainer upload by the Security Team. * debian/patches/CVE-2016-6635.patch: - don't duplicate wp_encode_json() which has already been backported upstream, just merge later changes, fix regression in the previous upload. closes: #839190 * debian/languages: fix language with "\n" inconsistencies in msgid/msgstr. wordpress (4.1+dfsg-1+deb8u10) jessie-security; urgency=high . * Backport patches from 4.6.1/4.1.13 Closes: #837090 * CVE-2016-6896 and CVE-2016-6897 not vulnerable * Changeset 38538 sanitize filename in media CVE-2016-7168 * Changeset 38524 sanitize filename upload upgrader CVE-2016-7169 * CVE-2016-4029: WordPress before 4.5 does not consider octal and hexadecimal IP address formats when determining an intranet address, which allows remote attackers to bypass an intended SSRF protection mechanism via a crafted address. * CVE-2016-6634: Cross-site scripting (XSS) vulnerability in the network settings page in WordPress before 4.5 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. * CVE-2016-6635: Cross-site request forgery (CSRF) vulnerability in the wp_ajax_wp_compression_test function in wp-admin/includes/ajax-actions.php in WordPress before 4.5 allows remote attackers to hijack the authentication of administrators for requests that change the script compression option. wot (20131118-2) stable; urgency=high . * Team upload * Removed all code, because this is malware (Closes: #842939) * Changed homepage to Debian wiki page about the malware incident xen (4.4.1-9+deb8u8) jessie-security; urgency=high . * Non-maintainer upload by the Security Team. * CVE-2016-7777: CR0.TS and CR0.EM not always honored for x86 HVM guests * CVE-2016-9386: x86 null segments not always treated as unusable (Closes: #845663) * CVE-2016-9382: x86 task switch to VM86 mode mis-handled (Closes: #845664) * CVE-2016-9385: x86 segment base write emulation lacking canonical address checks (Closes: #845665) * CVE-2016-9383: x86 64-bit bit test instruction emulation broken (Closes: #845668) * CVE-2016-9379, CVE-2016-9380: delimiter injection vulnerabilities in pygrub (Closes: #845670) xwax (1.5-1+deb8u1) jessie; urgency=medium . * Non-maintainer upload. * For jessie only, replace ffmpeg with avconv from libav-tools (Closes: #722487) zookeeper (3.4.5+dfsg-2+deb8u1) jessie; urgency=high . * Team upload. * Fix CVE-2016-5017: Lyon Yang discovered that the C client shells cli_st and cli_mt of Apache Zookeeper, a high-performance coordination service for distributed applications, were affected by a buffer overflow vulnerability associated with parsing of the input command when using the "cmd:" batch mode syntax. If the command string exceeds 1024 characters a buffer overflow will occur. ====================================== Sat, 17 Sep 2016 - Debian 8.6 released ====================================== ========================================================================= [Date: Sat, 17 Sep 2016 09:45:44 +0000] [ftpmaster: Archive Administrator] Removed the following packages from stable: trn | 3.6-23 | source, i386 Closed bugs: 830900 ------------------- Reason ------------------- RoM; insecure, unmaintained upstream, superseded by trn4 ---------------------------------------------- ========================================================================= ========================================================================= [Date: Sat, 17 Sep 2016 09:46:41 +0000] [ftpmaster: Archive Administrator] Removed the following packages from stable: minit | 0.10-5 | source, amd64, armhf, i386, mips, mipsel, powerpc, s390x Closed bugs: 836981 ------------------- Reason ------------------- RoQA; unmaintained, outdated ---------------------------------------------- ========================================================================= ========================================================================= [Date: Sat, 17 Sep 2016 10:03:58 +0000] [ftpmaster: Archive Administrator] Removed the following packages from stable: libsmbsharemodes-dev | 2:4.1.17+dfsg-2+deb8u2 | amd64, arm64, armel, armhf, i386, mips, mipsel, powerpc, ppc64el, s390x libsmbsharemodes0 | 2:4.1.17+dfsg-2+deb8u2 | amd64, arm64, armel, armhf, i386, mips, mipsel, powerpc, ppc64el, s390x ------------------- Reason ------------------- [auto-cruft] NBS (no longer built by samba) ---------------------------------------------- ========================================================================= ========================================================================= [Date: Sat, 17 Sep 2016 10:04:56 +0000] [ftpmaster: Archive Administrator] Removed the following packages from stable: iceweasel-dbg | 38.8.0esr-1~deb8u1 | amd64, arm64, armel, armhf, i386, mips, mipsel, powerpc, ppc64el, s390x ------------------- Reason ------------------- [auto-cruft] obsolete arch any package ---------------------------------------------- ========================================================================= ========================================================================= [Date: Sat, 17 Sep 2016 10:05:08 +0000] [ftpmaster: Archive Administrator] Removed the following packages from stable: iceweasel-dev | 38.8.0esr-1~deb8u1 | amd64, arm64, armel, armhf, i386, mips, mipsel, powerpc, ppc64el, s390x ------------------- Reason ------------------- [auto-cruft] obsolete arch any package ---------------------------------------------- ========================================================================= ========================================================================= [Date: Sat, 17 Sep 2016 10:05:17 +0000] [ftpmaster: Archive Administrator] Removed the following packages from stable: iceweasel | 38.8.0esr-1~deb8u1 | amd64, arm64, armel, armhf, i386, mips, mipsel, powerpc, ppc64el, s390x ------------------- Reason ------------------- [auto-cruft] obsolete arch any package ---------------------------------------------- ========================================================================= ========================================================================= [Date: Sat, 17 Sep 2016 10:20:32 +0000] [ftpmaster: Archive Administrator] Removed the following packages from stable: iceweasel | 38.8.0esr-1~deb8u1 | source iceweasel-l10n-ach | 1:38.8.0esr-1~deb8u1 | all iceweasel-l10n-af | 1:38.8.0esr-1~deb8u1 | all iceweasel-l10n-all | 1:38.8.0esr-1~deb8u1 | all iceweasel-l10n-an | 1:38.8.0esr-1~deb8u1 | all iceweasel-l10n-ar | 1:38.8.0esr-1~deb8u1 | all iceweasel-l10n-as | 1:38.8.0esr-1~deb8u1 | all iceweasel-l10n-ast | 1:38.8.0esr-1~deb8u1 | all iceweasel-l10n-az | 1:38.8.0esr-1~deb8u1 | all iceweasel-l10n-be | 1:38.8.0esr-1~deb8u1 | all iceweasel-l10n-bg | 1:38.8.0esr-1~deb8u1 | all iceweasel-l10n-bn-bd | 1:38.8.0esr-1~deb8u1 | all iceweasel-l10n-bn-in | 1:38.8.0esr-1~deb8u1 | all iceweasel-l10n-br | 1:38.8.0esr-1~deb8u1 | all iceweasel-l10n-bs | 1:38.8.0esr-1~deb8u1 | all iceweasel-l10n-ca | 1:38.8.0esr-1~deb8u1 | all iceweasel-l10n-cs | 1:38.8.0esr-1~deb8u1 | all iceweasel-l10n-cy | 1:38.8.0esr-1~deb8u1 | all iceweasel-l10n-da | 1:38.8.0esr-1~deb8u1 | all iceweasel-l10n-de | 1:38.8.0esr-1~deb8u1 | all iceweasel-l10n-dsb | 1:38.8.0esr-1~deb8u1 | all iceweasel-l10n-el | 1:38.8.0esr-1~deb8u1 | all iceweasel-l10n-en-gb | 1:38.8.0esr-1~deb8u1 | all iceweasel-l10n-en-za | 1:38.8.0esr-1~deb8u1 | all iceweasel-l10n-eo | 1:38.8.0esr-1~deb8u1 | all iceweasel-l10n-es-ar | 1:38.8.0esr-1~deb8u1 | all iceweasel-l10n-es-cl | 1:38.8.0esr-1~deb8u1 | all iceweasel-l10n-es-es | 1:38.8.0esr-1~deb8u1 | all iceweasel-l10n-es-mx | 1:38.8.0esr-1~deb8u1 | all iceweasel-l10n-et | 1:38.8.0esr-1~deb8u1 | all iceweasel-l10n-eu | 1:38.8.0esr-1~deb8u1 | all iceweasel-l10n-fa | 1:38.8.0esr-1~deb8u1 | all iceweasel-l10n-ff | 1:38.8.0esr-1~deb8u1 | all iceweasel-l10n-fi | 1:38.8.0esr-1~deb8u1 | all iceweasel-l10n-fr | 1:38.8.0esr-1~deb8u1 | all iceweasel-l10n-fy-nl | 1:38.8.0esr-1~deb8u1 | all iceweasel-l10n-ga-ie | 1:38.8.0esr-1~deb8u1 | all iceweasel-l10n-gd | 1:38.8.0esr-1~deb8u1 | all iceweasel-l10n-gl | 1:38.8.0esr-1~deb8u1 | all iceweasel-l10n-gu-in | 1:38.8.0esr-1~deb8u1 | all iceweasel-l10n-he | 1:38.8.0esr-1~deb8u1 | all iceweasel-l10n-hi-in | 1:38.8.0esr-1~deb8u1 | all iceweasel-l10n-hr | 1:38.8.0esr-1~deb8u1 | all iceweasel-l10n-hsb | 1:38.8.0esr-1~deb8u1 | all iceweasel-l10n-hu | 1:38.8.0esr-1~deb8u1 | all iceweasel-l10n-hy-am | 1:38.8.0esr-1~deb8u1 | all iceweasel-l10n-id | 1:38.8.0esr-1~deb8u1 | all iceweasel-l10n-is | 1:38.8.0esr-1~deb8u1 | all iceweasel-l10n-it | 1:38.8.0esr-1~deb8u1 | all iceweasel-l10n-ja | 1:38.8.0esr-1~deb8u1 | all iceweasel-l10n-kk | 1:38.8.0esr-1~deb8u1 | all iceweasel-l10n-km | 1:38.8.0esr-1~deb8u1 | all iceweasel-l10n-kn | 1:38.8.0esr-1~deb8u1 | all iceweasel-l10n-ko | 1:38.8.0esr-1~deb8u1 | all iceweasel-l10n-lij | 1:38.8.0esr-1~deb8u1 | all iceweasel-l10n-lt | 1:38.8.0esr-1~deb8u1 | all iceweasel-l10n-lv | 1:38.8.0esr-1~deb8u1 | all iceweasel-l10n-mai | 1:38.8.0esr-1~deb8u1 | all iceweasel-l10n-mk | 1:38.8.0esr-1~deb8u1 | all iceweasel-l10n-ml | 1:38.8.0esr-1~deb8u1 | all iceweasel-l10n-mr | 1:38.8.0esr-1~deb8u1 | all iceweasel-l10n-ms | 1:38.8.0esr-1~deb8u1 | all iceweasel-l10n-nb-no | 1:38.8.0esr-1~deb8u1 | all iceweasel-l10n-nl | 1:38.8.0esr-1~deb8u1 | all iceweasel-l10n-nn-no | 1:38.8.0esr-1~deb8u1 | all iceweasel-l10n-or | 1:38.8.0esr-1~deb8u1 | all iceweasel-l10n-pa-in | 1:38.8.0esr-1~deb8u1 | all iceweasel-l10n-pl | 1:38.8.0esr-1~deb8u1 | all iceweasel-l10n-pt-br | 1:38.8.0esr-1~deb8u1 | all iceweasel-l10n-pt-pt | 1:38.8.0esr-1~deb8u1 | all iceweasel-l10n-rm | 1:38.8.0esr-1~deb8u1 | all iceweasel-l10n-ro | 1:38.8.0esr-1~deb8u1 | all iceweasel-l10n-ru | 1:38.8.0esr-1~deb8u1 | all iceweasel-l10n-si | 1:38.8.0esr-1~deb8u1 | all iceweasel-l10n-sk | 1:38.8.0esr-1~deb8u1 | all iceweasel-l10n-sl | 1:38.8.0esr-1~deb8u1 | all iceweasel-l10n-son | 1:38.8.0esr-1~deb8u1 | all iceweasel-l10n-sq | 1:38.8.0esr-1~deb8u1 | all iceweasel-l10n-sr | 1:38.8.0esr-1~deb8u1 | all iceweasel-l10n-sv-se | 1:38.8.0esr-1~deb8u1 | all iceweasel-l10n-ta | 1:38.8.0esr-1~deb8u1 | all iceweasel-l10n-te | 1:38.8.0esr-1~deb8u1 | all iceweasel-l10n-th | 1:38.8.0esr-1~deb8u1 | all iceweasel-l10n-tr | 1:38.8.0esr-1~deb8u1 | all iceweasel-l10n-uk | 1:38.8.0esr-1~deb8u1 | all iceweasel-l10n-uz | 1:38.8.0esr-1~deb8u1 | all iceweasel-l10n-vi | 1:38.8.0esr-1~deb8u1 | all iceweasel-l10n-xh | 1:38.8.0esr-1~deb8u1 | all iceweasel-l10n-zh-cn | 1:38.8.0esr-1~deb8u1 | all iceweasel-l10n-zh-tw | 1:38.8.0esr-1~deb8u1 | all Closed bugs: 838086 ------------------- Reason ------------------- RoQA; superseded by firefox-esr ---------------------------------------------- ========================================================================= adblock-plus (2.7.3+dfsg-1~deb8u1) jessie; urgency=medium . * Upload compatible version with recent Firefox in Jessie (Closes: #829267) adblock-plus (2.7.2+dfsg-2) unstable; urgency=medium . [ Mathias Behrle ] * Fix get-orig-source target (Closes: #816053) . [ David Prévot ] * Drop Iceweasel from description * Rebuild with recent mozilla-devscripts to be ready for Firefox (Closes: #819303) adblock-plus (2.7.2+dfsg-1) unstable; urgency=medium . [ Wladimir Palant ] * Releasing Adblock Plus 2.7.2 . [ David Prévot ] * Add adblockpluscore source * Update copyright (years) adblock-plus (2.7.1+dfsg-1) unstable; urgency=medium . [ Wladimir Palant ] * Releasing Adblock Plus 2.7.1 . [ Eduard Sanou ] * Fix timezone when running build.py to make the package build reproducibly (Closes: #795395) . [ David Prévot ] * Use numeric versions * Drop upstream dependency check * Update Standards-Version to 3.9.7 adblock-plus (2.6.10+dfsg-1) unstable; urgency=medium . [ Wladimir Palant ] * Releasing Adblock Plus 2.6.10 . [ David Prévot ] * Don’t ship new fonts adblock-plus (2.6.9.1+dfsg+4real-1) unstable; urgency=medium . * Restore buildtools as of 2.6.9 (Closes: #788225) adblock-plus (2.6.9.1+dfsg-1) unstable; urgency=medium . * Adpat watch to new -signed trend adblock-plus (2.6.9+dfsg-2) unstable; urgency=medium . * Upload to unstable since Jessie has been released adblock-plus (2.6.9+dfsg-1) experimental; urgency=medium . [ Wladimir Palant ] * Releasing Adblock Plus 2.6.9 adblock-plus (2.6.8+dfsg-1) experimental; urgency=medium . [ Wladimir Palant ] * Releasing Adblock Plus 2.6.8 adblock-plus (2.6.7+dfsg-1) experimental; urgency=medium . [ Wladimir Palant ] * Releasing Adblock Plus 2.6.7 . [ David Prévot ] * Add adblockplusui internal dependency * Remove fonts (path changed) * Update copyright * Upload to experimental to respect the freeze apache2 (2.4.10-10+deb8u7) jessie; urgency=medium . * Fix installation of /lib/systemd/system/apache2.service.d/forking.conf. apache2 (2.4.10-10+deb8u6) jessie; urgency=medium . * Fix race condition and logical error in init script. Thanks to Thomas Stangner for the patch. Closes: #822144 * Remove links to manpages.debian.org in default index.html to avoid broken robots doing a DoS on the site. Closes: #821313 * mod_socache_memcache: Increase idle timeout to 15s to allow keep-alive connections. Closes: #803035 * mod_proxy_fcgi: Fix wrong behavior with 304 responses. Closes: #827472 * Correct systemd-sysv-generator behavior by customizing some parameters. This fixes 'systemctl status' returning incorrect results. Closes: #827444 * mod_proxy_html: Add missing config file mods-available/proxy_html.conf. This is intentionally not enabled during upgrade, to make it less likely to break existing setups. It will be enabled by a a2dismod/a2enmod cycle, though. Closes: #827258 apache2 (2.4.10-10+deb8u5) jessie-security; urgency=high . * Non-maintainer upload by the Security Team. * CVE-2016-5387: Sets environmental variable based on user supplied Proxy request header. Don't pass through HTTP_PROXY in server/util_script.c audiofile (0.3.6-2+deb8u1) jessie; urgency=high . * Team upload. * Fix CVE-2015-7747: buffer overflow when changing both sample format and number of channels. (Closes: #801102) automake-1.14 (1:1.14.1-4+deb8u1) jessie; urgency=medium . * Non-maintainer upload to fix security issue. * Avoid insecure use of /tmp/ in install-sh (Closes: #827347). Based on patch from RedHat and Pavel Raiskup. backintime (1.0.36-1+deb8u1) jessie; urgency=medium . * Add missing dependency on python-dbus (Closes: #831349) backuppc (3.3.0-2+deb8u1) jessie; urgency=medium . * Regexps fix for smbclient >= 4.2 to avoid failing SMB backups and set $Conf{BackupZeroFilesIsFatal} = 0 in the default config.pl. Workaround for SMB restores: '-d' 5 is now the default for smbclient. Added some cleanup regexps for SMB backup logs. Closes: #820963 base-files (8+deb8u6) stable; urgency=low . * Changed /etc/debian_version to 8.6, for Debian 8.6 point release. biber (1.9-3+deb8u1) jessie; urgency=high . * Non-maintainer upload. * Fix breakage triggered by point release update of perl (Closes: #826667) bogofilter (1.2.4+dfsg1-3+deb8u1) jessie-security; urgency=medium . * Rebuild against fixed flex, see DSA 3653 cacti (0.8.8b+dfsg-8+deb8u6) jessie-proposed-updates; urgency=medium . [ Emilio Pozuelo Monfort ] * CVE-2016-2313-guest-auth.patch: + Fix regression in the fix for CVE-2016-2313 that broke guest user logins. Thanks to Matus Uhlar for the report. cacti (0.8.8b+dfsg-8+deb8u5) jessie-proposed-updates; urgency=medium . [ Emilio Pozuelo Monfort ] * debian/patches/CVE-2016-3172-sql-injection.patch: + CVE-2016-3172: Fix sql injection in tree.php (Closes: #818647) * debian/patches/CVE-2016-3659-sql-injection.patch: + CVE-2016-3659: Fix sql injection in graph_view.php (Closes: #820521) * debian/patches/CVE-2016-2313-authentication-bypass.patch: + CVE-2016-2313: Fix authentication bypass (Closes: #814353) ccache (3.1.12-1) stable; urgency=medium . * New upstream release 3.1.12 containing important bug fixes (and only bug fixes) made since 3.1.10: - Fixes a bug where (due to ccache rewriting paths) the compiler could choose incorrect include files if CCACHE_BASEDIR is used and the source file path is absolute and is a symlink. (Closes: #829088.) - Fixes a bug which could result in false cache hits when source code contains '"' followed by " /*" or " //" (with variations). - Makes hash of cached result created with and without CCACHE_CPP2 different. This makes it possible to rebuild with CCACHE_CPP2 set without having to clear the cache to get new results. - Fixes a bug which could result in "No such file or directory" messages in the ccache log when the cache directory doesn't exist. cdbs (0.4.130+deb8u1) jessie-security; urgency=high . * Non-maintainer upload. * Invoke Makefile.PL and Build.PL with perl -I. as part of the fixes for CVE-2016-1238 charybdis (3.4.2-5+deb8u2) jessie-security; urgency=high . * add fix for CVE-2016-7143, backported from upstream (Closes: #836714) charybdis (3.4.2-5) unstable; urgency=high . * switch to new anonscm hostnames * initialise gnutls properly (Closes: #768339, #705369) * add fix for CVE-2015-5290, cherry-picked from upstream d5f856c^..172b58f chromium-browser (53.0.2785.89-1~deb8u1) jessie-security; urgency=medium . * New upstream stable release: - CVE-2016-5147: Universal XSS in Blink. Credit to anonymous - CVE-2016-5148: Universal XSS in Blink. Credit to anonymous - CVE-2016-5149: Script injection in extensions. Credit to Max Justicz - CVE-2016-5150: Use after free in Blink. Credit to anonymous - CVE-2016-5151: Use after free in PDFium. Credit to anonymous - CVE-2016-5152: Heap overflow in PDFium. Credit to GiWan Go of Stealien - CVE-2016-5153: Use after destruction in Blink. Credit to Atte Kettunen - CVE-2016-5154: Heap overflow in PDFium. Credit to anonymous - CVE-2016-5155: Address bar spoofing. Credit to anonymous - CVE-2016-5156: Use after free in event bindings. Credit to jinmo123 - CVE-2016-5157: Heap overflow in PDFium. Credit to anonymous - CVE-2016-5158: Heap overflow in PDFium. Credit to GiWan Go - CVE-2016-5159: Heap overflow in PDFium. Credit to GiWan Go - CVE-2016-5160: Extensions web accessible resources bypass. Credit to @l33terally - CVE-2016-5161: Type confusion in Blink. - CVE-2016-5162: Extensions web accessible resources bypass. Credit to Nicolas Golubovic - CVE-2016-5163: Address bar spoofing. Credit to Rafay Baloch - CVE-2016-5164: Universal XSS using DevTools. Credit to anonymous - CVE-2016-5165: Script injection in DevTools. Credit to Gregory Panakkal - CVE-2016-5166: SMB Relay Attack via Save Page As. Credit to Gregory Panakkal - CVE-2016-5167: Various fixes from internal audits, fuzzing and other initiatives. chromium-browser (52.0.2743.116-2) unstable; urgency=medium . * Fix syntax error in debian/copyright. * Include compiler info in the build log. * Add information about debugging to README.debian. * Build with gcc 5 during the gcc 6 transition (closes: #833501). chromium-browser (52.0.2743.116-1) unstable; urgency=medium . * New upstream security release: - CVE-2016-5141 Address bar spoofing. Credit to Sergey Glazunov - CVE-2016-5142 Use-after-free in Blink. Credit to Sergey Glazunov - CVE-2016-5139 Heap overflow in pdfium. Credit to GiWan Go - CVE-2016-5140 Heap overflow in pdfium. Credit to Ke Liu - CVE-2016-5145 Same origin bypass for images in Blink. Credit to Sergey Glazunov - CVE-2016-5143 Parameter sanitization failure in DevTools. Credit to Gregory Panakkal - CVE-2016-5144 Parameter sanitization failure in DevTools. Credit to Gregory Panakkal - CVE-2016-5146: Various fixes from internal audits, fuzzing and other initiatives. chromium-browser (52.0.2743.116-1~deb8u1) jessie-security; urgency=medium . * New upstream security release: - CVE-2016-5141 Address bar spoofing. Credit to Sergey Glazunov - CVE-2016-5142 Use-after-free in Blink. Credit to Sergey Glazunov - CVE-2016-5139 Heap overflow in pdfium. Credit to GiWan Go - CVE-2016-5140 Heap overflow in pdfium. Credit to Ke Liu - CVE-2016-5145 Same origin bypass for images in Blink. Credit to Sergey Glazunov - CVE-2016-5143 Parameter sanitization failure in DevTools. Credit to Gregory Panakkal - CVE-2016-5144 Parameter sanitization failure in DevTools. Credit to Gregory Panakkal - CVE-2016-5146: Various fixes from internal audits, fuzzing and other initiatives. chromium-browser (52.0.2743.82-4) unstable; urgency=medium . * Remove menu file. * Build with fastbuild=2. * Disable background networking features. * Link against system harfbuzz library again. chromium-browser (52.0.2743.82-3) unstable; urgency=medium . * Fix a few lintian warnings. * Use gtk3 backend instead of gtk2. * Launch as a single process when debugging to get useful symbol info. chromium-browser (52.0.2743.82-2) unstable; urgency=medium . * Bump standards version. * Drop no longer needed speechd patch. * Build complete debugging symbols again. * Link against libusb 1.0 (closes: #810403). * Fix path to master_preferences (closes: #830274). * Add an explicit dependency on libnettle6 (closes: #832125). chromium-browser (52.0.2743.82-1) unstable; urgency=medium . * New upstream stable release: - CVE-2016-1704: Various fixes from internal audits, fuzzing and other initiatives. - CVE-2016-1705: Various fixes from internal audits, fuzzing and other initiatives. - CVE-2016-1706: Sandbox escape in PPAPI. Credit to Pinkie Pie - CVE-2016-1707: URL spoofing on iOS. Credit to xisigr. - CVE-2016-1708: Use-after-free in Extensions. Credit to Adam Varsan - CVE-2016-1709: Heap-buffer-overflow in sfntly. Credit to ChenQin. - CVE-2016-1710: Same-origin bypass in Blink. Credit to Mariusz Mlynski - CVE-2016-1711: Same-origin bypass in Blink. Credit to Mariusz Mlynski - CVE-2016-5127: Use-after-free in Blink. Credit to cloudfuzzer - CVE-2016-5128: Same-origin bypass in V8. Credit to Anonymous - CVE-2016-5129: Memory corruption in V8. Credit to Jeonghoon Shin - CVE-2016-5130: URL spoofing. Credit to Wadih Matar - CVE-2016-5131: Use-after-free in libxml. Credit to Nick Wellnhofer - CVE-2016-5132: Limited same-origin bypass in Service Workers. Credit to Ben Kelly - CVE-2016-5133: Origin confusion in proxy authentication. Credit to Patch Eudor - CVE-2016-5134: URL leakage via PAC script. Credit to Paul Stone - CVE-2016-5135: Content-Security-Policy bypass. Credit to ShenYeYinJiu - CVE-2016-5136: Use after free in extensions. Credit to Rob Wu - CVE-2016-5137: History sniffing with HSTS and CSP. Credit to Xiaoyin Liu chromium-browser (52.0.2743.82-1~deb8u1) jessie-security; urgency=medium . * New upstream stable release: - CVE-2016-1704: Various fixes from internal audits, fuzzing and other initiatives. - CVE-2016-1705: Various fixes from internal audits, fuzzing and other initiatives. - CVE-2016-1706: Sandbox escape in PPAPI. Credit to Pinkie Pie - CVE-2016-1707: URL spoofing on iOS. Credit to xisigr. - CVE-2016-1708: Use-after-free in Extensions. Credit to Adam Varsan - CVE-2016-1709: Heap-buffer-overflow in sfntly. Credit to ChenQin. - CVE-2016-1710: Same-origin bypass in Blink. Credit to Mariusz Mlynski - CVE-2016-1711: Same-origin bypass in Blink. Credit to Mariusz Mlynski - CVE-2016-5127: Use-after-free in Blink. Credit to cloudfuzzer - CVE-2016-5128: Same-origin bypass in V8. Credit to Anonymous - CVE-2016-5129: Memory corruption in V8. Credit to Jeonghoon Shin - CVE-2016-5130: URL spoofing. Credit to Wadih Matar - CVE-2016-5131: Use-after-free in libxml. Credit to Nick Wellnhofer - CVE-2016-5132: Limited same-origin bypass in Service Workers. Credit to Ben Kelly - CVE-2016-5133: Origin confusion in proxy authentication. Credit to Patch Eudor - CVE-2016-5134: URL leakage via PAC script. Credit to Paul Stone - CVE-2016-5135: Content-Security-Policy bypass. Credit to ShenYeYinJiu - CVE-2016-5136: Use after free in extensions. Credit to Rob Wu - CVE-2016-5137: History sniffing with HSTS and CSP. Credit to Xiaoyin Liu * Use embedded harfbuzz. chromium-browser (51.0.2704.79-1) unstable; urgency=medium . * New upstream security release: - CVE-2016-1696: Cross-origin bypass in Extension bindings. Credit to anonymous. - CVE-2016-1697: Cross-origin bypass in Blink. Credit to Mariusz Mlynski. - CVE-2016-1698: Information leak in Extension bindings. Credit to Rob Wu. - CVE-2016-1699: Parameter sanitization failure in DevTools. Credit to Gregory Panakkal. - CVE-2016-1700: Use-after-free in Extensions. Credit to Rob Wu. - CVE-2016-1701: Use-after-free in Autofill. Credit to Rob Wu. - CVE-2016-1702: Out-of-bounds read in Skia. Credit to cloudfuzzer. chromium-browser (51.0.2704.79-1~deb8u1) jessie-security; urgency=medium . * New upstream security release: - CVE-2016-1696: Cross-origin bypass in Extension bindings. Credit to anonymous. - CVE-2016-1697: Cross-origin bypass in Blink. Credit to Mariusz Mlynski. - CVE-2016-1698: Information leak in Extension bindings. Credit to Rob Wu. - CVE-2016-1699: Parameter sanitization failure in DevTools. Credit to Gregory Panakkal. - CVE-2016-1700: Use-after-free in Extensions. Credit to Rob Wu. - CVE-2016-1701: Use-after-free in Autofill. Credit to Rob Wu. - CVE-2016-1702: Out-of-bounds read in Skia. Credit to cloudfuzzer. chromium-browser (51.0.2704.63-2) unstable; urgency=medium . * Fix libspeechd build error. chromium-browser (51.0.2704.63-1) unstable; urgency=medium . * New upstream stable release: - CVE-2016-1667: Same origin bypass in DOM. Credit to Mariusz Mlynski. - CVE-2016-1668: Same origin bypass in Blink V8 bindings. Credit to Mariusz Mlynski. - CVE-2016-1669: Buffer overflow in V8. Credit to Choongwoo Han. - CVE-2016-1670: Race condition in loader. Credit to anonymous. - CVE-2016-1672: Cross-origin bypass in extension bindings. Credit to Mariusz Mlynski. - CVE-2016-1673: Cross-origin bypass in Blink. Credit to Mariusz Mlynski. - CVE-2016-1674: Cross-origin bypass in extensions. Credit to Mariusz Mlynski. - CVE-2016-1675: Cross-origin bypass in Blink. Credit to Mariusz Mlynski. - CVE-2016-1676: Cross-origin bypass in extension bindings. Credit to Rob Wu. - CVE-2016-1677: Type confusion in V8. Credit to Guang Gong. - CVE-2016-1678: Heap overflow in V8. Credit to Christian Holler. - CVE-2016-1679: Heap use-after-free in V8 bindings. Credit to Rob Wu. - CVE-2016-1680: Heap use-after-free in Skia. Credit to Atte Kettunen. - CVE-2016-1681: Heap overflow in PDFium. Credit to Aleksandar Nikolic. - CVE-2016-1682: CSP bypass for ServiceWorker. Credit to KingstonTime. - CVE-2016-1683: Out-of-bounds access in libxslt. Credit to Nicolas Gregoire. - CVE-2016-1684: Integer overflow in libxslt. Credit to Nicolas Gregoire. - CVE-2016-1685: Out-of-bounds read in PDFium. Credit to Ke Liu. - CVE-2016-1686: Out-of-bounds read in PDFium. Credit to Ke Liu. - CVE-2016-1687: Information leak in extensions. Credit to Rob Wu. - CVE-2016-1688: Out-of-bounds read in V8. Credit to Max Korenko. - CVE-2016-1689: Heap buffer overflow in media. Credit to Atte Kettunen. - CVE-2016-1690: Heap use-after-free in Autofill. Credit to Rob Wu. - CVE-2016-1691: Heap buffer-overflow in Skia. Credit to Atte Kettunen. - CVE-2016-1692: Limited cross-origin bypass in ServiceWorker. Credit to Til Jasper Ullrich. - CVE-2016-1693: HTTP Download of Software Removal Tool. Credit to Khalil Zhani. - CVE-2016-1694: HPKP pins removed on cache clearance. Credit to Ryan Lester and Bryant Zadegan. - CVE-2016-1695: Various fixes from internal audits, fuzzing and other initiatives. chromium-browser (51.0.2704.63-1~deb8u1) jessie-security; urgency=medium . * New upstream stable release: - CVE-2016-1667: Same origin bypass in DOM. Credit to Mariusz Mlynski. - CVE-2016-1668: Same origin bypass in Blink V8 bindings. Credit to Mariusz Mlynski. - CVE-2016-1669: Buffer overflow in V8. Credit to Choongwoo Han. - CVE-2016-1670: Race condition in loader. Credit to anonymous. - CVE-2016-1672: Cross-origin bypass in extension bindings. Credit to Mariusz Mlynski. - CVE-2016-1673: Cross-origin bypass in Blink. Credit to Mariusz Mlynski. - CVE-2016-1674: Cross-origin bypass in extensions. Credit to Mariusz Mlynski. - CVE-2016-1675: Cross-origin bypass in Blink. Credit to Mariusz Mlynski. - CVE-2016-1676: Cross-origin bypass in extension bindings. Credit to Rob Wu. - CVE-2016-1677: Type confusion in V8. Credit to Guang Gong. - CVE-2016-1678: Heap overflow in V8. Credit to Christian Holler. - CVE-2016-1679: Heap use-after-free in V8 bindings. Credit to Rob Wu. - CVE-2016-1680: Heap use-after-free in Skia. Credit to Atte Kettunen. - CVE-2016-1681: Heap overflow in PDFium. Credit to Aleksandar Nikolic. - CVE-2016-1682: CSP bypass for ServiceWorker. Credit to KingstonTime. - CVE-2016-1683: Out-of-bounds access in libxslt. Credit to Nicolas Gregoire. - CVE-2016-1684: Integer overflow in libxslt. Credit to Nicolas Gregoire. - CVE-2016-1685: Out-of-bounds read in PDFium. Credit to Ke Liu. - CVE-2016-1686: Out-of-bounds read in PDFium. Credit to Ke Liu. - CVE-2016-1687: Information leak in extensions. Credit to Rob Wu. - CVE-2016-1688: Out-of-bounds read in V8. Credit to Max Korenko. - CVE-2016-1689: Heap buffer overflow in media. Credit to Atte Kettunen. - CVE-2016-1690: Heap use-after-free in Autofill. Credit to Rob Wu. - CVE-2016-1691: Heap buffer-overflow in Skia. Credit to Atte Kettunen. - CVE-2016-1692: Limited cross-origin bypass in ServiceWorker. Credit to Til Jasper Ullrich. - CVE-2016-1693: HTTP Download of Software Removal Tool. Credit to Khalil Zhani. - CVE-2016-1694: HPKP pins removed on cache clearance. Credit to Ryan Lester and Bryant Zadegan. - CVE-2016-1695: Various fixes from internal audits, fuzzing and other initiatives. chromium-browser (50.0.2661.94-1) unstable; urgency=medium . * New upstream security release: - CVE-2016-1660: Out-of-bounds write in Blink. Credit to Atte Kettunen. - CVE-2016-1661: Memory corruption in cross-process frames. Credit to Wadih Matar. - CVE-2016-1662: Use-after-free in extensions. Credit to Rob Wu. - CVE-2016-1663: Use-after-free in Blink’s V8 bindings. Credit to anonymous. - CVE-2016-1664: Address bar spoofing. Credit to Wadih Matar. - CVE-2016-1665: Information leak in V8. Credit to gksgudtjr456. - CVE-2016-1666: Various fixes from internal audits, fuzzing and other initiatives. clamav (0.99.2+dfsg-0+deb8u2) stable; urgency=medium . * Don't fail if AllowSupplementaryGroups is still set in the config file but ignore it and continue (Closes: #826406). cmake (3.0.2-1+deb8u1) jessie; urgency=medium . * Fix FindOpenSSL module to detect OpenSSL 1.0.1t. (Closes: #826656) - Add FindOpenSSL-fix-detection-of-OpenSSL-1.0.2.patch - Add FindOpenSSL-Tolerate-tabs-in-header-while-parsing-ve.patch conkeror (1.0~~pre-1+git141025-1+deb8u2) jessie; urgency=medium . * Cherry-pick 631644f5 from upstream master branch to remove "let" expressions to support Firefox 44 and later (including the ESR release 45.x in Debian Jessie). (Closes: #813039) curl (7.38.0-4+deb8u4) jessie-security; urgency=high . * Fix TLS session resumption client cert bypass as per CVE-2016-5419 https://curl.haxx.se/docs/adv_20160803A.html * Fix re-using connection with wrong client cert as per CVE-2016-5420 https://curl.haxx.se/docs/adv_20160803B.html * Fix use of connection struct after free as per CVE-2016-5421 https://curl.haxx.se/docs/adv_20160803C.html debhelper (9.20150101+deb8u2) jessie-security; urgency=high . * Non-maintainer upload. * Re-upload to security-master debian-edu-config (1.818+deb8u2) jessie; urgency=medium . [ Wolfgang Schweer ] * Take 2b2a657f from sid on cf/cf.ldapclient: don't purge libnss-mdns cause cups now needs mdns for automatic printer detection. (Closes: #825919). * dhclient-exit-hooks.d/hostname: adjust for the case of a dedicated LTSP server. (Closes: #783087). * Adjust ldap-tools/ldap-debian-edu-install to be compliant with systemd now that unit samba.service is masked (see #769714). (Closes: #826201). * Move from Iceweasel to Firefox ESR: (Closes: #827448) - rename several files containing iceweasel and also the directory share/iceweasel. - replace iceweasel with firefox-esr in various files. - use '/etc/firefox-esr' as place for firefox preference files. - update Makefile. - Add code to cleanup iceweasel and firefox-esr related conffiles in postinst and preinst scripts. - Adjust testsuite/ltsp and testsuite/webserver as /etc/firefox-esr/cert_override.txt is no longer useful. - Adjust sbin/snakeoil-on-ice as only the /etc/skel location on the main server seems to be useful for the certificate override file. - Move debian-edu.js -> etc/firefox-esr/debian-edu.js as this is the location for syspref now. . [ Mike Gabriel ] * Iceweasel -> Firefox transition: system-wide, non-configurable browser defaults now go into /usr/share/firefox-esr/browser/defaults/, not /usr/share/firefox/defaults/. * Rename cf.firefox to cf.firefox-esr and make sure it operated on /etc/firefox-esr. * firefox-networked-prefs.js: Fix configuration folder in comment. * sbin/snake-on-ice: Rename /etc/firefox to /etc/firefox-esr. Only declare OVERRIDE_FILE once and then use it accordingly (instead of hard-coding /etc/firefox(-esr) several times. Use more quotes. * debian/dirs: We ship /etc/firefox-esr, not /etc/firefox. * kickoffrc: Use firefox-esr.desktop, rather than firefox.desktop. * testsuite/ltsp: Check presence of cert_override.txt in /etc/firefox-esr/, rather than /etc/firefox/. * testsuite/webserver: Dito (check presence of cert_override.txt in /etc/firefox-esr/, rather than /etc/firefox/). . [ Holger Levsen ] * Move code to cleanup /usr/share/pam-configs/krb5 diversion from postinst to preinst to ease upgrades from old wheezy installations. (Closes: #779641) * Adjust cf.krb5client to ensure that cfengine runs are idempotent. (Closes: #779642) - Patch taken from master branch from Wolfgang. debian-edu-doc (1.6~20160910+deb8u2) jessie; urgency=medium . [ Holger Levsen ] * Update Debian Edu Jessie and Wheezy manuals from the wiki. * Update debian/copyright from the wiki using the update-copyright target. * Update package descriptions for debian-edu-doc-(nl|nb) to reflect the contents shipped in those packages. . [ Jessie Manual translation updates ] * German: Wolfgang Schweer. * Dutch: Frans Spiesschaert. * Norwegian Bokmål: Ingrid Yrvin and Ole-Erik Yrvin. . [ Wheezy Manual translation updates ] * German: Wolfgang Schweer. * Norwegian Bokmål: Ingrid Yrvin and Ole-Erik Yrvin. * Dutch: Frans Spiesschaert. debian-installer-netboot-images (20150422+deb8u4.b1) jessie; urgency=medium . * Update to 20150422+deb8u4+b1 images, from jessie-proposed-updates debian-security-support (2016.05.24~deb8u1) jessie; urgency=medium . * Team upload. . [ Santiago Ruano Rincón ] * Rebuild for Jessie. debian-security-support (2016.05.09+nmu1) unstable; urgency=medium . * Non-maintainer upload. * Remove postrm file, accidentally included in the previous release (Closes: #823563) debian-security-support (2016.05.04+nmu1) unstable; urgency=medium . * Unify binary package for all distributions. check-security-support evaluates the debian version where it runs upon, or according to a DEBIAN_VERSION env variable (Closes: #762594). - Keep a symlink to security-support-ended to avoid backward issues. * check-support-status, man page: Parse version from debian/changelog * Update messages.po, Spanish and French translations. * Update packages not supported in Wheezy LTS. debian-security-support (2016.03.30+nmu1) unstable; urgency=medium . [ Salvatore Bonaccorso ] * Mark virtualbox as unsupported in Wheezy (Closes: #812822) . [ Santiago Ruano Rincón ] * Take into account future end of security support (Closes: #818843). - Include early end support checks in t/check-support-status.t. - Update man page. * debian/rules: Generate right debian version from /etc/debian_version (Closes: #819493). debian-security-support (2016.01.07) unstable; urgency=medium . * Team upload. . [ Salvatore Bonaccorso ] * Mark typo3-src as unsupported in Wheezy. Thanks to Holger Levsen (Closes: #793454) . [ Raphaël Hertzog ] * Mark wine-gecko-2.21 and wine-gecko-2.24 as unsupported in all releases. Closes: #804058 * Mark virtualbox-ose as unsupported in Squeeze (cf DLA 372-1). * Mark qtwebkit-opensource-src as unsupported in all releases. Closes: #799189 * Mark redmine as unsupported in squeeze and wheezy due to the fact that it depends on rails which is not supported. debian-security-support (2016.01.07~deb6u1) squeeze-lts; urgency=medium . * Team upload. * Rebuild for squeeze-lts. debian-security-support (2015.07.11) unstable; urgency=medium . * Team upload. * Add list of packages not supported in stretch. The list ist empty for the time being. Fixes "FTBFS: cp: cannot stat 'security-support-ended.deb9': No such file or directory" when building in stretch and sid. Thanks to Daniel Schepler for the report (Closes: #792007) * Declare compliance with Debian policy 3.9.6 * Use canonical URI for Vcs-Git field * Add Vcs-Browser fields in debian/control file * Prepare check-support-status for release devscripts (2.15.3+deb8u1) jessie-security; urgency=high . * Non-maintainer upload. * Remove . from @INC when loading modules dynamically [CVE-2016-1238] dietlibc (0.33~cvs20120325-6+deb8u1) jessie; urgency=high . * Security: fix insecure default PATH. (Closes: #832169) Thanks to Thorsten Glaser for discovering this drupal7 (7.32-1+deb8u7) jessie-security; urgency=high . * Backported from 7.44: SA-CORE-2016-002: Webapp user privilege escalation. CVE IDs not yet assigned. dwarfutils (20120410-2+deb8u1) stable; urgency=medium . * New maintainer. * Add patch CVE-2015-8538.patch to fix CVE-2015-8538 (Closes: #807817). * Add patch CVE-2015-8750.patch to fix CVE-2015-8750 (Closes: #813182). * Add patch CVE-2016-2050.patch to fix CVE-2016-2050. * Add patch CVE-2016-2091.patch to fix CVE-2016-2091 (Closes: #813148). * Add patch CVE-2016-5034.patch to fix CVE-2016-5034. * Add patch CVE-2016-5036.patch to fix CVE-2016-5036. * Add patch CVE-2016-5038.patch to fix CVE-2016-5038. * Add patch CVE-2016-5039.patch to fix CVE-2016-5039. * Add patch CVE-2016-5042.patch to fix CVE-2016-5042. e2fsprogs (1.42.12-2) jessie; urgency=medium . * NMU acknowledge (closes: #778948) * Disable prompts for time skew which is fudged in e2fsck (closes: #812141) * Fix potential corruption of Hurd file systems by e2fsck * Fix pointer bugs that could cause crashes in e2fsck and resize2fs exim4 (4.84.2-2+deb8u1) jessie-security; urgency=high . * Non-maintainer upload by the Security Team. . [ Dominic Hargreaves ] * eximstats: Remove . from @INC [CVE-2016-1238] exim4 (4.84.2-2) jessie; urgency=medium . * 90_Cutthrough-Fix-bug-with-dot-only-line.patch: JH/38 Fix cutthrough bug with body lines having a single dot. The dot was incorrectly not doubled on cutthrough transmission, hence seen as a body-termination at the receiving system - resulting in truncated mails. Commonly the sender saw a TCP-level error, and retransmitted the nessage via the normal store-and-forward channel. This could result in duplicates received - but deduplicating mailstores were liable to retain only the initial truncated version. * 91_Expansions-Fix-crash-in-crypteq-On-OpenBSD-a-bad-sec.patch: Fix crash on "exim -be '${if crypteq{xxx}{\$aaa}{yes}{no}}'". Closes: #812585 * Improve on NEWS file. Closes: #818349 * Add 89_01_p_Delay-chdir-until-we-opened-the-main-config.patch. Backport 3de973a29de6852d61ba9bf1845835d08ca5a5ab (Delay chdir(/) until we opened the main config) to actually make $initial_cwd expansion work. Also unfuzz 89_02_Store-the-initial-working-directory.diff. (Thanks, Серж ИвановЪ for bugreport and pointer to missing patch) Closes: #818897, #826646 expat (2.1.0-6+deb8u3) jessie-security; urgency=high . * Use upstream fix for the following security vulnerabilities: - CVE-2012-6702, unanticipated internal calls to srand - CVE-2016-5300, use of too little entropy file (1:5.22+15-2+deb8u2) stable; urgency=high . * Fix CVE-2015-8865: Buffer over-write in finfo_open with malformed magic file. firefox-esr (45.3.0esr-1~deb8u1) stable-security; urgency=medium . * New upstream release. * Fixes for mfsa2016-{62-65,67,70,72-73,76-80}, also known as: CVE-2016-2836, CVE-2016-2830, CVE-2016-2838, CVE-2016-2839, CVE-2016-5252, CVE-2016-5254, CVE-2016-5258, CVE-2016-5259, CVE-2016-5262, CVE-2016-2837, CVE-2016-5263, CVE-2016-5264, CVE-2016-5265. . * debian/upstream.mk: Use l10n_changesets.txt from last candidate build for L10N_REV. firefox-esr (45.2.0esr-1) unstable; urgency=medium . * New upstream release. * Fixes for mfsa2016-{49-52,56,58}, also known as: CVE-2016-2818, CVE-2016-2819, CVE-2016-2821, CVE-2016-2822, CVE-2016-2828, CVE-2016-2831. . * debian/*.NEWS: Move NEWS to the iceweasel transitional package and add a few instructions about prefs. firefox-esr (45.2.0esr-1~deb8u1) stable-security; urgency=medium . * New upstream release. * Fixes for mfsa2016-{49-52,56,58}, also known as: CVE-2016-2818, CVE-2016-2819, CVE-2016-2821, CVE-2016-2822, CVE-2016-2828, CVE-2016-2831. . * debian/*.NEWS: Move NEWS to the iceweasel transitional package and add a few instructions about prefs. . firefox-esr (45.1.1esr-1) unstable; urgency=medium . * New upstream release. . * debian/changelog: Add missing changelog entries for 45.0.2esr-1. * debian/rules: Use the mach compare-locales command for l10n. * debian/upstream.mk, debian/watch: Remove "mozilla.org" from path in archive.mozilla.org urls. * debian/upstream.mk: Don't use get a separate source tarball for compare-locales. There is a copy in-tree that we now use. * debian/browser.desktop.in, debian/control*, debian/rules: Allow to distinguish between firefox and firefox-esr. Closes: #821952. . firefox-esr (45.1.0esr-1) unstable; urgency=medium . * New upstream release. * Fixes for mfsa2016-{39,44,47}, also known as: CVE-2016-2807, CVE-2016-2806, CVE-2016-2814, CVE-2016-2808. . firefox-esr (45.0.2esr-1) unstable; urgency=medium . * New upstream release. . * debian/control.in: Add missing %endif. * debian/control*: Remove build dependencies that were only required for the iceweasel branding. * debian/control*, debian/browser.mozconfig.in: Remove configure flags and build dependencies related to gnomevfs. They have been ignored for close to a year. * debian/browser.mozconfig.in: - Remove configure flags explicitly enabling gio, it has been enabled by default for more than 3 years. - Remove --enable-svg, the option has been ignored for more than 5 years. - Remove --enable-mathml, the option has been ignored for more than 4 years. - Remove --enable-pango, the option has been ignored for 2 years. - Remove --disable-pedantic, the option has been ignored for 3 years. - Remove --disable-long-long-warning, the option has been ignored for almost 5 years. - Remove --disable-gnomeui, it is the default. - Remove --disable-mochitest, the option has been ignored for more than 7 years. - Remove --disable-debug, it is the default. - Remove --enable-canvas, the option has been ignored for more than 6 years. - Remove --disable-installer, the option has been ignored for close to 4 years. - Remove --disable-javaxpcom, the option has been ignored for close to 5 years. - Remove --disable-elf-dynstr-gc, the option has been ignored for more than 2 years. - Remove --enable-url-classifier, it is the default. - Remove --with-user-appdir=.mozilla, it is the default. - Remove --enable-single-profile, the option has been ignored for more than 7 years. - Remove --disable-profilesharing, the option has been ignored for more than 7 years. . firefox-esr (45.0.1esr-1) unstable; urgency=medium . * New upstream release. - Disables Graphite font shaping library. . * debian/iceweasel.desktop: - Use Firefox ESR icon for this transitional desktop file. Closes: #818098. - Remove StartupWMClass and StartupNotify. I think it's the least worse option for the transition. Closes: #818101. * debian/firefox.in: Literally check for "firefox" in the firefox wrapper instead of $0. Closes: #818159. * debian/browser.js.in: Don't mention the pref subdirectory in /etc/firefox*/firefox*.js. Also reword the comment there, and remove some parts of it. Closes: #818322. * debian/iceweasel.lintian-overrides: Add a lintian override for iceweasel.desktop launching firefox-esr. * debian/control*: - Bump libvpx build dependency to 1.4.0. Closes: #818454. - Switch Vcs-* fields to https urls. - Point Vcs-* urls to the right branch. * debian/rules: Add --exclude=.mkdir.done to TAR_CREATE_FLAGS. . * ipc/chromium/atomics/moz.build, ipc/chromium/moz.build, media/webrtc/signaling/test/common.build: Link chromium mutex-based atomics implementation to webrtc signaling tests. bz#1257888. This should fix the powerpc FTBFSes. . firefox-esr (45.0esr-2) unstable; urgency=medium . * debian/control*, debian/l10n/browser-l10n.control.in: Move transitional packages to oldlibs/extra. Closes: #818038. * debian/control*: Don't make firefox-esr break/replace iceweasel. Instead, add a conflict with older versions of iceweasel. Hopefully, this means iceweasel would be unpacked first, removing its /usr/bin/firefox file before firefox-esr removes the diversion. Closes: #817977. * debian/rules: Add version information to rm_conffile calls. Along with the conflict instead of replace/break, it looks like it closes: #817908. * debian/iceweasel.links: Add an iceweasel symbolic link for a smoother transition. Closes: #817952. * debian/rules, debian/control*, debian/browser.desktop.in: Make firefox-esr more differentiable from firefox when both are installed. * debian/iceweasel.install, debian/iceweasel.desktop: Add a desktop file for iceweasel. Closes: #817904. . * ipc/chromium/moz.build, ipc/chromium/src/build/build_config.h, ipc/chromium/src/base/atomicops.h, ipc/chromium/src/base/atomicops_internals_arm64_gcc.h: Add aarch64 support for atomic operations. bz#1250403. * media/webrtc/moz.build, media/webrtc/signaling/test/standalone/*, toolkit/toolkit.mozbuild: Remove signaling standalone tests. bz#1239866. This should fix the FTBFS on ppc by not linking some unit tests we don't run anyways (and were removed upstream in version 46). . firefox-esr (45.0esr-1) unstable; urgency=medium . * Farewell, Iceweasel. * New upstream release. * Fixes for mfsa2016-{16-34,37}, also known as: CVE-2016-1952, CVE-2016-1953, CVE-2016-1954, CVE-2016-1955, CVE-2016-1956, CVE-2016-1957, CVE-2016-1958, CVE-2016-1959, CVE-2016-1960, CVE-2016-1961, CVE-2016-1962, CVE-2016-1963, CVE-2016-1964, CVE-2016-1965, CVE-2016-1967, CVE-2016-1968, CVE-2016-1966, CVE-2016-1970, CVE-2016-1971, CVE-2016-1975, CVE-2016-1976, CVE-2016-1973, CVE-2016-1974, CVE-2016-1977, CVE-2016-2790, CVE-2016-2791, CVE-2016-2792, CVE-2016-2793, CVE-2016-2794, CVE-2016-2795, CVE-2016-2796, CVE-2016-2797, CVE-2016-2798, CVE-2016-2799, CVE-2016-2800, CVE-2016-2801, CVE-2016-2802. . * debian/rules, debian/browser.install.in: Remove xpm icon. It was only shipped for the menu file, which is not there anymore. * debian/control*, debian/changelog: Rename the source package to firefox-esr. * debian/browser.install.in, debian/control*, debian/rules, debian/upstream.mk, debian/vendor.js*: Remove the OFFICIAL_NAME variable and adjust packaging code accordingly. Now all cases will be using the official name, although in some cases the package name might be different. * debian/rules: Remove epoch from l10n package names. * debian/branding, debian/installer/package-manifest.browser, debian/rules, debian/source/include-binaries: Remove debian/branding. * debian/browser.postinst.in, debian/browser.prerm.in: Do not remove compreg.dat, xpti.dat and .autoreg. Those files have not been created for a long time, so no Debian "firefox" package will have created them. * debian/browser.install.in, debian/browser.links.in, debian/rules: Remove the default profile. It's going away for good in version 46 anyways, and hasn't been provided upstream for a very long time. * browser-dev.install.in, debian/libxul.pc.in, debian/mozilla-nspr.pc.in, debian/mozilla-plugin.pc.in, debian/rules: Remove pkg-config files. They don't exist upstream, and are obviously unused in Debian since libxul.pc has been broken since version 40.0. * debian/control*, debian/l10n/browser-l10n.control.in, debian/rules: Add transitional packages when building firefox-esr. * debian/upstream.mk: Remove -esr suffix from PRODUCT_NAME when downloading. * debian/copyright: Update debian/copyright with some missing files. * debian/browser.NEWS.in, debian/browser.README.Debian.in, debian/firefox-esr.NEWS: Rearrange README and NEWS files. Removed outdated information, moved the NTLM info from NEWS to README and added a NEWS file for the transition off iceweasel. * debian/browser.install.in, debian/browser.links.in: Move debsearch searchplugin to usr/share/firefox{-esr,}/distribution/searchplugins. * debian/browser.install.in, debian/browser.links.in: Move preferences from /etc/firefox{-esr,}/pref to /etc/firefox{-esr,}. * debian/control*: Bump nspr and nss build dependencies. * debian/browser.mozconfig.in: Add --with-app-name option for firefox-esr. * debian/browser.install.in: - Don't install libmozgnome.so and corresponding manifests, it's gone. - The default theme is now an XPI. - Install features addons. * debian/browser.preinst.in: Remove iceweasel diversion of /usr/bin/firefox. * debian/rules, debian/removed_conffiles*: Remove all iceweasel conffiles. * debian/source/lintian-overrides: - Remove source package name so that the same file can be used for both firefox and firefox-esr. - Fix some existing lintian overrides to actually work. - Add lintian overrides for new false positives. . iceweasel (44.0.2-1) unstable; urgency=medium . * New upstream release * Fixes for mfsa2016-13, also known as CVE-2016-1949. . * debian/control*: - Bump sqlite3 build dependency. - Bump Standards-Version. No changes required. * debian/copyright: - Rename all BSD-n licenses to BSD-n-clause. - Remove commas separating lines in Files and Copyright. - Fixup some lintian warnings. * debian/source/lintian-overrides: Add lintian overrides for various "errors" in the source package. See associated comments. * debian/rules: Avoid tar creating hard links with -h for symlinks pointing to the same file. * debian/browser.menu.in: Remove menu file. . iceweasel (44.0-1) unstable; urgency=medium . * New upstream release. * Fixes for mfsa2016-{01-04,06,09-11}, also known as: CVE-2016-1930, CVE-2016-1931, CVE-2016-1933, CVE-2016-1935, CVE-2016-1939, CVE-2016-1937, CVE-2016-1942, CVE-2016-1943, CVE-2016-1944, CVE-2016-1945, CVE-2016-1946, CVE-2016-1947. . * js/src/jit/mips-shared/Architecture-mips-shared.h, js/src/jit/mips-shared/Assembler-mips-shared.*, js/src/jit/mips32/Architecture-mips32.*, js/src/jit/mips32/Assembler-mips32.*, js/src/jit/mips64/Architecture-mips64.*, js/src/jit/mips64/Assembler-mips64.*: Fix build failure on mipsel. bz#1213146. . iceweasel (43.0.4-1) unstable; urgency=medium . * New upstream release. . * debian/removed_conffiles: Add profile/bookmarks.html to the list of removed conffiles. Closes: #809309. * debian/removed_conffiles*, debian/rules: Add @browser@rc to the list of removed conffiles. Closes: #809386. . iceweasel (43.0.2-1) unstable; urgency=medium . * New upstream release. . * debian/latest_nightly.py, debian/upstream.mk: Ensure aurora/nightly versions match the requested one for `debian/rules download`. . * toolkit/mozapps/extensions/internal/XPIProvider.jsm: Simplify change allowing unsigned addons in /usr/{lib,share}/mozilla/extensions. * browser/components/migration/MigrationUtils.jsm, browser/components/nsBrowserGlue.js, browser/installer/package-manifest.in, browser/locales/Makefile.in: Move bookmarks.html to a chrome localized location. bz#1235107. * js/src/jit/mips-shared/Lowering-mips-shared.*, js/src/jit/mips32/Lowering-mips32.h: Move LIRGeneratorMIPS::visitRandom to architecture-specific: bz#1206591. . iceweasel (43.0.1-1) experimental; urgency=medium . * New upstream release. . * toolkit/mozapps/extensions/content/extensions.js, toolkit/mozapps/extensions/internal/XPIProvider.jsm: Allow unsigned addons in /usr/{lib,share}/mozilla/extensions when upgrading as well, and avoid message about them not being verified in about:addons. Closes: #808228. * security/nss/lib/ckfw/builtins/certdata.txt: Remove the SPI Inc. and CAcert.org CA certificates for backports. The former was removed in NSS 3.21-1 and the latter in 3.16-1, and remained here largely overlooked. * media/webrtc/trunk/build/build_config.h: Add aarch64 macros. bz#1219566. . iceweasel (43.0-1) experimental; urgency=medium . * New upstream release. * Fixes for mfsa2015-{134-149}, also known as: CVE-2015-7201, CVE-2015-7202, CVE-2015-7204, CVE-2015-7207, CVE-2015-7208, CVE-2015-7210, CVE-2015-7212, CVE-2015-7215, CVE-2015-7211, CVE-2015-7218, CVE-2015-7219, CVE-2015-7216, CVE-2015-7217, CVE-2015-7203, CVE-2015-7220, CVE-2015-7221, CVE-2015-7205, CVE-2015-7213, CVE-2015-7222, CVE-2015-7223, CVE-2015-7214. . * debian/control*: Bump nss build dependency. * debian/rules: - Follow upstream default for Gtk+2 vs. Gtk+3 automatically. - Only extract defaults/{preferences,profile} from browser/omni.ja. * debian/browser.install.in: Don't install libdbusservice.so, it's gone. . * toolkit/mozapps/extensions/internal/XPIProvider.jsm: Allow unsigned addons in /usr/{lib,share}/mozilla/extensions. Closes: #800150. . iceweasel (42.0-1) experimental; urgency=medium . * New upstream release. * Fixes for mfsa2015-{116-118,121-123,127-132}, also known as: CVE-2015-4513, CVE-2015-4514, CVE-2015-4515, CVE-2015-4518, CVE-2015-7187, CVE-2015-7188, CVE-2015-7189, CVE-2015-7193, CVE-2015-7194, CVE-2015-7195, CVE-2015-7196, CVE-2015-7198, CVE-2015-7199, CVE-2015-7200, CVE-2015-7197. . * debian/control*: Bump nspr, nss and sqlite build dependencies. * debian/browser.install.in: - Adapt to location change for the Gtk+2 wrapper library. - Install liblgpllibs.so. * debian/branding/content/Makefile.in: identity-icons-brand*.png were replaced by a svg. . iceweasel (41.0.2-1) experimental; urgency=medium . * New upstream release. * Fix for mfsa2015-115, also known as CVE-2015-7184. . iceweasel (41.0.1-1) experimental; urgency=medium . * New upstream release. . * debian/watch: Update watch file to use https://archive.mozilla.org/ and xz archives. . * toolkit/library/moz.build: Link libxul against libatomic when necessary. bz#1178266. . iceweasel (41.0-1) experimental; urgency=medium . * New upstream release. * Fixes for mfsa2015-{96,98,102-112}, also known as: CVE-2015-4500, CVE-2015-4501, CVE-2015-4504, CVE-2015-4507, CVE-2015-4508, CVE-2015-4510, CVE-2015-4511, CVE-2015-4509, CVE-2015-4512, CVE-2015-4502, CVE-2015-4516, CVE-2015-4519, CVE-2015-4520, CVE-2015-4521, CVE-2015-4522, CVE-2015-7174, CVE-2015-7175, CVE-2015-7177. . * debian/control*: Bump sqlite build dependency. . * config/system-headers: Add a system header wrapper for . bz#1194520. . iceweasel (40.0.3-3) experimental; urgency=medium . * debian/browser.js.in: Disable Health Report upload. . * build/autoconf/toolchain.m4: Fixup for libatomic detection. * browser/components/preferences/applications.js, uriloader/exthandler/nsHandlerService.js: Revert patch from 3.0.1-1 that doesn't seem useful anymore. * browser/confvars.sh: Stop not building Health Report. * l10n-ru/browser/chrome/browser-region/region.properties: Revert reordering of mailto handlers. * toolkit/components/search/nsSearchService.js: Revert change from 12.0-1 that handled the transition to /etc//searchplugins more gracefully because that's not doing anything useful anymore. . iceweasel (40.0.3-2) experimental; urgency=medium . * debian/rules, debian/removed_conffiles, debian/browser.postinst.in, debian/browser.postrm.in, debian/browser.preinst.in: Remove past conffiles. Closes: #795353. . * build/autoconf/toolchain.m4, mfbt/moz.build: Link against libatomic when necessary to fix FTBFS on powerpc and mips. . iceweasel (40.0.3-1) experimental; urgency=medium . * New upstream release. * Fixes for mfsa2015-{94-95}, also known as: CVE-2015-4497, CVE-2015-4498. . * debian/import-tar.py, debian/repack.py, debian/upstream.mk: Adjust debian/upstream.mk, debian/repack.py and debian/import-tar.py to cope with xz source tarballs. * debian/control*: Suggest Latin Modern Math instead of MathJax TeX fonts for MathML rendering, and remove suggestion for Asana Math. Thanks Frédéric Wang. Closes: #792012. * debian/rules, debian/upstream.mk: Don't set LESS_SYSTEM_LIBS when building a backport for stretch. Closes: #795331. * debian/copyright: Fix typo in MPL 1.1 license version number. Closes: #755802. * debian/upstream.mk: Avoid latest_nightly.py being run every time debian/rules is invoked for aurora builds. * debian/rules, debian/control.in: Force build with GCC 4.7 when backporting to wheezy. . * media/libvpx/moz.build: Build libvpx neon code without -mthumb and -mfloat-abi=softfp. Closes: #795337. * configure.in: Build libvpx neon code with -mfloat-abi=softfp on armel. * media/libjpeg/simd/jsimd_mips_dspr2.S: Fix build error in MIPS SIMD when compiling with -mfpxx. . iceweasel (40.0-1) experimental; urgency=medium . * New upstream release. * Fixes for mfsa2015-{79-83,86-88,90-92}, also known as: CVE-2015-4473, CVE-2015-4474, CVE-2015-4475, CVE-2015-4477, CVE-2015-4478, CVE-2015-4479, CVE-2015-4480, CVE-2015-4493, CVE-2015-4483, CVE-2015-4484, CVE-2015-4491, CVE-2015-4487, CVE-2015-4488, CVE-2015-4489, CVE-2015-4490, CVE-2015-4492. . * debian/latest_nightly.py, debian/upstream.mk: Modify latest_nightly.py to work without ftp now that it's gone. * debian/upstream.mk: Switch to HTTPS for all hg.mozilla.org urls. * debian/rules, debian/browser.install.in: Don't copy searchplugins to /etc/iceweasel. They now are in chrome://. * debian/browser.install.in: Don't install libmozalloc.so, it doesn't exist anymore. . * toolkit/components/search/nsSearchService.js: Revert change from 32.0.3-1 that bumped the search engine max icon size to 35kB because it's not needed anymore. . iceweasel (39.0.3-1) experimental; urgency=medium . * New upstream release. * Fixes for mfsa2015-78, also known as CVE-2015-4495. . * debian/source.filter: Remove the source tarball filtering of search plugin icons. See 20150715221703.GD19084@glandium.org. . iceweasel (39.0-1) experimental; urgency=medium . * New upstream release. . * debian/branding/content/Makefile.in: Re-revert to non-ESR branding. firefox-esr (45.1.1esr-1) unstable; urgency=medium . * New upstream release. . * debian/changelog: Add missing changelog entries for 45.0.2esr-1. * debian/rules: Use the mach compare-locales command for l10n. * debian/upstream.mk, debian/watch: Remove "mozilla.org" from path in archive.mozilla.org urls. * debian/upstream.mk: Don't use get a separate source tarball for compare-locales. There is a copy in-tree that we now use. * debian/browser.desktop.in, debian/control*, debian/rules: Allow to distinguish between firefox and firefox-esr. Closes: #821952. firefox-esr (45.1.0esr-1) unstable; urgency=medium . * New upstream release. * Fixes for mfsa2016-{39,44,47}, also known as: CVE-2016-2807, CVE-2016-2806, CVE-2016-2814, CVE-2016-2808. firefox-esr (45.0.2esr-1) unstable; urgency=medium . * New upstream release. firefox-esr (45.0.1esr-1) unstable; urgency=medium . * New upstream release. - Disables Graphite font shaping library. . * debian/iceweasel.desktop: - Use Firefox ESR icon for this transitional desktop file. Closes: #818098. - Remove StartupWMClass and StartupNotify. I think it's the least worse option for the transition. Closes: #818101. * debian/firefox.in: Literally check for "firefox" in the firefox wrapper instead of $0. Closes: #818159. * debian/browser.js.in: Don't mention the pref subdirectory in /etc/firefox*/firefox*.js. Also reword the comment there, and remove some parts of it. Closes: #818322. * debian/iceweasel.lintian-overrides: Add a lintian override for iceweasel.desktop launching firefox-esr. * debian/control*: - Bump libvpx build dependency to 1.4.0. Closes: #818454. - Switch Vcs-* fields to https urls. - Point Vcs-* urls to the right branch. * debian/rules: Add --exclude=.mkdir.done to TAR_CREATE_FLAGS. . * ipc/chromium/atomics/moz.build, ipc/chromium/moz.build, media/webrtc/signaling/test/common.build: Link chromium mutex-based atomics implementation to webrtc signaling tests. bz#1257888. This should fix the powerpc FTBFSes. firefox-esr (45.0esr-2) unstable; urgency=medium . * debian/control*, debian/l10n/browser-l10n.control.in: Move transitional packages to oldlibs/extra. Closes: #818038. * debian/control*: Don't make firefox-esr break/replace iceweasel. Instead, add a conflict with older versions of iceweasel. Hopefully, this means iceweasel would be unpacked first, removing its /usr/bin/firefox file before firefox-esr removes the diversion. Closes: #817977. * debian/rules: Add version information to rm_conffile calls. Along with the conflict instead of replace/break, it looks like it closes: #817908. * debian/iceweasel.links: Add an iceweasel symbolic link for a smoother transition. Closes: #817952. * debian/rules, debian/control*, debian/browser.desktop.in: Make firefox-esr more differentiable from firefox when both are installed. * debian/iceweasel.install, debian/iceweasel.desktop: Add a desktop file for iceweasel. Closes: #817904. . * ipc/chromium/moz.build, ipc/chromium/src/build/build_config.h, ipc/chromium/src/base/atomicops.h, ipc/chromium/src/base/atomicops_internals_arm64_gcc.h: Add aarch64 support for atomic operations. bz#1250403. * media/webrtc/moz.build, media/webrtc/signaling/test/standalone/*, toolkit/toolkit.mozbuild: Remove signaling standalone tests. bz#1239866. This should fix the FTBFS on ppc by not linking some unit tests we don't run anyways (and were removed upstream in version 46). firefox-esr (45.0esr-1) unstable; urgency=medium . * Farewell, Iceweasel. * New upstream release. * Fixes for mfsa2016-{16-34,37}, also known as: CVE-2016-1952, CVE-2016-1953, CVE-2016-1954, CVE-2016-1955, CVE-2016-1956, CVE-2016-1957, CVE-2016-1958, CVE-2016-1959, CVE-2016-1960, CVE-2016-1961, CVE-2016-1962, CVE-2016-1963, CVE-2016-1964, CVE-2016-1965, CVE-2016-1967, CVE-2016-1968, CVE-2016-1966, CVE-2016-1970, CVE-2016-1971, CVE-2016-1975, CVE-2016-1976, CVE-2016-1973, CVE-2016-1974, CVE-2016-1977, CVE-2016-2790, CVE-2016-2791, CVE-2016-2792, CVE-2016-2793, CVE-2016-2794, CVE-2016-2795, CVE-2016-2796, CVE-2016-2797, CVE-2016-2798, CVE-2016-2799, CVE-2016-2800, CVE-2016-2801, CVE-2016-2802. . * debian/rules, debian/browser.install.in: Remove xpm icon. It was only shipped for the menu file, which is not there anymore. * debian/control*, debian/changelog: Rename the source package to firefox-esr. * debian/browser.install.in, debian/control*, debian/rules, debian/upstream.mk, debian/vendor.js*: Remove the OFFICIAL_NAME variable and adjust packaging code accordingly. Now all cases will be using the official name, although in some cases the package name might be different. * debian/rules: Remove epoch from l10n package names. * debian/branding, debian/installer/package-manifest.browser, debian/rules, debian/source/include-binaries: Remove debian/branding. * debian/browser.postinst.in, debian/browser.prerm.in: Do not remove compreg.dat, xpti.dat and .autoreg. Those files have not been created for a long time, so no Debian "firefox" package will have created them. * debian/browser.install.in, debian/browser.links.in, debian/rules: Remove the default profile. It's going away for good in version 46 anyways, and hasn't been provided upstream for a very long time. * browser-dev.install.in, debian/libxul.pc.in, debian/mozilla-nspr.pc.in, debian/mozilla-plugin.pc.in, debian/rules: Remove pkg-config files. They don't exist upstream, and are obviously unused in Debian since libxul.pc has been broken since version 40.0. * debian/control*, debian/l10n/browser-l10n.control.in, debian/rules: Add transitional packages when building firefox-esr. * debian/upstream.mk: Remove -esr suffix from PRODUCT_NAME when downloading. * debian/copyright: Update debian/copyright with some missing files. * debian/browser.NEWS.in, debian/browser.README.Debian.in, debian/firefox-esr.NEWS: Rearrange README and NEWS files. Removed outdated information, moved the NTLM info from NEWS to README and added a NEWS file for the transition off iceweasel. * debian/browser.install.in, debian/browser.links.in: Move debsearch searchplugin to usr/share/firefox{-esr,}/distribution/searchplugins. * debian/browser.install.in, debian/browser.links.in: Move preferences from /etc/firefox{-esr,}/pref to /etc/firefox{-esr,}. * debian/control*: Bump nspr and nss build dependencies. * debian/browser.mozconfig.in: Add --with-app-name option for firefox-esr. * debian/browser.install.in: - Don't install libmozgnome.so and corresponding manifests, it's gone. - The default theme is now an XPI. - Install features addons. * debian/browser.preinst.in: Remove iceweasel diversion of /usr/bin/firefox. * debian/rules, debian/removed_conffiles*: Remove all iceweasel conffiles. * debian/source/lintian-overrides: - Remove source package name so that the same file can be used for both firefox and firefox-esr. - Fix some existing lintian overrides to actually work. - Add lintian overrides for new false positives. firegestures (1.10.9-1~deb8u1) jessie; urgency=medium . * Upload compatible version with recent Firefox in Jessie (Closes: #827277) firegestures (1.10.7-1) unstable; urgency=medium . * Team upload . [ Gomita ] * fix: [Firefox48] '[pooup] Back / Forward History' error * ver.1.10.7 . [ David Prévot ] * Update Standards-Version to 3.9.8 firegestures (1.10.6-1) unstable; urgency=medium . * Team upload . [ Gomita ] * add uk-UA locale * ver.1.10.6 firegestures (1.10.5-2) unstable; urgency=medium . * Team upload * Rebuild with recent mozilla-devscripts to be ready for Firefox firegestures (1.10.5-1) unstable; urgency=medium . * Team upload . [ Gomita ] * [e10s] fix: cannot find links when zoomed in/out * ver.1.10.5 . [ David Prévot ] * Simplify rules with --buildsystem=xul_ext firegestures (1.10.4-1) unstable; urgency=medium . * Team upload . [ Gomita ] * update license * ver.1.10.4 . [ David Prévot ] * Update copyright (years) * Update Standards-Version to 3.9.7 firegestures (1.10.3-2) unstable; urgency=medium . * Team upload, to unstable since iceweasel 43.0.2-1+b1 is currently available there firegestures (1.10.3-1) experimental; urgency=medium . * Team upload . [ Gomita ] * fix #107: error in mozlAsyncFavicons.getFaviconURLForPage firegestures (1.10.2-1) experimental; urgency=medium . * Team upload, to experimental since it depends on recent iceweasel (>= 41.0) . [ Gomita ] * remove compatibility code * ver.1.10.2 firegestures (1.10-2) unstable; urgency=medium . * Team upload, to unstable since it’s a stable version firegestures (1.10-1) experimental; urgency=medium . * Team upload . [ Gomita ] * add sl-SI locale * ver.1.10 firegestures (1.10~a3-1) experimental; urgency=medium . * Team upload . [ Gomita ] * ver.1.10a3 . [ David Prévot ] * Update copyright firegestures (1.9~b6-1) experimental; urgency=medium . * Team upload . [ Gomita ] * ver.1.9b6 firegestures (1.9~b5-1) experimental; urgency=medium . * Team upload . [ Gomita ] * ver.1.9b5 firegestures (1.9~b4-1) experimental; urgency=medium . * Team upload . [ Gomita ] * ver.1.9b4 . [ David Prévot ] * Update copyright firegestures (1.9~b3-1) experimental; urgency=medium . * Team upload . [ Gomita ] * ver.1.9b3 firegestures (1.9~b2-1) experimental; urgency=medium . * Team upload . [ Gomita ] * ver.1.9b2 firegestures (1.9~a4-1) experimental; urgency=medium . * Team upload of alpha version to experimental . [ David Prévot ] * Drop Fabrizio Regalli from uploaders (Closes: #761872) * Update watch file for new amo links * Bump standards version to 3.9.6 . [ Gomita ] * [e10s] add support to multi-process tabs flashplugin-nonfree (1:3.6.1+deb8u1) jessie; urgency=medium . * update-flashplugin-nonfree: Delete old get-upstream-version.pl from cache. Closes: #833413. flex (2.5.39-8+deb8u2) jessie-security; urgency=high . * Non-maintainer upload by the Security Team. * Tweak CVE-2016-6354 patch to have the changes propagated. As noticed by Robert Shearman due to the patching of skel.c in previous patches and thus updated timestamps, skel.c is not regenerated during build, resulting in the CVE-2016-6354 fix actually not being applied completely. Thanks to Robert Shearman and Frank Heckenbach (Closes: #835542) * Generated code, `max_size' seems to be of type `int', fix casts accordingly. Regression introduced by the fix for CVE-2016-6354 in DSA-3653-1. Thanks to Frank Heckenbach and Robert Shearman. (Closes: #835542) flex (2.5.39-8+deb8u1) jessie-security; urgency=medium . * CVE-2016-6354 fontconfig (2.11.0-6.3+deb8u1) jessie-security; urgency=high . * Non-maintainer upload by the Security Team. * CVE-2016-5384: Possible double free due to insufficiently validated cache files (Closes: #833570) fusionforge (5.3.2+20141104-3+deb8u3) jessie; urgency=medium . * Remove dependency on Mediawiki plugin from fusionforge-full metapackage. gdcm (2.4.4-3+deb8u1) jessie; urgency=medium . * add patches: - d/p/CVE-2015-8396.patch: fix according security vunerability - d/p/CVE-2015-8397.patch: fix according security vunerability gdk-pixbuf (2.31.1-2+deb8u5) jessie-security; urgency=high . * Non-maintainer upload by the Security Team. * CVE-2015-8875: Integer overflows in various pixops functions * CVE-2015-7552: Heap-based buffer overflow in the gdk_pixbuf_flip function * ico: Protect against overflow * bmp: Reject bogus depth * bmp: Reject impossible palette size gdk-pixbuf (2.31.1-2+deb8u4+kbsd8u1) jessie-kfreebsd; urgency=medium . * Upload to jessie-kfreebsd gimp (2.8.14-1+deb8u1) jessie-security; urgency=high . * Non-maintainer upload by the Security Team. * CVE-2016-4994: Use-after-free vulnerabilities in the channel and layer properties parsing process (Closes: #828179) glibc (2.19-18+deb8u6) stable; urgency=medium . * Update from upstream stable branch: - Fix backtrace hang on armel/armhf, possibly causing a minor denial-of-service vulnerability (CVE-2016-6323). Closes: #834752. - Fix open and openat functions with O_TMPFILE. Closes: #832521. - Drop debian/patches/any/cvs-ld_pointer_guard.diff (merged upstream). - Drop debian/patches/any/cvs-mangle-tls_dtor_list.diff (merged upstream). - Drop debian/patches/any/cvs-strxfrm-buffer-overflows.diff (merged upstream). * debian/patches/any/submitted-resolv-ipv6-nameservers.diff: replace by patch cvs-resolv-ipv6-nameservers.diff taken from upstream. This fixes mtr on systems using only IPv6 nameservers. Closes: #818281. glibc (2.19-18+deb8u5) stable; urgency=medium . [ Aurelien Jarno ] * Update from upstream stable branch: - Drop debian/patches/any/local-CVE-2015-7547.diff. - Refresh debian/patches/any/cvs-resolv-first-query-failure.diff. - Fix assertion failure with unconnectable name server addresses. (regression introduced by CVE-2015-7547). Closes: #816669. - Fix *context functions on s390x. - Fix a buffer overflow in the glob function (CVE-2016-1234). - Fix a stack overflow in nss_dns_getnetbyname_r (CVE-2016-3075). - Fix a stack overflow in getaddrinfo function (CVE-2016-3706). - Fix a stack overflow in Sun RPC clntudp_call() (CVE-2016-4429). gnome-maps (3.14.3.1-1) jessie; urgency=medium . * New upstream release. - Uses the Mapbox tile server. Closes: #830842. gnome-sudoku (1:3.14.1-1+deb8u1) jessie; urgency=medium . [ Jeremy Bicha ] * debian/patches/generate_new_puzzles.patch: - Don't generate the same puzzle sequence every time. Closes: #828106 gnupg (1.4.18-7+deb8u3) jessie; urgency=medium . * Non-maintainer with maintainers approval. * gpgv: Tweak default options for extra security * g10: Fix checking key for signature validation gnupg (1.4.18-7+deb8u2) jessie-security; urgency=high . * Non-maintainer upload by the Security Team. * cipher: Improve readability by using a macro * random: Hash continuous areas in the csprng pool (CVE-2016-6313) gnupg2 (2.0.26-6+deb8u1) jessie; urgency=medium . * Non-maintainer with maintainers approval. * gpgv: Tweak default options for extra security * g10: Fix checking key for signature validation greasemonkey (3.8-1~deb8u1) jessie; urgency=medium . * Upload compatible version with recent Firefox in Jessie (Closes: #828622) greasemonkey (3.8~beta2-1) experimental; urgency=medium . * Team upload, to experimental since it’s a beta version . [ Anthony Lieuallen ] * Version bump: 3.8beta2 . [ David Prévot ] * Drop Iceweasel from description greasemonkey (3.7-1) unstable; urgency=medium . * Team upload . [ Anthony Lieuallen ] * Version bump: 3.7 . [ David Prévot ] * Simplify rules with --buildsystem=xul_ext * Update Standards-Version to 3.9.7 greasemonkey (3.6-1) unstable; urgency=medium . * Team upload . [ Anthony Lieuallen ] * Version bump: 3.6 greasemonkey (3.5-1) unstable; urgency=medium . * Team upload . [ Anthony Lieuallen ] * Version bump: 3.5 greasemonkey (3.4-1) unstable; urgency=medium . * Team upload, to unstable since it’s a stable release . [ Anthony Lieuallen ] * Version bump: 3.4 greasemonkey (3.3~beta1-1) experimental; urgency=medium . * Team upload, to experimental since it’s a beta version . [ Anthony Lieuallen ] * Switch from resource: to chrome: for JSM. greasemonkey (3.2-1) unstable; urgency=medium . * Team upload, to unstable since it’s a stable release . [ Anthony Lieuallen ] * Version bump: 3.2. greasemonkey (3.2~beta2-1) experimental; urgency=medium . * Team upload . [ Anthony Lieuallen ] * Version bump: 3.1beta2 greasemonkey (3.2~beta1-1) experimental; urgency=medium . * Team upload greasemonkey (3.1-2) unstable; urgency=medium . * Team upload, to unstable since Jessie has been released, as well as iceweasel 38. * Track currently stable 3.1 branch * Track stable releases greasemonkey (3.1-1) experimental; urgency=medium . * Team upload . [ Anthony Lieuallen ] * Version bump: 3.1 greasemonkey (3.0-1) experimental; urgency=medium . * Team upload . [ Anthony Lieuallen ] * Temporarily ignore referer failure under e10s. greasemonkey (3.0~beta1-1) experimental; urgency=medium . * Team upload . [ Anthony Lieuallen ] * Version: 3.0beta1 . [ Damyan Ivanov ] * patch content/config.js to stop calling home on first run (Closes: #771110) greasemonkey (2.3-1) experimental; urgency=medium . * Team upload, to experimental to respect the freeze . [ Anthony Lieuallen ] * Update the parser to detect @noframes. * When @noframes is set, only inject into top-level windows. * Restore the responseType feature for GM_xhr * Update translations from babelzilla.org. * Version bump: 2.3 horizon (2014.1.3-7+deb8u2) jessie-security; urgency=medium . * CVE-2016-4428: Possible client side template injection in horizon. Applied upstream patch: "Escape angularjs templating in unsafe HTML" after rebasing it for Icehouse (Closes: #828967). icedove (1:45.2.0-1~deb8u1) stable-security; urgency=medium . [ Carsten Schoenert ] * [411b27d] Imported Upstream version 45.2.0 - MFSA 2016-49 aka CVE-2016-2818 * [aeb5aee] debian/icedove.js: disable Icedove startup check (Closes: #817973) * [685b602] icedove-l10n-all: change Section into metapackages (Closes: #824785) . [ Christoph Goehre ] * [2871800] rebuild patch queue from patch-queue branch added patches: - fixes/Bug-1277295-Remove-obsolete-reference-to-storage-service-.patch (Closes: #827592) icedove (1:45.2~b1-1) experimental; urgency=medium . [ Carsten Schoenert ] * [68883af] rebuild patch queue from patch-queue branch added patches: - porting-kfreebsd-hurd/adding-missed-HURD-adoptions.patch * [ee509d2] debian/mozconfig.default: switching back to gtk2 as default (Closes: #821744) * [f72fe06] adding helper script create-iceowl-l10n-tarball.sh * [28fba93] debian/README.source: adding additional info for iceowl-l10n * [826af5b] adding iceowl-l10n related patches to the patch queue * [1aa6f37] debian/iceowl-*.in: adding needed base files * [a5946b4] debian/rules: adding iceowl-l10n related rules * [b1da616] debian/control: adding the current iceowl-l10n-* packages * [b359c95] debian/source.filter: some adjustments to the filter * [e45ab44] debian/README.source: use recent version and reformating * [50b3830] debian/control: increase Standards-Version to 3.9.8 * [3a767b8] debian/rules: remove no longer needed LDFLAGS * [29a7739] Imported Upstream version 45.2~b1 * [15b7797] iceowl-l10n-*: rearrange Recommends field for various packages (Closes: #824727, #824750, #824763, #824764, #824768, #824780) * [3f75b56] debian/vendor.js: adjust to new version related wiki site * [6bd7f89] d/c-id-l10n: adjusting download URL for stable versions * [f15d1a2] icedove-l10n-all: change Section into metapackages (Closes: #824785) * [25c3ba1] debian/README.source: info about import of multitarballs * [3ebcf59] debian/control: adding Recommends to icedove-l10n-uk (Closes: #825806) * [3e57d5e] debian/control: Icedove, adding dependency on libatk-adaptor * [e19c59d] debian/control: rework Recommends for icedove-l10n-* * [4741d80] debian/control: small fixup Recommends on iceowl-l10n-* * [f9f5193] debian/control: sort iceowl-l10n-* alphabetical . [ Christoph Goehre ] * [ce58560] debian/rules: add option to dh_auto_clean * [8cfbeca] debian/rules: export necessary DEB_ vars into environment (Closes: #819020) * [7512da8] debian/rules: ignore build folder and run 'build' target instead (Closes: #819020) * [354f836] turn the reduce of memory usage of the linker on again * [5e48e17] don't build dbgsym packages on unreleased builds * [09679eb] rebuild patch queue from patch-queue branch added patches: - p-kfree-hurd/CrossProcessMutex.h-fix-build-on-kfreebsd-and-GNU-hu.patch (Closes: #808183) . [ Guido Günther ] * [24bbee9] Wrap and sort control information (Closes: #825806) * [fcfe4ac] Add minimalistic autopkgtest * [f7a32e8] Add autopkgtest to test header and typelib generation * [189d835] Add autopkgtest to smoke test xpcshell icedove (1:45.1.0-1) unstable; urgency=medium . [ Carsten Schoenert ] * [58fb559] Imported Upstream version 45.0 * [68883af] rebuild patch queue from patch-queue branch added patches: - porting-kfreebsd-hurd/adding-missed-HURD-adoptions.patch * [ee509d2] debian/mozconfig.default: switching back to gtk2 as default (Closes: #821744) * [f72fe06] adding helper script create-iceowl-l10n-tarball.sh * [28fba93] debian/README.source: adding additional info for iceowl-l10n * [826af5b] adding iceowl-l10n related patches to the patch queue * [1aa6f37] debian/iceowl-*.in: adding needed base files * [a5946b4] debian/rules: adding iceowl-l10n related rules * [b1da616] debian/control: adding the current iceowl-l10n-* packages * [b359c95] debian/source.filter: some adjustments to the filter * [e45ab44] debian/README.source: use recent version and reformating * [7046f6c] rebuild patch queue from patch-queue branch added patches: - porting/Bug-1250403-Part-1.-Define-ARCH_CPU_ARM64-instead-of-ARCH.patch - porting/Bug-1250403-Part-2.-Import-crbug-354405-for-aarch64.-r-bi.patch * [50b3830] debian/control: increase Standards-Version to 3.9.8 * [3a767b8] debian/rules: remove no longer needed LDFLAGS. * [69b0013] debian/control: add Breaks on xul-ext-foxyproxy-standard (Closes: #820026) * [711468b] iceowl-l10n-*: rearrange Recommends field for various packages (Closes: #824727, #824750, #824763, #824764, #824768, #824780) * [9d0a4f0] d/c-id-l10n: adjusting download URL for stable versions * [fb43fac] Imported Upstream version 45.1.0 * [8e25131] rebuild patch queue from patch-queue branch removed patches (fixed upstream): - debian-hacks/Add-unminified-jquery-and-jquery-ui-files.patch - fixes/Bug-1165654-Cleanup-how-libjpeg-turbo-assembly-build.patch - fixes/Bug-1168231-Fixup-to-keep-file-type.patch - fixes/Bug-1168231-Normalize-file-mode-in-jars.patch - porting/Bug-1250403-Part-1.-Define-ARCH_CPU_ARM64-instead-of-ARCH.patch - porting/Bug-1250403-Part-2.-Import-crbug-354405-for-aarch64.-r-bi.patch - reproducible/Bug-1166243-Remove-build-function-from-js-and-xpc-sh.patch - reproducible/Bug-1168316-Remove-build-machine-name-from-about-bui.patch - reproducible/Generate-sorted-libical-header-list * [07d84c7] debian/control: increase B-D on libvpx-dev * [1e3332f] debian/control: remove not needed B-D on libgtk-3-dev . [ Christoph Goehre ] * [ad8406c] turn the reduce of memory usage of the linker on again * [5aa9652] don't build dbgsym packages on unreleased builds * [ce58560] debian/rules: add option to dh_auto_clean * [8cfbeca] debian/rules: export necessary DEB_ vars into environment (Closes: #819020) * [7512da8] debian/rules: ignore build folder and run 'build' target instead (Closes: #819020) . [ Guido Günther ] * [4884a9f] Add minimalistic autopkgtest (Closes: #824869) * [338d7d3] Add autopkgtest to test header and typelib generation * [92a8bdc] Add autopkgtest to smoke test xpcshell icedove (1:45.1.0-1~deb8u1) stable-security; urgency=medium . [ Carsten Schoenert ] * [fb43fac] Imported Upstream version 45.1.0 - MFSA 2016-16 aka CVE-2016-1952, CVE-2016-1953 - MFSA 2016-17 aka CVE-2016-1954 - MFSA 2016-18 aka CVE-2016-1955 - MFSA 2016-19 aka CVE-2016-1956 - MFSA 2016-20 aka CVE-2016-1957 - MFSA 2016-23 aka CVE-2016-1960 - MFSA 2016-24 aka CVE-2016-1961 - MFSA 2016-27 aka CVE-2016-1964 - MFSA 2016-34 aka CVE-2016-1974 - MFSA 2016-35 aka CVE-2016-1950 - MFSA 2016-36 aka CVE-2016-1979 - MFSA 2016-37 aka CVE-2016-1977, CVE-2016-2790, CVE-2016-2791, CVE-2016-2792, CVE-2016-2793, CVE-2016-2794, CVE-2016-2795, CVE-2016-2796, CVE-2016-2797, CVE-2016-2798, CVE-2016-2799, CVE-2016-2800, CVE-2016-2801, CVE-2016-2802 - MFSA 2016-39 aka CVE-2016-2807, CVE-2016-2806 * [2f41836] debian/vendor.js: adjust to new version related wiki site * [695d480] Icedove Branding: adopt usptream changes to branding * [ff8a29d] d/icedove.install: remove no longer existing parts * [a93f81f] debian/rules: remove obsolet dpkg-shlibdeps call * [47e35db] debian/control: adding the current icedove-l10n-* packages * [dbfa1c6] debian/rules: adding icedove.l10n install to targets * [3c53b2d] debian/control: adding a B-D on libpng-dev * [e564202] debian/rules: adding iceowl-l10n related rules * [679d2c5] debian/control: adding the current iceowl-l10n-* packages * [11cf262] d/icedove.install: searchplugins isn't alive anymore * [bbd1f2c] adopting needed changes for GTK3 into the Debian branding * [c4766ca] adding changes due ldap restructure * [59eac2e] debian/mozconfig.default: switching back to gtk2 as default (Closes: #821744) * [4d2462c] debian/iceowl-*.in: adding needed base files . [ Guido Günther ] * [772cd63] icedove-dev: Drop dependencies on nspr, nss . [ Christoph Goehre ] * [566d769] debian/control: make depends between icedove-l10n and icedove dynamic * [38d43e9] debian/control: add section localization to all l10n packages * [b1c0f93] debian/NEWS: rename to icedove.NEWS to ship only in icedove core package * [2c8467e] build against internal sqlite * [389571a] rebuild patch queue from patch-queue branch added patches: - icedove-l10n/* - iceowl-l10n/* - p-kfreebsd-hurd/CrossProcessMutex.h-fix-build-on-kfreebsd-and-GNU.patch - porting-kfreebsd-hurd/adding-missed-HURD-adoptions.patch modified patches: - fixes/Allow-.js-preference-files-to-set-locked-prefs-with-lockP.patch - fixes/Bug-628252-os2.cc-fails-to-compile-against-GCC-4.6-m.patch - icedove/fix-branding-in-migration-wizard-and-the-addon-manag.patch - p-kfreebsd-hurd/LDAP-support-building-on-GNU-kFreeBSD-and-GNU-Hurd.patch - porting-kfreebsd-hurd/FTBFS-hurd-fixing-unsupported-platform-Hurd.patch obsolete patches (fixed upstream): - debian-hacks/Add-unminified-jquery-and-jquery-ui-files.patch - debian-hacks/pass-OS_LDFLAGS-to-all-ldap-libraries.patch - fixes/Bug-1165654-Cleanup-how-libjpeg-turbo-assembly-build.patch - fixes/Bug-1168231-Fixup-to-keep-file-type.patch - fixes/Bug-1168231-Normalize-file-mode-in-jars.patch - fixes/Bug-1194905-Build-libvpx-neon-code-without-mthumb-an.patch - fixes/Followup-to-bug-1194905-add-mfloat-abi-softfp-when-t.patch - fixes/Link-libldap-against-libpthread.patch - icedove/no-dynamic-nss-softokn.patch - porting/Remove-duplicate-SkDiscardableMemory_none.cpp-from-g.patch - reproducible/Bug-1166243-Remove-build-function-from-js-and-xpc-sh.patch - reproducible/Bug-1168316-Remove-build-machine-name-from-about-bui.patch - reproducible/generate-sorted-output-while-header-creation.patch * [8bce181] icedove.lintian-overrides: add override for embedded library sqlite icedove (1:45.0~b4-2) experimental; urgency=medium . * [fa7bc47] debian/control: fix FTBFS by moving Build-Depends-Indep to Build-Depends icedove (1:45.0~b4-1) experimental; urgency=medium . [ Carsten Schoenert ] * [3bf50c7] Imported Upstream version 45.0~b4 * [11744a7] debian/source.filter: fixup for previous change * [0bd3753] debian/gbp.conf: adding default filter out pattern * [a9f6cfa] rebuild patch queue from patch-queue branch removed patches (fixed upstream): - fixes/Bug-1178266-Link-against-libatomic-when-necessary.patch - p-arm64/FTBFS-arm64-Adding-configure-option-for-aarch64-platform.patch - p-mips/FTBFS-mips-adoptions-to-get-build-on-mips-el-working-1-4.patch - p-mips/FTBFS-mips-adoptions-to-get-build-on-mips-el-working-2-4.patch - p-mips/FTBFS-mips-adoptions-to-get-build-on-mips-el-working-3-4.patch - p-mips/FTBFS-mips-adoptions-to-get-build-on-mips-el-working-4-4.patch modified patches: - p-kfreebsd-hurd/ipc-chromium-fix-if-define-for-kFreeBSD-and-Hurd.patch * [9dcb46e] debian/control: increase B-D on libnspr-dev * [b31fba5] debian/control: increase Standards-Version to 3.9.7 * [623250d] Icedove Branding: adopt usptream changes to branding * [2fa9b24] debian/copyright: update copyright information * [c5dd11d] debian/copyright: include the license text for MPL-1.0 * [3a90ecd] debian/copyright: include the license text for MPL-1.1 * [7291650] debian/copyright: include the license text for MPL-2.0 * [0ebdd3f] debian/copyright: include the license text for libpng * [9ee79fa] d/icedove.install: remove no longer existing parts * [880c9e9] debian/rules: remove obsolet dpkg-shlibdeps call * [e4fb8a2] adding helper script create-icedove-l10n-tarball.sh * [8826951] debian/README.source: adding hint for creating l10n tarball * [08f9071] debian/control: adding the current icedove-l10n-* packages (Closes: #680488) * [d839f37] debian/rules: adding icedove.l10n install to targets * [5b0df21] debian/gbp.conf: use a Tuple for selecting multiple files * [e32519f] debian/control: increase B-D on libnss-dev * [2200691] debian/control: increase B-D on libnspr4-dev * [0f5660e] debian/control: increase increase B-D on libnss3-dev * [5fd8af8] mozconfig.default: adding new configure option * [e288c6e] debian/control: adding a B-D on libpng-dev . [ Christoph Goehre ] * [f8c7ca5] debian/control: make depends between icedove-l10n and icedove dynamic * [ac760d7] debian/control: add section localization to all l10n packages * [72ef6c7] debian/NEWS: rename to icedove.NEWS to ship only in icedove core package * add epoch in version number to update l10n packages smoothly icedove (44.0~b1-1) experimental; urgency=medium . [ Carsten Schoenert ] * [a24f78b] Imported Upstream version 44.0~b1 * [7f52453] rebuild patch queue from patch-queue branch removed patches: - d-hacks/Add-unminified-jquery-and-jquery-ui-files.patch - d-hacks/Allow-unsigned-addons-in-usr-lib-share-mozilla-extensions.patch - d-hacks/creating-a-dummy-.deps-directory-to-get-make-happy.patch added patches: - p-arm64/FTBFS-arm64-Adding-configure-option-for-aarch64-platform.patch - p-mips/FTBFS-mips-adoptions-to-get-build-on-mips-el-working-1-4.patch - p-mips/FTBFS-mips-adoptions-to-get-build-on-mips-el-working-2-4.patch - p-mips/FTBFS-mips-adoptions-to-get-build-on-mips-el-working-3-4.patch - p-mips/FTBFS-mips-adoptions-to-get-build-on-mips-el-working-4-4.patch modified patches: - porting-kfreebsd-hurd/FTBFS-hurd-fixing-unsupported-platform-Hurd.patch * [ecf1110] debian/watch: adjust to new CDN structure * [dd5efe8] debian/control: increase Build-Depends on libsqlite3-dev * [57165b5] debian/control: switch URI for the Vcs fields to https * [c9ded96] debian/source.filter: adding more filters on testings js files * [31ce42f] debian/copyright: update due upstream/import changes icedove (43.0~b1-1) experimental; urgency=medium . [ Christoph Goehre ] * [ef5b1ef] debian/rules: split override_dh_install into arch and indep section (Closes: #806047) * [02d5d7c] debian/source.filter: remove filter for searchplugins . [ Guido Günther ] * [2008a71] Clarify relation between icedove and the calendar extensions (Closes: #809017) . [ Carsten Schoenert ] * [11ffac0] debian/source.filter: modifying file list to ignore * [926912b] Imported Upstream version 43.0~b1 * [32cd8c0] rebuild patch queue from patch-queue branch added patches: - d-hacks/Allow-unsigned-addons-in-usr-lib-share-mozilla-extensions.patch removed patches (fixed upstream): - reproducible/Generate-sorted-libical-header-list.patch * [a1637e4] debian/control: increase B-D on libnspr-dev and libnss3-dev * [f9937c1] debian/source.filter: sort entries alphabetical * [326f74d] debian/source.filter: adding new files to filter out * [9b9d9b9] debian/copyright: update due upstream changes * [69664c7] d/icedove.install: searchplugins isn't alive anymore icedove (42.0~b2-1) experimental; urgency=medium . [ Carsten Schoenert ] * [8842d85] Imported Upstream version 42.0~b2 * [6d14aca] rebuild patch queue from patch-queue branch added patches: - fixes/Bug-1178266-Link-against-libatomic-when-necessary.patch * [320c43d] add myself to the uploaders * [797a290] lintian: remove icedove.menu file due CTTE#741573 . [ Guido Günther ] * [caca7c2] Add unminified jquery and jquery-ui files (Closes: #802281) icedove (42.0~b1-1) experimental; urgency=medium . [ Carsten Schoenert ] * [c599b6b] Imported Upstream version 42.0~b1 * [41285cb] debian/copyright: fixup's and update * [6b270be] debian/control: increase various build depends * [be75969] adopting needed changes for GTK3 into the Debian branding * [245161e] fixup branding about.png file icedove (41.0~b2-1) experimental; urgency=medium . [ Carsten Schoenert ] * [b1d982c] Imported Upstream version 41.0~b2 * [8389b9b] rebuild patch queue from patch-queue branch added patches: - porting-mips/Fix-build-error-in-MIPS-SIMD-when-compiling-with-mfp.patch modified patches: - icedove/fix-branding-in-migration-wizard-and-the-addon-manag.patch - porting-kfreebsd-hurd/FTBFS-hurd-fixing-unsupported-platform-Hurd.patch dropped patches (fixed upstream): - fixes/Bug-1168231-Fixup-to-keep-file-type.patch - fixes/Bug-1168231-Normalize-file-mode-in-jars.patch - reproducible/Bug-1166243-Remove-build-function-from-js-and-xpc-sh.patch - reproducible/Bug-1168316-Remove-build-machine-name-from-about-bui.patch * [9ebf7b9] debian/source.filter: modifying file list to ignore * [b25d990] debian/copyright: fixup's and update . [ Christoph Goehre ] * [8ebffb0] relax optimize to -O1 on s390x (Closes: #797551) * [dea1627] debian/rules: Disable jit on mips (Closes: #797548) icedove (40.0~b1-1) experimental; urgency=medium . [ Carsten Schoenert ] * [9d358dc] debian/source.filter: adjust new files * [328cdc7] Imported Upstream version 40.0~b1 * [8813d89] debian/rules: setting MOZ_BUILD_DATE explicitly. This patch is based on work from Mike Hommey within the Iceweasel package to enable reproducible builds. It defines the MOZ_BUILD_DATE with a pre defined timezone. * [8dd5b9f] debian/rules: add switch to skip icedove-dbg build to speed up the build. * [a6beec7] debian/control: Let icedove recommendiceowl-extension * [691dfe9] add release related information * [bdfdfd8] debian/vendor.js: adjusting WhatNew link to more dedicated URL * [5ba6ec7] rebuild patch queue from patch-queue branch added patches: debian-hacks/changing-the-default-search-engine.patch fixes/Bug-1168231-Fixup-to-keep-file-type.patch fixes/Bug-1168231-Normalize-file-mode-in-jars.patch reproducible/Bug-1166243-Remove-build-function-from-js-and-xpc-sh.patch reproducible/Bug-1168316-Remove-build-machine-name-from-about-bui.patc reproducible/Generate-sorted-libical-header-list modified patches: fixes/Allow-.js-preference-files-to-set-locked-prefs-with-.patch porting-kfreebsd-hurd/FTBFS-hurd-adding-the-HURD-platform-to-the-configure.patch porting-kfreebsd-hurd/LDAP-support-building-on-GNU-kFreeBSD-and-GNU-Hurd.patch porting/Disable-optimization-on-alpha-for-the-url-classifier.patch deleted patches: debian-hacks/pass-OS_LDFLAGS-to-all-ldap-libraries.patch debian-hacks/remove-timestamps-from-c_cpp-macros-for-reproducibil.patch debian/patches/fixes/Link-libldap-against-libpthread.patch debian/patches/icedove/no-dynamic-nss-softokn.patch debian/patches/porting/Remove-duplicate-SkDiscardableMemory_none.cpp-from-g.patch * [59046ae,12d4f4b] debian/copyright: update due upstream changes * [7c1f002] debian/iceowl-extension.lintian-overrides: remove file, no longer needed * [23eed8c] debian/source.lintian-overrides: adding new entries. Lintian is detecting the braces within the folder names incorrectly as brace expansion. * [2f95cd3] add changes due ldap restructure. . [ Christoph Goehre ] * [ff66528] lintian: fix spelling error in debian/README.Debian imagemagick (8:6.8.9.9-5+deb8u4) jessie-security; urgency=medium . * Fix a few security problems (Closes: #823750): - Fix a off-by-one error leading to segfault (Closes: #832455). - Fix an out-of-bounds read in coders/psd.c (Closes: #832457, LP: #1533442). - Fix rle file handling for corrupted file (Closes: #832461, LP: #1533445) - Fix a buffer overflow in sun file handling (Closes: #832464). - Fix a potential DOS in sun file handling due to malformed files (Closes: #832465). - Fix multiple out of bound problem in rle, pict, viff and sun files (Closes: #832467, LP: #1533452, LP: #1533449, LP: #1533447, LP: #1533445). - Fix a heap overflow in hdr file handling (Closes: #832469, LP: #1537213). - Fix a heap buffer overflow in psd file handling (Closes: #832474, LP: #1537418). - Fix an out of bound access for malformed psd file (Closes: #832475, LP: #1537419). - Fix a meta file out of bound access (Closes: #832478, LP: #1537420) - Fix heap buffer overflow in psd file coder (Closes: #832480, LP: #1537424) - Fix an out of bound access in wpg file coder (Closes: #832482, LP: #1539050, LP: #1542115). - Fix out of bound access for viff file coder (Closes: #832483, LP: #1537425) - Fix an out of bound access in xcf file coder (Closes: #832504, LP: #1539051, LP: #1539052). - Fix out of bound in quantum handling (Closes: #832506, LP: #1539067, LP: #1539053). - Fix a pbd file out of bound access (Closes: #832633, LP: #1539061, LP: #1542112). - Fix handling of corrupted psd file (Closes: #832776, LP: #1539066). - Fix a wpg file out of bound for corrupted file (Closes: #832780, LP: #1542114). - Fix an out of bound access in generic decoder (Closes: #832785, LP: #1542785). - Fix an out of bound access for corrupted psd file (Closes: #832787, LP: #1545180). - Fix a SEGV reported in corrupted profile handling (Closes: #832789, LP: #1545367). - Fix an out of bound access for corrupted pdb file (Closes: #832791, LP: #1553366). - Fix a SIGABRT for corrupted pdb file (Closes: #832793, LP: #1556273). * Prevent buffer overflow in magick/draw.c. Fix CVE-2016-4562, CVE-2016-4563, CVE-2016-4564. (Closes: #832885, #832887, #832888). * Fix DOS due to corrupted DDS files (Closes: #832942, #832944). * Fix out of bounds memory read for DDS files. This fix CVE-2016-5687. (Closes: #832890). * Prevent possible buffer overflow when reading TIFF images. This fix CVE-2016-5010. (Closes: #832968). * Fix out of bound access for corrupted WPG file. This fix CVE-2016-5688. (Closes: #833003). * Add additional checks to DCM reader to prevent data-driven faults. This fix CVE-2016-5689, CVE-2016-5690, CVE-2016-5691. (Closes: #833044, #833043, #833042). * Improve checking of EXIF profile to prevent integer overflow. This fix CVE-2016-5841 and CVE-2016-5842. (Closes: #831034). * Prevent buffer overflow in properties reading. This fix CVE-2016-6491. (Closes: #833099). * Fix potential DOS by not releasing memory. (Closes: #833101). * Fix abort when writing to rgf format. (Closes: #827643, LP: #1594060). * Prevent possible stack overflow. (Closes: #833812) * Prevent heap overflow in RLE file handling. (Closes: #833744) * Prevent Segfault in ReadRLEImage for corrupted file. (Closes: #833743). * Fix loading arbitrary module from user side. (Closes: #833735). * Fix small memory leak in XML file traversal. (Closes: #833732). * Prevent buffer overflow in draw.c (Closes: #833730). * Avoid a double free. (Closes: #834183). * Avoid an out of bound access for malformed exif data. (Closes: #834501). * Avoid a DOS due to improper locking in magick++ lib. (Closes: #834163). * Avoid a buffer overflow in bmp file reader. (Closes: #834504). imagemagick (8:6.8.9.9-5+deb8u3) jessie-security; urgency=medium . * Disable support for reading input from a shell command, or writing output to a shell command. This was done by the pipe (|) prefix. It was possible to perform a command injection as discrived by CVE-2016-5118 since it use popen. Closes: 825799 inspircd (2.0.17-1+deb8u2) jessie-security; urgency=high . * m_sasl: don't allow AUTHENTICATE with mechanisms with a space (CVE-2016-7142) intel-microcode (3.20160714.1~deb8u1) stable; urgency=medium . * Rebuild for Debian jessie stable update (no changes) * STABLE RELEASE MANAGER INFORMATION: + This is the same package which is in unstable since 2016-07-22, and stretch (testing) and jessie-backports since 2016-07-28, with no issues reported + Contains updated microcode for: Skylake/H/DT, Broadwell/E/EP/H/DE/WS, Haswell/E/WS/EP/EX, and their usual variants (U/ULT,Y,S...): mobile, desktop, embedded, single- and dual-socket server/workstation. Also includes related Pentium and Celeron + Somewhat unusually, this release includes an update for the multi-socket Haswell-EX E7-v3 Xeon server processors + Fixes critical issues on Intel Skylake processors, such as: - TSX unpredictable behavior - AVX data/calculation corruption - High-hitting crashes and hangs related to MCEs and power management errata that might make it impossible to even install Debian in the first place (systems with very outdated firmware) + Likely fixes a recently identified, critical but low-hitting TSX erratum on Broadwell, Broadwell-E and related Xeons (Broadwell-DE/WS/EP: Xeon-D 1500, E3-v4 and E5-v4) + Fix Broadwell-DE (Xeon-D 1500) errata (incomplete list): Stepping V-1: BDE58, BDE56, BDE55, BDE50, BDE44, BDE41, BDE38, BDE10, BDE9, BDE8, BDE7 Stepping Y-0: LAN1, BDE67, BDE68 + Might fix Haswell-EP Xeon E5-v3 power management regression which is already present in the packages currently in jessie (#815990) + Fixes undisclosed errata on Xeon E7-v3 48xx/88xx . intel-microcode (3.20160714.1~bpo8+1) jessie-backports; urgency=medium . * Rebuild for jessie-backports (no changes) . intel-microcode (3.20160714.1) unstable; urgency=medium . * New upstream microcode datafile 20160714 + Updated Microcodes: sig 0x000306f4, pf mask 0x80, 2016-06-07, rev 0x000d, size 15360 sig 0x000406e3, pf mask 0xc0, 2016-06-22, rev 0x009e, size 97280 sig 0x000406f1, pf mask 0xef, 2016-06-06, rev 0xb00001d, size 25600 sig 0x000506e3, pf mask 0x36, 2016-06-22, rev 0x009e, size 97280 + This release hopefully fixes a hang when updating the microcode on some Skylake-U D-1/Skylake-Y D-1 (sig 0x406e3, pf 0x80) systems * source: remove superseded upstream data file: 20160607 . intel-microcode (3.20160607.2~bpo8+1) jessie-backports; urgency=medium . * Rebuild for jessie-backports (no changes) . intel-microcode (3.20160607.2) unstable; urgency=low . * REMOVE microcode: sig 0x000406e3, pf mask 0xc0, 2016-04-06, rev 0x008a, size 96256 (closes: #828819) * The Core i7-6500U and m3-6Y30 processors (Skylake-UY D-1, sig=0x406e3, pf=0x80) may hang while attempting an early microcode update to revision 0x8a, apparently due to some sort of firmware dependency. On affected systems, the only way to avoid the issue is to get a firmware update that includes microcode revision 0x8a or later. At this time, there are reports of both sucessful and failed updates on the m3-6Y30, and only of failed updates on the i7-6500U. There are no reports about Skylake-U K-1 (pf=0x40). + WARNING: it is unsafe to use a system based on an Intel Skylake-U/Y processor with microcode earlier than revision 0x8a, due to several critical errata that cause unpredictable behavior, data corruption, and other problems. Users *must* update their firmware to get microcode 0x8a or newer, and keep it up-to-date. . intel-microcode (3.20160607.1~bpo8+1) jessie-backports; urgency=medium . * Rebuild for jessie-backports (no changes) . intel-microcode (3.20160607.1) unstable; urgency=medium . * New upstream microcode data file 20160607 + New Microcodes: sig 0x000406e3, pf mask 0xc0, 2016-04-06, rev 0x008a, size 96256 sig 0x000406f1, pf mask 0xef, 2016-05-20, rev 0xb00001c, size 25600 sig 0x00050662, pf mask 0x10, 2015-12-12, rev 0x000f, size 28672 sig 0x000506e3, pf mask 0x36, 2016-04-06, rev 0x008a, size 96256 + Updated Microcodes: sig 0x000306c3, pf mask 0x32, 2016-03-16, rev 0x0020, size 22528 sig 0x000306d4, pf mask 0xc0, 2016-04-29, rev 0x0024, size 17408 sig 0x000306f2, pf mask 0x6f, 2016-03-28, rev 0x0038, size 32768 sig 0x000306f4, pf mask 0x80, 2016-02-11, rev 0x000a, size 15360 sig 0x00040651, pf mask 0x72, 2016-04-01, rev 0x001f, size 20480 sig 0x00040661, pf mask 0x32, 2016-04-01, rev 0x0016, size 24576 sig 0x00040671, pf mask 0x22, 2016-04-29, rev 0x0016, size 11264 * source: remove superseded upstream data file: 20151106. * control: change upstream URL to a search for "linux microcode" Unfortunately, many of the per-processor-model feeds have not been updated for microcode release 20160607. Switch to the general search page as the upstream URL. * README.Debian: fix duplicated word 'to' . intel-microcode (3.20151106.2) unstable; urgency=medium . * Makefile: make the build less verbose. * debian/changelog: fix error in past entry. Correct the version of the microcode that caused bug #776431, in the entry for version 3.20150121.1. * initramfs: don't force_load microcode.ko when missing. Detect a missing microcode.ko and don't attempt to force_load() it, otherwise we get spurious warnings at boot. In verbose mode, log the fact that the microcode driver is modular. For Linux 4.4 and later, skip the entire module loading logic, since the microcode driver cannot be modular for those kernels (closes: #814301). * initramfs: update copyright notice * initramfs: use iucode_tool -l for verbose mode * README.Debian: enhance and add recovery instructions. Rewrite large parts of the README.Debian document, and add recovery instructions (use of the "dis_ucode_ldr" kernel parameter). . intel-microcode (3.20151106.1~bpo8+1) jessie-backports; urgency=medium . * Rebuild for jessie-backports (no changes) intel-microcode (3.20160714.1~bpo8+1) jessie-backports; urgency=medium . * Rebuild for jessie-backports (no changes) . intel-microcode (3.20160714.1) unstable; urgency=medium . * New upstream microcode datafile 20160714 + Updated Microcodes: sig 0x000306f4, pf mask 0x80, 2016-06-07, rev 0x000d, size 15360 sig 0x000406e3, pf mask 0xc0, 2016-06-22, rev 0x009e, size 97280 sig 0x000406f1, pf mask 0xef, 2016-06-06, rev 0xb00001d, size 25600 sig 0x000506e3, pf mask 0x36, 2016-06-22, rev 0x009e, size 97280 + This release hopefully fixes a hang when updating the microcode on some Skylake-U D-1/Skylake-Y D-1 (sig 0x406e3, pf 0x80) systems * source: remove superseded upstream data file: 20160607 intel-microcode (3.20160607.2) unstable; urgency=low . * REMOVE microcode: sig 0x000406e3, pf mask 0xc0, 2016-04-06, rev 0x008a, size 96256 (closes: #828819) * The Core i7-6500U and m3-6Y30 processors (Skylake-UY D-1, sig=0x406e3, pf=0x80) may hang while attempting an early microcode update to revision 0x8a, apparently due to some sort of firmware dependency. On affected systems, the only way to avoid the issue is to get a firmware update that includes microcode revision 0x8a or later. At this time, there are reports of both sucessful and failed updates on the m3-6Y30, and only of failed updates on the i7-6500U. There are no reports about Skylake-U K-1 (pf=0x40). + WARNING: it is unsafe to use a system based on an Intel Skylake-U/Y processor with microcode earlier than revision 0x8a, due to several critical errata that cause unpredictable behavior, data corruption, and other problems. Users *must* update their firmware to get microcode 0x8a or newer, and keep it up-to-date. intel-microcode (3.20160607.2~bpo8+1) jessie-backports; urgency=medium . * Rebuild for jessie-backports (no changes) . intel-microcode (3.20160607.2) unstable; urgency=low . * REMOVE microcode: sig 0x000406e3, pf mask 0xc0, 2016-04-06, rev 0x008a, size 96256 (closes: #828819) * The Core i7-6500U and m3-6Y30 processors (Skylake-UY D-1, sig=0x406e3, pf=0x80) may hang while attempting an early microcode update to revision 0x8a, apparently due to some sort of firmware dependency. On affected systems, the only way to avoid the issue is to get a firmware update that includes microcode revision 0x8a or later. At this time, there are reports of both sucessful and failed updates on the m3-6Y30, and only of failed updates on the i7-6500U. There are no reports about Skylake-U K-1 (pf=0x40). + WARNING: it is unsafe to use a system based on an Intel Skylake-U/Y processor with microcode earlier than revision 0x8a, due to several critical errata that cause unpredictable behavior, data corruption, and other problems. Users *must* update their firmware to get microcode 0x8a or newer, and keep it up-to-date. intel-microcode (3.20160607.1) unstable; urgency=medium . * New upstream microcode data file 20160607 + New Microcodes: sig 0x000406e3, pf mask 0xc0, 2016-04-06, rev 0x008a, size 96256 sig 0x000406f1, pf mask 0xef, 2016-05-20, rev 0xb00001c, size 25600 sig 0x00050662, pf mask 0x10, 2015-12-12, rev 0x000f, size 28672 sig 0x000506e3, pf mask 0x36, 2016-04-06, rev 0x008a, size 96256 + Updated Microcodes: sig 0x000306c3, pf mask 0x32, 2016-03-16, rev 0x0020, size 22528 sig 0x000306d4, pf mask 0xc0, 2016-04-29, rev 0x0024, size 17408 sig 0x000306f2, pf mask 0x6f, 2016-03-28, rev 0x0038, size 32768 sig 0x000306f4, pf mask 0x80, 2016-02-11, rev 0x000a, size 15360 sig 0x00040651, pf mask 0x72, 2016-04-01, rev 0x001f, size 20480 sig 0x00040661, pf mask 0x32, 2016-04-01, rev 0x0016, size 24576 sig 0x00040671, pf mask 0x22, 2016-04-29, rev 0x0016, size 11264 * source: remove superseded upstream data file: 20151106. * control: change upstream URL to a search for "linux microcode" Unfortunately, many of the per-processor-model feeds have not been updated for microcode release 20160607. Switch to the general search page as the upstream URL. * README.Debian: fix duplicated word 'to' intel-microcode (3.20151106.2) unstable; urgency=medium . * Makefile: make the build less verbose. * debian/changelog: fix error in past entry. Correct the version of the microcode that caused bug #776431, in the entry for version 3.20150121.1. * initramfs: don't force_load microcode.ko when missing. Detect a missing microcode.ko and don't attempt to force_load() it, otherwise we get spurious warnings at boot. In verbose mode, log the fact that the microcode driver is modular. For Linux 4.4 and later, skip the entire module loading logic, since the microcode driver cannot be modular for those kernels (closes: #814301). * initramfs: update copyright notice * initramfs: use iucode_tool -l for verbose mode * README.Debian: enhance and add recovery instructions. Rewrite large parts of the README.Debian document, and add recovery instructions (use of the "dis_ucode_ldr" kernel parameter). intel-microcode (3.20151106.1) unstable; urgency=medium . * New upstream microcode data file 20151106 + New Microcodes: sig 0x000306f4, pf mask 0x80, 2015-07-17, rev 0x0009, size 14336 sig 0x00040671, pf mask 0x22, 2015-08-03, rev 0x0013, size 11264 + Updated Microcodes: sig 0x000306a9, pf mask 0x12, 2015-02-26, rev 0x001c, size 12288 sig 0x000306c3, pf mask 0x32, 2015-08-13, rev 0x001e, size 21504 sig 0x000306d4, pf mask 0xc0, 2015-09-11, rev 0x0022, size 16384 sig 0x000306f2, pf mask 0x6f, 2015-08-10, rev 0x0036, size 30720 sig 0x00040651, pf mask 0x72, 2015-08-13, rev 0x001d, size 20480 * This massive Haswell + Broadwell (and related Xeons) update fixes several critical errata, including the high-hitting BDD86/BDM101/ HSM153(?) which triggers an MCE and locks the processor core (LP: #1509764) * Might fix critical errata BDD51, BDM53 (TSX-related) * source: remove superseded upstream data file: 20150121 * Add support for supplementary microcode bundles: + README.source: update and mention supplementary microcode + Makefile: support supplementary microcode Add support for supplementary microcode bundles, which (unlike .fw microcode override files) can be superseded by a higher revision microcode from the latest regular microcode bundle. Also, fix the "oldies" target to have its own exclude filter (IUC_OLDIES_EXCLUDE) * Add support for x32 arch: + README.source: mention x32 + control,rules: enable building on x32 arch (Closes: #777356) * ucode-blacklist: add Broadwell and Haswell-E signatures Add a missing signature for Haswell Refresh (Haswell-E) to the "must be updated only by the early microcode update driver" list. There is at least one report of one of the Broadwell microcode updates disabling TSX-NI, so add them as well just in case jakarta-jmeter (2.11-2+deb8u1) jessie-proposed-updates; urgency=medium . * Team upload. * Install the templates (Closes: #795356) * Fixed an error with libxstream-java >= 1.4.9 when loading the templates javatools (0.48+deb8u1) jessie; urgency=medium . * Non-maintainer upload. * Fixed the arch returned for ppc64el in java-arch.sh (closes: #833572) kamailio (4.2.0-2+deb8u2) stable-proposed-updates; urgency=medium . * use my DD account \o/ * add upstream fix for: proper check of libssl versions used for compilation and available on system (Closes: #833973) kde4libs (4:4.14.2-5+deb8u1) jessie-security; urgency=high . * Non-maintainer upload by the Security Team. * CVE-2016-6232: Extraction of tar files possible to arbitrary system locations (Closes: #832620) ldb (2:1.1.20-0+deb8u1) jessie-security; urgency=high . [ Andrew Bartlett ] * Update in debian stable for Samba security release libarchive (3.1.2-11+deb8u2) jessie-security; urgency=high . * CVE-2015-8916, CVE-2015-8917, CVE-2015-8919-CVE-2015-8926, CVE-2015-8928, CVE-2015-8930-CVE-2015-8934, CVE-2016-4300, CVE-2016-4302, CVE-2016-4809, CVE-2016-5844. Backports thanks to Marc Deslauriers. libav (6:11.7-1~deb8u1) jessie-security; urgency=medium . * New upstream release fixing a security issue. - mov: Check the entries value when parsing dref boxes (CVE-2016-3062) * debian/patches/CVE-2016-2326.patch: Removed, included upstream. libbusiness-creditcard-perl (0.35-0+deb8u1) jessie; urgency=medium . * Import upstream release 0.35 to adjust to changes in credit card ranges and processing of various companies. (Closes: #814479) libcommons-fileupload-java (1.3.1-1+deb8u1) jessie-security; urgency=high . * Fixed CVE-2016-3092: Denial-of-Service vulnerability libcss-dom-perl (0.15-1+deb8u1) stable; urgency=medium . * Team upload. * Apply upstream patch to work around Encode changes included in perl and libencode-perl stable updates (Closes: #826993) libdatetime-timezone-perl (1:1.75-2+2016f) jessie; urgency=medium . * Update to Olson database version 2016f. Add patch debian/patches olson-2016f, which updates the timezone *.pm files, using upstream's tools/parse_olson script. This update contains contemporary changes for Africa/Cairo and Asia/Novosibirsk. libdatetime-timezone-perl (1:1.75-2+2016e) jessie; urgency=medium . * Update to Olson database version 2016e. Add patch debian/patches/olson-2016e, which updates the timezone *.pm files, using upstream's tools/parse_olson script. This update contains contemporary changes for Egypt. libdbd-mysql-perl (4.028-2+deb8u1) jessie-security; urgency=high . * Team upload. * CVE-2014-9906: Fix use-after-free flaw * CVE-2015-8949: Use after free when my_login fails libdevel-declare-perl (0.006017-1+deb8u1) jessie; urgency=high . * Team upload. * Fix breakage caused by change in perl stable update (Closes: #826563) libgcrypt20 (1.6.3-2+deb8u2) jessie-security; urgency=high . * Non-maintainer upload by the Security Team. * random: Improve the diagram showing the random mixing * random: Hash continuous areas in the csprng pool (CVE-2016-6313) libgd2 (2.1.0-5+deb8u6) jessie-security; urgency=high . * [CVE-2016-6207]: Improve fix while (u>=0) with unsigned int will always be true. libgd2 (2.1.0-5+deb8u5) jessie-security; urgency=medium . * Fix out-of-bounds memory write access in _gdContributionsAlloc() libgd2 (2.1.0-5+deb8u4) jessie-security; urgency=high . * [CVE-2016-5766]: Fix Integer Overflow in _gd2GetHeader() resulting in heap overflow (Closes: #829014) * [CVE-2016-6128]: Fix invalid color index not handled, can lead to crash (Closes: #829062) * [CVE-2016-6161]: Add upstream patch to fix gif: avoid out-of-bound reads of masks array * [CVE-2016-6132]: Fix out-of-bounds read in the parsing of TGA files (Closes: #829694) * [CVE-2016-6214]: Fix read out-of-bands was found in TGA * [CVE-to-be-assigned]: Fix another out-of-bounds read in read_image_tga (upstream #248) * [CVE-2016-5116]: Fix xbm: avoid stack overflow (read) with large names libidn (1.29-1+deb8u2) jessie-security; urgency=high . * Non-maintainer upload by the Security Team. * CVE-2015-8948: Out-of-bounds read due to use of fgets with fixed-size buffer * Add help2man to Build-Depends to fix FTBFS due to doc regeneration * CVE-2016-6261: Out-of-bounds stack read in idna_to_ascii_4i * CVE-2016-6263: Crash when given invalid UTF-8 data on input libintl-perl (1.23-1+deb8u1) jessie-security; urgency=high . * Non-maintainer upload. * Remove . from @INC when loading modules dynamically [CVE-2016-1238] libmime-charset-perl (1.011.1-1+deb8u2) jessie-security; urgency=high . * Team upload. * Provide corrected version of previous security patch libmime-charset-perl (1.011.1-1+deb8u1) jessie-security; urgency=high . * Team upload. * Remove . from @INC when loading modules dynamically [CVE-2016-1238] libmime-encwords-perl (1.014.3-1+deb8u1) jessie-security; urgency=high . * Team upload. * Remove . from @INC when loading modules dynamically [CVE-2016-1238] libmodule-build-perl (0.421000-2+deb8u1) jessie-security; urgency=high . * Team upload * Work around removal of "." in @INC (CVE-2016-1238) libnet-dns-perl (0.81-2+deb8u1) jessie-security; urgency=high . * Team upload. * Remove . from @INC when loading modules dynamically [CVE-2016-1238] libnet-ssleay-perl (1.65-1+deb8u1) jessie; urgency=medium . * Team upload. * Fix FTBFS: apply patch to disable test 33_x509_create_cert.t which fails with openssl 1.0.1t-1+deb8u1 (Closes: #789344) libpdfbox-java (1:1.8.7+dfsg-1+deb8u1) jessie-security; urgency=high . * Fixed CVE-2016-2175: XML External Entity vulnerability libquota-perl (1.7.1+dfsg-1+deb8u1) jessie; urgency=medium . * Team upload. * Adapt platform detection to work as well under Linux 4.x (Closes: #787463, #827101) libreoffice (1:4.3.3-2+deb8u5) jessie-security; urgency=medium . * debian/patches/CVE-2016-4324.diff: fix "LibreOffice RTF Stylesheet Code Execution Vulnerability" (TALOS-CAN-0126 / CVE-2016-4324) libsys-syslog-perl (0.33-1+deb8u1) jessie-security; urgency=high . * Team upload. * Remove . from @INC when loading modules dynamically [CVE-2016-1238] libunicode-linebreak-perl (0.0.20140601-2+deb8u2) jessie-security; urgency=high . * Non-maintainer upload. * Provide fixed version of previous security patch libunicode-linebreak-perl (0.0.20140601-2+deb8u1) jessie-security; urgency=high . * Non-maintainer upload. * Remove . from @INC when loading modules dynamically [CVE-2016-1238] libvirt (1.2.9-9+deb8u3) jessie-security; urgency=high . * [9da83d8] CVE-2016-5008: qemu: Let empty default VNC password work as documented. * [27d6b02] Adjust gbp.conf for jessie-security libxml2 (2.9.1+dfsg1-5+deb8u3) jessie; urgency=medium . * Non-maintainer upload. * Fix a problem unparsing URIs without a host part like qemu:///system. This unbreaks libvirt, libsys-virt-perl and others (Closes: #781232) libxml2 (2.9.1+dfsg1-5+deb8u2) jessie-security; urgency=high . * Non-maintainer upload by the Security Team. * Heap-based buffer overread in xmlNextChar (CVE-2016-1762) * heap-buffer-overflow in xmlStrncat (CVE-2016-1834) * Add missing increments of recursion depth counter to XML parser (CVE-2016-3705) (Closes: #823414) * Avoid an out of bound access when serializing malformed strings (CVE-2016-4483) (Closes: #823405) * Heap-buffer-overflow in xmlFAParsePosCharGroup (CVE-2016-1840) * Heap-based buffer overread in xmlParserPrintFileContextInternal (CVE-2016-1838) * Heap-based buffer overread in xmlDictAddString (CVE-2016-1839 CVE-2015-8806 CVE-2016-2073) (Closes: #813613, #812807) * Heap use-after-free in xmlDictComputeFastKey (CVE-2016-1836) * Fix inappropriate fetch of entities content (CVE-2016-4449) * Heap use-after-free in htmlParsePubidLiteral and htmlParseSystemiteral (CVE-2016-1837) * Heap use-after-free in xmlSAX2AttributeNs (CVE-2016-1835) * Heap-based buffer-underreads due to xmlParseName (CVE-2016-4447) * Heap-based buffer overread in htmlCurrentChar (CVE-2016-1833) * Avoid building recursive entities (CVE-2016-3627) (Closes: #819006) libxslt (1.1.28-2+deb8u1) jessie-security; urgency=high . * Non-maintainer upload by the Security Team. * Fix for type confusion in preprocessing attributes (CVE-2015-7995) (Closes: #802971) * Always initialize EXSLT month and day to 1 * Fix use-after-free in xsltDocumentFunctionLoadDocument * Fix xsltNumberFormatGetMultipleLevel (CVE-2016-1683) * Round xsl:number values to nearest integer * Handle negative xsl:number values * Lower bound for format token "a" * Lower and upper bound for format token "i" (CVE-2016-1684) * Fix double free in libexslt hash functions * Fix buffer overflow in exsltDateFormat * Fix OOB heap read in xsltExtModuleRegisterDynamic lighttpd (1.4.35-4+deb8u1) jessie-security; urgency=medium . * Non-maintainer upload. * Fix CVE-2016-1000212: Mitigate HTTPoxy vulnerability. * Add mitigate-httpoxy-779c133c16f9af168b004dce7a2a64f16c1cb3a4.patch linux (3.16.36-1+deb8u1) jessie-security; urgency=high . [ Ben Hutchings ] * tcp: make challenge acks less predictable (CVE-2016-5696) * audit: fix a double fetch in audit_log_single_execve_arg() (CVE-2016-6136) * fs: Fix oops when fcntl() is called on an aufs directory (CVE-2016-7118; regression in 3.16.36-1) . [ Salvatore Bonaccorso ] * tcp: fix use after free in tcp_xmit_retransmit_queue() (CVE-2016-6828) * aacraid: Check size values after double-fetch from user (CVE-2016-6480) linux (3.16.36-1+deb8u1~bpo70+1) wheezy-backports; urgency=medium . * Rebuild for wheezy: - Disable architectures that weren't part of wheezy - Use gcc-4.6 for all architectures - Change ABI number to 0.bpo.4 - [arm] btrfs: Work around bug in gcc-4.6 (fixes FTBFS) - linux-image: Depend on initramfs-tools without any alternatives, so that neither apt nor aptitude will automatically switch to dracut . linux (3.16.36-1+deb8u1) jessie-security; urgency=high . [ Ben Hutchings ] * tcp: make challenge acks less predictable (CVE-2016-5696) * audit: fix a double fetch in audit_log_single_execve_arg() (CVE-2016-6136) * fs: Fix oops when fcntl() is called on an aufs directory (CVE-2016-7118; regression in 3.16.36-1) . [ Salvatore Bonaccorso ] * tcp: fix use after free in tcp_xmit_retransmit_queue() (CVE-2016-6828) * aacraid: Check size values after double-fetch from user (CVE-2016-6480) . linux (3.16.36-1) jessie; urgency=medium . * New upstream stable update: http://kernel.ubuntu.com/stable/ChangeLog-3.16.7-ckt26 - [x86] Revert "firmware: dmi_scan: Fix UUID endianness for SMBIOS >= 2.6" - [x86] iommu/vt-d: Fix 64-bit accesses to 32-bit DMAR_GSTS_REG - [x86] drm/i915/dsi: defend gpio table against out of bounds access - [x86] drm/i915/dsi: don't pass arbitrary data to sideband - [x86] drm/i915: fix error path in intel_setup_gmbus() - cifs: fix erroneous return value - [s390x] dasd: prevent incorrect length error under z/VM after PAV changes - [s390x] dasd: fix refcount for PAV reassignment - scsi: fix soft lockup in scsi_remove_target() on module removal - ext4: fix potential integer overflow - ext4: don't read blocks from disk after extents being swapped - bio: return EINTR if copying to user space got interrupted - ALSA: seq: Drop superfluous error/debug messages after malloc failures - ALSA: seq: Fix leak of pool buffer at concurrent writes - dmaengine: dw: disable BLOCK IRQs for non-cyclic xfer - tracepoints: Do not trace when cpu is offline - tracing: Fix freak link error caused by branch tracer - ALSA: seq: Fix double port list deletion - drm/radeon: use post-decrement in error handling - drm/qxl: use kmalloc_array to alloc reloc_info in qxl_process_single_command - ext4: fix bh->b_state corruption - ext4: fix crashes in dioread_nolock mode - kernel/resource.c: fix muxed resource handling in __request_region() - nfs: fix nfs_size_to_loff_t - xen/pciback: Check PF instead of VF for PCI_COMMAND_MEMORY - xen/pciback: Save the number of MSI-X entries to be copied later. (Closes: #810379) - xen/pcifront: Fix mysterious crashes when NUMA locality information was extracted. - usb: dwc3: Fix assignment of EP transfer resources - NFSv4: Fix a dentry leak on alias use - hwmon: (ads1015) Handle negative conversion values correctly - can: ems_usb: Fix possible tx overflow - drm/radeon/pm: adjust display configuration after powerstate - sunrpc/cache: fix off-by-one in qword_get() - KVM: async_pf: do not warn on page allocation failures - tracing: Fix showing function event in available_events - libceph: don't bail early from try_read() when skipping a message - ALSA: hda - Fixing background noise on Dell Inspiron 3162 - [x86] KVM: MMU: fix ubsan index-out-of-range warning - [x86] ALSA: hda - Fix headset support and noise on HP EliteBook 755 G2 - hpfs: don't truncate the file when delete fails - do_last(): don't let a bogus return value from ->open() et.al. to confuse us - [armel/kirkwood] dts: use unique machine name for ds112 - bonding: Fix ARP monitor validation - af_unix: Don't set err in unix_stream_read_generic unless there was an error - net: phy: bcm7xxx: Fix shadow mode 2 disabling - net/mlx4_en: Count HW buffer overrun only once - net/mlx4_en: Choose time-stamping shift value according to HW frequency - net/mlx4_en: Avoid changing dev->features directly in run-time - unix_diag: fix incorrect sign extension in unix_lookup_by_ino - af_iucv: Validate socket address length in iucv_sock_bind() - net: dp83640: Fix tx timestamp overflow handling. - tcp: fix NULL deref in tcp_v4_send_ack() - ipv6/udp: use sticky pktinfo egress ifindex on connect() - tg3: Fix for tg3 transmit queue 0 timed out when too many gso_segs - ipv4: fix memory leaks in ip_cmsg_send() callers - pppoe: fix reference counting in PPPoE proxy - route: check and remove route cache when we get route - rtnl: RTM_GETNETCONF: fix wrong return value - sctp: Fix port hash table size computation - target: Fix LUN_RESET active TMR descriptor handling - target: Fix LUN_RESET active I/O handling for ACK_KREF - target: Fix TAS handling for multi-session se_node_acls - target: Fix remote-port TMR ABORT + se_cmd fabric stop - target: Fix race with SCF_SEND_DELAYED_TAS handling - libata: fix HDIO_GET_32BIT ioctl - [media] adv7604: fix tx 5v detect regression - [armhf] usb: chipidea: otg: change workqueue ci_otg as freezable - Revert "jffs2: Fix lock acquisition order bug in jffs2_write_begin" - jffs2: Fix page lock / f->sem deadlock - Fix directory hardlinks from deleted directories - [x86] iommu/amd: Fix boot warning when device 00:00.0 is not iommu covered - vfio: fix ioctl error handling - ALSA: timer: Fix broken compat timer user status ioctl - cifs: fix out-of-bounds access in lease parsing - CIFS: Fix SMB2+ interim response processing for read requests - Fix cifs_uniqueid_to_ino_t() function for s390x - [arm*] KVM: Fix ioctl error handling - ALSA: hdspm: Fix wrong boolean ctl value accesses - ALSA: hdspm: Fix zero-division - ALSA: hdsp: Fix wrong boolean ctl value accesses - ALSA: seq: oss: Don't drain at closing a client - drm/ast: Fix incorrect register check for DRAM width - drm/radeon/pm: update current crtc info after setting the powerstate - PM / sleep / x86: Fix crash on graph trace through x86 suspend - ALSA: hda - Fix mic issues on Acer Aspire E1-472 - [mips*] traps: Fix SIGFPE information leak from `do_ov' and `do_trap_or_bp' - ubi: Fix out of bounds write in volume update code - IB/core: Use GRH when the path hop-limit > 0 - wext: fix message delay/ordering - cfg80211/wext: fix message ordering - mac80211: fix use of uninitialised values in RX aggregation - mac80211: minstrel_ht: set default tx aggregation timeout to 0 - can: gs_usb: fixed disconnect bug by removing erroneous use of kfree() - target: Drop incorrect ABORT_TASK put for completed commands - [powerpc*] KVM: Book3S HV: Sanitize special-purpose register values on guest exit - [x86] KVM: VMX: disable PEBS before a guest entry - Revert "drm/radeon/pm: adjust display configuration after powerstate" - tcp: convert cached rtt from usec to jiffies when feeding initial rto - net/mlx4_core: Allow resetting VF admin mac to zero - mld, igmp: Fix reserved tailroom calculation - ipv6: re-enable fragment header matching in ipv6_find_hdr - net: moxa: fix an error code - ext4: iterate over buffer heads correctly in move_extent_per_page() - bcache: add mutex lock for bch_is_open - [x86] KVM: move steal time initialization to vcpu entry time - efi: Use ucs2_as_utf8 in efivarfs instead of open coding a bad version - efi: Do variable name validation tests in utf8 - efi: Make our variable validation list include the guid - efi: Make efivarfs entries immutable by default - efi: Add pstore variables to the deletion whitelist - lib/ucs2_string: Correct ucs2 -> utf8 conversion - tracing: Fix check for cpu online when event is disabled http://kernel.ubuntu.com/stable/ChangeLog-3.16.7-ckt27 - USB: iowarrior: fix oops with malicious USB descriptors (CVE-2016-2188) - cpu: Defer smpboot kthread unparking until CPU known to scheduler - ipr: Fix out-of-bounds null overwrite - ipr: Fix regression when loading firmware - ceph: fix request time stamp encoding (Closes: #823907) - staging: comedi: ni_tiocmd: change mistaken use of start_src for start_arg - drm/radeon: hold reference to fences in radeon_sa_bo_new (3.17 and older) - [x86] Drivers: hv: vmbus: prevent cpu offlining on newer hypervisors https://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.16.35 - [x86] EDAC, amd64_edac: Shift wrapping issue in f1x_get_norm_dct_addr() - [x86] crypto: ccp - Add hash state import and export support - [armhf] PCI: imx6: Remove broken Gen2 workaround - [armhf] PCI: imx6: Move link up check into imx6_pcie_wait_for_link() - tty: Fix GPF in flush_to_ldisc(), part 2 - media: v4l2-compat-ioctl32: fix missing length copy in put_v4l2_buffer32 - [x86] crypto: ccp - Limit the amount of information exported - xc2028: avoid use after free - xc2028: unlock on error in xc2028_set_config() - nbd: ratelimit error msgs after socket close - [x86] crypto: ccp - Don't assume export/import areas are aligned - 8250: use callbacks to access UART_DLL/UART_DLM - net: irda: Fix use-after-free in irtty_open() - [armhf] dts: armada-375: use armada-370-sata for SATA - mtd: map: fix .set_vpp() documentation - usb: retry reset if a device times out - HID: logitech: fix Dual Action gamepad support - HID: core: do not scan reports if the group is already set - HID: fix hid_ignore_special_drivers module parameter - [armhf] regulator: s5m8767: fix get_register() error handling - saa7134: Fix bytesperline not being set correctly for planar formats - [armhf] OMAP3: Add cpuidle parameters table for omap3430 - [x86] mei: fix possible integer overflow issue - [x86] mei: fix format string in debug prints - aacraid: Fix memory leak in aac_fib_map_free - mac80211: fix unnecessary frame drops in mesh fwding - mac80211: avoid excessive stack usage in sta_info - mac80211: fix memory leak - mtd: onenand: fix deadlock in onenand_block_markbad - [armel/versatile] clk: sp810: support reentrance - md/raid5: Compare apples to apples (or sectors to sectors) - [x86] crypto: ccp - memset request context to zero during import - mmc: sdhci: fix data timeout - IB/srpt: Simplify srpt_handle_tsk_mgmt() - bttv: Width must be a multiple of 16 when capturing planar formats - nfsd4: fix bad bounds checking - net/mlx5: Make command timeout way shorter - xfs: fix two memory leaks in xfs_attr_list.c error paths - drivers/misc/ad525x_dpot: AD5274 fix RDAC read back errors - mtip32xx: Fix broken service thread handling - mtip32xx: Remove unwanted code from taskfile error handler - mtip32xx: Avoid issuing standby immediate cmd during FTL rebuild - [amd64] clk: xgene: Add missing parenthesis when clearing divider value - of: alloc anywhere from memblock if range not specified - usb: hub: fix a typo in hub_port_init() leading to wrong logic - [x86] KVM: i8254: change PIT discard tick policy - sched/cputime: Fix steal time accounting vs. CPU hotplug - ipvs: correct initial offset of Call-ID header search in SIP persistence engine - mwifiex: fix corner case association failure - perf/core: Fix perf_sched_count derailment - [x86] perf/intel: Use PAGE_SIZE for PEBS buffer size on Core2 - [x86] perf/intel: Fix PEBS warning by only restoring active PMU in pmi - [x86] perf/intel: Add definition for PT PMI bit - [x86] perf/pebs: Add workaround for broken OVFL status on HSW+ - [x86] perf/intel: Fix PEBS data source interpretation on Nehalem/Westmere - sched/cputime: Fix steal_account_process_tick() to always return jiffies - bcache: Fix more early shutdown bugs - bcache: cleaned up error handling around register_cache() - bcache: fix cache_set_flush() NULL pointer dereference on OOM - [x86] PCI: Mark Broadwell-EP Home Agent & PCU as having non-compliant BARs - be2iscsi: set the boot_kset pointer to NULL in case of failure - [x86] drm/radeon: add a PX quirk list - [x86] drm/radeon: add PX quirk for asus K53TK - drm/radeon: Don't drop DP 2.7 Ghz link setup on some cards. - sg: fix dxferp in from_to case - jbd2: fix FS corruption possibility in jbd2_journal_destroy() on umount path - sctp: fix the transports round robin issue when init is retransmitted - [x86] ALSA: intel8x0: Add clock quirk entry for AD1981B on IBM ThinkPad X41. - fuse: do not use iocb after it may have been freed - [s390x] pci: extract software counters from fmb - [s390x] pci: enforce fmb page boundary rule - net: Fix use after free in the recvmmsg exit path - mlx4: add missing braces in verify_qp_parameters - ath9k: fix buffer overrun for ar9287 - md: multipath: don't hardcopy bio in .make_request path - HID: i2c-hid: fix OOB write in i2c_hid_set_or_send_report() - ALSA: hda - Fix unconditional GPIO toggle via automute - gpiolib: Fix comment referring to gpio_*() in gpiod_*() - nfsd: fix deadlock secinfo+readdir compound - vfs: show_vfsstat: do not ignore errors from show_devname method - ppp: ensure file->private_data can't be overridden - [x86] iopl: Fix iopl capability check on Xen PV - sunrpc/cache: drop reference when sunrpc_cache_pipe_upcall() detects a race - Input: ims-pcu - sanity check against missing interfaces - Input: synaptics - handle spurious release of trackstick buttons, again - [x86] apic: Fix suspicious RCU usage in smp_trace_call_function_interrupt() - USB: usb_driver_claim_interface: add sanity checking - tracing: Have preempt(irqs)off trace preempt disabled functions - lpfc: fix misleading indentation - tracing: Fix crash from reading trace_pipe with sendfile - splice: handle zero nr_pages in splice_to_pipe() - ethernet: micrel: fix some error codes - tunnels: Don't apply GRO to multiple layers of encapsulation. - [armhf] mdio-sun4i: oops in error handling in probe - target: Fix target_release_cmd_kref shutdown comp leak - [x86] KVM: VMX: avoid guest hang on invalid invept instruction - [x86] KVM: fix spin_lock_init order on x86 - tracing: Fix trace_printk() to print when not using bprintk() - fs/coredump: prevent fsuid=0 dumps into user-controlled directories - [x86] ALSA: hda - Asus N750JV external subwoofer fixup - [x86] ALSA: hda - Fix white noise on Asus N750JV headphone - [x86] ALSA: hda - Apply fix for white noise on Asus N550JV, too - [x86] ideapad-laptop: Add ideapad Y700 (15) to the no_hw_rfkill DMI list - drm/radeon: add a dpm quirk for sapphire Dual-X R7 370 2G D5 - ocfs2/dlm: fix race between convert and recovery - ocfs2/dlm: fix BUG in dlm_move_lockres_to_recovery_list - hwmon: (max1111) Return -ENODEV from max1111_read_channel if not instantiated - drm/radeon: add another R7 370 quirk - drm/radeon: add a dpm quirk for all R7 370 parts - ALSA: usb-audio: Minor code cleanup in create_fixed_stream_quirk() - ALSA: usb-audio: Fix double-free in error paths after snd_usb_add_audio_stream() call - sd: Fix excessive capacity printing on devices with blocks bigger than 512 bytes - drm/dp: move hw_mutex up the call stack - drm/udl: Use unlocked gem unreferencing - ext4: add lockdep annotations for i_data_sem - [x86] ALSA: hda - fix front mic problem for a HP desktop - [x86] KVM: Inject pending interrupt even if pending nmi exist - ALSA: timer: Use mod_timer() for rearming the system timer - mm: fix invalid node in alloc_migrate_target() - xen/events: Mask a moving irq - compiler-gcc: disable -ftracer for __noclone functions - ip6_tunnel: set rtnl_link_ops before calling register_netdevice - Btrfs: fix file/data loss caused by fsync after rename and new inode - [armhf] gpio: pca953x: Use correct u16 value for register word write - ext4: fix NULL pointer dereference in ext4_mark_inode_dirty() - net: jme: fix suspend/resume on JMC260 - sctp: lack the check for ports in sctp_v6_cmp_addr - cdc_ncm: toggle altsetting to force reset before setup - udp6: fix UDP/IPv6 encap resubmit path - macvtap: always pass ethernet header in linear - farsync: fix off-by-one bug in fst_add_one - qlge: Fix receive packets drop. - xfrm: Fix crash observed during device unregistration and decryption - tun, bpf: fix suspicious RCU usage in tun_{attach, detach}_filter - ipv4: l2tp: fix a potential issue in l2tp_ip_recv - ipv6: l2tp: fix a potential issue in l2tp_ip6_recv - ipv6: Count in extension headers in skb->network_header - jme: Do not enable NIC WoL functions on S0 - jme: Fix device PM wakeup API usage - netfilter: x_tables: fix unconditional helper - crypto: gcm - Fix rfc4543 decryption crash https://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.16.36 - [x86] ASoC: rt5640: Correct the digital interface data select - HID: usbhid: fix inconsistent reset/resume/reset-resume behavior - [armhf] OMAP2+: Only write the sysconfig on idle when necessary - [armhf] OMAP2+: hwmod: Fix updating of sysconfig register - [armhf] regulator: s2mps11: Fix invalid selector mask and voltages for buck9 - drm/qxl: fix cursor position with non-zero hotspot - libahci: save port map for forced port map - [s390x] scm_blk: fix deadlock for requests != REQ_TYPE_FS - assoc_array: don't call compare_object() on a node - [x86] kvm: do not leak guest xcr0 into host interrupt handlers - [x86] ALSA: usb-audio: Skip volume controls triggers hangup on Dell USB Dock - nl80211: check netlink protocol in socket release notification - lib: lz4: fixed zram with lz4 on big endian machines - [x86] usb: xhci: applying XHCI_PME_STUCK_QUIRK to Intel BXT B0 host - usb: xhci: fix wild pointers in xhci_mem_cleanup - USB: uas: Add a new NO_REPORT_LUNS quirk - usb: hcd: out of bounds access in for_each_companion - packet: fix heap info leak in PACKET_DIAG_MCLIST sock_diag interface - regmap: spmi: Fix regmap_spmi_ext_read in multi-byte case - pinctrl: single: Fix pcs_parse_bits_in_pinctrl_entry to use __ffs than ffs - [x86] crypto: ccp - Prevent information leakage on export - [s390x] spinlock: avoid yield to non existent cpu - [x86] drm/i915/userptr: Hold mmref whilst calling get-user-pages - [powerpc*] scan_features() updates incorrect bits for REAL_LE - drm/radeon: add a quirk for a XFX R9 270X - futex: Acknowledge a new waiter in counter before plist - [armhf] net: ethernet: davinci_emac: Fix Unbalanced pm_runtime_enable - [armhf] net: ethernet: davinci_emac: Fix platform_data overwrite - [s390x] hugetlb: add hugepages_supported define - [armhf] i2c: exynos5: Fix possible ABBA deadlock by keeping I2C clock prepared - efi: Fix out-of-bounds read in variable_matches() - batman-adv: Check skb size before using encapsulated ETH+VLAN header - batman-adv: Reduce refcnt of removed router when updating route - batman-adv: Fix broadcast/ogm queue limit on a removed interface - libceph: kfree() in put_osd() shouldn't depend on authorizer - libceph: make authorizer destruction independent of ceph_auth_client - net/mlx4_en: fix spurious timestamping callbacks - [x86] ALSA: hda - Add dock support for ThinkPad X260 - workqueue: fix ghost PENDING flag while doing MQ IO - [x86] drm/i915: Fix system resume if PCI device remained enabled - [armhf] SoCFPGA: Fix secondary CPU startup in thumb2 kernel - rbd: fix rbd map vs notify races - mm/huge_memory: replace VM_NO_THP VM_BUG_ON with actual VMA check - batman-adv: Fix invalid stack access in batadv_dat_select_candidates - batman-adv: fix DAT candidate selection (must use vid) - batman-adv: Fix reference counting of vlan object for tt_local_entry - [x86] EDAC: i7core, sb_edac: Don't return NOTIFY_BAD from mce_decoder callback - atomic_open(): fix the handling of create_error - [x86] Drivers: hv_vmbus: Fix signal to host condition - [x86] Drivers: hv: vmbus: Fix signaling logic in hv_need_to_signal_on_read() - [powerpc*] Fix bad inline asm constraint in create_zero_mask() - Make hash_64() use a 64-bit multiply when appropriate - Minimal fix-up of bad hashing behavior of hash_64() - tracing: Don't display trigger file for events that can't be enabled - drm/radeon: make sure vertical front porch is at least 1 - ACPICA: Dispatcher: Update thread ID for recursive method calls - crypto: hash - Fix page length clamping in hash walk - [x86] sysfb_efi: Fix valid BAR address range check - drm/radeon: fix PLL sharing on DCE6.1 (v2) - proc: prevent accessing /proc//environ until it's ready - [x86] tsc: Read all ratio bits from MSR_PLATFORM_INFO - macvtap: segmented packet is consumed - [x86] ALSA: hda - Fix white noise on Asus UX501VW headset - [x86] drm/i915: Bail out of pipe config compute loop on LPT - [x86] ALSA: hda - Fix subwoofer pin on ASUS N751 and N551 - ocfs2: dereferencing freed pointers in ocfs2_reflink() - ocfs2: fix posix_acl_create deadlock - nf_conntrack: avoid kernel pointer value leak in slab name - xfs: introduce and use mmap/truncate lock - [arm64] kernel: fix architected PMU registers unconditional access - mm/balloon_compaction: redesign ballooned pages management - mm/balloon_compaction: fix deflation when compaction is disabled - sched: Replace post_schedule with a balance callback list - sched: Allow balance callbacks for check_class_changed() - sched, rt: Convert switched_{from, to}_rt() / prio_changed_rt() to balance callbacks - sched, dl: Convert switched_{from, to}_dl() / prio_changed_dl() to balance callbacks . [ Ben Hutchings ] * [amd64] KVM: bit-ops emulation ignores offset on 64-bit (Closes: #818502) * linux-headers: Avoid mixed implicit and normal rules in Makefile, thanks to Thierry Herbelot (Closes: #822666) * Revert "libata: Align ata_device's id on a cacheline" to avoid ABI change * Revert "net/ipv6: add sysctl option accept_ra_min_hop_limit" to avoid ABI change * stable-update: Rewrite stable-update.sh in Python * [s390x] PCI: Ignore zpci ABI changes; these functions are not used by modules * aufs: Make fcntl(F_SETFL, ...) work (Closes: #627782): - for aufs: new f_op->setfl() to support fcntl(F_SETFL) - aufs: implement new f_op->setfl() - fs: Fix ABI change for aufs F_SETFL fix * libceph: Ignore ABI changes; these functions are only used by the ceph filesystem * migrate, sched: Fix ABI changes * batman-adv: Fix double-put of vlan object * [x86] thunderbolt: Fix double free of drom buffer . [ Aurelien Jarno ] * [mips*] Emulate unaligned LDXC1 and SDXC1 instructions. . [ Salvatore Bonaccorso ] * [x86] Add Skylake audio support. Thanks to Yann Soubeyrand and Florian Gillot (Closes: #810219) - ALSA: hda_controller: Separate stream_tag for input and output - ALSA: hda_intel: apply the Seperate stream_tag for Skylake - ALSA: hda_intel: apply the Seperate stream_tag for Sunrise Point * arcmsr: Backport changes up to Linux 4.5 (Closes: #826004) linux (3.16.36-1) jessie; urgency=medium . * New upstream stable update: http://kernel.ubuntu.com/stable/ChangeLog-3.16.7-ckt26 - [x86] Revert "firmware: dmi_scan: Fix UUID endianness for SMBIOS >= 2.6" - [x86] iommu/vt-d: Fix 64-bit accesses to 32-bit DMAR_GSTS_REG - [x86] drm/i915/dsi: defend gpio table against out of bounds access - [x86] drm/i915/dsi: don't pass arbitrary data to sideband - [x86] drm/i915: fix error path in intel_setup_gmbus() - cifs: fix erroneous return value - [s390x] dasd: prevent incorrect length error under z/VM after PAV changes - [s390x] dasd: fix refcount for PAV reassignment - scsi: fix soft lockup in scsi_remove_target() on module removal - ext4: fix potential integer overflow - ext4: don't read blocks from disk after extents being swapped - bio: return EINTR if copying to user space got interrupted - ALSA: seq: Drop superfluous error/debug messages after malloc failures - ALSA: seq: Fix leak of pool buffer at concurrent writes - dmaengine: dw: disable BLOCK IRQs for non-cyclic xfer - tracepoints: Do not trace when cpu is offline - tracing: Fix freak link error caused by branch tracer - ALSA: seq: Fix double port list deletion - drm/radeon: use post-decrement in error handling - drm/qxl: use kmalloc_array to alloc reloc_info in qxl_process_single_command - ext4: fix bh->b_state corruption - ext4: fix crashes in dioread_nolock mode - kernel/resource.c: fix muxed resource handling in __request_region() - nfs: fix nfs_size_to_loff_t - xen/pciback: Check PF instead of VF for PCI_COMMAND_MEMORY - xen/pciback: Save the number of MSI-X entries to be copied later. (Closes: #810379) - xen/pcifront: Fix mysterious crashes when NUMA locality information was extracted. - usb: dwc3: Fix assignment of EP transfer resources - NFSv4: Fix a dentry leak on alias use - hwmon: (ads1015) Handle negative conversion values correctly - can: ems_usb: Fix possible tx overflow - drm/radeon/pm: adjust display configuration after powerstate - sunrpc/cache: fix off-by-one in qword_get() - KVM: async_pf: do not warn on page allocation failures - tracing: Fix showing function event in available_events - libceph: don't bail early from try_read() when skipping a message - ALSA: hda - Fixing background noise on Dell Inspiron 3162 - [x86] KVM: MMU: fix ubsan index-out-of-range warning - [x86] ALSA: hda - Fix headset support and noise on HP EliteBook 755 G2 - hpfs: don't truncate the file when delete fails - do_last(): don't let a bogus return value from ->open() et.al. to confuse us - [armel/kirkwood] dts: use unique machine name for ds112 - bonding: Fix ARP monitor validation - af_unix: Don't set err in unix_stream_read_generic unless there was an error - net: phy: bcm7xxx: Fix shadow mode 2 disabling - net/mlx4_en: Count HW buffer overrun only once - net/mlx4_en: Choose time-stamping shift value according to HW frequency - net/mlx4_en: Avoid changing dev->features directly in run-time - unix_diag: fix incorrect sign extension in unix_lookup_by_ino - af_iucv: Validate socket address length in iucv_sock_bind() - net: dp83640: Fix tx timestamp overflow handling. - tcp: fix NULL deref in tcp_v4_send_ack() - ipv6/udp: use sticky pktinfo egress ifindex on connect() - tg3: Fix for tg3 transmit queue 0 timed out when too many gso_segs - ipv4: fix memory leaks in ip_cmsg_send() callers - pppoe: fix reference counting in PPPoE proxy - route: check and remove route cache when we get route - rtnl: RTM_GETNETCONF: fix wrong return value - sctp: Fix port hash table size computation - target: Fix LUN_RESET active TMR descriptor handling - target: Fix LUN_RESET active I/O handling for ACK_KREF - target: Fix TAS handling for multi-session se_node_acls - target: Fix remote-port TMR ABORT + se_cmd fabric stop - target: Fix race with SCF_SEND_DELAYED_TAS handling - libata: fix HDIO_GET_32BIT ioctl - [media] adv7604: fix tx 5v detect regression - [armhf] usb: chipidea: otg: change workqueue ci_otg as freezable - Revert "jffs2: Fix lock acquisition order bug in jffs2_write_begin" - jffs2: Fix page lock / f->sem deadlock - Fix directory hardlinks from deleted directories - [x86] iommu/amd: Fix boot warning when device 00:00.0 is not iommu covered - vfio: fix ioctl error handling - ALSA: timer: Fix broken compat timer user status ioctl - cifs: fix out-of-bounds access in lease parsing - CIFS: Fix SMB2+ interim response processing for read requests - Fix cifs_uniqueid_to_ino_t() function for s390x - [arm*] KVM: Fix ioctl error handling - ALSA: hdspm: Fix wrong boolean ctl value accesses - ALSA: hdspm: Fix zero-division - ALSA: hdsp: Fix wrong boolean ctl value accesses - ALSA: seq: oss: Don't drain at closing a client - drm/ast: Fix incorrect register check for DRAM width - drm/radeon/pm: update current crtc info after setting the powerstate - PM / sleep / x86: Fix crash on graph trace through x86 suspend - ALSA: hda - Fix mic issues on Acer Aspire E1-472 - [mips*] traps: Fix SIGFPE information leak from `do_ov' and `do_trap_or_bp' - ubi: Fix out of bounds write in volume update code - IB/core: Use GRH when the path hop-limit > 0 - wext: fix message delay/ordering - cfg80211/wext: fix message ordering - mac80211: fix use of uninitialised values in RX aggregation - mac80211: minstrel_ht: set default tx aggregation timeout to 0 - can: gs_usb: fixed disconnect bug by removing erroneous use of kfree() - target: Drop incorrect ABORT_TASK put for completed commands - [powerpc*] KVM: Book3S HV: Sanitize special-purpose register values on guest exit - [x86] KVM: VMX: disable PEBS before a guest entry - Revert "drm/radeon/pm: adjust display configuration after powerstate" - tcp: convert cached rtt from usec to jiffies when feeding initial rto - net/mlx4_core: Allow resetting VF admin mac to zero - mld, igmp: Fix reserved tailroom calculation - ipv6: re-enable fragment header matching in ipv6_find_hdr - net: moxa: fix an error code - ext4: iterate over buffer heads correctly in move_extent_per_page() - bcache: add mutex lock for bch_is_open - [x86] KVM: move steal time initialization to vcpu entry time - efi: Use ucs2_as_utf8 in efivarfs instead of open coding a bad version - efi: Do variable name validation tests in utf8 - efi: Make our variable validation list include the guid - efi: Make efivarfs entries immutable by default - efi: Add pstore variables to the deletion whitelist - lib/ucs2_string: Correct ucs2 -> utf8 conversion - tracing: Fix check for cpu online when event is disabled http://kernel.ubuntu.com/stable/ChangeLog-3.16.7-ckt27 - USB: iowarrior: fix oops with malicious USB descriptors (CVE-2016-2188) - cpu: Defer smpboot kthread unparking until CPU known to scheduler - ipr: Fix out-of-bounds null overwrite - ipr: Fix regression when loading firmware - ceph: fix request time stamp encoding (Closes: #823907) - staging: comedi: ni_tiocmd: change mistaken use of start_src for start_arg - drm/radeon: hold reference to fences in radeon_sa_bo_new (3.17 and older) - [x86] Drivers: hv: vmbus: prevent cpu offlining on newer hypervisors https://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.16.35 - [x86] EDAC, amd64_edac: Shift wrapping issue in f1x_get_norm_dct_addr() - [x86] crypto: ccp - Add hash state import and export support - [armhf] PCI: imx6: Remove broken Gen2 workaround - [armhf] PCI: imx6: Move link up check into imx6_pcie_wait_for_link() - tty: Fix GPF in flush_to_ldisc(), part 2 - media: v4l2-compat-ioctl32: fix missing length copy in put_v4l2_buffer32 - [x86] crypto: ccp - Limit the amount of information exported - xc2028: avoid use after free - xc2028: unlock on error in xc2028_set_config() - nbd: ratelimit error msgs after socket close - [x86] crypto: ccp - Don't assume export/import areas are aligned - 8250: use callbacks to access UART_DLL/UART_DLM - net: irda: Fix use-after-free in irtty_open() - [armhf] dts: armada-375: use armada-370-sata for SATA - mtd: map: fix .set_vpp() documentation - usb: retry reset if a device times out - HID: logitech: fix Dual Action gamepad support - HID: core: do not scan reports if the group is already set - HID: fix hid_ignore_special_drivers module parameter - [armhf] regulator: s5m8767: fix get_register() error handling - saa7134: Fix bytesperline not being set correctly for planar formats - [armhf] OMAP3: Add cpuidle parameters table for omap3430 - [x86] mei: fix possible integer overflow issue - [x86] mei: fix format string in debug prints - aacraid: Fix memory leak in aac_fib_map_free - mac80211: fix unnecessary frame drops in mesh fwding - mac80211: avoid excessive stack usage in sta_info - mac80211: fix memory leak - mtd: onenand: fix deadlock in onenand_block_markbad - [armel/versatile] clk: sp810: support reentrance - md/raid5: Compare apples to apples (or sectors to sectors) - [x86] crypto: ccp - memset request context to zero during import - mmc: sdhci: fix data timeout - IB/srpt: Simplify srpt_handle_tsk_mgmt() - bttv: Width must be a multiple of 16 when capturing planar formats - nfsd4: fix bad bounds checking - net/mlx5: Make command timeout way shorter - xfs: fix two memory leaks in xfs_attr_list.c error paths - drivers/misc/ad525x_dpot: AD5274 fix RDAC read back errors - mtip32xx: Fix broken service thread handling - mtip32xx: Remove unwanted code from taskfile error handler - mtip32xx: Avoid issuing standby immediate cmd during FTL rebuild - [amd64] clk: xgene: Add missing parenthesis when clearing divider value - of: alloc anywhere from memblock if range not specified - usb: hub: fix a typo in hub_port_init() leading to wrong logic - [x86] KVM: i8254: change PIT discard tick policy - sched/cputime: Fix steal time accounting vs. CPU hotplug - ipvs: correct initial offset of Call-ID header search in SIP persistence engine - mwifiex: fix corner case association failure - perf/core: Fix perf_sched_count derailment - [x86] perf/intel: Use PAGE_SIZE for PEBS buffer size on Core2 - [x86] perf/intel: Fix PEBS warning by only restoring active PMU in pmi - [x86] perf/intel: Add definition for PT PMI bit - [x86] perf/pebs: Add workaround for broken OVFL status on HSW+ - [x86] perf/intel: Fix PEBS data source interpretation on Nehalem/Westmere - sched/cputime: Fix steal_account_process_tick() to always return jiffies - bcache: Fix more early shutdown bugs - bcache: cleaned up error handling around register_cache() - bcache: fix cache_set_flush() NULL pointer dereference on OOM - [x86] PCI: Mark Broadwell-EP Home Agent & PCU as having non-compliant BARs - be2iscsi: set the boot_kset pointer to NULL in case of failure - [x86] drm/radeon: add a PX quirk list - [x86] drm/radeon: add PX quirk for asus K53TK - drm/radeon: Don't drop DP 2.7 Ghz link setup on some cards. - sg: fix dxferp in from_to case - jbd2: fix FS corruption possibility in jbd2_journal_destroy() on umount path - sctp: fix the transports round robin issue when init is retransmitted - [x86] ALSA: intel8x0: Add clock quirk entry for AD1981B on IBM ThinkPad X41. - fuse: do not use iocb after it may have been freed - [s390x] pci: extract software counters from fmb - [s390x] pci: enforce fmb page boundary rule - net: Fix use after free in the recvmmsg exit path - mlx4: add missing braces in verify_qp_parameters - ath9k: fix buffer overrun for ar9287 - md: multipath: don't hardcopy bio in .make_request path - HID: i2c-hid: fix OOB write in i2c_hid_set_or_send_report() - ALSA: hda - Fix unconditional GPIO toggle via automute - gpiolib: Fix comment referring to gpio_*() in gpiod_*() - nfsd: fix deadlock secinfo+readdir compound - vfs: show_vfsstat: do not ignore errors from show_devname method - ppp: ensure file->private_data can't be overridden - [x86] iopl: Fix iopl capability check on Xen PV - sunrpc/cache: drop reference when sunrpc_cache_pipe_upcall() detects a race - Input: ims-pcu - sanity check against missing interfaces - Input: synaptics - handle spurious release of trackstick buttons, again - [x86] apic: Fix suspicious RCU usage in smp_trace_call_function_interrupt() - USB: usb_driver_claim_interface: add sanity checking - tracing: Have preempt(irqs)off trace preempt disabled functions - lpfc: fix misleading indentation - tracing: Fix crash from reading trace_pipe with sendfile - splice: handle zero nr_pages in splice_to_pipe() - ethernet: micrel: fix some error codes - tunnels: Don't apply GRO to multiple layers of encapsulation. - [armhf] mdio-sun4i: oops in error handling in probe - target: Fix target_release_cmd_kref shutdown comp leak - [x86] KVM: VMX: avoid guest hang on invalid invept instruction - [x86] KVM: fix spin_lock_init order on x86 - tracing: Fix trace_printk() to print when not using bprintk() - fs/coredump: prevent fsuid=0 dumps into user-controlled directories - [x86] ALSA: hda - Asus N750JV external subwoofer fixup - [x86] ALSA: hda - Fix white noise on Asus N750JV headphone - [x86] ALSA: hda - Apply fix for white noise on Asus N550JV, too - [x86] ideapad-laptop: Add ideapad Y700 (15) to the no_hw_rfkill DMI list - drm/radeon: add a dpm quirk for sapphire Dual-X R7 370 2G D5 - ocfs2/dlm: fix race between convert and recovery - ocfs2/dlm: fix BUG in dlm_move_lockres_to_recovery_list - hwmon: (max1111) Return -ENODEV from max1111_read_channel if not instantiated - drm/radeon: add another R7 370 quirk - drm/radeon: add a dpm quirk for all R7 370 parts - ALSA: usb-audio: Minor code cleanup in create_fixed_stream_quirk() - ALSA: usb-audio: Fix double-free in error paths after snd_usb_add_audio_stream() call - sd: Fix excessive capacity printing on devices with blocks bigger than 512 bytes - drm/dp: move hw_mutex up the call stack - drm/udl: Use unlocked gem unreferencing - ext4: add lockdep annotations for i_data_sem - [x86] ALSA: hda - fix front mic problem for a HP desktop - [x86] KVM: Inject pending interrupt even if pending nmi exist - ALSA: timer: Use mod_timer() for rearming the system timer - mm: fix invalid node in alloc_migrate_target() - xen/events: Mask a moving irq - compiler-gcc: disable -ftracer for __noclone functions - ip6_tunnel: set rtnl_link_ops before calling register_netdevice - Btrfs: fix file/data loss caused by fsync after rename and new inode - [armhf] gpio: pca953x: Use correct u16 value for register word write - ext4: fix NULL pointer dereference in ext4_mark_inode_dirty() - net: jme: fix suspend/resume on JMC260 - sctp: lack the check for ports in sctp_v6_cmp_addr - cdc_ncm: toggle altsetting to force reset before setup - udp6: fix UDP/IPv6 encap resubmit path - macvtap: always pass ethernet header in linear - farsync: fix off-by-one bug in fst_add_one - qlge: Fix receive packets drop. - xfrm: Fix crash observed during device unregistration and decryption - tun, bpf: fix suspicious RCU usage in tun_{attach, detach}_filter - ipv4: l2tp: fix a potential issue in l2tp_ip_recv - ipv6: l2tp: fix a potential issue in l2tp_ip6_recv - ipv6: Count in extension headers in skb->network_header - jme: Do not enable NIC WoL functions on S0 - jme: Fix device PM wakeup API usage - netfilter: x_tables: fix unconditional helper - crypto: gcm - Fix rfc4543 decryption crash https://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.16.36 - [x86] ASoC: rt5640: Correct the digital interface data select - HID: usbhid: fix inconsistent reset/resume/reset-resume behavior - [armhf] OMAP2+: Only write the sysconfig on idle when necessary - [armhf] OMAP2+: hwmod: Fix updating of sysconfig register - [armhf] regulator: s2mps11: Fix invalid selector mask and voltages for buck9 - drm/qxl: fix cursor position with non-zero hotspot - libahci: save port map for forced port map - [s390x] scm_blk: fix deadlock for requests != REQ_TYPE_FS - assoc_array: don't call compare_object() on a node - [x86] kvm: do not leak guest xcr0 into host interrupt handlers - [x86] ALSA: usb-audio: Skip volume controls triggers hangup on Dell USB Dock - nl80211: check netlink protocol in socket release notification - lib: lz4: fixed zram with lz4 on big endian machines - [x86] usb: xhci: applying XHCI_PME_STUCK_QUIRK to Intel BXT B0 host - usb: xhci: fix wild pointers in xhci_mem_cleanup - USB: uas: Add a new NO_REPORT_LUNS quirk - usb: hcd: out of bounds access in for_each_companion - packet: fix heap info leak in PACKET_DIAG_MCLIST sock_diag interface - regmap: spmi: Fix regmap_spmi_ext_read in multi-byte case - pinctrl: single: Fix pcs_parse_bits_in_pinctrl_entry to use __ffs than ffs - [x86] crypto: ccp - Prevent information leakage on export - [s390x] spinlock: avoid yield to non existent cpu - [x86] drm/i915/userptr: Hold mmref whilst calling get-user-pages - [powerpc*] scan_features() updates incorrect bits for REAL_LE - drm/radeon: add a quirk for a XFX R9 270X - futex: Acknowledge a new waiter in counter before plist - [armhf] net: ethernet: davinci_emac: Fix Unbalanced pm_runtime_enable - [armhf] net: ethernet: davinci_emac: Fix platform_data overwrite - [s390x] hugetlb: add hugepages_supported define - [armhf] i2c: exynos5: Fix possible ABBA deadlock by keeping I2C clock prepared - efi: Fix out-of-bounds read in variable_matches() - batman-adv: Check skb size before using encapsulated ETH+VLAN header - batman-adv: Reduce refcnt of removed router when updating route - batman-adv: Fix broadcast/ogm queue limit on a removed interface - libceph: kfree() in put_osd() shouldn't depend on authorizer - libceph: make authorizer destruction independent of ceph_auth_client - net/mlx4_en: fix spurious timestamping callbacks - [x86] ALSA: hda - Add dock support for ThinkPad X260 - workqueue: fix ghost PENDING flag while doing MQ IO - [x86] drm/i915: Fix system resume if PCI device remained enabled - [armhf] SoCFPGA: Fix secondary CPU startup in thumb2 kernel - rbd: fix rbd map vs notify races - mm/huge_memory: replace VM_NO_THP VM_BUG_ON with actual VMA check - batman-adv: Fix invalid stack access in batadv_dat_select_candidates - batman-adv: fix DAT candidate selection (must use vid) - batman-adv: Fix reference counting of vlan object for tt_local_entry - [x86] EDAC: i7core, sb_edac: Don't return NOTIFY_BAD from mce_decoder callback - atomic_open(): fix the handling of create_error - [x86] Drivers: hv_vmbus: Fix signal to host condition - [x86] Drivers: hv: vmbus: Fix signaling logic in hv_need_to_signal_on_read() - [powerpc*] Fix bad inline asm constraint in create_zero_mask() - Make hash_64() use a 64-bit multiply when appropriate - Minimal fix-up of bad hashing behavior of hash_64() - tracing: Don't display trigger file for events that can't be enabled - drm/radeon: make sure vertical front porch is at least 1 - ACPICA: Dispatcher: Update thread ID for recursive method calls - crypto: hash - Fix page length clamping in hash walk - [x86] sysfb_efi: Fix valid BAR address range check - drm/radeon: fix PLL sharing on DCE6.1 (v2) - proc: prevent accessing /proc//environ until it's ready - [x86] tsc: Read all ratio bits from MSR_PLATFORM_INFO - macvtap: segmented packet is consumed - [x86] ALSA: hda - Fix white noise on Asus UX501VW headset - [x86] drm/i915: Bail out of pipe config compute loop on LPT - [x86] ALSA: hda - Fix subwoofer pin on ASUS N751 and N551 - ocfs2: dereferencing freed pointers in ocfs2_reflink() - ocfs2: fix posix_acl_create deadlock - nf_conntrack: avoid kernel pointer value leak in slab name - xfs: introduce and use mmap/truncate lock - [arm64] kernel: fix architected PMU registers unconditional access - mm/balloon_compaction: redesign ballooned pages management - mm/balloon_compaction: fix deflation when compaction is disabled - sched: Replace post_schedule with a balance callback list - sched: Allow balance callbacks for check_class_changed() - sched, rt: Convert switched_{from, to}_rt() / prio_changed_rt() to balance callbacks - sched, dl: Convert switched_{from, to}_dl() / prio_changed_dl() to balance callbacks . [ Ben Hutchings ] * [amd64] KVM: bit-ops emulation ignores offset on 64-bit (Closes: #818502) * linux-headers: Avoid mixed implicit and normal rules in Makefile, thanks to Thierry Herbelot (Closes: #822666) * Revert "libata: Align ata_device's id on a cacheline" to avoid ABI change * Revert "net/ipv6: add sysctl option accept_ra_min_hop_limit" to avoid ABI change * stable-update: Rewrite stable-update.sh in Python * [s390x] PCI: Ignore zpci ABI changes; these functions are not used by modules * aufs: Make fcntl(F_SETFL, ...) work (Closes: #627782): - for aufs: new f_op->setfl() to support fcntl(F_SETFL) - aufs: implement new f_op->setfl() - fs: Fix ABI change for aufs F_SETFL fix * libceph: Ignore ABI changes; these functions are only used by the ceph filesystem * migrate, sched: Fix ABI changes * batman-adv: Fix double-put of vlan object * [x86] thunderbolt: Fix double free of drom buffer . [ Aurelien Jarno ] * [mips*] Emulate unaligned LDXC1 and SDXC1 instructions. . [ Salvatore Bonaccorso ] * [x86] Add Skylake audio support. Thanks to Yann Soubeyrand and Florian Gillot (Closes: #810219) - ALSA: hda_controller: Separate stream_tag for input and output - ALSA: hda_intel: apply the Seperate stream_tag for Skylake - ALSA: hda_intel: apply the Seperate stream_tag for Sunrise Point * arcmsr: Backport changes up to Linux 4.5 (Closes: #826004) linux (3.16.7-ckt25-2+deb8u3) jessie-security; urgency=high . [ Salvatore Bonaccorso ] * Revert "netfilter: ensure number of counters is >0 in do_replace()" Fixes regression introduced in 3.16.7-ckt25-2+deb8u2. Setting rules with ebtables did not work any more. Thanks to Jacob Lundberg (Closes: #828914) . [ Ben Hutchings ] * ALSA: compress: fix an integer overflow check (CVE-2014-9904) * [amd64] misc: mic: Fix for double fetch security bug in VOP driver (CVE-2016-5728) * [powerpc*] tm: Always reclaim in start_thread() for exec() class syscalls (CVE-2016-5828) * HID: hiddev: validate num_values for HIDIOCGUSAGES, HIDIOCSUSAGES commands (CVE-2016-5829) * [s390*] sclp_ctl: fix potential information leak with /dev/sclp (CVE-2016-6130) linux (3.16.7-ckt25-2+deb8u3~bpo70+1) wheezy-backports; urgency=medium . * Rebuild for wheezy: - Disable architectures that weren't part of wheezy - Use gcc-4.6 for all architectures - Change ABI number to 0.bpo.4 - [arm] btrfs: Work around bug in gcc-4.6 (fixes FTBFS) - linux-image: Depend on initramfs-tools without any alternatives, so that neither apt nor aptitude will automatically switch to dracut . linux (3.16.7-ckt25-2+deb8u3) jessie-security; urgency=high . [ Salvatore Bonaccorso ] * Revert "netfilter: ensure number of counters is >0 in do_replace()" Fixes regression introduced in 3.16.7-ckt25-2+deb8u2. Setting rules with ebtables did not work any more. Thanks to Jacob Lundberg (Closes: #828914) . [ Ben Hutchings ] * ALSA: compress: fix an integer overflow check (CVE-2014-9904) * [amd64] misc: mic: Fix for double fetch security bug in VOP driver (CVE-2016-5728) * [powerpc*] tm: Always reclaim in start_thread() for exec() class syscalls (CVE-2016-5828) * HID: hiddev: validate num_values for HIDIOCGUSAGES, HIDIOCSUSAGES commands (CVE-2016-5829) * [s390*] sclp_ctl: fix potential information leak with /dev/sclp (CVE-2016-6130) . linux (3.16.7-ckt25-2+deb8u2) jessie-security; urgency=high . * Fix backport of "netfilter: x_tables: validate targets of jumps" * netfilter: ensure number of counters is >0 in do_replace() . linux (3.16.7-ckt25-2+deb8u1) jessie-security; urgency=high . [ Ben Hutchings ] * include/linux/poison.h: fix LIST_POISON{1,2} offset (CVE-2016-0821) * [s390*] mm: four page table levels vs. fork (CVE-2016-2143) * [amd64] iopl: Properly context-switch IOPL on Xen PV (CVE-2016-3157) * [amd64] entry/compat: Add missing CLAC to entry_INT80_32 * netfilter: x_tables: Fix parsing of IPT_SO_SET_REPLACE blobs (CVE-2016-3134, CVE-2016-4997, CVE-2016-4998) - validate e->target_offset early - make sure e->next_offset covers remaining blob size - fix unconditional helper - don't move to non-existent next rule - validate targets of jumps - add and use xt_check_entry_offsets - kill check_entry helper - assert minimum target size - add compat version of xt_check_entry_offsets - check standard target size too - check for bogus target offset - validate all offsets and sizes in a rule - don't reject valid target size on some - arp_tables: simplify translate_compat_table args - ip_tables: simplify translate_compat_table args - ip6_tables: simplify translate_compat_table args - xt_compat_match_from_user doesn't need a retval - do compat validation via translate_table - introduce and use xt_copy_counters_from_user * Ignore ABI change in x_tables * ipv4: Don't do expensive useless work during inetdev destroy. (CVE-2016-3156) * [x86] standardize mmap_rnd() usage * [x86] mm/32: Enable full randomization on i386 and X86_32 (CVE-2016-3672) * usbnet: Fix possible memory corruption after probe failure (CVE-2016-3951) - cdc_ncm: do not call usbnet_link_change from cdc_ncm_bind - usbnet: cleanup after bind() in probe() * atl2: Disable unimplemented scatter/gather feature (CVE-2016-2117) * mm: hugetlb: allow hugepages_supported to be architecture specific * ecryptfs: fix handling of directory opening * ecryptfs: forbid opening files without mmap handler (CVE-2016-1583) * Input: aiptek - fix crash on detecting device without endpoints (CVE-2015-7515) * ALSA: usb-audio: Fix NULL dereference in create_fixed_stream_quirk() (CVE-2016-2184) * ALSA: usb-audio: Add sanity checks for endpoint accesses * Input: ati_remote2 - fix crashes on detecting device with invalid descriptor (CVE-2016-2185) * Input: powermate - fix oops with malicious USB descriptors (CVE-2016-2186) * Input: gtco - fix crash on detecting device without endpoints (CVE-2016-2187) * USB: mct_u232: add sanity checking in probe (CVE-2016-3136) * USB: cypress_m8: add endpoint sanity check (CVE-2016-3137) * USB: cdc-acm: more sanity checking (CVE-2016-3138) * USB: digi_acceleport: do sanity checking for the number of ports (CVE-2016-3140) * mm: migrate dirty page without clear_page_dirty_for_io etc (CVE-2016-3070) * migrate: Fix ABI change * net: fix infoleak in llc (CVE-2016-4485) * net: fix infoleak in rtnetlink (CVE-2016-4486) * net: fix a kernel infoleak in x25 module (CVE-2016-4580) * IB/security: Restrict use of the write() interface (CVE-2016-4565) * ppp: take reference on channels netns (CVE-2016-4805) * KEYS: potential uninitialized variable (CVE-2016-4470) . [ Salvatore Bonaccorso ] * [x86] USB: usbip: fix potential out-of-bounds write (CVE-2016-3955) * [x86] xen: suppress hugetlbfs in PV guests (CVE-2016-3961) * get_rock_ridge_filename(): handle malformed NM entries (CVE-2016-4913) * fs/pnode.c: treat zero mnt_group_id-s as unequal * propogate_mnt: Handle the first propogated copy being a slave (CVE-2016-4581) * USB: usbfs: fix potential infoleak in devio (CVE-2016-4482) * ALSA: timer: Fix leak in SNDRV_TIMER_IOCTL_PARAMS (CVE-2016-4569) * ALSA: timer: Fix leak in events via snd_timer_user_ccallback or snd_timer_user_tinterrupt (CVE-2016-4578) * tipc: fix an infoleak in tipc_node_get_links (CVE-2016-5243) * rds: fix an infoleak in rds_inc_info_copy (CVE-2016-5244) * nfsd: check permissions when setting ACLs (CVE-2016-1237) linux (3.16.7-ckt25-2+deb8u2) jessie-security; urgency=high . * Fix backport of "netfilter: x_tables: validate targets of jumps" * netfilter: ensure number of counters is >0 in do_replace() linux (3.16.7-ckt25-2+deb8u1) jessie-security; urgency=high . [ Ben Hutchings ] * include/linux/poison.h: fix LIST_POISON{1,2} offset (CVE-2016-0821) * [s390*] mm: four page table levels vs. fork (CVE-2016-2143) * [amd64] iopl: Properly context-switch IOPL on Xen PV (CVE-2016-3157) * [amd64] entry/compat: Add missing CLAC to entry_INT80_32 * netfilter: x_tables: Fix parsing of IPT_SO_SET_REPLACE blobs (CVE-2016-3134, CVE-2016-4997, CVE-2016-4998) - validate e->target_offset early - make sure e->next_offset covers remaining blob size - fix unconditional helper - don't move to non-existent next rule - validate targets of jumps - add and use xt_check_entry_offsets - kill check_entry helper - assert minimum target size - add compat version of xt_check_entry_offsets - check standard target size too - check for bogus target offset - validate all offsets and sizes in a rule - don't reject valid target size on some - arp_tables: simplify translate_compat_table args - ip_tables: simplify translate_compat_table args - ip6_tables: simplify translate_compat_table args - xt_compat_match_from_user doesn't need a retval - do compat validation via translate_table - introduce and use xt_copy_counters_from_user * Ignore ABI change in x_tables * ipv4: Don't do expensive useless work during inetdev destroy. (CVE-2016-3156) * [x86] standardize mmap_rnd() usage * [x86] mm/32: Enable full randomization on i386 and X86_32 (CVE-2016-3672) * usbnet: Fix possible memory corruption after probe failure (CVE-2016-3951) - cdc_ncm: do not call usbnet_link_change from cdc_ncm_bind - usbnet: cleanup after bind() in probe() * atl2: Disable unimplemented scatter/gather feature (CVE-2016-2117) * mm: hugetlb: allow hugepages_supported to be architecture specific * ecryptfs: fix handling of directory opening * ecryptfs: forbid opening files without mmap handler (CVE-2016-1583) * Input: aiptek - fix crash on detecting device without endpoints (CVE-2015-7515) * ALSA: usb-audio: Fix NULL dereference in create_fixed_stream_quirk() (CVE-2016-2184) * ALSA: usb-audio: Add sanity checks for endpoint accesses * Input: ati_remote2 - fix crashes on detecting device with invalid descriptor (CVE-2016-2185) * Input: powermate - fix oops with malicious USB descriptors (CVE-2016-2186) * Input: gtco - fix crash on detecting device without endpoints (CVE-2016-2187) * USB: mct_u232: add sanity checking in probe (CVE-2016-3136) * USB: cypress_m8: add endpoint sanity check (CVE-2016-3137) * USB: cdc-acm: more sanity checking (CVE-2016-3138) * USB: digi_acceleport: do sanity checking for the number of ports (CVE-2016-3140) * mm: migrate dirty page without clear_page_dirty_for_io etc (CVE-2016-3070) * migrate: Fix ABI change * net: fix infoleak in llc (CVE-2016-4485) * net: fix infoleak in rtnetlink (CVE-2016-4486) * net: fix a kernel infoleak in x25 module (CVE-2016-4580) * IB/security: Restrict use of the write() interface (CVE-2016-4565) * ppp: take reference on channels netns (CVE-2016-4805) * KEYS: potential uninitialized variable (CVE-2016-4470) . [ Salvatore Bonaccorso ] * [x86] USB: usbip: fix potential out-of-bounds write (CVE-2016-3955) * [x86] xen: suppress hugetlbfs in PV guests (CVE-2016-3961) * get_rock_ridge_filename(): handle malformed NM entries (CVE-2016-4913) * fs/pnode.c: treat zero mnt_group_id-s as unequal * propogate_mnt: Handle the first propogated copy being a slave (CVE-2016-4581) * USB: usbfs: fix potential infoleak in devio (CVE-2016-4482) * ALSA: timer: Fix leak in SNDRV_TIMER_IOCTL_PARAMS (CVE-2016-4569) * ALSA: timer: Fix leak in events via snd_timer_user_ccallback or snd_timer_user_tinterrupt (CVE-2016-4578) * tipc: fix an infoleak in tipc_node_get_links (CVE-2016-5243) * rds: fix an infoleak in rds_inc_info_copy (CVE-2016-5244) * nfsd: check permissions when setting ACLs (CVE-2016-1237) lxc (1:1.0.6-6+deb8u3) jessie; urgency=medium . * 0023-lxc-debian-make-sure-init-is-installed.patch: make sure stretch/sid containers have an init system, after init 1.34 dropped the `Essential: yes` header. mariadb-10.0 (10.0.27-0+deb8u1) jessie; urgency=low . * New upstream release 10.0.27. Includes fix for regression in powerpc builds (Closes: #832931). mariadb-10.0 (10.0.26-3) unstable; urgency=low . [ Dieter Adriaenssens ] * Add DEP-12 formatted upstream metadata file (Closes: #808421) . [ Vicențiu Ciorbaru ] * Update innodb_xtradb patch to introduce memory barrier after lock * Fix failing shutdown with gcc v6 . [ Otto Kekäläinen ] * Extend commit d5af196 with old name of package libmariadb-dev-compat * Extend commit 8d2a7c9 and actually install the tokuftdump man page * Update mariadb-test dependencies to include also libmariadbclient18 * Add path to fix for sporadically failing test main.information_schema_stats * d/rules: NUMJOBS must have a default value mariadb-10.0 (10.0.26-2) unstable; urgency=low . [ Vicențiu Ciorbaru ] * Add patch to correctly revert changes from 10.0.26 that caused build failure regression on PPC64el . [ Paul Gevers ] * Add autopkg tests for MariaDB 10.0 (Closes: #809022) . [ Axel Beckert ] * Extend mariadb-server to purge gracefully if datadir is a mountpoint (Closes: #829491) . [ Ian Gilfillan ] * Add a patch to provide a man page for tokuftdump . [ Robie Basak ] * Re-add libmariadbclient18 and libmariadbclient-dev * Add libmariadbclient-dev-compat package . [ Otto Kekäläinen ] * d/control: libmariadbclient18 must be 'Multi-Arch: same' * Make libmariadbclient-dev-compat conflict with libmariadb-dev-compat (Closes: #831229) * Add libmariadbclient-dev as dependency for libmariadbd-dev * Replace hacky sed of libmysqlclient->libmariadbclient with proper patch * Update symbols file to match newest libmariadbclient18 * Updated Danish translation by Joe Hansen (Closes: #830592) * Remove mariadb-plugin-cassandra until libthrif-dev lands in unstable * Make libdbd-mysql-perl and friends Recommends instead of strict Depends (Closes: #793787) * Documentation and spelling fixes * Remove mysqlbug binary as it is not used for MariaDB * Update default config files with more secure TLS examples mariadb-10.0 (10.0.26-2~exp3) experimental; urgency=low . [ Otto Kekäläinen ] * Updated Danish translation by Joe Hansen (Closes: #830592) * Make libmariadbclient-dev-compat conflict with libmariadb-dev-compat (Closes: #831229) . [ Vicențiu Ciorbaru ] * Add patch to correctly revert changes from 10.0.26 that caused build failure regression on PPC64el mariadb-10.0 (10.0.26-2~exp2) experimental; urgency=low . [ Paul Gevers ] * Add autopkg tests for MariaDB 10.0 (Closes: #809022) . [ Otto Kekäläinen ] * d/control: libmariadbclient18 must be 'Multi-Arch: same' mariadb-10.0 (10.0.26-1) unstable; urgency=low . * Updated French translation by Baptiste Jammet (Closes: #826879) * New upstream release 10.0.26 * Refresh patches after 10.0.26 import mariadb-10.0 (10.0.26-0+deb8u1) jessie-security; urgency=high . [ Otto Kekäläinen ] * New upstream release 10.0.26. Includes fixes for the following security vulnerabilities: - CVE-2016-5440 - CVE-2016-3615 - CVE-2016-3521 - CVE-2016-3477 * Update old changelog entries to include new CVE identifiers . [ Vicențiu Ciorbaru ] * Revert InnoDB and XtraDB Power 8 synchronization fix from upstream 10.0.26 to fix failing builds on ppc64el mariadb-10.0 (10.0.25-1) unstable; urgency=low . [ Otto Kekäläinen ] * Revert previous changes tailored for Ubuntu 16.04 compatibility. * New upstream release 10.0.25. Includes fixes for the following security vulnerabilities (Closes: #823325): - CVE-2016-0666 - CVE-2016-0655 - CVE-2016-0648 - CVE-2016-0647 - CVE-2016-0643 * Updated old changelog entries to include new CVE identifiers. * Upstream included changes to logrotate script that supports systems that has multiple mysqld processes running (Closes: #810968). * Updated Dutch translation by Frans Spiesschaert (Closes: #822894). * Updated Spanish translation by Javier Fernández-Sanguino Peña (Closes: #823099). * Updated Russian translation by Yuri Kozlov (Closes: #823422). * Updated German translation by Chris Leick (Closes: #824487). * Updated Brazilian Portuguese translation (Closes: #824644). * Updated Turkish translation by Atila KOÇ (Closes: #825802). * Add patch to provide passwordless root accounts for test suite. * Updated Japanese translation by Takuma Yamada (Closes: #825813). . [ Vicențiu Ciorbaru ] * Backport upstream MDEV-9479 fix: oqgraph fails to build with boost 1.60 mariadb-10.0 (10.0.25-0+deb8u1) jessie-security; urgency=high . * New upstream release 10.0.25. Includes fixes for the following security vulnerabilities (Closes: #823325): - CVE-2016-0666 - CVE-2016-0655 - CVE-2016-0648 - CVE-2016-0647 - CVE-2016-0643 * Includes fixes done in 10.0.24 for the following security vulnerabilities: - CVE-2016-0668 - CVE-2016-0650 - CVE-2016-0649 - CVE-2016-0646 - CVE-2016-0644 - CVE-2016-0641 - CVE-2016-0640 * Updated old changelog entries to include new CVE identifiers. * Upstream included changes to logrotate script that supports systems that has multiple mysqld processes running (Closes: #810968). mariadb-10.0 (10.0.24-7) unstable; urgency=low . * Temporarily remove mariadb-plugin-cassandra as Debian FTP bot thinks it wasn't there before 10.0.24-6 and put the package in the NEW queue. mariadb-10.0 (10.0.24-6) unstable; urgency=low . * Move mysql_embedded from client package to client-core package, equally as is in mysql-client-core-5.6 and -5.7 (LP: #1568077). * Add breaks/replaces for mariadb-client to accommodate the above. * Add conflicts/breaks/replaces for MySQL 5.7 series packages now when mysql-5.7 entered the Ubuntu repositories (LP: #1568285). * Detect properly if there is an incompatible data directory from 5.7, save it to another location and initialize a new data directory so that the installation can complete properly without leaving dpkg in an inconsistent state. * Remove all old passwordless root account lines to close a potential security vulnerability (LP: #1561062). mariadb-10.0 (10.0.24-5) unstable; urgency=low . * Disable sporadically failing rpl_binlog_index test on PowerPC. * Disable another sporadic on amd64 and update all Jira links. * Fix typo in Mroonga prerm script. mariadb-10.0 (10.0.24-4) unstable; urgency=low . * Update contributor documentation to match git-buildpackage version in sid. * Add libxml and unixOBDC as build-depends for ConnectSE as done by in upstream (Closes: #814944). * Upload to via NEW as mariadb-10.0 was accidentally removed from Debian unstable archives. mariadb-10.0 (10.0.24-4~exp1) experimental; urgency=low . * Enable debug build flag and full test suite. Upload to experimental to get extensive build results. mariadb-10.0 (10.0.24-3) unstable; urgency=low . * Fix typo in rules file about Mroonga control section * Add main.delayed test exception to more platforms * Install mysql_embedded man page correctly mariadb-10.0 (10.0.24-2) unstable; urgency=low . * Make new plugin packages breaks+replaces mariadb-server-10.0 as the files used to reside there (Closes: #815377). * Disable main.delayed that has been confirmed to be a false positive caused by built platform resource limits. * Disable multiple s390x tests that only fail on Ubuntu/Launchpad and cannot be reproduced anywhere else. mariadb-10.0 (10.0.24-1) unstable; urgency=low . [Otto Kekäläinen] * New upstream release 10.0.24 - Drop auth_socket patches as MDEV-8375 was partially fixed upstream - Refresh other patches * Update filenames in d/copyright . [Ian Gilfillan] * Add missing mysql_embedded man page mariadb-10.0 (10.0.23-3) unstable; urgency=low . * Add Lintian overrides for TokuDB sources that indeed need autotools files * Split TokuDB, Mroonga, Spider and Cassandra into their own packages and start using new naming scheme 'mariadb-plugin-xzy' and rename existing Connect and OQGraph packages accordingly (Closes: #773727) * There is no need for mariadb-test packages to contain the version in the package name, so remove it. It only makes sense to keep the version number in the client and server packages, which users actually want to pin to. * Update standards version mariadb-10.0 (10.0.23-2) unstable; urgency=low . * Skip unstable Spider tests on Launchpad s390x builds * Extend install lists with missing files after reviewing the list of files produced by the build process * Update server README.Debian to match current unix socekt authentication * Lintian fixes and more updates to TokuDB plugin copyright paths * Move mysql_upgrade to server core package so that Akonadi and similar core package consumers can upgrade the database. Also update control file with breaks/replaces to allow smooth upgrades (Closes: #793977). * Update slow_query_log_file configuration syntax to match upstream's. Also fixes #677222 in MariaDB packages. * Rename and install Apport hook correctly * Remove Taocrypt workaround fixed upstream long since #627208 * Removed CFLAGS and CXXFLAGS as suggested by Lars Tangvald and also done in mysql-5.6 packaging commit id 16a64e810e28f1d0b66ede274cd4c2b1a425fecb * Unmask the systemd mysql.service if left behind by a mysql-server-5.6 installation, otherwise the MariaDB service would remain masked too. * Add gdb to build-deps as suggested in #627208 to get automatic stack traces * Updated Turkish translation by Atila KOÇ (Closes: #811414) mariadb-10.0 (10.0.23-1) unstable; urgency=low . * New upstream release * Ignore test suite exit code on unstable platforms (mips, mipsel) * Update TokuDB plugin install and copyright paths to match latest release done under Percona ownership monotone (1.1-4+deb8u1) jessie-security; urgency=high . * Non-maintainer upload. * No-change rebuild against libbotan1.10. mozilla-noscript (2.9.0.11-1~deb8u1) jessie; urgency=medium . * Upload compatible version with recent Firefox in Jessie (Closes: #826896) mozilla-noscript (2.9.0.10-1) unstable; urgency=medium . * Imported Upstream version 2.9.0.10 * Refresh upstream changelog mozilla-noscript (2.9.0.7-1) unstable; urgency=medium . * Imported Upstream version 2.9.0.7 * Refresh upstream changelog * Update Standards-Version to 3.9.7 mozilla-noscript (2.9.0.4-1) unstable; urgency=medium . * Imported Upstream version 2.9.0.4 * Refresh upstream changelog mozilla-noscript (2.9.0.3-1) unstable; urgency=medium . * Imported Upstream version 2.9.0.3 * Refresh upstream changelog mozilla-noscript (2.9.0.2-1) unstable; urgency=medium . * Imported Upstream version 2.9.0.2 * Refresh upstream changelog mozilla-noscript (2.9-1) unstable; urgency=medium . * Imported Upstream version 2.9 * Refresh upstream changelog * Drop xpi-repack call * Provide a get-orig-source rule mozilla-noscript (2.7-1) unstable; urgency=medium . * Imported Upstream version 2.7 * Refresh upstream changelog mozilla-noscript (2.6.9.39-1) unstable; urgency=medium . * Imported Upstream version 2.6.9.39, and upload to unstable * Refresh upstream changelog mozilla-noscript (2.6.9.39~rc1-1) experimental; urgency=medium . * Imported Upstream version 2.6.9.39~rc1, and upload to experimental * Refresh upstream changelog * Revert "Update to antlr.js new path" mozilla-noscript (2.6.9.38-1) unstable; urgency=medium . * Imported Upstream version 2.6.9.38 * Refresh upstream changelog * Update to antlr.js new path mozilla-noscript (2.6.9.36-1) unstable; urgency=medium . * Imported Upstream version 2.6.9.36 * Refresh upstream changelog mozilla-noscript (2.6.9.34-1) unstable; urgency=medium . * Imported Upstream version 2.6.9.34 * Refresh upstream changelog mozilla-noscript (2.6.9.30-1) unstable; urgency=medium . * Imported Upstream version 2.6.9.30, and upload to unstable * Refresh upstream changelog mozilla-noscript (2.6.9.30~rc3-1) experimental; urgency=medium . * Imported Upstream version 2.6.9.30~rc3 * Refresh upstream changelog mozilla-noscript (2.6.9.30~rc1-1) experimental; urgency=medium . * Imported Upstream version 2.6.9.30~rc1, and upload to experimental * Refresh upstream changelog mozilla-noscript (2.6.9.29-1) unstable; urgency=medium . * Imported Upstream version 2.6.9.29 * Refresh upstream changelog mozilla-noscript (2.6.9.27-1) unstable; urgency=medium . * Imported Upstream version 2.6.9.27 * Refresh upstream changelog mozilla-noscript (2.6.9.26-1) unstable; urgency=medium . * Imported Upstream version 2.6.9.26 * Refresh upstream changelog mozilla-noscript (2.6.9.25-1) unstable; urgency=medium . * Imported Upstream version 2.6.9.25 * Refresh upstream changelog mozilla-noscript (2.6.9.23-1) unstable; urgency=medium . * Upload to unstable since Jessie has been released * Add amo source to watch file * Imported Upstream version 2.6.9.23 * Refresh upstream changelog mozilla-noscript (2.6.9.23~rc3-1) experimental; urgency=medium . * Imported Upstream version 2.6.9.23~rc3 * Refresh upstream changelog mozilla-noscript (2.6.9.23~rc2-1) experimental; urgency=medium . * Imported Upstream version 2.6.9.23~rc2 * Refresh upstream changelog mozilla-noscript (2.6.9.23~rc1-1) experimental; urgency=medium . * Imported Upstream version 2.6.9.23~rc1 * Refresh upstream changelog mozilla-noscript (2.6.9.22-1) experimental; urgency=medium . * Imported Upstream version 2.6.9.22 * Refresh upstream changelog mozilla-noscript (2.6.9.21-1) experimental; urgency=medium . * Imported Upstream version 2.6.9.21 * Refresh upstream changelog mozilla-noscript (2.6.9.20-1) experimental; urgency=medium . * Imported Upstream version 2.6.9.20 * Refresh upstream changelog mozilla-noscript (2.6.9.20~rc1-1) experimental; urgency=medium . * Imported Upstream version 2.6.9.20~rc1 * Refresh upstream changelog mozilla-noscript (2.6.9.19-1) experimental; urgency=medium . * Imported Upstream version 2.6.9.19 * Refresh upstream changelog mozilla-noscript (2.6.9.19~rc1-1) experimental; urgency=medium . * Imported Upstream version 2.6.9.19~rc1 * Refresh upstream changelog mozilla-noscript (2.6.9.18-1) experimental; urgency=medium . * Imported Upstream version 2.6.9.18 * Refresh upstream changelog mozilla-noscript (2.6.9.18~rc3-1) experimental; urgency=medium . * Imported Upstream version 2.6.9.18~rc3 * Refresh upstream changelog mozilla-noscript (2.6.9.18~rc2-1) experimental; urgency=medium . * Imported Upstream version 2.6.9.18~rc2 * Refresh upstream changelog mozilla-noscript (2.6.9.17~rc2-1) experimental; urgency=medium . * Imported Upstream version 2.6.9.17~rc2 * Refresh upstream changelog mozilla-noscript (2.6.9.16-1) experimental; urgency=medium . * Imported Upstream version 2.6.9.16 * Refresh upstream changelog mozilla-noscript (2.6.9.15-1) experimental; urgency=medium . * Imported Upstream version 2.6.9.15 * Refresh upstream changelog mozilla-noscript (2.6.9.14~rc1-1) experimental; urgency=medium . * Imported Upstream version 2.6.9.14~rc1 * Refresh upstream changelog mozilla-noscript (2.6.9.13-1) experimental; urgency=medium . * Imported Upstream version 2.6.9.13 * Refresh upstream changelog mozilla-noscript (2.6.9.13~rc1-1) experimental; urgency=medium . * Imported Upstream version 2.6.9.13~rc1 * Refresh upstream changelog mozilla-noscript (2.6.9.12-1) experimental; urgency=medium . * Imported Upstream version 2.6.9.12 * Refresh upstream changelog mozilla-noscript (2.6.9.11-1) experimental; urgency=medium . * Imported Upstream version 2.6.9.11 * Refresh upstream changelog mozilla-noscript (2.6.9.10-1) experimental; urgency=medium . * Imported Upstream version 2.6.9.10 * Refresh upstream changelog mozilla-noscript (2.6.9.10~rc2-1) experimental; urgency=medium . * Imported Upstream version 2.6.9.10~rc2 * Refresh upstream changelog mozilla-noscript (2.6.9.9-1) experimental; urgency=medium . * Imported Upstream version 2.6.9.9 * Refresh upstream changelog mozilla-noscript (2.6.9.9~rc1-1) experimental; urgency=medium . * Imported Upstream version 2.6.9.9~rc1 * Refresh upstream changelog * Update copyright mozilla-noscript (2.6.9.8-1) experimental; urgency=medium . * Imported Upstream version 2.6.9.8 * Refresh upstream changelog mozilla-noscript (2.6.9.8~rc2-1) experimental; urgency=medium . * Imported Upstream version 2.6.9.8~rc2 * Refresh upstream changelog mozilla-noscript (2.6.9.7-1) experimental; urgency=medium . * Imported Upstream version 2.6.9.7 * Refresh upstream changelog mozilla-noscript (2.6.9.7~rc2-1) experimental; urgency=medium . * Imported Upstream version 2.6.9.7~rc2 * Refresh upstream changelog mozilla-noscript (2.6.9.6-1) experimental; urgency=medium . * Imported Upstream version 2.6.9.6 * Refresh upstream changelog mozilla-noscript (2.6.9.4-1) experimental; urgency=medium . * Upload to experimental to respect the freeze * Imported Upstream version 2.6.9.4 * Refresh upstream changelog mupdf (1.5-1+deb8u1) jessie-security; urgency=high . * Non-maintainer upload by the Security Team. * CVE-2016-6265: Use after free vulnerability in pdf_xref.c (Closes: #832031) * CVE-2016-6525: heap overflow in pdf_load_mesh_params() (Closes: #833417) mysql-5.5 (5.5.50-0+deb8u1) jessie-security; urgency=high . * Non-maintainer upload by the Security Team. * Imported Upstream version 5.5.50 to fix security issues: - http://www.oracle.com/technetwork/security-advisory/cpujul2016-2881720.html - CVE-2016-3477 CVE-2016-3521 CVE-2016-3615 CVE-2016-5440 mysql-connector-java (5.1.39-1~deb8u1) jessie-security; urgency=high . * Team upload. * Fix CVE-2015-2575 by backporting the latest stable release. Vulnerability in the MySQL Connectors component of Oracle MySQL (subcomponent: Connector/J). Supported versions that are affected are 5.1.34 and earlier. Difficult to exploit vulnerability allows successful authenticated network attacks via multiple protocols. Successful attack of this vulnerability can result in unauthorized update, insert or delete access to some MySQL Connectors accessible data as well as read access to a subset of MySQL Connectors accessible data. * Relax build-dependency on default-jdk to >= 1.7. * Do not build the JDBC 4+ implementation which requires Java 8 and disable JDBC42 invocations. mysql-connector-java (5.1.38-1) unstable; urgency=medium . * Team upload. * New upstream release - Refreshed the patches mysql-connector-java (5.1.37-1) experimental; urgency=medium . * New upstream release - Refreshed the patches - Build depend on Java 8 * Standards-Version updated to 3.9.6 (no changes) * Updated the package description nginx (1.6.2-5+deb8u2) jessie-security; urgency=medium . [ Christos Trochalakis ] * Fixes CVE-2016-4450 NULL pointer dereference while writing client request body. (Closes: #825960) nginx (1.6.2-5+deb8u2~bpo70+1) wheezy-backports; urgency=high . [ Christos Trochalakis ] * Rebuild for wheezy-backports. ntp (1:4.2.6.p5+dfsg-7+deb8u2) jessie-security; urgency=medium . * Rename and update some patches to be closer to what's in Fedora, only some white space changes. * Fix CVE-2015-7974 * Fix CVE-2015-7977, CVE-2015-7978 * Fix CVE-2015-7979 * Fix CVE-2015-8138 * Fix CVE-2015-8158 * Fix CVE-2016-1548 * Fix CVE-2016-1550 * Fix CVE-2016-2516 * Fix CVE-2016-2518 nullmailer (1:1.13-1+deb8u1) jessie; urgency=medium . * Non-maintainer upload. * Do not keep relayhost data in debconf database longer than strictly needed. (Closes: #831813) Backport of 1:1.13-1.2 from unstable. open-iscsi (2.0.873+git0.3b4b4500-8+deb8u2) jessie; urgency=medium . * [6d8d26d] init script: wait a bit after iSCSI devices have appeared. This works around a race condition in which dependent devices can appear only after the initial udev settle has returned. (Closes: #833917) * [8a8a870] open-iscsi-udeb: update initramfs after copying configuration to target system. (Closes: #834830) openjdk-7 (7u111-2.6.7-1~deb8u1) jessie-security; urgency=medium . * Rebuild for jessie-security openjdk-7 (7u101-2.6.6-2) experimental; urgency=medium . * Configure with --disable-arm32-jit, broken by the security update. openssh (1:6.7p1-5+deb8u3) jessie-security; urgency=high . * Non-maintainer upload by the Security Team. * CVE-2016-6210: User enumeration via covert timing channel (closes: #831902). openssl (1.0.1t-1+deb8u3) jessie; urgency=medium . [ Kurt Roeckx ] * Fix length check for CRLs. (Closes: #826552) . [ Sebastian Andrzej Siewior ] * Enable asm optimisation for s390x. Patch by Dimitri John Ledkov. (Closes: #833156). ovirt-guest-agent (1.0.10.2.dfsg-2+deb8u1) jessie; urgency=medium . * Install ovirt-guest-agent.py executable (closes: #782005). * Change owner of log directory to ovirtagent in postinst (closes: #811481). p7zip (9.20.1~dfsg.1-4.1+deb8u2) jessie-security; urgency=high . * Non-maintainer upload by the Security Team. * CVE-2016-2335: UDF CInArchive::ReadFileItem code execution vulnerability (Closes: #824160) pdns (3.4.1-4+deb8u6) jessie-security; urgency=high . * Non-maintainer upload by the Security Team. * Reject qname's wirelength > 255, `chopOff()` handle dot inside labels. CVE-2016-5426: PowerDNS Authoritative Server accepts queries with a qname's length larger than 255 bytes. CVE-2016-5427: PowerDNS Authoritative Server does not properly handle dot inside labels. * Limit size of receivable AXFR data. CVE-2016-6172: Improper restriction of zone size limit (Closes: #830808) perl (5.20.2-3+deb8u6) jessie-security; urgency=high . [ Niko Tyni ] * [SECURITY] CVE-2016-1238: opportunistic loading of optional modules can make many programs unintentionally load code from the current working directory (which might be changed to another directory without the user realising). + allow user configurable removal of "." from @INC in /etc/perl/sitecustomize.pl for a transitional period. (See: #588017) + backport patches from [perl #127834] to fix known vulnerabilities even if the user does not configure "." to be removed from @INC + backport patches from [perl #127810] to fix various classes of build failures in perl and CPAN modules if "." is removed from @INC . [ Dominic Hargreaves ] * [SECURITY] CVE-2016-6185: Make XSLoader skip relative paths not on @INC. (Closes: #829578) php5 (5.6.24+dfsg-0+deb8u1) jessie-security; urgency=high . * Imported Upstream version 5.6.24+dfsg * Rebase patches on top of 5.6.24+dfsg release php5 (5.6.23+dfsg-1) unstable; urgency=medium . * Imported Upstream version 5.6.23+dfsg * Rebase patches on top of 5.6.23+dfsg * Adjust tidy extension for tidy-html5 php5 (5.6.23+dfsg-0+deb8u1) jessie-security; urgency=medium . * Silence errors from find caused by time race (Closes: #827370) * Replace cut&paste error php@PHP_VERSION@ in libapache2-mod-php5 postinst just to php5 (Closes: #822855) * Merge sessionclean script from master to fix reading conf.d directories (Closes: #827548) * Imported Upstream version 5.6.23+dfsg * Rebase patches on top of 5.6.23 * Move -ignore_session_path to be the first argument (Closes: #830792) * Update Vcs-* to point at pkg-php/php5.git php5 (5.6.22+dfsg-2) unstable; urgency=medium . * Silence errors from find caused by time race (Closes: #827370) php5 (5.6.22+dfsg-1) unstable; urgency=medium . * Imported Upstream version 5.6.22+dfsg * Add Provides: php5-mysql to php5-mysqlnd (Closes: #820451) php5 (5.6.22+dfsg-0+deb8u1) jessie-security; urgency=medium . [ Bernat Arlandis ] * Fix the bug where sessionclean doesn't touch session files (Closes: #799155) . [ Ondřej Surý ] * Add patch to make opcache lockfile path configurable + Courtesy of Gandi and already merged in PHP 7.0 upstream * Imported Upstream version 5.6.22+dfsg * Add Provides: php5-mysql to php5-mysqlnd (Closes: #820451) * Rebase patches on top of PHP 5.6.22 php5 (5.6.21+dfsg-2) unstable; urgency=medium . [ Santiago Vila ] * Make src:php5 compatible with source-only uploads (Closes: #823954) php5 (5.6.21+dfsg-1) unstable; urgency=medium . * Update Vcs-* to point at pkg-php/php5.git * Imported Upstream version 5.6.21+dfsg * Rebase patches on top of 5.6.21+dfsg release * Add patch to make opcache lockfile path configurable * Replace the while loop with for loop to prevent launching subshell in the sessionclean script php5 (5.6.20+dfsg-1) unstable; urgency=medium . * Allow multiple whitespace in php5-fpm init script (Closes: #818102) * Improve conffile parsing ini the init.d script * Imported Upstream version 5.6.20+dfsg * Rebase patches on top of 5.6.20+dfsg release phpmyadmin (4:4.2.12-2+deb8u2) jessie-security; urgency=high . * Fix several security issues: CVE-2016-1927, CVE-2016-2039, CVE-2016-2040, CVE-2016-2041, CVE-2016-2560, CVE-2016-2561, CVE-2016-5099, CVE-2016-5701, CVE-2016-5705, CVE-2016-5706, CVE-2016-5731, CVE-2016-5733, CVE-2016-5739 pidgin (2.11.0-0+deb8u1) jessie-security; urgency=high . * Non-maintainer upload by the Security Team. * Imported Upstream version 2.11.0 to fix security issues: - CVE-2016-4323 CVE-2016-2380 CVE-2016-2378 CVE-2016-2377 CVE-2016-2376 CVE-2016-2375 CVE-2016-2374 CVE-2016-2373 CVE-2016-2372 CVE-2016-2371 CVE-2016-2370 CVE-2016-2369 CVE-2016-2368 CVE-2016-2367 CVE-2016-2366 CVE-2016-2365 * Update libpurple0.symbols for 2.10.12 and 2.11.0 pidgin (2.10.12-1) unstable; urgency=low . [ Peter Spiess-Knafl ] * Fix extra end tag in prefs.xml (Closes: #589631) . [ Ari Pollak ] * Imported upstream version 2.10.12 (Closes: #822782) * Install upstream appdata (Closes: #785759) pidgin (2.10.11-1.1) unstable; urgency=medium . [ Bernhard Schmidt ] * GStreamer 1.0 and libfarstream 0.2 support (Closes: #785926, #731122) - Import patch from Fedora and refresh for Debian + almost the same patch has been in Ubuntu for a while - run autoreconf through dh-autoreconf/cdbs - Bump Build-Depends for src:pidgin - Bump Recommends for pidgin + replace gstreamer0.10-ffmpeg with gstreamer1.0-libav . [ Ari Pollak ] * Add gstreamer0.10-pulseaudio as alternative to gstreamer0.10-alsa in Recommends (Closes: #772116) . [ Sebastian Dröge ] * Non-Maintainer Upload with Bernhard's patch from #785926. piuparts (0.62+deb8u1) stable; urgency=medium . [ Stefano Rivera ] * Don't test the current Debian release status, tracking that is distro-info-data's problem. (Closes: #827411) policykit-1 (0.105-15~deb8u2) stable; urgency=medium . * Disable 0.113/sessionmonitor-systemd-prepare-for-D-Bus-user-bus-mo.patch and 0.113/sessionmonitor-systemd-Use-sd_uid_get_state-to-check.patch. Those two patches add support for `systemd --user` sessions and the D-Bus user model. For that they rely on sd_uid_get_state() which seems to be broken in Jessie when logind is running under sysvinit. Since those features are not yet needed in Jessie, do not apply those patches. (Closes: #825956) policykit-1 (0.105-15~deb8u1) stable; urgency=medium . * Upload to stable. . policykit-1 (0.105-15) unstable; urgency=medium . * Generate tight inter-package dependencies. This ensures that everything from the same source package is upgraded in lockstep. (Closes: #817998) . policykit-1 (0.105-14.1) unstable; urgency=medium . * Non-maintainer upload. * Fix FTBFS on non-linux/non-systemd. (Closes: #798769) . policykit-1 (0.105-14) unstable; urgency=medium . * debian/policykit-1.preinst: Use systemctl unmask instead of direct symlink removal for consistency. * Fix handling of multi-line helper output. Thanks Dariusz Gadomski! Patch backported from upstream master. (LP: #1510824) . policykit-1 (0.105-13) unstable; urgency=medium . * debian/policykit-1.{pre,pos}inst: Temporarily mask polkitd.service while policykit-1 is unpackaged but not yet configured. During that time we don't yet have our D-Bus policy in /etc so that polkitd cannot work yet. This can be dropped once the D-Bus policy moves to /usr. (Closes: #794723, LP: #1447654) . policykit-1 (0.105-12) unstable; urgency=medium . * Team upload * Replace 03_complete_session.patch with a change from upstream which seems like a more correct solution for LP#445303, LP#649939 * 05_revert-admin-identities-unix-group-wheel.patch: remove confusing staff -> desktop_admin_r change in a man page (desktop_admin_r looks vaguely like a SELinux role but is actually being used as a group); keep only the actual functional change. This matches the syntactically different but functionally similar change in experimental. * 09_pam_environment.patch: replace with the version that went upstream. * Annotate remaining patches with a bit more information. They are: - 00git_fix_memleak.patch, 00git_invalid_object_paths.patch, 00git_type_registration.patch, 04_get_cwd.patch, 07_set-XAUTHORITY-environment-variable-if-unset.patch, 08_deprecate_racy_APIs.patch, 09_pam_environment.patch, cve-2013-4288.patch: either backports from upstream, or already applied upstream, and not discussed further here. - 01_pam_polkit.patch: use Debian's common-* infrastructure, plus pam_env to get the global environment and locale. Debian-specific. - 02_gettext.patch: Use gettext to translate .policy files at runtime, allowing for Ubuntu-style language packs. Debian-specific (mainly for Ubuntu's benefit, really). - 05_revert-admin-identities-unix-group-wheel.patch: Debian does not use the "wheel" group like Red Hat derivatives do; treat uid 0 as the administrative identity instead. Debian-specific. - 06_systemd-service.patch: hook up the systemd service in debian/polkitd.service. Not forwarded: obsoleted by an upstream change in 0.106, commit 2995085. * Re-order patch series to put upstream changes first, sorted by version in which they went upstream, and put them in subdirectories by version * Add patches from 0.113 to fix heap corruption CVE-2015-3255 (Closes: #766860) and local authenticated denial of service CVE-2015-4625 (Closes: #796134) * Add numerous other bug-fix patches from 0.113 - work around bugs in older versions of libpam-systemd when using su or similar (Closes: #772125) - treat background processes as part of the same uid's active GUI session if they have one (Closes: #779988) - fix some memory leaks (Closes: #775158, LP: #1417637) * Add backported public API polkit_system_bus_name_get_user_sync() to symbols file * Fix FTBFS with dpkg-buildpackage -A by only installing files into policykit-1 in per-arch builds * Run tests with a session bus pretending to be the system bus, so they can pass in a buildd environment . policykit-1 (0.105-11) unstable; urgency=medium . * Add 00git_invalid_object_paths.patch: backend: Handle invalid object paths in RegisterAuthenticationAgent (CVE-2015-3218, Closes: #787932) * policykit-1.postinst: Reload systemd before restarting polkitd.service, to avoid "Warning: polkitd.service changed on disk". (Closes: #791397) . policykit-1 (0.105-10) unstable; urgency=medium . * Add 00git_type_registration.patch: Use GOnce for interface type registration. Fixes frequent udisks segfault (LP: #1236510). * Add 00git_fix_memleak.patch: Fix memory leak in EnumerateActions call results handler. (LP: #1417637) . policykit-1 (0.105-9) unstable; urgency=medium . [ Martin Pitt ] * policykit-1.postinst: Don't kill polkitd under systemd, but properly restart it. This avoids killing it shortly after systemd tries to bus-activate it on installation. (LP: #1447654) . [ Michael Biebl ] * Build against libsystemd instead of the old libsystemd-login compat library. (Closes: #779756) policykit-1 (0.105-14.1) unstable; urgency=medium . * Non-maintainer upload. * Fix FTBFS on non-linux/non-systemd. (Closes: #798769) policykit-1 (0.105-14) unstable; urgency=medium . * debian/policykit-1.preinst: Use systemctl unmask instead of direct symlink removal for consistency. * Fix handling of multi-line helper output. Thanks Dariusz Gadomski! Patch backported from upstream master. (LP: #1510824) policykit-1 (0.105-13) unstable; urgency=medium . * debian/policykit-1.{pre,pos}inst: Temporarily mask polkitd.service while policykit-1 is unpackaged but not yet configured. During that time we don't yet have our D-Bus policy in /etc so that polkitd cannot work yet. This can be dropped once the D-Bus policy moves to /usr. (Closes: #794723, LP: #1447654) policykit-1 (0.105-12) unstable; urgency=medium . * Team upload * Replace 03_complete_session.patch with a change from upstream which seems like a more correct solution for LP#445303, LP#649939 * 05_revert-admin-identities-unix-group-wheel.patch: remove confusing staff -> desktop_admin_r change in a man page (desktop_admin_r looks vaguely like a SELinux role but is actually being used as a group); keep only the actual functional change. This matches the syntactically different but functionally similar change in experimental. * 09_pam_environment.patch: replace with the version that went upstream. * Annotate remaining patches with a bit more information. They are: - 00git_fix_memleak.patch, 00git_invalid_object_paths.patch, 00git_type_registration.patch, 04_get_cwd.patch, 07_set-XAUTHORITY-environment-variable-if-unset.patch, 08_deprecate_racy_APIs.patch, 09_pam_environment.patch, cve-2013-4288.patch: either backports from upstream, or already applied upstream, and not discussed further here. - 01_pam_polkit.patch: use Debian's common-* infrastructure, plus pam_env to get the global environment and locale. Debian-specific. - 02_gettext.patch: Use gettext to translate .policy files at runtime, allowing for Ubuntu-style language packs. Debian-specific (mainly for Ubuntu's benefit, really). - 05_revert-admin-identities-unix-group-wheel.patch: Debian does not use the "wheel" group like Red Hat derivatives do; treat uid 0 as the administrative identity instead. Debian-specific. - 06_systemd-service.patch: hook up the systemd service in debian/polkitd.service. Not forwarded: obsoleted by an upstream change in 0.106, commit 2995085. * Re-order patch series to put upstream changes first, sorted by version in which they went upstream, and put them in subdirectories by version * Add patches from 0.113 to fix heap corruption CVE-2015-3255 (Closes: #766860) and local authenticated denial of service CVE-2015-4625 (Closes: #796134) * Add numerous other bug-fix patches from 0.113 - work around bugs in older versions of libpam-systemd when using su or similar (Closes: #772125) - treat background processes as part of the same uid's active GUI session if they have one (Closes: #779988) - fix some memory leaks (Closes: #775158, LP: #1417637) * Add backported public API polkit_system_bus_name_get_user_sync() to symbols file * Fix FTBFS with dpkg-buildpackage -A by only installing files into policykit-1 in per-arch builds * Run tests with a session bus pretending to be the system bus, so they can pass in a buildd environment policykit-1 (0.105-11) unstable; urgency=medium . * Add 00git_invalid_object_paths.patch: backend: Handle invalid object paths in RegisterAuthenticationAgent (CVE-2015-3218, Closes: #787932) * policykit-1.postinst: Reload systemd before restarting polkitd.service, to avoid "Warning: polkitd.service changed on disk". (Closes: #791397) policykit-1 (0.105-10) unstable; urgency=medium . * Add 00git_type_registration.patch: Use GOnce for interface type registration. Fixes frequent udisks segfault (LP: #1236510). * Add 00git_fix_memleak.patch: Fix memory leak in EnumerateActions call results handler. (LP: #1417637) policykit-1 (0.105-9) unstable; urgency=medium . [ Martin Pitt ] * policykit-1.postinst: Don't kill polkitd under systemd, but properly restart it. This avoids killing it shortly after systemd tries to bus-activate it on installation. (LP: #1447654) . [ Michael Biebl ] * Build against libsystemd instead of the old libsystemd-login compat library. (Closes: #779756) postgresql-9.4 (9.4.9-0+deb8u1) jessie-security; urgency=medium . * New upstream security release. . + Fix possible mis-evaluation of nested CASE-WHEN expressions (Heikki Linnakangas, Michael Paquier, Tom Lane) . A CASE expression appearing within the test value subexpression of another CASE could become confused about whether its own test value was null or not. Also, inlining of a SQL function implementing the equality operator used by a CASE expression could result in passing the wrong test value to functions called within a CASE expression in the SQL function's body. If the test values were of different data types, a crash might result; moreover such situations could be abused to allow disclosure of portions of server memory. (CVE-2016-5423) . + Fix client programs' handling of special characters in database and role names (Noah Misch, Nathan Bossart, Michael Paquier) . Numerous places in vacuumdb and other client programs could become confused by database and role names containing double quotes or backslashes. Tighten up quoting rules to make that safe. Also, ensure that when a conninfo string is used as a database name parameter to these programs, it is correctly treated as such throughout. . Fix handling of paired double quotes in psql's \connect and \password commands to match the documentation. . Introduce a new -reuse-previous option in psql's \connect command to allow explicit control of whether to re-use connection parameters from a previous connection. (Without this, the choice is based on whether the database name looks like a conninfo string, as before.) This allows secure handling of database names containing special characters in pg_dumpall scripts. . pg_dumpall now refuses to deal with database and role names containing carriage returns or newlines, as it seems impractical to quote those characters safely on Windows. In future we may reject such names on the server side, but that step has not been taken yet. . These are considered security fixes because crafted object names containing special characters could have been used to execute commands with superuser privileges the next time a superuser executes pg_dumpall or other routine maintenance operations. (CVE-2016-5424) publicsuffix (20160703-0+deb8u1) jessie; urgency=medium . * Upload to stable. . publicsuffix (20160703-1) unstable; urgency=medium . * new upstream version . publicsuffix (20160630-1) unstable; urgency=medium . * new upstream version . publicsuffix (20160613-1) unstable; urgency=medium . * new upstream version . publicsuffix (20160525-1) unstable; urgency=medium . * new upstream version . publicsuffix (20160509-2) unstable; urgency=medium . * updated build-deps to account for upstream build tests. . publicsuffix (20160509-1) unstable; urgency=medium . * new upstream version . publicsuffix (20160325-1) unstable; urgency=medium . * new upstream version . publicsuffix (20160130-1) unstable; urgency=medium . * new upstream version . publicsuffix (20160115-1) unstable; urgency=medium . * new upstream version . publicsuffix (20160104-1) unstable; urgency=medium . * new upstream version . publicsuffix (20151205-1) unstable; urgency=medium . * new upstream version . publicsuffix (20151117-1) unstable; urgency=medium . * new upstream version . publicsuffix (20151011-1) unstable; urgency=medium . * new upstream version . publicsuffix (20150915-1) unstable; urgency=medium . * new upstream version . publicsuffix (20150907-1) unstable; urgency=medium . * new upstream version . publicsuffix (20150807-2) unstable; urgency=medium . * fix test_psl.txt . publicsuffix (20150807-1) unstable; urgency=medium . * new upstream release . publicsuffix (20150731-1) unstable; urgency=medium . * new upstream release (patches dropped, adopted upstream) . publicsuffix (20150709-2) unstable; urgency=medium . * update test_psl.txt to match upstream rules. . publicsuffix (20150709-1) unstable; urgency=medium . * new upstream release * move to upstream from https://github.com/publicsuffix/list https://bugzilla.mozilla.org/show_bug.cgi?id=1182052 . publicsuffix (20150507-1) unstable; urgency=medium . * new data from upstream. * renamed shipped file to public_suffix_list.dat (see https://bugzilla.mozilla.org/show_bug.cgi?id=1155581), while retaining symlink from the old effective_tld_names.dat * bumped standards-version to 3.9.6 (no changes needed) * moved package metadata urls to https where possible. . publicsuffix (20150225-1) unstable; urgency=medium . * new data from upstream. . publicsuffix (20150204-1) unstable; urgency=medium . * new data from upstream. publicsuffix (20160630-1) unstable; urgency=medium . * new upstream version publicsuffix (20160613-1) unstable; urgency=medium . * new upstream version publicsuffix (20160525-1) unstable; urgency=medium . * new upstream version publicsuffix (20160509-1) unstable; urgency=medium . * new upstream version publicsuffix (20160130-1) unstable; urgency=medium . * new upstream version publicsuffix (20160115-1) unstable; urgency=medium . * new upstream version publicsuffix (20160104-1) unstable; urgency=medium . * new upstream version publicsuffix (20151205-1) unstable; urgency=medium . * new upstream version publicsuffix (20151117-1) unstable; urgency=medium . * new upstream version publicsuffix (20151011-1) unstable; urgency=medium . * new upstream version publicsuffix (20150915-1) unstable; urgency=medium . * new upstream version publicsuffix (20150907-1) unstable; urgency=medium . * new upstream version publicsuffix (20150807-2) unstable; urgency=medium . * fix test_psl.txt publicsuffix (20150807-1) unstable; urgency=medium . * new upstream release publicsuffix (20150731-1) unstable; urgency=medium . * new upstream release (patches dropped, adopted upstream) publicsuffix (20150709-2) unstable; urgency=medium . * update test_psl.txt to match upstream rules. . publicsuffix (20150709-1) unstable; urgency=medium . * new upstream release * move to upstream from https://github.com/publicsuffix/list https://bugzilla.mozilla.org/show_bug.cgi?id=1182052 publicsuffix (20150507-1) unstable; urgency=medium . * new data from upstream. * renamed shipped file to public_suffix_list.dat (see https://bugzilla.mozilla.org/show_bug.cgi?id=1155581), while retaining symlink from the old effective_tld_names.dat * bumped standards-version to 3.9.6 (no changes needed) * moved package metadata urls to https where possible. publicsuffix (20150225-1) unstable; urgency=medium . * new data from upstream. publicsuffix (20150204-1) unstable; urgency=medium . * new data from upstream. pypdf2 (1.23+git20141008-1+deb8u1) jessie; urgency=medium . * Backport fix 'prevent infinite loop in readObject() function' to prevent DoS from upstream Git tree. python-django (1.7.11-1) jessie; urgency=medium . * New upstream release incorporating former security updates and multiple bugfixes. Detailed changes documented here: - https://docs.djangoproject.com/en/1.7/releases/1.7.8/ - https://docs.djangoproject.com/en/1.7/releases/1.7.9/ - https://docs.djangoproject.com/en/1.7/releases/1.7.10/ - https://docs.djangoproject.com/en/1.7/releases/1.7.11/ * 1.7.8 fixes: - Database introspection with SQLite 3.8.9 (#24637). - A database table name quoting regression in 1.7.2 (#24605). - The loss of null/not null column properties during field alteration of MySQL databases (#24595). * 1.7.9 fixes: - Prevented the loss of null/not null column properties during field renaming of MySQL databases (#24817). - Fixed SimpleTestCase.assertRaisesMessage() on Python 2.7.10 (#24903). * 1.7.10 contained only a security patch already applied in former Debian update. * 1.7.11 fixes: - Fixed a data loss possibility with Prefetch if to_attr is set to a ManyToManyField (#25693). * Add DEP-8 test suite. python-django (1.7.10-1) unstable; urgency=medium . * Fix Python 3.5 HTMLParseError issue. Closes: #800137. * New upstream version. Fixes CVE-2015-5963, CVE-2015-5964. Closes: #796104. * Add numpy 1.9 support. Closes: #801554. python-django (1.7.9-1) unstable; urgency=medium . * New upstream security release: https://www.djangoproject.com/weblog/2015/jul/08/security-releases/ It fixes: - CVE-2015-5143: possible denial-of-service by filling session store - CVE-2015-5144: possible header injection since validators accept newlines in input python-django (1.7.7-1+deb8u5) jessie-security; urgency=high . * SECURITY UPDATE: - CVE-2016-6186: XSS in admin's add/change related popup python2.7 (2.7.9-2+deb8u1) jessie; urgency=medium . * Backport upstream commit b3ce713fb9beebfff9848cefa0acbd59acc68fe9 to address StartTLS stripping attack in smtplib (CVE-2016-0772) * Backport upstream commit 985fc64c60d6adffd1138b6cc46df388ca91ca5d to address integer overflow in zipimporter (CVE-2016-5636) * Backport upstream commit 1c45047c51020d46246385949d5c02e026d47320 to address HTTP header injection (CVE-2016-5699) quagga (0.99.23.1-1+deb8u2) jessie-security; urgency=high . * Non-maintainer upload by the Security Team. * CVE-2016-4049: Missing size check in bgp_dump_routes_func in bgpd/bgp_dump.c allowing DoS (Closes: #822787). * CVE-2016-4036: World readable sensitive files in /etc/quagga (Closes: #835223). quassel (1:0.10.0-2.3+deb8u3) jessie; urgency=medium . * Non-maintainer upload. * Fix CVE-2016-4414: remote DoS in quassel core with invalid handshake data. (Closes: #826402) - Add debian/patches/CVE-2016-4414.patch, cherry-picked from upstream. rails (2:4.1.8-1+deb8u4) jessie-security; urgency=high . [ Salvatore Bonaccorso ] * add test script for CVE-2016-6316 . [ Antonio Terceiro ] * CVE-2016-6316.patch: update to fix regression with non-string arguments to tag options rails (2:4.1.8-1+deb8u3) jessie-security; urgency=high . * Security update * CVE-2016-6316: Possible XSS Vulnerability in Action View (Closes: Bug#834155) redis (2:2.8.17-1+deb8u5) jessie-security; urgency=high . * Re-upload to security-master with -sa. redis (2:2.8.17-1+deb8u4) jessie-security; urgency=high . * Avoid world_readable ~/.rediscli_history files. Thanks to kpcyrd . (Closes: #832460) ruby-eventmachine (1.0.3-6+deb8u1) stable; urgency=medium . * Team upload * Fix remotely triggerable crash due to FD handling (Closes: #678512, #696015) * Fix memory leak caused when fixing crash ruby2.1 (2.1.5-2+deb8u3) jessie; urgency=low . * Non-maintainer upload to fix security problem. * Fix CVE-2009-5147: DL::dlopen should not open a library with tainted library name in safe mode (Closes: #796344). Based on patch used in DLA-299-1, which was pulled from upstream. * Fix CVE-2015-7551: Fiddle handles should not call functions with tainted function names (Closes: #796344). Patch pulled from upstream. samba (2:4.2.10+dfsg-0+deb8u3) jessie-security; urgency=high . * Non-maintainer upload by the Security Team. . [ Salvatore Bonaccorso ] * Add missing Breaks+Replaces for samba-libs binary package. The 2:4.2.10+dfsg-0+deb8u2 update moved some libraries back to the samba-libs binary package from the samba binary package but did not add respective Breaks and Replaces package relations. (Closes: #821002) * Add Patchset for regression introduced by CVE-2016-2110. NetAPP SMB servers don't negotiate NTLMSSP_SIGN. (Closes: #822937) . [ Steven Chamberlain ] * ctdb: Fix detection of gnukfreebsd (Closes: #802621) GNU/kFreeBSD's platform name is 'gnukfreebsd', not just 'kfreebsd'. . [ Andrew Bartlett ] * Add back better NEWS item for 2:4.2.10+dfsg-0+deb8u1 . [ Salvatore Bonaccorso ] * s3:smbd: fix anonymous authentication if signing is mandatory samba (2:4.2.10+dfsg-0+deb8u2) jessie-security; urgency=high . * Non-maintainer upload by the Security Team. * Move libraries back to samba-libs libsmbd-base.so.0, process_model/*.so and libprocess-model.so.0 libraries back to the samba-libs binary package. (Closes: #820947) samba (2:4.2.10+dfsg-0+deb8u1) jessie-security; urgency=high . [ Jelmer Vernooij ] * New upstream release. + Drop patch Fix-CTDB-build-with-PMDA.patch: applied upstream. * Re-enable cluster support. * Add patch no_wrapper: avoid dependencies on {nss,uid,socket}_wrapper. . [ Mathieu Parent ] * Fix CTDB behavior since CVE-2015-8543 (Closes: #813406) * Don't build ctdb twice: - Shorten build time - Fix ctdb log path from /var/log/log.ctdb to /var/log/ctdb/log.ctdb - Remove unused /usr/lib/*/ctdb/*.so files . [ Andrew Bartlett ] * New upstream release + Fixes: - CVE-2015-5370 (Multiple errors in DCE-RPC code) - CVE-2016-2110 (Man in the middle attacks possible with NTLMSSP) - CVE-2016-2111 (NETLOGON Spoofing Vulnerability) - CVE-2016-2112 (LDAP client and server don't enforce integrity) - CVE-2016-2113 (Missing TLS certificate validation) - CVE-2016-2114 ("server signing = mandatory" not enforced) - CVE-2016-2115 (SMB IPC traffic is not integrity protected) - CVE-2016-2118 (SAMR and LSA man in the middle attacks possible) * Backport BackupKey patches from Samba 4.3.0 to avoid regressions * Additional regression fix for 'net ads join' to a Windows 2003 domain by metze * Revert the change to made libsamba-debug a library, allowing openchange to link to Samba 4.2 * Add Breaks against openchangeproxy that uses an API and ABI that has changed . [ Marc Deslauriers ] * Fix double-free in pam_smbpass samba (2:4.2.1+dfsg-1) experimental; urgency=medium . [ Jelmer Vernooij ] * New upstream release. + Drop patch do-not-install-smbclient4-and-nmbclient4: applied upstream. + Drop patch bug_598313_upstream_7499-nss_wins-dont-clobber-daemons-logs.patch: present upstream. + Refresh patch 26_heimdal_compat.26_heimdal_compat. + Add build-dependency on libarchive-dev. * Drop samba_bug_11077_torturetest.patch: applied upstream. * Drop dependency on ctdb - now bundled with Samba. * Use bundled Heimdal as the system Heimdal doesn't contain the changes required for Samba. * Add patch heimdal-rfc3454.txt: patch in truncated rfc3454.txt for building bundled heimdal. * Drop patches 25_heimdal_api_changes and 26_heimdal_compat. * Disable cluster support; it breaks the build. * Add patch no_wrapper: avoid dependencies on {nss,uid,socket}_wrapper. * Move some libraries around. * Move ownership of var/lib/samba and var/lib/samba/private to samba- common, remove obsolete samba4.dirs. Closes: #793866 * Remove ctdb-tests and ctdb-pcp-pmda packages as they contain problems and unclear what they are useful for, now ctdb now longer provides an external API. . [ Mathieu Parent ] * Merge ctdb source package - initial merge - libctdb-dev has been dropped - ctdb-dbg renamed to ctdb-tests, debug files moved to samba-dbg - ctdb-tests depends on python * Fix CTDB socketpath parsing * Fix CTDB build with PMDA * ctdb: Fix privacy breach on google.com (from documentation) samba (2:4.1.22+dfsg-1) unstable; urgency=high . * New upstream release. Fixes: - CVE-2015-7540 (Remote DoS in Samba (AD) LDAP server) - CVE-2015-3223 (Denial of service in Samba Active Directory server) - CVE-2015-5252 (Insufficient symlink verification in smbd) - CVE-2015-5299 (Missing access control check in shadow copy code) - CVE-2015-5296 (Samba client requesting encryption vulnerable to downgrade attack) - CVE-2015-8467 (Denial of service attack against Windows Active Directory server) - CVE-2015-5330 (Remote memory read in Samba LDAP server) * debian/control: Depend on newer system ldb (2:1.1.24). samba (2:4.1.21+dfsg-2) unstable; urgency=medium . * Rebuild against newer ldb. Closes: #805304 samba (2:4.1.21+dfsg-1) unstable; urgency=medium . * New upstream release. * Fix epoch for dependency on ldb. Closes: #800331 * Rebuild aginst newer ldb. Closes: #805176 samba (2:4.1.20+dfsg-1) unstable; urgency=medium . * New upstream release (last compatible with current OpenChange). * samba_bug_11077_torturetest.patch: refresh. samba (2:4.1.17+dfsg-5) unstable; urgency=medium . * Rebuild against new ldb. Closes: #799569 samba (2:4.1.17+dfsg-4) unstable; urgency=medium . * Add pidl_reproducible.patch: Make pidl output reproducible. samba (2:4.1.17+dfsg-3) unstable; urgency=medium . * Rebuild against new ldb. Closes: #783424 sendmail (8.14.4-8+deb8u1) jessie; urgency=medium . * QA upload. * Cherry-pick some patches from RHEL 6: RHBA-2015:1299-3 * sendmail-8.14.4-client-port.patch: sendmail {client_port} not set correctly on little endian machines (8.15.1). * sendmail-8.14.4-ldap-fix.patch: do not abort with an assertion if the connection to an LDAP server is lost (8.14.5). (Closes: #826120) spice (0.12.5-1+deb8u3) jessie-security; urgency=high . * Non-maintainer upload by the Security Team. * CVE-2016-0749: heap-based buffer overflow in smartcard interaction * CVE-2016-2150: host memory access from guest using crafted primary surface parameters sqlite3 (3.8.7.1-1+deb8u2) jessie; urgency=medium . * Fix CVE-2016-6153 , Tempdir Selection Vulnerability. * Backport fix for segfault following heavy SAVEPOINT usage (closes: #835205). squid3 (3.4.8-6+deb8u3) jessie-security; urgency=high . * Non-maintainer upload. * Fix CVE-2016-4051: Buffer overflow in cachemgr.cgi. * Fix CVE-2016-4052: Multiple stack-based buffer overflows by wrongly handling Edge Side Includes (ESI) responses. * Fix CVE-2016-4053: Public information disclosure of the server stack layout when processing ESI responses. * Fix CVE-2016-4054: Remote code execution when processing ESI responses. * Fix CVE-2016-4553: Cache Poisoning issue in HTTP Request handling. * Fix CVE-2016-4554: Header Smuggling issue in HTTP Request processing. * Fix CVE-2016-4555 and CVE-2016-4556: Denial of Service when processing ESI responses. * debian/rules: include /usr/share/cdbs/1/rules/autoreconf.mk, needed by CVE-2016-4051 fix. * debian/control: Add Build-depend on dh-autoreconf symfony (2.3.21+dfsg-4+deb8u3) jessie-security; urgency=high . [ Daniel Beyer ] * Backport a security fix from 2.3.41 - Large username storage in session [CVE-2016-4423] * Backport a security fix from 2.3.37 - SecureRandom's fallback not secure when OpenSSL fails [CVE-2016-1902] . [ David Prévot ] * Add copyright entry for embeded paragonie/random_compat systemd (215-17+deb8u5) stable; urgency=medium . * Use the right timeout for stop processes we fork. This ensures that services are properly killed after a given timeout. (Closes: #813702) * Don't reset log level to NOTICE if we get quiet on the kernel cmdline. (Closes: #828006) * Fix prepare priority queue comparison function in sd-event. Otherwise a disabled event source can get swapped with an enabled one and cause a severe sd-event malfunction, breaking the event loop. (Closes: #789796) * Update links to kernel.org cgroup documentation. The systemd.resource-control man page had references to /cgroups/ which moved to /cgroup-v1/. (Closes: #819970) * Don't start console-getty.service when /dev/console is missing. Avoids repeated unsuccessful start attempts of agetty inside (docker) containers. (Closes: #829537) * Order systemd-user-sessions.service after nss-user-lookup.target. We should not allow logins before NIS/LDAP users are available. * Order systemd-user-sessions.service after network.target. That way we can be sure that local users are logged out and SSH sessions are ended cleanly before the network is shut down when the system goes down. tabmixplus (0.5.0.0-1~deb8u1) jessie; urgency=medium . * Upload compatible version with recent Firefox in Jessie (Closes: #826995) tabmixplus (0.4.2.3~160425a1-1) experimental; urgency=medium . * Update Standards-Version to 3.9.8 tabmixplus (0.4.2.3~160328a1-1) experimental; urgency=medium . * Actually watch pre-releases * Imported Upstream version 0.4.2.3~160328a1 tabmixplus (0.4.2.3~160319a1-1) experimental; urgency=medium . * Upload development version to experimental * Drop Iceweasel from description * Imported Upstream version 0.4.2.3~160319a1 tabmixplus (0.4.2.2-1) unstable; urgency=medium . * Upload stable version do unstable . [ onemen ] * Version update to 0.4.2.2 tabmixplus (0.4.2.1~160216a1-1) experimental; urgency=medium . [ onemen ] * Update maxVersion to 47.0a1 * Update compatibility with TreeStyleTab extension version 0.16.2016021602 tabmixplus (0.4.2.1~160124a1-1) experimental; urgency=medium . * Upload development version to experimental . [ onemen ] * Start using the new Tab mix domain 'tabmixplus.org' instead of 'tmp.garyr.net' . [ David Prévot ] * Update homepage URL * Update Standards-Version to 3.9.7 tabmixplus (0.4.2.0-1) unstable; urgency=medium . [ onemen ] * Version update to 0.4.2.0 tabmixplus (0.4.1.9-1) unstable; urgency=medium . * Upload stable version to unstable . [ onemen ] * Update locales from http://www.babelzilla.org * Version update to 0.4.1.9 tabmixplus (0.4.1.9~150819a1-1) experimental; urgency=medium . [ onemen ] * Update maxVersion to 43.0a1 and minVersion to 31.0 tabmixplus (0.4.1.9~150703a1-1) experimental; urgency=medium . * Upload development version to experimental . [ onemen ] * Update maxVersion to 42.0a1 tabmixplus (0.4.1.8-1) unstable; urgency=medium . * Upload stable version to unstable . [ onemen ] * Version update to 0.4.1.8 talloc (2.1.2-0+deb8u1) jessie-security; urgency=high . [ Andrew Bartlett ] * Update to stable required for Samba security release. tcpreplay (3.4.4-2+deb8u1) stable; urgency=low . * tcprewrite: Handle frames of 65535 octets size, add a size check [CVE-2016-6160]. Closes: #829350 tdb (1.3.6-0+deb8u1) jessie-security; urgency=high . [ Andrew Bartlett ] * Update to stable required for Samba security release. tdb (1.3.5-1) unstable; urgency=medium . * Fix watch URL. * New upstream release. * Drop 01_reproducible_builds.diff: applied upstream. tdb (1.3.4-2) unstable; urgency=medium . * debian/rules: Pass CPPFLAGS from dpkg-buildflags onto configure, enabling hardening. * Make libtdb2-dbg Multi-Arch: same. * Add patch 01_reproducible_builds.diff: Make build reproducible by adding set dates to manpages. * debian/copyright: Fix paths for lib/replace. * debian/copyright: Add paragraph for most of tdb. tdb (1.3.4-1) unstable; urgency=medium . * New upstream release. tdb (1.3.3-1) unstable; urgency=medium . * New upstream release. * Update 40_test_transaction_expand_non_fatal.diff: Remove ignoring of tdb1-run-mutex-openflags2 test output, as the test was fixed upstream. . * Add dh-python to Build-Depends. tdb (1.3.2-1) unstable; urgency=medium . * New upstream release. + Fixes __attribute__((visibility)) check to not use nested functions. Closes: #749986 * Drop missing-stdbool-include.patch; now included upstream. * Update 40_test_transaction_expand_non_fatal.diff: Ignore tdb1-run- mutex-openflags2 test output, since newly added test fails on Debian. * Bump standards version to 3.9.6 (no changes). tevent (0.9.25-0+deb8u1) jessie-security; urgency=high . [ Andrew Bartlett ] * Update to stable required for Samba security release. tevent (0.9.24-1) unstable; urgency=medium . * Fix upstream location in debian/watch. * New upstream release. * Bump standards version to 3.9.6 (no changes). * Use dpkg-buildflags. * Add patch revert-ldflags-atend: Reverts upstream change preventing use of -Wl,--as-needed. * Fix lib/replace paths in debian/copyright. * Set libtevent0-dbg to Multi-Arch: Same. * Don't override CFLAGS from dpkg-getbuildflags, enabling hardening. tevent (0.9.22-1) unstable; urgency=medium . * New upstream release. * Use canonical URL in Vcs-Git header. * Set branch in Vcs-Git header. tomcat7 (7.0.56-3+deb8u3) jessie-security; urgency=high . * Fixed CVE-2016-3092: Denial-of-Service vulnerability with file uploads tomcat8 (8.0.14-1+deb8u2) jessie-security; urgency=high . * Team upload. . [ Emmanuel Bourg ] * Fix CVE-2016-3092: Denial-of-Service vulnerability with file uploads . [ Markus Koschany ] * Fix CVE-2015-5174: Directory traversal vulnerability in RequestUtil.java allows remote authenticated users to bypass intended SecurityManager restrictions and list a parent directory via a /.. (slash dot dot) in a pathname used by a web application in a getResource, getResourceAsStream, or getResourcePaths call, as demonstrated by the $CATALINA_BASE/webapps directory. * Fix CVE-2015-5345: The Mapper component in Apache Tomcat processes redirects before considering security constraints and Filters, which allows remote attackers to determine the existence of a directory via a URL that lacks a trailing / (slash) character. * Fix CVE-2015-5346: Session fixation vulnerability in Apache Tomcat when different session settings are used for deployments of multiple versions of the same web application, might allow remote attackers to hijack web sessions by leveraging use of a requestedSessionSSL field for an unintended request, related to CoyoteAdapter.java and Request.java. * Fix CVE-2015-5351: The Manager and Host Manager applications in Apache Tomcat establish sessions and send CSRF tokens for arbitrary new requests, which allows remote attackers to bypass a CSRF protection mechanism by using a token. * Fix CVE-2016-0706: Apache Tomcat does not place org.apache.catalina.manager.StatusManagerServlet on the org/apache/catalina/core/RestrictedServlets.properties list, which allows remote authenticated users to bypass intended SecurityManager restrictions and read arbitrary HTTP requests, and consequently discover session ID values, via a crafted web application. * Fix CVE-2016-0714: The session-persistence implementation in Apache Tomcat mishandles session attributes, which allows remote authenticated users to bypass intended SecurityManager restrictions and execute arbitrary code in a privileged context via a web application that places a crafted object in a session. * Fix CVE-2016-0763: The setGlobalContext method in org/apache/naming/factory/ResourceLinkFactory.java in Apache Tomcat does not consider whether ResourceLinkFactory.setGlobalContext callers are authorized, which allows remote authenticated users to bypass intended SecurityManager restrictions and read or write to arbitrary application data, or cause a denial of service (application disruption), via a web application that sets a crafted global context. tor (0.2.5.12-2) stable; urgency=medium . * Update the set of authority directory servers to the one from Tor 0.2.8.7, released in August 2016. This updates the key for dannenberg, replaces the Tonga bridge authority with Bifroest, and drops urras. tryton-server (3.4.0-3+deb8u2) jessie-security; urgency=high . * Adapting the release of the last changelog entry to be in sync with the archive. * CVE-2016-1241 Adding patch 03-CVE-2016-1241_prevent_read_of_password_hash.patch. * CVE-2016-1242 Adding 04-CVE-2016-1242_sanitize_path_in_file_open.patch. tzdata (2016f-0+deb8u1) stable; urgency=medium . * New upstream version, affecting the following future time stamps: - Africa/Cairo (DST starting on 2016-07-07 cancelled). - Asia/Novosibirsk (on 2016-07-24) tzdata (2016e-1) unstable; urgency=medium . * New upstream version, affecting the following future time stamp: Africa/Cairo * Update Dutch debconf translation, by Frans Spiesschaert. Closes: #823442. tzdata (2016e-0+deb8u1) stable; urgency=medium . * New upstream version, affecting the following future time stamp: - Africa/Cairo * Update translations from the sid package. tzdata (2016d-2) unstable; urgency=medium . * Update Japanese debconf translation, by Takuma Yamada. Closes: #819599. * Update French debconf translation, by Christian Perrier. Closes: #819949. * Update Dutch debconf translation, by Frans Spiesschaert. Closes: #821439. tzdata (2016d-1) unstable; urgency=medium . * New upstream version, affecting the following future time stamps: - America/Caracas. Closes: #821147. - Asia/Magadan - Asia/Tomsk (new timezone). * Update templates and translations. unbound (1.4.22-3+deb8u2) jessie; urgency=medium . * debian/unbound.init: Add "pidfile" magic comment (Closes: #807132) * debian/unbound.init: Call start-stop-daemon with --retry for 'stop' action (patch from Julien Cristau) vlc (2.2.4-1~deb8u1) jessie-security; urgency=medium . * New upstream release. - quicktime: Reject invalid IMA files (CVE-2016-5108). (Closes: #825728) - pulse: Compute latency correctly if negative, fixing missing audio on high network latency. (Closes: #784640) - alsa: Fix audio device selection. (Closes: #801448) - hls: Fix hang on stop, crashes and stack overflow. - mkv: Fix infinite loop. - vpx: Fix crash. - mxf: Fix crash on stop. - adpcm: Fix double-free. - zvbi: Fix crash. - skins2: Fix crash on malformed skin bitmaps. - swscale: Fix crashes in swscale resizing. - mp4: Fix divide-by-zero crash in mux. - rtsp: Fix off-by-one buffer overflow. - mms: Fix segmentation fault on large allocation, fix overflows. - lua: Fix use-after-free. - httplive: Fix stack overflow. - avformat: Fix heap overflow, NULL dereference and double-free. - avcodec: Fix invalid free. - sdp: Fix read overflow. - vcd: Fix double-free. - aout: Fix use-after-free. - vout: Fix use-after-free. - realrtsp: Fix off-by-one and various crashes. - Fix various memory leaks. - Fix links to French TV icons. (Closes: #782229) * debian/patches/CVE-2015-5949.patch: Removed, included upstream. * debian/copyright: Update copyright years. * debian/libvlc5.symbols: Bump version of libvlc_event_type_name for new event names. vlc (2.2.3-2) unstable; urgency=medium . * debian/patches: - g711-fix-dangling-pointer-fixes-16909.patch: Upstream patch to fix issue with some WAV files. - adpcm-reject-invalid-QuickTime-IMA-files.patch: Apply upstream patch for CVE-2016-5108. (Closes: #825728) * debian/rules: Reduce libX11 and libxcb linkage to a warning. Moving the ffmpeg and libtheora plugins to vlc does not make much sense. vlc (2.2.3-1) unstable; urgency=medium . [ Mateusz Łukasik ] * New upstream release. * debian/patches: - Refresh fix-translation.patch: remove parts included upstream. - Remove qt4-Fix-resume-where-you-left-off.patch, qt4-input_manager-Always-reset-lastURI-when-stopping.patch, avcodec-pass-consistent-dimensions-to-hardware-decod.patch: included upstream. - Add drop-check-qt-check.patch: to ignore check qt version. . [ Sebastian Ramacher ] * debian/patches: Fix build on hurd-i386. Thanks to Samuel Thibault. (Closes: #765578) * Update ffmpeg to 2.8.7. * debian/vlc{,-nox}.lintian-overrides: Override embedded-libary. * debian/source/lintian-overrides: Update overrides. vlc (2.2.2-6) unstable; urgency=medium . * Use embedded copy of ffmpeg 2.8.6. (Closes: #803868) * debian/rules: * Explicitly disable gst-decode. * Enable sndio plugin. * Drop unnecessary override. * Fix noopt handling. * debian/vlc{-nox}.install: Filter plugins with a helper script. * debian/control: Bump Standards-Version. * debian/watch: Update to version 4. vlc (2.2.2-5) unstable; urgency=medium . * debian/patches: - qt4-Fix-resume-where-you-left-off.patch, qt4-input_manager-Always-reset-lastURI-when-stopping.patch: Apply upstream patches to fix issues with "resume playback" feature. - avcodec-pass-consistent-dimensions-to-hardware-decod.patch: Apply upstream patch to fix hardware decoding with libvdpau-va-gl. (Closes: #813370) vlc (2.2.2-4) unstable; urgency=medium . * debian/patches/fix-translation.patch: Fix translation of Shortcuts. (Closes: #814258) * debian/*.maintscript: Switch from absolute to relative paths to better handle symlink chains. (Closes: #814646) vlc (2.2.2-3) unstable; urgency=medium . * debian/*.maintscript: Handle all cases. * debian/patches/zsh-completion.patch: Upstream patch to fix zsh completion generation. vlc (2.2.2-2) unstable; urgency=medium . * debian/*.maintscript: Handle more symlink to directory conversions. * debian/rules: Do not fail to build if zsh completion fails to generate. This is a temporary workaround for a FTBFS on praetorius. vlc (2.2.2-1) unstable; urgency=medium . * New upstream release. - pulse: compute latency correctly if negative. (Closes: #784640) - Fix build failure with newer libdvdread-dev. (Closes: #797207) * Migrate to automatic debug packages. * Tell reportbug to report bugs against src:vlc and install reportbug control files in every package. * Remove some of the /usr/share/doc/ symlinks to clean up dependencies. * debian/vlc.menu: Removed since vlc contains a desktop file. * debian/rules: - Remove some parts that are handled by dpkg-dev and debhelper. - Install NEWS as upstream changelog. - Remove options passed twice to configure. * debian/README.{Debian,source}: Removed, outdated. * debian/libvlc-dev.examples: Install programming examples. * debian/{vlc.,source/}lintian-overrides: Override false positives. * debian/NEWS: Fix spelling error. * debian/control: Update Vcs-Git. * debian/patches: - Removed all patches applied upstream. - freenchtv-links.patch: Fix links to French TV icons. Thanks to Mathieu Malaterre (Closes: #782229). * debian/libvlc5.symbols: Bump version of libvlc_event_type_name for new event names. vlc (2.2.1-5) unstable; urgency=medium . * debian/control: - Update Breaks + Replaces. (Closes: #799594) - Remove vlc-plugin-pulse from Description. - Add libxi-dev to B-D for debian/patches/unsubscribe-disable-motion.patch. * Add DEP-8 tests * debian/libvlccore8.bug-control: Update libavutil package name. * debian/libvlccore8.bug-presubj: Mention global plugins cache and VLC_PLUGIN_PATH. (Closes: #801439) * debian/patches: - unsubscribe-disable-motion.patch: Unsubscribe disable motion and XI2 mouse events. Fixes mouse event issues with Qt 5.5. - alsa-fix-changing-audio-device.patch: Fix changing of audio devices. (Closes: #801448) * debian/vlc-data.{postinst,maintscript}, debian/vlc.postinst: Remove obsolete maintainer scripts. vlc (2.2.1-4) unstable; urgency=medium . * debian/control: - No longer suggest videolan-doc. It is very outdated. - Remove transitional vlc-plugin-pulse package. - Remove obsolete Breaks and Replaces. * debian/libvlccore8.symbols: Bump version requirements for meta data change (Closes: #798763, #798899) vlc (2.2.1-3) unstable; urgency=high . * debian/patches/demux-mp4-correctly-match-release-function.patch: Apply upstream patch to fix CVE-2015-5949. (Closes: #796255) vlc (2.2.1-2) unstable; urgency=medium . * debian/rules: - Enable svgdec plugin - Remove obsolete dh_builddeb override. - Explicitly pass --enable-sdl-image. * debian/control: - Switch Build-Depends from Qt4 to Qt5. - Remove obsolete Breaks+Replaces. - Drop libdvbpsi5-dev from Build-Depenss. - Add libcairo2-dev to Build-Depends for svgdec plugin. * debian/vlc.install.in: Install svgdec plugin. vlc (2.2.1-1) unstable; urgency=medium . [ Sebastian Ramacher ] * Regenerate plugin cache using triggers. (Closes: #755154) (LP: #1328466) - debian/vlc-nox.postinst: Run vlc-cache-gen. - debian/vlc-nox.postrm: Remove generated cache. - debian/rules: remove plugins.dat generated during the build. - debian/vlc-nox.install.in: Do not install pre-generated plugins.dat. * debian/control: Add libx265-dev and zsh to Build-Depends. * debian/rules: - Build with -Wl,--as-needed. - Enable x265 plugin. - Build zsh completion. (Closes: #316357) * debian/vlc-nox.install.in: - Install x265 plugin. . [ Mateusz Łukasik ] * New upstream release. * debian/patches: - Remove codec-schroedinger-fix-potential-buffer-overflow.patch -- included upstream. vorbis-tools (1.4.0-6+deb8u1) jessie; urgency=low . [ Petter Reinholdtsen ] * Add gbp.conf file documenting git branch to use for updates to Jessie. * oggenc: Fix large alloca on bad AIFF input to oggenc (CVE-2015-6749). (Closes: 797461) * oggenc: Validate count of channels in the header (CVE-2014-9638, CVE-2014-9639). (Closes: 776086) . [ Martin Steghöfer ] * Fix segmentation fault in vcut (Closes: #818037) wget (1.16-1+deb8u1) jessie; urgency=medium . * added patch for CVE-2016-4971. closes: #827003, #829130 By default, on server redirects to a FTP resource, use the original URL to get the local file name. Close CVE-2016-4971. This introduces a backward-incompatibility for HTTP->FTP redirects and any script that relies on the old behaviour must use --trust-server-names. * debian/rules fixed clean target wireshark (1.12.1+g01b65bf-4+deb8u8) jessie-security; urgency=medium . * security fixes from Wireshark 1.12.13: - The NDS dissector could crash (CVE-2016-6504) - The PacketBB dissector could crash (CVE-2016-6505) - The WSP dissector could go into an infinite loop (CVE-2016-6506) - The MMSE dissector could go into an infinite loop (CVE-2016-6507) - The RLC dissector could go into a long loop (CVE-2016-6508) - The LDSS dissector could crash (CVE-2016-6509) - The RLC dissector could crash (CVE-2016-6510) - The OpenFlow dissector could go into a long loop (CVE-2016-6511) * Cherry-pick fix for regressions caused by CVE-2016-6511's fix wireshark (1.12.1+g01b65bf-4+deb8u7) jessie-security; urgency=high . * security fixes from Wireshark 1.12.12: - The SPOOLS dissector could go into an infinite loop Discovered by the CESG (CVE-2016-5350) - The IEEE 802.11 dissector could crash (CVE-2016-5351) - The UMTS FP dissector could crash (CVE-2016-5353) - Some USB dissectors could crash. Discovered by Mateusz Jurczyk (CVE-2016-5354) - The Toshiba file parser could crash. Discovered by iDefense Labs (CVE-2016-5355) - The CoSine file parser could crash. Discovered by iDefense Labs (CVE-2016-5356) - The NetScreen file parser could crash. Discovered by iDefense Labs (CVE-2016-5357) - The WBXML dissector could go into an infinite loop. Discovered by Chris Benedict, Aurelien Delaitre, NIST SAMATE Project (CVE-2016-5359) - Fix patch for CVE-2015-8724 released in 1.12.1+g01b65bf-4+deb8u4 to not return error code from a function returning void wordpress (4.1+dfsg-1+deb8u9) jessie-security; urgency=high . * Backport patches from 4.5.3/4.1.12 Closes: #828225 * Fixes CVE-2016-5834, CVE-2016-5838, CVE-2016-5839 * Changeset 37762 admin auth redirect * Changeset 37773 Customizer urls CVE-2016-5832 * Changeset 37781 Category check CVE-2016-5837 * Changeset 37790 admin escape attach * Changeset 37800 Revision capability CVE-2016-5835 * Changeset 37815 escape url permalinks * Changeset 37818 media extensionless filenames * Changeset 32387 CVE-2015-8834 XSS in comments wpa (2.3-1+deb8u4) jessie; urgency=medium . * Non-maintainer upload. * Add patches to address CVE-2016-4476 and CVE-2016-4477, thanks to Salvatore Bonaccorso (Closes: #823411): - WPS: Reject a Credential with invalid passphrase - Reject psk parameter set with invalid passphrase character - Remove newlines from wpa_supplicant config network output - Reject SET_CRED commands with newline characters in the string values - Reject SET commands with newline characters in the string values * Refresh patches to apply cleanly. xen (4.4.1-9+deb8u7) jessie-security; urgency=high . * Non-maintainer upload by the Security Team. * CVE-2016-7092: x86: Disallow L3 recursive pagetable for 32-bit PV guests (XSA-185) * CVE-2016-7094: x86 HVM: Overflow of sh_ctxt->seg_reg[] (XSA-187) * CVE-2016-7154: use after free in FIFO event channel code (XSA-188) xen (4.4.1-9+deb8u6) jessie-security; urgency=high . * CVE-2015-8338, CVE-2016-4480, CVE-2016-4962 * CVE-2016-5242, CVE-2016-6258 xerces-c (3.1.1-5.1+deb8u3) jessie-security; urgency=high . * Non-maintainer upload by the Security Team. * CVE-2016-4463: Apache Xerces-C XML Parser Crashes on Malformed DTD (Closes: #828990) * Enable the ability to disable DTD processing through the use of an env variable * Add NEWS.Debian entry to document the XERCES_DISABLE_DTD variable yaws (1.98-4+deb8u1) jessie; urgency=low . * Applied a patch from upstream to fix CVE-2016-1000108 (passing HTTP_PROXY to CGI scripts). Closes: #832433. zabbix (1:2.2.7+dfsg-2+deb8u1) stable; urgency=medium . * CVE-2016-4338 / ZBX-10741: fixed mysql.size shell command injection in zabbix-agent (Closes: #823329). ====================================== Sat, 04 Jun 2016 - Debian 8.5 released ====================================== ========================================================================= [Date: Sat, 04 Jun 2016 12:26:37 +0000] [ftpmaster: Archive Administrator] Removed the following packages from stable: libreoffice-zotero-integration | 4.0.22-1 | all xul-ext-zotero | 4.0.22-1 | all zotero-standalone | 4.0.22-1 | all zotero-standalone-build | 4.0.22-1 | source Closed bugs: 821343 ------------------- Reason ------------------- RoQA; unusable in jessie ---------------------------------------------- ========================================================================= ========================================================================= [Date: Sat, 04 Jun 2016 12:28:01 +0000] [ftpmaster: Archive Administrator] Removed the following packages from stable: lyz | 2.1.5-3-g895ff3a-1 | source xul-ext-lyz | 2.1.5-3-g895ff3a-1 | all Closed bugs: 824345 ------------------- Reason ------------------- RoQA; broken, dependency zotero-standalone-build removed ---------------------------------------------- ========================================================================= ========================================================================= [Date: Sat, 04 Jun 2016 12:29:15 +0000] [ftpmaster: Archive Administrator] Removed the following packages from stable: mediawiki-extensions-math | 2:1.0+git20120528-8 | all mediawiki-math | 2:1.0+git20120528-8 | source, amd64, arm64, armel, armhf, i386, mips, mipsel, powerpc, ppc64el, s390x mediawiki-math-texvc | 2:1.0+git20120528-8 | amd64, arm64, armel, armhf, i386, mips, mipsel, powerpc, ppc64el, s390x Closed bugs: 825308 ------------------- Reason ------------------- RoST; depends on mediawiki, to be removed ---------------------------------------------- ========================================================================= ========================================================================= [Date: Sat, 04 Jun 2016 12:30:08 +0000] [ftpmaster: Archive Administrator] Removed the following packages from stable: mediawiki | 1:1.19.20+dfsg-2.3 | source, all mediawiki-classes | 1:1.19.20+dfsg-2.3 | all Closed bugs: 825127 ------------------- Reason ------------------- RoST; unsupported ---------------------------------------------- ========================================================================= ========================================================================= [Date: Sat, 04 Jun 2016 12:50:40 +0000] [ftpmaster: Archive Administrator] Removed the following packages from stable: fusionforge-plugin-mediawiki | 5.3.2+20141104-3+deb8u1 | all ------------------- Reason ------------------- [auto-cruft] no longer built from source ---------------------------------------------- ========================================================================= ========================================================================= [Date: Sat, 04 Jun 2016 12:53:12 +0000] [ftpmaster: Archive Administrator] Removed the following packages from stable: cyrus-caldav | 2.4.17+caldav~beta10-18 | amd64, arm64, armel, armhf, i386, mips, mipsel, powerpc, ppc64el, s390x ------------------- Reason ------------------- [auto-cruft] NBS (no longer built by cyrus-imapd-2.4) ---------------------------------------------- ========================================================================= ========================================================================= [Date: Sat, 04 Jun 2016 13:01:16 +0000] [ftpmaster: Archive Administrator] Removed the following packages from stable: cyrus-caldav-2.4 | 2.4.17+caldav~beta10-18 | all ------------------- Reason ------------------- [auto-cruft] no longer built from source ---------------------------------------------- ========================================================================= ========================================================================= [Date: Sat, 04 Jun 2016 13:06:52 +0000] [ftpmaster: Archive Administrator] Removed the following packages from stable: pepperflashplugin-nonfree | 1.8.1 | i386 ------------------- Reason ------------------- RoQA; outdated crap ---------------------------------------------- ========================================================================= atheme-services (6.0.11-2+deb8u1) jessie-security; urgency=high . * add patch to fix CVE-2016-4478 autofs (5.0.8-2+deb8u1) jessie; urgency=medium . * Non-maintainer upload. * Remove macro debugging prints from macro_setenv (Closes: #755019) bareos (14.2.1+20141017gitc6c5b56-3+deb8u2) jessie; urgency=medium . * Fix GnuTLS backend initialization. (Closes: #819807) - Backport upstream commits in d/patches/fix-tls-backend-initalization * Add autopkgtests for TLS. * Add breaks-testbed to all tests. * Fix TLS negotiation for passive filedaemons. - Backport upstream commit in d/patches/fix-tls-passive-fds base-files (8+deb8u5) stable; urgency=low . * Changed /etc/debian_version to 8.5, for Debian 8.5 point release. botan1.10 (1.10.8-2+deb8u1) jessie-security; urgency=high . * Non-maintainer upload. * CVE-2015-5726: Fix crash in BER decoder. * CVE-2015-5727: Fix excess memory allocation in BER decoder. * CVE-2015-7827: Fix PKCS #1 v1.5 decoding was not constant time. * CVE-2016-2194: Fix infinite loop in modulur square root algorithm. * CVE-2016-2195: Fix Heap overflow on invalid ECC point. * CVE-2016-2849: Use constant time modular inverse algorithm to avoid possible side channel attack against ECDSA. cgit (0.10.2.git2.0.1-3+deb8u1) jessie-security; urgency=high . * Non-maintainer upload by the Security Team. * CVE-2016-1899: Reflected XSS and header injection in mimetype query string (Closes: #812411) * CVE-2016-1900: Stored cross site scripting and header injection in filename parameter (Closes: #812411) * CVE-2016-1901: Integer overflow resulting in buffer overflow (Closes: #812411) * filters: apply HTML escaping. Addresses cross-site scripting vulnerability in via the txt2html filter. chromium-browser (50.0.2661.94-1~deb8u1) jessie-security; urgency=medium . * New upstream security release: - CVE-2016-1660: Out-of-bounds write in Blink. Credit to Atte Kettunen. - CVE-2016-1661: Memory corruption in cross-process frames. Credit to Wadih Matar. - CVE-2016-1662: Use-after-free in extensions. Credit to Rob Wu. - CVE-2016-1663: Use-after-free in Blink’s V8 bindings. Credit to anonymous. - CVE-2016-1664: Address bar spoofing. Credit to Wadih Matar. - CVE-2016-1665: Information leak in V8. Credit to gksgudtjr456. - CVE-2016-1666: Various fixes from internal audits, fuzzing and other initiatives. chromium-browser (50.0.2661.75-2) unstable; urgency=medium . * Fix problem with linking to ffmpeg (closes: #821154). - Thanks to Sebastian Ramacher. chromium-browser (50.0.2661.75-1) unstable; urgency=medium . * New upstream stable release: - CVE-2016-1652: Universal XSS in extension bindings. Credit to anonymous. - CVE-2016-1653: Out-of-bounds write in V8. Credit to Choongwoo Han. - CVE-2016-1651: Out-of-bounds read in Pdfium JPEG2000 decoding. - CVE-2016-1654: Uninitialized memory read in media. Credit to Atte Kettunen. - CVE-2016-1655: Use-after-free related to extensions. Credit to Rob Wu. - CVE-2016-1657: Address bar spoofing. Credit to Luan Herrera. - CVE-2016-1658: Potential leak of sensitive information to malicious extensions. Credit to Antonio Sanso. - CVE-2015-1659: Various fixes from internal audits, fuzzing and other initiatives. chromium-browser (50.0.2661.75-1~deb8u1) jessie-security; urgency=medium . * New upstream stable release: - CVE-2016-1652: Universal XSS in extension bindings. Credit to anonymous. - CVE-2016-1653: Out-of-bounds write in V8. Credit to Choongwoo Han. - CVE-2016-1651: Out-of-bounds read in Pdfium JPEG2000 decoding. - CVE-2016-1654: Uninitialized memory read in media. Credit to Atte Kettunen. - CVE-2016-1655: Use-after-free related to extensions. Credit to Rob Wu. - CVE-2016-1657: Address bar spoofing. Credit to Luan Herrera. - CVE-2016-1658: Potential leak of sensitive information to malicious extensions. Credit to Antonio Sanso. - CVE-2015-1659: Various fixes from internal audits, fuzzing and other initiatives. chromium-browser (49.0.2623.108-2) experimental; urgency=medium . * Build packages for armhf (closes: #799939). chromium-browser (49.0.2623.108-1) unstable; urgency=medium . * New upstream security release: - CVE-2016-1646: Out-of-bounds read in V8. Credit to Wen Xu. - CVE-2016-1647: Use-after-free in Navigation. Credit to anonymous. - CVE-2016-1648: Use-after-free in Extensions. Credit to anonymous. - CVE-2016-1649: Buffer overflow in libANGLE. Credit to lokihardt. - CVE-2016-1650: Various fixes from internal audits, fuzzing and other initiatives. chrony (1.30-2+deb8u2) jessie; urgency=medium . * Fix CVE-2016-1567: Restrict authentication of server/peer to specified key. (Closes: #812923) . * debian/postrm: - Remove /var/lib/chrony on purge only. (Closes: #568492) . * debian/logrotate: - Rework postrotate script. (Closes: #763542) clamav (0.99.2+dfsg-0+deb8u1) stable; urgency=medium . * Import new Upstream. * Drop AllowSupplementaryGroups option which is default now (Closes: #822444). * Let the LSB init script have more consistent output. Patch by Guillem Jover (Closes: #823074). * Ensure the users of PRIVATE symbols (clamd + freshclam) do not fall behind a upstream version (Closes: #824485). * also remove bytecode.cld on purge clamav (0.99.1+dfsg-1) unstable; urgency=medium . [ Scott Kitterman ] * Update version guards for pid file checks in clamav-daemon and clamav- freshclam to account for squeeze-lts upload that did not include the related change * Bump standards version to 3.9.7 without further change * Bump debhelper minimum version requirement to 9 to match compat * Drop squeeze related work-arounds now that squeeze-lts is no longer supported - Strip llvm from the upstream tarball in Files-Excluded to make it more compatct (system llvm is always used now) - Clean up debian/rules by removing squeeze specific configuration and work arounds . [ Adriano Rafael Gomes ] * Brazilian Portuguese debconf templates translation (Closes: #816956). . [ Sebastian Andrzej Siewior ] * Import new upstream * Drop patches applied upstream: - add-LLVM-3.6-support.patch - libclamav-yara-avoid-unaliged-access-to-64bit-variab.patch * add new clamd.conf options. * update symbol version for cl_retflevel due to CL_FLEVEL change. * use a https:// prefix in VCS-* links and for the homepage. * use "hardening=+all" for building. * fixup typos in copyright file * exclude .zip files dh_strip_nondeterminism because it currently breaks them. This `repairs' the .zip files in clamav-testfiles. * Update pid checks clamav-daemon and clamav-freshclam match lower than 0.99 version (to catch the upgrade path). * Apply malloc() check, from clamav's bugzilla #11524, #11526, #11529 clamav (0.99+dfsg-2) unstable; urgency=medium . * Use compat 9 and drop clamav-dbg in favour of dbgsym. * use libtfm-dev instead of in-tree copy and drop all tfm related patches. * Add libclamav-yara-avoid-unaliged-access-to-64bit-variab.patch to get the testsuite passed on sparc. It also seem avoid invalid loads on ARMv5 cpus. clamav (0.99+dfsg-1) unstable; urgency=medium . * Import final release of 0.99 * suggest libclamunrar7 instead of libclamunrar6 cyrus-imapd-2.4 (2.4.17+nocaldav-0~deb8u1) jessie; urgency=medium . * [CVE-2015-8077,CVE-2015-8077,CVE-2015-8078]: fix urlfetch range handling flaw in Cyrus IMAP * Remove the experimental caldav support * Replication got unbroken with caldav support removal (Closes: #799724) * Always disable SSLv3 and TLS compression * Workaround subshell losing variables in while loop (Closes: #803976) * Don't fail when database type disappears, just warn the user (Closes: #803965) debian-edu (1.812+deb8u1) jessie; urgency=medium . [ Mike Gabriel ] * Add libdns-mdns to tasks/desktop-other and tasks/main-server (together with avahi-daemon) to make CUPS browsing really functional. This makes automatic printer discovery via CUPS browsing work on multicast-enabled networks. (Closes: #791995). Also add avahi-discover, mdns-scan, avahi-autoipd and kdnssd to tasks/main-server as suggested packages. debian-edu-config (1.818+deb8u1) jessie; urgency=low . [ Petter Reinholdtsen ] * Translation updates: - Updated Brazilian Portuguese translation for debconf questions (Closes: #785467). Translated by Adriano Rafael Gomes. . [ Mike Gabriel ] * Add quotes around DNs when evoking kadmin.local in gosa-create and gosa-create-host. (Closes: #792042). * debian-edu-fsautoresize: Always use mapper names instead of kernel names when detecting supported mount points. (Closes: #800651). Thanks to Wolfgang Schweer and Giorgio Pioda. * gosa-sync: Test if a given user account actually is a Kerberos account. If not, don't try to set the Kerberos password for this account. (Closes: #798435). * gosa-sync: Fix escaping double quotes and semicolons. (Closes: #794000). * exim4 mainserver configuration: Allow Debian Edu clients on the default Debian Edu network to directly send mails to the main server (by white- listing the 10./8 network). This fixes console mailing and system mails on Debian Edu clients (Closes: #794602). * Set configVersion="Managed-by-Debian-Edu" in gosa.conf. (Closes: #794189). This requires gosa (>= 2.7.4+reloaded2-1+deb8u2~) to be installed on the main server. * wpad.dat: Use DIRECT connects for URL hosts being in network 127./8 and for hosts being in the .local domain. (Closes: #803911). * GOsa: Add POSTLOCK and POSTUNLOCK hooks for GOsa password locking. These hook scripts (gosa-lock-user, gosa-unlock-user) take care of locking/ unlocking the Kerberos part of user accounts. (Closes: #804207). * Adapt to a code injection prevention fix in GOsa (starting with Debian package gosa 2.7.4+reloaded2-1+deb8u2): Don't mention the sambaHashHook parameter in gosa.conf anymore (as hashed passwords now have to be base64 encoded). Already existing gosa.conf files on deployed servers should drop the sambaHashHook from the gosa.conf file, as well, once gosa is updated to the above referenced GOsa version. * CUPS: Do hostname lookups, so https redirects are done to the FQDN of the CUPS server instead of to its IP address. (Closes: #805402). * Improve gosa-lock-user, gosa-unlock-user: When logging success/failure, differentiate between non-existent and non-kerberized accounts. * Don't create home dir and Kerberos principal for GOsa user template account. (Closes: #815040). . [ Wolfgang Schweer ] * Adjust tools/subnet-change for squid3. (Closes: #800654) * Fix XML syntax error in gosa.conf. (Closes: #820551). * Add script sbin/debian-edu-nscd-netgroup-cache (workaround for #791562). debian-edu-doc (1.6~20160528+deb8u1) jessie; urgency=medium . [ Holger Levsen ] * Update Debian Edu Jessie and Wheezy manuals from the wiki. * Update debian/copyright from the wiki using the update-copyright target. . [ Wolfgang Schweer ] * Adjust Danish po file to fix building the Jessie PDF manual. . [ Jessie Manual translation updates ] * Norwegian Bokmål: Ingrid Yrvin. * German: Wolfgang Schweer. * Dutch: Frans Spiesschaert. * Italian: Claudio Carboncini. * Danish: Joe Hansen. * French: Cédric Boutillier. . [ Wheezy Manual translation updates ] * Norwegian Bokmål: Ingrid Yrvin. debian-edu-doc (1.6~20150704~8+edu0) unstable; urgency=medium . [ Holger Levsen ] * Update Debian Edu Jessie and Wheezy manuals from the wiki. . [ Jessie Manual translation updates ] * German: Wolfgang Schweer. * Italian: Claudio Carboncini. * Dutch: Frans Spiesschaert. * Norwegian Bokmål: Petter Reinholdtsen, Ingrid Yrvin. * Danish: Joe Dalton. * French: Cédric Boutillier. . [ Wheezy Manual translation updates ] * German: Wolfgang Schweer. * Dutch: Frans Spiesschaert. * Norwegian Bokmål: Petter Reinholdtsen, Ingrid Yrvin. . [ Rosegarden Manual updates ] * Norwegian Bokmål: Ingrid Yrvin. . [ Audacity Manual updates ] * Norwegian Bokmål: Ingrid Yrvin. debian-edu-install (1.821+deb8u1) jessie; urgency=medium . * Update version number to 8+edu0 in preparation of our first Jessie release. debian-installer (20150422+deb8u4) jessie; urgency=medium . [ Steve McIntyre ] * Add sata-modules for arm64 - some machines do have SATA CD debian-installer-netboot-images (20150422+deb8u4) jessie; urgency=medium . [ Didier Raboud ] * Swap the d-i Built-Using with the installer fetching, to fail on version mismatches earlier (Closes: #819586). . [ Cyril Brulebois ] * Update to 20150422+deb8u4 images, from jessie-proposed-updates didiwiki (0.5-11+deb8u2) jessie-security; urgency=high . * debian/patches: - 91_check_page_path.patch: updated patch to correct restrictive behavior, rendering pages beginning with non alpha-numeric UTF-8 characters, such as "à", inaccessible. Thank you Sergio Gelato for your report and help! (Closes: #818708) dpkg (1.17.27) jessie; urgency=medium . [ Guillem Jover ] * Add more Conflicts for removed packages expecting dpkg to ship install-info. Namely ada-mode and octave2.1-info. Closes: #783657 Thanks to Andreas Beckmann . * Remove trailing space before handling blank line dot-separator in Dpkg::Control::HashCore. Regression introduced in dpkg 1.17.25. Reported by Jakub Wilk . Closes: #789580 * Only use the SHELL environment variable for interactive shells. Closes: #788819 * Move tar option --no-recursion before -T in dpkg-deb. With tar > 1.28 the --no-recursion option is now positional, and needs to be passed before the -T option, otherwise the tarball will end up with duplicated entries. Thanks to Richard Purdie . Closes: #807940 * Initialize Config-Version also for packages previously in triggers-pending state, otherwise we end up not passing the previously configured version to «postinst configure», which might consider this a first install instead of an upgrade. Closes: #801156 * Fix memory leak in dpkg infodb format upgrade logic. * Fix physical file offset comparison in dpkg. Closes: #808912 Thanks to Yuri Gribov . * Add kfreebsd-armhf support to ostable and triplettable. Closes: #796283 Thanks to Steven Chamberlain . * Add NIOS2 support to cputable. Thanks to Marek Vasut . * Build system: - Set PERL5LIB globally for the test suite to the local modules directory, to avoid using the system modules. Regression introduced in dpkg 1.17.8. Reported by Jérémy Bobbio . Closes: #801329 - When sys_siglist is defined in the system, try to use NSIG as we cannot compute the array size with sizeof(). If NSIG is missing fallback to 32 items. Prompted by Igor Pashev . . [ Updated scripts translations ] * German (Helge Kreutzmann). (Various fixes) . [ Updated manpages translations ] * German (Helge Kreutzmann). (Various fixes) enigmail (2:1.8.2-4~deb8u1) jessie-security; urgency=high . * Upload requested by security team. enigmail (2:1.8.2-4~deb7u1) wheezy-security; urgency=high . * Upload requested by security team. enigmail (2:1.8.2-3) unstable; urgency=medium . * Reproducibility: - make build date use $SOURCE_DATE_EPOCH when available - sort keys for perl-generated .dtd files enigmail (2:1.8.2-2) unstable; urgency=medium . * upload to unstable. enigmail (2:1.8.2-1) experimental; urgency=medium . * New upstream release. * More strongly encourage the use of gnupg2 in Depends and Recommends; enigmail 1.9 will make gnupg 2.x a requirement. enigmail (2:1.8.2~beta3-1) experimental; urgency=medium . * New upstream beta release. enigmail (2:1.8.1-1) experimental; urgency=medium . * New upstream release. enigmail (2:1.8-1) experimental; urgency=medium . * New Upstream Release. * move from autotools-dev to dh-autoreconf evince (3.14.1-2+deb8u1) stable; urgency=medium . [ Jason Crain ] * Add reload-page-count.patch. Fix crash when document has pages removed and is reloaded. Update the end page index when the document is reloaded. (Closes: #805276) * Add check-load-job-success.patch. Fix crash in recent documents view when a recent document fails to load. Check whether a document's load job failed before creating it's thumbnail. (Closes: #762719) expat (2.1.0-6+deb8u2) jessie-security; urgency=high . * Avoid relying on undefined behavior in CVE-2015-1283 fix. * Apply upstream patch to fix the root cause of CVE-2016-0718 and CVE-2016-0719 vulnerabilities. ext4magic (0.3.2-2+deb8u1) stable; urgency=medium . * debian/patches/fix-recover-examine.patch: added as a temporary work around to fix an issue which makes impossible to recover or examine Ext4 filesystems. Thanks to Roberto Maar , the ext4magic upstream. (Closes: #802089) fusionforge (5.3.2+20141104-3+deb8u2) jessie; urgency=medium . * Disable Mediawiki plugin, since Mediawiki itself is going out of support in Jessie. gitolite3 (3.6.1-2+deb8u1) stable; urgency=medium . * Bug fix: "Git-annex-shell not working", thanks to risca (Closes: #819941). Enable repository paths without '~/'. Cherry picked from upstream commit, 276cf761de0522a19b0312f4466fc497a2a38b5f glusterfs (3.5.2-2+deb8u2) jessie-proposed-updates; urgency=medium . * Add missing glusterd hook script to glusterfs-server package. Closes: #824823 gosa (2.7.4+reloaded2-1+deb8u2) jessie; urgency=medium . [ Mike Gabriel ] * debian/patches: + Add 1009_fix-insertDhcp-icon-in-dhcp-section-overview.patch. Fix label stripping in GOsa²'s image() function. This fixes displaying the insertDhcp* icon in the DHCP service plugin. (Closes: #794117). + Add 2009_allow-Debian-blends-to-override-gosa-conf.patch. Allow Debian blends to provide their own version of gosa.conf and not get bugged by GOsa's notification message on gosa.conf template changes. Debian blends using GOsa (e.g., Edu, LAN) must handle gosa.conf updates themselves. (Closes: #794118). + Add 0004_fix-get-post.patch. Fix transferral of POST variables. + Add 1010_fix-entry-removal-in-mail-plugin.patch. Fix entry deletion of items in "alternatives addresses" and "forward messages to non-group members" for group mail objects. (LP:#1307483). + Add 0005_fix-password-expiry-status.patch. Fix expiration status for passwords if shadowMax is used in POSIX/shadow accounts. + Add 1011_define-isPluginModified.patch. Fix undefined property error for non-defined usertags::$isPluginModified. (Closes: #794690). + Add 1012_allow-one-level-domains-in-email-addresses.patch. Allow one-level domains in email addresses (such as @intern, as used in Debian Edu by default). (Closes: #794738). . [ Holger Levsen ] * Fixup PHP syntax in 1010_fix-entry-removal-in-mail-plugin.patch. See #796823 for the details. * Cherry-picked from 2.7.4+reloaded2-6 from Mike Gabriel: + Add 0006_code-injection-in-samba-hash-generation.patch, 0007_update-sambaHashHook-description.patch. Fix potential code injection issue in Samba hash generation. (CVE-2015-8771) + Update 1004_fix-typos-in-man-pages.patch due to cherry-picking 0007_update-sambaHashHook-description.patch from upstream. gpa (0.9.5-2+deb8u1) jessie; urgency=high . * Add patch fixing checks of dialog return values (Closes: #820342) groovy (1.8.6-4+deb8u1) stable; urgency=high . * Fix remote execution of untrusted code and possible DoS vulnerability. (CVE-2015-3253) (Closes: #793397). hexchat (2.10.1-1+deb8u1) jessie; urgency=medium . * Security Update: verify hostnames when ssl is in use - debian/patches/ssl_verify_hostnames.patch - CVE-2013-7449 (Closes: #818009) hivex (1.3.10-2+deb8u2) jessie; urgency=medium . * Fix ruby-hivex installation (Closes: #819261) icedove (38.8.0-1~deb8u1) stable-security; urgency=medium . [ Guido Günther ] * [ee8dd49] Clarify relation between icedove and the calendar extensions (Closes: #809017) . [ Christoph Goehre ] * [bac2d5b] Imported Upstream version 38.8.0 - MFSA 2016-36 aka CVE-2016-1979 - MFSA 2016-39 aka CVE-2016-2807, CVE-2016-2805 icedove (38.7.2-1) unstable; urgency=medium . * [397cd7a] Imported Upstream version 38.7.2 icedove (38.7.0-1) unstable; urgency=medium . [ Christoph Goehre ] * [cb9c003] Imported Upstream version 38.7.0 * [7273cb9] bump up standards version to 3.9.7 (no changes needed) . [ Carsten Schoenert ] * [0341a8c] debian/control: switch URI for the Vcs fields to https icedove (38.7.0-1~deb8u3) jessie; urgency=medium . * Non-maintainer upload. * Try to fix the build on mips: disable jit. Per the iceweasel changelog, only mipsel is supported. icedove (38.7.0-1~deb8u2) jessie; urgency=medium . * Non-maintainer upload: steal arm build fixes from the firefox package. . [ Mike Hommey ] * media/libvpx/moz.build: Build libvpx neon code without -mthumb and -mfloat-abi=softfp. Closes: #795337. * configure.in: Build libvpx neon code with -mfloat-abi=softfp on armel. icedove (38.7.0-1~deb8u1) stable-security; urgency=medium . * [cb9c003] Imported Upstream version 38.7.0 - MFSA 2016-16 aka CVE-2016-1952 - MFSA 2016-17 aka CVE-2016-1954 - MFSA 2016-20 aka CVE-2016-1957 - MFSA 2016-23 aka CVE-2016-1960 - MFSA 2016-24 aka CVE-2016-1961 - MFSA 2016-27 aka CVE-2016-1964 - MFSA 2016-31 aka CVE-2016-1966 - MFSA 2016-34 aka CVE-2016-1974 - MFSA 2016-35 aka CVE-2016-1950 - MFSA 2016-37 aka CVE-2016-1977, CVE-2016-2790, CVE-2016-2791, CVE-2016-2792, CVE-2016-2793, CVE-2016-2794, CVE-2016-2795, CVE-2016-2796, CVE-2016-2797, CVE-2016-2798, CVE-2016-2799, CVE-2016-2800, CVE-2016-2801, CVE-2016-2802 icedove (38.7.0-1~deb7u1) oldstable-security; urgency=medium . * [cb9c003] Imported Upstream version 38.7.0 - MFSA 2016-16 aka CVE-2016-1952 - MFSA 2016-17 aka CVE-2016-1954 - MFSA 2016-20 aka CVE-2016-1957 - MFSA 2016-23 aka CVE-2016-1960 - MFSA 2016-24 aka CVE-2016-1961 - MFSA 2016-27 aka CVE-2016-1964 - MFSA 2016-31 aka CVE-2016-1966 - MFSA 2016-34 aka CVE-2016-1974 - MFSA 2016-35 aka CVE-2016-1950 - MFSA 2016-37 aka CVE-2016-1977, CVE-2016-2790, CVE-2016-2791, CVE-2016-2792, CVE-2016-2793, CVE-2016-2794, CVE-2016-2795, CVE-2016-2796, CVE-2016-2797, CVE-2016-2798, CVE-2016-2799, CVE-2016-2800, CVE-2016-2801, CVE-2016-2802 icedove (38.6.0-1) unstable; urgency=medium . [ Guido Günther ] * [195730d] Clarify relation between icedove and the calendar extensions (Closes: #809017) . [ Christoph Goehre ] * [988ce5b] Imported Upstream version 38.6.0 * [6763f6f] debian/source.filter: remove evil-licensed jshint.js (Closes: #813053) icedove (38.6.0-1~deb8u1) stable-security; urgency=medium . * [988ce5b] Imported Upstream version 38.6.0 - MFSA 2015-150 aka CVE-2015-7575 - MFSA 2016-01 aka CVE-2016-1930 - MFSA 2016-03 aka CVE-2016-1935 - MFSA 2016-14 aka CVE-2016-1523 icedove (38.6.0-1~deb7u1) oldstable-security; urgency=medium . * [988ce5b] Imported Upstream version 38.6.0 - MFSA 2015-150 aka CVE-2015-7575 - MFSA 2016-01 aka CVE-2016-1930 - MFSA 2016-03 aka CVE-2016-1935 - MFSA 2016-14 aka CVE-2016-1523 icedove (38.5.0-1) unstable; urgency=medium . [ Christoph Goehre ] * [6d45b0b] Imported Upstream version 38.5.0 * [316798f] debian/rules: split override_dh_install into arch and indep section (Closes: #806047) . [ Carsten Schoenert ] * [5b3cb7a] add myself to the uploaders icedove (38.5.0-1~deb8u1) stable-security; urgency=medium . * [6d45b0b] Imported Upstream version 38.5.0 - MFSA 2015-134 aka CVE-2015-7201 - MFSA 2015-139 aka CVE-2015-7212 - MFSA 2015-145 aka CVE-2015-7205 - MFSA 2015-146 aka CVE-2015-7213 - MFSA 2015-149 aka CVE-2015-7214 icedove (38.5.0-1~deb7u1) oldstable-security; urgency=medium . * [6d45b0b] Imported Upstream version 38.5.0 - MFSA 2015-134 aka CVE-2015-7201 - MFSA 2015-139 aka CVE-2015-7212 - MFSA 2015-145 aka CVE-2015-7205 - MFSA 2015-146 aka CVE-2015-7213 - MFSA 2015-149 aka CVE-2015-7214 icedove (38.4.0-1) unstable; urgency=medium . [ Christoph Goehre ] * [754392e] Imported Upstream version 38.4.0 * [ef4b733] debian/watch: adjust download url . [ Carsten Schoenert ] * [f3f5455] lintian: remove icedove.menu file due CTTE#741573 icedove (38.4.0-1~deb8u1) stable-security; urgency=medium . * [754392e] Imported Upstream version 38.4.0 - MFSA 2015-116 aka CVE-2015-4513 - MFSA 2015-122 aka CVE-2015-7188 - MFSA 2015-123 aka CVE-2015-7189 - MFSA 2015-127 aka CVE-2015-7193 - MFSA 2015-128 aka CVE-2015-7194 - MFSA 2015-131 aka CVE-2015-7198, CVE-2015-7199, CVE-2015-7200 - MFSA 2015-132 aka CVE-2015-7197 - MFSA 2015-133 aka CVE-2015-7181, CVE-2015-7182, CVE-2015-7183 icedove (38.4.0-1~deb7u1) oldstable-security; urgency=medium . * [754392e] Imported Upstream version 38.4.0 - MFSA 2015-116 aka CVE-2015-4513 - MFSA 2015-122 aka CVE-2015-7188 - MFSA 2015-123 aka CVE-2015-7189 - MFSA 2015-127 aka CVE-2015-7193 - MFSA 2015-128 aka CVE-2015-7194 - MFSA 2015-131 aka CVE-2015-7198, CVE-2015-7199, CVE-2015-7200 - MFSA 2015-132 aka CVE-2015-7197 - MFSA 2015-133 aka CVE-2015-7181, CVE-2015-7182, CVE-2015-7183 * [2a139f9] debian/rules: build with gcc 4.7 icedove (38.3.0-2) unstable; urgency=medium . * [c988747] Add unminified jquery and jquery-ui files with the exact version as used by upstream thunderbird. We don't want to use the minified versions mozilla ships and can't use what is currently packaged in Jessie or Stretch since these are too recent. (Closes: #802281) icedove (38.3.0-1) unstable; urgency=medium . [ Carsten Schoenert ] * [0f8b6a4] Imported Upstream version 38.3.0 * [566273a] debian/copyright: fixup's and update icedove (38.3.0-1~deb8u1) stable-security; urgency=medium . [ Carsten Schoenert ] * [0f8b6a4] Imported Upstream version 38.3.0 * [1c01f2a] rebuild patch queue from patch-queue branch added patches: - debian-hacks/changing-the-default-search-engine.patch - debian-hacks/fix-identification-of-ObjdirMismatchException.patch - fixes/Bug-1165654-Cleanup-how-libjpeg-turbo-assembly-build.patch - fixes/Bug-1168231-Fixup-to-keep-file-type.patch - fixes/Bug-1168231-Normalize-file-mode-in-jars.patch - porting/Remove-duplicate-SkDiscardableMemory_none.cpp-from-g.patch - reproducible/Bug-1166243-Remove-build-function-from-js-and-xpc-sh.patch - reproducible/Bug-1168316-Remove-build-machine-name-from-about-bui.patch - reproducible/Generate-sorted-libical-header-list - jessie-security/decrease-SQLVERSION-to-jessie-version.patch - porting-mips/Fix-build-error-in-MIPS-SIMD-when-compiling-with-mfp.patch removed patches: - debian-hacks/fixing-various-FTBFS-due-different-datatype-char-beh.patch - fixes/Include-cstdlib-in-gfx-angle-src-compiler-Types.h-fo.patch - iceowl/adjust-calendar-google-provider-to-Google-Calendar-A.patch - iceowl/get-rid-of-subdir-shim-in-gdata-provider.patch - porting-armel/disable-some-libopus-feature-for-ARCH-ARMv6.patch - porting-armhf/FTBFS-armhf-fixing-ARM-CPU-detection.patch * [8de7b23] Revert "debian/rules: move some gdata modules into 'shim' subdir" * [8d744ab] debian/rules: be more flexible on *.xpi files * [fbf3c49] d/icedove.install: mozilla-xremote-client was removed * [b92379b] debian/control: increase package versions * [8f37331] lintian: adding one more source override * [b52a791] lintian: adding new override for the icedove package * [cb23f5e] icedove branding: adopt upstream changes * [33712e9] debian/control: increase b-d versions * [9b536a7] debian/control: adding new package to Breaks field * [ed27ae0] mozconfig.default: adding some explicit configure options * [fabbf70] complete rewrite of copyright information * [a82b740] switching to libgstreamer1.0* * [a872e7b] debian/rules: setting MOZ_BUILD_DATE explicitly * [7f4711f] debian/copyright: more minor updates to the copyright file * [4288e0b] debian/rules: adding switch for no icedove-dbg build * [1e5040f] debian/control: icedove is now recommending iceowl-extension * [f76c02a] adding release related information * [7aae173] debian/vendor.js: adjusting WhatNew link to more dedicated URL * [08ef111] mozconfig.default: don't use icu from system * [d909565] debian/iceowl-extension.lintian-overrides: remove file * [7d730ac] debian/source.lintian-overrides: adding new entries * [8ca9fa4] debian/icedove-dev.links: adding some extra links * [18fd52b] debian/icedove.lintian-overrides: adding more overrides * [9c0a259] debian/mozconfig.default: switch to use internal libs * [5b0a7d6] debian/mozconfig.default: order arch in alphabetical order * [68b5122] debian/rules: remove more dev-libs before linking * [5e8c3d2] debian/copyright: fixup's and update * [1ae0cc6] debian/control: adjust Build-Depends due usage of internal libs * [644e9e4] debian/source.filter: adopt filter list from master . [ Christoph Goehre ] * [e6dc2df] debian/NEWS: adding notes around new security changes * [b573ec6] add missing epoch in libnss3-dev build depends * [39e5656] lintian: fix spelling error in debian/README.Debian * [ff339ce] Add unminified jquery and jquery-ui files (Closes: #802281) . [ Dominik George ] * [0515ab0] debian/control: Upgrade Breaks relation to enigmail (Closes: #782686) icedove (38.3.0-1~deb7u1) oldstable-security; urgency=medium . [ Carsten Schoenert ] * [0f8b6a4] Imported Upstream version 38.3.0 * [911052d] rebuild patch queue from patch-queue branch added patches: - debian-hacks/changing-the-default-search-engine.patch - debian-hacks/fix-identification-of-ObjdirMismatchException.patch - fixes/Bug-1165654-Cleanup-how-libjpeg-turbo-assembly-build.patch - fixes/Bug-1168231-Fixup-to-keep-file-type.patch - fixes/Bug-1168231-Normalize-file-mode-in-jars.patch - p-kfree-hurd/FTBFS-hurd-adding-the-HURD-platform-to-the-configure.patch - porting-powerpcspe/FTBFS-powerpcspe-disable-AltiVec-instructions.patch - porting/Remove-duplicate-SkDiscardableMemory_none.cpp-from-g.patch - porting/ppc-fix-divide-page-size-in-jemalloc.patch - reproducible/Bug-1166243-Remove-build-function-from-js-and-xpc-sh.patch - reproducible/Bug-1168316-Remove-build-machine-name-from-about-bui.patch - reproducible/generate-sorted-output-while-header-creation.patch - porting-mips/Fix-build-error-in-MIPS-SIMD-when-compiling-with-mfp.patch modified patches: - debian-hacks/remove-non-free-W3C-icon-valid.png.patch - p-kfree-hurd/ipc-chromium-fix-if-define-for-kFreeBSD-and-Hurd.patch - wheezy-security/sqlite-dev-revert-version-to-3.7.13.patch deleted patches: - fixes/Include-cstdlib-in-gfx-angle-src-compiler-Types.h-fo.patch - iceowl/adjust-calendar-google-provider-to-Google-Calendar-A.patch - iceowl/get-rid-of-subdir-shim-in-gdata-provider.patch - porting-armel/disable-some-libopus-feature-for-ARCH-ARMv6.patch * [590a0df] Revert "debian/rules: move some gdata modules into 'shim' subdir" * [9b0e68b] lintian: adding one more source override * [f914904] lintian: adding new override for the icedove package * [63bd065] icedove branding: adopt upstream changes * [b2d897c] debian/control: adding new package to Breaks field * [2113754] mozconfig.default: adding some explicit configure options * [b1ae394] complete rewrite of copyright information * [98a5a00] debian/rules: setting MOZ_BUILD_DATE explicitly * [c1e3dae] debian/copyright: more minor updates to the copyright file * [bddd498] debian/rules: adding switch for no icedove-dbg build * [68981d0] debian/control: icedove is now recommending iceowl-extension * [5c9665c] adding release related information * [1e683cd] debian/vendor.js: adjusting WhatNew link to more dedicated URL * [1e449ff] mozconfig.default: don't use icu from system * [18160f3] debian/iceowl-extension.lintian-overrides: remove file * [76d32d8] debian/source.lintian-overrides: adding new entries * [48c6c84] debian/icedove-dev.links: adding some extra links * [fb1f375] debian/icedove.lintian-overrides: adding more overrides * [10d441d] debian/mozconfig.default: order arch in alphabetical order * [b600d0a] debian/copyright: fixup's and update * [e72dc60] debian/source.filter: adopt filter list from master * [96ec240] debian/rules: be more flexible on *.xpi files . [ Christoph Goehre ] * [f3764f5] debian/NEWS: adding notes around new security changes * [65d5220] debian/rules: fix icedove-dbg build switch * [27d8f5f] lintian: fix spelling error in debian/README.Debian * [64c635a] Add unminified jquery and jquery-ui files (Closes: #802281) . [ Dominik George ] * [bb837cd] debian/control: Upgrade Breaks relation to enigmail (Closes: #782686) icedove (38.2.0-2) unstable; urgency=medium . * [8bcb08b] relax optimize to -O1 on s390x (Closes: #797551) * [6aa0915] debian/rules: Disable jit on mips (Closes: #797548) icedove (38.2.0-1) unstable; urgency=medium . * [d46d5f6] rebuild patch queue from patch-queue branch added patches: - porting-mips/Fix-build-error-in-MIPS-SIMD-when-compiling-with-mfp.patch icedove (38.2.0-1~stretch) stretch; urgency=medium . [ Carsten Schoenert ] * [05b245f] Imported Upstream version 38.2.0 (Closes: #796323) - MFSA 2015-59 aka CVE-2015-2724, CVE-2015-2725, CVE-2015-2726 - MFSA 2015-63 aka CVE-2015-2731 - MFSA 2015-66 aka CVE-2015-2734, CVE-2015-2735, CVE-2015-2736, CVE-2015-2737, CVE-2015-2738, CVE-2015-2739, CVE-2015-2740 - MFSA 2015-70 aka CVE-2015-4000 - MFSA 2015-71 aka CVE-2015-2721 - MFSA 2015-65 aka CVE-2015-2741 - MFSA 2015-79 aka CVE-2015-4474 * [43c8195] rebuild patch queue from patch-queue branch * [c75bdad] debian/control: increase B-D on libnss3-dev * [942bcbe] debian/iceowl-extension.lintian-overrides: remove file * [7131e4d] debian/source.lintian-overrides: adding new entries * [8882360] mozconfig.default: don't use icu from system icedove (38.1.0-1) unstable; urgency=medium . [ Carsten Schoenert ] * [3d27760] Imported Upstream version 38.1.0 (Closes: #790651) * [2cb6cd7] rebuild patch queue from patch-queue branch added patches: - fixes/Bug-1165654-Cleanup-how-libjpeg-turbo-assembly-build.patch - reproducible/Generate-sorted-libical-header-list (Closes: #794456) icedove (38.0.1-1) unstable; urgency=medium . [ Carsten Schoenert ] * [5acef6a] debian/gbp.conf: adopt new upstream branch * [6f88792] Imported Upstream version 38.0.1 (Closes: #358680, #472601, #634316, #691176, #751786, #777908) * [18bba9d] debian/gbp.conf: respect new git-buildpackage behaviour * [26bbdac] rebuild patch queue from patch-queue branch added patches: - debian-hacks/changing-the-default-search-engine.patch (Closes: #780595) - fixes/Bug-1168231-Fixup-to-keep-file-type.patch - fixes/Bug-1168231-Normalize-file-mode-in-jars.patch - reproducible/Bug-1166243-Remove-build-function-from-js-and-xpc-sh.patch - reproducible/Bug-1168316-Remove-build-machine-name-from-about-bui.patc deleted patches: - debian-hacks/remove-timestamps-from-c_cpp-macros-for-reproducibil.patch * [71938b9] debian/rules: setting MOZ_BUILD_DATE explicitly * [e50d708] debian/copyright: more minor updates to the copyright file * [b232895] debian/rules: adding switch for no icedove-dbg build * [bcc15aa] debian/control: icedove is now recommending iceowl-extension * [564a19e] adding release related information * [2ec0053] debian/vendor.js: adjusting WhatNew link to more dedicated URL . [ Christoph Goehre ] * [a9c25b6] lintian: fix spelling error in debian/README.Debian * [2cc2c07] debian/rules: fix icedove-dbg build switch . icedove (38.0~b5-1) experimental; urgency=medium . [ Carsten Schoenert ] * [7e3cab4] Imported Upstream version 38.0~b5 * [3edbafc] Revert "debian/control: remove build-dep on libnotify-dev" * [5e69bab] debian/control: increase b-d versions * [6e6ae36] rebuild patch queue from patch-queue branch added patches: - debian-hacks/remove-timestamps-from-c_cpp-macros-for-reproducibil.patch obsolete patches (fixed in Debian): - adopting-SQLITE3-version.patch * [ac7b760] mozconfig.default: adding some explicit configure options * [81fd6e6] complete rewrite of copyright information * [327dd45] switching to libgstreamer1.0* . [ Christoph Goehre ] * [9877ea3] lintian: add override for libpng . icedove (38.0~b2-1) experimental; urgency=medium . [ Carsten Schoenert ] * [b08d966] debian/source.filter: modifying file list to ignore * [88fd018] Imported Upstream version 38.0~b2 * [e9da8f8] icedove branding: adopt upstream changes * [3610daa] debian/control: increase b-d versions * [950fae7] rebuild patch queue from patch-queue branch modified patches: - system-libs/Allow-to-build-against-system-libffi.patch - porting-kfreebsd-hurd/FTBFS-hurd-fixing-unsupported-platform-Hurd.patch obsolete patches (fixed upstream): - porting/Reintroduce-pixman-code-path-removed-in-bug-1097776-.patch * [1820d7c] debian/control: adding xul-ext-compactheader to Breaks field . [ Dominik George ] * [4181126] debian/control: Upgrade Breaks relation to enigmail (Closes: #782686) . icedove (36.0~b1-2) experimental; urgency=medium . * [26c0027] rebuild patch queue from patch-queue branch added patches: - porting/Reintroduce-pixman-code-path-removed-in-bug-1097776-.patch - porting/Remove-duplicate-SkDiscardableMemory_none.cpp-from-g.patch - porting/ppc-fix-divide-page-size-in-jemalloc.patch (Closes: #780404) . icedove (36.0~b1-1) experimental; urgency=medium . [ Carsten Schoenert ] * [68112a3] Imported Upstream version 36.0~b1 * [3120361] rebuild patch queue from patch-queue branch obsolete patches (fixed upstream): - debian-hacks/fixing-various-FTBFS-due-different-datatype-char-beh.patch - porting-arm/FTBFS-armhf-fixing-ARM-CPU-detection.patch modified patches: - debian-hacks/Strip-version-number.patch - p-kfree-hurd/FTBFS-hurd-fixing-unsupported-platform-Hurd.patch - p-kfree-hurd/correcting-file-inclusion-for-kfreebsd.patch - p-kfree-hurd/ipc-chromium-fix-if-define-for-kFreeBSD-and-Hurd.patch * [ee185a2] d/icedove.install: mozilla-xremote-client was removed * [64adc44] debian/source.filter: modifying file list to ignore * [dbdd152] debian/control: increase package versions * [fb3307c] lintian: adding one more source override * [2a07495] lintian: adding new override for the icedove package * [38c21ad] debian/README.Debian: adding note around HTTPS Everythere (Closes: #774790) . [ Christoph Goehre ] * [3dce89c] debian/icedove.desktop: correct StartupWMClass to 'Icedove' (Closes: #773876) * [deb3f58] debian/icedove.desktop: add MimeType text/calendar (Closes: #762190) * [4dd96fe] rebuild patch queue from patch-queue branch added patches: - p-kfree-hurd/FTBFS-hurd-adding-the-HURD-platform-to-the-configure.patch - p-powerpcspe/FTBFS-powerpcspe-disable-AltiVec-instructions.patch (Closes: #772933) modified patches: - p-kfree-hurd/FTBFS-hurd-adding-GNU-Hurd-to-the-list-of-OS-systems.patch - p-kfree-hurd/FTBFS-hurd-fixing-unsupported-platform-Hurd.patch - p-kfree-hurd/LDAP-support-building-on-GNU-kFreeBSD-and-GNU-Hurd.patch - p-kfree-hurd/ipc-chromium-fix-if-define-for-kFreeBSD-and-Hurd.patch * [373ed05] add missing epoch in libnss3-dev build depends . icedove (34.0~b1-2) experimental; urgency=low . [ Carsten Schoenert ] * [7a4edc4] rebuild patch queue from patch-queue branch added patches: - debian-hacks/fixing-various-FTBFS-due-different-datatype-char-beh.patch - porting-arm/FTBFS-armhf-fixing-ARM-CPU-detection.patch . icedove (34.0~b1-1) experimental; urgency=low . [ Carsten Schoenert ] * [1be8ab1] debian/source.filter: more files to ignore * [66e6488] debian/README.source: adjust description for beta versions * [e63d375] Imported Upstream version 34.0~b1 (Closes: #770180) * [1cb54d2] rebuild patch queue from patch-queue branch obsolete patches (fixed upstream): - porting-armel/disable-some-libopus-feature-for-ARCH-ARMv6.patch * [ad29bb1] debian/rules: be more flexible on *.xpi files * [b055e78] debian/NEWS: fixing default SSL/TLS behavior description * [d64a847] debian/NEWS: adding notes around new security changes . icedove (33.0~b1-1) experimental; urgency=low . [ Carsten Schoenert ] * [5029c8b] debian/source.filter: more files to ignore * [d4b03d9] README.source: let's use xz while creating the orig.tar.xz * [ebd442f] debian/gbp.conf: some instructions for git-dch * [cc594ea] Imported Upstream version 33.0~b1 * [23b57cf] rebuild patch queue from patch-queue branch added patches: - debian-hacks/fix-identification-of-ObjdirMismatchException.patch - debian-hacks/pass-OS_LDFLAGS-to-all-ldap-libraries.patch modified patches: - debian-hacks/Strip-version-number.patch - icedove/fix-branding-in-migration-wizard-and-the-addon-manag.patch - porting-kfreebsd-hurd/FTBFS-hurd-fixing-unsupported-platform-Hurd.patch - obsolete patches (fixed upstream): - fixes/Include-cstdlib-in-gfx-angle-src-compiler-Types.h-fo.patch - porting-alpha/fix-FTBFS-on-alpha.patch * [a5a2a1b] adding additional config options for hppa and ppc64 Both platforms failing on running xpcshell. . [ Christoph Goehre ] * [5a0ba43] linitan: bump up standards version to 3.9.6 * [aaca6a7] debian/NEWS: adding note around increased default TLS version 1.2 (Closes: #761245) . icedove (32.0~b1-1) experimental; urgency=low . [ Christoph Goehre ] * [65ad797] icedove.postinst: remove obsolete symlink handling . [ Carsten Schoenert ] * [baef95a] debian/gbp.conf: adopting experimental branch * [8384eee] Imported Upstream version 32.0~b1 * [75145f3] rebuild patch queue from patch-queue branch modified patches: - icedove/fix-branding-in-migration-wizard-and-the-addon-manag.patch - debian-hacks/remove-non-free-W3C-icon-valid.png.patch obsolete patches (fixed upstream): - porting-armel/fix-skia-for-ARMv4.patch . [ Christoph Goehre ] * [51c3cee] cleanup branding patch icedove (38.0~b5-1) experimental; urgency=medium . [ Carsten Schoenert ] * [7e3cab4] Imported Upstream version 38.0~b5 * [3edbafc] Revert "debian/control: remove build-dep on libnotify-dev" * [5e69bab] debian/control: increase b-d versions * [6e6ae36] rebuild patch queue from patch-queue branch added patches: - debian-hacks/remove-timestamps-from-c_cpp-macros-for-reproducibil.patch obsolete patches (fixed in Debian): - adopting-SQLITE3-version.patch * [ac7b760] mozconfig.default: adding some explicit configure options * [81fd6e6] complete rewrite of copyright information * [327dd45] switching to libgstreamer1.0* . [ Christoph Goehre ] * [9877ea3] lintian: add override for libpng icedove (38.0~b2-1) experimental; urgency=medium . [ Carsten Schoenert ] * [b08d966] debian/source.filter: modifying file list to ignore * [88fd018] Imported Upstream version 38.0~b2 * [e9da8f8] icedove branding: adopt upstream changes * [3610daa] debian/control: increase b-d versions * [950fae7] rebuild patch queue from patch-queue branch modified patches: - system-libs/Allow-to-build-against-system-libffi.patch - porting-kfreebsd-hurd/FTBFS-hurd-fixing-unsupported-platform-Hurd.patch obsolete patches (fixed upstream): - porting/Reintroduce-pixman-code-path-removed-in-bug-1097776-.patch * [1820d7c] debian/control: adding xul-ext-compactheader to Breaks field . [ Dominik George ] * [4181126] debian/control: Upgrade Breaks relation to enigmail (Closes: #782686) icedove (36.0~b1-2) experimental; urgency=medium . * [26c0027] rebuild patch queue from patch-queue branch added patches: - porting/Reintroduce-pixman-code-path-removed-in-bug-1097776-.patch - porting/Remove-duplicate-SkDiscardableMemory_none.cpp-from-g.patch - porting/ppc-fix-divide-page-size-in-jemalloc.patch (Closes: #780404) icedove (36.0~b1-1) experimental; urgency=medium . [ Carsten Schoenert ] * [68112a3] Imported Upstream version 36.0~b1 * [3120361] rebuild patch queue from patch-queue branch obsolete patches (fixed upstream): - debian-hacks/fixing-various-FTBFS-due-different-datatype-char-beh.patch - porting-arm/FTBFS-armhf-fixing-ARM-CPU-detection.patch modified patches: - debian-hacks/Strip-version-number.patch - p-kfree-hurd/FTBFS-hurd-fixing-unsupported-platform-Hurd.patch - p-kfree-hurd/correcting-file-inclusion-for-kfreebsd.patch - p-kfree-hurd/ipc-chromium-fix-if-define-for-kFreeBSD-and-Hurd.patch * [ee185a2] d/icedove.install: mozilla-xremote-client was removed * [64adc44] debian/source.filter: modifying file list to ignore * [dbdd152] debian/control: increase package versions * [fb3307c] lintian: adding one more source override * [2a07495] lintian: adding new override for the icedove package * [38c21ad] debian/README.Debian: adding note around HTTPS Everythere (Closes: #774790) . [ Christoph Goehre ] * [3dce89c] debian/icedove.desktop: correct StartupWMClass to 'Icedove' (Closes: #773876) * [deb3f58] debian/icedove.desktop: add MimeType text/calendar (Closes: #762190) * [4dd96fe] rebuild patch queue from patch-queue branch added patches: - p-kfree-hurd/FTBFS-hurd-adding-the-HURD-platform-to-the-configure.patch - p-powerpcspe/FTBFS-powerpcspe-disable-AltiVec-instructions.patch (Closes: #772933) modified patches: - p-kfree-hurd/FTBFS-hurd-adding-GNU-Hurd-to-the-list-of-OS-systems.patch - p-kfree-hurd/FTBFS-hurd-fixing-unsupported-platform-Hurd.patch - p-kfree-hurd/LDAP-support-building-on-GNU-kFreeBSD-and-GNU-Hurd.patch - p-kfree-hurd/ipc-chromium-fix-if-define-for-kFreeBSD-and-Hurd.patch * [373ed05] add missing epoch in libnss3-dev build depends icedove (34.0~b1-2) experimental; urgency=low . [ Carsten Schoenert ] * [7a4edc4] rebuild patch queue from patch-queue branch added patches: - debian-hacks/fixing-various-FTBFS-due-different-datatype-char-beh.patch - porting-arm/FTBFS-armhf-fixing-ARM-CPU-detection.patch icedove (34.0~b1-1) experimental; urgency=low . [ Carsten Schoenert ] * [1be8ab1] debian/source.filter: more files to ignore * [66e6488] debian/README.source: adjust description for beta versions * [e63d375] Imported Upstream version 34.0~b1 (Closes: #770180) * [1cb54d2] rebuild patch queue from patch-queue branch obsolete patches (fixed upstream): - porting-armel/disable-some-libopus-feature-for-ARCH-ARMv6.patch * [ad29bb1] debian/rules: be more flexible on *.xpi files * [b055e78] debian/NEWS: fixing default SSL/TLS behavior description * [d64a847] debian/NEWS: adding notes around new security changes icedove (33.0~b1-1) experimental; urgency=low . [ Carsten Schoenert ] * [5029c8b] debian/source.filter: more files to ignore * [d4b03d9] README.source: let's use xz while creating the orig.tar.xz * [ebd442f] debian/gbp.conf: some instructions for git-dch * [cc594ea] Imported Upstream version 33.0~b1 * [23b57cf] rebuild patch queue from patch-queue branch added patches: - debian-hacks/fix-identification-of-ObjdirMismatchException.patch - debian-hacks/pass-OS_LDFLAGS-to-all-ldap-libraries.patch modified patches: - debian-hacks/Strip-version-number.patch - icedove/fix-branding-in-migration-wizard-and-the-addon-manag.patch - porting-kfreebsd-hurd/FTBFS-hurd-fixing-unsupported-platform-Hurd.patch - obsolete patches (fixed upstream): - fixes/Include-cstdlib-in-gfx-angle-src-compiler-Types.h-fo.patch - porting-alpha/fix-FTBFS-on-alpha.patch * [a5a2a1b] adding additional config options for hppa and ppc64 Both platforms failing on running xpcshell. . [ Christoph Goehre ] * [5a0ba43] linitan: bump up standards version to 3.9.6 * [aaca6a7] debian/NEWS: adding note around increased default TLS version 1.2 (Closes: #761245) icedove (32.0~b1-1) experimental; urgency=low . [ Christoph Goehre ] * [65ad797] icedove.postinst: remove obsolete symlink handling . [ Carsten Schoenert ] * [baef95a] debian/gbp.conf: adopting experimental branch * [8384eee] Imported Upstream version 32.0~b1 * [75145f3] rebuild patch queue from patch-queue branch modified patches: - icedove/fix-branding-in-migration-wizard-and-the-addon-manag.patch - debian-hacks/remove-non-free-W3C-icon-valid.png.patch obsolete patches (fixed upstream): - porting-armel/fix-skia-for-ARMv4.patch . [ Christoph Goehre ] * [51c3cee] cleanup branding patch icedove (31.8.0-1~deb8u1+kbsd11) jessie-kfreebsd; urgency=medium . * Import nss/kbsd patch from nss package icedove-l10n (1:38.0.1-1~deb8u1) stable-security; urgency=medium . [ Carsten Schoenert ] * [fef2b1f] Imported Upstream version 38.0.1 * [3f34092] icedove-l10n-fi: replace myspell-fi with xul-ext-mozvoikko (Closes: #792367) . [ Christoph Goehre ] * [384dc4f] adjust icedove depends >= 38.0~ and icedove << 39 icedove-l10n (1:38.0.1-1~deb7u1) oldstable-security; urgency=medium . [ Carsten Schoenert ] * [fef2b1f] Imported Upstream version 38.0.1 * [c3d1a0b] icedove-l10n-fi: replace myspell-fi with xul-ext-mozvoikko (Closes: #792367) . [ Christoph Goehre ] * [31a9a5b] adjust icedove depends >= 38.0~ and icedove << 39 icedove-l10n (1:38.0~b2-1) experimental; urgency=medium . * [3978e11] debian/gbp.conf: correct upstream-branch assignment * [3f3a36e] Imported Upstream version 38.0~b2 * [c06cb1f] rebuild patch queue from patch-queue branch * [4693943] adjust icedove depends >= 38.0~ and icedove << 39 icedove-l10n (1:36.0~b1-1) experimental; urgency=low . [ Carsten Schoenert ] * [ae1ec3e] debian/c-u-t: adding new helper script (cherry-picked from master) * [97c472d] Imported Upstream version 36.0~b1 * [c5d70b5] rebuild patch queue from patch-queue branch * [fd71069] adjust icedove depends >= 36.0~ and icedove << 37 icedove-l10n (1:34.0~b1-1) experimental; urgency=low . [ Carsten Schoenert ] * [dba229d] Imported Upstream version 34.0~b1 * [17f58e7] rebuild patch queue from patch-queue branch * [b66c03a] adjust icedove depends >= 34.0~ and icedove << 35 * [312f280] debian/control: fix recommends for icedove-l10n-sr (Closes: #767635) icedove-l10n (1:33.0~b1-1) experimental; urgency=low . * [90dac17] Imported Upstream version 33.0~b1 * [4aa4a4c] rebuild patch queue from patch-queue branch * [3cdac77] adjust icedove depends >= 33.0~ and icedove << 34 * [313729d] linitan: bump up standards version to 3.9.6 icedove-l10n (1:32.0~b1-1) experimental; urgency=low . [ Carsten Schoenert ] * [32b4f8e] Imported Upstream version 32.0~b1 * [8bc4841] rebuild patch queue from patch-queue branch * [920724e] adjust icedove depends >= 32.0~ and icedove << 33 icedtea-web (1.5.3-1) jessie; urgency=medium . * New upstream release, fixes CVE-2015-5235 and CVE-2015-5234 icedtea-web (1.5.2-1.1) unstable; urgency=medium . * Non-maintainer upload. * Fix alternatives handling in icedtea-netx.postinst.in (closes: #778631). icedtea-web (1.5.2-1) unstable; urgency=medium . * IcedTea-Web 1.5.2 release. icedtea-web (1.5.2~rc1-1) unstable; urgency=medium . * IcedTea-Web 1.5.2 release candidate 1. - RH1095311, PR574 - Build fix for JDK9 (references class sun.misc.Ref removed in OpenJDK 9). - RH1154177 - decoded file needed from cache. - fixed NPE in https dialog. - empty codebase behaves as ".". * Remove the support for OpenJDK 8, breaks for OpenJDK 7, when 8 is not installed. Closes: #759226. LP: #1363785. icedtea-web (1.5.1-1) unstable; urgency=medium . * IcedTea-Web 1.5.1 release. * Build for ppc64 and ppc64el. * Add build support for OpenJDK 8 (Emmanuel Bourg). Closes: #751173. iceowl-l10n (4.0.0.1-1~deb8u1) stable-security; urgency=medium . [ Carsten Schoenert ] * [7e5fbca] Imported Upstream version 4.0.0.1 . [ Christoph Goehre ] * [9aae603] rebuild patch queue from patch-queue branch * [1ea3c92] debian/rules: disable language check for stable security * [a0dc6a8] adjusting iceowl-extension deps iceowl-l10n (3.8~b1-1) experimental; urgency=medium . [ Carsten Schoenert ] * [04148a7] Imported Upstream version 3.8~b1 * [f37ada5] rebuild patch queue from patch-queue branch * [4517e52] adjusting iceowl-extension deps iceowl-l10n (3.6~b1-1) experimental; urgency=low . [ Carsten Schoenert ] * [fdb2f58] Imported Upstream version 3.6~b1 * [b34a916] adjusting iceowl-extension deps iceowl-l10n (3.5~b1-1) experimental; urgency=low . [ Carsten Schoenert ] * [7de1625] Imported Upstream version 3.5~b1 * [ad9c17b] debian/c-u-t: remove once more bashism * [5bbf3f7] adjusting iceowl-extension deps * [52e0970] linitan: bump up standards version to 3.9.6 iceowl-l10n (3.4~b1-1) experimental; urgency=low . [ Carsten Schoenert ] * [911db09] Imported Upstream version 3.4~b1 - added new languages: Finnish, Scottisch Galic, Indonesian, Lithuanian, Bokmaal (Norway), Punjabi (India), Portuguese, Albanian, Turkish, Ukrainian - removed languages: Bulgarian, Korean, Croatian * [7956683] debian/control*: removing various iceowl-l10n-* * [068e2d7] debian/control*: adding iceowl-l10n-fi * [ced4b41] debian/control*: adding iceowl-l10n-gd * [3071f62] debian/control*: adding iceowl-l10n-id * [7c566da] debian/control*: adding iceowl-l10n-lt * [7a13341] debian/control*: adding iceowl-l10n-sq * [40efed1] debian/control*: adding iceowl-l10n-tr * [b311af1] debian/control*: adding iceowl-l10n-uk * [1f4ba33] debian/control*: adding iceowl-l10n-nb-no * [0d29b2d] debian/control*: adding iceowl-l10n-pa-in * [5bf4729] debian/control*: adding iceowl-l10n-pt-pt * [d04527c] adjusting iceowl-extension deps iceweasel (38.8.0esr-1~deb8u1) stable-security; urgency=medium . * New upstream release. * Fixes for mfsa2016-{39,44,47}, also known as: CVE-2016-2807, CVE-2016-2805, CVE-2016-2814, CVE-2016-2808. iceweasel (38.8.0esr-1~deb7u1) oldstable-security; urgency=medium . * New upstream release. * Fixes for mfsa2016-{39,44,47}, also known as: CVE-2016-2807, CVE-2016-2805, CVE-2016-2814, CVE-2016-2808. ikiwiki (3.20141016.3) jessie-security; urgency=high . [ Simon McVittie ] * img: stop ImageMagick trying to be clever if filenames contain a colon, avoiding mis-processing * HTML-escape error messages, in one case avoiding potential cross-site scripting (OVE-20160505-0012) * Mitigate ImageMagick vulnerabilities such as CVE-2016-3714: - img: force common Web formats to be interpreted according to extension, so that "allowed_attachments: '*.jpg'" does what one might expect - img: restrict to JPEG, PNG and GIF images by default, again mitigating CVE-2016-3714 and similar vulnerabilities - img: check that the magic number matches what we would expect from the extension before giving common formats to ImageMagick . [ Joey Hess ] * img: Add back support for SVG images, bypassing ImageMagick and simply passing the SVG through to the browser, which is supported by all commonly used browsers these days. SVG scaling by img directives has subtly changed; where before size=wxh would preserve aspect ratio, this cannot be done when passing them through and so specifying both a width and height can change the SVG's aspect ratio. imagemagick (8:6.8.9.9-5+deb8u2) jessie-security; urgency=high . * ImageTragick: The coders EPHEMERAL, URL, HTTPS, MVG, MSL, TEXT, SHOW, WIN, and PLT are disabled via policy.xml file, since they are vulnerable to code injection. This mitigates CVE-2016-3714, CVE-2016-3715, CVE-2016-3716, CVE-2016-3717, and CVE-2016-3718. Since ImageMagick reverts to its internal SVG renderer (which uses MVG coder) if Inkscape or RSVG is not used, the option --with-rsvg is included. Closes: 823542. In addition, some other actions were taken with respect to these vulnerabilities: - Drop the PLT/Gnuplot decoder, which was vulnerable to command injection. - Some sanitization for input filenames in http/https delegates is added. - Indirect filename are now authorized by policy. - Indirect reads with label:@ are prevented. - Less secure coders (such as MVG, TEXT, and MSL) require explicit reference in the filename (e.g. mvg:my-graph.mvg). imlib2 (1.4.6-2+deb8u2) jessie-security; urgency=high . * Fix divide-by-zero on 2x1 ellipse as per CVE-2011-5326 (Closes: #639414) * Fix integer overflow as per CVE-2014-9771 (Closes: #820206) * Fix off-by-one OOB read as per CVE-2016-3993 (Closes: #819818) * Fix out-of-bounds read in the GIF loader as per CVE-2016-3994 (Closes: #785369) * Fix integer overflow as per CVE-2016-4024 (Closes: #821732) imlib2 (1.4.6-2+deb8u1) jessie-security; urgency=high . * Non-maintainer upload. * CVE-2014-9762: Fix segmentation fault on images without colormap. * CVE-2014-9763: Prevent division-by-zero crashes. * CVE-2014-9764: Fix segfault when opening specially crafted input with feh. initramfs-tools (0.120+deb8u2) jessie; urgency=medium . * [7863219] hook-functions: Include drivers/nvme in block driver modules (Closes: #807000) * [fcef753] hook-functions: Create ORDER files even if there are no valid scripts (Closes: #814965) jansson (2.7-1+deb8u1) jessie-security; urgency=high . * Fix stack exhaustion when parsing JSON as per CVE-2016-4425 (Closes: #823238) kamailio (4.2.0-2+deb8u1) jessie-security; urgency=medium . * CVE-2016-2385 lhasa (0.2.0+git3fe46-1+deb8u1) jessie-security; urgency=high . * Security update. Includes a fix for TALOS-CAN-0095: an integer underflow vulnerability in the code for doing LZH level 3 header decodes. Thanks go to Marcin Noga and Regina Wilson of Cisco TALOS for reporting this vulnerability. libarchive (3.1.2-11+deb8u1) jessie-security; urgency=high . * Non-maintainer upload by the Security Team. * CVE-2016-1541: heap-based buffer overflow due to improper input validation (Closes: #823893) libcrypto++ (5.6.1-6+deb8u2) jessie; urgency=medium . * Fix CVE-2016-3995, Rijndael timing attack counter measure. libdatetime-timezone-perl (1:1.75-2+2016d) jessie; urgency=medium . * Update to Olson database version 2016d. Add patch debian/patches/olson-2016d, which updates the timezone *.pm files, using upstream's tools/parse_olson script. This update contains contemporary changes for Russia and Venezuela. libebml (1.3.0-2+deb8u1) jessie-security; urgency=medium . * Non-maintainer upload. * Add CVE-2015-8789.patch. Fix use-after-free vulnerability in the EbmlMaster::Read function. * Add CVE-2015-8790.patch. Fix EbmlUnicodeString::UpdateFromUTF8 function that allowed context-dependent attackers to obtain sensitive information from process heap memory via a crafted UTF-8 string. * Add CVE-2015-8791.patch. Fix EbmlElement::ReadCodedSizeValue function that allowed context-dependent attackers to obtain sensitive information from process heap memory via a crafted length value in an EBML id. libgd2 (2.1.0-5+deb8u3) jessie-security; urgency=high . * [CVE-2015-8877]: Fix gdImageScaleTwoPass memory leak * Upstream patches: + Fixed memory overrun bug in gdImageScaleTwoPass + Fix for segfaults on gdImageScale with most interpolation modes libgd2 (2.1.0-5+deb8u2) jessie-security; urgency=high . * [CVE-2015-8874]: Stack consumption vulnerability in GD allows remote attackers to cause a denial of service via a crafted imagefilltoborder call (Closes: #824627) libgd2 (2.1.0-5+deb8u1) jessie-security; urgency=high . * Non-maintainer upload by the Security Team. * CVE-2016-3074: Signedness vulnerability causing heap overflow (Closes: #822242) libidn (1.29-1+deb8u1) jessie-security; urgency=high . [ Alessandro Ghedini ] * Fix out-of-bounds read on invalid UTF-8 input as per CVE-2015-2059 . [ Brian May ] * Skip info generation libksba (1.3.2-1+deb8u1) jessie; urgency=medium . * Non-maintainer upload. * Do not abort on decoder stack overflow (CVE-2016-4353) * Fix integer overflow in the BER decoder (CVE-2016-4354 CVE-2016-4355) * Fix encoding of invalid utf-8 strings in dn.c (CVE-2016-4356) * Fix an OOB read access in _ksba_dn_to_str * Fix possible read access beyond the buffer (CVE-2016-4579) libndp (1.4-2+deb8u1) jessie-security; urgency=high . * Non-maintainer upload by the Security Team. * CVE-2016-3698: Improper input validation and origin check during reception of NDP messages libpam-sshauth (0.3.1-1+deb8u1) jessie-security; urgency=high . * Non-maintainer upload by the Security Team. * CVE-2016-4422: local root privilege escalation. Return PAM_AUTH_ERR when a system user. This prevents the pam module from returning success without asking for authentication credentials. Thanks to Vagrant Cascadian libreoffice (1:4.3.3-2+deb8u4) jessie; urgency=medium . * debian/patches/ppc64el-jdk-paths.diff: fix ppc64el FTBFS due to changed OpenJDK paths, thanks Slavek Banko (closes: #819375) . * debian/rules: - fix logic to not install sound files (closes: #780497) libreoffice (1:4.3.3-2+deb8u3) jessie-security; urgency=high . * debian/patches/V-1lp8t84lh4.diff: fix "LibreOffice Writer Lotus Word Pro TabRack Buffer Overflow Vulnerability" * debian/patches/V-pxk0pgyk9d.diff: fix "LibreOffice Writer Lotus Word Pro 'ReadRootData' Buffer Overflow Vulnerability" * debian/patches/V-mgylorku1q.diff: fix "LibreOffice Writer Lotus Word Pro Bullet Buffer Overflow Vulnerability" (CVE-2016-0794) * debian/patches/V-a7vjdei7l7.diff: fix "LibreOffice Writer Lotus Word Pro 'TocSuperLayout' Buffer Overflow Vulnerability" (CVE-2016-0795) libreoffice (1:4.3.3-2+deb8u3~bpo70+1) wheezy-backports; urgency=high . * Rebuild for wheezy-backports. . * debian/rules: - comment out some conditionals and they don't exactly do what we want on wheezy-backports and use hardcoded values - fix coinmp conditional, use internal one on wheezy... - use internal icu - see https://bugs.freedesktop.org/show_bug.cgi?id=82229#c38 * debian/rules, debian/shlibs.local.coin: add shlibs.local.coin to override all the internal coin dynamic libraries.... * debian/shlibs.override.icu: update to actual current SOVERSION * debian/rules, debian/shlibs.override.libc: revert libc hack again * debian/patches/icu-icudata-link-fix-armhf.diff: fix internal icu build on armhf ("stolen" from icu package) librsvg (2.40.5-1+deb8u2) jessie-security; urgency=high . * Non-maintainer upload by the Security Team. Thanks to Brian May for the preliminary work. * state: Store mask as reference (CVE-2016-4348) * state: Look up clip path lazily * rsvg: Add rsvg_acquire_node() (CVE-2015-7558 CVE-2016-4347) libtasn1-6 (4.2-3+deb8u2) jessie-security; urgency=high . * Non-maintainer upload by the Security Team. * CVE-2016-4008: infinite loop while parsing DER certificates libxstream-java (1.4.7-2+deb8u1) jessie-security; urgency=high . * Security update: - CVE-2016-3674: XML external entity injection vulnerability (Closes: #819455) linux (3.16.7-ckt25-2) jessie; urgency=medium . * Revert "drm/radeon: hold reference to fences in radeon_sa_bo_new" (Closes: #819881) * Revert "drm/radeon: call hpd_irq_event on resume", reported to cause regressions (crash/hang) on some systems * Revert "usb: hub: do not clear BOS field during reset device" (Closes: #820176) linux (3.16.7-ckt25-2~bpo70+1) wheezy-backports; urgency=medium . * Rebuild for wheezy: - Disable architectures that weren't part of wheezy - Use gcc-4.6 for all architectures - Change ABI number to 0.bpo.4 - [arm] btrfs: Work around bug in gcc-4.6 (fixes FTBFS) - linux-image: Depend on initramfs-tools without any alternatives, so that neither apt nor aptitude will automatically switch to dracut . linux (3.16.7-ckt25-2) jessie; urgency=medium . * Revert "drm/radeon: hold reference to fences in radeon_sa_bo_new" (Closes: #819881) * Revert "drm/radeon: call hpd_irq_event on resume", reported to cause regressions (crash/hang) on some systems * Revert "usb: hub: do not clear BOS field during reset device" (Closes: #820176) lvm2 (2.02.111-2.2+deb8u1) jessie; urgency=medium . * Set default pid directory to /run. (closes: #783120) mathematica-fonts (17+deb8u1) jessie; urgency=medium . * Adopt the package. * New upstream release (10). + Version 7 is no longer downloadable (closes: #789211) + Server-side fonts are no longer included (closes: #573479) + Neither is a copy of Bitstream Vera (closes: #670216) * Drop README.Debian, it talked about type1 X integration. * Add missing Depends: wget (closes: #817820). mercurial (3.1.2-2+deb8u3) jessie-security; urgency=high . * CVE-2016-3105: + convert: pass absolute paths to git mercurial (3.1.2-2+deb8u2) jessie-security; urgency=high . * CVE-2016-3630: + parsers: fix list sizing rounding error + parsers: detect short records * CVE-2016-3068: + subrepo: set GIT_ALLOW_PROTOCOL to limit git clone protocols * CVE-2016-3069: + convert: add new, non-clowny interface for shelling out to git + convert: rewrite calls to Git to use the new shelling mechanism + convert: dead code removal - old git calling functions + convert: rewrite gitpipe to use common.commandline + convert: test for shell injection in git calls Closes: #819504 mysql-5.5 (5.5.49-0+deb8u1) jessie-security; urgency=high . * Imported Upstream version 5.5.49 to fix security issues: - http://www.oracle.com/technetwork/topics/security/cpuapr2016-2881694.html - CVE-2016-0640 CVE-2016-0641 CVE-2016-0642 CVE-2016-0643 CVE-2016-0644 CVE-2016-0646 CVE-2016-0647 CVE-2016-0648 CVE-2016-0649 CVE-2016-0650 CVE-2016-0666 CVE-2016-2047 (Closes: #821100) nam (1.15-3.1~deb8u1) stable; urgency=medium . * Non-maintainer upload. (Closes: #784433) * debian/control: - set tcl-dev and tk-dev to '>=8.6'. * debian/patches: - init_tcltk_with_stub.diff unused. Commented (#) in series file. nginx (1.6.2-5+deb8u1) jessie-security; urgency=high . [ Christos Trochalakis ] * Fixes multiple resolver CVEs, CVE-2016-0742, CVE-2016-0746, CVE-2016-0747 Closes: #812806 nginx (1.6.2-5+deb8u1~bpo70+1) wheezy-backports; urgency=medium . * Rebuild for jessie-backports. . nginx (1.6.2-5+deb8u1) jessie-security; urgency=high . [ Christos Trochalakis ] * Fixes multiple resolver CVEs, CVE-2016-0742, CVE-2016-0746, CVE-2016-0747 Closes: #812806 nginx (1.6.2-5+a.exp1) experimental; urgency=medium . [ Christos Trochakis ] * debian/patches/ + Backport upstream patch from 1.7.8 fixing spdy delays. ngspice (26-1.1~deb8u1) jessie; urgency=medium . * Non-maintainer upload. * Rebuild for jessie. . ngspice (26-1.1) unstable; urgency=medium . * Non-maintainer upload. * Run lyx with a temporary -userdir to not rely on $HOME, thanks to Johann Klammer. (Closes: #813119) nlpsolver (0.9~beta1-10+deb8u1) jessie; urgency=medium . * add missing Depends: on libreoffice-java-common (closes: #728792) nmap (6.47-3+deb8u2) jessie; urgency=medium . * Fix versioned Breaks/Depends for ndiff (Closes: #825528) nmap (6.47-3+deb8u1) jessie; urgency=medium . * Added upstream patch to deal with unuseable socks proxy (Closes: #773817) * Apply patch by Jan Nordholz to ignore unenumerable interfaces (Closes: #821913) * Moved ndiff.py from zenmap to ndiff, added versioned Breaks/Replaces (Closes: #789776, #789897) oar (2.5.4-2+deb8u1) jessie-security; urgency=high . [ Pierre Neyron ] * Add patch: fix a vulnerability in the oarsh command (CVE-2016-1235; Closes: #819952) opam (1.2.0-1+deb8u1) jessie; urgency=medium . * Stop using insecure and no-check-certificate flags when fetching files using wget and curl (Closes: #818081). openafs (1.6.9-2+deb8u5) jessie-security; urgency=high . * Non-maintainer upload by the Security Team. * CVE-2015-8312: afs: pioctl kernel memory overrun * CVE-2016-2860: group creation by foreign users openjdk-7 (7u101-2.6.6-2~deb8u1) jessie; urgency=medium . * Non-maintainer upload. * Rebuild for jessie. openjdk-7 (7u101-2.6.6-1) experimental; urgency=medium . [ Tiago Stürmer Daitx ] * IcedTea release 2.6.6 (based on 7u101): * Security fixes - S8129952, CVE-2016-0686: Ensure thread consistency - S8132051, CVE-2016-0687: Better byte behavior - S8138593, CVE-2016-0695: Make DSA more fair - S8139008: Better state table management - S8143167, CVE-2016-3425: Better buffering of XML strings - S8144430, CVE-2016-3427: Improve JMX connections - S8146494: Better ligature substitution - S8146498: Better device table adjustments * debian/patches/jdk-8152335-improve-methodhandle-consistency.patch: removed, fix is upstream since 2.6.5 . [ Matthias Klose ] * Fix handling of /usr/lib/jvm/*/jre/lib/zi if internal tzdata is used (Andreas Beckmann). Closes: #821858. openjdk-7 (7u101-2.6.6-1~deb8u1) jessie-security; urgency=medium . * Rebuild for jessie-security openjdk-7 (7u95-2.6.4-3) experimental; urgency=medium . [ Tiago Stürmer Daitx ] * SECURITY UPDATE: Applies to client deployment of Java only. This vulnerability can be exploited only through sandboxed Java Web Start applications and sandboxed Java applets. - d/p/jdk-8152335-improve-methodhandle-consistency.patch: S8152335, CVE-2016-0636: Improve MethodHandle consistency . [ Matthias Klose ] * Use internal tzdata for builds in stretch, unstable, experimental. Closes: #818308. openjdk-7 (7u95-2.6.4-2) experimental; urgency=medium . * Upload to experimental. openjdk-7 (7u95-2.6.4-1) unstable; urgency=high . [ Tiago Stürmer Daitx ] * IcedTea release 2.6.4 (based on 7u95): * Security fixes - S8059054, CVE-2016-0402: Better URL processing - S8130710, CVE-2016-0448: Better attributes processing - S8132210: Reinforce JMX collector internals - S8132988: Better printing dialogues - S8133962, CVE-2016-0466: More general limits - S8137060: JMX memory management improvements - S8139012: Better font substitutions - S8139017, CVE-2016-0483: More stable image decoding - S8140543, CVE-2016-0494: Arrange font actions - S8143185: Cleanup for handling proxies - S8143941, CVE-2015-8126, CVE-2015-8472: Update splashscreen displays - S8144773, CVE-2015-7575: Further reduce use of MD5 (SLOTH) * debian/patches/it-debian-build-flags.diff: refreshed * debian/patches/it-set-compiler.diff: refreshed * debian/patches/it-use-quilt.diff: refreshed * debian/patches/it-jamvm-2.0.diff: refreshed * debian/patches/icedtea-pretend-memory.diff: refreshed * debian/patches/fix_extra_flags-default.diff: refreshed * debian/patches/zero-sparc.diff: refreshed . [ Matthias Klose ] * Remove obsolete IcedTea configure options. * Fix build failure on squeeze (Thorsten Glaser). Closes: #809205. * Don't run the test on mips, still having stone age buildd hardware and empty promises to fix these issues since 2010. openjdk-7 (7u95-2.6.4-1~deb7u1) wheezy-security; urgency=low . * Rebuild for wheezy-security openjdk-7 (7u91-2.6.3-3) unstable; urgency=medium . * Fix stripping packages (use bash instead of expr substring). * openjdk-jre-headless: Add dependency on the package containing the mountpoint binary. Closes: #803717. * openjdk-7-jdk: Fix typo in sdk provides. Closes: #803150. * Build using giflib 5. openjdk-7 (7u91-2.6.3-2) unstable; urgency=medium . * Enable sparc64 for hotspot (John Paul Adrian Glaubitz). * Add debian/patches/sparc-libproc-fix.diff to include missing headers on sparc64 (David Matthew Mattli). Closes: #805846. openjdk-7 (7u91-2.6.3-1) unstable; urgency=medium . [ Tiago Stürmer Daitx ] * Icedtea release 2.6.3 (based on 7u91): * Security fixes - S8142882, CVE-2015-4871: rebinding of the receiver of a DirectMethodHandle may allow a protected method to be accessed openssh (1:6.7p1-5+deb8u2) jessie-security; urgency=high . * Non-maintainer upload by the Security Team. * CVE-2015-8325: Ignore PAM environment vars when UseLogin=yes openssl (1.0.1t-1+deb8u2) jessie; urgency=medium . * add Update-S-MIME-certificates.patch to update expired certificates to pass the test suite openssl (1.0.1t-1+deb8u1) jessie; urgency=medium . [ Sebastian Andrzej Siewior ] * Update to 1.0.1t stable release (drop applied patches and refresh existing ones). - Use alternate trust chains part of 1.0.1n (Closes: #774882). - Use correct digest when exporting keying material (Closes: #807057) - Fix CVE-2015-3197 (not affected, SSLv2 disabled) - Fix CVE-2015-1793 (1.0.1n+ is affected and last upload was k) openssl (1.0.1k-3+deb8u5) jessie-security; urgency=medium . * Fix CVE-2016-2105 * Fix CVE-2016-2106 * Fix CVE-2016-2107 * Fix CVE-2016-2108 * Fix CVE-2016-2109 * Fix CVE-2016-2176 openvswitch (2.3.0+git20140819-3+deb8u1) jessie-security; urgency=high . * Non-maintainer upload by the Security Team. * CVE-2016-2074: Buffer overflow for crafted MPLS packets optipng (0.7.5-1+deb8u1) jessie-security; urgency=medium . * CVE-2016-2191 ovito (2.3.3-3+deb8u1) jessie-security; urgency=high . * Non-maintainer upload. * No-change rebuild against botan1.10. pdns (3.4.1-4+deb8u5) jessie-security; urgency=high . * Non-maintainer upload. * No-change rebuild against botan1.10. pepperflashplugin-nonfree (1.8.1+deb8u1) jessie; urgency=medium . * Non-maintainer upload. * Update Google public key. Closes: #823005. * Remove 32 bit support. Closes: #816848. perl (5.20.2-3+deb8u5) jessie; urgency=medium . * Apply patch from Niko Tyni fixing debugperl crashes with XS modules (Closes: #816280) * [SECURITY] CVE-2015-8853 fix regexp engine hang on illegal UTF8 input (Closes: #821848) * Fix UTF8-related regexp engine crash (Closes: #820328) * Apply selected bug-fix patches taken from 5.20.3 (Closes: #822336) - /usr/share/doc/perl/perldebdelta.pod describes the changes in more detail php5 (5.6.20+dfsg-0+deb8u1) jessie-security; urgency=medium . * Imported Upstream version 5.6.20+dfsg * Rebase patches on top of 5.6.20+dfsg release php5 (5.6.19+dfsg-2) unstable; urgency=medium . * Return /usr/share/php to the default include_path that got dropped when we stopped building PEAR from this source package (Closes: #817769) php5 (5.6.19+dfsg-1) unstable; urgency=medium . * Imported Upstream version 5.6.19+dfsg * Rebase patches on top of 5.6.19+dfsg release * Stop building php-pear from src:php5 sources poppler (0.26.5-2+deb8u1) jessie-security; urgency=medium . * Backport upstream commit b3425dd3261679958cd56c0f71995c15d2124433 to fix a crash on invalid files, reported also as CVE-2015-8868; patch upstream_Do-not-crash-on-invalid-files.patch. (Closes: #822578) postgresql-9.1 (9.1.22-0+deb8u1) jessie; urgency=medium . * New upstream release: No effective changes for PL/Perl, the version must just be higher than the one in wheezy. postgresql-9.1 (9.1.21-0+deb8u1) jessie; urgency=medium . * New upstream version, relevant PL/Perl change: + Correctly handle empty arrays in plperl_ref_from_pg_array. postgresql-9.1 (9.1.21-0+deb7u1) wheezy; urgency=medium . * New upstream bugfix release. postgresql-9.4 (9.4.8-0+deb8u1) jessie; urgency=medium . * New upstream bugfix release. postgresql-9.4 (9.4.7-0+deb8u1) jessie; urgency=medium . * New upstream bugfix release. * Remove obsolete .bzr-builddeb/default.conf. postgresql-9.4 (9.4.7-0+deb8u1~bpo70+2) wheezy-backports; urgency=low . * Fix alignment issue in contrib/test_decoding only visible on sparc. Thanks to Andres Freund and Tom Lane for patches. * Update branch in Vcs-Git field. postgresql-9.4 (9.4.7-0+deb8u1~bpo70+1) wheezy-backports; urgency=low . * Rebuild for wheezy-backports. . postgresql-9.4 (9.4.7-0+deb8u1) jessie; urgency=medium . * New upstream bugfix release. * Remove obsolete .bzr-builddeb/default.conf. postgresql-9.4 (9.4.6-0+deb8u1) jessie-security; urgency=medium . * New upstream version. + Fix infinite loops and buffer-overrun problems in regular expressions. Very large character ranges in bracket expressions could cause infinite loops in some cases, and memory overwrites in other cases. (CVE-2016-0773) + Fix privilege escalation issue for users of PL/Java. Certain custom configuration settings (GUCs) for PL/Java will now be modifiable only by the database superuser. (CVE-2016-0766) + Users will need to reindex any jsonb_path_ops indexes they have created, in order to fix a persistent issue with missing index entries. postgresql-9.4 (9.4.6-0+deb8u1~bpo70+1) wheezy-backports; urgency=low . * Rebuild for wheezy-backports. . postgresql-9.4 (9.4.6-0+deb8u1) jessie-security; urgency=medium . * New upstream version. + Fix infinite loops and buffer-overrun problems in regular expressions. Very large character ranges in bracket expressions could cause infinite loops in some cases, and memory overwrites in other cases. (CVE-2016-0773) + Fix privilege escalation issue for users of PL/Java. Certain custom configuration settings (GUCs) for PL/Java will now be modifiable only by the database superuser. (CVE-2016-0766) + Users will need to reindex any jsonb_path_ops indexes they have created, in order to fix a persistent issue with missing index entries. postgresql-9.4 (9.4.5-2) unstable; urgency=medium . * 64-pg_upgrade-sockdir: Fix off-by-one error in max path length. * 90-libmxl-808325: Work around regression in libxml2 2.9.3+dfsg1-1 which provides less context in error messages, breaking the xml regression tests. Analysis by Niko Tyni, thanks! (Closes: #808325) postgresql-9.4 (9.4.5-1) unstable; urgency=medium . * New upstream version. . + Guard against stack overflows in json parsing (Oskari Saarenmaa) . If an application constructs PostgreSQL json or jsonb values from arbitrary user input, the application's users can reliably crash the PostgreSQL server, causing momentary denial of service. (CVE-2015-5289) . + Fix contrib/pgcrypto to detect and report too-short crypt() salts (Josh Kupershmidt) . Certain invalid salt arguments crashed the server or disclosed a few bytes of server memory. We have not ruled out the viability of attacks that arrange for presence of confidential information in the disclosed bytes, but they seem unlikely. (CVE-2015-5288) . * debian/rules: Call dh without --parallel, it's not supported upstream. python-django (1.7.7-1+deb8u4) jessie-security; urgency=high . * Non-maintainer upload by the Security Team. * CVE-2016-2512: Prevented spoofing is_safe_url() with basic auth. Malicious redirect and possible XSS attack via user-supplied redirect URLs containing basic auth. (Closes: #816434) * is_safe_url() crashes with a byestring URL on Python 2. Fixes a regression introduced by the original fix for CVE-2016-2512. * CVE-2016-2513: Fixed user enumeration timing attack during login (Closes: #816434) * Add Build-Depends on python-mock and python3-mock qemu (1:2.1+dfsg-12+deb8u6) jessie-security; urgency=high . * Non-maintainer upload by the Security Team. * CVE-2016-3710: Banked access to VGA memory (VBE) uses inconsistent bounds checks * CVE-2016-3712: potential integer overflow or OOB read access issues qtcreator (3.2.1+dfsg-7+deb8u1) jessie-security; urgency=high . * Non-maintainer upload. * No-change rebuild against botan1.10. quota (4.01-8+deb8u1) jessie-proposed-updates; urgency=medium . * Change invocation of quota services, so systemd takes over most of the work. Only the initial check is still performed by the service file provide by quota. (Closes: #753939, #788963) redmine (3.0~20140825-8~deb8u3) jessie; urgency=medium . * gemfile-adjustments.patch: load all database drivers for all Redmine instances (Closes: #819815) softhsm (1.3.7-2+deb8u1) jessie-security; urgency=high . * Non-maintainer upload. * No-change rebuild against botan1.10. srtp (1.4.5~20130609~dfsg-1.1+deb8u1) jessie-security; urgency=high . * Non-maintainer upload. * Add CVE-2015-6360.patch. Prevent potential DoS attack due to lack of bounds checking on RTP header CSRC count and extension header length. (Closes: #807698) subversion (1.8.10-6+deb8u4) jessie-security; urgency=high . + patches/CVE-2016-2167: svnserve/sasl may authenticate users using the wrong realm + patches/CVE-2016-2168: Remotely triggerable DoS vulnerability in mod_authz_svn during COPY/MOVE authorization check swift-plugin-s3 (1.7-5+deb8u1) jessie-security; urgency=high . * CVE-2015-8466: replay attack - date/date header unvalidated (Closes: #822688) tardiff (0.1-2+deb8u2) jessie-security; urgency=high . * Non-maintainer upload by the Security Team. * Add fix for shell command injection via tar filename itself. This fix is as well part of the CVE-2015-0857 assignment but was previously missed. tardiff (0.1-2+deb8u1) jessie-security; urgency=high . * Add patch to fix miscalculated statistics. (Closes: #802098) * Add patches to fix two security issues: + CVE-2015-0857: shell command injection through file names + CVE-2015-0858: /tmp race condition in handling temporary directory Issues found and reported by Rainer Müller and Florian Weimer. Additional necessary changes: + Add new run-time dependency on libtext-diff-perl. tklib (0.6-1+deb8u1) stable; urgency=medium . * Fixed typo in Plotchart version which prevented its loading. tomcat6 (6.0.45+dfsg-1~deb8u1) jessie-security; urgency=high . * Imported Upstream version 6.0.45+dfsg. Fixes all current known security vulnerabilities in the source package. Users were not directly affected since we only build the servlet API and documentation. This update simplifies upgrades from Wheezy. tomcat6 (6.0.45+dfsg-1~deb7u1) wheezy-security; urgency=high . * Team upload. * The full list of changes between 6.0.35 (the version previously available in Wheezy) and 6.0.45 can be seen in the upstream changelog, which is available online at http://tomcat.apache.org/tomcat-6.0-doc/changelog.html * This update fixes the following security issues: - CVE-2014-0033: prevent remote attackers from conducting session fixation attacks via crafted URLs. - CVE-2014-0119: Fix not properly constraining class loader that accesses the XML parser used with an XSLT stylesheet which allowed remote attackers to read arbitrary files via crafted web applications. - CVE-2014-0099: Fix integer overflow in java/org/apache/tomcat/util/buf/Ascii.java. - CVE-2014-0096: Properly restrict XSLT stylesheets that allowed remote attackers to bypass security-manager restrictions. - CVE-2014-0075: Fix integer overflow in the parseChunkHeader function in java/org/apache/coyote/http11/filters/ChunkedInputFilter.java. - CVE-2013-4590: prevent "Tomcat internals" information leaks. - CVE-2013-4322: prevent remote attackers from doing denial of service attacks. - CVE-2013-4286: reject requests with multiple content-length headers or with a content-length header when chunked encoding is being used. - Avoid CVE-2013-1571 when generating Javadoc. * CVE-2014-0227.patch: - Add error flag to allow subsequent attempts at reading after an error to fail fast. * CVE-2014-0230: Add support for maxSwallowSize. * CVE-2014-7810: - Fix potential BeanELResolver issue when running under a security manager. Some classes may not be accessible but may have accessible interfaces. * CVE-2015-5174: Directory traversal vulnerability in RequestUtil.java. * CVE-2015-5345: The Mapper component in Apache Tomcat before 6.0.45 processes redirects before considering security constraints and Filters. * CVE-2016-0706: Apache Tomcat before 6.0.45 does not place org.apache.catalina.manager.StatusManagerServlet on the org/apache/catalina/core/RestrictedServlets.properties list which allows remote authenticated users to bypass intended SecurityManager restrictions. * CVE-2016-0714: The session-persistence implementation in Apache Tomcat before 6.0.45 mishandles session attributes, which allows remote authenticated users to bypass intended SecurityManager restrictions. * CVE-2016-0763: The setGlobalContext method in org/apache/naming/factory/ResourceLinkFactory.java in Apache Tomcat does not consider whether ResourceLinkFactory.setGlobalContext callers are authorized, which allows remote authenticated users to bypass intended SecurityManager restrictions and read or write to arbitrary application data, or cause a denial of service (application disruption), via a web application that sets a crafted global context. * CVE-2015-5351: The Manager and Host Manager applications in Apache Tomcat establish sessions and send CSRF tokens for arbitrary new requests, which allows remote attackers to bypass a CSRF protection mechanism by using a token. * Drop the following patches. Applied upstream. - 0011-CVE-2012-0022-regression-fix.patch - 0012-CVE-2012-3544.patch - 0014-CVE-2012-4534.patch - 0015-CVE-2012-4431.patch - 0016-CVE-2012-3546.patch - 0017-CVE-2013-2067.patch - cve-2012-2733.patch - cve-2012-3439.patch - CVE-2014-0227.patch - CVE-2014-0230.patch - CVE-2014-7810-1.patch - CVE-2014-7810-2.patch - 0011-Fix-for-NoSuchElementException-when-an-attribute-has.patch tomcat6 (6.0.45-1~deb6u1) squeeze-lts; urgency=high . * Non-maintainer upload by the Debian LTS team. * Backport version 6.0.45 to Squeeze-LTS. The full list of changes between 6.0.41 (the version previously available in Squeeze-LTS) and 6.0.45 can be seen in the upstream changelog, which is available online at http://tomcat.apache.org/tomcat-6.0-doc/changelog.html * This update fixes the following security vulnerabilities: - CVE-2015-5174: Directory traversal vulnerability in RequestUtil.java. - CVE-2015-5345: The Mapper component in Apache Tomcat before 6.0.45 processes redirects before considering security constraints and Filters. - CVE-2016-0706: Apache Tomcat before 6.0.45 does not place org.apache.catalina.manager.StatusManagerServlet on the org/apache/catalina/core/RestrictedServlets.properties list which allows remote authenticated users to bypass intended SecurityManager restrictions. - CVE-2016-0714: The session-persistence implementation in Apache Tomcat before 6.0.45 mishandles session attributes, which allows remote authenticated users to bypass intended SecurityManager restrictions. - CVE-2016-0763: The setGlobalContext method in org/apache/naming/factory/ResourceLinkFactory.java in Apache Tomcat does not consider whether ResourceLinkFactory.setGlobalContext callers are authorized, which allows remote authenticated users to bypass intended SecurityManager restrictions and read or write to arbitrary application data, or cause a denial of service (application disruption), via a web application that sets a crafted global context. - CVE-2015-5351: The Manager and Host Manager applications in Apache Tomcat establish sessions and send CSRF tokens for arbitrary new requests, which allows remote attackers to bypass a CSRF protection mechanism by using a token. * Drop the following patches. They were applied upstream. - 0011-Fix-for-NoSuchElementException-when-an-attribute-has.patch. - CVE-2014-0227.patch. - CVE-2014-0230.patch. - CVE-2014-7810-1.patch. - CVE-2014-7810-2.patch. tomcat6 (6.0.41-4) unstable; urgency=medium . * Removed the timstamp from the Javadoc of the Servlet API to make the build reproducible tomcat7 (7.0.56-3+deb8u2) jessie-security; urgency=high . * Team upload. * Fix CVE-2015-5174: Directory traversal vulnerability in RequestUtil.java allows remote authenticated users to bypass intended SecurityManager restrictions and list a parent directory via a /.. (slash dot dot) in a pathname used by a web application in a getResource, getResourceAsStream, or getResourcePaths call, as demonstrated by the $CATALINA_BASE/webapps directory. * Fix CVE-2015-5345: The Mapper component in Apache Tomcat processes redirects before considering security constraints and Filters, which allows remote attackers to determine the existence of a directory via a URL that lacks a trailing / (slash) character. * Fix CVE-2015-5346: Session fixation vulnerability in Apache Tomcat when different session settings are used for deployments of multiple versions of the same web application, might allow remote attackers to hijack web sessions by leveraging use of a requestedSessionSSL field for an unintended request, related to CoyoteAdapter.java and Request.java. * Fix CVE-2015-5351: The Manager and Host Manager applications in Apache Tomcat establish sessions and send CSRF tokens for arbitrary new requests, which allows remote attackers to bypass a CSRF protection mechanism by using a token. * Fix CVE-2016-0706: Apache Tomcat does not place org.apache.catalina.manager.StatusManagerServlet on the org/apache/catalina/core/RestrictedServlets.properties list, which allows remote authenticated users to bypass intended SecurityManager restrictions and read arbitrary HTTP requests, and consequently discover session ID values, via a crafted web application. * Fix CVE-2016-0714: The session-persistence implementation in Apache Tomcat mishandles session attributes, which allows remote authenticated users to bypass intended SecurityManager restrictions and execute arbitrary code in a privileged context via a web application that places a crafted object in a session. * Fix CVE-2016-0763: The setGlobalContext method in org/apache/naming/factory/ResourceLinkFactory.java in Apache Tomcat does not consider whether ResourceLinkFactory.setGlobalContext callers are authorized, which allows remote authenticated users to bypass intended SecurityManager restrictions and read or write to arbitrary application data, or cause a denial of service (application disruption), via a web application that sets a crafted global context. tzdata (2016d-0+deb8u1) stable; urgency=medium . * New upstream version, affecting the following future time stamps: - America/Caracas. Closes: #821147. - Asia/Magadan - Asia/Tomsk (new timezone). * Update translations from the sid package. tzdata (2016d-0+deb7u1) oldstable; urgency=medium . * New upstream version, affecting the following future time stamps: - America/Caracas. Closes: #821147. - Asia/Magadan - Asia/Tomsk (new timezone). * Update translations from the sid package. tzdata (2016c-1) unstable; urgency=medium . * New upstream version, affecting the following future time stamps: - America/Santiago - Asia/Baku websvn (2.3.3-1.2+deb8u2) jessie-security; urgency=high . * Non-maintainer upload by the Security Team. * CVE-2016-1236: XSS via directory or file in a repository containing XSS payload wireshark (1.12.1+g01b65bf-4+deb8u6) jessie-security; urgency=medium . * security fixes from Wireshark 1.12.11: - PKTC dissector crashes (CVE-2016-4080, CVE-2016-4079) - IAX2 dissector infinite loop (CVE-2016-4081) - Wireshark and TShark could exhaust the stack (CVE-2016-4006) - GSM CBCH dissector crash (CVE-2016-4082) - NCP dissector crash (CVE-2016-4085) wmforecast (0.8-1+deb8u1) jessie; urgency=medium . * debian/control - Update Maintainer and add Uploaders. * debian/patches/new_yahoo_api.patch - New patch; modifications to work with new Yahoo! weather API. Backported from upstream. xapian-core (1.2.19-1+deb8u1) stable; urgency=medium . * New patch increment-cursor-version-on-cancel-or-reopen.patch fixing possible database corruption, especially with recoll. (Closes: #808610) xarchiver (1:0.5.4-1+deb8u1) jessie; urgency=medium . * Add cancel-extraction-crash.patch. When using the "extract here" feature of Xarchiver's Thunar plugin, the attempt to cancel the extraction could crash the application or even the whole desktop session. (Closes: #802019) xen (4.4.1-9+deb8u5) jessie-security; urgency=high . * Non-maintainer upload by the Security Team. * CVE-2016-3158, CVE-2016-3159: broken AMD FPU FIP/FDP/FOP leak workaround * CVE-2016-3960: x86 shadow pagetables: address width overflow xerces-c (3.1.1-5.1+deb8u2) jessie-security; urgency=high . * Non-maintainer upload by the Security Team. * CVE-2016-2099: Use-after-free in heap on specially crafted XML input (Closes: #823863) xscreensaver (5.30-1+deb8u2) jessie; urgency=medium . * Disable Easter egg about "outdated" version (closes: #819703) xymon (4.3.17-6+deb8u1) jessie-security; urgency=high . * Security update. Several issues were reported by Markus Krell: + Resolve buffer overflow when handling "config" file requests (CVE-2016-2054) + Restrict "config" files to regular files inside the $XYMONHOME/etc/ directory (symlinks disallowed). Also, require that the initial filename end in '.cfg' by default. (CVE-2016-2055) + Resolve shell command injection vulnerability in useradm CGI (CVE-2016-2056) + Tighten permissions on the xymond BFQ used for message submission to restrict access to the xymon user and group. It is now 0620. (CVE-2016-2057) + Restrict javascript execution in current and historical status messages by the addition of appropriate Content-Security-Policy headers to prevent XSS attacks. (CVE-2016-2058) zendframework (1.12.9+dfsg-2+deb8u6) jessie; urgency=medium . * Fix regression from ZF2015-08: binary data corruption * Backport security fix from 1.12.18: - ZF2016-01: Potential Insufficient Entropy Vulnerability in ZF1 http://framework.zend.com/security/advisory/ZF2016-01 ====================================== Sat, 02 Apr 2016 - Debian 8.4 released ====================================== ========================================================================= [Date: Sat, 02 Apr 2016 08:34:59 +0000] [ftpmaster: Archive Administrator] Removed the following packages from stable: gnome-gmail | 1.8.3-1 | source, all Closed bugs: 814860 ------------------- Reason ------------------- RoM; broken ---------------------------------------------- ========================================================================= ========================================================================= [Date: Sat, 02 Apr 2016 08:35:28 +0000] [ftpmaster: Archive Administrator] Removed the following packages from stable: nautilus-pastebin | 0.7.1-1 | source, all Closed bugs: 815026 ------------------- Reason ------------------- RoM; unmaintained upstream ---------------------------------------------- ========================================================================= ========================================================================= [Date: Sat, 02 Apr 2016 08:49:48 +0000] [ftpmaster: Archive Administrator] Removed the following packages from stable: libclamunrar6 | 0.98.5-1 | amd64, arm64, armel, armhf, i386, mips, mipsel, powerpc, ppc64el, s390x ------------------- Reason ------------------- [auto-cruft] NBS (no longer built by libclamunrar) ---------------------------------------------- ========================================================================= ========================================================================= [Date: Sat, 02 Apr 2016 08:50:36 +0000] [ftpmaster: Archive Administrator] Removed the following packages from stable: libclamav6 | 0.98.7+dfsg-0+deb8u1 | amd64, arm64, armel, armhf, i386, mips, mipsel, powerpc, ppc64el, s390x ------------------- Reason ------------------- [auto-cruft] NBS (no longer built by clamav) ---------------------------------------------- ========================================================================= activemq (5.6.0+dfsg1-4+deb8u2) jessie-security; urgency=high . * Team upload. * Fix CVE-2015-5254: Apache ActiveMQ 5.x before 5.13.0 does not restrict the classes that can be serialized in the broker, which allows remote attackers to execute arbitrary code via a crafted serialized Java Message Service (JMS) ObjectMessage object. amavisd-new (1:2.10.1-2~deb8u1) stable; urgency=medium . * Backport LC_ALL change to stable. amd64-microcode (2.20160316.1~deb8u1) stable; urgency=critical . * This is exactly the same release as 2.20160316.1 . amd64-microcode (2.20160316.1) unstable; urgency=critical . * Upstream release 20160316 built from linux-firmware: + Updated Microcodes: sig 0x00600f20, patch id 0x0600084f, 2016-01-25 + This microcode updates fixes a critical erratum on NMI handling introduced by microcode patch id 0x6000832 from the 20141028 update. The erratum is also present on microcode patch id 0x6000836. + THIS IS A CRITICAL STABILITY AND SECURITY UPDATE FOR THE EARLIER AMD PILEDRIVER PROCESSORS, including: + AMD Opteron 3300, 4300, 6300 + AMD FX "Vishera" (43xx, 63xx, 83xx, 93xx, 95xx) + AMD processors with family 21, model 2, stepping 0 * Robert Święcki, while fuzzing the kernel using the syzkaller tool, uncovered very strange behavior on an AMD FX-8320, later reproduced on other AMD Piledriver model 2, stepping 0 processors including the Opteron 6300. Robert discovered, using his proof-of-concept exploit code, that the incorrect behavior allows an unpriviledged attacker on an unpriviledged VM to corrupt the return stack of the host kernel's NMI handler. At best, this results in unpredictable host behavior. At worst, it allows for an unpriviledged user on unpriviledged VM to carry a sucessful host-kernel ring 0 code injection attack. * The erratum is timing-dependant, easily triggered by workloads that cause a high number of NMIs, such as running the "perf" tool. amd64-microcode (2.20160316.1~bpo70+1) wheezy-backports; urgency=critical . * Rebuild for jessie-backports (no changes). * This is the same package as 2.20160316.1 and 2.20160316.1~deb8u1. . amd64-microcode (2.20160316.1) unstable; urgency=critical . * Upstream release 20160316 built from linux-firmware: + Updated Microcodes: sig 0x00600f20, patch id 0x0600084f, 2016-01-25 + This microcode updates fixes a critical erratum on NMI handling introduced by microcode patch id 0x6000832 from the 20141028 update. The erratum is also present on microcode patch id 0x6000836. + THIS IS A CRITICAL STABILITY AND SECURITY UPDATE FOR THE EARLIER AMD PILEDRIVER PROCESSORS, including: + AMD Opteron 3300, 4300, 6300 + AMD FX "Vishera" (43xx, 63xx, 83xx, 93xx, 95xx) + AMD processors with family 21, model 2, stepping 0 * Robert Święcki, while fuzzing the kernel using the syzkaller tool, uncovered very strange behavior on an AMD FX-8320, later reproduced on other AMD Piledriver model 2, stepping 0 processors including the Opteron 6300. Robert discovered, using his proof-of-concept exploit code, that the incorrect behavior allows an unpriviledged attacker on an unpriviledged VM to corrupt the return stack of the host kernel's NMI handler. At best, this results in unpredictable host behavior. At worst, it allows for an unpriviledged user on unpriviledged VM to carry a sucessful host-kernel ring 0 code injection attack. * The erratum is timing-dependant, easily triggered by workloads that cause a high number of NMIs, such as running the "perf" tool. apt (1.0.9.8.3) jessie; urgency=medium . * apt-pkg/algorithms.cc: Avoid stack buffer overflow in KillList (Closes: #701069) aptdaemon (1.1.1-4+deb8u1) stable-proposed-updates; urgency=medium . * Non maintainer upload * Add CVE-2015-1323.patch to address CVE-2015-1323 - taken from 1.1.1-1ubuntu5.2 (Closes: #789162) ardour (1:2.8.16+git20131003+dfsg1-1~deb8u1) jessie; urgency=medium . * Repack to remove libs/pdb/dmalloc.cc. (Closes: #810754) * debian/patches/debian/patches/190_exclude_dmalloc.patch: Do not build dmalloc.cc. * debian/copyright: - Add libs/pdb/dmalloc.cc to Files-Excluded. - Remove libs/pdb/dmalloc.cc paragraph. base-files (8+deb8u4) stable; urgency=low . * Changed /etc/debian_version to 8.4, for Debian 8.4 point release. bind9 (1:9.9.5.dfsg-9+deb8u6) jessie-security; urgency=high . * Fix CVE-2016-1285: error parsing control channel input. * Fix CVE-2016-1286: error parsing DNAME resource records. bind9 (1:9.9.5.dfsg-9+deb8u5) jessie-security; urgency=high . * Non-maintainer upload by the Security Team. * CVE-2015-8704: Specific APL data could trigger an INSIST in apl_42.c. A buffer size check used to guard against overflow could cause named to exit with an INSIST failure In apl_42.c. bsh (2.0b4-15+deb8u1) jessie-security; urgency=high . * Team upload. * Fix CVE-2016-2510. An application that includes BeanShell on the classpath may be vulnerable if another part of the application uses Java serialization or XStream to deserialize data from an untrusted source. A vulnerable application could be exploited for remote code execution, including executing arbitrary shell commands. cacti (0.8.8b+dfsg-8+deb8u4) jessie-security; urgency=high . * CVE-2015-8377: Fix SQL Injection vulnerability in graphs_new.php * CVE-2015-8604: Fix SQL Injection vulnerability in graphs_new.php cairo (1.14.0-2.1+deb8u1) jessie; urgency=medium . * Fix CVE-2016-3190 chromium-browser (49.0.2623.108-1~deb8u1) jessie-security; urgency=medium . * New upstream security release: - CVE-2016-1646: Out-of-bounds read in V8. Credit to Wen Xu. - CVE-2016-1647: Use-after-free in Navigation. Credit to anonymous. - CVE-2016-1648: Use-after-free in Extensions. Credit to anonymous. - CVE-2016-1649: Buffer overflow in libANGLE. Credit to lokihardt. - CVE-2016-1650: Various fixes from internal audits, fuzzing and other initiatives. chromium-browser (49.0.2623.87-1) unstable; urgency=medium . * New upstream security release: - CVE-2016-1643: Type confusion in Blink. Credit to cloudfuzzer. - CVE-2016-1644: Use-after-free in Blink. Credit to Atte Kettunen. - CVE-2016-1645: Out-of-bounds write in PDFium. chromium-browser (49.0.2623.87-1~deb8u1) jessie-security; urgency=medium . * New upstream security release: - CVE-2016-1643: Type confusion in Blink. Credit to cloudfuzzer. - CVE-2016-1644: Use-after-free in Blink. Credit to Atte Kettunen. - CVE-2016-1645: Out-of-bounds write in PDFium. chromium-browser (49.0.2623.75-2) unstable; urgency=medium . * Update standards version. * Add libffi-dev build dependency. chromium-browser (49.0.2623.75-1) unstable; urgency=medium . * New upstream stable release: - CVE-2016-1630: Same-origin bypass in Blink. Credit to Mariusz Mlynski. - CVE-2016-1631: Same-origin bypass in Pepper Plugin. Credit to Mariusz Mlynski. - CVE-2016-1632: Bad cast in Extensions. Credit to anonymous. - CVE-2016-1633: Use-after-free in Blink. Credit to cloudfuzzer. - CVE-2016-1634: Use-after-free in Blink. Credit to cloudfuzzer. - CVE-2016-1635: Use-after-free in Blink. Credit to Rob Wu. - CVE-2016-1636: SRI Validation Bypass. Credit to ryan@cyph.com. - CVE-2015-8126: Out-of-bounds access in libpng. Credit to joerg.bornemann. - CVE-2016-1637: Information Leak in Skia. Credit to Keve Nagy. - CVE-2016-1638: WebAPI Bypass. Credit to Rob Wu. - CVE-2016-1639: Use-after-free in WebRTC. Credit to Khalil Zhani. - CVE-2016-1640: Origin confusion in Extensions UI. Credit to Luan Herrera. - CVE-2016-1641: Use-after-free in Favicon. Credit to Atte Kettunen. - CVE-2016-1642: Various fixes from internal audits, fuzzing and other initiatives. - Multiple vulnerabilities in libv8 (version 4.9.385.26). * Set use_sysroot=0 to continue using system libraries. chromium-browser (49.0.2623.75-1~deb8u1) jessie-security; urgency=medium . * New upstream stable release: - CVE-2016-1630: Same-origin bypass in Blink. Credit to Mariusz Mlynski. - CVE-2016-1631: Same-origin bypass in Pepper Plugin. Credit to Mariusz Mlynski. - CVE-2016-1632: Bad cast in Extensions. Credit to anonymous. - CVE-2016-1633: Use-after-free in Blink. Credit to cloudfuzzer. - CVE-2016-1634: Use-after-free in Blink. Credit to cloudfuzzer. - CVE-2016-1635: Use-after-free in Blink. Credit to Rob Wu. - CVE-2016-1636: SRI Validation Bypass. Credit to ryan@cyph.com. - CVE-2015-8126: Out-of-bounds access in libpng. Credit to joerg.bornemann. - CVE-2016-1637: Information Leak in Skia. Credit to Keve Nagy. - CVE-2016-1638: WebAPI Bypass. Credit to Rob Wu. - CVE-2016-1639: Use-after-free in WebRTC. Credit to Khalil Zhani. - CVE-2016-1640: Origin confusion in Extensions UI. Credit to Luan Herrera. - CVE-2016-1641: Use-after-free in Favicon. Credit to Atte Kettunen. - CVE-2016-1642: Various fixes from internal audits, fuzzing and other initiatives. - Multiple vulnerabilities in libv8 (version 4.9.385.26). * Add libffi-dev build dependency. * Set use_sysroot=0 to continue using system libraries. chromium-browser (48.0.2564.116-1) unstable; urgency=medium . * New stable security release: - CVE-2016-1622: Same-origin bypass in Extensions. Credit to anonymous. - CVE-2016-1623: Same-origin bypass in DOM. Credit to Mariusz Mlynski. - CVE-2016-1624: Buffer overflow in Brotli. Credit to lukezli. - CVE-2016-1625: Navigation bypass in Chrome Instant. Credit to Jann Horn. - CVE-2016-1626: Out-of-bounds read in PDFium. Credit to anonymous. - CVE-2016-1627: Various fixes from internal audits, fuzzing and other initiatives. - CVE-2016-1628: Out-of-bounds read in PDFium. Credit to anonymous. - CVE-2016-1629: Same-origin bypass in Blink and Sandbox escape in Chrome. Credit to anonymous. chromium-browser (48.0.2564.116-1~deb8u1) jessie-security; urgency=medium . * New stable security release: - CVE-2016-1622: Same-origin bypass in Extensions. Credit to anonymous. - CVE-2016-1623: Same-origin bypass in DOM. Credit to Mariusz Mlynski. - CVE-2016-1624: Buffer overflow in Brotli. Credit to lukezli. - CVE-2016-1625: Navigation bypass in Chrome Instant. Credit to Jann Horn. - CVE-2016-1626: Out-of-bounds read in PDFium. Credit to anonymous. - CVE-2016-1627: Various fixes from internal audits, fuzzing and other initiatives. - CVE-2016-1628: Out-of-bounds read in PDFium. Credit to anonymous. - CVE-2016-1629: Same-origin bypass in Blink and Sandbox escape in Chrome. Credit to anonymous. chromium-browser (48.0.2564.82-2) unstable; urgency=medium . * Build with gcc instead of clang. * Use ld.gold to avoid memory exhaustion while linking (closes: #812569). chromium-browser (48.0.2564.82-1) unstable; urgency=medium . * New upstream stable release: - CVE-2016-1612: Bad cast in V8. Credit to cloudfuzzer. - CVE-2016-1613: Use-after-free in PDFium. Credit to anonymous. - CVE-2016-1614: Information leak in Blink. Credit to Christoph Diehl. - CVE-2016-1615: Origin confusion in Omnibox. Credit to Ron Masas. - CVE-2016-1616: URL Spoofing. Credit to Luan Herrera. - CVE-2016-1617: History sniffing with HSTS and CSP. Credit to jenuis. - CVE-2016-1618: Weak random number generator in Blink. Credit to Aaron Toponce. - CVE-2016-1619: Out-of-bounds read in PDFium. Credit to Keve Nagy. - CVE-2016-1620: Various fixes from internal audits, fuzzing and other initiatives. - Multiple vulnerabilities in V8 fixed at the tip of the 4.8 branch (currently 4.8.271.17). chromium-browser (48.0.2564.82-1~deb8u1) jessie-security; urgency=medium . * New upstream stable release: - CVE-2016-1612: Bad cast in V8. Credit to cloudfuzzer. - CVE-2016-1613: Use-after-free in PDFium. Credit to anonymous. - CVE-2016-1614: Information leak in Blink. Credit to Christoph Diehl. - CVE-2016-1615: Origin confusion in Omnibox. Credit to Ron Masas. - CVE-2016-1616: URL Spoofing. Credit to Luan Herrera. - CVE-2016-1617: History sniffing with HSTS and CSP. Credit to jenuis. - CVE-2016-1618: Weak random number generator in Blink. Credit to Aaron Toponce. - CVE-2016-1619: Out-of-bounds read in PDFium. Credit to Keve Nagy. - CVE-2016-1620: Various fixes from internal audits, fuzzing and other initiatives. - Multiple vulnerabilities in V8 fixed at the tip of the 4.8 branch (currently 4.8.271.17). * Use ld.gold to avoid memory exhaustion while linking (closes: #812569). chromium-browser (48.0.2564.23-1) experimental; urgency=medium . * New upstream beta release. chromium-browser (47.0.2526.111-1) unstable; urgency=medium . * New upstream stable release: - Removes native_client/toolchain files introduced in the previous upstream version (closes: #807973) * Drop libssl-dev build dependency. * Migrate to dbgsym debug packages. * Recommend fonts-liberation (closes: #808106). chromium-browser (47.0.2526.80-3) unstable; urgency=medium . * Drop change to the fullscreen UI (closes: #808076). * Fix installation of the English language pak (closes: #808046). * Avoid symbol conflicts between the jpeg library embedded in pdfium and the system jpeg library (closes: #794031). chromium-browser (47.0.2526.80-2) unstable; urgency=medium . * Greatly simplify the arch:all build. * Don't hide the UI in fullscreen mode. * Ignore the GPU blacklist (closes: #802933). * Fix WMClass in the desktop launcher (closes: #803989). * Set the correct file name for the desktop launcher (closes: #806402). chromium-browser (47.0.2526.80-1) unstable; urgency=medium . * New upstream stable release: - Multiple vulnerabilities fixed in libv8 4.7.80.23. - CVE-2015-6788: Type confusion in extensions. Credit to anonymous. - CVE-2015-6789: Use-after-free in Blink. Credit to cloudfuzzer. - CVE-2015-6790: Escaping issue in saved pages. Credit to Inti De Ceukelaire. - CVE-2015-6791: Various fixes from internal audits, fuzzing and other initiatives. * Add support for ffmpeg 2.9 (closes: #803806). * Disable accelerated video decoding (closes: #804901). cinnamon-settings-daemon (2.2.4.repack-7+deb8u1) stable; urgency=medium . * Add debian/patches/csd-datetime-polkit-auth to fix a minor security bug. http://www.openwall.com/lists/oss-security/2015/10/28/3 clamav (0.99+dfsg-0+deb8u2) stable; urgency=medium . * Add libclamav-yara-avoid-unaliged-access-to-64bit-variab.patch to get the testsuite passed on sparc. It also seem avoid invalid loads on ARMv5 cpus. clamav (0.99+dfsg-0+deb8u1) stable; urgency=medium . [ Andreas Cadhalpun ] * Import final release of 0.99 * Drop patches included upstream: - Avoid-emitting-incremental-progress-messages.patch - bb-10731-Allow-to-specificy-a-group-for-the-socket.patch - clamav-milter-add-additinal-SMFIF_-flags.patch - remove-unnecessary-harmful-flags-from-libclamav.pc.patch - hardcode-LLVM-linker-flag.patch * Print all new options in one build attempt. * Preserve new OnAccessMountPath, OnAccessDisableDDD and OnAccessPrevention options in clamd.conf. * Rename libclamav6 to libclamav7 and update symbols file. * Add -Wl,--as-needed to LDFLAGS to avoid useless dependencies. * Remove unused lintian overrides. * Update debian/copyright. * Drop patch numbers, because they cause too much diff noise. * Add patch to support LLVM 3.6. * debian/clamav-milter.postinst.in: Update to reflect the change from examples/clamav-milter.conf to examples/clamav-milter.conf.sample. Thanks to Christian Schrötter. (Closes: #795190) * Use 'grep -a' instead of grep in maintainer scripts. (Closes: #799808) * Restore the SE Linux context when creating /var/lib/ucf/cache. Thanks to Russell Coker for the patch. (Closes: #802311) * Adapt debian/watch to new download location www.clamav.net/download.html. * Prevent the logrotate scripts from aborting if reloading/restarting fails. Thanks to John Zaitseff. (Closes: #788652) * Increase MaxRecursion to the upstream default of 16. (Closes: #787249) * Bump the version for the PidFile removal check in the clamav-daemon and clamav-freshclam postinst scripts (Closes: #767353) * Add database existence check also to clamav-daemon.socket. This works around systemd bug #775458. (Closes: #775112) . [ Sebastian Andrzej Siewior ] * suggest libclamunrar7 instead of libclamunrar6 * use T= so we can drop unit_tests-increment-test-timeout-from-40secs-to-5mi from the patch queue. * depend on libpcre3-dev, required for YARA support * add new PCRE related options postinst script for clamd * record new symbols in libclamav6.symbols * also remove debian/clamav-freshclam.prerm clean * Remove Fix-compiling-on-Hurd.patch included upstream. * Add patch to allow M suffix for PCREMaxFileSize as the config file suggests that this should be possible. * Cherry pick tfm-fix-compile-errors.patch from tfm upstream. * add a LFS safe fts() implementation from glibc clamav (0.99+dfsg-0+deb7u2) oldstable; urgency=medium . * Add libclamav-yara-avoid-unaliged-access-to-64bit-variab.patch to get the testsuite passed on sparc. It also seem avoid invalid loads on ARMv5 cpus. clamav (0.99+dfsg-0+deb7u1) oldstable; urgency=medium . [ Andreas Cadhalpun ] * Import final release of 0.99 * Drop patches included upstream: - bb-10731-Allow-to-specificy-a-group-for-the-socket.patch - clamav-milter-add-additinal-SMFIF_-flags.patch - remove-unnecessary-harmful-flags-from-libclamav.pc.patch - hardcode-LLVM-linker-flag.patch * Print all new options in one build attempt. * Preserve new OnAccessMountPath, OnAccessDisableDDD and OnAccessPrevention options in clamd.conf. * Rename libclamav6 to libclamav7 and update symbols file. * Add -Wl,--as-needed to LDFLAGS to avoid useless dependencies. * Remove unused lintian overrides. * Update debian/copyright. * Drop patch numbers, because they cause too much diff noise. * Add patch to support LLVM 3.6. * Add patch to support system tomsfastmath. * debian/clamav-milter.postinst.in: Update to reflect the change from examples/clamav-milter.conf to examples/clamav-milter.conf.sample. Thanks to Christian Schrötter. (Closes: #795190) * Use 'grep -a' instead of grep in maintainer scripts. (Closes: #799808) * Restore the SE Linux context when creating /var/lib/ucf/cache. Thanks to Russell Coker for the patch. (Closes: #802311) * Adapt debian/watch to new download location www.clamav.net/download.html. * Prevent the logrotate scripts from aborting if reloading/restarting fails. Thanks to John Zaitseff. (Closes: #788652) * Increase MaxRecursion to the upstream default of 16. (Closes: #787249) * Move the PidFile variable from the clamd/freshclam configuration files to the init scripts. This makes the init scripts more robust against misconfiguration and avoids error messages with systemd. (Closes: #767353) * Bump the version for the PidFile removal check in the clamav-daemon and clamav-freshclam postinst scripts (Closes: #767353) * Rename DEBCONFILE to DEBCONFFILE in clamav-freshclam.postinst making it * Use pathfind to avoid hardcoding paths. This fixes command-with-path-in-maintainer-script lintian warnings. consistent with the other postinst scripts. . [ Sebastian Andrzej Siewior ] * suggest libclamunrar7 instead of libclamunrar6 * use T= so we can drop unit_tests-increment-test-timeout-from-40secs-to-5mi from the patch queue. * depend on libpcre3-dev, required for YARA support * add new PCRE related options postinst script for clamd * record new symbols in libclamav6.symbols * also remove debian/clamav-freshclam.prerm clean * Remove Fix-compiling-on-Hurd.patch included upstream. * Add patch to allow M suffix for PCREMaxFileSize as the config file suggests that this should be possible. * Cherry pick tfm-fix-compile-errors.patch from tfm upstream. * add a LFS safe fts() implementation from glibc * Drop __DATE__ from tfm to make the package build reproducible with -Werror=date-time. With this change faketime is no longer required. clamav (0.99+dfsg-0+deb6u1) squeeze-lts; urgency=medium . [ Andreas Cadhalpun ] * Import final release of 0.99 * Drop patches included upstream: - bb-10731-Allow-to-specificy-a-group-for-the-socket.patch - clamav-milter-add-additinal-SMFIF_-flags.patch - remove-unnecessary-harmful-flags-from-libclamav.pc.patch - hardcode-LLVM-linker-flag.patch * Print all new options in one build attempt. * Preserve new OnAccessMountPath, OnAccessDisableDDD and OnAccessPrevention options in clamd.conf. * Rename libclamav6 to libclamav7 and update symbols file. * Add -Wl,--as-needed to LDFLAGS to avoid useless dependencies. * Remove unused lintian overrides. * Update debian/copyright. * Drop patch numbers, because they cause too much diff noise. * Add patch to support LLVM 3.6. * Add patch to support system tomsfastmath. * debian/clamav-milter.postinst.in: Update to reflect the change from examples/clamav-milter.conf to examples/clamav-milter.conf.sample. Thanks to Christian Schrötter. (Closes: #795190) * Use 'grep -a' instead of grep in maintainer scripts. (Closes: #799808) * Restore the SE Linux context when creating /var/lib/ucf/cache. Thanks to Russell Coker for the patch. (Closes: #802311) * Adapt debian/watch to new download location www.clamav.net/download.html. * Prevent the logrotate scripts from aborting if reloading/restarting fails. Thanks to John Zaitseff. (Closes: #788652) * Increase MaxRecursion to the upstream default of 16. (Closes: #787249) * Rename DEBCONFILE to DEBCONFFILE in clamav-freshclam.postinst making it * Use pathfind to avoid hardcoding paths. This fixes command-with-path-in-maintainer-script lintian warnings. consistent with the other postinst scripts. . [ Sebastian Andrzej Siewior ] * suggest libclamunrar7 instead of libclamunrar6 * use T= so we can drop unit_tests-increment-test-timeout-from-40secs-to-5mi from the patch queue. * depend on libpcre3-dev, required for YARA support * add new PCRE related options postinst script for clamd * record new symbols in libclamav6.symbols * also remove debian/clamav-freshclam.prerm clean * Remove Fix-compiling-on-Hurd.patch included upstream. * Add patch to allow M suffix for PCREMaxFileSize as the config file suggests that this should be possible. * Cherry pick tfm-fix-compile-errors.patch from tfm upstream. * add a LFS safe fts() implementation from glibc * Drop __DATE__ from tfm to make the package build reproducible with -Werror=date-time. With this change faketime is no longer required. . [ Scott Kitterman ] * Drop build-dep on llvm-dev since squeeze version is too old to use * Manually autoreconf since squeeze tools are too old for dh-autoreconf to be reliable clamav (0.99~rc2+dfsg-2) experimental; urgency=medium . * Drop LLVM usage on powerpc (it is broken since the v3.6 switch). clamav (0.99~rc2+dfsg-1) experimental; urgency=medium . [ Andreas Cadhalpun ] * Import first upstream release candidate for 0.99. * Drop patches included upstream: - Avoid-emitting-incremental-progress-messages.patch - bb-10731-Allow-to-specificy-a-group-for-the-socket.patch - clamav-milter-add-additinal-SMFIF_-flags.patch - remove-unnecessary-harmful-flags-from-libclamav.pc.patch - hardcode-LLVM-linker-flag.patch * Disable Large File Support because it is incompatible with fts.h, which is required by the new upstream release. * Drop patches needing LFS: - libclamav-use-libmspack.patch - fix-ssize_t-size_t-off_t-printf-modifier.patch * Disable valgrind in the test suite again. It is too flaky. * Print all new options in one build attempt. * Preserve new OnAccessMountPath, OnAccessDisableDDD and OnAccessPrevention options in clamd.conf. * Rename libclamav6 to libclamav7 and update symbols file. * Add -Wl,--as-needed to LDFLAGS to avoid useless dependencies. * Remove unused lintian overrides. * Update debian/copyright. . [ Sebastian Andrzej Siewior ] * add a LFS safe fts() implementation from glibc * bring back libmspack related patches (libclamav-use-libmspack.patch + fix-ssize_t-size_t-off_t-printf-modifier.patch) and -D_FILE_OFFSET_BITS=64 * fix a crash in clamdscan if file is passed via fd * Import second upstream release candidate for 0.99. clamav (0.99~beta1+dfsg-1) experimental; urgency=medium . * use T= so we can drop unit_tests-increment-test-timeout-from-40secs-to-5mi from the patch queue. * import new beta from upstream * depend on libpcre3-dev, required for YARA support * add new PCRE related options postist script for clamd * record new symbols in libclamav6.symbols * enable valgrind in the test suite and see how well it works across all architecures. clamav (0.98.7+dfsg-5) unstable; urgency=medium . [ Andreas Cadhalpun ] * Drop patch numbers, because they cause too much diff noise. * Fix use-pkg-config-to-determine-CHECK_LIBS.patch so that the tests actually get run again. . [ Sebastian Andrzej Siewior ] * Drop LLVM usage on powerpc (it is broken since the v3.6 switch). clamav (0.98.7+dfsg-4) unstable; urgency=medium . * Add patch to support LLVM 3.6. * debian/clamav-milter.postinst.in: Update to reflect the change from examples/clamav-milter.conf to examples/clamav-milter.conf.sample. Thanks to Christian Schrötter. (Closes: #795190) * Use 'grep -a' instead of grep in maintainer scripts. (Closes: #799808) * Restore the SE Linux context when creating /var/lib/ucf/cache. Thanks to Russell Coker for the patch. (Closes: #802311) * Adapt debian/watch to new download location www.clamav.net/download.html. * Add patch to use pkg-config to determine CHECK_LIBS. The linker flags for check changed making the hardcoded flags useless. clamav (0.98.7+dfsg-3) unstable; urgency=medium . [ Sebastian Andrzej Siewior ] * use T= so we can drop unit_tests-increment-test-timeout-from-40secs-to-5mi from the patch queue. * add 0013-tfm-fix-compile-errors.patch and 0014-tfm-duct-tape-misscompile-on-armhf.patch to get it built on armhf with gcc-5. . [ Andreas Cadhalpun ] * Prevent the logrotate scripts from aborting if reloading/restarting fails. Thanks to John Zaitseff. (Closes: #788652) clamav (0.98.7+dfsg-2) unstable; urgency=medium . [ Andreas Cadhalpun ] * Increase MaxRecursion to the upstream default of 16. (Closes: #787249) * Bump the version for the PidFile removal check in the clamav-daemon and clamav-freshclam postinst scripts (Closes: #767353) * Add database existence check also to clamav-daemon.socket. This works around systemd bug #775458. (Closes: #775112) . [ Sebastian Andrzej Siewior ] * also remove debian/clamav-freshclam.prerm clean clamav (0.98.7+dfsg-1) unstable; urgency=high . [ Andreas Cadhalpun ] * Use SocketUser, SocketGroup and RemoveOnStop systemd socket options instead of using ExecStartPost and ExecStopPost for that. * Respect clamav-daemon's LocalSocket* options with the systemd unit by extending the clamav-daemon.socket file appropriately, when running dpkg-reconfigure clamav-daemon. (Closes: #783720) * Disable this extendend configuration, when handling the configuration file with debconf is disabled. * Disable clamav-daemon.socket in prerm script. . [ Sebastian Andrzej Siewior ] * Import new upstream: - Improvements to PDF processing: decryption, escape sequence handling, and file property collection. - Scanning/analysis of additional Microsoft Office 2003 XML format. - Fix infinite loop condition on crafted y0da cryptor file. Identified and patch suggested by Sebastian Andrzej Siewior. CVE-2015-2221. - Fix crash on crafted petite packed file. Reported and patch supplied by Sebastian Andrzej Siewior. CVE-2015-2222. - Fix false negatives on files within iso9660 containers. This issue was reported by Minzhuan Gong. - Fix a couple crashes on crafted upack packed file. Identified and patches supplied by Sebastian Andrzej Siewior. - Fix a crash during algorithmic detection on crafted PE file. Identified and patch supplied by Sebastian Andrzej Siewior. - Fix an infinite loop condition on a crafted "xz" archive file. This was reported by Dimitri Kirchner and Goulven Guiheux. CVE-2015-2668. - Fix compilation error after ./configure --disable-pthreads. Reported and fix suggested by John E. Krokes. - Apply upstream patch for possible heap overflow in Henry Spencer's regex library. CVE-2015-2305 (Closes: #778406). - Fix crash in upx decoder with crafted file. Discovered and patch supplied by Sebastian Andrzej Siewior. CVE-2015-2170. - Fix segfault scanning certain HTML files. Reported with sample by Kai Risku. - Improve detections within xar/pkg files. * update GPG key used to verify releases to get uscan/get_orig.sh working again. * update symbol version for cl_retflevel due to CL_FLEVEL change. claws-mail (3.11.1-3+deb8u1) jessie-security; urgency=medium . * Non-maintainer upload (with maintainer approval) * Add range checks to functions converting between Japanese text encodings (CVE-2015-8614, CVE-2015-8708) conkeror (1.0~~pre-1+git141025-1+deb8u1) jessie; urgency=medium . * Cherry-pick 6906955e from upstream master branch to fix matching of module load error messages to work with Firefox 36 and later (including the ESR release 38.x in Debian Jessie). (Closes: #795597) cpio (2.11+dfsg-4.1+deb8u1) jessie-security; urgency=high . * Non-maintainer upload by the Security Team. * CVE-2016-2037: 1-byte out-of-bounds write (Closes: #812401) ctdb (2.5.4+debian0-4+deb8u1) jessie-security; urgency=high . * Fix CTDB behavior since CVE-2015-8543 (Closes: #813406) curl (7.38.0-4+deb8u3) jessie-security; urgency=medium . * Fix NTLM credentials not-checked for proxy connection re-use as per CVE-2016-0755 http://curl.haxx.se/docs/adv_20160127A.htm debian-installer-netboot-images (20150422+deb8u3.b1) jessie; urgency=medium . * Update to 20150422+deb8u3+b1 images, from jessie-proposed-updates didiwiki (0.5-11+deb8u1) jessie-security; urgency=high . * NMU by the Security Team; thanks to Ignace Mouzannar and Alexander Izmailov for providing the patch for CVE-2013-7448, correcting a major security issue allowing didiwiki to display any file on the filesystem. (Closes: #815111) didiwiki (0.5-11+deb7u1) wheezy-security; urgency=high . * NMU by the Security Team; thanks to Ignace Mouzannar and Alexander Izmailov for providing the patch for CVE-2013-7448, correcting a major security issue allowing didiwiki to display any file on the filesystem. (Closes: #815111) dolibarr (3.5.5+dfsg1-1+deb8u1) jessie; urgency=high . * Fix CVE-2016-1912 (Closes: #812496) * Fix CVE-2015-8685 (Closes: #812449) * Fix CVE-2015-3935 (Closes: #787762) drupal7 (7.32-1+deb8u6) stable-security; urgency=high . * Backported from 7.43 (plus minor needed bits from 7.36 and 7.30 in modules/file/file.module): SA-CORE-2016-001: Fixes several security vulnerabilities: + File upload access bypass and DoS + Brute force amplification attack via XML-RPC + Open redirect via path manipulation + Reflected file download + Wrong modes set on some user accounts setting saves + Information disclosure of email addresses CVE IDs not yet assigned ecryptfs-utils (103-5+deb8u1) jessie-security; urgency=high . * Non-maintainer upload by the Security Team. * CVE-2016-1572: privilege escalation by mounting over /proc/$pid. espeakup (1:0.71-19+deb8u1) jessie; urgency=medium . * espeakup-udeb.restart: - Make looking up available languages independent from file hierarchy, thus fixing all language (but de, en, fr, pt which were still working)... This also allows dropping special-casing nb into no. - Use portuguese for galician, since they are so close, and portuguese will always be better than english anyway. * synth.c: Fix looking up voices by language name. exactimage (0.8.9-7+deb8u2) jessie; urgency=high . * debian/patches: - Add Fix-CVE-2015-8366-Index-overflow-in-smal_decode_segment.patch, Fix CVE-2015-8366: Index overflow in smal_decode_segment exim4 (4.84.2-1) jessie-security; urgency=high . * New upstream security release. + Fix CVE-2016-1531, a local privilege escalation issue when perl_startup is used. + New options keep_environment/add_environment which are empty by default, i.e. any subprocesses start in a clean (empty) environment. + -C requires an absolute path. + Exim changes it's working directory to / right after startup. * Add macros MAIN_KEEP_ENVIRONMENT and MAIN_ADD_ENVIRONMENT to set the new options. Set "keep_environment =" by default to avoid a runtime warning. Bump exim4-config Breaks to exim4-daemon-* (<< 4.84.2). * 89_01_only_warn_on_nonempty_environment.diff, 89_02_Store-the-initial-working-directory.diff: Upstream followups on the CVE fix (Thanks, Heiko Schlittermann!): + Runtime warning is only generated if (and only if) keep_environment is unset and environment is nonempty. + Store the initial working directory and make it available in the new expansion variable $initial_cwd. * Add NEWS entry to warn of potential breakage. fglrx-driver (1:15.9-4~deb8u2) jessie; urgency=medium . * libfglrx-amdxvba1: Add Breaks+Replaces: xvba-va-driver (<< 0.8.0-9+deb) since we now ship fglrx_drv_video.so and xvba_drv_video.so. (Closes: #813427) flash-kernel (3.35+deb8u3) stable; urgency=medium . [ Karsten Merker ] * Disable the use of modprobe and udevadm in the mtdblock() function while running the testsuite. . [ Ian Campbell ] * Use /dev/mtdN when flashing, rather than needlessly going through the mtdblock layer (which is problematic on some platforms/kernels). (Closes: #794265) . [ Uwe Kleine-König ] * use nandwrite when writing to nand flash. (Closes: #813995) fonts-sil-andika (1.004-2+deb8u2) stable; urgency=medium . * Correct conffile removal rule for /etc/fonts/conf.avail/65-andika.conf. Remove for packages before 1.004-2+deb8u2~. fonts-sil-andika (1.004-2+deb8u1) stable; urgency=low . * Backport fix from unstable. * really remove 65-andika.conf, Closes: #768232, #766055 delete d/links with useless symlink d/maintscript to remove 65-andika.conf fuse (2.9.3-15+deb8u2) jessie-security; urgency=high . * Fix permissions on cuse character device to be accessible by root only. gajim (0.16-1+deb8u1) jessie-security; urgency=high . * debian/patches/fix-cve-2015-8688.patch: backport a fix for CVE-2015-8688. giflib (4.1.6-11+deb8u1) stable-proposed-updates; urgency=medium . * Non-maintainer upload by the LTS Security Team. * CVE-2015-7555: bail out if Width > SWidth. Cherry-picked upstream commit 179510be300bf11115e37528d79619b53c884a63 (Closes: #808704) git (1:2.1.4-2.1+deb8u2) jessie-security; urgency=high . * Non-maintainer upload by the Security Team. * Fix remote code execution via buffer overflows (CVE-2016-2315, CVE-2016-2324) (Closes: #818318) glibc (2.19-18+deb8u4) stable; urgency=medium . [ Aurelien Jarno ] * Update from upstream stable branch: - Fixes bug18240 failing with a timeout on machines with a lot of swap. * patches/any/cvs-grantpt-pty-owner.diff: new patch from upstream to improve granpt when /dev/pts is not mounted with the correct options. * rules.d/debhelper.mk: only install pt_chown when built. * sysdeps/linux.mk: don't build pt_chown (CVE-2013-2207). Closes: #717544. glibc (2.19-18+deb8u3) stable-security; urgency=medium . [ Aurelien Jarno ] * Update from upstream stable branch: - Fix segmentation fault caused by passing out-of-range data to strftime() (CVE-2015-8776). Closes: #812445. - Fix an integer overflow in hcreate() and hcreate_r() (CVE-2015-8778). Closes: #812441. - Fix multiple unbounded stack allocations in catopen() (CVE-2015-8779). Closes: #812455. * patches/any/local-CVE-2015-7547.diff: new patch to fix glibc getaddrinfo stack-based buffer overflow (CVE-2015-7547). gnome-shell-extension-weather (0~20151125.gitccaa1eb-1~deb8u1) jessie; urgency=medium . * New upstream snapshot. + Compatible with the new API of openweathermap.org. (Closes: #804505) + No need to manually enter an API key, since this release ships with a default one. This restores the behavior of the applet that was effective by the time of the jessie release. * Drop d/p/missing-api-key.patch. No longer needed, since this new release ships with a default API key. * d/copyright: reflect upstream changes. gnome-shell-extension-weather (0~20151023.git34aa242-1) unstable; urgency=medium . * New upstream snapshot. + Now warns about missing API key. (Closes: #801979) gnome-shell-extension-weather (0~20151003.git339ec8a-1) unstable; urgency=medium . * New upstream snapshot. * d/control: this release is compatible with GNOME 3.18. * d/copyright: reflect upstream changes. * d/NEWS: fix urgency of latest entry to make lintian happy. gnome-shell-extension-weather (0~20150615.git0162cf7-1) unstable; urgency=medium . * New upstream snapshot. Compatible with GNOME Shell 3.16. (Closes: #788789) gnupg (1.4.18-7+deb8u1) stable; urgency=medium . [ Jonathan McDowell ] * Import upstream bugfix for handling unknown subkey types (Closes: #787046) graphite2 (1.3.6-1~deb8u1) stable-security; urgency=high . * rebuild for stable-security * revert ddeb-migration graphite2 (1.3.5-1) unstable; urgency=medium . * New upstream release graphite2 (1.3.5-1~deb8u1) stable-security; urgency=high . * rebuild for stable-security * revert ddeb-migration graphite2 (1.3.5-1~deb7u1) oldstable-security; urgency=high . * rebuild for oldstable-security * revert ddeb-migration * revert package rename to -3 and go back to -2.0.0 to avoid changing the package name (ABI compatibility is there). Also dd patch to revert back to .so.2.0.0 as SONAME. graphite2 (1.3.4-2) unstable; urgency=medium . * debian/patches/revert-collision-info-refactoring-to-fix-alignment.diff: add from upstream git, thanks Tim Eves (closes: #805323) * debian/patches/reproducible-build.diff: tell dblatex to use a static path to make build reproduceable, thanks Reiner Herrmann (closes: #807838) * use -DGRAPHITE2_NTRACING:BOOL=ON (instead of :bool=1) * fix Maintainer: * migrate from manual -dbg to ddeb graphite2 (1.3.4-1) unstable; urgency=medium . * New upstream release graphite2 (1.3.3-1) unstable; urgency=medium . * New upstream release graphite2 (1.3.2-4) unstable; urgency=medium . * upload to unstable . * add graphviz to B-D-I... graphite2 (1.3.2-3) experimental; urgency=medium . * don't run dh_auto_install when ./build/src/libgraphite2.so.3 doesn't exist (as for dh_auto_test) so that we don't run a graphite build after building the docs (as make install of course requires that). Install the docs manually using .install graphite2 (1.3.2-2) experimental; urgency=medium . * check for existence of ./build/src/libgraphite2.so.3 before running dh_auto_test to skip the tests on "all" builds where we don't build graphite at all. graphite2 (1.3.2-1) experimental; urgency=medium . * New upstream release . * use --parallel in dh_auto_build (not in docs build and tests; the former doesn't build with parallelism) * Standards-Versions: 3.9.1 -> 3.9.6, no changes needed graphite2 (1.3.0-2) experimental; urgency=medium . * backport fixes from http://hg.palaso.org/graphitedev/raw-rev/cfab7499b46b: - fix tests on !linux (closes: #79499) - increase test timeout from 10s to 120s to make them succeed on mips(el) graphite2 (1.3.0-1) experimental; urgency=medium . * New upstream release gtk+2.0 (2.24.25-3+deb8u1) jessie; urgency=medium . * CVE-2013-7447 (Closes: #799275) gummi (0.6.5-3+deb8u2) stable; urgency=medium . * no-predictable-tmpfiles.patch: use upstream fix (Closes: #812577). iceweasel (38.7.1esr-1~deb8u1) stable-security; urgency=medium . * New upstream release. - Disables Graphite font shaping library. iceweasel (38.7.0esr-1~deb8u1) stable-security; urgency=medium . * New upstream release. * Fixes for mfsa2016-{16-17,20-21,23-25,27-28,31,34-35,37}, also known as: CVE-2016-1952, CVE-2016-1954, CVE-2016-1957, CVE-2016-1958, CVE-2016-1960, CVE-2016-1961, CVE-2016-1962, CVE-2016-1964, CVE-2016-1965, CVE-2016-1966, CVE-2016-1974, CVE-2016-1950, CVE-2016-1977, CVE-2016-2790, CVE-2016-2791, CVE-2016-2792, CVE-2016-2793, CVE-2016-2794, CVE-2016-2795, CVE-2016-2796, CVE-2016-2797, CVE-2016-2798, CVE-2016-2799, CVE-2016-2800, CVE-2016-2801, CVE-2016-2802. iceweasel (38.6.1esr-1~deb8u1) stable-security; urgency=medium . * New upstream release. * Fixes for mfsa2016-14, also known as CVE-2016-1523. iceweasel (38.6.0esr-1~deb8u1) stable-security; urgency=medium . * New upstream release. * Fixes for mfsa2016-{01,03}, also known as: CVE-2016-1930, CVE-2016-1935. iceweasel (38.5.0esr-1) unstable; urgency=medium . * New upstream release. * Fixes for mfsa2015-{134,138-139,145-147,149}, also known as: CVE-2015-7201, CVE-2015-7210, CVE-2015-7212, CVE-2015-7205, CVE-2015-7213, CVE-2015-7222, CVE-2015-7214. . * debian/rules: Follow upstream default for Gtk+2 vs. Gtk+3 automatically. * debian/watch: Update file to use https://archive.mozilla.org/. imagemagick (8:6.8.9.9-5+deb8u1) stable; urgency=medium . * Fix build on mips by printing progress (Closes: #770009). * Fix a few security bugs: - A DOS on specially crafted MIFF file. - A DOS on specially crafted Vicar file. - A DOS on specially crafted HDR file. - A DOs on specially crafted PDB file. - Fix a Null dereference in coders/png.c (LP: #1492881). - Fix a double free in coders/tga.c (LP: #1490362). - Avoid a DOS for RLE file. - Avoid a bufer overflow by using field limit in sprintf. - Avoid a stack overflow in fx handling. - Fixed size of memory allocation in RLE coder to avoid segfault (LP: #1496649). - Add extra checks to avoid out of bounds error when parsing the 8bim profile. (LP: #1496645). - Fixed memory leak when reading incorrect PSD files (closes: #811308) http://www.imagemagick.org/discourse-server/viewtopic.php?f=3&t=28791 - Fix PixelColor off by one on i386.(closes: #811308) https://github.com/ImageMagick/ImageMagick/issues/54 - Fix out of bounds error in -splice operator. - Prevent null pointer access in magick/constitute.c (closes: #811308) https://github.com/ImageMagick/ImageMagick/pull/34 - Fix another memory leak in string handling. - Fix an integer overflow that can lead to a buffer overrun in the icon parsing code (LP: #1459747, closes: #806441) - Fix an integer overflow that can lead to a double free in pict parsing (LP: #1448803, closes: #806441). initramfs-tools (0.120+deb8u1) jessie; urgency=medium . [ Ben Hutchings ] * [c367d7d] scripts/functions: Use shell to create stamp file instead of 'touch' (Closes: #783291) * [d22b95b] update-initramfs: Run 'sync' after writing the initramfs (Closes: #783620) * [c22cefe] hook-functions: Add support for nvme devices with MODULES=dep (Closes: #785147) * [e0b23a1] hook-functions: Add support for LVM/LUKS on mmcblk and nvme devices with MODULES=dep (Closes: #747871, #810808) * [0e905aa] scripts/functions: Fix fsck display options (Closes: #781239) . [ Laurent Bigonville ] * [3c4b38a] Support fsck.mode= and fsck.repair= parameters as known by systemd-fsck (Closes: #783410, #792557) * [dcb0f0c] Run new panic scripts just before dropping to a shell (Closes: #602331) . [ Boris Egorov ] * [2c82cf4] mkinitramfs: fix bashism in script (Closes: #633582) . [ Andy Whitcroft ] * [97b664e] When adding i8042 also add psmouse as some keyboards are behind the mouse (Closes: #795839) . [ Salvatore Bonaccorso ] * [71e5b62] scripts/nfs: Check return value from nfs_mount_root_impl (Closes: #782641) inspircd (2.0.17-1+deb8u1) jessie-security; urgency=high . * Non-maintainer upload by the Wheezy LTS Team. * Reject replies to DNS PTR requests that contain invalid characters (CVE-2015-8702) installation-guide (20150423+deb8u2) jessie; urgency=medium . [ Martin Michlmayr ] * Added QNAP TS-109, TS-209, TS-409 and TS-409U as supporteded models again. jasper (1.900.1-debian1-2.4+deb8u1) jessie-security; urgency=high . * Non-maintainer upload by the Security Team. * CVE-2016-1577: Prevent double-free in jas_iccattrval_destroy() (Closes: #816625) * CVE-2016-2089: matrix rows_ NULL pointer dereference in jas_matrix_clip() (Closes: #812978) * CVE-2016-2116: Prevent jas_stream_t memory leak in jas_iccprof_createfrombuf() (Closes: #816626) krb5 (1.12.1+dfsg-19+deb8u2) jessie-security; urgency=high . * Non-maintainer upload by the Security Team. * Verify decoded kadmin C strings [CVE-2015-8629] CVE-2015-8629: An authenticated attacker can cause kadmind to read beyond the end of allocated memory by sending a string without a terminating zero byte. Information leakage may be possible for an attacker with permission to modify the database. (Closes: #813296) * Check for null kadm5 policy name [CVE-2015-8630] CVE-2015-8630: An authenticated attacker with permission to modify a principal entry can cause kadmind to dereference a null pointer by supplying a null policy value but including KADM5_POLICY in the mask. (Closes: #813127) * Fix leaks in kadmin server stubs [CVE-2015-8631] CVE-2015-8631: An authenticated attacker can cause kadmind to leak memory by supplying a null principal name in a request which uses one. Repeating these requests will eventually cause kadmind to exhaust all available memory. (Closes: #813126) libav (6:11.6-1~deb8u1) jessie-security; urgency=medium . * New upstream release fixing multiple security issues. - concat: disable by default (CVE-2016-1897, CVE-2016-1898) - aac_parser: add required padding for GetBitContext buffer - ac3_parser: add required padding for GetBitContext buffer - imc: add required padding for GetBitContext buffer - h263: Always check both dimensions - opusdec: properly handle mismatching configurations in multichannel streams - mov: Correctly allocate ctts_data - aac: Wait to know the channels before allocating frame - rtpdec_asf: Check memory allocation and free memory on error - jack: Check memory allocation - mov: Check memory allocation - mkv: Correctly report the latest packet had been flushed - aic: Fix slice size computation for widths multiples of 32 macroblocks - webp: Make sure enough bytes are available - g726: Do not crash on user mistake - bytestream2: set the reader to the end when reading more than available - vp7: bound checking in vp7_decode_frame_header - mux: Make sure that the data is actually written - file: properly forward errors from file_read() and file_write() - mmvideo: Make sure the rle does not write over the frame boundaries - opus: Buffer the samples from the correct offset - nut: Use the correct codec_tag when multiple are available - truemotion2: Fix the buffer check - mimic: Always return on failure - msnwc_tcp: Correctly report failure - rpza: Check the blocks left before processing one - dvdsubdec: Validate the RLE offsets - avi: Validate the stream-id for DV as well - mov: Use the correct type for size * debian/confflags: Force --disable-protocol=concat. * debian/patches/CVE-2016-2326.patch: avformat/asfenc: Check pts. (CVE-2016-2326) libav (6:11.4-2) unstable; urgency=medium . * debian/*.lintian-overrides: Use architecture specific overrides to fix arch-dependent files in M-A: same package. (Closes: #787406) * debian/changelog: Wrap some lines at 80 characters to make lintian happy. libav (6:11.4-1) unstable; urgency=high . [ Reinhard Tartler ] * Bumped urgency because of two security patches, see below * Imported Upstream version 11.4 - h264: Make sure reinit failures mark the context as not initialized (CVE-2015-3417) - msrle: Use FFABS to determine the frame size in msrle_decode_pal4 (CVE-2015-3395) - cavs: Remove an unneeded scratch buffer - configure: Disable i686 for i586 and lower CPUs (debian/783082) - mjpegenc: Fix JFIF header byte ordering (bug/808) - nut: Make sure to clean up on read_header failure - png: Set the color range as full range - avi: Validate sample_size - nut: Check chapter creation in decode_info_header - alac: Reject rice_limit 0 if compression is used - ape: Support _0000 files with nblock smaller than 64 - mux: Do not leave stale side data pointers in ff_interleave_add_packet() - avresample: Reallocate the internal buffer to the correct size (bug/825) - mpegts: Update the PSI/SI table only if the version change - rtsp: Make sure we don't write too many transport entries into a fixed-size array - rtpenc_jpeg: Handle case of picture dimensions not dividing by 8 - mov: Fix little endian audio detection - x86: Put COPY3_IF_LT under HAVE_6REGS (gentoo/541930) - roqvideoenc: set enc->avctx in roq_encode_init - mp3: Properly use AVCodecContext API - libvpx: Fix mixed use of av_malloc() and av_reallocp() - Revert "lavfi: always check av_expr_parse_and_eval() return value" - alsdec: only adapt order for positive max_order - alsdec: check sample pointer range in revert_channel_correlation - aacpsy: correct calculation of minath in psy_3gpp_init - alsdec: limit avctx->bits_per_raw_sample to 32 - aasc: return correct buffer size from aasc_decode_frame - matroskadec: fix crash when parsing invalid mkv - avconv: do not overwrite the stream codec context for streamcopy - webp: ensure that each transform is only used once - h264_ps: properly check cropping parameters against overflow - hevc: zero the correct variables on invalid crop parameters - hevc: make the crop sizes unsigned * drop 01-configure-disable-i686-for-i586 . [ Sebastian Ramacher ] * debian/control: - Remove obsolete Breaks, Replaces and Conflicts. - Fix description to make lintian happy. * debian/rules: - Remove dh_builddeb compression override. This is the default since dpkg 1.17.0. - Use dh_installdocs to install documentation. - Use dh_minstallman to install manpages. * debian/{libav-tools.links,rules}: De-duplicate documentation * debian/*.lintian-overrides: - Install non-fpic code lintian overrides only for i386 packages. * debian/source/lintian-overrides: Removed obsolete lintian override. * debian/*.doc-base: Add more doc-base registrations * debian/copyright: - Remove files that do no longer exist. - Update some copyright years. libclamunrar (0.99-0+deb8u1) stable; urgency=medium . [ Scott Kitterman ] * Correct debian/copyright to add missing copyright declarations/dates . [ Sebastian Andrzej Siewior ] * Bumped standards version to 3.9.6 (no changes required). * Import new upstream. This is required because clamav's major .so version changed. * switch from libclamunrar6 to libclamunrar7 * copy clamav's watch file * add pkg-config to dependencies so autoreconf does not break * don't links against libpcre if available. libclamunrar (0.99-0+deb7u1) oldstable; urgency=medium . [ Scott Kitterman ] * Correct debian/copyright to add missing copyright declarations/dates . [ Sebastian Andrzej Siewior ] * Bumped standards version to 3.9.6 (no changes required). * Import new upstream. This is required because clamav's major .so version changed. * switch from libclamunrar6 to libclamunrar7 * copy clamav's watch file * add pkg-config to dependencies so autoreconf does not break * don't link against libpcre if available. libclamunrar (0.99-0+deb6u1) squeeze-lts; urgency=medium . [ Scott Kitterman ] * Correct debian/copyright to add missing copyright declarations/dates * Manually autreconf and add as patch since dh-autoreconf in squeeze is too old. . [ Sebastian Andrzej Siewior ] * Bumped standards version to 3.9.6 (no changes required). * Import new upstream. This is required because clamav's major .so version changed. * switch from libclamunrar6 to libclamunrar7 * copy clamav's watch file * add pkg-config to dependencies so autoreconf does not break * don't link against libpcre if available. libdatetime-timezone-perl (1:1.75-2+2016c) jessie; urgency=medium . * Update to Olson database version 2016c. Add patch debian/patches/olson-2016c, which updates the timezone *.pm files, using upstream's tools/parse_olson script. This update contains contemporary changes for Azerbaijan and Chile. libdatetime-timezone-perl (1:1.75-2+2016b) jessie; urgency=medium . * Update to Olson database version 2016b. Add patch debian/patches/olson-2016b, which updates the timezone *.pm files, using upstream's tools/parse_olson script. This update contains contemporary changes for Russia, Haiti, and Palestine. * Fix spelling of Chita in the previous changelog entry. Thanks to Stepan Golosunov for the bug report. (Closes: #813631) libdatetime-timezone-perl (1:1.75-2+2016a) jessie; urgency=medium . * Update to Olson database version 2016a. Add patch debian/patches/olson-2016a, which updates the timezone *.pm files, using upstream's tools/parse_olson script. This update contains contemporary changes for the Cayman Islands, Iran, and Chrita, Russia. libgcrypt20 (1.6.3-2+deb8u1) jessie-security; urgency=high . * Non-maintainer upload by the Security Team. * ecc: input validation on ECDH * ecc: Constant-time multiplication for Weierstrass curve (CVE-2015-7511) libmatroska (1.4.1-2+deb8u1) jessie-security; urgency=high . * Non-maintainer upload by the Wheezy LTS Team. * CVE-2015-8792: Fix invalid memory access issue. (patch taken from the squeeze version) libotr (4.1.0-2+deb8u1) jessie-security; urgency=high . * Non-maintainer upload by the Security Team. * CVE-2016-2851: Integer overflow on 64-bit architectures when receiving 4GB messages librsvg (2.40.5-1+deb8u1) jessie; urgency=medium . * Non-maintainer upload. * Fix CVE-2015-7557: Out-of-bounds heap read when parsing SVG file. libsndfile (1.0.25-9.1+deb8u1) jessie; urgency=medium . * Fix denial of service through division by zero (CVE-2014-9756) -> 03_file_io_divide_by_zero.diff (Closes: #804447) * Fix heap overflow in AIFF parser (CVE-2015-7805) -> 04_fix_aiff_heap_overflow.diff (Closes: #804445) libssh (0.6.3-4+deb8u2) jessie-security; urgency=high . * Non-maintainer upload by the Security Team. * CVE-2016-0739: Truncated Diffie-Hellman secret length (Closes: #815663) libssh2 (1.4.3-4.1+deb8u1) jessie-security; urgency=high . * Non-maintainer upload by the Security Team. * CVE-2016-0787: Truncated Difffie-Hellman secret length libvirt (1.2.9-9+deb8u2) jessie; urgency=medium . [ Philipp Hahn ] * [16e52e6] CVE-2015-5313: Don't allow allow '/' in filesystem volume (Closes: #808273) * [e69dd73] libvirt-daemon: Expect qemu-bridge-helper in /usr/lib/qemu like we fixed #790935 in sid. (Closes: #816602) . [ Guido Günther ] * [72db643] Allow autopkg tests to print to stderr libvirt (1.2.9-9+deb8u2~bpo70+1) wheezy-backports; urgency=medium . * Rebuild for wheezy-backports. * Remaining changes: * [b46b754] Drop sheepdog support not available in Wheezy * [31a2113] Use libnl1 since libnetcf1 is linked against libnl1 in Wheezy. Also make sure we don't pickup up libnetcf-dev using libnl3. * [4ca4854] Make sure the cgroup update notice is also shown in backports * [c5a59dd] Drop version in polkit-1 dependency. This reintroduces CVE-2013-4311 since we don't have a recent enough polkit-1 in wheezy. * [4db6aaa] Disable xenlight support not available in wheezy * [314c4aa] Use libgcrpt/gnutls versions from wheezy * [c0f79f1] gbp.conf: use wheezy-backports * [d20e1f7] autopkgtest: Remove allow-stderr restriction not present in wheezy. Therefore drop "-x" so we don't print to stderr. . libvirt (1.2.9-9+deb8u2) jessie; urgency=medium . [ Philipp Hahn ] * [16e52e6] CVE-2015-5313: Don't allow allow '/' in filesystem volume (Closes: #808273) * [e69dd73] libvirt-daemon: Expect qemu-bridge-helper in /usr/lib/qemu like we fixed #790935 in sid. (Closes: #816602) . [ Guido Günther ] * [72db643] Allow autopkg tests to print to stderr . libvirt (1.2.9-9+deb8u1) jessie; urgency=medium . [ Guido Günther ] * [8e4cf5a] Teach virt-aa-helper to use TEMPLATE.qemu if the domain is kvm or kqemu. Thanks to Luke Faraone for the report (Closes: #786650) * [ad1ff0b] Adjust gbp.conf for jessie * [c830a54] Disable test suite due to libxml2 bug #781232 in jessie * [be70aec] Fix crash on live migration this supplements 07dbec0a64783f644854a22aa0355720f0328d17. Thanks to Eckebrecht von Pappenheim (Closes: #788171) . [ Felix Geyer ] * [9fb6c59] Allow access to libnl-3 configuration (Closes: #786652) . [ intrigeri ] * Allow-access-to-libnl-3-config-files.patch: revert changes that are unrelated to the bug this patch is meant to fix. . [ Daniel P. Berrange ] * [afae69a] Report original error when QMP probing fails with new QEMU (Closes: #780093) linux (3.16.7-ckt25-1) jessie; urgency=medium . * New upstream stable update: http://kernel.ubuntu.com/stable/ChangeLog-3.16.7-ckt21 - irda: precedence bug in irlmp_seq_hb_idx() - macvtap: unbreak receiving of gro skb with frag list - RDS-TCP: Recover correctly from pskb_pull()/pksb_trim() failure in rds_tcp_data_recv - stmmac: Correctly report PTP capabilities. - ipmr: fix possible race resulting from improper usage of IP_INC_STATS_BH() in preemptible context. - sit: fix sit0 percpu double allocations - packet: race condition in packet_bind - net: avoid NULL deref in inet_ctl_sock_destroy() - net: fix a race in dst_release() - Failing to send a CLOSE if file is opened WRONLY and server reboots on a 4.x mount - [x86] xen: Do not clip xen_e820_map to xen_e820_map_entries when sanitizing map - HID: core: Avoid uninitialized buffer access - [media] v4l2-compat-ioctl32: fix alignment for ARM64 - [armhf] net: mvneta: Fix CPU_MAP registers initialisation - mtd: mtdpart: fix add_mtd_partitions error path - [armel,armhf] 8426/1: dma-mapping: add missing range check in dma_mmap() - [armel,armhf] 8427/1: dma-mapping: add support for offset parameter in dma_mmap() - spi: ti-qspi: Fix data corruption seen on r/w stress test - lockd: create NSM handles per net namespace - Btrfs: fix file corruption and data loss after cloning inline extents - [armel,armhf] common: edma: Fix channel parameter for irq callbacks - [x86] iommu/vt-d: Fix ATSR handling for Root-Complex integrated endpoints - ext4: fix potential use after free in __ext4_journal_stop - ext4: fix calculation of meta_bg descriptor backups - ext4, jbd2: ensure entering into panic after recording an error in superblock - vTPM: fix memory allocation flag for rtce buffer at kernel boot - spi: dw: explicitly free IRQ handler in dw_spi_remove_host() - media: vb2 dma-contig: Fully cache synchronise buffers in prepare and finish - Bluetooth: hidp: fix device disconnect on idle timeout - Bluetooth: ath3k: Add new AR3012 0930:021c id - Bluetooth: ath3k: Add support of AR3012 0cf3:817b device - spi: atmel: Fix DMA-setup for transfers with more than 8 bits per word - ACPI: Use correct IRQ when uninstalling ACPI interrupt handler - [x86] ALSA: hda/realtek - Dell XPS one ALC3260 speaker no sound after resume back - megaraid_sas: Do not use PAGE_SIZE for max_sectors - [s390x] KVM: SCA must not cross page boundaries - [arm64] Fix compat register mappings - can: Use correct type in sizeof() in nla_put() - mtd: blkdevs: fix potential deadlock + lockdep warnings - Revert "dm mpath: fix stalls when handling invalid ioctls" - [x86] drm/i915: add quirk to enable backlight on Dell Chromebook 11 (2015) - crypto: algif_hash - Only export and import on sockets with data - xtensa: fixes for configs without loop option - megaraid_sas : do not access user memory from IOCTL code - mac80211: fix divide by zero when NOA update - mac80211: allow null chandef in tracing - [x86] KVM: VMX: fix SMEP and SMAP without EPT - [armhf] thermal: exynos: Fix unbalanced regulator disable on probe failure - [x86] ALSA: hda - Apply pin fixup for HP ProBook 6550b - firewire: ohci: fix JMicron JMB38x IT context discovery - scsi: restart list search after unlock in scsi_remove_target - mm: slab: only move management objects off-slab for sizes larger than KMALLOC_MIN_SIZE - [x86] Input: elantech - add Fujitsu Lifebook U745 to force crc_enabled - proc: actually make proc_fd_permission() thread-friendly - [x86] setup: Extend low identity map to cover whole kernel range - [x86] setup: Fix low identity map for >= 2GB kernel range - [x86] cpu: Call verify_cpu() after having entered long mode too - Btrfs: fix race leading to incorrect item deletion when dropping extents - Btrfs: fix race leading to BUG_ON when running delalloc for nodatacow - perf: Fix inherited events vs. tracepoint filters - scsi_sysfs: Fix queue_ramp_up_period return code - Btrfs: fix race when listing an inode's xattrs - [x86] ideapad-laptop: Add Lenovo Yoga 900 to no_hw_rfkill dmi list - [x86] storvsc: Don't set the SRB_FLAGS_QUEUE_ACTION_ENABLE flag - [x86] KVM: Defining missing x86 vectors - drivers: of: of_reserved_mem: fixup the alignment with CMA setup - drm/ast: Initialized data needed to map fbdev memory - FS-Cache: Increase reference of parent after registering, netfs success - FS-Cache: Don't override netfs's primary_index if registering failed - binfmt_elf: Don't clobber passed executable's file header - fs/pipe.c: return error code rather than 0 in pipe_write() - mac80211: fix driver RSSI event calculations - wm831x_power: Use IRQF_ONESHOT to request threaded IRQs - mwifiex: fix mwifiex_rdeeprom_read() - dmaengine: dw: convert to __ffs() - usb: ehci-orion: fix probe for !GENERIC_PHY - devres: fix a for loop bounds check - netfilter: remove dead code - ipv4: Fix ip_queue_xmit to pass sk into ip_local_out_sk - packet: fix match_fanout_group() - hsi: fix double kfree - hsi: omap_ssi_port: Prevent warning if cawake_gpio is not defined. - ALSA: fireworks/bebob/oxfw/dice: enable to make as built-in - drm: Fix return value of drm_framebuffer_init() - ALSA: fireworks: use u32 type for be32_to_cpup() macro - ALSA: bebob: use correct type for __be32 data - tcp: apply Kern's check on RTTs used for congestion control - clk: versatile-icst: fix memory leak - mfd: twl6040: Fix deferred probe handling for clk32k - of/fdt: fix error checking for earlycon address - netfilter: nfnetlink: don't probe module if it exists - xprtrdma: Re-arm after missed events - ceph: fix message length computation - ipv6: fix tunnel error handling - perf trace: Fix documentation for -i - bonding: fix panic on non-ARPHRD_ETHER enslave failure - rtc: ds1307: Fix alarm programming for mcp794xx - TPM: Avoid reference to potentially freed memory - md/raid0: update queue parameter in a safer location. - md/raid0: apply base queue limits *before* disk_stack_limits - drm/radeon: add quirk for MSI R7 370 - drm/radeon: add quirk for ASUS R7 370 - drm/radeon: fix quirk for MSI R7 370 Armor 2X - tty: fix stall caused by missing memory barrier in drivers/tty/n_tty.c - fs/proc, core/debug: Don't expose absolute kernel addresses via wchan - ALSA: hda - Disable 64bit address for Creative HDA controllers - printk: prevent userland from spoofing kernel messages - FS-Cache: Handle a write to the page immediately beyond the EOF marker http://kernel.ubuntu.com/stable/ChangeLog-3.16.7-ckt22 - iio: lpc32xx_adc: fix warnings caused by enabling unprepared clock - iio:ad5064: Make sure ad5064_i2c_write() returns 0 on success - iio: ad5064: Fix ad5629/ad5669 shift - iio:ad7793: Fix ad7785 product ID - [x86] fpu: Fix 32-bit signal frame handling - iio: adc: xilinx: Fix VREFN scale - [x86] drm/i915: quirk backlight present on Macbook 4, 1 - USB: qcserial: Add support for Quectel EC20 Mini PCIe module - USB: serial: option: add support for Novatel MiFi USB620L - USB: ti_usb_3410_5052: Add Honeywell HGI80 ID - [x86] drm/i915: get runtime PM reference around GEM set_caching IOCTL - drm/radeon: unconditionally set sysfs_initialized - USB: qcserial: Fix support for HP lt4112 LTE/HSPA+ Gobi 4G Modem - [arm64] kernel: pause/unpause function graph tracer in cpu_suspend() - usb: dwc3: gadget: let us set lower max_speed - usb: chipidea: debug: disable usb irq while role switch - xhci: Workaround to get Intel xHCI reset working more reliably - xhci: Fix a race in usb2 LPM resume, blocking U3 for usb2 devices - [x86] cpu: Fix SMAP check in PVOPS environments - [arm64] restore bogomips information in /proc/cpuinfo - USB: option: add XS Stick W100-2 from 4G Systems - usblp: do not set TASK_INTERRUPTIBLE before lock - fat: fix fake_offset handling on error path - kernel/signal.c: unexport sigsuspend() - ocfs2: fix umask ignored issue - mmc: remove bondage between REQ_META and reliable write - packet: do skb_probe_transport_header when we actually have data - packet: only allow extra vlan len on ethernet devices - packet: fix tpacket_snd max frame len - sctp: translate host order to network order when setting a hmacid - net/mlx4_core: Avoid returning success in case of an error flow - usb: musb: core: fix order of arguments to ulpi write callback - FS-Cache: Add missing initialization of ret in cachefiles_write_page() - macvlan: fix leak in macvlan_handle_frame - packet: always probe for transport header - packet: infer protocol from ethernet header if unset - ip_tunnel: disable preemption when updating per-cpu tstats - snmp: Remove duplicate OUTMCAST stat increment - tcp: initialize tp->copied_seq in case of cross SYN connection - net, scm: fix PaX detected msg_controllen overflow in scm_detach_fds - net: ipmr: fix static mfc/dev leaks on table destruction - net: ip6mr: fix static mfc/dev leaks on table destruction - ipv6: distinguish frag queues by device for multicast and link-local packets - ipv6: add complete rcu protection around np->opt - net/neighbour: fix crash at dumping device-agnostic proxy entries - ipv6: sctp: implement sctp_v6_destroy_sock() - xfs: allow inode allocations in post-growfs disk space (Closes: #802885) - ALSA: usb-audio: add packet size quirk for the Medeli DD305 - ALSA: usb-audio: prevent CH345 multiport output SysEx corruption - ALSA: usb-audio: work around CH345 input SysEx corruption - dm thin: restore requested 'error_if_no_space' setting on OODS to WRITE transition - dm: fix ioctl retry termination with signal - ALSA: hda - Add fixup for Acer Aspire One Cloudbook 14 - mac: validate mac_partition is within sector - ALSA: hda - Apply HP headphone fixups more generically - fix sysvfs symlinks - vfs: Make sendfile(2) killable even better - vfs: Avoid softlockups with sendfile(2) - nfs4: start callback_ident at idr 1 - ALSA: hda - Fix headphone noise after Dell XPS 13 resume back from S3 - [arm64] KVM: Fix AArch32 to AArch64 register mapping - drm/radeon: make rv770_set_sw_state failures non-fatal - ALSA: hda - Fix noise on Gigabyte Z170X mobo - drm/radeon: make some dpm errors debug only - nfs: if we have no valid attrs, then don't declare the attribute cache valid - xen/gntdev: Grant maps should not be subject to NUMA balancing - iscsi-target: Fix rx_login_comp hang after login failure - target: Fix race for SCF_COMPARE_AND_WRITE_POST checking - target: fix COMPARE_AND_WRITE non zero SGL offset data corruption - [armel/kirkwood] dts: Fix QNAP TS219 power-off - netfilter: ipt_rpfilter: remove the nh_scope test in rpfilter_lookup_reverse - netfilter: nf_tables: fix bogus warning in nft_data_uninit() - netfilter: ip6t_SYNPROXY: fix NULL pointer dereference - gre6: allow to update all parameters via rtnl - atl1c: Improve driver not to do order 4 GFP_ATOMIC allocation - sctp: use the same clock as if sock source timestamps were on - sctp: update the netstamp_needed counter when copying sockets - ipv6: sctp: clone options to avoid use after free - vlan: Fix untag operations of stacked vlans with REORDER_HEADER off - skbuff: Fix offset error in skb_reorder_vlan_header - af_unix: Revert 'lock_interruptible' in stream receive code - ip6mr: call del_timer_sync() in ip6mr_free_table() - [x86] drm/i915: Disable PSMI sleep messages on all rings around context switches (Closes: #777231) - crypto: nx - Fix timing leak in GCM and CCM decryption - crypto: talitos - Fix timing leak in ESP ICV verification - ASoC: wm8962: correct addresses for HPF_C_0/1 - mac80211: mesh: fix call_rcu() usage - mac80211: ensure we don't update tx power on a non-running sdata - can: sja1000: clear interrupts on start - ring-buffer: Update read stamp with first real commit on page - block: Always check queue limits for cloned requests - Fix a memory leak in scsi_host_dev_release() - wan/x25: Fix use-after-free in x25_asy_open_tty() - mac80211: do not actively scan DFS channels - locking: Add WARN_ON_ONCE lock assertion - drm: Fix an unwanted master inheritance v2 - sched/core: Clear the root_domain cpumasks in init_rootdomain() - [x86] signal: Fix restart_syscall number for x32 tasks - isdn: Partially revert debug format string usage clean up - remoteproc: avoid stack overflow in debugfs file - [armhf] net: mvneta: add configuration for MBUS windows access protection - [armhf] net: mvneta: fix bit assignment in MVNETA_RXQ_CONFIG_REG - [armhf] net: mvneta: fix bit assignment for RX packet irq enable - ipv4: igmp: Allow removing groups from a removed interface - sched/core: Remove false-positive warning from wake_up_process() - btrfs: fix signed overflows in btrfs_sync_file http://kernel.ubuntu.com/stable/ChangeLog-3.16.7-ckt23 - iio: fix some warning messages - USB: cp210x: Remove CP2110 ID from compatibility list - USB: cdc_acm: Ignore Infineon Flash Loader utility - USB: serial: Another Infineon flash loader USB ID - ext4: Fix handling of extended tv_sec - jbd2: Fix unreclaimed pages after truncate in data=journal mode - drm/ttm: Fixed a read/write lock imbalance - AHCI: Fix softreset failed issue of Port Multiplier - sata_sil: disable trim - usb-storage: Fix scsi-sd failure "Invalid field in cdb" for USB adapter JMicron - staging: lustre: echo_copy.._lsm() dereferences userland pointers directly - irqchip/versatile-fpga: Fix PCI IRQ mapping on Versatile PB - usb: core : hub: Fix BOS 'NULL pointer' kernel panic - USB: whci-hcd: add check for dma mapping error - dm btree: fix leak of bufio-backed block in btree_split_sibling error path - SCSI: Fix NULL pointer dereference in runtime PM - perf: Fix PERF_EVENT_IOC_PERIOD deadlock - usb: xhci: fix config fail of FS hub behind a HS hub with MTT - ALSA: rme96: Fix unexpected volume reset after rate changes - ALSA: hda - Add inverted dmic for Packard Bell DOTS - virtio: fix memory leak of virtio ida cache layers - nfs4: limit callback decoding to received bytes - SUNRPC: Fix callback channel - IB/srp: Fix possible send queue overflow - ALSA: hda - Fixing speaker noise on the two latest thinkpad models - 9p: ->evict_inode() should kick out ->i_data, not ->i_mapping - radeon/cik: Fix GFX IB test on Big-Endian - radeon: Fix VCE ring test for Big-Endian systems - radeon: Fix VCE IB test on Big-Endian systems - ALSA: hda - Fix noise problems on Thinkpad T440s - dm thin metadata: fix bug when taking a metadata snapshot - dm space map metadata: fix ref counting bug when bootstrapping a new space map - ipmi: move timer init to before irq is setup - dm btree: fix bufio buffer leaks in dm_btree_del() error path - vgaarb: fix signal handling in vga_get() - xhci: fix usb2 resume timing and races. - USB: add quirk for devices with broken LPM - [hppa] iommu: fix panic due to trying to allocate too large region - mm: hugetlb: fix hugepage memory leak caused by wrong reserve count - mm, vmstat: allow WQ concurrency to discover memory reclaim doesn't make any progress - mm: hugetlb: call huge_pte_alloc() only if ptep is null - drivers/base/memory.c: prohibit offlining of memory blocks with missing sections - ocfs2: fix SGID not inherited issue - usb: musb: USB_TI_CPPI41_DMA requires dmaengine support - efi: Disable interrupts around EFI calls, not in the epilog/prolog calls - [armhf] i2c: mv64xxx: The n clockdiv factor is 0 based on sunxi SoCs - xen/events/fifo: Consume unprocessed events when a CPU dies - video: fbdev: fsl: Fix kernel crash when diu_ops is not implemented - crypto: skcipher - Copy iv from desc even for 0-len walks - rfkill: copy the name into the rfkill struct - ses: Fix problems with simple enclosures - Revert "SCSI: Fix NULL pointer dereference in runtime PM" - ses: fix additional element traversal bug - powercap / RAPL: fix BIOS lock check - n_tty: Fix poll() after buffer-limited eof push read - tty: Fix GPF in flush_to_ldisc() - ALSA: usb-audio: Add a more accurate volume quirk for AudioQuest DragonFly - [armel,armhf] 8471/1: need to save/restore arm register(r11) when it is corrupted - ALSA: hda - Add a fixup for Thinkpad X1 Carbon 2nd - spi: fix parent-device reference leak - dma-debug: Fix dma_debug_entry offset calculation - [powerpc*] powernv: Fix the overflow of OPAL message notifiers head array - [powerpc*] powernv: pr_warn_once on unsupported OPAL_MSG type - USB: ipaq.c: fix a timeout loop - USB: fix invalid memory access in hub_activate() - pinctrl: bcm2835: Fix initial value for direction_output - net: phy: mdio-mux: Check return value of mdiobus_alloc() - mISDN: fix a loop count - qlcnic: fix a timeout loop - ser_gigaset: fix deallocation of platform device structure - include/linux/mmdebug.h: should include linux/bug.h - [x86] drm/i915: Fix SRC_COPY width on 830/845g - vmstat: allocate vmstat_wq before it is used - [powerpc*] KVM: Book3S HV: Prohibit setting illegal transaction state in MSR - ASoC: wm8974: set cache type for regmap - [armhf] dts: imx6: Fix Ethernet PHY mode on Ventana boards - ALSA: hda - Set SKL+ hda controller power at freeze() and thaw() - [s390x] dis: Fix handling of format specifiers - [hppa] Fix syscall restarts - ALSA: hda/realtek - Fix silent headphone output on MacPro 4,1 (v2) - ocfs2: fix BUG when calculate new backup super - mm/memory_hotplug.c: check for missing sections in test_pages_in_a_zone() - net/mlx4_en: Remove dependency between timestamping capability and service_task - net/mlx4_en: Fix HW timestamp init issue upon system startup - ipv6/addrlabel: fix ip6addrlbl_get() - qlcnic: fix a loop exit condition better - genirq: Prevent chip buslock deadlock - ftrace/scripts: Fix incorrect use of sprintf in recordmcount - tracing: Fix setting of start_index in find_next() - [armhf] dts: vt8500: Add SDHC node to DTS file for WM8650 - [x86] mce: Ensure offline CPUs don't participate in rendezvous process - ASoC: arizona: Fix bclk for sample rates that are multiple of 4kHz - async_tx: use GFP_NOWAIT rather than GFP_IO - ftrace/module: Call clean up function when module init fails early - ASoC: Use nested lock for snd_soc_dapm_mutex_lock - net: filter: make JITs zero A for SKF_AD_ALU_XOR_X - net: possible use after free in dst_release - [x86] kvm: only channel 0 of the i8254 is linked to the HPET - firmware: dmi_scan: Fix UUID endianness for SMBIOS >= 2.6 http://kernel.ubuntu.com/stable/ChangeLog-3.16.7-ckt24 - drm/nouveau/nv46: Change mc subdev oclass from nv44 to nv4c - veth: don’t modify ip_summed; doing so treats packets with bad checksums as good. - sctp: sctp should release assoc when sctp_make_abort_user return NULL in sctp_close - connector: bump skb->users before callback invocation - unix: properly account for FDs passed over unix sockets - bridge: Only call /sbin/bridge-stp for the initial network namespace - vxlan: fix test which detect duplicate vxlan iface - net: sctp: prevent writes to cookie_hmac_alg from accessing invalid memory - tcp_yeah: don't set ssthresh below 2 - bonding: Prevent IPv6 link local address on enslaved devices - phonet: properly unshare skbs in phonet_rcv() - net: bpf: reject invalid shifts - ipv6: update skb->csum when CE mark is propagated - team: Replace rcu_read_lock with a mutex in team_vlan_rx_kill_vid - xen-netback: respect user provided max_queues - xen-netfront: respect user provided max_queues - xen-netfront: print correct number of queues - xen-netfront: update num_queues to real created - xfrm: dst_entries_init() per-net dst_ops - sctp: convert sack_needed and sack_generation to bits - sctp: start t5 timer only when peer rwnd is 0 and local state is SHUTDOWN_PENDING - nfs: Fix unused variable error - media: gspca: ov534/topro: prevent a division by 0 - media: media: dvb-core: Don't force CAN_INVERSION_AUTO in oneshot mode - [x86] KVM: expose MSR_TSC_AUX to userspace - [x86] KVM: correctly print #AC in traces - drm/radeon: call hpd_irq_event on resume - xhci: refuse loading if nousb is used - [arm64] Clear out any singlestep state on a ptrace detach operation - time: Avoid signed overflow in timekeeping_get_ns() - Bluetooth: Add support of Toshiba Broadcom based devices - rtlwifi: fix memory leak for USB device - wlcore/wl12xx: spi: fix oops on firmware load - EDAC: Fix the leak of mci->bus->name when bus_register fails - EDAC, mc_sysfs: Fix freeing bus' name - EDAC: Robustify workqueues destruction - [arm64] mm: ensure that the zero page is visible to the page table walker - [powerpc*] Make value-returning atomics fully ordered - [powerpc*] Make {cmp}xchg* and their atomic_ versions fully ordered - dm space map metadata: remove unused variable in brb_pop() - dm thin: fix race condition when destroying thin pool workqueue - futex: Drop refcount if requeue_pi() acquired the rtmutex - [arm64] mdscr_el1: avoid exposing DCC to userspace - [arm64] kernel: enforce pmuserenr_el0 initialization and restore - drm/radeon: clean up fujitsu quirks - mmc: sdio: Fix invalid vdd in voltage switch power cycle - mmc: sdhci: Fix sdhci_runtime_pm_bus_on/off() - udf: limit the maximum number of indirect extents in a row - nfs: Fix race in __update_open_stateid() - USB: cp210x: add ID for ELV Marble Sound Board 1 - posix-clock: Fix return code on the poll method's error path - rtlwifi: rtl8192de: Fix incorrect module parameter descriptions - rtlwifi: rtl8192se: Fix module parameter initialization - rtlwifi: rtl8192ce: Fix handling of module parameters - rtlwifi: rtl8192cu: Add missing parameter setup - NFSv4: Don't perform cached access checks before we've OPENed the file - NFS: Fix attribute cache revalidation - bcache: fix a livelock when we cause a huge number of cache misses - bcache: Add a cond_resched() call to gc - bcache: clear BCACHE_DEV_UNLINK_DONE flag when attaching a backing device - bcache: fix a leak in bch_cached_dev_run() - bcache: unregister reboot notifier if bcache fails to unregister device - bcache: allows use of register in udev to avoid "device_busy" error. - bcache: prevent crash on changing writeback_running - bcache: Change refill_dirty() to always scan entire disk if necessary - wlcore/wl12xx: spi: fix NULL pointer dereference (Oops) - Input: i8042 - add Fujitsu Lifebook U745 to the nomux list - libxfs: pack the agfl header structure so XFS_AGFL_SIZE is correct - [x86] xen: don't reset vcpu_info on a cancelled suspend - udf: Prevent buffer overrun with multi-byte characters - udf: Check output buffer length when converting name to CS0 - PCI: Fix minimum allocation address overwrite - PCI: host: Mark PCIe/PCI (MSI) IRQ cascade handlers as IRQF_NO_THREAD - iwlwifi: update and fix 7265 series PCI IDs - locks: fix unlock when fcntl_setlk races with a close - ASoC: compress: Fix compress device direction check - dm snapshot: fix hung bios when copy error occurs - uml: fix hostfs mknod() - uml: flush stdout before forking - drm/nouveau/kms: take mode_config mutex in connector hotplug path - [x86] boot: Double BOOT_HEAP_SIZE to 64KB - [s390x] fix normalization bug in exception table sorting - xfs: inode recovery readahead can race with inode buffer creation - xfs: handle dquot buffer readahead in log recovery correctly - clocksource/drivers/vt8500: Increase the minimum delta - Input: elantech - mark protocols v2 and v3 as semi-mt - [x86] reboot/quirks: Add iMac10,1 to pci_reboot_dmi_table[] - virtio_balloon: fix race by fill and leak - virtio_balloon: fix race between migration and ballooning - [hppa] Fix __ARCH_SI_PREAMBLE_SIZE - scripts/recordmcount.pl: support data in text section on powerpc - [powerpc*] module: Handle R_PPC64_ENTRY relocations - dmaengine: dw: fix cyclic transfer setup - dmaengine: dw: fix cyclic transfer callbacks - mmc: mmci: fix an ages old detection error - [sparc64] fix incorrect sign extension in sys_sparc64_personality - cifs: fix race between call_async() and reconnect() - cifs_dbg() outputs an uninitialized buffer in cifs_readdir() - dma-debug: switch check from _text to _stext - ocfs2/dlm: ignore cleaning the migration mle that is inuse - zram/zcomp: use GFP_NOIO to allocate streams - zram: try vmalloc() after kmalloc() - mm: soft-offline: check return value in second __get_any_page() call - memcg: only free spare array when readers are done - panic: release stale console lock to always get the logbuf printed out - kernel/panic.c: turn off locks debug before releasing console lock - printk: do cond_resched() between lines while outputting to consoles - ALSA: hda - Fix bass pin fixup for ASUS N550JX - crypto: af_alg - Disallow bind/setkey/... after accept(2) - crypto: af_alg - Fix socket double-free when accept fails - crypto: af_alg - Add nokey compatibility path - crypto: hash - Add crypto_ahash_has_setkey - crypto: af_alg - Allow af_af_alg_release_parent to be called on nokey path - crypto: af_alg - Forbid bind(2) when nokey child sockets are present - ALSA: pcm: Fix snd_pcm_hw_params struct copy in compat mode - ALSA: seq: Fix snd_seq_call_port_info_ioctl in compat mode - ALSA: control: Avoid kernel warnings from tlv ioctl with numid 0 - crypto: algif_skcipher - Load TX SG list after waiting - crypto: crc32c - Fix crc32c soft dependency - IB/qib: fix mcast detach when qp not attached - IB/qib: Support creating qps with GFP_NOIO flag - [x86] ideapad-laptop: Add Lenovo ideapad Y700-17ISK to no_hw_rfkill dmi list - iscsi-target: Fix potential dead-lock during node acl delete - ALSA: timer: Handle disconnection more safely - ocfs2: NFS hangs in __ocfs2_cluster_lock due to race with ocfs2_unblock_lock - [x86] ideapad-laptop: Add Lenovo Yoga 700 to no_hw_rfkill dmi list - [x86] drm/i915: avoid deadlock on failure paths in __intel_framebuffer_create() - [x86] drm/i915: On fb alloc failure, unref gem object where it gets refed - media: rc: allow rc modules to be loaded if rc-main is not a module - SCSI: initio: remove duplicate module device table - [arm64] clk: xgene: Fix divider with non-zero shift value - clk: st: avoid uninitialized variable use - ath9k_htc: check for underflow in ath9k_htc_rx_msg() - mtd: nand: fix ONFI parameter page layout - mtd: nand: denali: add missing nand_release() call in denali_remove() - mtd: nand: remove unused and buggy get_platform_nandchip() helper function - ALSA: fm801: propagate TUNER_ONLY bit when autodetected - pinctrl: bcm2835: Fix memory leak in error path - [x86] LDT: Print the real LDT base address - sysrq: Fix warning in sysrq generated crash. - kconfig: return 'false' instead of 'no' in bool function - [x86] perf: Fix filter_events() bug with event mappings - power: test_power: correctly handle empty writes - firmware: actually return NULL on failed request_firmware_nowait() - target: Fix a memory leak in target_dev_lba_map_store() - um: Fix build error and kconfig for i386 - ipv6: tcp: add rcu locking in tcp_v6_send_synack() - mmc: sd: limit SD card power limit according to cards capabilities - Btrfs: clean up an error code in btrfs_init_space_info() - bridge: fix lockdep addr_list_lock false positive splat - batman-adv: Avoid recursive call_rcu for batadv_bla_claim - batman-adv: Avoid recursive call_rcu for batadv_nc_node - batman-adv: fix potential TT client + orig-node memory leak - batman-adv: Drop immediate batadv_orig_ifinfo free function - batman-adv: Drop immediate batadv_neigh_node free function - batman-adv: Drop immediate neigh_ifinfo free function - batman-adv: Drop immediate batadv_hard_iface free function - batman-adv: Drop immediate orig_node free function - printk: help pr_debug and pr_devel to optimize out arguments - mmc: debugfs: correct wrong voltage value - IB/mlx4: Initialize hop_limit when creating address handle - net/mlx4: Remove unused macro - cifs: Ratelimit kernel log messages - HID: usbhid: fix recursive deadlock http://kernel.ubuntu.com/stable/ChangeLog-3.16.7-ckt25 - ASN.1: Fix non-match detection failure on data overrun - qeth: initialize net_device with carrier off - EVM: Use crypto_memneq() for digest comparisons - iio: adis_buffer: Fix out-of-bounds memory access - [powerpc*] KVM: Fix emulation of H_SET_DABR/X on POWER8 - [x86] irq: Call chip->irq_set_affinity in proper context - ACPI / PCI / hotplug: unlock in error path in acpiphp_enable_slot() - usb: cdc-acm: handle unlinked urb in acm read callback - usb: cdc-acm: send zero packet for intel 7260 modem - cdc-acm:exclude Samsung phone 04e8:685d - usb: hub: do not clear BOS field during reset device - USB: cp210x: add ID for IAI USB to RS485 adaptor - USB: visor: fix null-deref at probe - USB: serial: option: Adding support for Telit LE922 - ALSA: seq: Fix incorrect sanity check at snd_seq_oss_synth_cleanup() - ALSA: seq: Degrade the error message for too many opens - USB: serial: ftdi_sio: add support for Yaesu SCU-18 cable - USB: option: fix Cinterion AHxx enumeration - ALSA: compress: Disable GET_CODEC_CAPS ioctl for some architectures - ALSA: usb-audio: Fix TEAC UD-501/UD-503/NT-503 usb delay - virtio_pci: fix use after free on release - ALSA: bebob: Use a signed return type for get_formation_index - [arm64] errata: Add -mpc-relative-literal-loads to build flags - [powerpc*] eeh: Fix PE location code - SCSI: fix crashes in sd and sr runtime PM - n_tty: Fix unsafe reference to "other" ldisc - staging/speakup: Use tty_ldisc_ref() for paste kworker - ALSA: dummy: Disable switching timer backend via sysfs - [x86] drm/vmwgfx: respect 'nomodeset' - [x86] mm/pat: Avoid truncation when converting cpa->numpages to address - perf annotate browser: Fix behaviour of Shift-Tab with nothing focussed - perf hists: Fix HISTC_MEM_DCACHELINE width setting - [powerpc*] perf: Remove PPMU_HAS_SSLOT flag for Power8 - vmstat: explicitly schedule per-cpu work on the CPU we need it to run on - umount: Do not allow unmounting rootfs. - crypto: algif_skcipher - Require setkey before accept(2) - crypto: algif_skcipher - Add nokey compatibility path - crypto: algif_hash - Require setkey before accept(2) - crypto: skcipher - Add crypto_skcipher_has_setkey - crypto: algif_skcipher - Add key check exception for cipher_null - crypto: algif_hash - Remove custom release parent function - crypto: algif_skcipher - Remove custom release parent function - crypto: algif_hash - Fix race condition in hash_check_key - crypto: algif_skcipher - Fix race condition in skcipher_check_key - iio: add HAS_IOMEM dependency to VF610_ADC - iio: dac: mcp4725: set iio name property in sysfs - ASoC: rt5645: fix the shift bit of IN1 boost - cgroup: make sure a parent css isn't offlined before its children - PCI/AER: Flush workqueue on device remove to avoid use-after-free - libata: disable forced PORTS_IMPL for >= AHCI 1.3 - mac80211: Requeue work after scan complete for all VIF types. - rfkill: fix rfkill_fop_read wait_event usage - crypto: shash - Fix has_key setting - [x86] drm/i915/dp: fall back to 18 bpp when sink capability is unknown - target: Fix WRITE_SAME/DISCARD conversion to linux 512b sectors - crypto: algif_hash - wait for crypto_ahash_init() to complete - iio: inkern: fix a NULL dereference on error - iio: pressure: mpl115: fix temperature offset sign - [x86] intel_scu_ipcutil: underflow in scu_reg_access() - ALSA: seq: Fix race at closing in virmidi driver - ALSA: rawmidi: Remove kernel WARNING for NULL user-space buffer check - ALSA: pcm: Fix potential deadlock in OSS emulation - ALSA: seq: Fix yet another races among ALSA timer accesses - ALSA: timer: Code cleanup - ALSA: timer: Fix link corruption due to double start or stop - libata: fix sff host state machine locking while polling - [mips*] Fix buffer overflow in syscall_get_arguments() - cputime: Prevent 32bit overflow in time[val|spec]_to_cputime() - ASoC: dpcm: fix the BE state on hw_free - module: wrapper for symbol name. - ALSA: hda - Add fixup for Mac Mini 7,1 model - ALSA: rawmidi: Make snd_rawmidi_transmit() race-free - ALSA: rawmidi: Fix race at copying & updating the position - ALSA: seq: Fix lockdep warnings due to double mutex locks - drivers/scsi/sg.c: mark VMA as VM_IO to prevent migration - radix-tree: fix race in gang lookup - [x86] usb: xhci: apply XHCI_PME_STUCK_QUIRK to Intel Broxton-M platforms - xhci: Fix list corruption in urb dequeue at host removal - media: tda1004x: only update the frontend properties if locked - ALSA: timer: Fix leftover link at closing - media: saa7134-alsa: Only frees registered sound cards - Btrfs: fix hang on extent buffer lock caused by the inode_paths ioctl - scsi_dh_rdac: always retry MODE SELECT on command lock violation - SCSI: Add Marvell Console to VPD blacklist - drm: Add drm_fixp_from_fraction and drm_fixp2int_ceil - ALSA: hda - Fix static checker warning in patch_hdmi.c - Revert "ALSA: hda - Fix noise on Gigabyte Z170X mobo" - dump_stack: avoid potential deadlocks - mm, vmstat: fix wrong WQ sleep when memory reclaim doesn't make any progress - ocfs2/dlm: clear refmap bit of recovery lock while doing local recovery cleanup - mm: replace vma_lock_anon_vma with anon_vma_lock_read/write - radix-tree: fix oops after radix_tree_iter_retry - crypto: user - lock crypto_alg_list on alg dump - serial: omap: Prevent DoS using unprivileged ioctl(TIOCSRS485) - pty: fix possible use after free of tty->driver_data - pty: make sure super_block is still valid in final /dev/tty close - ALSA: hda - Fix speaker output from VAIO AiO machines - klist: fix starting point removed bug in klist iterators - ALSA: dummy: Implement timer backend switching more safely - ALSA: timer: Fix wrong instance passed to slave callbacks - [armel,armhf] 8517/1: ICST: avoid arithmetic overflow in icst_hz() - ALSA: timer: Fix race between stop and interrupt - ALSA: timer: Fix race at concurrent reads - [armhf] phy: twl4030-usb: Relase usb phy on unload - [x86] ahci: Intel DNV device IDs SATA - workqueue: handle NUMA_NO_NODE for unbound pool_workqueue lookup - drm/radeon: hold reference to fences in radeon_sa_bo_new - [armel,armhf] 8519/1: ICST: try other dividends than 1 - btrfs: properly set the termination value of ctx->pos in readdir - net: phy: Fix phy_mac_interrupt() - af_unix: fix struct pid memory leak - pptp: fix illegal memory access caused by multiple bind()s - sctp: allow setting SCTP_SACK_IMMEDIATELY by the application - netlink: not trim skb for mmaped socket when dump - ipv6: fix a lockdep splat - sctp: translate network order to host order when users get a hmacid - IB/mlx5: Fix RC transport send queue overhead computation - [x86] drm/vmwgfx: Fix an fb unlocking bug - net: phy: fix PHY_RUNNING in phy_state_machine - net: phy: Avoid polling PHY with PHY_IGNORE_INTERRUPTS . [ Ben Hutchings ] * udeb: Add dm-service-time to multipath-modules (Closes: #806131) * net: Ignore ABI changes due to "ipv6: add complete rcu protection around np->opt", which don't appear to affect out-of-tree modules * crypto: {blk,giv}cipher: Set has_setkey (avoids regressing cryptsetup; see #815480) * net: Fix regression in ip_vti/ip6_vti in 3.16.7-ckt11 (Closes: #813594): - ip_vti/ip6_vti: Do not touch skb->mark on xmit - xfrm: Override skb->mark with tunnel->parm.i_key in xfrm_input - ip_vti/ip6_vti: Preserve skb->mark after rcv_cb call . [ Aurelien Jarno ] * [mips*] Add support for MIPS 5KE CPU. * [mips*] Backport math emulation fix from 4.5. linux (3.16.7-ckt20-1+deb8u4) jessie-security; urgency=high . * fuse: break infinite loop in fuse_fill_write_pages() (CVE-2015-8785) * aufs: Fix regression due to "mm: make sendfile(2) killable" (Closes: #812207) - tiny, extract a new func xino_fwrite_wkq() - XINO handles EINTR from the dying process * [x86] mm: Add barriers and document switch_mm()-vs-flush synchronization (CVE-2016-2069) * [x86] mm: Improve switch_mm() barrier comments * pipe: limit the per-user amount of pages allocated in pipes (CVE-2013-4312) * iw_cxgb3: Fix incorrectly returning error on success (CVE-2015-8812) * af_unix: Guard against other == sk in unix_dgram_sendmsg (regression in 3.16.7-ckt20-1+deb8u1) * Revert "workqueue: make sure delayed work run in local cpu" (regression in 3.16.7-ckt20) * ALSA: usb-audio: avoid freeing umidi object twice (CVE-2016-2384) * unix: correctly track in-flight fds in sending process user_struct (regression in 3.16.7-ckt20-1+deb8u3) (CVE-2016-2550) * USB: fix invalid memory access in hub_activate() (CVE-2015-8816) * ALSA: seq: Fix missing NULL check at remove_events ioctl (CVE-2016-2543) * ALSA: seq: Fix race at timer setup and close (CVE-2016-2544) * ALSA: timer: Fix double unlink of active_list (CVE-2016-2545) * ALSA: timer: Fix race among timer ioctls (CVE-2016-2546) * ALSA: timer: Harden slave timer list handling (CVE-2016-2547, CVE-2016-2548) * ALSA: hrtimer: Fix stall by hrtimer_cancel() (CVE-2016-2549) * AIO: properly check iovec sizes linux (3.16.7-ckt20-1+deb8u4~bpo70+1) wheezy-backports; urgency=medium . * Rebuild for wheezy: - Disable architectures that weren't part of wheezy - Use gcc-4.6 for all architectures - Change ABI number to 0.bpo.4 - [arm] btrfs: Work around bug in gcc-4.6 (fixes FTBFS) - linux-image: Depend on initramfs-tools without any alternatives, so that neither apt nor aptitude will automatically switch to dracut linux (3.16.7-ckt20-1+deb8u3) jessie-security; urgency=high . [ Ben Hutchings ] * usb: serial: visor: fix crash on detecting device without write_urbs (CVE-2015-7566) * sctp: Prevent soft lockup when sctp_accept() is called during a timeout event (CVE-2015-8767) * tty: Fix unsafe ldisc reference via ioctl(TIOCGETD) (CVE-2016-0723) . [ Salvatore Bonaccorso ] * unix: properly account for FDs passed over unix sockets (CVE-2013-4312) * KEYS: Fix keyring ref leak in join_session_keyring() (CVE-2016-0728) linux (3.16.7-ckt20-1+deb8u3~bpo70+1) wheezy-backports; urgency=medium . * Rebuild for wheezy: - Disable architectures that weren't part of wheezy - Use gcc-4.6 for all architectures - Change ABI number to 0.bpo.4 - [arm] btrfs: Work around bug in gcc-4.6 (fixes FTBFS) - linux-image: Depend on initramfs-tools without any alternatives, so that neither apt nor aptitude will automatically switch to dracut . linux (3.16.7-ckt20-1+deb8u3) jessie-security; urgency=high . [ Ben Hutchings ] * usb: serial: visor: fix crash on detecting device without write_urbs (CVE-2015-7566) * sctp: Prevent soft lockup when sctp_accept() is called during a timeout event (CVE-2015-8767) * tty: Fix unsafe ldisc reference via ioctl(TIOCGETD) (CVE-2016-0723) . [ Salvatore Bonaccorso ] * unix: properly account for FDs passed over unix sockets (CVE-2013-4312) * KEYS: Fix keyring ref leak in join_session_keyring() (CVE-2016-0728) mariadb-10.0 (10.0.23-0+deb8u1) jessie-security; urgency=high . * New upstream release 10.0.23. Includes fixes for the following security vulnerabilities: - CVE-2016-2047 - CVE-2016-0616 - CVE-2016-0609 - CVE-2016-0608 - CVE-2016-0606 - CVE-2016-0600 - CVE-2016-0598 - CVE-2016-0597 - CVE-2016-0596 - CVE-2016-0546 - CVE-2016-0505 * Update TokuDB plugin install and copyright paths to match latest release done under Percona ownership mariadb-10.0 (10.0.22-6) unstable; urgency=low . * Add patches to make passwordless root login default on all new installs in all situations. Make auth_socket a built-in plugin. * Clean up previous passwordless root implementation so that it applies only to new installs and existing databases continue to operate with the passwords defined in their user tables * As disabled.def intrepreted test names in a special way, switch back to using --skip-test-list option * Make the watch file to make it better suited for the git-buildpackage workflow and remove call to uupdate mariadb-10.0 (10.0.22-5) unstable; urgency=low . * Fix non-working path of unstable-test in d/rules * Add unstable test for amd64 to fix reproducible builds mariadb-10.0 (10.0.22-4) unstable; urgency=low . * Upload to unstable mariadb-10.0 (10.0.22-4~exp1) experimental; urgency=low . * Rewrite unstable tests section in d/rules that was not working mariadb-10.0 (10.0.22-3) unstable; urgency=low . * Fix typo in d/rules * Extend list of unstable tests for arch mips, mipsel64 and alpha mariadb-10.0 (10.0.22-2) unstable; urgency=low . * Escape d/rules file correctly to avoid parse error. * Remove patches/os_sync_Free patch that is not intended for production use. mariadb-10.0 (10.0.22-2~exp2) experimental; urgency=low . [Alexander Barkov] * Backport patch from upstream to fix MDEV-9091: mysqld crashes on shutdown after running TokuDB tests on Ubuntu * Backport patch from upstream to fix MDEV-8692: prefschema test failures . [Otto Kekäläinen] * Replace old 'make test' structure with direct call on mysql-test-run and parallelize the test suite run in the Debian build. * Print in build log env info to help debug builds on different platforms. * Keep a list of unstable tests that are to be skipped on official builds. mariadb-10.0 (10.0.22-2~exp1) experimental; urgency=low . * Add diagnostics to find out the problem in os_sync_free() * Backport fix for TokuDB crashes in build tests on Launchpad and enable TokuDB builds mariadb-10.0 (10.0.22-1) unstable; urgency=low . [ Otto Kekäläinen ] * New upstream release. Includes fixes for the following security vulnerabilities (Closes: #802874): - CVE-2015-4802 - CVE-2015-4807 - CVE-2015-4815 - CVE-2015-4826 - CVE-2015-4830 - CVE-2015-4836 - CVE-2015-4858 - CVE-2015-4861 - CVE-2015-4870 - CVE-2015-4913 - CVE-2015-4792 * New release includes updated man pages (Closes: #779992) * Update the most recent patches with proper DEP-3 compliant headers * Add CVE IDs to previous changelog entries . [ Jean Weisbuch ] * Update mysqlreport to version 4.0 mongrel2 (1.9.1-6+deb8u1) jessie; urgency=medium . * Comment out failing test caused by an expired certificate. (Closes: Bug#804331) mozilla-devscripts (0.39+deb8u1) jessie; urgency=medium . * Update dh_xul-ext's substvar generation for the upcoming transitions in stable from iceweasel to firefox-esr, and from icedove to thunderbird. (Closes: ##818013, #818756) * Update test suite expected values accordingly. mysql-5.5 (5.5.47-0+deb8u1) jessie-security; urgency=high . * Imported Upstream version 5.5.47 to fix security issues: - http://www.oracle.com/technetwork/topics/security/cpujan2016-2367955.html - CVE-2016-0546 CVE-2016-0505 CVE-2016-0596 CVE-2016-0597 CVE-2016-0616 CVE-2016-0598 CVE-2016-0600 CVE-2016-0606 CVE-2016-0608 CVE-2016-0609 (Closes: #811428) * fix-test-suite-failure-caused-by-arbitrary-date-in-the-future-patch is no longer needed, as bug is fixed in new Upstream version mysql-5.5 (5.5.47-0+deb7u1) wheezy-security; urgency=high . * Imported Upstream version 5.5.47 to fix security issues: - http://www.oracle.com/technetwork/topics/security/cpujan2016-2367955.html - CVE-2016-0546 CVE-2016-0505 CVE-2016-0596 CVE-2016-0597 CVE-2016-0616 CVE-2016-0598 CVE-2016-0600 CVE-2016-0606 CVE-2016-0608 CVE-2016-0609 (Closes: #811428) * fix-test-suite-failure-caused-by-arbitrary-date-in-the-future-patch is no longer needed, as bug is fixed in new Upstream version mysql-5.5 (5.5.47-0+deb6u1) squeeze-lts; urgency=high . * Non-maintainer upload by the Squeeze LTS Team. * Merged from package proposed for wheezy by Lars Tangvald * New upstream version that fixes the following issues: - http://www.oracle.com/technetwork/topics/security/cpujan2016-2367955.html - CVE-2016-0546 CVE-2016-0505 CVE-2016-0596 CVE-2016-0597 CVE-2016-0616 CVE-2016-0598 CVE-2016-0600 CVE-2016-0606 CVE-2016-0608 CVE-2016-0609 (Closes: #811428) * fix-test-suite-failure-caused-by-arbitrary-date-in-the-future-patch is no longer needed, as bug is fixed in new Upstream version nettle (2.7.1-5+deb8u1) stable; urgency=low . * Fix CVE-2015-8803, CVE-2015-8804, and CVE-2015-8805 (Closes: #813679). nss-pam-ldapd (0.9.4-3+deb8u1) stable; urgency=low . * fix-issues-withdaemonising.patch, avoid-signal-race.patch: patches to fix issues with daemonising nslcd and avoid a race condition in signal handling during start-up (closes: #759544) * ensure proper return code of init script (closes: #794686) * fix-ppolicy-expiration-warnings.patch: fix password policy expiration warnings (closes: #794068) openssl (1.0.1k-3+deb8u4) jessie-security; urgency=medium . * Fix CVE-2016-0797 * Fix CVE-2016-0798 * Fix CVE-2016-0799 * Fix CVE-2016-0702 * Fix CVE-2016-0705 * Disable EXPORT and LOW ciphers: The DROWN attack (CVE-2016-0800) makes use of those, and SLOTH attack (CVE-2015-7575) can make use of them too. osmo (0.2.12-1+deb8u1) jessie; urgency=medium . * Add libarchive-i386.patch. Fix corrupt data backup on i386. Thanks to Christian Buchmüller for the report and Maxim Gordienko for the patch. (Closes: #813414) pagekite (0.5.6d-3+deb8u1) stable; urgency=low . * Add missing build dependency python-openssl to fix test failure (Closes: #790271). pcre3 (2:8.35-3.3+deb8u4) jessie; urgency=medium . * Non-maintainer upload. * Add 0001-Fixed-an-issue-with-nested-table-jumps.patch. Fixes issue with nested table jumps. (Closes: #819050) pcre3 (2:8.35-3.3+deb8u3) jessie; urgency=medium . * Non-maintainer upload. * Refresh CVE-2015-2325_CVE-2015-2326_CVE-2015-3210_CVE-2015-5073.patch. Drop addition of "error text" for error ERR86 in pcre_compile.c. This change belongs to upstream revision 1481 (Give error for \x{} and \o{}). * Add 0001-Give-error-for-x-and-o.patch. Give error for \x{} and \o{}. * Add 0001-Fix-workspace-overflow-for-ACCEPT-with-deeply-nested.patch. CVE-2016-3191: workspace overflow for (*ACCEPT) with deeply nested parentheses. (Closes: #815921) * Add 0001-Yet-another-duplicate-name-bugfix-by-overestimating-.patch. CVE-2016-1283: heap buffer overflow in handling of duplicate named groups. (Closes: #809706) perl (5.20.2-3+deb8u4) jessie-security; urgency=high . * Work around a t/op/stat.t failure on GNU/kFreeBSD, possibly related to softupdates. Fix by Steven Chamberlain. (Closes: #796798) * [SECURITY] CVE-2016-2381 fix duplicate environment variable taint checking issue perl (5.20.2-3+deb8u3+kbsd1) jessie-kfreebsd; urgency=medium . * Porter upload. * Work around a t/op/stat.t failure on GNU/kFreeBSD, possibly related to softupdates. Fix by Steven Chamberlain. (Closes: #796798) pgplot5 (5.2.2-19+deb8u1) jessie; urgency=medium . * Non-maintainer upload. * Use multiarch path to zconf.h (Closes: #784743) (thanks to Edmund Grimley Evans and Vincent McIntyre) php-dompdf (0.6.1+dfsg-2+deb8u1) jessie; urgency=medium . * [22610bd] Add 0.6.2 hotfix patch which bundles CVE hotfixes from the upstream release. (Closes: #813849) . This is a security-focused release that addresses a number of vulnerabilities that can expose your system to exploitation. In tandem with this release we have also posted a document to the wiki with advice for securing dompdf [1]. Please read the new document and take appropriate measures to protect your systems. . This update addresses the following announced vulnerabilities: . * CVE-2014-5011 - Information Disclosure * CVE-2014-5012 - Denial Of Service Vector * CVE-2014-5013 - Remote Code Execution (complement of CVE-2014-2383) php-horde (5.2.1+debian0-2+deb8u3) jessie-security; urgency=high . * Fix CVE-2016-2228: XSS vulnerability in menu bar (Closes: #813573) php-horde-core (2.15.0+debian0-1+deb8u1) jessie-security; urgency=high . * CVE-2015-8807: Escape form value, fix XSS in Horde_Core_VarRenderer_Html (Closes: #813590) php-mail-mime (1.8.9-1+deb8u1) jessie; urgency=medium . * Add dependency on php-pear (Closes: #817828) php-net-ldap2 (2.0.12-1+deb8u1) jessie; urgency=medium . * Add Fix_Fatal_error_with_PEAR_1.10.0.patch (Closes: #812788) php5 (5.6.19+dfsg-0+deb8u1) jessie-security; urgency=medium . * Imported Upstream version 5.6.19+dfsg * Rebase patches on top of 5.6.19+dfsg release * Allow multiple whitespace in php5-fpm init script (Closes: #818102) . php5 (5.6.18+dfsg-0+deb8u1) jessie-security; urgency=medium . * Merge patch for ODBC bug fix varchars returning with length zero * Fix missing phpdbg sapi from the for loop that prevented the modules to be enabled for phpdbg SAPI * Fail gracefully when other PHP module is enabled in Apache2 * php5-maintscript-helper needs update for phpdbg * Imported Upstream version 5.6.18+dfsg * Rebase patches on top of 5.6.18 release * Revert PEAR version to last working version from PHP 5.6.14 (Closes: #812788) php5 (5.6.18+dfsg-1) unstable; urgency=medium . * Imported Upstream version 5.6.18+dfsg - Core: . Fixed bug #71039 (exec functions ignore length but look for NULL termination). . Fixed bug #71089 (No check to duplicate zend_extension). . Fixed bug #71201 (round() segfault on 64-bit builds). . Added support for new HTTP 451 code. . Fixed bug #71273 (A wrong ext directory setup in php.ini leads to crash). . Fixed bug #71323 (Output of stream_get_meta_data can be falsified by its input). . Fixed bug #71459 (Integer overflow in iptcembed()). - Apache2handler: . Fix >2G Content-Length headers in apache2handler. - FTP: . Implemented FR #55651 (Option to ignore the returned FTP PASV address). - Opcache: . Fixed bug #71127 (Define in auto_prepend_file is overwrite). . Fixed bug #71024 (Unable to use PHP 7.0 x64 side-by-side with PHP 5.6 x32 on the same server). - Phar: . Fixed bug #71354 (Heap corruption in tar/zip/phar parser). . Fixed bug #71391 (NULL Pointer Dereference in phar_tar_setupmetadata()). . Fixed bug #71488 (Stack overflow when decompressing tar archives). - Session: . Fixed bug #69111 (Crash in SessionHandler::read()). - SOAP: . Fixed bug #70979 (crash with bad soap request). - SPL: . Fixed bug #71204 (segfault if clean spl_autoload_funcs while autoloading). - WDDX: . Fixed bug #71335 (Type Confusion in WDDX Packet Deserialization). * Rebase patches on top of 5.6.18 release * Add support for libtool >= 2.4.6 ltmain.sh location php5 (5.6.17+dfsg-3) unstable; urgency=medium . * Fail gracefully when other PHP module is enabled in Apache2 * php5-maintscript-helper needs update for phpdbg to fix postinst failure php5 (5.6.17+dfsg-1) unstable; urgency=medium . * Build-Depend just on libpng-dev * Imported Upstream version 5.6.17+dfsg * Rebase patches on top of 5.6.17 release pidgin-otr (4.0.1-1+deb8u1) jessie-security; urgency=high . * Non-maintainer upload. * Fix CVE-2015-8833: Heap use-after-free issue during SMP. pillow (2.6.1-2+deb8u2) jessie-security; urgency=medium . * CVE-2016-0740 * Add hopper.pcd to test case added for CVE-2016-2533 pillow (2.6.1-2+deb8u1) jessie-security; urgency=high . * Non-maintainer upload. * CVE-2016-0775: Fix buffer overflow in FliDecode.c (Closes: #813909) * CVE-2016-2533: Fix buffer overflow in PcdDecode.c. polarssl (1.3.9-2.1+deb8u1) jessie-security; urgency=high . * Non-maintainer upload. * Backport patches for CVE-2015-5291 and CVE-2015-8036 (Closes: #801413) * Add simple smoke test postgresql-9.1 (9.1.20-0+deb8u1) jessie; urgency=medium . * New upstream release: No effective changes for PL/Perl, the version must just be higher than the one in wheezy. postgresql-9.1 (9.1.20-0+deb7u1) wheezy-security; urgency=medium . * New upstream version. + Fix infinite loops and buffer-overrun problems in regular expressions. Very large character ranges in bracket expressions could cause infinite loops in some cases, and memory overwrites in other cases. (CVE-2016-0773) + Fix privilege escalation issue for users of PL/Java. Certain custom configuration settings (GUCs) for PL/Java will now be modifiable only by the database superuser. (CVE-2016-0766) postgresql-common (165+deb8u1) jessie; urgency=medium . * pg_upgradecluster: Set default dynamic_shared_memory_type = mmap. (Closes: #784005, #812206) . This primarily avoids problems with upgrading existing clusters in a LXC container. As earlier PG versions did not have d_s_m_t, the upgraded postgresql.conf won't have this setting either, yielding the compiled-in default of 'posix' which doesn't work in LXC. Pick something else here to avoid that problem. Notably, it's important that this problem is fixed in pg_upgradecluster itself because working around the problem is hard as the upgrade will fail early without the possibility of manually fixing the config. (Newly created clusters do not have that problem because initdb probes for a method working in the given system.) . * t/040_upgrade.t: Skip testing pg_upgrade with datallowconn = f, it does not support that anymore as of May 2015. (Cherry-pick from master to allow testing the pg_upgradecluster fix) privoxy (3.0.21-7+deb8u1) jessie-security; urgency=high . * 40_CVE-2016-1982: Prevent invalid reads in case of corrupt chunk-encoded content. * 41_CVE-2016-1983: Remove empty Host headers in client requests. Previously they would result in invalid reads. prosody (0.9.7-2+deb8u3) jessie-security; urgency=high . * CVE-2016-0756: insecure dialback key generation/validation algorithm * Fix for regression introduced in the previous CVE-2016-1232 fix: s2s doesn't work if /dev/urandom is read-only. python-rsa (3.1.4-1+deb8u1) jessie; urgency=medium . * Non-maintainer upload. * CVE-2016-1494: Possible signature forgery using Bleichenbacher'06 attack (Closes: #809980) qemu (1:2.1+dfsg-12+deb8u5a) jessie-security; urgency=high . * applied 3 patches from upstream to fix virtio-net possible remote DoS (Closes: #799452 CVE-2015-7295) * pcnet-add-check-to-validate-receive-data-size-CVE-2015-7504.patch (Closes: #806742, CVE-2015-7504) * pcnet-fix-rx-buffer-overflow-CVE-2015-7512.patch (Closes: #806741, CVE-2015-7512) * msix-implement-pba-write-but-read-only-CVE-2015-7549.patch (Closes: #808131, CVE-2015-7549) * eepro100-prevent-two-endless-loops-CVE-2015-8345.patch (Closes: #806373, CVE-2015-8345) * vnc-avoid-floating-point-exception-CVE-2015-8504.patch (Closes: #808130, CVE-2015-8504) * ehci-make-idt-processing-more-robust-CVE-2015-8558.patch (Closes: #808144, CVE-2015-8558) * two upstream patches from xsa-155 fixing unsafe shared memory access in xen (Closes: #809229, CVE-2015-8550) * net-ne2000-fix-bounds-check-in-ioport-operations-CVE-2015-8743.patch (Closes: #810519, CVE-2015-8743) * net-vmxnet3-avoid-memory-leakage-in-activate_device-[...].patch (Closes: #808145, CVE-2015-8567, CVE-2015-8568) * scsi-initialise-info-object-with-appropriate-size-CVE-2015-8613.patch (Closes: #809232, CVE-2015-8613) * vmxnet3-refine-l2-header-validation-CVE-2015-8744.patch (Closes: CVE-2015-8744) * vmxnet3-support-reading-IMR-registers-on-bar0-CVE-2015-8745.patch (Closes: CVE-2015-8745) * ide-ahci-reset-ncq-object-to-unused-on-error-CVE-2016-1568.patch (Closes: #810527, CVE-2016-1568) * fw_cfg-add-check-to-validate-current-entry-value-CVE-2016-1714.patch (Closes: CVE-2016-1714) * i386-avoid-null-pointer-dereference-CVE-2016-1922.patch (Closes: #811201, CVE-2016-1922) * e1000-eliminate-infinite-loops-on-out-of-bounds-start-CVE-2016-1981.patch (Closes: #812307, CVE-2016-1981) * hmp-fix-sendkey-out-of-bounds-write-CVE-2015-8619.patch (Closes: #809237, CVE-2015-8619) qemu (1:2.1+dfsg-12+deb8u5a~bpo70+1) wheezy-backports; urgency=high . * Rebuild for wheezy-backports: - disable seccomp (not in wheezy) - build-depend on iasl|acpica-tools - s/python:any/python/ in build-depends . qemu (1:2.1+dfsg-12+deb8u5a) jessie-security; urgency=high . * applied 3 patches from upstream to fix virtio-net possible remote DoS (Closes: #799452 CVE-2015-7295) * pcnet-add-check-to-validate-receive-data-size-CVE-2015-7504.patch (Closes: #806742, CVE-2015-7504) * pcnet-fix-rx-buffer-overflow-CVE-2015-7512.patch (Closes: #806741, CVE-2015-7512) * msix-implement-pba-write-but-read-only-CVE-2015-7549.patch (Closes: #808131, CVE-2015-7549) * eepro100-prevent-two-endless-loops-CVE-2015-8345.patch (Closes: #806373, CVE-2015-8345) * vnc-avoid-floating-point-exception-CVE-2015-8504.patch (Closes: #808130, CVE-2015-8504) * ehci-make-idt-processing-more-robust-CVE-2015-8558.patch (Closes: #808144, CVE-2015-8558) * two upstream patches from xsa-155 fixing unsafe shared memory access in xen (Closes: #809229, CVE-2015-8550) * net-ne2000-fix-bounds-check-in-ioport-operations-CVE-2015-8743.patch (Closes: #810519, CVE-2015-8743) * net-vmxnet3-avoid-memory-leakage-in-activate_device-[...].patch (Closes: #808145, CVE-2015-8567, CVE-2015-8568) * scsi-initialise-info-object-with-appropriate-size-CVE-2015-8613.patch (Closes: #809232, CVE-2015-8613) * vmxnet3-refine-l2-header-validation-CVE-2015-8744.patch (Closes: CVE-2015-8744) * vmxnet3-support-reading-IMR-registers-on-bar0-CVE-2015-8745.patch (Closes: CVE-2015-8745) * ide-ahci-reset-ncq-object-to-unused-on-error-CVE-2016-1568.patch (Closes: #810527, CVE-2016-1568) * fw_cfg-add-check-to-validate-current-entry-value-CVE-2016-1714.patch (Closes: CVE-2016-1714) * i386-avoid-null-pointer-dereference-CVE-2016-1922.patch (Closes: #811201, CVE-2016-1922) * e1000-eliminate-infinite-loops-on-out-of-bounds-start-CVE-2016-1981.patch (Closes: #812307, CVE-2016-1981) * hmp-fix-sendkey-out-of-bounds-write-CVE-2015-8619.patch (Closes: #809237, CVE-2015-8619) qemu (1:2.1+dfsg-12+deb8u5) jessie-security; urgency=high . * applied 3 patches from upstream to fix virtio-net possible remote DoS (Closes: #799452 CVE-2015-7295) * pcnet-add-check-to-validate-receive-data-size-CVE-2015-7504.patch (Closes: #806742, CVE-2015-7504) * pcnet-fix-rx-buffer-overflow-CVE-2015-7512.patch (Closes: #806741, CVE-2015-7512) * msix-implement-pba-write-but-read-only-CVE-2015-7549.patch (Closes: #808131, CVE-2015-7549) * eepro100-prevent-two-endless-loops-CVE-2015-8345.patch (Closes: #806373, CVE-2015-8345) * vnc-avoid-floating-point-exception-CVE-2015-8504.patch (Closes: #808130, CVE-2015-8504) * ehci-make-idt-processing-more-robust-CVE-2015-8558.patch (Closes: #808144, CVE-2015-8558) * two upstream patches from xsa-155 fixing unsafe shared memory access in xen (Closes: #809229, CVE-2015-8550) * net-ne2000-fix-bounds-check-in-ioport-operations-CVE-2015-8743.patch (Closes: #810519, CVE-2015-8743) * net-vmxnet3-avoid-memory-leakage-in-activate_device-[...].patch (Closes: #808145, CVE-2015-8567, CVE-2015-8568) * scsi-initialise-info-object-with-appropriate-size-CVE-2015-8613.patch (Closes: #809232, CVE-2015-8613) * vmxnet3-refine-l2-header-validation-CVE-2015-8744.patch (Closes: CVE-2015-8744) * vmxnet3-support-reading-IMR-registers-on-bar0-CVE-2015-8745.patch (Closes: CVE-2015-8745) * ide-ahci-reset-ncq-object-to-unused-on-error-CVE-2016-1568.patch (Closes: #810527, CVE-2016-1568) * fw_cfg-add-check-to-validate-current-entry-value-CVE-2016-1714.patch (Closes: CVE-2016-1714) * i386-avoid-null-pointer-dereference-CVE-2016-1922.patch (Closes: #811201, CVE-2016-1922) quagga (0.99.23.1-1+deb8u1) jessie-security; urgency=high . * Non-maintainer upload by the Security Team. * CVE-2016-2342: VPNv4 NLRI parses memcpys to stack on unchecked length (Closes: #819179) radicale (0.9-1+deb8u1) jessie-security; urgency=high . * Non-maintainer upload. * CVE-2015-8748 and CVE-2015-8747: Fix insecure path handling by sanitizing system paths and always making them absolute. Fix multifilesystem backend allowed access to arbitrary files on all platforms. (Closes: #809920) rails (2:4.1.8-1+deb8u2) jessie-security; urgency=high . * Security updates: - [CVE-2016-2098] Possible remote code execution vulnerability in Action Pack - [CVE-2016-2097] Possible Information Leak Vulnerability in Action View. rails (2:4.1.8-1+deb8u1) jessie-security; urgency=high . * Security updates: - [CVE-2015-3227] Possible Denial of Service attack in Active Support (Closes: #790487) - [CVE-2015-3226] XSS Vulnerability in ActiveSupport::JSON.encode (Closes: #790486) - [CVE-2015-7576] Timing attack vulnerability in basic authentication in Action Controller. - [CVE-2016-0751] Possible Object Leak and Denial of Service attack in Action Pack - [CVE-2015-7577] Nested attributes rejection proc bypass in Active Record. - [CVE-2016-0752] Possible Information Leak Vulnerability in Action View - [CVE-2016-0753] Possible Input Validation Circumvention in Active Model - [CVE-2015-7581] Object leak vulnerability for wildcard controller routes in Action Pack rdesktop (1.8.2-3+deb8u1) jessie; urgency=medium . * Fix sigsegv while using credssp and kerberos without specifying domainname as argument (closes: #784634). redmine (3.0~20140825-8~deb8u2) jessie-security; urgency=high . * Security update. Includes fixes for the following vulnerabilities: - CVE-2015-8346: Data disclosure on the time logging form (Closes: #806376) - CVE-02015-8474: open redirect vulnerability (Closes: #807272) - CVE-2015-8473: Issues API may disclose changeset messages that are not visible (Closes: #807345) - CVE-2015-8537: Data disclosure in atom feed (Closes: #807826) roundup (1.4.20-1.1+deb8u1) jessie-security; urgency=high . * Non-maintainer upload by the Security Team. * CVE-2014-6276: Disclosure of user hashed passwords roundup (1.4.20-1.1+deb7u1) wheezy-security; urgency=high . * Non-maintainer upload by the Security Team. * CVE-2014-6276: Disclosure of user hashed passwords rsnapshot (1.3.1-4+deb8u1) jessie; urgency=medium . * debian/patches/14_fix_rsh_args: fix regression on --rsh with args: Applied patch from Upstream to fix --rsh command line arguments with quotes. The --rsh=... argument to rsync was erroneously quoted when added to the @rsync_long_args_stack with options set. Thanks Jonas Genannt for the help. ruby-defaults (1:2.1.5+deb8u2) jessie; urgency=medium . * ruby: make the conflict on ruby-activesupport-2.3 versioned on (<< 2:4) to allow transitional package to be installed (Closes: #798712) ruby-standalone (0.5+deb8u1) jessie; urgency=medium . * Install `rubyX.Y` as a link to `ruby` so that binaries installed by bundler work. (Bundler forces Rubygems to use a shebang like `/usr/bin/env rubyX.Y`). ruby-tzinfo (1.1.0-2+deb8u1) jessie; urgency=medium . * Add debian/gbp.conf. * Add patch to load iso3166.tab and zone.tab as UTF-8 (Closes: #798348). s3ql (2.11.1+dfsg-3) jessie; urgency=medium . * Add support to upgrade from file systems created with the S3QL version in Debian Wheezy. Closes: #792685. samba (2:4.1.17+dfsg-2+deb8u2) jessie-security; urgency=high . * Add vfs_stat_smb_basename.diff; adds function required by cve_2015_7560.diff. * Add patch cve_2015_7560.diff, fixes: - CVE-2015-7560: Incorrect ACL get/set allowed on symlink path. * Add patch cve_2016_0771.diff, fixes: - CVE-2016-0771: Out-of-bounds read in internal DNS server. * Add patch root-share-path.patch, to fix regression sharing root directory introduced by fix for CVE-2015-5252. Closes: #812429 sane-backends (1.0.24-8+deb8u1) stable; urgency=medium . * Cherry-picked systemd handling from unstable (Closes: #791961): - Rewrite debian/saned@.service to prevent errors by network scanning. - New debian/sane-utils.links: + Add a link from /dev/null to /lib/systemd/system/saned.service to prevent start via fallback script /etc/init.d/saned. - Add year 2016 to debian/copyright. sitesummary (0.1.17+deb8u1) jessie; urgency=medium . * Backport RC fixes from unstable. . [ Dominik George ] * Fix hanging postinst script (Closes: #785214). * Fix dangling symlink in apache config after removal (Closes: #785215, #794606). spip (3.0.17-2+deb8u2) jessie-security; urgency=high . * Backport security fixes from 3.0.22 - PHP code injection - Objects injection via unserialize * Update security screen to 1.2.4 squid3 (3.4.8-6+deb8u2) jessie-security; urgency=high . * Non-maintainer upload by the Security Team. * CVE-2016-2571: better handling of huge response headers in src/http.cc squid3 (3.4.8-6+deb8u2~bpo70+1) wheezy-backports; urgency=medium . [ Luigi Gangitano ] * Rebuild for wheezy-backports. . squid3 (3.4.8-6+deb8u2) jessie-security; urgency=high . * Non-maintainer upload by the Security Team. * CVE-2016-2571: better handling of huge response headers in src/http.cc . squid3 (3.4.8-6+deb8u1) jessie-security; urgency=high . [ Luigi Gangitano ] * debian/patches/36-squid-3.4-13225.patch - Added upstream patch fixing Improper Protection of Alternate Path (Ref: SQUID-2015:2, CVE-2015-5400) (Closes: #793128) . squid3 (3.4.8-6) unstable; urgency=medium . [ Luigi Gangitano ] * debian/patches/31-squid-3.4-13199.patch - Added upstream patch fixing excessive CPU usage (Closes: #776461) . * debian/patches/32-squid-3.4-13210.patch - Added upstream patch fixing excessive CPU and memory usage in NTLM and Negotiate authentication helpers (Closes: #776463) . * debian/patches/33-squid-3.4-13211.patch - Added upstream patch fixing a possible replay vulnerability on Digest authentication (Closes: #776464) . * debian/patches/34-squid-3.4-13213.patch - Added upstream patch fixing incorrect security permissions for TOS/DiffServ packet marking (Closes: #776468) . * debian/patches/35-squid-3.4-13203.patch - Added upstream patch fixing squidclient unable to connect to host with both IPv4 and IPv6 addresses (Closes: #742425) stress (1.0.1-1+deb8u1) jessie; urgency=medium . * debian/rules: avoid to install info/dir.gz file. (Closes: #799717) subversion (1.8.10-6+deb8u3) jessie; urgency=medium . * patches/r1701440-kwallet-segfault: Fix segfault when using kwallet to store authentication information. (Closes: #736879) suckless-tools (40-1+deb8u1) stable-proposed-updates; urgency=medium . * Set myself as the maintainer. Package has already been adopted in unstable (ITA: #776482). * Patch slock to properly resize the cover window. The cover window now resizes correctly when new screens are added or the resolution is changed while the lock is active. * Add libxrandr-dev to build dependencies (needed by the above patch). sus (7.20160312~deb8u1) jessie; urgency=medium . * Non-maintainer upload. * Rebuild for jessie. . sus (7.20160312) unstable; urgency=medium . * The upstream tarball for SUSv4 TC1 changed; update checksum (Closes: #817819) * urgency=medium since susv4 is no longer installable * debian/control: - Bump Standards-Version to 3.9.7 (No changes needed) sus (7.20160107) unstable; urgency=medium . * The upstream tarball for SUSv4 TC1 changed; update checksum (Closes: #790535) | The chapters on m4 and expr seems to have been improved slightly * urgency=medium since susv4 is no longer installable systemd (215-17+deb8u4) stable; urgency=medium . [ Martin Pitt ] * debian/udev.prerm: Add missing "deconfigure" action. (Closes: #809744) * udev.postinst: Don't call addgroup with --quiet, so that if the "input" group already exists as a non-system group you get a sensible error message. Some broken tutorials forget the --system option. (Closes: #769948, LP: #1455956) * systemd.postinst: Drop the --quiet from the addgroup calls as well, same reason as above. (Closes: #762275) . [ Michael Biebl ] * Make sure all swap units are ordered before the swap target. This avoids that swap devices are being stopped prematurely during shutdown. (Closes: #805133) * Only skip the filesystem check for /usr if the /run/initramfs/fsck-usr flag file exists. Otherwise we break booting with dracut which uses systemd inside the initramfs. (Closes: #810748) * Fix --network-interface in systemd-nspawn to not fail when modifying an existing link. (Closes: #813696) tiff (4.0.3-12.3+deb8u1) jessie-security; urgency=high . * Backport upstream fixes for: - CVE-2015-8665 an out-of-bound read in TIFFRGBAImage interface (closes: #808968), - CVE-2015-8683 an out-of-bounds read in CIE Lab image format (closes: #809021), - CVE-2015-8781 out of bounds write at tif_luv.c:208, - CVE-2015-8782 potential out-of-bound writes in decode, - CVE-2015-8783 potential out-of-bound reads in case of short input data, - CVE-2015-8784 potential out-of-bound write in NeXTDecode(). tomcat7 (7.0.56-3+deb8u1) jessie-security; urgency=medium . * Fixed CVE-2014-7810: Malicious web applications could use expression language to bypass the protections of a Security Manager as expressions were evaluated within a privileged code section. torbrowser-launcher (0.1.9-1+deb8u3) jessie; urgency=medium . * Add these patches backported from 0.2.3-1 and 0.2.4-1: - 0011-Fix-issue-with-detecting-language-fixes-220.patch to fix issue with detecting language (Closes: #753173) - 0012-Fail-to-launch-Tor-Browser-if-its-version-is-earlier.patch - 0012a-Remove-certificate-pinning--github-issue-224.patch to avoid issues with upcoming certificate change, thus the minimum Tor Browser version was hard-coded in the release (Closes: #811499) For more info on patch 0012 and 0012a see https://github.com/micahflee/torbrowser-launcher/issues/229 - 0013-Prevent-signature-verification-attack-by-passing-bot.patch fixing CVE-2016-3180, for more info see https://github.com/micahflee/torbrowser-launcher/issues/229 - 0014-Prevent-attempts-at-directory-traversal-attacks-even.patch This is an improvement for patch 0012. - 0099-Bump-version-to-0.1.9-deb8u3.patch to bump version to 0.1.9+deb8u3 in share/torbrowser-launcher/version. tzdata (2016c-0+deb8u1) stable; urgency=medium . * New upstream version, affecting the following future time stamps: - America/Santiago - Asia/Baku tzdata (2016c-0+deb7u1) oldstable; urgency=medium . * New upstream version, affecting the following future time stamps: - America/Santiago - Asia/Baku tzdata (2016b-1) unstable; urgency=medium . * New upstream version, affecting the following future time stamps: - America/Port-au-Prince - Asia/Gaza - Asia/Hebron * debian/rules: remove emdebian ifdefs. * debian/compat, debian/control, debian/rules: rewrite using dh and debhelper compatibility 9. * Update French debconf translation, by Christian Perrier. Closes: #814831. * Update Japanese debconf translation, by Takuma Yamada. Closes: #815386. * Drop the tzdata-java package. Closes: #814073. * debian/control: Update Standards-Version to 3.9.7, no changes. tzdata (2016b-0+deb8u1) stable; urgency=medium . * New upstream version, affecting the following future time stamps: - America/Cayman - America/Port-au-Prince - Asia/Chita - Asia/Gaza - Asia/Hebron - Asia/Tehran tzdata (2016b-0+deb7u1) oldstable; urgency=medium . * New upstream version, affecting the following future time stamps: - America/Cayman - America/Port-au-Prince - Asia/Chita - Asia/Gaza - Asia/Hebron - Asia/Tehran tzdata (2016a-1) unstable; urgency=medium . [ Aurelien Jarno ] * Add Vcs-Git and Vcs-Browser fields to debian/control. * New upstream version, affecting the following future time stamps: - America/Cayman - Asia/Chita - Asia Tehran * Change /etc/timezone into a symlink (closes: #803144) tzdata (2015g-1) unstable; urgency=medium . [ Aurelien Jarno ] * New upstream version, affecting the following future time stamps: - Fiji - Fort Nelson, British Columbia - Norfolk Island - Turkey (closes: #801172) unbound (1.4.22-3+deb8u1) jessie; urgency=medium . * iterator/iter_hints.c: Update hints for H.ROOT-SERVERS.NET (Closes: #815370) virtualbox (4.3.36-dfsg-1+deb8u1) jessie-security; urgency=medium . * New upstream bugfix release. - Addressed CVE-2016-0592, CVE-2016-0495, CVE-2015-8104, CVE-2015-7183, CVE-2015-5307 vsftpd (3.0.2-17+deb8u1) stable; urgency=medium . * Add patch debian/patches/0050-CVE-2015-1419.patch from 3.0.2-18: - Fix config option "deny_file" not always being handled correctly CVE-2015-1419 (Closes: #776922). * Add patch debian/patches/0055-set_default_listen.patch from 3.0.2-19: - Set the default value of tunable_listen to the same value of listen from the man page vsftpd.conf (Closes: #783077). * Add year 2015 to debian/copyright. websvn (2.3.3-1.2+deb8u1) jessie-security; urgency=high . * Non-maintainer upload by the Security Team * Properly escape user-supplied input (CVE-2016-2511) whatmaps (0.0.9-1+deb8u1) stable-proposed-updates; urgency=medium . * [920f1dd] Respect jessie apache package rename (Closes: #791569) * [7c61790] Adjust gbp.conf for Jessie wireshark (1.12.1+g01b65bf-4+deb8u5) jessie-security; urgency=medium . * security fixes from Wireshark 1.12.10: - DNP dissector infinite loop (CVE-2016-2523) - RSL dissector crash (CVE-2016-2530 CVE-2016-2531) - LLRP dissector crash (CVE-2016-2532) - GSM A-bis OML dissector crash - ASN.1 BER dissector crashes * security fixes from Wireshark 1.12.9: - RSL dissector crash (CVE-2015-8731) wireshark (1.12.1+g01b65bf-4+deb8u4) jessie-security; urgency=high . * security fixes from Wireshark 1.12.8: - Pcapng file parser crash. Discovered by Dario Lombardo and Shannon Sabens.(CVE-2015-7830) * Enable all hardening flags * security fixes from Wireshark 1.12.9: - NBAP dissector crashes (CVE-2015-8711) - UMTS FP dissector crashes (CVE-2015-8712, CVE-2015-8713) - DCOM dissector crash (CVE-2015-8714) - AllJoyn dissector infinite loop (CVE-2015-8715) - T.38 dissector crash (CVE-2015-8716) - SDP dissector crash (CVE-2015-8717) - NLM dissector crash (CVE-2015-8718) - DNS dissector crash (CVE-2015-8719) - BER dissector crash (CVE-2015-8720) - Zlib decompression crash (CVE-2015-8721) - SCTP dissector crash (CVE-2015-8722) - 802.11 decryption crash (CVE-2015-8723, CVE-2015-8724) - DIAMETER dissector crash (CVE-2015-8725) - VeriWave file parser crashes (CVE-2015-8726) - RSVP dissector crash (CVE-2015-8727) - ANSI A & GSM A dissector crashes (CVE-2015-8728) - Ascend file parser crash (CVE-2015-8729) - NBAP dissector crash (CVE-2015-8730) - ZigBee ZCL dissector crash (CVE-2015-8732) - Sniffer file parser crash (CVE-2015-8733) wordpress (4.1+dfsg-1+deb8u8) jessie-security; urgency=high . * Changeset 36435 fixes SSRF for URLs CVE-2016-2222 * Changeset 36444 improved redirect checking CVE-2016-2221 * Closes: #813697 xdelta3 (3.0.8-dfsg-1+deb8u1) jessie-security; urgency=high . * Non-maintainer upload by the Security Team. * Fix LZMA tests (Closes: #740284) * CVE-2014-9765: buffer overflow in main_get_appheader (Closes: #814067) xen (4.4.1-9+deb8u4) jessie-security; urgency=medium . * CVE-2015-8339 * CVE-2015-8340 * CVE-2015-8341 * CVE-2015-8550 * CVE-2015-8555 * CVE-2016-1570 * CVE-2016-1571 * CVE-2016-2270 * CVE-2016-2271 * XSA166 xerces-c (3.1.1-5.1+deb8u1) jessie-security; urgency=high . * Non-maintainer upload by the Security Team. * CVE-2016-0729: Buffer overlows during processing and error reporting xvba-video (0.8.0-9+deb8u1) jessie; urgency=medium . * xvba-va-driver as a separate package has been obsoleted by fglrx-driver 1:15.9, turn it into an empty metapackage. * Stop shipping fglrx_drv_video.so and xvba_drv_video.so. (Closes: #813427) * Bump Depends on libfglrx-amdxvba1 to (>= 1:15.9) which provides them. * This breaks compatibility with libfglrx-legacy-amdxvba1 (but that package exists only in wheezy-backports). ====================================== Sat, 23 Jan 2016 - Debian 8.3 released ====================================== ========================================================================= [Date: Sat, 23 Jan 2016 10:22:05 +0000] [ftpmaster: Archive Administrator] Removed the following packages from stable: iceweasel-vimperator | 3.8.2-2 | all vimperator | 3.8.2-2 | source Closed bugs: 801617 ------------------- Reason ------------------- RoM; incompatible with newer iceweasel versions ---------------------------------------------- ========================================================================= ========================================================================= [Date: Sat, 23 Jan 2016 10:22:57 +0000] [ftpmaster: Archive Administrator] Removed the following packages from stable: core-network | 4.7-2 | source, all core-network-daemon | 4.7-2 | amd64, arm64, armel, armhf, i386, mips, mipsel, powerpc, ppc64el, s390x core-network-gui | 4.7-2 | all Closed bugs: 803590 ------------------- Reason ------------------- RoST; security issues ---------------------------------------------- ========================================================================= ========================================================================= [Date: Sat, 23 Jan 2016 10:24:00 +0000] [ftpmaster: Archive Administrator] Removed the following packages from stable: elasticsearch | 1.0.3+dfsg-5+deb8u1 | source, all Closed bugs: 805586 ------------------- Reason ------------------- RoST; no longer supported ---------------------------------------------- ========================================================================= ========================================================================= [Date: Sat, 23 Jan 2016 10:24:24 +0000] [ftpmaster: Archive Administrator] Removed the following packages from stable: googlecl | 0.9.13-2 | source, all Closed bugs: 806468 ------------------- Reason ------------------- RoM; broken due to relying on obsolete APIs ---------------------------------------------- ========================================================================= ========================================================================= [Date: Sat, 23 Jan 2016 10:25:05 +0000] [ftpmaster: Archive Administrator] Removed the following packages from stable: libnsgif | 0.0.1-1.1 | source libnsgif0 | 0.0.1-1.1 | amd64, arm64, armel, armhf, i386, mips, mipsel, powerpc, ppc64el, s390x libnsgif0-dbg | 0.0.1-1.1 | amd64, arm64, armel, armhf, i386, mips, mipsel, powerpc, ppc64el, s390x libnsgif0-dev | 0.0.1-1.1 | amd64, arm64, armel, armhf, i386, mips, mipsel, powerpc, ppc64el, s390x Closed bugs: 808436 ------------------- Reason ------------------- RoST; unmaintained, security issues ---------------------------------------------- ========================================================================= ========================================================================= [Date: Sat, 23 Jan 2016 10:25:49 +0000] [ftpmaster: Archive Administrator] Removed the following packages from stable: libnsbmp | 0.0.1-1.1 | source libnsbmp0 | 0.0.1-1.1 | amd64, arm64, armel, armhf, i386, mips, mipsel, powerpc, ppc64el, s390x libnsbmp0-dbg | 0.0.1-1.1 | amd64, arm64, armel, armhf, i386, mips, mipsel, powerpc, ppc64el, s390x libnsbmp0-dev | 0.0.1-1.1 | amd64, arm64, armel, armhf, i386, mips, mipsel, powerpc, ppc64el, s390x Closed bugs: 808439 ------------------- Reason ------------------- RoST; unmaintained, security issues ---------------------------------------------- ========================================================================= ========================================================================= [Date: Sat, 23 Jan 2016 10:47:05 +0000] [ftpmaster: Archive Administrator] Removed the following packages from stable: python3-yaql | 0.2.3-2 | all ------------------- Reason ------------------- [auto-cruft] no longer built from source ---------------------------------------------- ========================================================================= apache2 (2.4.10-10+deb8u4) jessie; urgency=medium . * Add versioned replaces/breaks for libapache2-mod-macro to apache2, for the config files in /etc. Closes: #806326 * Fix split-logfile to work with current perl. Closes: #803472 * Fix tests on deferred mpm switch. Add special casing for mpm_itk, which is not an mpm anymore, despite the name. Closes: #789914 Closes: #791902 * Fix secondary-init-script to not source the main init script with 'set -e'. Closes: #803177 apt (1.0.9.8.2) jessie; urgency=medium . [ David Kalnischkies ] * hide first pdiff merge failure debug message (Closes: 793444) * mark again deps of pkgs in APT::Never-MarkAuto-Sections as manual. Thanks to Raphaël Hertzog and Adam Conrad for detailed reports and initial patches (Closes: 793360) (LP: 1479207) . [ Julian Andres Klode ] * Do not parse Status fields from remote sources . [ Michael Vogt ] * Use xgettext --no-location in make update-pot apt-dater-host (1.0.0-2+deb8u1) stable; urgency=low . * Add patch 01-jessie-kernel-detection to fix Linux Kernel status detection with newer Jessie images. Thanks to Robert Bihlmeyer. Closes: #794630 apt-offline (1.5.1) jessie; urgency=medium . * [67c2ba5] Add python-apt to Depends. Thanks Paul Wise (Closes: #801502) arb (6.0.2-1+deb8u1) jessie; urgency=medium . * Skip compiler version check at all Closes: #793187 augeas (1.2.0-0.2+deb8u1) jessie-proposed-updates; urgency=medium . * Non-maintainer upload. . [ Yann Soubeyrand ] * Httpd lense: - Allow EOL comments after section tags (thanks Dominic Cleal from Red Hat for reporting the patch) (Closes: #802665) - Include /etc/apache2/conf-available directory (Closes: #764699) . [ Mattia Rizzolo ] * debian/patches/0003-Httpd-Allow-eol-comments-after-section-tags.patch: + Rewrite DEP-3 header. augeas (1.2.0-0.2+deb8u1~bpo70+1) wheezy-backports; urgency=medium . * Non-maintainer upload. * Rebuild for wheezy-backports. . augeas (1.2.0-0.2+deb8u1) jessie-proposed-updates; urgency=medium . * Non-maintainer upload. . [ Yann Soubeyrand ] * Httpd lense: - Allow EOL comments after section tags (thanks Dominic Cleal from Red Hat for reporting the patch) (Closes: #802665) - Include /etc/apache2/conf-available directory (Closes: #764699) . [ Mattia Rizzolo ] * debian/patches/0003-Httpd-Allow-eol-comments-after-section-tags.patch: + Rewrite DEP-3 header. . augeas (1.2.0-0.2~bpo70+2) wheezy-backports; urgency=medium . * libaugeas0: Use a strict version for augeas-lenses dependency, otherwise an incompatible augeas-lenses from stable is installed by default. . augeas (1.2.0-0.2~bpo70+1) wheezy-backports; urgency=medium . * Rebuild for wheezy-backports. * libaugeas0: Pre-Depend on multiarch-support (required for wheezy). base-files (8+deb8u3) stable; urgency=low . * Changed /etc/debian_version to 8.3, for Debian 8.3 point release. * os-release: Drop trailing slash in SUPPORT_URL variable, as the URL is not supposed to have it. Closes: #781809, #800791. bcfg2 (1.3.5-1+deb8u1) stable; urgency=medium . * Apply patch from Jonas Jochmaring to support Django 1.7 (Closes: #755645) * Add fix for reports.wsgi to the Django 1.7 patch * Install the new south_migrations into the package ben (0.7.0+deb8u1) jessie; urgency=medium . [ Emilio Pozuelo Monfort ] * Fix buildd.debian.org compact links . [ Mehdi Dogguy ] * Ignore potential errors when deleting lock file * Call dose-debcheck with --deb-native-arch bind9 (1:9.9.5.dfsg-9+deb8u4) jessie-security; urgency=high . * Non-maintainer upload by the Security Team. * Add patch to fix CVE-2015-8000. CVE-2015-8000: Insufficient testing when parsing a message allowed records with an incorrect class to be be accepted, triggering a REQUIRE failure when those records were subsequently cached. bind9 (1:9.9.5.dfsg-9+deb8u3) jessie-security; urgency=medium . * CVE-2015-5722 blueman (1.99~alpha1-1+deb8u1) jessie-security; urgency=medium . * Fix local privilege escalation in blueman.Mechanism bouncycastle (1.49+dfsg-3+deb8u1) jessie-security; urgency=high . * Team upload. * CVE-2015-7940: fix invalid curve attack as described in http://web-in-security.blogspot.ca/2015/09/practical-invalid-curve-attacks.html (Closes: #802671) ca-certificates (20141019+deb8u1) stable; urgency=medium . * mozilla/{certdata.txt,nssckbi.h}: Update Mozilla certificate authority bundle to version 2.6. Closes: #806239 The following certificate authorities were added (+): + "CA WoSign ECC Root" + "Certification Authority of WoSign G2" + "Certinomis - Root CA" + "CFCA EV ROOT" + "COMODO RSA Certification Authority" + "Entrust Root Certification Authority - EC1" + "Entrust Root Certification Authority - G2" + "GlobalSign ECC Root CA - R4" + "GlobalSign ECC Root CA - R5" + "IdenTrust Commercial Root CA 1" + "IdenTrust Public Sector Root CA 1" + "OISTE WISeKey Global Root GB CA" + "S-TRUST Universal Root CA" + "Staat der Nederlanden EV Root CA" + "Staat der Nederlanden Root CA - G3" + "TÜRKTRUST Elektronik Sertifika Hizmet Sağlayıcısı H5" + "TÜRKTRUST Elektronik Sertifika Hizmet Sağlayıcısı H6" + "USERTrust ECC Certification Authority" + "USERTrust RSA Certification Authority" The following certificate authorities were removed (-): - "A-Trust-nQual-03" - "America Online Root Certification Authority 1" - "America Online Root Certification Authority 2" - "Buypass Class 3 CA 1" - "ComSign Secured CA" - "Digital Signature Trust Co. Global CA 1" - "Digital Signature Trust Co. Global CA 3" - "E-Guven Kok Elektronik Sertifika Hizmet Saglayicisi" - "GTE CyberTrust Global Root" - "SG TRUST SERVICES RACINE" - "TC TrustCenter Class 2 CA II" - "TC TrustCenter Universal CA I" - "Thawte Premium Server CA" - "Thawte Server CA" - "TURKTRUST Certificate Services Provider Root 1" - "TURKTRUST Certificate Services Provider Root 2" - "UTN DATACorp SGC Root CA" - "Verisign Class 4 Public Primary Certification Authority - G3" cacti (0.8.8b+dfsg-8+deb8u3) jessie-security; urgency=high . * Add upstream patch to fix (Closes: #807599) - CVE-2015-8369 SQL Injection vulnerability in graph.php ceph (0.80.7-2+deb8u1) jessie; urgency=medium . * [61b5e0] Patch to fix CVE-2015-5245 applied from upstream (Closes: #798567) charybdis (3.4.2-5~deb8u1) stable; urgency=high . * switch to new anonscm hostnames * initialise gnutls properly (Closes: #768339, #705369) * add fix for CVE-2015-5290, cherry-picked from upstream d5f856c^..172b58f chromium-browser (47.0.2526.80-1~deb8u1) jessie-security; urgency=medium . * New upstream stable release: - Multiple vulnerabilities fixed in libv8 4.7.80.23. - CVE-2015-6788: Type confusion in extensions. Credit to anonymous. - CVE-2015-6789: Use-after-free in Blink. Credit to cloudfuzzer. - CVE-2015-6790: Escaping issue in saved pages. Credit to Inti De Ceukelaire. - CVE-2015-6791: Various fixes from internal audits, fuzzing and other initiatives. chromium-browser (47.0.2526.73-1) unstable; urgency=medium . * New upstream stable release: - CVE-2015-1302: Information leak in PDF viewer. Credit to Rob Wu. - CVE-2015-6765: Use-after-free in AppCache. Credit to anonymous. - CVE-2015-6766: Use-after-free in AppCache. Credit to anonymous. - CVE-2015-6767: Use-after-free in AppCache. Credit to anonymous. - CVE-2015-6768: Cross-origin bypass in DOM. Credit to Mariusz Mlynski. - CVE-2015-6769: Cross-origin bypass in core. Credit to Mariusz Mlynski. - CVE-2015-6770: Cross-origin bypass in DOM. Credit to Mariusz Mlynski. - CVE-2015-6771: Out of bounds access in v8. Credit to anonymous. - CVE-2015-6772: Cross-origin bypass in DOM. Credit to Mariusz Mlynski. - CVE-2015-6764: Out of bounds access in v8. Credit to Guang Gong. - CVE-2015-6773: Out of bounds access in Skia. Credit to cloudfuzzer. - CVE-2015-6774: Use-after-free in Extensions. Credit to anonymous. - CVE-2015-6775: Type confusion in PDFium. Credit to Atte Kettunen. - CVE-2015-6776: Out of bounds access in PDFium. Credit to Hanno Böck. - CVE-2015-6777: Use-after-free in DOM. Credit to Long Liu. - CVE-2015-6778: Out of bounds access in PDFium. Credit to Karl Skomski. - CVE-2015-6779: Scheme bypass in PDFium. Credit to Til Jasper Ullrich. - CVE-2015-6780: Use-after-free in Infobars. Credit to Khalil Zhani. - CVE-2015-6781: Integer overflow in Sfntly. Credit to miaubiz. - CVE-2015-6782: Content spoofing in Omnibox. Credit to Luan Herrera. - CVE-2015-6784: Escaping issue in saved pages. Credit to Inti De Ceukelaire. - CVE-2015-6785: Wildcard matching issue in CSP. Credit to Michael Ficarra. - CVE-2015-6786: Scheme bypass in CSP. Credit to Michael Ficarra. * Lengthen GPU timeout (closes: #781940). * Enable accelerated video decoding (closes: #793815). chromium-browser (47.0.2526.73-1~deb8u1) jessie-security; urgency=medium . * New upstream stable release: - CVE-2015-1302: Information leak in PDF viewer. Credit to Rob Wu. - CVE-2015-6765: Use-after-free in AppCache. Credit to anonymous. - CVE-2015-6766: Use-after-free in AppCache. Credit to anonymous. - CVE-2015-6767: Use-after-free in AppCache. Credit to anonymous. - CVE-2015-6768: Cross-origin bypass in DOM. Credit to Mariusz Mlynski. - CVE-2015-6769: Cross-origin bypass in core. Credit to Mariusz Mlynski. - CVE-2015-6770: Cross-origin bypass in DOM. Credit to Mariusz Mlynski. - CVE-2015-6771: Out of bounds access in v8. Credit to anonymous. - CVE-2015-6772: Cross-origin bypass in DOM. Credit to Mariusz Mlynski. - CVE-2015-6764: Out of bounds access in v8. Credit to Guang Gong. - CVE-2015-6773: Out of bounds access in Skia. Credit to cloudfuzzer. - CVE-2015-6774: Use-after-free in Extensions. Credit to anonymous. - CVE-2015-6775: Type confusion in PDFium. Credit to Atte Kettunen. - CVE-2015-6776: Out of bounds access in PDFium. Credit to Hanno Böck. - CVE-2015-6777: Use-after-free in DOM. Credit to Long Liu. - CVE-2015-6778: Out of bounds access in PDFium. Credit to Karl Skomski. - CVE-2015-6779: Scheme bypass in PDFium. Credit to Til Jasper Ullrich. - CVE-2015-6780: Use-after-free in Infobars. Credit to Khalil Zhani. - CVE-2015-6781: Integer overflow in Sfntly. Credit to miaubiz. - CVE-2015-6782: Content spoofing in Omnibox. Credit to Luan Herrera. - CVE-2015-6784: Escaping issue in saved pages. Credit to Inti De Ceukelaire. - CVE-2015-6785: Wildcard matching issue in CSP. Credit to Michael Ficarra. - CVE-2015-6786: Scheme bypass in CSP. Credit to Michael Ficarra. chromium-browser (47.0.2526.16-1) experimental; urgency=medium . * New upstream beta release. * Lengthen GPU timeout (closes: #781940). * Enable accelerated video decoding (closes: #793815). chromium-browser (46.0.2490.71-1) unstable; urgency=medium . * New upstream stable release: - CVE-2015-6755: Cross-origin bypass in Blink. Credit to Mariusz Mlynski. - CVE-2015-6756: Use-after-free in PDFium. Credit to anonymous. - CVE-2015-6757: Use-after-free in ServiceWorker. Credit to Collin Payne. - CVE-2015-6758: Bad-cast in PDFium. Credit to Atte Kettunen of OUSPG. - CVE-2015-6759: Information leakage in LocalStorage. Credit to Muneaki Nishimura. - CVE-2015-6760: Improper error handling in libANGLE. Credit to Ronald Crane, an independent security researcher. - CVE-2015-6762: CORS bypass via CSS fonts. Credit to Muneaki Nishimura. - CVE-2015-6763: Various fixes from internal audits, fuzzing and other initiatives. - Multiple vulnerabilities in V8 fixed at the tip of the 4.6 branch (currently 4.6.85.23). chromium-browser (46.0.2490.71-1~deb8u1) jessie-security; urgency=medium . * New upstream stable release: - CVE-2015-1303: Cross-origin bypass in DOM. Credit to Mariusz Mlynski. - CVE-2015-1304: Cross-origin bypass in V8. Credit to Mariusz Mlynski. - CVE-2015-6755: Cross-origin bypass in Blink. Credit to Mariusz Mlynski. - CVE-2015-6756: Use-after-free in PDFium. Credit to anonymous. - CVE-2015-6757: Use-after-free in ServiceWorker. Credit to Collin Payne. - CVE-2015-6758: Bad-cast in PDFium. Credit to Atte Kettunen of OUSPG. - CVE-2015-6759: Information leakage in LocalStorage. Credit to Muneaki Nishimura. - CVE-2015-6760: Improper error handling in libANGLE. Credit to Ronald Crane, an independent security researcher. - CVE-2015-6761: Memory corruption in FFMpeg. Credit to Aki Helin and Khalil Zhani. - CVE-2015-6762: CORS bypass via CSS fonts. Credit to Muneaki Nishimura. - CVE-2015-6763: Various fixes from internal audits, fuzzing and other initiatives. - Multiple vulnerabilities in V8 fixed at the tip of the 4.6 branch (currently 4.6.85.23). chromium-browser (46.0.2490.13-1) experimental; urgency=medium . * New upstream beta release. chromium-browser (45.0.2454.101-1) unstable; urgency=medium . * New upstream stable release: - CVE-2015-1303: Cross-origin bypass in DOM. Credit to Mariusz Mlynski. - CVE-2015-1304: Cross-origin bypass in V8. Credit to Mariusz Mlynski. chromium-browser (45.0.2454.85-1) unstable; urgency=medium . * New upstream stable release: - CVE-2015-1291: Cross-origin bypass in DOM. Credit to anonymous. - CVE-2015-1292: Cross-origin bypass in ServiceWorker. Credit to Mariusz Mlynski. - CVE-2015-1293: Cross-origin bypass in DOM. Credit to Mariusz Mlynski. - CVE-2015-1294: Use-after-free in Skia. Credit to cloudfuzzer. - CVE-2015-1295: Use-after-free in Printing. Credit to anonymous. - CVE-2015-1296: Character spoofing in omnibox. Credit to zcorpan. - CVE-2015-1297: Permission scoping error in WebRequest. Credit to Alexander Kashev. - CVE-2015-1298: URL validation error in extensions. Credit to Rob Wu. - CVE-2015-1299: Use-after-free in Blink. Credit to taro.suzuki.dev. - CVE-2015-1300: Information leak in Blink. Credit to cgvwzq. - CVE-2015-1301: Various fixes from internal audits, fuzzing and other initiatives. - Multiple vulnerabilities in the libv8 library (updated to 4.5.103.29). chromium-browser (45.0.2454.85-1~deb8u1) jessie-security; urgency=high . * New upstream stable release: - CVE-2015-1291: Cross-origin bypass in DOM. Credit to anonymous. - CVE-2015-1292: Cross-origin bypass in ServiceWorker. Credit to Mariusz Mlynski. - CVE-2015-1293: Cross-origin bypass in DOM. Credit to Mariusz Mlynski. - CVE-2015-1294: Use-after-free in Skia. Credit to cloudfuzzer. - CVE-2015-1295: Use-after-free in Printing. Credit to anonymous. - CVE-2015-1296: Character spoofing in omnibox. Credit to zcorpan. - CVE-2015-1297: Permission scoping error in WebRequest. Credit to Alexander Kashev. - CVE-2015-1298: URL validation error in extensions. Credit to Rob Wu. - CVE-2015-1299: Use-after-free in Blink. Credit to taro.suzuki.dev. - CVE-2015-1300: Information leak in Blink. Credit to cgvwzq. - CVE-2015-1301: Various fixes from internal audits, fuzzing and other initiatives. - Multiple vulnerabilities in the libv8 library (updated to 4.5.103.29). chromium-browser (44.0.2403.157-1) unstable; urgency=medium . * New upstream stable release: - GPU process race condition fixed (closes: #794472). * Use system ffmpeg (closes: #763632): - Thanks to Andreas Cadhalpun. chromium-browser (44.0.2403.107-2) unstable; urgency=medium . * More updates to debian/copyright. * Add some more instructions for bug presubmission. * Remove no longer needed mainscript and preinst scripts. * Use chromium.png in the desktop launcher (closes: #794818). chromium-browser (44.0.2403.107-1) unstable; urgency=medium . * New upstream stable release. * More updates to debian/copyright. chromium-browser (44.0.2403.89-1) unstable; urgency=medium . * New upstream stable release: - CVE-2015-1270: Uninitialized memory read in ICU. Credit to Atte Kettunen. - CVE-2015-1271: Heap-buffer-overflow in pdfium. Credit to cloudfuzzer. - CVE-2015-1272: Use-after-free related to unexpected GPU process termination. Credit to Chamal de Silva. - CVE-2015-1273: Heap-buffer-overflow in pdfium. Credit to makosoft. - CVE-2015-1274: Settings allowed executable files to run immediately after download. Credit to andrewm.bpi. - CVE-2015-1275: UXSS in Chrome for Android. Credit to WangTao(neobyte). - CVE-2015-1276: Use-after-free in IndexedDB. Credit to Collin Payne. - CVE-2015-1277: Use-after-free in accessibility. Credit to SkyLined. - CVE-2015-1278: URL spoofing using pdf files. Credit to Chamal de Silva. - CVE-2015-1279: Heap-buffer-overflow in pdfium. Credit to mlafon. - CVE-2015-1280: Memory corruption in skia. Credit to cloudfuzzer. - CVE-2015-1281: CSP bypass. Credit to Masato Kinugawa. - CVE-2015-1282: Use-after-free in pdfium. Credit to Chamal de Silva. - CVE-2015-1283: Heap-buffer-overflow in expat. Credit to Huzaifa Sidhpurwala. - CVE-2015-1284: Use-after-free in blink. Credit to Atte Kettunen. - CVE-2015-1285: Information leak in XSS auditor. Credit to gazheyes. - CVE-2015-1286: UXSS in blink. Credit to anonymous. - CVE-2015-1287: SOP bypass with CSS. Credit to filedescriptor. - CVE-2015-1288: Spell checking dictionaries fetched over HTTP. Credit to Mike Ruddy. - CVE-2015-1289: Various fixes from internal audits, fuzzing and other initiatives. * Remove hotword patch, now disabled by default upstream. chrony (1.30-2+deb8u1) jessie; urgency=medium . * Build depend on libcap-dev. Without it, chronyd can’t drop root privileges. (Closes: #768803) commons-httpclient (3.1-11+deb8u1) jessie; urgency=high . * Team upload. * Add CVE-2015-5262.patch. Fix CVE-2015-5262 jakarta-commons-httpclient: https calls ignore http.socket.timeout during SSL Handshake. (Closes: #798650) cpuset (1.5.6-4+deb8u1) jessie; urgency=high . * Update filesystem namespace prefix patch (Closes: #796893) cups-filters (1.0.61-5+deb8u3) jessie-security; urgency=high . * Backport upstream fixes to also consider the semicolon (';') as an illegal shell escape character (CVE-2015-8560, Closes: #807930) cups-filters (1.0.61-5+deb8u2) jessie-security; urgency=high . * Backport upstream fixes to also consider the back tick ('`') as an illegal shell escape character (CVE-2015-8327) curlftpfs (0.9.2-9~deb8u1) jessie; urgency=medium . * Non-maintainer upload with maintainer approval. * Rebuild for jessie. . curlftpfs (0.9.2-9) unstable; urgency=medium . * Avoid unsafe cast for getpass() on 64-bit archs. Closes: #795879. * Bump Standards-Version to 3.9.6. cyrus-sasl2 (2.1.26.dfsg1-13+deb8u1) jessie-security; urgency=high . * [CVE-2013-4122]: Handle NULL returns from glibc 2.17+ crypt() (Closes: #784112) dbconfig-common (1.8.47+nmu3+deb8u1) jessie; urgency=medium . * Fix permission of PostgreSQL backup files, thanks Simon Ruderich (Closes: #805638) * Repair permissions of already created backups, but only when upgrading from versions before this one (but not from versions after wheezy's point update). debian-handbook (8.20151209~deb8u1) jessie; urgency=medium . * Upload jessie version of the book to jessie. debian-handbook (8.20151102) unstable; urgency=medium . [ Roland Mas ] * Update chapters 5, 6, 8, 9, 10, 11 for Debian 8 Jessie. * Update appendix A for Debian 8 Jessie. * easy-rsa is now in its own package (closes: #691983). * Remove historical information about IDE drives. . [ Raphaël Hertzog ] * Update the foreword for Debian 8 Jessie. * Update chapters 1, 2, 3, 4, 7, 12, 13, 14, 15 for Debian 8 Jessie. * Update appendix B for Debian 8 Jessie. * Fix typo OPSF -> OSPF and Traditionnally -> Traditionally. Closes: #737255, #737884 Thanks to Anders Jonsson for the patches. * Fix typo possibbility -> possibility. Closes: #754481 Thanks to Julian Weber for the patch. * Be more gender neutral. Closes: #736588 Thanks to Johannes Schauer for the patch. * Multiples updates requested by Cyril Brulebois: - drop Joey from d-i coordinators - drop Cyril from XSF coordinators - mention Steve McIntyre for debian-cd - virtualbox-ose-guest-dkms -> virtualbox-guest-dkms - virtualbox is now in contrib - chromium is well established by now Closes: #757388 * Replace some textual references by true . Closes: #788940 * Replace incorrect option --log-priority with --log-level for LOG target of iptables. Closes: #789285 Thanks to Ryuunosuke AYANOKOUZI for the patch. * Add small tip explaining the possibily to put a user in the libvirt group. Thanks to Paul Chavent for the suggestion. Closes: #734397 * Document suricata instead of snort. * Add a section on “dpkg --verify”. * Add a section on AppArmor. * Add a new section on RTC services. Thanks to Daniel Pocock. Closes: #800884, #802682 debian-handbook (7.20150828) unstable; urgency=medium . * Fixed small typo in preface of german version. Closes: #792605 Thanks to Georg Faerber for the patch. * Update all PO files so that they work with publican 4.3.2 from unstable. Closes: #791812 debian-handbook (7.20150616) unstable; urgency=medium . * Fix typo OPSF -> OSPF and Traditionnally -> Traditionally. Closes: #737255, #737884 Thanks to Anders Jonsson for the patches. * Fix typo possibbility -> possibility. Closes: #754481 Thanks to Julian Weber for the patch. * Use same build script as for debian-handbook.info. * Include all translations in the package. * Update Standards-Version to 3.9.6 * Save space by dropping useless files. Closes: #672459 debian-installer (20150422+deb8u3) jessie; urgency=medium . [ Samuel Thibault ] * Add beep to UEFI x86 boot menu (Closes: #796591). * Add 's' shortcut for speech to UEFI x86 boot menu. . [ Steve McIntyre ] * Add the part_gpt module into the core grub image to make it easier for users doing slightly different things with our images; include support for GPT partition tables as well as msdos (Closes: #789600). . [ Martin Michlmayr ] * Exclude usb-serial-modules from the armel network-console image since it's not useful there (Closes: #809301). * Exclude usb-modules explicitly on armel/orion5x network-console to work around bug in util/pkg-list. * Drop the file extension from the initrd for QNAP devices. * Re-introduce installer images for QNAP TS-x09. * Provide u-boot images for plug computers. . [ Cyril Brulebois ] * Adjust p-u support to handle file:// instead of (f|ht)tp:// only, thanks to Łukasz Stelmach for both the report and the patch (Closes: #803711). debian-installer-netboot-images (20150422+deb8u3) jessie; urgency=medium . * Update to 20150422+deb8u3 images, from jessie-proposed-updates docbook2x (0.8.8-9+deb8u1) jessie; urgency=medium . [ Santiago Vila ] * d/p/07_fix_597454_usr_share_info_dir_gz.patch: do not install info/dir.gz files. (Closes: #799700) doctrine (2.4.6-1+deb8u1) jessie; urgency=medium . * gbp.conf: Track the jessie branch * Fix security misconfiguration vulnerability [CVE-2015-5723] dpkg (1.17.26) jessie-security; urgency=high . [ Guillem Jover ] * Fix an off-by-one write access in dpkg-deb when parsing the .deb magic. Reported by Jacek Wielemborek . Closes: #798324 * Fix an off-by-one write access in dpkg-deb when parsing the old format .deb control member size. Thanks to Hanno Böck . Fixes CVE-2015-0860. * Fix an off-by-one read access in dpkg-deb when parsing ar member names. Thanks to Hanno Böck . . [ Updated programs translations ] * Catalan (Jordi Mallach). * Turkish (Mert Dirik). Closes: #785095 . [ Updated scripts translations ] * German (Helge Kreutzmann). (Various fixes) * Spanish (Santiago Vila). Closes: #799020 . [ Updated manpages translations ] * German (Helge Kreutzmann). (Various fixes) drbd-utils (8.9.2~rc1-2+deb8u1) jessie; urgency=medium . * Fix drbdadm adjust with IPv6 peer addresses (Closes: #808315) drupal7 (7.32-1+deb8u5) stable-security; urgency=high . * Backported from 7.39: SA-CORE-2015-003 (cross site scripting, access bypass, SQL injection, open redirect). CVE IDs not yet assigned. drupal7 (7.32-1+deb8u5~bpo70+1) wheezy-backports; urgency=high . * Rebuild for wheezy-backports * Backported from 7.39: SA-CORE-2015-003 (cross site scripting, access bypass, SQL injection, open redirect). CVE IDs not yet assigned. ejabberd (14.07-4+deb8u3) jessie; urgency=medium . * Add patch to fix broken ldap queries (Closes: #797645) exfat-utils (1.1.0-2+deb8u1) jessie; urgency=medium . * Add the fix for https://github.com/relan/exfat/issues/5 found and reported by The Fuzzing Project. Check sector and cluster size. * Add the fix for https://github.com/relan/exfat/issues/6 found and reported by The Fuzzing Project. Detect infinite loop. exim4 (4.84-8+deb8u2) jessie; urgency=medium . * 87_Fix-transport-results-pipe-for-multiple-recipients-c.patch: Pull and unfuzz bd21a78 from upstream GIT, to fix a bug causing duplicate deliveries especially on TLS connections. Closes: #805576 exim4 (4.84-8+deb8u1) jessie; urgency=medium . * Pull 85_Fix-crash-in-mime-acl-when-a-parameter-is-unterminat.patch and 86_Avoid-crash-with-badly-terminated-non-recognised-mim.patch from upstream GIT to fixup more MIME ACL related crashes. (Thanks, Lutz Preßler) Closes: #803562 fglrx-driver (1:15.9-4~deb8u1) jessie; urgency=medium . * Rebuild for jessie. * Reinstate the libxvbaw-dev package. * Remove Conflicts/Replaces: xvba-va-driver. * Revert patches 12-4.3.0-build and 13-4.4.0-build, the patched kernel module does not work on Linux 4.3. (See #809638 for details.) . fglrx-driver (1:15.9-4) unstable; urgency=medium . * Fix spelling error in long description. * Add patch 06-spelling-error-manpage to fix a spelling error in atieventsd manpage. * Add patch 13-4.4.0-build from Ubuntu to fix a FTBFS with Linux 4.4. . fglrx-driver (1:15.9-3) unstable; urgency=high . [ Andreas Beckmann ] * d/rules: Move tar option --no-recursion before the list of files. * fglrx-atieventsd.init: Fix 'stop' and implement 'status', thanks to D. Leggett. (Closes: #803494) * Reinstate breaks between fglrx-driver and libgl1-fglrx-glx. * Update lintian overrides. . [ Patrick Matthäi ] * Add Ubuntu patch 12-4.3.0-build. Closes: #807965 . fglrx-driver (1:15.9-2) unstable; urgency=medium . * amd-opencl-icd: Ship libamdocl12cl{32,64}.so. (Closes: #793488) . fglrx-driver (1:15.9-1) unstable; urgency=medium . [ Andreas Beckmann ] * New upstream release 15.9 (2015-09-15) (15.201.1151). (Closes: #799439) * Fixes CVE-2015-7724. (Closes: #803517) * Use signature from 15.7. * Update watch file. * Update lintian overrides. . [ Patrick Matthäi ] * Refresh patch 04-3.17rc6-no_hotplug. * Rewrite patch 05-4.0.0-build. * Drop merged patch 06-4.0.0-build-2. * Rewrite patch 07-4.1.0-build. * Rewrite patch 08-4.2.0-build. * Rewrite patch 09-4.2.0-build.fpregs_active. * Rewrite patch 10-4.2.0-build.copy_xregs_to_kernel. * Rewrite patch 11-4.1.0-gpl-only. . fglrx-driver (1:15.7-3) unstable; urgency=high . * Add patch 11-4.1.0-gpl-only to finaly allow fglrx to build with Linux 4.1. . fglrx-driver (1:15.7-2) unstable; urgency=high . [ Andreas Beckmann ] * Drop libxvbaw-dev package. * fglrx-driver, fglrx-kernel-*: Report in the package description the latest tested Linux version that can build the kernel module. . [ Patrick Matthäi ] * Add Ubuntu patch 06-4.0.0-build-2. * Add Ubuntu patch 07-4.1.0-build to fix a FTBFS with Linux 4.1. Closes: #795222, #795230 * Add Ubuntu patches 08-4.2.0-build, 09-4.2.0-build.fpregs_active and 10-4.2.0-build.copy_xregs_to_kernel so fglrx may work with Linux 4.2. . fglrx-driver (1:15.7-1) unstable; urgency=medium . [ Andreas Beckmann ] * libfglrx-amdxvba1: Can be used as a va-driver backend. - Provides: va-driver since libXvBAW.so.1 now contains the required entrypoints. - Conflicts/Provides/Replaces: xvba-va-driver since that wrapper is no longer needed. - Ship dri/{xvba,fglrx}_drv_video.so symlinks. * Update list of supported models. * Create /usr/src/fglrx.tar.bz2 reproducibly. . [ Patrick Matthäi ] * New upstream release 15.7 (2015-07-0?) (15.20.1046). Closes: #791905 - Refresh hunky patch 04-3.17rc6-no_hotplug. - Rewrite patch 05-4.0.0-build. - Xorg 1.17 is supported now. Closes: #784903 * Fixes CVE-2015-7723. * Use signature from upstream package. * Remove breaks between fglrx-driver and libgl1-fglrx-glx, since it confuses dpkg. . fglrx-driver (1:15.5-1) unstable; urgency=low . * New upstream release 15.5 (2015-06-02) (15.101.1001). Closes: #790794 - Adjust some lintian overrides. * Updated dutch translation from Frans Spiesschaert. Closes: #776756 * Adjust patch 05-4.0.0-build so it works again. . fglrx-driver (1:14.12-2) unstable; urgency=low . [ Andreas Beckmann ] * fglrx_3.17rc6-no_hotplug.patch: New patch, add support for Linux >= 3.17. Found in the kanotix package. (Closes: #768397) . [ Michael Gilbert ] * Remove myself from the uploaders list. . [ Patrick Matthäi ] * Uploading to unstable. * Rename patches (correct order). * Add patch 05-4.0.0-build from Michael Rasmussen to fix a FTBFS with Linux 4.0.0. Thanks! Closes: #785150 * Remove unused lintian override. . fglrx-driver (1:14.12-1) experimental; urgency=medium . * New upstream release 14.12 (2014-12-09) (14.501.1003). (Closes: #764523) * Update watch file, thanks to Bart Martens. * amd-opencl-dev: Bump the Breaks/Replaces on nvidia-libopencl1 to cover new upstream releases of nvidia-graphics-drivers-legacy-304xx in wheezy. * New Dutch (nl) debconf translation thanks to Frans Spiesschaert. (Closes: #767493) * Upload to experimental. fglrx-driver (1:15.9-3) unstable; urgency=high . [ Andreas Beckmann ] * d/rules: Move tar option --no-recursion before the list of files. * fglrx-atieventsd.init: Fix 'stop' and implement 'status', thanks to D. Leggett. (Closes: #803494) * Reinstate breaks between fglrx-driver and libgl1-fglrx-glx. * Update lintian overrides. . [ Patrick Matthäi ] * Add Ubuntu patch 12-4.3.0-build. Closes: #807965 fglrx-driver (1:15.9-3~bpo8+1) jessie-backports; urgency=medium . * Rebuild for jessie-backports. . fglrx-driver (1:15.9-3) unstable; urgency=high . [ Andreas Beckmann ] * d/rules: Move tar option --no-recursion before the list of files. * fglrx-atieventsd.init: Fix 'stop' and implement 'status', thanks to D. Leggett. (Closes: #803494) * Reinstate breaks between fglrx-driver and libgl1-fglrx-glx. * Update lintian overrides. . [ Patrick Matthäi ] * Add Ubuntu patch 12-4.3.0-build. Closes: #807965 fglrx-driver (1:15.9-2) unstable; urgency=medium . * amd-opencl-icd: Ship libamdocl12cl{32,64}.so. (Closes: #793488) fglrx-driver (1:15.9-2~bpo8+1) jessie-backports; urgency=medium . * Rebuild for jessie-backports. . fglrx-driver (1:15.9-2) unstable; urgency=medium . * amd-opencl-icd: Ship libamdocl12cl{32,64}.so. (Closes: #793488) . fglrx-driver (1:15.9-1) unstable; urgency=medium . [ Andreas Beckmann ] * New upstream release 15.9 (2015-09-15) (15.201.1151). (Closes: #799439) * Use signature from 15.7. * Update watch file. * Update lintian overrides. . [ Patrick Matthäi ] * Refresh patch 04-3.17rc6-no_hotplug. * Rewrite patch 05-4.0.0-build. * Drop merged patch 06-4.0.0-build-2. * Rewrite patch 07-4.1.0-build. * Rewrite patch 08-4.2.0-build. * Rewrite patch 09-4.2.0-build.fpregs_active. * Rewrite patch 10-4.2.0-build.copy_xregs_to_kernel. * Rewrite patch 11-4.1.0-gpl-only. fglrx-driver (1:15.9-1) unstable; urgency=medium . [ Andreas Beckmann ] * New upstream release 15.9 (2015-09-15) (15.201.1151). (Closes: #799439) * Use signature from 15.7. * Update watch file. * Update lintian overrides. . [ Patrick Matthäi ] * Refresh patch 04-3.17rc6-no_hotplug. * Rewrite patch 05-4.0.0-build. * Drop merged patch 06-4.0.0-build-2. * Rewrite patch 07-4.1.0-build. * Rewrite patch 08-4.2.0-build. * Rewrite patch 09-4.2.0-build.fpregs_active. * Rewrite patch 10-4.2.0-build.copy_xregs_to_kernel. * Rewrite patch 11-4.1.0-gpl-only. fglrx-driver (1:15.9-1~bpo8+1) jessie-backports; urgency=medium . * Rebuild for jessie-backports. . fglrx-driver (1:15.9-1) unstable; urgency=medium . [ Andreas Beckmann ] * New upstream release 15.9 (2015-09-15) (15.201.1151). (Closes: #799439) * Use signature from 15.7. * Update watch file. * Update lintian overrides. . [ Patrick Matthäi ] * Refresh patch 04-3.17rc6-no_hotplug. * Rewrite patch 05-4.0.0-build. * Drop merged patch 06-4.0.0-build-2. * Rewrite patch 07-4.1.0-build. * Rewrite patch 08-4.2.0-build. * Rewrite patch 09-4.2.0-build.fpregs_active. * Rewrite patch 10-4.2.0-build.copy_xregs_to_kernel. * Rewrite patch 11-4.1.0-gpl-only. . fglrx-driver (1:15.7-3) unstable; urgency=high . * Add patch 11-4.1.0-gpl-only to finaly allow fglrx to build with Linux 4.1. fglrx-driver (1:15.7-3) unstable; urgency=high . * Add patch 11-4.1.0-gpl-only to finaly allow fglrx to build with Linux 4.1. fglrx-driver (1:15.7-3~bpo8+1) jessie-backports; urgency=medium . * Rebuild for jessie-backports. . fglrx-driver (1:15.7-3) unstable; urgency=high . * Add patch 11-4.1.0-gpl-only to finaly allow fglrx to build with Linux 4.1. . fglrx-driver (1:15.7-2) unstable; urgency=high . [ Andreas Beckmann ] * Drop libxvbaw-dev package. * fglrx-driver, fglrx-kernel-*: Report in the package description the latest tested Linux version that can build the kernel module. . [ Patrick Matthäi ] * Add Ubuntu patch 06-4.0.0-build-2. * Add Ubuntu patch 07-4.1.0-build to fix a FTBFS with Linux 4.1. Closes: #795222, #795230 * Add Ubuntu patches 08-4.2.0-build, 09-4.2.0-build.fpregs_active and 10-4.2.0-build.copy_xregs_to_kernel so fglrx may work with Linux 4.2. . fglrx-driver (1:15.7-1) unstable; urgency=medium . [ Andreas Beckmann ] * libfglrx-amdxvba1: Can be used as a va-driver backend. - Provides: va-driver since libXvBAW.so.1 now contains the required entrypoints. - Conflicts/Provides/Replaces: xvba-va-driver since that wrapper is no longer needed. - Ship dri/{xvba,fglrx}_drv_video.so symlinks. * Update list of supported models. * Create /usr/src/fglrx.tar.bz2 reproducibly. . [ Patrick Matthäi ] * New upstream release. Closes: #791905 - Refresh hunky patch 04-3.17rc6-no_hotplug. - Rewrite patch 05-4.0.0-build. - Xorg 1.17 is supported now. Closes: #784903 * Use signature from upstream package. * Remove breaks between fglrx-driver and libgl1-fglrx-glx, since it confuses dpkg. . fglrx-driver (1:15.5-1) unstable; urgency=low . * New upstream release. Closes: #790794 - Adjust some lintian overrides. * Updated dutch translation from Frans Spiesschaert. Closes: #776756 * Adjust patch 05-4.0.0-build so it works again. . fglrx-driver (1:14.12-2) unstable; urgency=low . [ Andreas Beckmann ] * fglrx_3.17rc6-no_hotplug.patch: New patch, add support for Linux >= 3.17. Found in the kanotix package. (Closes: #768397) . [ Michael Gilbert ] * Remove myself from the uploaders list. . [ Patrick Matthäi ] * Uploading to unstable. * Rename patches (correct order). * Add patch 05-4.0.0-build from Michael Rasmussen to fix a FTBFS with Linux 4.0.0. Thanks! Closes: #785150 * Remove unused lintian override. . fglrx-driver (1:14.12-1) experimental; urgency=medium . * New upstream release 14.12 (2014-12-09) (14.501.1003). (Closes: #764523) * Update watch file, thanks to Bart Martens. * amd-opencl-dev: Bump the Breaks/Replaces on nvidia-libopencl1 to cover new upstream releases of nvidia-graphics-drivers-legacy-304xx in wheezy. * New Dutch (nl) debconf translation thanks to Frans Spiesschaert. (Closes: #767493) * Upload to experimental. fglrx-driver (1:15.7-2) unstable; urgency=high . [ Andreas Beckmann ] * Drop libxvbaw-dev package. * fglrx-driver, fglrx-kernel-*: Report in the package description the latest tested Linux version that can build the kernel module. . [ Patrick Matthäi ] * Add Ubuntu patch 06-4.0.0-build-2. * Add Ubuntu patch 07-4.1.0-build to fix a FTBFS with Linux 4.1. Closes: #795222, #795230 * Add Ubuntu patches 08-4.2.0-build, 09-4.2.0-build.fpregs_active and 10-4.2.0-build.copy_xregs_to_kernel so fglrx may work with Linux 4.2. fglrx-driver (1:15.7-1) unstable; urgency=medium . [ Andreas Beckmann ] * libfglrx-amdxvba1: Can be used as a va-driver backend. - Provides: va-driver since libXvBAW.so.1 now contains the required entrypoints. - Conflicts/Provides/Replaces: xvba-va-driver since that wrapper is no longer needed. - Ship dri/{xvba,fglrx}_drv_video.so symlinks. * Update list of supported models. * Create /usr/src/fglrx.tar.bz2 reproducibly. . [ Patrick Matthäi ] * New upstream release. Closes: #791905 - Refresh hunky patch 04-3.17rc6-no_hotplug. - Rewrite patch 05-4.0.0-build. - Xorg 1.17 is supported now. Closes: #784903 * Use signature from upstream package. * Remove breaks between fglrx-driver and libgl1-fglrx-glx, since it confuses dpkg. fglrx-driver (1:15.5-1) unstable; urgency=low . * New upstream release. Closes: #790794 - Adjust some lintian overrides. * Updated dutch translation from Frans Spiesschaert. Closes: #776756 * Adjust patch 05-4.0.0-build so it works again. fglrx-driver (1:14.12-2) unstable; urgency=low . [ Andreas Beckmann ] * fglrx_3.17rc6-no_hotplug.patch: New patch, add support for Linux >= 3.17. Found in the kanotix package. (Closes: #768397) . [ Michael Gilbert ] * Remove myself from the uploaders list. . [ Patrick Matthäi ] * Uploading to unstable. * Rename patches (correct order). * Add patch 05-4.0.0-build from Michael Rasmussen to fix a FTBFS with Linux 4.0.0. Thanks! Closes: #785150 * Remove unused lintian override. fglrx-driver (1:14.12-1) experimental; urgency=medium . * New upstream release 14.12 (2014-12-09) (14.501.1003). (Closes: #764523) * Update watch file, thanks to Bart Martens. * amd-opencl-dev: Bump the Breaks/Replaces on nvidia-libopencl1 to cover new upstream releases of nvidia-graphics-drivers-legacy-304xx in wheezy. * New Dutch (nl) debconf translation thanks to Frans Spiesschaert. (Closes: #767493) * Upload to experimental. file (1:5.22+15-2+deb8u1) stable; urgency=medium . * Fix handling of file's --parameter option. Closes: #798410 - The file program segfaults after processing the --parameter parameter. [commit FILE5_24-22-g27b4e34] - Any --parameter values have no effect if used with --files-from. [commit FILE5_24-23-g4ddb783] flash-kernel (3.35+deb8u2) stable; urgency=medium . [ Ian Campbell ] * Avoid waiting for Ctrl-C if any debconf frontend is in use, not just non-interactive. (Closes: #791794) foomatic-filters (4.0.17-5+deb8u1) jessie-security; urgency=high . * Non-maintainer upload by the Security Team. * Add CVE-2015-8327.patch patch. CVE-2015-8327: foomatic-rip did not consider the back tick as an illegal shell escape character allowing arbitrary code execution. (Closes: #806886) * Add CVE-2015-8560.patch patch. CVE-2015-8560: code execution via improper escaping of ; (semicolon). (Closes: #807993) freeimage (3.15.4-4.2) jessie-security; urgency=high . * Non-maintainer upload. * Fix integer overflow CVE-2015-0852. (Closes: #797165) freetype (2.5.2-3+deb8u1) jessie-security; urgency=high . * Non-maintainer upload. * CVE-2014-9745: Fix Savannah bug #41590. Protect against invalid number in t1load.c parse_encoding(). * CVE-2014-9746, CVE-2014-9747: Fix Savannah bug #41309. Correct use of uninitialized data in t1load.c, cidload.c, t42parse.c and psobjs.c. freexl (1.0.0g-1+deb8u3) jessie-security; urgency=high . * Add patch to fix regression introduced by afl-vulnerabilitities.patch. fuse-exfat (1.1.0-2+deb8u1) jessie; urgency=medium . * Add the fix for https://github.com/relan/exfat/issues/5 found and reported by The Fuzzing Project. Check sector and cluster size. * Add the fix for https://github.com/relan/exfat/issues/6 found and reported by The Fuzzing Project. Detect infinite loop. ganeti (2.12.4-1+deb8u3) jessie-security; urgency=high . * Fix gnt-instance info regression after CVE-2015-7945 (Closes: #810850) ganeti (2.12.4-1+deb8u2) jessie-security; urgency=medium . * Redact the DRBD secret in instance queries (CVE-2015-7945). * RAPI hardening: bind to lo and require authentication (CVE-2015-7944). * Add NEWS entry documenting RAPI hardening. * Add DEP-8 tests from unstable + Ship missing QA files from upstream git. ganeti (2.12.4-1) unstable; urgency=medium . * New upstream bugfix release (see /usr/share/doc/ganeti/NEWS.gz), including the following fixes: + Fix a performance regression in 2.12 during gnt-cluster verify and gnt-cluster verify-disks (high CPU usage) (closes: #784620). + Make the RAPI responsive after master-failover. + Fix gnt-cluster verify reporting existing instance disks on non-default VGs as missing. * Drop GHC 7.8 patch + It is part of the 2.12.4 release. * Drop dh_autoreconf + Not needed after removing the GHC 7.8 patch. ganglia-modules-linux (1.3.6-1+deb8u1) stable; urgency=medium . * Only restart service if already running. (Closes: #790951) gdk-pixbuf (2.31.1-2+deb8u4) jessie-security; urgency=high . * Non-maintainer upload by the Security Team. * Add additional patch for CVE-2015-4491. The n_x variable could be made large enough to overflow, which was missed in the initial commit upstream. gdk-pixbuf (2.31.1-2+deb8u3) jessie-security; urgency=high . * Non-maintainer upload by the Security Team. * Add patches to fix CVE-2015-7673. CVE-2015-7673: Heap overflow and DoS vulnerability when scaling a TGA file. * Add patch to fix CVE-2015-7674. CVE-2015-7674: Heap overflow when scaling a GIF file. getmail4 (4.46.0-1+deb8u1) jessie; urgency=low . * The Python 2.7.9 introduced a regression while addressing CVE-2013-1752 with poplib._MAXLINE=2048 which causes problem for some HTML mails etc.. This fix sets poplib._MAXLINE=1MB as in the getmail 4.48.0. Closes: #782614 git (1:2.1.4-2.1+deb8u1) jessie-security; urgency=high . * Non-maintainer upload by the Security Team. * Fix CVE-2015-7545, arbitrary code execution issues via URLs with: - 01-CVE-2015-7545-1.patch: add a protocol-whitelist environment variable - 02-CVE-2015-7545-2.patch: allow only certain protocols for submodule fetches - 03-CVE-2015-7545-3.patch: refactor protocol whitelist code - 04-CVE-2015-7545-4.patch: limit redirection to protocol-whitelist - 05-CVE-2015-7545-5.patch: limit redirection depth * Make new tests executable. glance (2014.1.3-12+deb8u1) jessie-proposed-updates; urgency=medium . * CVE-2015-5251: Glance image status manipulation. Applied upstream patch after rebasing it from Juno to Icehouse (Closes: #799931). glibc (2.19-18+deb8u2) stable; urgency=medium . [ Aurelien Jarno ] * Update from upstream stable branch: - Fix getaddrinfo sometimes returning uninitialized data with nscd. Closes: #798515. - Fix data corruption while reading the NSS files database (CVE-2015-5277). Closes: #799966. - Fix buffer overflow (read past end of buffer) in internal_fnmatch. - Fix _IO_wstr_overflow integer overflow. - Fix unexpected closing of nss_files databases after lookups, causing denial of service (CVE-2014-8121). Closes: #779587. - Fix NSCD netgroup cache. Closes: #800523. * patches/any/cvs-ld_pointer_guard.diff: new patch from upstream to unconditionally disable LD_POINTER_GUARD. Closes: #798316, #801691. * patches/any/cvs-mangle-tls_dtor_list.diff: new patch from upstream to mangle function pointers in tls_dtor_list. Closes: #802256. * patches/any/cvs-strxfrm-buffer-overflows.diff: new patch from upstream to fix memory allocations issues that can lead to buffer overflows on the stack. Closes: #803927. . [ Henrique de Moraes Holschuh ] * Replace patches/amd64/local-blacklist-on-TSX-Haswell.diff by local-blacklist-for-Intel-TSX.diff also blacklisting some Broadwell models. Closes: #800574. gnome-orca (3.14.0-4+deb8u1) jessie; urgency=medium . * Team upload. * patches/password-not-spoken.diff: Make sure to bring focus on password entry when typing a key, so we don't echo it. (Closes: #800602). gnome-shell-extension-weather (0~20140924.git7e28508-1+deb8u1) jessie; urgency=medium . * d/p/missing-api-key.patch: new patch. Displays a warning if API key has not been supplied by the user, since querying openweathermap.org no longer works without such a key. (Closes: #801979) grub2 (2.02~beta2-22+deb8u1) jessie-security; urgency=high . * Non-maintainer upload. * Fix CVE-2015-8370: buffer overflow when checking password entered during bootup (Closes: #807614). gummi (0.6.5-3+deb8u1) stable; urgency=medium . * Added no-predictable-tmpfiles.patch, fix of CVE 2015-7758 (Closes: #756432). human-icon-theme (0.28.debian-3.4~deb8u1) jessie; urgency=medium . * Non-maintainer upload. * Rebuild for jessie. . human-icon-theme (0.28.debian-3.4) unstable; urgency=medium . * Non-maintainer upload. * debian/clean-up.sh: Do not run processes in background. (Closes: #793062) icedove (31.8.0-1~deb8u1) stable-security; urgency=medium . * [d427fea] Imported Upstream version 31.8.0 - MFSA 2015-59 aka CVE-2015-2724 - MFSA 2015-66 aka CVE-2015-2734, CVE-2015-2735, CVE-2015-2736, CVE-2015-2737, CVE-2015-2738, CVE-2015-2739, CVE-2015-2740 - MFSA 2015-70 aka CVE-2015-4000 - MFSA 2015-71 aka CVE-2015-2721 * [6516780] lintian: add override for libpng * [1c33ec2] build against internal libnss3 icedove (31.8.0-1~deb7u1) oldstable-security; urgency=medium . * [d427fea] Imported Upstream version 31.8.0 - MFSA 2015-59 aka CVE-2015-2724 - MFSA 2015-66 aka CVE-2015-2734, CVE-2015-2735, CVE-2015-2736, CVE-2015-2737, CVE-2015-2738, CVE-2015-2739, CVE-2015-2740 - MFSA 2015-70 aka CVE-2015-4000 - MFSA 2015-71 aka CVE-2015-2721 * [a906439] lintian: add override for libpng icedove (31.7.0-1) unstable; urgency=medium . * [c3c81df] Imported Upstream version 31.7.0 * [471ec7c] rebuild patch queue from patch-queue branch added patches: - fixes/vp8_impl.cc-backporting-naming-for-const.patch (Closes: #785429) * [137ee51] lintian: add override for libpng iceweasel (38.5.0esr-1~deb8u2) stable-security; urgency=medium . * security/nss/lib/ckfw/builtins/certdata.txt: Remove the SPI Inc. and CAcert.org CA certificates. The former was removed in NSS 3.21-1 and the latter in 3.16-1, and remained here largely overlooked. . iceweasel (38.5.0esr-1~deb8u1) stable-security; urgency=medium . * New upstream release. * Fixes for mfsa2015-{134,138-139,145-147,149}, also known as: CVE-2015-7201, CVE-2015-7210, CVE-2015-7212, CVE-2015-7205, CVE-2015-7213, CVE-2015-7222, CVE-2015-7214. . * debian/rules: Follow upstream default for Gtk+2 vs. Gtk+3 automatically. * debian/watch: Update file to use https://archive.mozilla.org/. iceweasel (38.5.0esr-1~deb8u1) stable-security; urgency=medium . * New upstream release. * Fixes for mfsa2015-{134,138-139,145-147,149}, also known as: CVE-2015-7201, CVE-2015-7210, CVE-2015-7212, CVE-2015-7205, CVE-2015-7213, CVE-2015-7222, CVE-2015-7214. . * debian/rules: Follow upstream default for Gtk+2 vs. Gtk+3 automatically. * debian/watch: Update file to use https://archive.mozilla.org/. iceweasel (38.5.0esr-1~deb7u2) oldstable-security; urgency=medium . * security/nss/lib/ckfw/builtins/certdata.txt: Remove the SPI Inc. and CAcert.org CA certificates. The former was removed in NSS 3.21-1 and the latter in 3.16-1, and remained here largely overlooked. . iceweasel (38.5.0esr-1~deb7u1) oldstable-security; urgency=medium . * New upstream release. * Fixes for mfsa2015-{134,138-139,145-147,149}, also known as: CVE-2015-7201, CVE-2015-7210, CVE-2015-7212, CVE-2015-7205, CVE-2015-7213, CVE-2015-7222, CVE-2015-7214. . * debian/rules: Follow upstream default for Gtk+2 vs. Gtk+3 automatically. * debian/watch: Update file to use https://archive.mozilla.org/. iceweasel (38.4.0esr-1) unstable; urgency=medium . * New upstream release. * Fixes for mfsa2015-{116,122-123,127-128,130-132}, also known as: CVE-2015-4513, CVE-2015-7188, CVE-2015-7189, CVE-2015-7193, CVE-2015-7194, CVE-2015-7196, CVE-2015-7198, CVE-2015-7199, CVE-2015-7200, CVE-2015-7197. iceweasel (38.4.0esr-1~deb8u1) stable-security; urgency=medium . * New upstream release. * Fixes for mfsa2015-{116,122-123,127-128,130-133}, also known as: CVE-2015-4513, CVE-2015-7188, CVE-2015-7189, CVE-2015-7193, CVE-2015-7194, CVE-2015-7196, CVE-2015-7198, CVE-2015-7199, CVE-2015-7200, CVE-2015-7197, CVE-2015-7181, CVE-2015-7182, CVE-2015-7183. . * debian/control*: Bump nspr and nss build dependencies. iceweasel (38.4.0esr-1~deb7u1) oldstable-security; urgency=medium . * New upstream release. * Fixes for mfsa2015-{116,122-123,127-128,130-133}, also known as: CVE-2015-4513, CVE-2015-7188, CVE-2015-7189, CVE-2015-7193, CVE-2015-7194, CVE-2015-7196, CVE-2015-7198, CVE-2015-7199, CVE-2015-7200, CVE-2015-7197, CVE-2015-7181, CVE-2015-7182, CVE-2015-7183. . * debian/control*: Bump nspr and nss build dependencies. iceweasel (38.3.0esr-1) unstable; urgency=medium . * New upstream release. * Fixes for mfsa2015-{96,105-106,110-112}, also known as: CVE-2015-4500, CVE-2015-4511, CVE-2015-4509, CVE-2015-4519, CVE-2015-4520, CVE-2015-7174. . * debian/rules, debian/removed_conffiles, debian/browser.postinst.in, debian/browser.postrm.in, debian/browser.preinst.in: Remove past conffiles. Closes: #795353. . * config/system-headers: Fix build against latest freetype code. bz#1143411, bz#1194520. iceweasel (38.3.0esr-1~deb8u1) stable-security; urgency=medium . * New upstream release. * Fixes for mfsa2015-{96,101,105-106,110-112}, also known as: CVE-2015-4500, CVE-2015-4506, CVE-2015-4511, CVE-2015-4509, CVE-2015-4519, CVE-2015-4520, CVE-2015-7174. . * debian/rules, debian/removed_conffiles, debian/browser.postinst.in, debian/browser.postrm.in, debian/browser.preinst.in: Remove past conffiles. Closes: #795353. . * config/system-headers: Fix build against latest freetype code. bz#1143411, bz#1194520. iceweasel (38.3.0esr-1~deb7u1) oldstable-security; urgency=medium . * New upstream release. * Fixes for mfsa2015-{96,101,105-106,110-112}, also known as: CVE-2015-4500, CVE-2015-4506, CVE-2015-4511, CVE-2015-4509, CVE-2015-4519, CVE-2015-4520, CVE-2015-7174. . * debian/rules, debian/removed_conffiles, debian/browser.postinst.in, debian/browser.postrm.in, debian/browser.preinst.in: Remove past conffiles. Closes: #795353. . * config/system-headers: Fix build against latest freetype code. bz#1143411, bz#1194520. iceweasel (38.2.1esr-1) unstable; urgency=high . * New upstream release. * Fixes for mfsa2015-{94-95}, also known as: CVE-2015-4497, CVE-2015-4498. . * configure.in: Build libvpx neon code with -mfloat-abi=softfp on armel. * media/libjpeg/simd/jsimd_mips_dspr2.S: Fix build error in MIPS SIMD when compiling with -mfpxx. . iceweasel (38.2.0esr-2) UNRELEASED; urgency=medium . * debian/rules, debian/upstream.mk: Don't set LESS_SYSTEM_LIBS when building a backport for stretch. Closes: #795331. * debian/rules, debian/control.in: Force build with GCC 4.7 when backporting to wheezy. . * media/libvpx/moz.build: Build libvpx neon code without -mthumb and -mfloat-abi=softfp. Closes: #795337. . icu (52.1-8+deb8u3) jessie-security; urgency=high . * Fix CVE-2015-1270 - uninitialized memory read (closes: #798647). ieee-data (20150531.1~deb8u1) stable; urgency=medium . * New iab.txt url updated. * SSL connections disable, since standards.ieee.org uses TLS AIA and many dowloaders do not support it. Closes: #783096, #779543. * Files mam.txt and oui36.txt added. intel-microcode (3.20151106.1~deb8u1) stable; urgency=medium . * Rebuild for jessie (stable update), no changes required * This is the same package as 3.20151106.1~bpo8+1 (jessie-backports) and 3.20151106.1 (unstable, stretch) . intel-microcode (3.20151106.1) unstable; urgency=medium . * New upstream microcode data file 20151106 + New Microcodes: sig 0x000306f4, pf mask 0x80, 2015-07-17, rev 0x0009, size 14336 sig 0x00040671, pf mask 0x22, 2015-08-03, rev 0x0013, size 11264 + Updated Microcodes: sig 0x000306a9, pf mask 0x12, 2015-02-26, rev 0x001c, size 12288 sig 0x000306c3, pf mask 0x32, 2015-08-13, rev 0x001e, size 21504 sig 0x000306d4, pf mask 0xc0, 2015-09-11, rev 0x0022, size 16384 sig 0x000306f2, pf mask 0x6f, 2015-08-10, rev 0x0036, size 30720 sig 0x00040651, pf mask 0x72, 2015-08-13, rev 0x001d, size 20480 * This massive Haswell + Broadwell (and related Xeons) update fixes several critical errata, including the high-hitting BDD86/BDM101/ HSM153(?) which triggers an MCE and locks the processor core (LP: #1509764) * Might fix critical errata BDD51, BDM53 (TSX-related) * source: remove superseded upstream data file: 20150121 * Add support for supplementary microcode bundles: + README.source: update and mention supplementary microcode + Makefile: support supplementary microcode Add support for supplementary microcode bundles, which (unlike .fw microcode override files) can be superseded by a higher revision microcode from the latest regular microcode bundle. Also, fix the "oldies" target to have its own exclude filter (IUC_OLDIES_EXCLUDE) * Add support for x32 arch: + README.source: mention x32 + control,rules: enable building on x32 arch (Closes: #777356) * ucode-blacklist: add Broadwell and Haswell-E signatures Add a missing signature for Haswell Refresh (Haswell-E) to the "must be updated only by the early microcode update driver" list. There is at least one report of one of the Broadwell microcode updates disabling TSX-NI, so add them as well just in case intel-microcode (3.20151106.1~bpo8+1) jessie-backports; urgency=medium . * Rebuild for jessie-backports (no changes) . intel-microcode (3.20151106.1) unstable; urgency=medium . * New upstream microcode data file 20151106 + New Microcodes: sig 0x000306f4, pf mask 0x80, 2015-07-17, rev 0x0009, size 14336 sig 0x00040671, pf mask 0x22, 2015-08-03, rev 0x0013, size 11264 + Updated Microcodes: sig 0x000306a9, pf mask 0x12, 2015-02-26, rev 0x001c, size 12288 sig 0x000306c3, pf mask 0x32, 2015-08-13, rev 0x001e, size 21504 sig 0x000306d4, pf mask 0xc0, 2015-09-11, rev 0x0022, size 16384 sig 0x000306f2, pf mask 0x6f, 2015-08-10, rev 0x0036, size 30720 sig 0x00040651, pf mask 0x72, 2015-08-13, rev 0x001d, size 20480 * This massive Haswell + Broadwell (and related Xeons) update fixes several critical errata, including the high-hitting BDD86/BDM101/ HSM153(?) which triggers an MCE and locks the processor core (LP: #1509764) * Might fix critical errata BDD51, BDM53 (TSX-related) * source: remove superseded upstream data file: 20150121 * Add support for supplementary microcode bundles: + README.source: update and mention supplementary microcode + Makefile: support supplementary microcode Add support for supplementary microcode bundles, which (unlike .fw microcode override files) can be superseded by a higher revision microcode from the latest regular microcode bundle. Also, fix the "oldies" target to have its own exclude filter (IUC_OLDIES_EXCLUDE) * Add support for x32 arch: + README.source: mention x32 + control,rules: enable building on x32 arch (Closes: #777356) * ucode-blacklist: add Broadwell and Haswell-E signatures Add a missing signature for Haswell Refresh (Haswell-E) to the "must be updated only by the early microcode update driver" list. There is at least one report of one of the Broadwell microcode updates disabling TSX-NI, so add them as well just in case iptables-persistent (1.0.3+deb8u1) jessie; urgency=medium . * [10cab8] Stop rules files being world-readable. Thanks to Bernhard Thaler (Closes: #764645) * [dbeffc] Rewrite README, install for both packages (Closes: #807285) * [dcd3f5] Update VCS links * [e0e1cf] Re-tab plugins/15-ip4tables and plugins/25-ip6tables isc-dhcp (4.3.1-6+deb8u2) jessie-security; urgency=high . * Fix CVE-2015-8605: maliciously crafted IPv4 packet can cause any of the running DHCP applications (server, client, or relay) to crash. isc-dhcp (4.3.1-6+deb8u1) jessie; urgency=medium . [ Michael Gilbert ] * Fix error when max lease time is used on 64-bit systems (closes: #795227). keepassx (0.4.3+dfsg-0.1+deb8u1) jessie; urgency=medium . * Add patch that fixes CVE-2015-8378 (Closes: #791858) krb5 (1.12.1+dfsg-19+deb8u1) jessie-security; urgency=high . * Import upstream patches for four CVEs: - CVE-2015-2695: SPNEGO context aliasing during establishment, Closes: #803083 - CVE-2015-2696: IAKERB context aliasing during establishment, Closes: #803084 - CVE-2015-2697: unsafe string handling in TGS processing, Closes: #803088 - CVE-2015-2698: regression (memory corruption) in patch for CVE-2015-2696 * In addition to CVE-2015-2698, the upstream patches for CVE-2015-2695 and CVE-2015-2696 introduced regressions preventing the use of gss_import_sec_context() with contexts established using IAKERB or SPNEGO; the fixes for those regressions are included here. ldb (2:1.1.17-2+deb8u1) jessie-security; urgency=high . * Add patch CVE-2015-3223: Fixes CVE-2015-3223: Denial of Service. * Add patch CVE-2015-5330: Fixes CVE-2015-5330: Remote memory read. libapache-mod-fastcgi (2.4.7~0910052141-1.1+deb8u1) jessie; urgency=medium . * Non-maintainer upload. * Switch B-D from libtool to libtool-bin to fix FTBFS. (Closes: #793189) libapache2-mod-perl2 (2.0.9~1624218-2+deb8u1) jessie; urgency=medium . * Apply upstream 2.0.9 patches fixing crashes in modperl_interp_unselect(). Thanks to Patrick Matthäi. (Closes: #803043) libcgi-session-perl (4.48-1+deb8u1) jessie; urgency=medium . * Team upload. * Untaint raw data coming from session storage backends. + fixes a taint regression caused by CVE-2015-8607 fixes in perl (Closes: #810799) libcommons-collections3-java (3.2.1-7+deb8u1) jessie-security; urgency=medium . * Backported a modification from commons-collections 3.2.2 disabling the deserialization of the functors classes unless the system property org.apache.commons.collections.enableUnsafeSerialization is set to true. This fixes a vulnerability in unsafe applications deserializing objects from untrusted sources without sanitizing the input data. libdatetime-timezone-perl (1:1.75-2+2015g) jessie; urgency=medium . * Update to Olson database version 2015g. Add patch debian/patches/olson-2015g, which updates the timezone *.pm files, using upstream's tools/parse_olson script. This update contains contemporary changes for Turkey, Norfolk, Fiji, and Fort Nelson. libencode-perl (2.63-1+deb8u1) jessie; urgency=medium . * Add patch dont-die-without-bom.patch. The decode() routine died when no BOM was found. This patch, backported from upstream's 2.77 release, changes the behaviour to fall back to BE according to RFC2781 and the Unicode Standard version 8.0. (Closes: #799086) libhtml-scrubber-perl (0.11-1+deb8u1) jessie; urgency=medium . * [SECURITY] CVE-2015-5667: Backport upstream patch fixing a cross-site scripting vulnerability in comments. (Closes: #803943) libinfinity (0.6.7-1~deb8u1) jessie; urgency=medium . * Upload to Debian jessie. . libinfinity (0.6.7-1) unstable; urgency=medium . * New upstream release libinfinity (0.6.6-1) unstable; urgency=medium . * New upstream release - Check certificates for expiration and weak algorithms even if the CA is trusted. (Closes: #783601) libiptables-parse-perl (1.1-1+deb8u1) jessie; urgency=medium . * Team upload. * Add CVE-2015-8326.patch patch. CVE-2015-8326: Use of predictable names for temporary files. libiptables-parse-perl (1.1-1+deb7u1) wheezy; urgency=medium . * Team upload. * Add CVE-2015-8326.patch patch. CVE-2015-8326: Use of predictable names for temporary files. libphp-phpmailer (5.2.9+dfsg-2+deb8u1) jessie-security; urgency=high . * gbp.conf: Track the jessie branch * Backport fix from 5.2.14: PHPMailer Message Injection Vulnerability [CVE-2015-8476] (Closes: #807265) libpng (1.2.50-2+deb8u2) jessie-security; urgency=high . * Non-maintainer upload by the Security Team. * Add patches to address CVE-2015-8472. CVE-2015-8472: Incomplete fix for callers on png_set_PLTE. (Closes: #807112) * Add CVE-2015-8540.patch patch. CVE-2015-8540: underflow read in png_check_keyword(). (Closes: #807694) libpng (1.2.50-2+deb8u1) jessie-security; urgency=high . * Non-maintainer upload by the Security Team. * Add CVE-2015-7981.patch patch. CVE-2015-7981: Out-of-bounds read in png_convert_to_rfc1123. (Closes: #803078) * Add Prevent-writing-over-length-PLTE-chunk-Cosm.patch patch. CVE-2015-8126: Multiple buffer overflows in the png_set_PLTE and png_get_PLTE functions. (Closes: #805113) * Add Fixed-new-bug-with-CRC-error-after-reading-.patch patch. Fixed new bug with CRC error after reading an over-length palette. libraw (0.16.0-9+deb8u2) stable; urgency=high . * debian/patches/: patchset updated - 0002-Fix_CVE-2015-8366_CVE-2015-8367.patch added | CVE-2015-8366: Index overflow in smal_decode_segment | CVE-2015-8367: Memory objects are not intialized properly libreoffice (1:4.3.3-2+deb8u2) jessie-security; urgency=high . * debian/patches/CVE-2015-4551.diff: backport fix for Arbritary file disclosure vulnerability (CVE-2014-4551) from libreoffice-4-4-4 branch * debian/patches/ww8dontwrap.diff: fix 'LibreOffice "Piece Table Counter" Invalid Check Design Error Vulnerability' (CVE-2015-5213), from libreoffice-4-4-5 branch * debian/patches/coverity-1266485.diff: fix 'LibreOffice "PrinterSetup Length" Integer Underflow Vulnerability' (CVE-2015-5212), from libreoffice-4-4-5 branch * debian/patches/pStatus-vector-offsets.diff: fix 'LibreOffice Bookmark Status Memory Corruption Vulnerability' (CVE-2015-5214), from libreoffice-4-4 branch libssh (0.6.3-4+deb8u1) jessie; urgency=medium . * Non-maintainer upload. * debian/patches: - Add 0002_CVE-2015-3146.patch Fix "null pointer dereference due to a logical error in the handling of a SSH_MSG_NEWKEYS and KEXDH_REPLY packets" (Closes: #784404, CVE-2015-3146) libvdpau (0.8-3+deb8u2) jessie-security; urgency=medium . * Cherry-pick upstream commit to fix crash with the DRI_PRIME environment variable set on 64-bit systems, regression caused by switch to secure_getenv(3). (Closes: #802625) - [1cda354] 0034-mesa_dri2-Add-missing-include-of-config.h-to-define.patch libvdpau (0.8-3+deb8u1) jessie-security; urgency=high . * Patch for CVE 2015-5198, 2015-5199, 2015-5200 - Use secure_getenv(3) to improve security (CVE-2015-5198, CVE-2015-5199, CVE-2015-5200). Closes: #797895. * Add myself to Uploaders libxml2 (2.9.1+dfsg1-5+deb8u1) jessie-security; urgency=high . * Non-maintainer upload by the Security Team. * Add patches to address CVE-2015-7941. CVE-2015-7941: Denial of service via out-of-bounds read. (Closes: #783010) * Add 0058-CVE-2015-1819-Enforce-the-reader-to-run-in-constant-.patch. CVE-2015-1819: Enforce the reader to run in constant memory. (Closes: #782782) * Add patches to address CVE-2015-8317. CVE-2015-8317: Out-of-bounds heap read when parsing file with unfinished xml declaration. * Add patches to address CVE-2015-7942. CVE-2015-7942: heap-based buffer overflow in xmlParseConditionalSections(). (Closes: #802827) * Add 0063-Fix-parsing-short-unclosed-comment-uninitialized-acc.patch patch. Parsing an unclosed comment can result in `Conditional jump or move depends on uninitialised value(s)` and unsafe memory access. (Closes: #782985) * Add 0064-CVE-2015-8035-Fix-XZ-compression-support-loop.patch patch. CVE-2015-8035: DoS when parsing specially crafted XML document if XZ support is enabled. (Closes: #803942) * Add 0065-Avoid-extra-processing-of-MarkupDecl-when-EOF.patch patch. CVE-2015-8241: Buffer overread with XML parser in xmlNextChar. (Closes: #806384) * Add 0066-Avoid-processing-entities-after-encoding-conversion-.patch patch. CVE-2015-7498: Heap-based buffer overflow in xmlParseXmlDecl. * Add 0067-CVE-2015-7497-Avoid-an-heap-buffer-overflow-in-xmlDi.patch patch. CVE-2015-7497: Heap-based buffer overflow in xmlDictComputeFastQKey. * Add 0068-CVE-2015-5312-Another-entity-expansion-issue.patch patch. CVE-2015-5312: CPU exhaustion when processing specially crafted XML input. * Add patches to address CVE-2015-7499. CVE-2015-7499: Heap-based buffer overflow in xmlGROW. * Add 0071-CVE-2015-7500-Fix-memory-access-error-due-to-incorre.patch patch. CVE-2015-7500: Heap buffer overflow in xmlParseMisc. linux (3.16.7-ckt20-1+deb8u2) jessie-security; urgency=medium . * [xen] Fix race conditions in back-end drivers (CVE-2015-8550, XSA-155) * [xen] pciback: Fix state validation in MSI control operations (CVE-2015-8551, CVE-2015-8852, XSA-157) * pptp: verify sockaddr_len in pptp_bind() and pptp_connect() (CVE-2015-8569) * bluetooth: Validate socket address length in sco_sock_bind() (CVE-2015-8575) * ptrace: being capable wrt a process requires mapped uids/gids (CVE-2015-8709) * KEYS: Fix race between read and revoke (CVE-2015-7550) * [x86] KVM: Reload pit counters for all channels when restoring state (CVE-2015-7513) * udp: properly support MSG_PEEK with truncated buffers (Closes: #808293, regression in 3.16.7-ckt17) * Revert "xhci: don't finish a TD if we get a short transfer event mid TD" (Closes: #808602, #808953, regression in 3.16.7-ckt20) linux (3.16.7-ckt20-1+deb8u2~bpo70+1) wheezy-backports; urgency=medium . * Rebuild for wheezy: - Disable architectures that weren't part of wheezy - Use gcc-4.6 for all architectures - Change ABI number to 0.bpo.4 - [arm] btrfs: Work around bug in gcc-4.6 (fixes FTBFS) - linux-image: Depend on initramfs-tools without any alternatives, so that neither apt nor aptitude will automatically switch to dracut . linux (3.16.7-ckt20-1+deb8u2) jessie-security; urgency=medium . * [xen] Fix race conditions in back-end drivers (CVE-2015-8550, XSA-155) * [xen] pciback: Fix state validation in MSI control operations (CVE-2015-8551, CVE-2015-8852, XSA-157) * pptp: verify sockaddr_len in pptp_bind() and pptp_connect() (CVE-2015-8569) * bluetooth: Validate socket address length in sco_sock_bind() (CVE-2015-8575) * ptrace: being capable wrt a process requires mapped uids/gids (CVE-2015-8709) * KEYS: Fix race between read and revoke (CVE-2015-7550) * [x86] KVM: Reload pit counters for all channels when restoring state (CVE-2015-7513) * udp: properly support MSG_PEEK with truncated buffers (Closes: #808293, regression in 3.16.7-ckt17) * Revert "xhci: don't finish a TD if we get a short transfer event mid TD" (Closes: #808602, #808953, regression in 3.16.7-ckt20) . linux (3.16.7-ckt20-1+deb8u1) jessie-security; urgency=medium . [ Salvatore Bonaccorso ] * [x86] KVM: rename update_db_bp_intercept to update_bp_intercept . [ Ben Hutchings ] * media: usbvision: fix leak of usb_dev on failure paths in usbvision_probe() * media: usbvision: fix crash on detecting device with invalid configuration (CVE-2015-7833, partly fixed in 3.16.7-ckt11-1+deb8u6) * splice: sendfile() at once fails for big files (Closes: #785189) * unix: avoid use-after-free in ep_remove_wait_queue (CVE-2013-7446) * Btrfs: fix truncation of compressed and inlined extents (CVE-2015-8374) * net: add validation for the socket syscall protocol argument (CVE-2015-8543) . linux (3.16.7-ckt20-1) jessie; urgency=medium . * New upstream stable update: http://kernel.ubuntu.com/stable/ChangeLog-3.16.7-ckt18 - mac80211: enable assoc check for mesh interfaces - PCI: Add VPD function 0 quirk for Intel Ethernet devices - staging: comedi: usbduxsigma: don't clobber ai_timer in command test - staging: comedi: usbduxsigma: don't clobber ao_timer in command test - [armhf] usb: dwc3: ep0: Fix mem corruption on OUT transfers of more than 512 bytes - [x86] KVM: MMU: fix validation of mmio page fault (regression in 3.11) - iio: industrialio-buffer: Fix iio_buffer_poll return value (regression in 3.13) - iio: event: Remove negative error code from iio_event_poll (regression in 3.13) - NFSv4: don't set SETATTR for O_RDONLY|O_EXCL - fs: Set the size of empty dirs to 0. (regression in 3.16.7-ckt15) - [x86] staging: comedi: adl_pci7x3x: fix digital output on PCI-7230 - blk-mq: fix buffer overflow when reading sysfs file of 'pending' - NFS: nfs_set_pgio_error sometimes misses errors - NFS: Fix a NULL pointer dereference of migration recovery ops for v4.2 client - usb: host: ehci-sys: delete useless bus_to_hcd conversion - USB: symbolserial: Use usb_get_serial_port_data (regression in 3.10) - igb: Fix oops caused by missing queue pairing (regression in 3.14) - eCryptfs: Invalidate dcache entries when lower i_nlink is zero - libxfs: readahead of dir3 data blocks should use the read verifier - xfs: Fix xfs_attr_leafblock definition - [arm64] kconfig: Move LIST_POISON to a safe value - Btrfs: check if previous transaction aborted to avoid fs corruption - xfs: Fix file type directory corruption for btree directories - [arm64] flush FP/SIMD state correctly after execve() - xfs: return errors from partial I/O failures to files - drm/radeon/atom: Send out the full AUX address - [x86] drm/i915: Always mark the object as dirty when used by the GPU - IB/uverbs: reject invalid or unknown opcodes - [x86] crypto: ghash-clmulni: specify context size for ghash async algorithm - fs: create and use seq_show_option for escaping - scsi: fix scsi_error_handler vs. scsi_host_dev_release race - [x86] drm/i915: Limit the number of loops for reading a split 64bit register (regression in 3.16.7-ckt16) - hfs,hfsplus: cache pages correctly between bnode_create and bnode_free - hfs: fix B-tree corruption after insertion at position 0 - [armel/versatile,armhf] Input: ambakmi - fix system PM by converting to modern callbacks (regression in 3.14) - svcrdma: Fix send_reply() scatter/gather set-up - [x86] mm: Initialize pmd_idx in page_table_range_init_count() - batman-adv: fix multicast counter when purging originators - batman-adv: fix counter for multicast supporting nodes - batman-adv: Fix potential synchronization issues in mcast tvlv handler - batman-adv: Fix potentially broken skb network header access - [powerpc/powerpc64] mm: Fix pte_pagesize_index() crash on 4K w/64K hash - ath10k: fix dma_mapping_error() handling - mmc: sdhci: also get preset value and driver type for MMC_DDR52 (regression in 3.16) - IB/mlx4: Fix potential deadlock when sending mad to wire - IB/mlx4: Forbid using sysfs to change RoCE pkeys - IB/uverbs: Fix race between ib_uverbs_open and remove_one - mmc: core: fix race condition in mmc_wait_data_done - task_work: remove fifo ordering guarantee - netlink, mmap: fix edge-case leakages in nf queue zero-copy - md: flush ->event_work before stopping array. - md/raid10: always set reshape_safe when initializing reshape_position. - ext4: fix loss of delalloc extent info in ext4_zero_range() - [powerpc,ppc64el] MSI: Fix race condition in tearing down MSI interrupts - UBI: block: Add missing cache flushes - net/ipv6: Correct PIM6 mrt_lock handling - netlink, mmap: transform mmap skb into full skb on taps - openvswitch: Zero flows on allocation. - fib_rules: fix fib rule dumps across multiple skbs http://kernel.ubuntu.com/stable/ChangeLog-3.16.7-ckt19 - CIFS: fix type confusion in copy offload ioctl - [x86] apic: Serialize LVTT and TSC_DEADLINE writes - [arm64] head.S: initialise mdcr_el2 in el2_setup - kvm: don't try to register to KVM_FAST_MMIO_BUS for non mmio eventfd - kvm: fix double free for fast mmio eventfd - [powerpc*] mm: Recompute hash value after a failed update (regression in 3.11) - [i386] platform: Fix Geode LX timekeeping in the generic x86 build - [arm64,armhf] KVM: Disable virtual timer even if the guest is not using it - [x86] hp-wmi: limit hotkey enable - zram: fix possible use after free in zcomp_create() (regression in 3.15) - [x86] drm/vmwgfx: Fix up user_dmabuf refcounting - [armhf] dts: omap3-beagle: make i2c3, ddc and tfp410 gpio work again (regression in 3.15) - Btrfs: fix read corruption of compressed and shared extents - btrfs: skip waiting on ordered range for special files - [armhf] usb: chipidea: udc: using the correct stall implementation - [armhf] net: mvneta: fix DMA buffer unmapping in mvneta_rx() (regression in 3.16.7-ckt16) - iser-target: remove command with state ISTATE_REMOVE - [x86] KVM: trap AMD MSRs for the TSeg base and mask - usb: Use the USB_SS_MULT() macro to get the burst multiplier. - xhci: give command abortion one more chance before killing xhci - usb: xhci: Clear XHCI_STATE_DYING on start - xhci: change xhci 1.0 only restrictions to support xhci 1.1 - xhci: init command timeout timer earlier to avoid deleting it uninitialized - cifs: use server timestamp for ntlmv2 authentication - [x86] paravirt: Replace the paravirt nop with a bona fide empty function - [amd64] nmi: Fix a paravirt stack-clobbering bug in the NMI code (regression in 3.16.7-ckt16) - ocfs2/dlm: fix deadlock when dispatch assert master - [x86] drm/i915/bios: handle MIPI Sequence Block v3+ gracefully - drm/qxl: only report first monitor as connected if we have no state - PCI: Fix devfn for VPD access through function 0 (regression in 3.16.7-ckt18) - PCI: Use function 0 VPD for identical functions, regular VPD for others - netfilter: nft_compat: skip family comparison in case of NFPROTO_UNSPEC - vxlan: set needed headroom correctly - jbd2: avoid infinite loop when destroying aborted journal - asix: Don't reset PHY on if_up for ASIX 88772 - asix: Do full reset during ax88772_bind - fib_rules: Fix dump_rules() not to exit early - net/xen-netfront: only napi_synchronize() if running - [x86] intel_pstate: Fix overflow in busy_scaled due to long delay - UBI: Validate data_size - UBI: return ENOSPC if no enough space available - [mips*/4kc-malta] dma-default: Fix 32-bit fall back to GFP_DMA - [x86] efi: Fix boot crash by mapping EFI memmap entries bottom-up at runtime, instead of top-down - [x86] Use WARN_ON_ONCE for missing X86_FEATURE_NRIPS - mm: hugetlbfs: skip shared VMAs when unmapping private pages to satisfy a fault - [x86] mm: Set NX on gap between __ex_table and rodata - clocksource: Fix abs() usage w/ 64bit values - [x86] drm/vmwgfx: Fix kernel NULL pointer dereference on older hardware - fs: if a coredump already exists, unlink and recreate with O_EXCL - sctp: donot reset the overall_error_count in SHUTDOWN_RECEIVE state - l2tp: protect tunnel->del_work by ref_count - af_unix: return data from multiple SKBs on recv() with MSG_PEEK flag - net/unix: fix logic about sk_peek_offset - skbuff: Fix skb checksum flag on skb pull - skbuff: Fix skb checksum partial check. - net: add pfmemalloc check in sk_add_backlog() - ppp: don't override sk->sk_state in pppoe_flush_dev() - ethtool: Use kcalloc instead of kmalloc for ethtool_get_strings - ovs: do not allocate memory from offline numa node - netlink: Trim skb to alloc size to avoid MSG_TRUNC - net: add length argument to skb_copy_and_csum_datagram_iovec (regression in 3.16.7-ckt17) (CVE-2015-8019) - Btrfs: update fix for read corruption of compressed and shared extents http://kernel.ubuntu.com/stable/ChangeLog-3.16.7-ckt20 - regmap: debugfs: Ensure we don't underflow when printing access masks - regmap: debugfs: Don't bother actually printing when calculating max length - [x86] xen: Support kexec/kdump in HVM guests by doing a soft reset - svcrdma: handle rdma read with a non-zero initial page offset (regression in 3.16) - dm: fix AB-BA deadlock in __dm_destroy() (regression in 3.16.7-ckt10) - cifs: [SMB3] Do not fall back to SMBWriteX in set_file_size error cases - dm raid: fix round up of default region size - staging: speakup: fix speakup-r regression - [arm64] readahead: fault retry breaks mmap file read random detection - sched/core: Fix TASK_DEAD race in finish_task_switch() - dm cache: fix NULL pointer when switching from cleaner policy - 3w-9xxx: don't unmap bounce buffered commands (regression in 3.16.7-ckt17) - workqueue: make sure delayed work run in local cpu - drm/radeon: add pm sysfs files late - drm/nouveau/fbcon: take runpm reference when userspace has an open fd - crypto: ahash - ensure statesize is non-zero - btrfs: check unsupported filters in balance arguments - btrfs: fix use after free iterating extrefs - btrfs: fix possible leak in btrfs_ioctl_balance() - drm: Reject DRI1 hw lock ioctl functions for kms drivers - usb: xhci: Add support for URB_ZERO_PACKET to bulk/sg transfers - rbd: fix double free on rbd_dev->header_name - ath9k: declare required extra tx headroom - iio: accel: sca3000: memory corruption in sca3000_read_first_n_hw_rb() - xen-blkfront: check for null drvdata in blkback_changed (XenbusStateClosing) - iio: mxs-lradc: Fix temperature offset - [x86] drm/i915: Deny wrapping an userptr into a framebuffer - xhci: don't finish a TD if we get a short transfer event mid TD - xhci: handle no ping response error properly - drm/nouveau/gem: return only valid domain when there's only one - [powerpc*] rtas: Validate rtas.entry before calling enter_rtas() - mm: make sendfile(2) killable - rbd: don't leak parent_spec in rbd_dev_probe_parent() - rbd: prevent kernel stack blow up on rbd map - dm btree remove: fix a bug when rebalancing nodes after removal - dm btree: fix leak of bufio-backed block in btree_split_beneath error path - IB/cm: Fix rb-tree duplicate free and use-after-free - iwlwifi: mvm: init card correctly on ctkill exit check (regression in 3.16.7-ckt2) - module: Fix locking in symbol_put_addr() - crypto: api - Only abort operations on fatal signal - md/raid1: submit_bio_wait() returns 0 on success - md/raid10: submit_bio_wait() returns 0 on success - [x86] iommu/amd: Don't clear DTE flags when modifying it - [armel,armhf] i2c: mv64xxx: really allow I2C offloading - drm/radeon: don't try to recreate sysfs entries on resume - mvsas: Fix NULL pointer dereference in mvs_slot_task_free - [arm64] Revert "ARM64: unwind: Fix PC calculation" - rbd: require stable pages if message data CRCs are enabled - md/raid5: fix locking in handle_stripe_clean_event() - Revert "md: allow a partially recovered device to be hot-added to an array." (regression in 3.14) - ipv6: Fix IPsec pre-encap fragmentation check - ppp: fix pppoe_dev deletion condition in pppoe_release() - ipv6: gre: support SIT encapsulation (regression in 3.13) - isdn_ppp: Add checks for allocation failure in isdn_ppp_open() - ppp, slip: Validate VJ compression slot parameters completely (CVE-2015-7799) - staging/dgnc: fix info leak in ioctl - sched/preempt: Fix cond_resched_lock() and cond_resched_softirq() (regression in 3.13) . [ Aurelien Jarno ] * [mips*/octeon] Enable CAVIUM_CN63XXP1 (Closes: #800595) . [ Ben Hutchings ] * nbd: Restore request timeout detection (Closes: #770479) * netlink: Fix ABI change in 3.16.7-ckt18 * [x86] Enable PINCTRL_BAYTRAIL (Closes: #797949) * firmware_class: Fix condition in directory search loop (Closes: #804862) * ehci: Fix ABI change in 3.16.7-ckt19 * [arm64] Defer workaround for erratum #843419 * [x86] KVM: svm: unconditionally intercept #DB (CVE-2015-8104) . linux (3.16.7-ckt17-1) jessie; urgency=medium . * New upstream stable updates: http://kernel.ubuntu.com/stable/ChangeLog-3.16.7-ckt12 - [x86] reboot: Add EFI reboot quirk for ACPI Hardware Reduced flag - UBI: fix soft lockup in ubi_check_volume() - mnt: Fail collect_mounts when applied to unmounted mounts - btrfs: unlock i_mutex after attempting to delete subvolume during send (regression in 3.16) - [arm64] dma-mapping: always clear allocated buffers - ALSA: emu10k1: Fix card shortname string buffer overflow - SCSI: add 1024 max sectors black list flag - 3w-sas,3w-xxxx,3w-9xxx: fix command completion race - [armhf] usb: chipidea: otg: remove mutex unlock and lock while stop and start role (regression in 3.16) - cdc-acm: prevent infinite loop when parsing CDC headers. (regression in 3.16.7-ckt8) - ALSA: emux: Fix mutex deadlock in OSS emulation - rbd: end I/O the entire obj_request on error - mlx4_en: Use correct loop cursor in error path. - [armhf,arm64] KVM: Fix and refactor unmap_range - [armhf] KVM: Unmap IPA on memslot delete/move - [armhf] KVM: user_mem_abort: support stage 2 MMIO page mapping - [armhf,arm64] KVM: avoid returning negative error code as bool - [armhf,arm64] KVM: fix use of WnR bit in kvm_is_write_fault() - [armhf] KVM: vgic: plug irq injection race - [armhf,arm64] KVM: Fix set_clear_sgi_pend_reg offset - [armhf,arm64] KVM: Fix VTTBR_BADDR_MASK and pgd alloc - [armhf,arm64] KVM: fix potential NULL dereference in user_mem_abort() - [armhf,arm64] KVM: Ensure memslots are within KVM_PHYS_SIZE - [arm64] KVM: fix unmapping with 48-bit VAs - [armhf,arm64] kvm: drop inappropriate use of kvm_is_mmio_pfn() - [armhf,arm64] KVM: Reset the HCR on each vcpu when resetting the vcpu - [armhf,arm64] KVM: Introduce stage2_unmap_vm - [armhf,arm64] KVM: Don't allow creating VCPUs after vgic_initialized - [armhf,arm64 KVM: Require in-kernel vgic for the arch timers - [arm64] KVM: Fix TLB invalidation by IPA/VMID - [arm64] KVM: Fix HCR setting for 32bit guests - [arm64] KVM: Do not use pgd_index to index stage-2 pgd - net: make skb_gso_segment error handling more robust - blk-mq: fix CPU hotplug handling - mm/memory-failure: call shake_page() when error hits thp tail page - nilfs2: fix sanity check of btree level in nilfs_btree_root_broken() - ocfs2: dlm: fix race between purge and get lock resource - drm/radeon: make VCE handle check more strict - drm/radeon: make UVD handle checking more strict - drm/radeon: more strictly validate the UVD codec - mnt: Fix fs_fully_visible to verify the root directory is visible - pinctrl: Don't just pretend to protect pinctrl_maps, do it for real - crush: ensuring at most num-rep osds are selected - netfilter: nf_tables: fix error handling of rule replacement - netfilter: Zero the tuple in nfnl_cthelper_parse_tuple() - netfilter: nf_tables: check for overflow of rule dlen field - netfilter: nft_rbtree: fix locking - sched/autogroup: Fix failure to set cpu.rt_runtime_us - xprtrdma: Free the pd if ib_query_qp() fails - xfs: ensure truncate forces zeroed blocks to disk http://kernel.ubuntu.com/stable/ChangeLog-3.16.7-ckt13 - usb: gadget: configfs: Fix interfaces array NULL-termination - nfsd: fix the check for confirmed openowner in nfs4_preprocess_stateid_op - libata: Blacklist queued TRIM on all Samsung 800-series (Closes: #790520) - md/raid5: don't record new size if resize_stripes fails. - sched: Handle priority boosted tasks proper in setscheduler() - [armel,armhf] net fix emit_udiv() for BPF_ALU | BPF_DIV | BPF_K intruction. - drm/radeon: add new bonaire pci id (Closes: #792099) - firmware: dmi_scan: Fix ordering of product_uuid - ext4: fix NULL pointer dereference when journal restart fails (regression in 3.11) - ext4: check for zero length extent explicitly (regression in 3.13) - jbd2: fix r_count overflows leading to buffer overflow in journal recovery - igb: Fix oops on changing number of rings - igb: Fix NULL assignment to incorrect variable in igb_reset_q_vector - [arm64] add missing PAGE_ALIGN() to __dma_free() - net: socket: Fix the wrong returns for recvmsg and sendmsg (regression in 3.16.7-ckt9) - mac80211: move WEP tailroom size check - [x86] KVM: MMU: fix smap permission check - [x86] KVM: MMU: fix CR4.SMEP=1, CR0.WP=0 with shadow pages - [x86] KVM: MMU: fix SMAP virtualization - sd: Disable support for 256 byte/sector disks - xen/events: don't bind non-percpu VIRQs with percpu chip - libceph: request a new osdmap if lingering request maps to no osd - [s390x] crypto: ghash - Fix incorrect ghash icv buffer handling. - ipvs: fix memory leak in ip_vs_ctl.c - ipv6: fix ECMP route replacement - ipv4: Avoid crashing in ip_error - bridge: fix parsing of MLDv2 reports - module: Call module notifier on failure after complete_formation() (regression in 3.16) - [x86] gpio: gpio-kempld: Fix get_direction return value (regression in 3.12) - [armel,armhf] 8356/1: mm: handle non-pmd-aligned end of RAM - mac80211: don't use napi_gro_receive() outside NAPI context - xfs: xfs_attr_inactive leaves inconsistent attr fork state behind - fs, omfs: add NULL terminator in the end up the token list - vfs: d_walk() might skip too much (regression in 3.16.7-ckt4) - target/pscsi: Don't leak scsi_host if hba is VIRTUAL_HOST - net_sched: invoke ->attach() after setting dev->qdisc - fs/binfmt_elf.c:load_elf_binary(): return -EINVAL on zero-length mappings (regression in 3.16.7-ckt11) http://kernel.ubuntu.com/stable/ChangeLog-3.16.7-ckt14 - n_tty: Fix auditing support for cannonical mode (regression in 3.12) - lib: Fix strnlen_user() to not touch memory after specified maximum - xfrm: fix a race in xfrm_state_lookup_byspi - thermal: step_wise: Revert optimization (regression in 3.12) - net: dp83640: fix broken calibration routine. - net: dp83640: reinforce locking rules. - unix/caif: sk_socket can disappear when state is unlocked - xen/netback: Properly initialize credit_bytes (regression in 3.16) - ipv4/udp: Verify multicast group is ours in upd_v4_early_demux() (regression in 3.13) - bridge: disable softirqs around br_fdb_update to avoid lockup - Btrfs: send, add missing check for dead clone root - Btrfs: send, don't leave without decrementing clone root's send_progress - btrfs: incorrect handling for fiemap_fill_next_extent return - btrfs: cleanup orphans while looking up default subvolume - [x86] iommu/vt-d: Allow RMRR on graphics devices too (regression in 3.16.3) - [armhf] irqchip: sunxi-nmi: Fix off-by-one error in irq iterator - mm/memory_hotplug.c: set zone->wait_table to null after freeing it - block: fix ext_dev_lock lockdep report (regression in 3.16.4) - iser-target: Fix variable-length response error completion (regression in 3.16) - iser-target: release stale iser connections http://kernel.ubuntu.com/stable/ChangeLog-3.16.7-ckt15 - [x86] KVM: nSVM: Check for NRIPS support before updating control field - nfs: take extra reference to fl->fl_file when running a setlk - net: don't wait for order-3 page allocation - bridge: fix br_stp_set_bridge_priority race conditions - packet: read num_members once in packet_rcv_fanout() - packet: avoid out of bounds read in round robin fanout - neigh: do not modify unlinked entries - tcp: Do not call tcp_fastopen_reset_cipher from interrupt context (regression in 3.13) - sctp: Fix race between OOTB responce and route removal - media: s5h1420: fix a buffer overflow when checking userspace params - media: cx24116: fix a buffer overflow when checking userspace params - media: af9013: Don't accept invalid bandwidth - media: cx24117: fix a buffer overflow when checking userspace params - spi: fix race freeing dummy_tx/rx before it is unmapped - mtd: fix: avoid race condition when accessing mtd->usecount - intel_pstate: set BYT MSR with wrmsrl_on_cpu() (regression in 3.14) - leds / PM: fix hibernation on arm when gpio-led used with CPU led trigger (regression in 3.11) - mnt: Refactor the logic for mounting sysfs and proc in a user namespace - scsi_transport_srp: Fix a race condition - w1_therm reference count family data - drm/radeon: take the mode_config mutex when dealing with hpds (v2) - [armhf] usb: dwc3: gadget: return error if command sent to DGCMD register fails - rcu: Correctly handle non-empty Tiny RCU callback list with none ready - [armhf] usb: dwc3: gadget: don't clear EP_BUSY too early - staging: rtl8712: prevent buffer overrun in recvbuf2recvframe - SUNRPC: Fix a memory leak in the backchannel code - ieee802154: Fix sockaddr_ieee802154 implicit padding information leak. - mnt: Modify fs_fully_visible to deal with locked ro nodev and atime - regulator: core: fix constraints output buffer - ACPI / PM: Add missing pm_generic_complete() invocation (regression in 3.16) - [armel,armh] dmaengine: mv_xor: bug fix for racing condition in descriptors cleanup - [arm64] Do not attempt to use init_mm in reset_context() - ext4: fix race between truncate and __ext4_journalled_writepage() - [x86] pcmcia: Disable write buffering on Toshiba ToPIC95 - fs/ufs: revert "ufs: fix deadlocks introduced by sb mutex merge" (regression in 3.16.4) - jbd2: use GFP_NOFS in jbd2_cleanup_journal_tail() - jbd2: fix ocfs2 corrupt when updating journal superblock fails - fs/ufs: restore s_lock mutex (regression in 3.16) - regmap: Fix possible shift overflow in regmap_field_init() - [x86] PCI: Use host bridge _CRS info on systems with >32 bit addressing (regression in 3.14) - libata: Do not blacklist Micron M500DC (regression in 3.14) - [x86] iommu/amd: Handle large pages correctly in free_pagetable (regression in 3.11) - ext4: call sync_blockdev() before invalidate_bdev() in put_super() - xfs: fix remote symlinks on V5/CRC filesystems - ext4: don't retry file block mapping on bigalloc fs with non-extent file - xfs: don't truncate attribute extents if no extents exist - NET: ROSE: Don't dereference NULL neighbour pointer. - netfilter: nf_qeueue: Drop queue entries on nf_unregister_hook - fs: Fix S_NOSEC handling - stmmac: troubleshoot unexpected bits in des0 & des1 - PM / sleep: Increase default DPM watchdog timeout to 60 (regression in 3.13) - [armhf] clocksource: exynos_mct: Avoid blocking calls in the cpu hotplug notifier (regression in 3.11) - drm/radeon: compute ring fix hibernation (CI GPU family) v2. - drm/radeon: SDMA fix hibernation (CI GPU family). - [armhf] net: mvneta: disable IP checksum with jumbo frames for Armada 370 - [arm64] Don't report clear pmds and puds as huge - fuse: initialize fc->release before calling it - vfs: Ignore unlocked mounts in fs_fully_visible - proc: Allow creating permanently empty directories that serve as mount points - mnt: Update fs_fully_visible to test for permanently empty directories - ACPICA: Tables: Enable both 32-bit and 64-bit FACS (regression in 3.14) - ACPICA: Tables: Fix an issue that FACS initialization is performed twice - ACPICA: Tables: Enable default 64-bit FADT addresses favor - [x86] KVM: make vapics_in_nmi_mode atomic - [s390x] KVM: virtio-ccw: don't overwrite config space values - 9p: forgetting to cancel request on interrupted zero-copy RPC - e1000e: Cleanup handling of VLAN_HLEN as a part of max frame size (regression in 3.15) - ath9k_htc: memory corruption calling set_bit() - mac80211: prevent possible crypto tx tailroom corruption - cfg80211: ignore netif running state when changing iftype - Btrfs: lock superblock before remounting for rw subvol (regression in 3.15) - of: return NUMA_NO_NODE from fallback of_node_to_nid() (regression in 3.13) - sched/fair: Prevent throttling in early pick_next_task_fair() (regression in 3.15) - ACPI / init: Switch over platform to the ACPI mode later (regression in 3.14) - [armhf] drm/tegra: dpaux: Fix transfers larger than 4 bytes - mmc: card: Fixup request missing in mmc_blk_issue_rw_rq - perf: Fix ring_buffer_attach() RCU sync, again - LZ4 : fix the data abort issue http://kernel.ubuntu.com/stable/ChangeLog-3.16.7-ckt16 - Btrfs: use kmem_cache_free when freeing entry in inode cache - Btrfs: fix race between caching kthread and returning inode to inode cache - Btrfs: fix fsync data loss after append write - ext4: fix reservation release on invalidatepage for delalloc fs - ext4: be more strict when migrating to non-extent based file - ext4: correctly migrate a file with a hole at the beginning - 9p: don't leave a half-initialized inode sitting around - thermal: step_wise: fix: Prevent from binary overflow when trend is dropping - dm btree remove: fix bug in redistribute3 - [armhf] crypto: omap-des - Fix unmapping of dma channels - [armhf] usb: musb: host: rely on port_mode to call musb_start() (regression in 3.13) - drm: add a check for x/y in drm_mode_setcrtc - bio integrity: do not assume bio_integrity_pool exists if bioset exists - Btrfs: fix memory leak in the extent_same ioctl - Btrfs: fix list transaction->pending_ordered corruption - Btrfs: fix file corruption after cloning inline extents - [armel,armhf] 8404/1: dma-mapping: fix off-by-one error in bitmap size check (regression in 3.15) - net: graceful exit from netif_alloc_netdev_queues() - ip_tunnel: fix ipv4 pmtu check to honor inner ip header df (regression in 3.11) - net: do not process device backlog during unregistration - rds: rds_ib_device.refcount overflow - mm: avoid setting up anonymous pages into file mapping - HID: cp2112: fix to force single data-report reply - [armhf] net: mvneta: fix refilling for Rx DMA buffers - [armhf] usb: dwc3: gadget: return error if command sent to DEPCMD register fails - usb: xhci: Bugfix for NULL pointer deference in xhci_endpoint_init() function - usb: core: lpm: set lpm_capable for root hub device (regression in 3.15) - USB: OHCI: Fix race between ED unlink and URB submission (regression in 3.16.2) - usb-storage: ignore ZTE MF 823 card reader in mode 0x1225 - md/raid1: fix test for 'was read error from last working device'. - [armhf] mmc: omap_hsmmc: Fix DTO and DCRC handling - bonding: correctly handle bonding type change on enslave failure - inet: frags: fix defragmented packet's IP header for af_packet - vfs: freeing unlinked file indefinitely delayed - mmc: sdhci: Fix FSL ESDHC reset handling quirk (regression in 3.16) http://kernel.ubuntu.com/stable/ChangeLog-3.16.7-ckt17 - sysfs: Create mountpoints with sysfs_create_mount_point - iscsi-target: Fix use-after-free during TPG session shutdown - iscsi-target: Fix iscsit_start_kthreads failure OOPs (regression in 3.16.7-ckt11) - iscsi-target: Fix iser explicit logout TX kthread leak (regression in 3.16.7-ckt11) - xfs: remote attribute headers contain an invalid LSN - xfs: remote attributes need to be considered data - [x86] drm/i915: Replace WARN inside I915_READ64_2x32 with retry loop - ipr: Fix locking for unit attention handling - ipr: Fix invalid array indexing for HRRQ - [x86] xen: Probe target addresses in set_aliased_prot() before the hypercall - netfilter: ctnetlink: put back references to master ct and expect object (regression in 3.12) - ipvs: do not use random local source address for tunnels - ipvs: fix crash if scheduler is changed - ipvs: fix crash with sync protocol v0 and FTP - NFS: Don't revalidate the mapping if both size and change attr are up to date (regression in 3.16) - packet: missing dev_put() in packet_do_bind() - packet: tpacket_snd(): fix signed/unsigned comparison - net: sched: fix refcount imbalance in actions - act_pedit: check binding before calling tcf_hash_release() - nfsd: Drop BUG_ON and ignore SECLABEL on absent filesystem - [armel/ixp4xx] crypto: Remove bogus BUG_ON on scattered dst buffer - rbd: fix copyup completion race - md/bitmap: return an error when bitmap superblock is corrupt. - md/raid1: extend spinlock to protect raid1_end_read_request against inconsistencies - [armhf] thermal: exynos: Disable the regulator on probe failure - xhci: fix off by one error in TRB DMA address boundary check - mm, vmscan: Do not wait for page writeback for GFP_NOFS allocations - [mips*] Make set_pte() SMP safe. - ipc: modify message queue accounting to not take kernel data structures into account - ocfs2: fix BUG in ocfs2_downconvert_thread_do_work() - fsnotify: fix oops in fsnotify_clear_marks_by_group_flags() - rtnetlink: verify IFLA_VF_INFO attributes before passing them to driver - net/tipc: initialize security state for new connection socket - net: call rcu_read_lock early in process_backlog - net: Clone skb before setting peeked flag - net: Fix skb csum races when peeking - net: Fix skb_set_peeked use-after-free bug - ipv6: lock socket in ip6_datagram_connect() - netlink: don't hold mutex in rcu callback when releasing mmapd ring - rds: fix an integer overflow test in rds_info_getsockopt() - udp: fix dst races with multicast early demux - bna: fix interrupts storm caused by erroneous packets (regression in 3.14) - net: gso: use feature flag argument in all protocol gso handlers - ext4: avoid deadlocks in the writeback path by using sb_getblk_gfp - xen-blkfront: don't add indirect pages to list when !feature_persistent - xen-blkback: replace work_pending with work_busy in purge_persistent_gnt() - regmap: regcache-rbtree: Clean new present bits on present bitmap resize (regression in 3.12) - target/iscsi: Fix double free of a TUR followed by a solicited NOPOUT - [x86] ldt: Make modify_ldt synchronous - [x86] ldt: Correct LDT access in single stepping logic - [i386] ldt: Correct FPU emulation access to LDT - dm btree: add ref counting ops for the leaves of top level btrees - libfc: Fix fc_exch_recv_req() error path (regression in 3.13) - libfc: Fix fc_fcp_cleanup_each_cmd() - [x86] drm/vmwgfx: Fix execbuf locking issues - mm/hwpoison: fix page refcount of unknown non LRU page - ipc,sem: fix use after free on IPC_RMID after a task using same semaphore set exits - ipc/sem.c: change memory barrier in sem_lock() to smp_rmb() - ipc/sem.c: update/correct memory barriers - [mips*] Fix seccomp syscall argument for MIPS64 (regression in 3.15) - [i386] ldt: Further fix FPU emulation - ALSA: usb-audio: Fix runtime PM unbalance (regression in 3.15) - libata: Add factory recertified Crucial M500s to blacklist - [arm64] KVM: Fix host crash when injecting a fault into a 32bit guest - batman-adv: fix kernel crash due to missing NULL checks (regression in 3.16) - batman-adv: protect tt_local_entry from concurrent delete events - perf: Fix PERF_EVENT_IOC_PERIOD migration race (regression in 3.14) - net: Fix RCU splat in af_key - ip6_gre: release cached dst on tunnel removal - xen/gntdevt: Fix race condition in gntdev_release() - signalfd: fix information leak in signalfd_copyinfo - signal: fix information leak in copy_siginfo_to_user - signal: fix information leak in copy_siginfo_from_user32 . [ Ben Hutchings ] * [x86] vmwgfx: Enable DRM_VMWGFX_FBCON (Closes: #714929) * [x86] edac: Add edac_ie31200 driver from Linux 3.17 (Closes: #780773) * [mips*] Correct FP ISA requirements (Closes: #781892) * Revert "ACPICA: Utilities: split IO address types from data type models." to avoid ABI change on i386 * libata: add ATA_HORKAGE_NOTRIM * libata: force disable trim for SuperSSpeed S238 * block: Do a full clone when splitting discard bios (Closes: #793326) * [armel,sh4] linux-image: Recommend u-boot-tools rather than the obsolete uboot-mkimage package (Closes: #793608) * linux-source: Depend on xz-utils, not bzip2 (Closes: #796940) * [x86] i2c: i801: Use wait_event_timeout to wait for interrupts (Closes: #799786) * Adjust for migration to git: - Update .gitignore files - debian/control: Update Vcs-* fields - README.Debian, README.source: Update references to svn * media: uvcvideo: Disable hardware timestamps by default (Closes: #794327) . [ Ian Campbell ] * [xen] xen-netback: return correct ethtool stats (Closes: #786936) * of: make sure of_alias is initialized before accessing it. (Closes: #784053) . [ Uwe Kleine-König ] * Merge jessie-security changes . [ Aurelien Jarno ] * [mips*] Correct FP emulation delay slot exception propagation. * [mips*el/loongson3] Set Loongson 3 ISA to MIPS64R1 to correctly emulate the corresponding FP instructions. linux (3.16.7-ckt20-1+deb8u1) jessie-security; urgency=medium . [ Salvatore Bonaccorso ] * [x86] KVM: rename update_db_bp_intercept to update_bp_intercept . [ Ben Hutchings ] * media: usbvision: fix leak of usb_dev on failure paths in usbvision_probe() * media: usbvision: fix crash on detecting device with invalid configuration (CVE-2015-7833, partly fixed in 3.16.7-ckt11-1+deb8u6) * splice: sendfile() at once fails for big files (Closes: #785189) * unix: avoid use-after-free in ep_remove_wait_queue (CVE-2013-7446) * Btrfs: fix truncation of compressed and inlined extents (CVE-2015-8374) * net: add validation for the socket syscall protocol argument (CVE-2015-8543) linux (3.16.7-ckt20-1) jessie; urgency=medium . * New upstream stable update: http://kernel.ubuntu.com/stable/ChangeLog-3.16.7-ckt18 - mac80211: enable assoc check for mesh interfaces - PCI: Add VPD function 0 quirk for Intel Ethernet devices - staging: comedi: usbduxsigma: don't clobber ai_timer in command test - staging: comedi: usbduxsigma: don't clobber ao_timer in command test - [armhf] usb: dwc3: ep0: Fix mem corruption on OUT transfers of more than 512 bytes - [x86] KVM: MMU: fix validation of mmio page fault (regression in 3.11) - iio: industrialio-buffer: Fix iio_buffer_poll return value (regression in 3.13) - iio: event: Remove negative error code from iio_event_poll (regression in 3.13) - NFSv4: don't set SETATTR for O_RDONLY|O_EXCL - fs: Set the size of empty dirs to 0. (regression in 3.16.7-ckt15) - [x86] staging: comedi: adl_pci7x3x: fix digital output on PCI-7230 - blk-mq: fix buffer overflow when reading sysfs file of 'pending' - NFS: nfs_set_pgio_error sometimes misses errors - NFS: Fix a NULL pointer dereference of migration recovery ops for v4.2 client - usb: host: ehci-sys: delete useless bus_to_hcd conversion - USB: symbolserial: Use usb_get_serial_port_data (regression in 3.10) - igb: Fix oops caused by missing queue pairing (regression in 3.14) - eCryptfs: Invalidate dcache entries when lower i_nlink is zero - libxfs: readahead of dir3 data blocks should use the read verifier - xfs: Fix xfs_attr_leafblock definition - [arm64] kconfig: Move LIST_POISON to a safe value - Btrfs: check if previous transaction aborted to avoid fs corruption - xfs: Fix file type directory corruption for btree directories - [arm64] flush FP/SIMD state correctly after execve() - xfs: return errors from partial I/O failures to files - drm/radeon/atom: Send out the full AUX address - [x86] drm/i915: Always mark the object as dirty when used by the GPU - IB/uverbs: reject invalid or unknown opcodes - [x86] crypto: ghash-clmulni: specify context size for ghash async algorithm - fs: create and use seq_show_option for escaping - scsi: fix scsi_error_handler vs. scsi_host_dev_release race - [x86] drm/i915: Limit the number of loops for reading a split 64bit register (regression in 3.16.7-ckt16) - hfs,hfsplus: cache pages correctly between bnode_create and bnode_free - hfs: fix B-tree corruption after insertion at position 0 - [armel/versatile,armhf] Input: ambakmi - fix system PM by converting to modern callbacks (regression in 3.14) - svcrdma: Fix send_reply() scatter/gather set-up - [x86] mm: Initialize pmd_idx in page_table_range_init_count() - batman-adv: fix multicast counter when purging originators - batman-adv: fix counter for multicast supporting nodes - batman-adv: Fix potential synchronization issues in mcast tvlv handler - batman-adv: Fix potentially broken skb network header access - [powerpc/powerpc64] mm: Fix pte_pagesize_index() crash on 4K w/64K hash - ath10k: fix dma_mapping_error() handling - mmc: sdhci: also get preset value and driver type for MMC_DDR52 (regression in 3.16) - IB/mlx4: Fix potential deadlock when sending mad to wire - IB/mlx4: Forbid using sysfs to change RoCE pkeys - IB/uverbs: Fix race between ib_uverbs_open and remove_one - mmc: core: fix race condition in mmc_wait_data_done - task_work: remove fifo ordering guarantee - netlink, mmap: fix edge-case leakages in nf queue zero-copy - md: flush ->event_work before stopping array. - md/raid10: always set reshape_safe when initializing reshape_position. - ext4: fix loss of delalloc extent info in ext4_zero_range() - [powerpc,ppc64el] MSI: Fix race condition in tearing down MSI interrupts - UBI: block: Add missing cache flushes - net/ipv6: Correct PIM6 mrt_lock handling - netlink, mmap: transform mmap skb into full skb on taps - openvswitch: Zero flows on allocation. - fib_rules: fix fib rule dumps across multiple skbs http://kernel.ubuntu.com/stable/ChangeLog-3.16.7-ckt19 - CIFS: fix type confusion in copy offload ioctl - [x86] apic: Serialize LVTT and TSC_DEADLINE writes - [arm64] head.S: initialise mdcr_el2 in el2_setup - kvm: don't try to register to KVM_FAST_MMIO_BUS for non mmio eventfd - kvm: fix double free for fast mmio eventfd - [powerpc*] mm: Recompute hash value after a failed update (regression in 3.11) - [i386] platform: Fix Geode LX timekeeping in the generic x86 build - [arm64,armhf] KVM: Disable virtual timer even if the guest is not using it - [x86] hp-wmi: limit hotkey enable - zram: fix possible use after free in zcomp_create() (regression in 3.15) - [x86] drm/vmwgfx: Fix up user_dmabuf refcounting - [armhf] dts: omap3-beagle: make i2c3, ddc and tfp410 gpio work again (regression in 3.15) - Btrfs: fix read corruption of compressed and shared extents - btrfs: skip waiting on ordered range for special files - [armhf] usb: chipidea: udc: using the correct stall implementation - [armhf] net: mvneta: fix DMA buffer unmapping in mvneta_rx() (regression in 3.16.7-ckt16) - iser-target: remove command with state ISTATE_REMOVE - [x86] KVM: trap AMD MSRs for the TSeg base and mask - usb: Use the USB_SS_MULT() macro to get the burst multiplier. - xhci: give command abortion one more chance before killing xhci - usb: xhci: Clear XHCI_STATE_DYING on start - xhci: change xhci 1.0 only restrictions to support xhci 1.1 - xhci: init command timeout timer earlier to avoid deleting it uninitialized - cifs: use server timestamp for ntlmv2 authentication - [x86] paravirt: Replace the paravirt nop with a bona fide empty function - [amd64] nmi: Fix a paravirt stack-clobbering bug in the NMI code (regression in 3.16.7-ckt16) - ocfs2/dlm: fix deadlock when dispatch assert master - [x86] drm/i915/bios: handle MIPI Sequence Block v3+ gracefully - drm/qxl: only report first monitor as connected if we have no state - PCI: Fix devfn for VPD access through function 0 (regression in 3.16.7-ckt18) - PCI: Use function 0 VPD for identical functions, regular VPD for others - netfilter: nft_compat: skip family comparison in case of NFPROTO_UNSPEC - vxlan: set needed headroom correctly - jbd2: avoid infinite loop when destroying aborted journal - asix: Don't reset PHY on if_up for ASIX 88772 - asix: Do full reset during ax88772_bind - fib_rules: Fix dump_rules() not to exit early - net/xen-netfront: only napi_synchronize() if running - [x86] intel_pstate: Fix overflow in busy_scaled due to long delay - UBI: Validate data_size - UBI: return ENOSPC if no enough space available - [mips*/4kc-malta] dma-default: Fix 32-bit fall back to GFP_DMA - [x86] efi: Fix boot crash by mapping EFI memmap entries bottom-up at runtime, instead of top-down - [x86] Use WARN_ON_ONCE for missing X86_FEATURE_NRIPS - mm: hugetlbfs: skip shared VMAs when unmapping private pages to satisfy a fault - [x86] mm: Set NX on gap between __ex_table and rodata - clocksource: Fix abs() usage w/ 64bit values - [x86] drm/vmwgfx: Fix kernel NULL pointer dereference on older hardware - fs: if a coredump already exists, unlink and recreate with O_EXCL - sctp: donot reset the overall_error_count in SHUTDOWN_RECEIVE state - l2tp: protect tunnel->del_work by ref_count - af_unix: return data from multiple SKBs on recv() with MSG_PEEK flag - net/unix: fix logic about sk_peek_offset - skbuff: Fix skb checksum flag on skb pull - skbuff: Fix skb checksum partial check. - net: add pfmemalloc check in sk_add_backlog() - ppp: don't override sk->sk_state in pppoe_flush_dev() - ethtool: Use kcalloc instead of kmalloc for ethtool_get_strings - ovs: do not allocate memory from offline numa node - netlink: Trim skb to alloc size to avoid MSG_TRUNC - net: add length argument to skb_copy_and_csum_datagram_iovec (regression in 3.16.7-ckt17) (CVE-2015-8019) - Btrfs: update fix for read corruption of compressed and shared extents http://kernel.ubuntu.com/stable/ChangeLog-3.16.7-ckt20 - regmap: debugfs: Ensure we don't underflow when printing access masks - regmap: debugfs: Don't bother actually printing when calculating max length - [x86] xen: Support kexec/kdump in HVM guests by doing a soft reset - svcrdma: handle rdma read with a non-zero initial page offset (regression in 3.16) - dm: fix AB-BA deadlock in __dm_destroy() (regression in 3.16.7-ckt10) - cifs: [SMB3] Do not fall back to SMBWriteX in set_file_size error cases - dm raid: fix round up of default region size - staging: speakup: fix speakup-r regression - [arm64] readahead: fault retry breaks mmap file read random detection - sched/core: Fix TASK_DEAD race in finish_task_switch() - dm cache: fix NULL pointer when switching from cleaner policy - 3w-9xxx: don't unmap bounce buffered commands (regression in 3.16.7-ckt17) - workqueue: make sure delayed work run in local cpu - drm/radeon: add pm sysfs files late - drm/nouveau/fbcon: take runpm reference when userspace has an open fd - crypto: ahash - ensure statesize is non-zero - btrfs: check unsupported filters in balance arguments - btrfs: fix use after free iterating extrefs - btrfs: fix possible leak in btrfs_ioctl_balance() - drm: Reject DRI1 hw lock ioctl functions for kms drivers - usb: xhci: Add support for URB_ZERO_PACKET to bulk/sg transfers - rbd: fix double free on rbd_dev->header_name - ath9k: declare required extra tx headroom - iio: accel: sca3000: memory corruption in sca3000_read_first_n_hw_rb() - xen-blkfront: check for null drvdata in blkback_changed (XenbusStateClosing) - iio: mxs-lradc: Fix temperature offset - [x86] drm/i915: Deny wrapping an userptr into a framebuffer - xhci: don't finish a TD if we get a short transfer event mid TD - xhci: handle no ping response error properly - drm/nouveau/gem: return only valid domain when there's only one - [powerpc*] rtas: Validate rtas.entry before calling enter_rtas() - mm: make sendfile(2) killable - rbd: don't leak parent_spec in rbd_dev_probe_parent() - rbd: prevent kernel stack blow up on rbd map - dm btree remove: fix a bug when rebalancing nodes after removal - dm btree: fix leak of bufio-backed block in btree_split_beneath error path - IB/cm: Fix rb-tree duplicate free and use-after-free - iwlwifi: mvm: init card correctly on ctkill exit check (regression in 3.16.7-ckt2) - module: Fix locking in symbol_put_addr() - crypto: api - Only abort operations on fatal signal - md/raid1: submit_bio_wait() returns 0 on success - md/raid10: submit_bio_wait() returns 0 on success - [x86] iommu/amd: Don't clear DTE flags when modifying it - [armel,armhf] i2c: mv64xxx: really allow I2C offloading - drm/radeon: don't try to recreate sysfs entries on resume - mvsas: Fix NULL pointer dereference in mvs_slot_task_free - [arm64] Revert "ARM64: unwind: Fix PC calculation" - rbd: require stable pages if message data CRCs are enabled - md/raid5: fix locking in handle_stripe_clean_event() - Revert "md: allow a partially recovered device to be hot-added to an array." (regression in 3.14) - ipv6: Fix IPsec pre-encap fragmentation check - ppp: fix pppoe_dev deletion condition in pppoe_release() - ipv6: gre: support SIT encapsulation (regression in 3.13) - isdn_ppp: Add checks for allocation failure in isdn_ppp_open() - ppp, slip: Validate VJ compression slot parameters completely (CVE-2015-7799) - staging/dgnc: fix info leak in ioctl - sched/preempt: Fix cond_resched_lock() and cond_resched_softirq() (regression in 3.13) . [ Aurelien Jarno ] * [mips*/octeon] Enable CAVIUM_CN63XXP1 (Closes: #800595) . [ Ben Hutchings ] * nbd: Restore request timeout detection (Closes: #770479) * netlink: Fix ABI change in 3.16.7-ckt18 * [x86] Enable PINCTRL_BAYTRAIL (Closes: #797949) * firmware_class: Fix condition in directory search loop (Closes: #804862) * ehci: Fix ABI change in 3.16.7-ckt19 * [arm64] Defer workaround for erratum #843419 * [x86] KVM: svm: unconditionally intercept #DB (CVE-2015-8104) linux (3.16.7-ckt17-1) jessie; urgency=medium . * New upstream stable updates: http://kernel.ubuntu.com/stable/ChangeLog-3.16.7-ckt12 - [x86] reboot: Add EFI reboot quirk for ACPI Hardware Reduced flag - UBI: fix soft lockup in ubi_check_volume() - mnt: Fail collect_mounts when applied to unmounted mounts - btrfs: unlock i_mutex after attempting to delete subvolume during send (regression in 3.16) - [arm64] dma-mapping: always clear allocated buffers - ALSA: emu10k1: Fix card shortname string buffer overflow - SCSI: add 1024 max sectors black list flag - 3w-sas,3w-xxxx,3w-9xxx: fix command completion race - [armhf] usb: chipidea: otg: remove mutex unlock and lock while stop and start role (regression in 3.16) - cdc-acm: prevent infinite loop when parsing CDC headers. (regression in 3.16.7-ckt8) - ALSA: emux: Fix mutex deadlock in OSS emulation - rbd: end I/O the entire obj_request on error - mlx4_en: Use correct loop cursor in error path. - [armhf,arm64] KVM: Fix and refactor unmap_range - [armhf] KVM: Unmap IPA on memslot delete/move - [armhf] KVM: user_mem_abort: support stage 2 MMIO page mapping - [armhf,arm64] KVM: avoid returning negative error code as bool - [armhf,arm64] KVM: fix use of WnR bit in kvm_is_write_fault() - [armhf] KVM: vgic: plug irq injection race - [armhf,arm64] KVM: Fix set_clear_sgi_pend_reg offset - [armhf,arm64] KVM: Fix VTTBR_BADDR_MASK and pgd alloc - [armhf,arm64] KVM: fix potential NULL dereference in user_mem_abort() - [armhf,arm64] KVM: Ensure memslots are within KVM_PHYS_SIZE - [arm64] KVM: fix unmapping with 48-bit VAs - [armhf,arm64] kvm: drop inappropriate use of kvm_is_mmio_pfn() - [armhf,arm64] KVM: Reset the HCR on each vcpu when resetting the vcpu - [armhf,arm64] KVM: Introduce stage2_unmap_vm - [armhf,arm64] KVM: Don't allow creating VCPUs after vgic_initialized - [armhf,arm64 KVM: Require in-kernel vgic for the arch timers - [arm64] KVM: Fix TLB invalidation by IPA/VMID - [arm64] KVM: Fix HCR setting for 32bit guests - [arm64] KVM: Do not use pgd_index to index stage-2 pgd - net: make skb_gso_segment error handling more robust - blk-mq: fix CPU hotplug handling - mm/memory-failure: call shake_page() when error hits thp tail page - nilfs2: fix sanity check of btree level in nilfs_btree_root_broken() - ocfs2: dlm: fix race between purge and get lock resource - drm/radeon: make VCE handle check more strict - drm/radeon: make UVD handle checking more strict - drm/radeon: more strictly validate the UVD codec - mnt: Fix fs_fully_visible to verify the root directory is visible - pinctrl: Don't just pretend to protect pinctrl_maps, do it for real - crush: ensuring at most num-rep osds are selected - netfilter: nf_tables: fix error handling of rule replacement - netfilter: Zero the tuple in nfnl_cthelper_parse_tuple() - netfilter: nf_tables: check for overflow of rule dlen field - netfilter: nft_rbtree: fix locking - sched/autogroup: Fix failure to set cpu.rt_runtime_us - xprtrdma: Free the pd if ib_query_qp() fails - xfs: ensure truncate forces zeroed blocks to disk http://kernel.ubuntu.com/stable/ChangeLog-3.16.7-ckt13 - usb: gadget: configfs: Fix interfaces array NULL-termination - nfsd: fix the check for confirmed openowner in nfs4_preprocess_stateid_op - libata: Blacklist queued TRIM on all Samsung 800-series (Closes: #790520) - md/raid5: don't record new size if resize_stripes fails. - sched: Handle priority boosted tasks proper in setscheduler() - [armel,armhf] net fix emit_udiv() for BPF_ALU | BPF_DIV | BPF_K intruction. - drm/radeon: add new bonaire pci id (Closes: #792099) - firmware: dmi_scan: Fix ordering of product_uuid - ext4: fix NULL pointer dereference when journal restart fails (regression in 3.11) - ext4: check for zero length extent explicitly (regression in 3.13) - jbd2: fix r_count overflows leading to buffer overflow in journal recovery - igb: Fix oops on changing number of rings - igb: Fix NULL assignment to incorrect variable in igb_reset_q_vector - [arm64] add missing PAGE_ALIGN() to __dma_free() - net: socket: Fix the wrong returns for recvmsg and sendmsg (regression in 3.16.7-ckt9) - mac80211: move WEP tailroom size check - [x86] KVM: MMU: fix smap permission check - [x86] KVM: MMU: fix CR4.SMEP=1, CR0.WP=0 with shadow pages - [x86] KVM: MMU: fix SMAP virtualization - sd: Disable support for 256 byte/sector disks - xen/events: don't bind non-percpu VIRQs with percpu chip - libceph: request a new osdmap if lingering request maps to no osd - [s390x] crypto: ghash - Fix incorrect ghash icv buffer handling. - ipvs: fix memory leak in ip_vs_ctl.c - ipv6: fix ECMP route replacement - ipv4: Avoid crashing in ip_error - bridge: fix parsing of MLDv2 reports - module: Call module notifier on failure after complete_formation() (regression in 3.16) - [x86] gpio: gpio-kempld: Fix get_direction return value (regression in 3.12) - [armel,armhf] 8356/1: mm: handle non-pmd-aligned end of RAM - mac80211: don't use napi_gro_receive() outside NAPI context - xfs: xfs_attr_inactive leaves inconsistent attr fork state behind - fs, omfs: add NULL terminator in the end up the token list - vfs: d_walk() might skip too much (regression in 3.16.7-ckt4) - target/pscsi: Don't leak scsi_host if hba is VIRTUAL_HOST - net_sched: invoke ->attach() after setting dev->qdisc - fs/binfmt_elf.c:load_elf_binary(): return -EINVAL on zero-length mappings (regression in 3.16.7-ckt11) http://kernel.ubuntu.com/stable/ChangeLog-3.16.7-ckt14 - n_tty: Fix auditing support for cannonical mode (regression in 3.12) - lib: Fix strnlen_user() to not touch memory after specified maximum - xfrm: fix a race in xfrm_state_lookup_byspi - thermal: step_wise: Revert optimization (regression in 3.12) - net: dp83640: fix broken calibration routine. - net: dp83640: reinforce locking rules. - unix/caif: sk_socket can disappear when state is unlocked - xen/netback: Properly initialize credit_bytes (regression in 3.16) - ipv4/udp: Verify multicast group is ours in upd_v4_early_demux() (regression in 3.13) - bridge: disable softirqs around br_fdb_update to avoid lockup - Btrfs: send, add missing check for dead clone root - Btrfs: send, don't leave without decrementing clone root's send_progress - btrfs: incorrect handling for fiemap_fill_next_extent return - btrfs: cleanup orphans while looking up default subvolume - [x86] iommu/vt-d: Allow RMRR on graphics devices too (regression in 3.16.3) - [armhf] irqchip: sunxi-nmi: Fix off-by-one error in irq iterator - mm/memory_hotplug.c: set zone->wait_table to null after freeing it - block: fix ext_dev_lock lockdep report (regression in 3.16.4) - iser-target: Fix variable-length response error completion (regression in 3.16) - iser-target: release stale iser connections http://kernel.ubuntu.com/stable/ChangeLog-3.16.7-ckt15 - [x86] KVM: nSVM: Check for NRIPS support before updating control field - nfs: take extra reference to fl->fl_file when running a setlk - net: don't wait for order-3 page allocation - bridge: fix br_stp_set_bridge_priority race conditions - packet: read num_members once in packet_rcv_fanout() - packet: avoid out of bounds read in round robin fanout - neigh: do not modify unlinked entries - tcp: Do not call tcp_fastopen_reset_cipher from interrupt context (regression in 3.13) - sctp: Fix race between OOTB responce and route removal - media: s5h1420: fix a buffer overflow when checking userspace params - media: cx24116: fix a buffer overflow when checking userspace params - media: af9013: Don't accept invalid bandwidth - media: cx24117: fix a buffer overflow when checking userspace params - spi: fix race freeing dummy_tx/rx before it is unmapped - mtd: fix: avoid race condition when accessing mtd->usecount - intel_pstate: set BYT MSR with wrmsrl_on_cpu() (regression in 3.14) - leds / PM: fix hibernation on arm when gpio-led used with CPU led trigger (regression in 3.11) - mnt: Refactor the logic for mounting sysfs and proc in a user namespace - scsi_transport_srp: Fix a race condition - w1_therm reference count family data - drm/radeon: take the mode_config mutex when dealing with hpds (v2) - [armhf] usb: dwc3: gadget: return error if command sent to DGCMD register fails - rcu: Correctly handle non-empty Tiny RCU callback list with none ready - [armhf] usb: dwc3: gadget: don't clear EP_BUSY too early - staging: rtl8712: prevent buffer overrun in recvbuf2recvframe - SUNRPC: Fix a memory leak in the backchannel code - ieee802154: Fix sockaddr_ieee802154 implicit padding information leak. - mnt: Modify fs_fully_visible to deal with locked ro nodev and atime - regulator: core: fix constraints output buffer - ACPI / PM: Add missing pm_generic_complete() invocation (regression in 3.16) - [armel,armh] dmaengine: mv_xor: bug fix for racing condition in descriptors cleanup - [arm64] Do not attempt to use init_mm in reset_context() - ext4: fix race between truncate and __ext4_journalled_writepage() - [x86] pcmcia: Disable write buffering on Toshiba ToPIC95 - fs/ufs: revert "ufs: fix deadlocks introduced by sb mutex merge" (regression in 3.16.4) - jbd2: use GFP_NOFS in jbd2_cleanup_journal_tail() - jbd2: fix ocfs2 corrupt when updating journal superblock fails - fs/ufs: restore s_lock mutex (regression in 3.16) - regmap: Fix possible shift overflow in regmap_field_init() - [x86] PCI: Use host bridge _CRS info on systems with >32 bit addressing (regression in 3.14) - libata: Do not blacklist Micron M500DC (regression in 3.14) - [x86] iommu/amd: Handle large pages correctly in free_pagetable (regression in 3.11) - ext4: call sync_blockdev() before invalidate_bdev() in put_super() - xfs: fix remote symlinks on V5/CRC filesystems - ext4: don't retry file block mapping on bigalloc fs with non-extent file - xfs: don't truncate attribute extents if no extents exist - NET: ROSE: Don't dereference NULL neighbour pointer. - netfilter: nf_qeueue: Drop queue entries on nf_unregister_hook - fs: Fix S_NOSEC handling - stmmac: troubleshoot unexpected bits in des0 & des1 - PM / sleep: Increase default DPM watchdog timeout to 60 (regression in 3.13) - [armhf] clocksource: exynos_mct: Avoid blocking calls in the cpu hotplug notifier (regression in 3.11) - drm/radeon: compute ring fix hibernation (CI GPU family) v2. - drm/radeon: SDMA fix hibernation (CI GPU family). - [armhf] net: mvneta: disable IP checksum with jumbo frames for Armada 370 - [arm64] Don't report clear pmds and puds as huge - fuse: initialize fc->release before calling it - vfs: Ignore unlocked mounts in fs_fully_visible - proc: Allow creating permanently empty directories that serve as mount points - mnt: Update fs_fully_visible to test for permanently empty directories - ACPICA: Tables: Enable both 32-bit and 64-bit FACS (regression in 3.14) - ACPICA: Tables: Fix an issue that FACS initialization is performed twice - ACPICA: Tables: Enable default 64-bit FADT addresses favor - [x86] KVM: make vapics_in_nmi_mode atomic - [s390x] KVM: virtio-ccw: don't overwrite config space values - 9p: forgetting to cancel request on interrupted zero-copy RPC - e1000e: Cleanup handling of VLAN_HLEN as a part of max frame size (regression in 3.15) - ath9k_htc: memory corruption calling set_bit() - mac80211: prevent possible crypto tx tailroom corruption - cfg80211: ignore netif running state when changing iftype - Btrfs: lock superblock before remounting for rw subvol (regression in 3.15) - of: return NUMA_NO_NODE from fallback of_node_to_nid() (regression in 3.13) - sched/fair: Prevent throttling in early pick_next_task_fair() (regression in 3.15) - ACPI / init: Switch over platform to the ACPI mode later (regression in 3.14) - [armhf] drm/tegra: dpaux: Fix transfers larger than 4 bytes - mmc: card: Fixup request missing in mmc_blk_issue_rw_rq - perf: Fix ring_buffer_attach() RCU sync, again - LZ4 : fix the data abort issue http://kernel.ubuntu.com/stable/ChangeLog-3.16.7-ckt16 - Btrfs: use kmem_cache_free when freeing entry in inode cache - Btrfs: fix race between caching kthread and returning inode to inode cache - Btrfs: fix fsync data loss after append write - ext4: fix reservation release on invalidatepage for delalloc fs - ext4: be more strict when migrating to non-extent based file - ext4: correctly migrate a file with a hole at the beginning - 9p: don't leave a half-initialized inode sitting around - thermal: step_wise: fix: Prevent from binary overflow when trend is dropping - dm btree remove: fix bug in redistribute3 - [armhf] crypto: omap-des - Fix unmapping of dma channels - [armhf] usb: musb: host: rely on port_mode to call musb_start() (regression in 3.13) - drm: add a check for x/y in drm_mode_setcrtc - bio integrity: do not assume bio_integrity_pool exists if bioset exists - Btrfs: fix memory leak in the extent_same ioctl - Btrfs: fix list transaction->pending_ordered corruption - Btrfs: fix file corruption after cloning inline extents - [armel,armhf] 8404/1: dma-mapping: fix off-by-one error in bitmap size check (regression in 3.15) - net: graceful exit from netif_alloc_netdev_queues() - ip_tunnel: fix ipv4 pmtu check to honor inner ip header df (regression in 3.11) - net: do not process device backlog during unregistration - rds: rds_ib_device.refcount overflow - mm: avoid setting up anonymous pages into file mapping - HID: cp2112: fix to force single data-report reply - [armhf] net: mvneta: fix refilling for Rx DMA buffers - [armhf] usb: dwc3: gadget: return error if command sent to DEPCMD register fails - usb: xhci: Bugfix for NULL pointer deference in xhci_endpoint_init() function - usb: core: lpm: set lpm_capable for root hub device (regression in 3.15) - USB: OHCI: Fix race between ED unlink and URB submission (regression in 3.16.2) - usb-storage: ignore ZTE MF 823 card reader in mode 0x1225 - md/raid1: fix test for 'was read error from last working device'. - [armhf] mmc: omap_hsmmc: Fix DTO and DCRC handling - bonding: correctly handle bonding type change on enslave failure - inet: frags: fix defragmented packet's IP header for af_packet - vfs: freeing unlinked file indefinitely delayed - mmc: sdhci: Fix FSL ESDHC reset handling quirk (regression in 3.16) http://kernel.ubuntu.com/stable/ChangeLog-3.16.7-ckt17 - sysfs: Create mountpoints with sysfs_create_mount_point - iscsi-target: Fix use-after-free during TPG session shutdown - iscsi-target: Fix iscsit_start_kthreads failure OOPs (regression in 3.16.7-ckt11) - iscsi-target: Fix iser explicit logout TX kthread leak (regression in 3.16.7-ckt11) - xfs: remote attribute headers contain an invalid LSN - xfs: remote attributes need to be considered data - [x86] drm/i915: Replace WARN inside I915_READ64_2x32 with retry loop - ipr: Fix locking for unit attention handling - ipr: Fix invalid array indexing for HRRQ - [x86] xen: Probe target addresses in set_aliased_prot() before the hypercall - netfilter: ctnetlink: put back references to master ct and expect object (regression in 3.12) - ipvs: do not use random local source address for tunnels - ipvs: fix crash if scheduler is changed - ipvs: fix crash with sync protocol v0 and FTP - NFS: Don't revalidate the mapping if both size and change attr are up to date (regression in 3.16) - packet: missing dev_put() in packet_do_bind() - packet: tpacket_snd(): fix signed/unsigned comparison - net: sched: fix refcount imbalance in actions - act_pedit: check binding before calling tcf_hash_release() - nfsd: Drop BUG_ON and ignore SECLABEL on absent filesystem - [armel/ixp4xx] crypto: Remove bogus BUG_ON on scattered dst buffer - rbd: fix copyup completion race - md/bitmap: return an error when bitmap superblock is corrupt. - md/raid1: extend spinlock to protect raid1_end_read_request against inconsistencies - [armhf] thermal: exynos: Disable the regulator on probe failure - xhci: fix off by one error in TRB DMA address boundary check - mm, vmscan: Do not wait for page writeback for GFP_NOFS allocations - [mips*] Make set_pte() SMP safe. - ipc: modify message queue accounting to not take kernel data structures into account - ocfs2: fix BUG in ocfs2_downconvert_thread_do_work() - fsnotify: fix oops in fsnotify_clear_marks_by_group_flags() - rtnetlink: verify IFLA_VF_INFO attributes before passing them to driver - net/tipc: initialize security state for new connection socket - net: call rcu_read_lock early in process_backlog - net: Clone skb before setting peeked flag - net: Fix skb csum races when peeking - net: Fix skb_set_peeked use-after-free bug - ipv6: lock socket in ip6_datagram_connect() - netlink: don't hold mutex in rcu callback when releasing mmapd ring - rds: fix an integer overflow test in rds_info_getsockopt() - udp: fix dst races with multicast early demux - bna: fix interrupts storm caused by erroneous packets (regression in 3.14) - net: gso: use feature flag argument in all protocol gso handlers - ext4: avoid deadlocks in the writeback path by using sb_getblk_gfp - xen-blkfront: don't add indirect pages to list when !feature_persistent - xen-blkback: replace work_pending with work_busy in purge_persistent_gnt() - regmap: regcache-rbtree: Clean new present bits on present bitmap resize (regression in 3.12) - target/iscsi: Fix double free of a TUR followed by a solicited NOPOUT - [x86] ldt: Make modify_ldt synchronous - [x86] ldt: Correct LDT access in single stepping logic - [i386] ldt: Correct FPU emulation access to LDT - dm btree: add ref counting ops for the leaves of top level btrees - libfc: Fix fc_exch_recv_req() error path (regression in 3.13) - libfc: Fix fc_fcp_cleanup_each_cmd() - [x86] drm/vmwgfx: Fix execbuf locking issues - mm/hwpoison: fix page refcount of unknown non LRU page - ipc,sem: fix use after free on IPC_RMID after a task using same semaphore set exits - ipc/sem.c: change memory barrier in sem_lock() to smp_rmb() - ipc/sem.c: update/correct memory barriers - [mips*] Fix seccomp syscall argument for MIPS64 (regression in 3.15) - [i386] ldt: Further fix FPU emulation - ALSA: usb-audio: Fix runtime PM unbalance (regression in 3.15) - libata: Add factory recertified Crucial M500s to blacklist - [arm64] KVM: Fix host crash when injecting a fault into a 32bit guest - batman-adv: fix kernel crash due to missing NULL checks (regression in 3.16) - batman-adv: protect tt_local_entry from concurrent delete events - perf: Fix PERF_EVENT_IOC_PERIOD migration race (regression in 3.14) - net: Fix RCU splat in af_key - ip6_gre: release cached dst on tunnel removal - xen/gntdevt: Fix race condition in gntdev_release() - signalfd: fix information leak in signalfd_copyinfo - signal: fix information leak in copy_siginfo_to_user - signal: fix information leak in copy_siginfo_from_user32 . [ Ben Hutchings ] * [x86] vmwgfx: Enable DRM_VMWGFX_FBCON (Closes: #714929) * [x86] edac: Add edac_ie31200 driver from Linux 3.17 (Closes: #780773) * [mips*] Correct FP ISA requirements (Closes: #781892) * Revert "ACPICA: Utilities: split IO address types from data type models." to avoid ABI change on i386 * libata: add ATA_HORKAGE_NOTRIM * libata: force disable trim for SuperSSpeed S238 * block: Do a full clone when splitting discard bios (Closes: #793326) * [armel,sh4] linux-image: Recommend u-boot-tools rather than the obsolete uboot-mkimage package (Closes: #793608) * linux-source: Depend on xz-utils, not bzip2 (Closes: #796940) * [x86] i2c: i801: Use wait_event_timeout to wait for interrupts (Closes: #799786) * Adjust for migration to git: - Update .gitignore files - debian/control: Update Vcs-* fields - README.Debian, README.source: Update references to svn * media: uvcvideo: Disable hardware timestamps by default (Closes: #794327) . [ Ian Campbell ] * [xen] xen-netback: return correct ethtool stats (Closes: #786936) * of: make sure of_alias is initialized before accessing it. (Closes: #784053) . [ Uwe Kleine-König ] * Merge jessie-security changes . [ Aurelien Jarno ] * [mips*] Correct FP emulation delay slot exception propagation. * [mips*el/loongson3] Set Loongson 3 ISA to MIPS64R1 to correctly emulate the corresponding FP instructions. linux (3.16.7-ckt11-1+deb8u6~bpo70+1) wheezy-backports; urgency=medium . * Rebuild for wheezy: - Disable architectures that weren't part of wheezy - Use gcc-4.6 for all architectures - Change ABI number to 0.bpo.4 - [arm] btrfs: Work around bug in gcc-4.6 (fixes FTBFS) - linux-image: Depend on initramfs-tools without any alternatives, so that neither apt nor aptitude will automatically switch to dracut . linux (3.16.7-ckt11-1+deb8u6) jessie-security; urgency=medium . [ Salvatore Bonaccorso ] * KEYS: Fix race between key destruction and finding a keyring by name * KEYS: Fix crash when attempt to garbage collect an uninstantiated keyring (CVE-2015-7872) * KEYS: Don't permit request_key() to construct a new keyring . [ Ben Hutchings ] * usbvision: fix overflow of interfaces array (CVE-2015-7833) * RDS: fix race condition when sending a message on unbound socket (CVE-2015-7990) * [x86] KVM: Intercept #AC to avoid guest->host denial-of-service (CVE-2015-5307) . linux (3.16.7-ckt11-1+deb8u5) jessie-security; urgency=medium . [ Ben Hutchings ] * USB: whiteheat: fix potential null-deref at probe (CVE-2015-5257) * sctp: fix race on protocol/netns initialization (CVE-2015-5283) . [ Salvatore Bonaccorso ] * ipc: fully initialize sem_array before making it visible * ipc: Initialize msg/shm IPC objects before doing ipc_addid() (CVE-2015-7613) linux (3.16.7-ckt11-1+deb8u4) jessie-security; urgency=medium . * ipv6: addrconf: validate new MTU before applying it (CVE-2015-0272) * virtio-net: drop NETIF_F_FRAGLIST (CVE-2015-5156) * vhost: actually track log eventfd file (CVE-2015-6252) * aufs3: mmap: Fix races in madvise_remove() and sys_msync() (Closes: #796036) * RDS: verify the underlying transport exists before creating a connection (CVE-2015-6937) * vfs: Fix possible escape from mount namespace (CVE-2015-2925): - namei: lift (open-coded) terminate_walk() in follow_dotdot_rcu() into callers - dcache: Handle escaped paths in prepend_path - vfs: Test for and handle paths that are unreachable from their mnt_root linux (3.16.7-ckt11-1+deb8u4~bpo70+1) wheezy-backports; urgency=medium . * Rebuild for wheezy: - Disable architectures that weren't part of wheezy - Use gcc-4.6 for all architectures - Change ABI number to 0.bpo.4 - [arm] btrfs: Work around bug in gcc-4.6 (fixes FTBFS) - linux-image: Depend on initramfs-tools without any alternatives, so that neither apt nor aptitude will automatically switch to dracut . linux (3.16.7-ckt11-1+deb8u4) jessie-security; urgency=medium . * ipv6: addrconf: validate new MTU before applying it (CVE-2015-0272) * virtio-net: drop NETIF_F_FRAGLIST (CVE-2015-5156) * vhost: actually track log eventfd file (CVE-2015-6252) * aufs3: mmap: Fix races in madvise_remove() and sys_msync() (Closes: #796036) * RDS: verify the underlying transport exists before creating a connection (CVE-2015-6937) * vfs: Fix possible escape from mount namespace (CVE-2015-2925): - namei: lift (open-coded) terminate_walk() in follow_dotdot_rcu() into callers - dcache: Handle escaped paths in prepend_path - vfs: Test for and handle paths that are unreachable from their mnt_root linux-tools (3.16.7-ckt20-1) jessie; urgency=medium . * New upstream stable update - perf session: Do not fail on processing out of order event - tools lib traceevent kbuffer: Remove extra update to data pointer in PADDING - kconfig: Fix warning "‘jump’ may be used uninitialized" - scripts/sortextable: suppress warning: `relocs_size' may be used uninitialized - perf symbols: Store if there is a filter in place - perf hists browser: Take the --comm, --dsos, etc filters into account - perf hists: Update the column width for the "srcline" sort key - perf stat: Get correct cpu id for print_aggr - perf header: Fixup reading of HEADER_NRCPUS feature - tools lib traceevent: Fix string handling in heterogeneous arch environments - perf tools: Fix copying of /proc/kcore . [ Ben Hutchings ] * [x86] Add hyperv-daemons package, thanks to Hideki Yamane (closes: #782761) - Apply upstream bug fixes up to Linux 4.1 inclusive * Adjust for migration to git: - Update .gitignore files - debian/control: Update Vcs-* fields - debian/rules: Exclude .git from maintainerclean rule * debian/lib/python/debian_linux/debian.py: Change package version regexp to match linux package lldpd (0.7.11-2+deb8u1) jessie; urgency=medium . * Fix a segfault when receiving incorrectly formed LLDP management addresses: - 0001-lldp-fix-a-buffer-overflow-when-handling-management-.patch * Fix an assert error when receiving incorrectly formed LLDP management addresses: - 0002-protocols-don-t-use-assert-on-paths-that-can-be-reac.patch lxc (1:1.0.6-6+deb8u2) jessie-security; urgency=high . * CVE-2015-1335: prevent local containment administrator from escaping container via symlink attack. (Closes: #800471). Also include 2 followup patches that fixed regressions in the original fix. Patches obtained from the Ubuntu package: - 0020-CVE-2015-1335.patch - 0021-CVE-2015-1335-2.patch - 0022-CVE-2015-1335-3.patch lxc (1:1.0.6-6+deb8u2~bpo70+1) wheezy-backports; urgency=high . * Rebuild for wheezy-backports. madfuload (1.2-4+deb8u1) jessie; urgency=medium . * Non-maintainer upload. * Use autoreconf -fi to fix FTBFS with automake 1.14. (Closes: #793190) mariadb-10.0 (10.0.22-0+deb8u1) jessie-security; urgency=high . [ Otto Kekäläinen ] * New upstream release 10.0.22. Includes fixes for the following security vulnerabilities (Closes: #802874): - CVE-2015-4802 - CVE-2015-4807 - CVE-2015-4815 - CVE-2015-4826 - CVE-2015-4830 - CVE-2015-4836 - CVE-2015-4858 - CVE-2015-4861 - CVE-2015-4870 - CVE-2015-4913 - CVE-2015-4792 * New release includes updated man pages (Closes: #779992) * Add CVE IDs to previous changelog entries . [ Arnaud Fontaine ] * New upstream release 10.0.21. + Refreshed debian/patches/*. + Upstream changed mysqld_safe_syslog.cnf to fix logging error + Includes fixes the following security vulnerabilities: - CVE-2015-4816 - CVE-2015-4819 - CVE-2015-4879 - CVE-2015-4895 mariadb-10.0 (10.0.21-3) unstable; urgency=low . * Updated Brazilian Portuguese translation (Closes: #798048) * Upload 10.0.21 and all changes tested initially in experimental to unstable. Now sensible as mysql-5.6 has entered testing. mariadb-10.0 (10.0.21-2) experimental; urgency=low . * Update gdb.conf to have tags signed by default * Add CVE IDs to previous changelog entries * Pass DEB_BUILD_ARCH to CMake options to enhance buils on some platforms * Test suite failures are now fatal on all platforms and not ignored anywhere * Revert most of commit 579282f and re-enable Mroonga mariadb-10.0 (10.0.21-1) experimental; urgency=low . [ Otto Kekäläinen ] * Created libmariadbd18 and moved .so file from libmariadbd-dev there * Reproducible build improvement: Add LC_ALL=C to mysql.sym sort command * New upstream release. - Upstream added skip_log_error to mysqld_safe config (Closes: #781945) - Diffie-Helman modulus increased to 2048-bits (Closes: #788905) * Split mariadb-test-data-10.0 out of the main test package. This will save disk space in Debian archives as the arch independent data files are in one single package that can be used on all platforms and the package that is built on multiple platform shrinks significantly. . [ Jean Weisbuch ] * The MYCHECK_RCPT variable can now be set from the default file. * The check_for_crashed_tables() function on the debian-start script has been fixed to be able to log (and email) the errors it encountered : Errors are sent to stderr by the CLI while only stdout was captured by the function. * The same function now also checks Aria tables along with MyISAM ones. mariadb-10.0 (10.0.20-3) unstable; urgency=medium . [ Andreas Beckmann ] * mariadb-common: Depend on a version of mysql-common that ships /usr/share/mysql-common/configure-symlinks. (Closes: #787533) * mariadb-common.postinst: Drop fallback my.cnf symlink management. * mariadb-common.preinst: Clean up my.cnf/my.cnf.old from the fallback. . [ Otto Kekäläinen ] * Clean up old cruft from rules file after review by Sergei Golubchik * Unified config file layout with upstream .cnf layout * Recover mysql-upgrade dir/link handlig wrongly removed in f7caa041db * Minor Lintian and documentation fixes * Switch 'nm -n' to 'nm --defined-only' to improve reproducible builds . [ Olaf van der Spek ] * Minor spell checking (Closes: #792123) . [ Israel Tsadok ] * Fix mariadb-server-10.0.preinst script that failed to save a new /var/lib/mysql-upgrade/DATADIR.link if a previous DATADIR.link existed and the /var/lib/mysql directory was a symbolic link with an absolute path as target (Closes: #792918) . [ Jean Weisbuch ] * Added a Debian default file for the mariadb-server-10.0 package which allows one to set the MYSQLD_STARTUP_TIMEOUT variable used in the init script mariadb-10.0 (10.0.20-2) unstable; urgency=low . * Fix bash test logic in postinstall (Closes: #789589) * Add extra sort in d/rules mysqld.sym.gz command to satisfy Debian reproducible build requirements * Switch to utf8mb4 as default character set mariadb-10.0 (10.0.20-1) unstable; urgency=low . * New upstream release. Includes fix for the following security vulnerability: - CVE-2015-3152: Client command line option --ssl-verify-server-cert (and MYSQL_OPT_SSL_VERIFY_SERVER_CERT option of the client API) when used together with --ssl will ensure that the established connection is SSL-encrypted and the MariaDB server has a valid certificate. * New release includes fix for memory corruption on arm64 (Closes: #787221) * Added patch to enhance build reproducibility regarding the file INFO_BIN mariadb-10.0 (10.0.20-0+deb8u1) jessie-security; urgency=high . [ Otto Kekäläinen ] * New upstream release 10.0.20. Includes fixes for the following security vulnerabilities: - CVE-2015-3152: Client command line option --ssl-verify-server-cert (and MYSQL_OPT_SSL_VERIFY_SERVER_CERT option of the client API) when used together with --ssl will ensure that the established connection is * Includes fixes done in 10.0.18 for the following security vulnerabilities: - CVE-2014-8964 bundled PCRE contained heap-based buffer overflow vulnerability that allowed the server to crash or have other unspecified impact via a crafted regular expression made possible with the REGEXP_SUBSTR function (MDEV-8006). - CVE-2015-0501 - CVE-2015-2571 - CVE-2015-0505 - CVE-2015-0499 * Includes fixes done in 10.0.17 for the following security vulnerabilities: - CVE-2015-2568 - CVE-2015-2573 - CVE-2015-0433 - CVE-2015-0441 * Import of 10.0.17 included updated lines to the mariadb-server-10.0.postinst (upstream commit dc94bd0) which add parameter '--disable-log-bin' to the 'mysql_install_db' and 'mysqld --bootstrap' commands * Security: improved hardening flags (hardening=+all,-pie) so that the resulting binaries would have closer to the same security features as the old binaries had when built using deprecated hardening-wrapper. * Removed /var/log/mysql.log from logrotate. No mysql related log should be directly under /var/log. The correct place is in /var/log/mysql * d/control: Related to innochecksum manpage move, also break/replace the mysql-client-5.5/6 packages (Closes: #779873) * Documentation changes: * Updated Swedish translation by Martin Bagge and Anders Jonsson (Closes: #781684) * Updated copyright file based on Lintian feedback . [ Robie Basak ] * Move innochecksum back to mariadb-server-core-10.0 to align with other variants (LP: #1421520). . [ Jan Wagner ] * Adding mysqld_multi.server_lsb-header.patch, provides LSB headers for example initscript (Closes: #778762) * Adding mysqld_multi_confd.patch, makes mysqld_multi reading conf.d (Closes: #778761) mariadb-10.0 (10.0.19-1) unstable; urgency=low . * New upstream release. Fixed the server crash caused by mysql_upgrade (MDEV-8115). * Upload to unstable from master branch as Jessie is not released. mariadb-10.0 (10.0.18-1~exp1) experimental; urgency=low . * New upstream release. Includes fixes for the following security vulnerabilities: - CVE-2014-8964 bundled PCRE contained heap-based buffer overflow vulnerability that allowed the server to crash or have other unspecified impact via a crafted regular expression made possible with the REGEXP_SUBSTR function (MDEV-8006). - CVE-2015-0501 - CVE-2015-2571 - CVE-2015-0505 - CVE-2015-0499 * Cleanup in d/copyright * Make the mariadb-common depends versioned to guarantee that latest config files are installed mariadb-10.0 (10.0.17-1) unstable; urgency=low . [ Robie Basak ] * Move innochecksum back to mariadb-server-core-10.0 to align with other variants (LP: #1421520). . [ Jan Wagner ] * Adding mysqld_multi.server_lsb-header.patch, provides LSB headers for example initscript (Closes: #778762) * Adding mysqld_multi_confd.patch, makes mysqld_multi reading conf.d (Closes: #778761) . [ Otto Kekäläinen ] * New upstream release * Remove /var/log/mysql.log from logrotate. Everything should be inside the mysql directory (/var/log/mysql/) and not directly on plain /var/log * d/control: Related to innochecksum manpage move, also break/replace the mysql-client-5.5/6 packages (Closes: #779873) * New release confirmed to build with GCC-5 (Closes: #777996) * Updated Swedish translation by Martin Bagge and Anders Jonsson (Closes: #781684) mariadb-10.0 (10.0.17-1~exp2) experimental; urgency=low . * d/control: Related to innochecksum manpage move, also break/replace the mysql-client-5.5/6 packages (Closes: #779873) * Add automatic fallback to the new /etc/mysql/my.cnf management scheme for cases where mysql-common/configure-symlinks is not yet available and users complain the installation ends up broken. * New release confirmed to build with GCC-5 (Closes: #777996) mariadb-10.0 (10.0.17-1~exp1) experimental; urgency=low . [ Jan Wagner ] * Adding mysqld_multi.server_lsb-header.patch, provides LSB headers for example initscript (Closes: #778762) * Adding mysqld_multi_confd.patch, makes mysqld_multi reading conf.d (Closes: #778761) . [ Robie Basak ] * Move innochecksum back to mariadb-server-core-10.0 to align with other variants (LP: #1421520). * Fix typo in mariadb-server-10.0.postinst. * Fix typo in postinst mktemp call (LP: #1420831). . [ Arnaud Fontaine ] * d/control: innochecksum manpage has been moved to mariadb-client-10.0 in 10.0.13-1 (ba97056), thus add Breaks/Replaces in mariadb-client-10.0 against mariadb-server-10.0 << 10.0.13-1~. . [ Otto Kekäläinen ] * Follow to new /etc/mysql/my.cnf management scheme * Remove the my.cnf move command as it increases complexity too much and might emit an error code if mariadb-common is upgraded before mysql-common is. * Add patch to enhance build reproducibility * Remove /var/log/mysql.log from logrotate. Everything should be inside the mysql directory (/var/log/mysql/) and not directly on plain /var/log * New upstream release mdadm (3.3.2-5+deb8u1) jessie; urgency=medium . * Non-maintainer upload. * disable-incremental-assembly.patch: incremental assembly prevents booting in degraded mode (Closes: #784070) miniupnpc (1.9.20140610-2+deb8u1) jessie-security; urgency=high . * Non-maintainer upload by the Security Team. * Add CVE-2015-6031.patch patch. CVE-2015-6031: Buffer overflow vulnerability in XML parser functionality. (Closes: #802650) mkvmlinuz (37+deb8u1) stable; urgency=medium . * Push run-parts output to stderr. (Closes: #741642) monit (1:5.9-1+deb8u1) jessie; urgency=medium . * Fix umask-related regression between 5.8.1 and 5.9 (Closes: #796989) mpm-itk (2.4.7-02-1.1+deb8u1) stable; urgency=medium . * Upload to stable to fix an RC bug. * 01-close-socket-in-correct-process.diff: New patch from upstream. Fix an issue where connections would be attempted closed in the parent instead of in the child. This would result in "Connection: close" not being honored, and various odd effects with SSL keepalive in certain browsers. (Closes: #798108) multipath-tools (0.5.0-6+deb8u2) jessie; urgency=medium . * fix discovery of devices with blank rev - 0014-libmultipath-discovery-blank-rev-attr.patch: * Updates for compatibility with commit "multipath: Implement 'property' blacklist". - 0015-libmultipath-property-whitelist-SCSI_IDENT.patch Thanks to Mauricio Faria de Oliveira (Closes: #782400, #782488) * [5ffc2f4] Add documentation to cover additional friendly names scenarios. Thanks to Scott Moser (Closes: #788841) * [af3f228] init: Fix stop failure when no root device is found (Closes: #795278) * [b77859e] Add debian/gbp.conf to use pristine-tar branch mysql-5.5 (5.5.46-0+deb8u1) jessie-security; urgency=high . * Non-maintainer upload by the Security Team. * Imported Upstream version 5.5.46 to fix security issues: - http://www.oracle.com/technetwork/topics/security/cpuoct2015-2367953.html - CVE-2015-4792 CVE-2015-4802 CVE-2015-4815 CVE-2015-4816 CVE-2015-4819 CVE-2015-4826 CVE-2015-4830 CVE-2015-4836 CVE-2015-4858 CVE-2015-4861 CVE-2015-4870 CVE-2015-4879 CVE-2015-4913 (Closes: #802564) * Add fix-test-suite-failure-caused-by-arbitrary-date-in-the-future.patch. Fix test suite failure caused by arbitrary date in the future. Thanks to Marc Deslauriers mysql-5.5 (5.5.46-0+deb7u1) wheezy-security; urgency=high . * Non-maintainer upload by the Security Team. * Imported Upstream version 5.5.46 to fix security issues: - http://www.oracle.com/technetwork/topics/security/cpuoct2015-2367953.html - CVE-2015-4792 CVE-2015-4802 CVE-2015-4815 CVE-2015-4816 CVE-2015-4819 CVE-2015-4826 CVE-2015-4830 CVE-2015-4836 CVE-2015-4858 CVE-2015-4861 CVE-2015-4870 CVE-2015-4879 CVE-2015-4913 (Closes: #802564) * Add fix-test-suite-failure-caused-by-arbitrary-date-in-the-future.patch. Fix test suite failure caused by arbitrary date in the future. Thanks to Marc Deslauriers * Add revert-to-_sync_lock_test_and_set.patch. Fixes FTBFS on arm and powerpw by reverting to __sync_lock_test_and_set. The gcc version in wheezy is too old to have __atomic_*. Thanks to Marc Deslauriers for the patch. mysql-5.5 (5.5.46-0+deb6u1) squeeze-lts; urgency=high . * Non-maintainer upload by the Squeeze LTS Team. * Backport mysql-5.5 to squeeze from wheezy (Thanks to Salvatore Bonaccorso ). * Drop unversioned packages: libmysqld-pic, libmysqld-dev, libmysqlclient-dev: - Remove debian/install,dir files: libmysqlclient-dev.* libmysqld-dev.* libmysqld-pic.* * debian/control: - Remove Build-Depends on doxygen-latex - mysql-server-5.5: * Remove Replaces and Breaks: libmysqlclient-dev ( << 5.5.17~) * Remove versioned dependency on initscripts. 2.88dsf-13.3 not available on squeeze. * Provides: mysql-server - Move mysql-common to mysql-common-5.5: * Create a new mysql-common-5.5 package to avoid dist-upgrade to upgrade mysql-common (5.1). * Conflicts: mysql-common (>> ${source:Version}) for a clean upgrade to wheezy. * Remove Breaks: mysql-common - mysql-server and mysql-client include Depends: on mysql-server-5.1 and mysql-client-5.1. * debian/compat: Move from 9 to 8 * debian/patches: - 71_disable_rpl_tests.patch: * Add rpl_innodb_bug28430 to disabled tests. * Really disable fix +rpl_heartbeat_basic. * debian/rules: - Remove multiarch support - Remove specific override_dh_command-arch targets (supported by debhelper >= 8.9.7). netcfg (1.131+deb8u1) stable; urgency=medium . * Fix is_layer3_qeth on s390x to avoid bailing out if the network driver is not qeth. (Closes: #798376) nspr (2:4.10.7-1+deb8u1) jessie-security; urgency=high . * Non-maintainer upload. * Fix CVE-2015-7183, mfsa-2015-133: heap-buffer overflow in PL_ARENA_ALLOCATE ntp (1:4.2.6.p5+dfsg-7+deb8u1) jessie-security; urgency=medium . * Fix CVE-2015-7850 * Fix CVE-2015-7704 * Fix CVE-2015-7701 * Fix CVE-2015-7852 * Fix CVE-2015-7851 * Fix CVE-2015-7855 * Fix CVE-2015-7871 * Rename CVE-2014-9297.patch to CVE-2014-9750.patch * Rename CVE-2014-9298.patch to CVE-2014-9751.patch * Rename bug-2797.patch to CVE-2015-3405.patch * FIX CVE-2015-5146 * FIX CVE-2015-5194 * FIX CVE-2015-5195 * FIX CVE-2015-7703 * FIX CVE-2015-5219 * FIX CVE-2015-5300 * FIX CVE-2015-7691, CVE-2015-7692, CVE-2015-7702 * Add build-depends on bison since one of the patches update the .y file. ntp (1:4.2.6.p5+dfsg-7+deb7u1) jessie-security; urgency=medium . * Fix CVE-2015-7850 * Fix CVE-2015-7704 * Fix CVE-2015-7701 * Fix CVE-2015-7852 * Fix CVE-2015-7853 * Fix CVE-2015-7851 * Fix CVE-2015-7705 * Fix CVE-2015-7855 * Fix CVE-2015-7871 * Rename CVE-2014-9297.patch to CVE-2014-9750.patch and add missing patch. * Rename CVE-2014-9298.patch to CVE-2014-9751.patch * Rename bug-2797.patch to CVE-2015-3405.patch * FIX CVE-2015-5146 * FIX CVE-2015-5194 * FIX CVE-2015-5195 * FIX CVE-2015-5196 * FIX CVE-2015-5219 * FIX CVE-2015-5300 * FIX CVE-2015-7691, CVE-2015-7962, CVE-2015-7702 * Add build-depends on bison since one of the patches update the .y file. nvidia-graphics-drivers (340.96-1) jessie; urgency=medium . * New upstream legacy 340xx branch release 340.96 (2015-11-16). * Fixed CVE-2015-7869: Unsanitized User Mode Input. (Closes: #805917) * Merge changes from 304.131-1. * Add xorg-video-abi-20 as alternative dependency. * conftest.h: - Implement new conftest.sh functions hlist_for_each_entry, of_parse_phandle, for_each_online_node, node_end_pfn (358.09). - Update conftest.sh function scatterlist for logic reversal in 304.131/340.96/352.63, support both ways. * d/rules: Move tar option --no-recursion before the list of files. * d/control: Make dependencies on nvidia-alternative strictly versioned to prevent partial upgrades. * d/module/debian/control.template: Add armhf to the Architecture list, otherwise module-assistant can't build any module packages from nvidia-kernel-source on armhf. * Upload to jessie. nvidia-graphics-drivers (340.96-1~bpo70+1) wheezy-backports; urgency=medium . * Rebuild for wheezy-backports. . nvidia-graphics-drivers (340.96-1) jessie; urgency=medium . * New upstream legacy 340xx branch release 340.96 (2015-11-16). * Fixed CVE-2015-7869: Unsanitized User Mode Input. (Closes: #805917) * Improved compatibility with recent Linux kernels. * Merge changes from 304.131-1. * Add xorg-video-abi-20 as alternative dependency. * conftest.h: - Implement new conftest.sh functions hlist_for_each_entry, of_parse_phandle, for_each_online_node, node_end_pfn (358.09). - Update conftest.sh function scatterlist for logic reversal in 304.131/340.96/352.63, support both ways. * d/rules: Move tar option --no-recursion before the list of files. * d/control: Make dependencies on nvidia-alternative strictly versioned to prevent partial upgrades. * d/module/debian/control.template: Add armhf to the Architecture list, otherwise module-assistant can't build any module packages from nvidia-kernel-source on armhf. * Upload to jessie. nvidia-graphics-drivers (340.93-8) unstable; urgency=medium . * nvidia-detect: Fix lspci call if there are multiple NVIDIA GPUs installed and report driver support for each of them. (Closes: #804073) * bug-control: Report status of bumblebee and bumblebee-nvidia. * nvidia-alternative.postinst: Activate the register-glx-alternative-nvidia trigger with --no-await. * Update documentation to use update-glx to configure the 'nvidia' and 'glx' alternatives. nvidia-graphics-drivers (340.93-8~bpo8+1) jessie-backports; urgency=medium . * Rebuild for jessie-backports. . nvidia-graphics-drivers (340.93-8) unstable; urgency=medium . * nvidia-detect: Fix lspci call if there are multiple NVIDIA GPUs installed and report driver support for each of them. (Closes: #804073) * bug-control: Report status of bumblebee and bumblebee-nvidia. * nvidia-alternative.postinst: Activate the register-glx-alternative-nvidia trigger with --no-await. * Update documentation to use update-glx to configure the 'nvidia' and 'glx' alternatives. . nvidia-graphics-drivers (340.93-7) unstable; urgency=medium . * Ship the NEWS in xserver-xorg-video-nvidia and nvidia-kernel-dkms, too. * Bump glx-alternative-nvidia dependency to (>= 0.7) for Xorg autoconfig. . nvidia-graphics-drivers (340.93-6) unstable; urgency=medium . * nvidia-opencl-icd: Restore the Depends: libcuda1. * d/rules: Move tar option --no-recursion before the list of files. * Bump dependency to nvidia-kernel-common (>= 20151021) which no longer applies non-default permissions on the /dev/nvidia* device nodes. (See: #801598, #801869) (Closes: #801191, #801097) * nvidia-modprobe.conf: Re-enable the PCI ID matching aliases. . nvidia-graphics-drivers (340.93-5) unstable; urgency=medium . [ Andreas Beckmann ] * Merge changes from 304.128-1 (wheezy) and 340.93-0+deb8u1 (jessie). * nvidia-kernel-support: Ship nvidia-modprobe.conf (previously in nvidia-alternative), managed via nvidia-alternative. * nvidia-kernel-support: Ship nvidia-blacklists-nouveau.conf and nvidia-load.conf, managed via nvidia-alternative. * Reroute all kernel module dependencies through nvidia-kernel-support. (Closes: #801298) * nvidia-modprobe.conf: Temporarily disable the PCI-ID-match aliases and go back to insecure default permissions (root:root 0666). (See: #801869) * Xorg autoconfig does not cause the permission issues. (See: #801598) * Update lintian overrides. . [ Luca Boccassi ] * arm-outer-sync.patch: New patch to fix armhf kernel module build for Linux 4.3. * conftest.h: - Implement new conftest.sh functions hlist_for_each_entry, of_parse_phandle, for_each_online_node, node_end_pfn (358.09). . nvidia-graphics-drivers (340.93-4) unstable; urgency=medium . [ Andreas Beckmann ] * Update lintian overrides. * bug-script: Report device node permissions. * bug-control, bug-script: Report information about CUDA libraries. * libcuda1: Provides: libcuda1-any. * xserver-xorg-video-nvidia: Ship nvidia-drm-outputclass.conf, managed via nvidia-alternative. * Add nvidia-kernel-support package. . [ Luca Boccassi ] * seq-printf.patch: New patch to fix kernel module build for Linux 4.3. nvidia-graphics-drivers (340.93-7) unstable; urgency=medium . * Ship the NEWS in xserver-xorg-video-nvidia and nvidia-kernel-dkms, too. * Bump glx-alternative-nvidia dependency to (>= 0.7) for Xorg autoconfig. nvidia-graphics-drivers (340.93-6) unstable; urgency=medium . * nvidia-opencl-icd: Restore the Depends: libcuda1. * d/rules: Move tar option --no-recursion before the list of files. * Bump dependency to nvidia-kernel-common (>= 20151021) which no longer applies non-default permissions on the /dev/nvidia* device nodes. (See: #801598, #801869) (Closes: #801191, #801097) * nvidia-modprobe.conf: Re-enable the PCI ID matching aliases. nvidia-graphics-drivers (340.93-5) unstable; urgency=medium . [ Andreas Beckmann ] * Merge changes from 304.128-1 (wheezy) and 340.93-0+deb8u1 (jessie). * nvidia-kernel-support: Ship nvidia-modprobe.conf (previously in nvidia-alternative), managed via nvidia-alternative. * nvidia-kernel-support: Ship nvidia-blacklists-nouveau.conf and nvidia-load.conf, managed via nvidia-alternative. * Reroute all kernel module dependencies through nvidia-kernel-support. (Closes: #801298) * nvidia-modprobe.conf: Temporarily disable the PCI-ID-match aliases and go back to insecure default permissions (root:root 0666). (See: #801869) * Xorg autoconfig does not cause the permission issues. (See: #801598) * Update lintian overrides. . [ Luca Boccassi ] * Add patch to fix armhf kernel module build failure on 4.3 * conftest.h: - Implement new conftest.sh functions hlist_for_each_entry, of_parse_phandle, for_each_online_node, node_end_pfn (358.09). nvidia-graphics-drivers (340.93-4) unstable; urgency=medium . [ Andreas Beckmann ] * Update lintian overrides. * bug-script: Report device node permissions. * bug-control, bug-script: Report information about CUDA libraries. * libcuda1: Provides: libcuda1-any. * xserver-xorg-video-nvidia: Ship nvidia-drm-outputclass.conf, managed via nvidia-alternative. * Add nvidia-kernel-support package. . [ Luca Boccassi ] * Add patch to fix kernel module build failure on 4.3 nvidia-graphics-drivers (340.93-3) unstable; urgency=medium . * Revert glx-alternative-nvidia dependency to (>= 0.5) because Xorg autoconfig causes some permission issues (see: #799948). * Document the permission issues. nvidia-graphics-drivers (340.93-3~bpo8+1) jessie-backports; urgency=medium . * Rebuild for jessie-backports. * nvidia-kernel-*: [i386] Restore support for building amd64 kernel modules, jessie still has linux-image-amd64:i386. (Closes: #800554) . nvidia-graphics-drivers (340.93-3) unstable; urgency=medium . * Revert glx-alternative-nvidia dependency to (>= 0.5) because Xorg autoconfig causes some permission issues (see: #799948). * Document the permission issues. . nvidia-graphics-drivers (340.93-2) unstable; urgency=medium . * nvidia-modprobe.conf: (Closes: #798207) - Don't use aliases for the renamed modules, only use install and remove commands. - Remodel the nvidia-uvm -> nvidia dependency via an install command. - Duplicate the module's built-in PCI-ID-match aliases to ensure they cause the virtual "nvidia" module to be loaded instead of a random one. * Drop instructions and debconf notes about manual xorg.conf creation. The driver now integrates with Xorg s.t. it is automatically detected and loaded if selected as the glx alternative. (Closes: #586502, #612093) * Add NEWS entry about no longer requiring manual xorg.conf creation. * Bump glx-alternative-nvidia dependency to (>= 0.6) for Xorg autoconfig. * libgl1-nvidia-glx: Add Provides+Conflicts: libgl1-nvidia-glx-${nvidia:Version} to forbid co-installation of libgl1-nvidia-legacy-304xx-glx from the same upstream version due to file conflicts on versioned files that are not handled via alternatives. . nvidia-graphics-drivers (340.93-1) unstable; urgency=medium . * New upstream legacy 340xx branch release 340.93 (2015-09-02). * Fixed CVE-2015-5950: Memory corruption due to an unsanitized pointer. (Closes: #800566) - Fixed a bug that caused the X server to crash if an OpenGL application tried to allocate a drawable when GPU-accessible memory is exhausted. - Fixed a bug that could cause an Xid error when terminating a video playback application using the overlay presentation queue in VDPAU. - Fixed a rare deadlock condition when running applications that use OpenGL in multiple threads on a Quadro GPU. - Fixed a bug which caused truncation of the EGLAttribEXT value returned by eglQueryDeviceAttribEXT() on 64-bit systems. - Fixed a kernel memory leak that occurred when looping hardware- accelerated video decoding with VDPAU on Maxwell-based GPUs. - Fixed a bug that caused the X server to crash if a RandR 1.4 output provided by a Sink Output provider was selected as the primary output on X.Org xserver 1.17 and higher. - Fixed a bug that caused waiting on X Sync Fence objects in OpenGL to hang indefinitely in some cases. - Fixed a bug that prevented OpenGL from properly recovering from hardware errors or sync object waits that had timed out. * Improved compatibility with recent Linux kernels. * fixes-for-kernel-4.0.0.patch: Remove, fixed upstream. * conftest.h: - Implement new conftest.sh function nvidia_grid_build (352.41). * Update lintian overrides. * nvidia-driver-bin, libnvidia-compiler, libnvidia-eglcore: Add Provides+Conflicts: $pkg-${nvidia:Version} to forbid co-installation with the respective legacy packages from the same upstream version due to file conflicts on versioned files are not handled via alternatives. * bug-script: Report file information in arm-linux-gnueabihf directories. * bug-script: Collect information from /etc/modules{,-load.d/}. * nvidia-driver: Add Recommends: nvidia-persistenced. nvidia-graphics-drivers (340.93-2) unstable; urgency=medium . * nvidia-modprobe.conf: (Closes: #798207) - Don't use aliases for the renamed modules, only use install and remove commands. - Remodel the nvidia-uvm -> nvidia dependency via an install command. - Duplicate the module's built-in PCI-ID-match aliases to ensure they cause the virtual "nvidia" module to be loaded instead of a random one. * Drop instructions and debconf notes about manual xorg.conf creation. The driver now integrates with Xorg s.t. it is automatically detected and loaded if selected as the glx alternative. (Closes: #586502, #612093) * Add NEWS entry about no longer requiring manual xorg.conf creation. * Bump glx-alternative-nvidia dependency to (>= 0.6) for Xorg autoconfig. * libgl1-nvidia-glx: Add Provides+Conflicts: libgl1-nvidia-glx-${nvidia:Version} to forbid co-installation of libgl1-nvidia-legacy-304xx-glx from the same upstream version due to file conflicts on versioned files that are not handled via alternatives. nvidia-graphics-drivers (340.93-1) unstable; urgency=medium . * New upstream legacy 340xx branch release 340.93 (2015-09-02). - Fixed a bug that caused the X server to crash if an OpenGL application tried to allocate a drawable when GPU-accessible memory is exhausted. - Fixed a bug that could cause an Xid error when terminating a video playback application using the overlay presentation queue in VDPAU. - Fixed a rare deadlock condition when running applications that use OpenGL in multiple threads on a Quadro GPU. - Fixed a bug which caused truncation of the EGLAttribEXT value returned by eglQueryDeviceAttribEXT() on 64-bit systems. - Fixed a kernel memory leak that occurred when looping hardware- accelerated video decoding with VDPAU on Maxwell-based GPUs. - Fixed a bug that caused the X server to crash if a RandR 1.4 output provided by a Sink Output provider was selected as the primary output on X.Org xserver 1.17 and higher. - Fixed a bug that caused waiting on X Sync Fence objects in OpenGL to hang indefinitely in some cases. - Fixed a bug that prevented OpenGL from properly recovering from hardware errors or sync object waits that had timed out. * Improved compatibility with recent Linux kernels. * fixes-for-kernel-4.0.0.patch: Remove, fixed upstream. * conftest.h: - Implement new conftest.sh function nvidia_grid_build (352.41). * Update lintian overrides. * nvidia-driver-bin, libnvidia-compiler, libnvidia-eglcore: Add Provides+Conflicts: $pkg-${nvidia:Version} to forbid co-installation with the respective legacy packages from the same upstream version due to file conflicts on versioned files. * bug-script: Report file information in arm-linux-gnueabihf directories. * bug-script: Collect information from /etc/modules{,-load.d/}. * nvidia-driver: Add Recommends: nvidia-persistenced. nvidia-graphics-drivers (340.93-0+deb8u1) jessie; urgency=medium . * New upstream legacy 340xx branch release 340.93 (2015-09-02). * Fixed CVE-2015-5950: Memory corruption due to an unsanitized pointer. (Closes: #800566) - Fixed a bug that caused the X server to crash if an OpenGL application tried to allocate a drawable when GPU-accessible memory is exhausted. - Fixed a bug that could cause an Xid error when terminating a video playback application using the overlay presentation queue in VDPAU. - Fixed a rare deadlock condition when running applications that use OpenGL in multiple threads on a Quadro GPU. - Fixed a bug which caused truncation of the EGLAttribEXT value returned by eglQueryDeviceAttribEXT() on 64-bit systems. - Fixed a kernel memory leak that occurred when looping hardware- accelerated video decoding with VDPAU on Maxwell-based GPUs. - Fixed a bug that caused the X server to crash if a RandR 1.4 output provided by a Sink Output provider was selected as the primary output on X.Org xserver 1.17 and higher. - Fixed a bug that caused waiting on X Sync Fence objects in OpenGL to hang indefinitely in some cases. - Fixed a bug that prevented OpenGL from properly recovering from hardware errors or sync object waits that had timed out. * Improved compatibility with recent Linux kernels. * fixes-for-kernel-4.0.0.patch: Remove, fixed upstream. * conftest.h: - Implement new conftest.sh function nvidia_grid_build (352.41). * Update lintian overrides. * nvidia-driver-bin, libnvidia-compiler, libnvidia-eglcore, libgl1-nvidia-glx: Add Provides+Conflicts: $pkg-${nvidia:Version} to forbid co-installation with the respective legacy packages from the same upstream version due to file conflicts on versioned files that are not handled via alternatives. * bug-script: Report file information in arm-linux-gnueabihf directories. * bug-script: Collect information from /etc/modules{,-load.d/}. * bug-script: Report device node permissions. * bug-control, bug-script: Report information about CUDA libraries. * nvidia-detect: Update list of newer PCI IDs from release 346.87. * Merge changes from 304.128-1. . nvidia-graphics-drivers (340.76-4) unstable; urgency=medium . [ Andreas Beckmann ] * README.source: Document my schroot setup for testing module compilation. * Update lintian overrides. . [ Luca Boccassi ] * conftest.h: - dma_map_ops and dma_ops are available for PPC and ARM too * Add ignore_xen_on_arm.patch needed for dkms build on armhf: armmp kernel headers ship with CONFIG_XEN enabled, which breaks the build, so since running this driver on XEN is currently not supported, ignore the check for XEN in nv-linux.h as a workaround on arm, and also disable CONFIG_XEN and CONFIG_XEN_DOM0 if building on <= 3.16. (Closes: #794435) * README.source: Document armhf setup for testing module compilation. . nvidia-graphics-drivers (340.76-3) unstable; urgency=medium . [ Vincent Cheng ] * nvidia-detect: Detect stretch as supported suite, and parse -h as --help. (Closes: #792801) . [ Luca Boccassi ] * Fix nvidia-modprobe.conf module unload ordering, to stop nvidia-uvm getting stuck until a second modprobe -r nvidia-current is issued. Fix provided by Jö Fahlke. Thanks! (Closes: #793386) . [ Andreas Beckmann ] * Add Luca Boccassi to Uploaders. * nvidia-driver, nvidia-kernel-*: Report the latest tested Linux version that can build the kernel module in the package description. * conftest.h: - Fix conftest.sh function write_cr4. - Implement new conftest.sh functions backing_dev_info (346.82), phys_to_dma, dma_ops, get_dma_ops, noncoherent_swiotlb_dma_ops (352.09). - Implement new conftest.sh function dma_map_ops (352.30). - Reorder conftest.h to match conftest.sh. . nvidia-graphics-drivers (340.76-2) unstable; urgency=medium . * fixes-for-kernel-4.0.0.patch: New patch to add support for Linux 4.0, thanks to Jessie Frazelle. (Closes: #781810) * conftest.h: - Implement check for linux/log2.h (346.16). - Implement check for xen/ioemu.h (346.59). - Implement new conftest.sh functions write_cr4, xen_ioemu_inject_msi (346.59), list_cut_position (349.12). * Split some old UNRELEASED changelog entries to linearize the BTS history. . nvidia-graphics-drivers (340.76-1) unstable; urgency=medium . * New upstream legacy 340xx branch release 340.76 (2015-01-27). - Fixed a bug that caused frequent AMD-Vi page faults on systems with some AMD 8xx/9xx-series chipsets when used with some NVIDIA GPUs. - Fixed a regression that could cause system crashes when terminating the X server on systems with an NVIDIA Quadro SDI Capture card installed. - Fixed a bug that caused audio over HDMI to not work on some GPUs while using a display that supports HDMI 3D. * Improved compatibility with recent Linux kernels. (Closes: #778698) * nvidia-kernel-source: Use reproducible timestamps and file order inside /usr/src/nvidia-kernel.tar.xz. * conftest.h: - Implement new conftest.sh functions file_inode, drm_pci_set_busid (340.76). nvidia-graphics-drivers (340.93-0+deb8u1~bpo70+1) wheezy-backports; urgency=medium . * Rebuild for wheezy-backports. * Replace 'dpkg-parsechangelog --show-field=Date' with a sed expression. . nvidia-graphics-drivers (340.93-0+deb8u1) jessie; urgency=medium . * New upstream legacy 340xx branch release 340.93 (2015-09-02). * Fixed CVE-2015-5950: Memory corruption due to an unsanitized pointer. (Closes: #800566) - Fixed a bug that caused the X server to crash if an OpenGL application tried to allocate a drawable when GPU-accessible memory is exhausted. - Fixed a bug that could cause an Xid error when terminating a video playback application using the overlay presentation queue in VDPAU. - Fixed a rare deadlock condition when running applications that use OpenGL in multiple threads on a Quadro GPU. - Fixed a bug which caused truncation of the EGLAttribEXT value returned by eglQueryDeviceAttribEXT() on 64-bit systems. - Fixed a kernel memory leak that occurred when looping hardware- accelerated video decoding with VDPAU on Maxwell-based GPUs. - Fixed a bug that caused the X server to crash if a RandR 1.4 output provided by a Sink Output provider was selected as the primary output on X.Org xserver 1.17 and higher. - Fixed a bug that caused waiting on X Sync Fence objects in OpenGL to hang indefinitely in some cases. - Fixed a bug that prevented OpenGL from properly recovering from hardware errors or sync object waits that had timed out. * Improved compatibility with recent Linux kernels. * fixes-for-kernel-4.0.0.patch: Remove, fixed upstream. * conftest.h: - Implement new conftest.sh function nvidia_grid_build (352.41). * Update lintian overrides. * nvidia-driver-bin, libnvidia-compiler, libnvidia-eglcore, libgl1-nvidia-glx: Add Provides+Conflicts: $pkg-${nvidia:Version} to forbid co-installation with the respective legacy packages from the same upstream version due to file conflicts on versioned files that are not handled via alternatives. * bug-script: Report file information in arm-linux-gnueabihf directories. * bug-script: Collect information from /etc/modules{,-load.d/}. * bug-script: Report device node permissions. * bug-control, bug-script: Report information about CUDA libraries. * nvidia-detect: Update list of newer PCI IDs from release 346.87. * Merge changes from 304.128-1. . nvidia-graphics-drivers (340.76-4) unstable; urgency=medium . [ Andreas Beckmann ] * README.source: Document my schroot setup for testing module compilation. * Update lintian overrides. . [ Luca Boccassi ] * conftest.h: - dma_map_ops and dma_ops are available for PPC and ARM too * Add ignore_xen_on_arm.patch needed for dkms build on armhf: armmp kernel headers ship with CONFIG_XEN enabled, which breaks the build, so since running this driver on XEN is currently not supported, ignore the check for XEN in nv-linux.h as a workaround on arm, and also disable CONFIG_XEN and CONFIG_XEN_DOM0 if building on <= 3.16. (Closes: #794435) * README.source: Document armhf setup for testing module compilation. . nvidia-graphics-drivers (340.76-3) unstable; urgency=medium . [ Vincent Cheng ] * nvidia-detect: Detect stretch as supported suite, and parse -h as --help. (Closes: #792801) . [ Luca Boccassi ] * Fix nvidia-modprobe.conf module unload ordering, to stop nvidia-uvm getting stuck until a second modprobe -r nvidia-current is issued. Fix provided by Jö Fahlke. Thanks! (Closes: #793386) . [ Andreas Beckmann ] * Add Luca Boccassi to Uploaders. * nvidia-driver, nvidia-kernel-*: Report the latest tested Linux version that can build the kernel module in the package description. * conftest.h: - Fix conftest.sh function write_cr4. - Implement new conftest.sh functions backing_dev_info (346.82), phys_to_dma, dma_ops, get_dma_ops, noncoherent_swiotlb_dma_ops (352.09). - Implement new conftest.sh function dma_map_ops (352.30). - Reorder conftest.h to match conftest.sh. . nvidia-graphics-drivers (340.76-2) unstable; urgency=medium . * fixes-for-kernel-4.0.0.patch: New patch to add support for Linux 4.0, thanks to Jessie Frazelle. (Closes: #781810) * conftest.h: - Implement check for linux/log2.h (346.16). - Implement check for xen/ioemu.h (346.59). - Implement new conftest.sh functions write_cr4, xen_ioemu_inject_msi (346.59), list_cut_position (349.12). * Split some old UNRELEASED changelog entries to linearize the BTS history. . nvidia-graphics-drivers (340.76-1) unstable; urgency=medium . * New upstream legacy 340xx branch release 340.76 (2015-01-27). - Fixed a bug that caused frequent AMD-Vi page faults on systems with some AMD 8xx/9xx-series chipsets when used with some NVIDIA GPUs. - Fixed a regression that could cause system crashes when terminating the X server on systems with an NVIDIA Quadro SDI Capture card installed. - Fixed a bug that caused audio over HDMI to not work on some GPUs while using a display that supports HDMI 3D. * Improved compatibility with recent Linux kernels. (Closes: #778698) * nvidia-kernel-source: Use reproducible timestamps and file order inside /usr/src/nvidia-kernel.tar.xz. * conftest.h: - Implement new conftest.sh functions file_inode, drm_pci_set_busid (340.76). nvidia-graphics-drivers (340.76-5) unstable; urgency=medium . * Drop obsolete transitional package nvidia-glx. * nvidia-kernel-*: [i386] Drop support for building amd64 kernel modules. * Overhaul arch-specific UVM support. * nvidia-detect: Add support for the upcoming nvidia-legacy-340xx-driver. * Rename nvidia-uvm.ko to nvidia-{current,legacy-*}-uvm.ko. nvidia-graphics-drivers (340.76-5~bpo8+1) jessie-backports; urgency=medium . * Rebuild for jessie-backports. (Closes: #795610) nvidia-graphics-drivers (340.76-4) unstable; urgency=medium . [ Andreas Beckmann ] * README.source: Document my schroot setup for testing module compilation. * Update lintian overrides. . [ Luca Boccassi ] * conftest.h: - dma_map_ops and dma_ops are available for PPC and ARM too * Add ignore_xen_on_arm.patch needed for dkms build on armhf: armmp kernel headers ship with CONFIG_XEN enabled, which breaks the build, so since running this driver on XEN is currently not supported, ignore the check for XEN in nv-linux.h as a workaround on arm, and also disable CONFIG_XEN and CONFIG_XEN_DOM0 if building on <= 3.16. (Closes: #794435) * README.source: Document armhf setup for testing module compilation. nvidia-graphics-drivers (340.76-3) unstable; urgency=medium . [ Vincent Cheng ] * nvidia-detect: Detect stretch as supported suite, and parse -h as --help. (Closes: #792801) . [ Luca Boccassi ] * Fix nvidia-modprobe.conf module unload ordering, to stop nvidia-uvm getting stuck until a second modprobe -r nvidia-current is issued. Fix provided by Jö Fahlke. Thanks! (Closes: #793386) . [ Andreas Beckmann ] * Add Luca Boccassi to Uploaders. * nvidia-driver, nvidia-kernel-*: Report the latest tested Linux version that can build the kernel module in the package description. * conftest.h: - Fix conftest.sh function write_cr4. - Implement new conftest.sh functions backing_dev_info (346.82), phys_to_dma, dma_ops, get_dma_ops, noncoherent_swiotlb_dma_ops (352.09). - Implement new conftest.sh function dma_map_ops (352.30). - Reorder conftest.h to match conftest.sh. nvidia-graphics-drivers (340.76-2) unstable; urgency=medium . * fixes-for-kernel-4.0.0.patch: New patch to add support for Linux 4.0, thanks to Jessie Frazelle. (Closes: #781810) * conftest.h: - Implement check for linux/log2.h (346.16). - Implement check for xen/ioemu.h (346.59). - Implement new conftest.sh functions write_cr4, xen_ioemu_inject_msi (346.59), list_cut_position (349.12). nvidia-graphics-drivers (340.76-1) unstable; urgency=medium . * New upstream legacy 340xx branch release 340.76 (2015-01-27). - Fixed a bug that caused frequent AMD-Vi page faults on systems with some AMD 8xx/9xx-series chipsets when used with some NVIDIA GPUs. - Fixed a regression that could cause system crashes when terminating the X server on systems with an NVIDIA Quadro SDI Capture card installed. - Fixed a bug that caused audio over HDMI to not work on some GPUs while using a display that supports HDMI 3D. * Improved compatibility with recent Linux kernels. (Closes: #778698) * nvidia-kernel-source: Use reproducible timestamps and file order inside /usr/src/nvidia-kernel.tar.xz. * conftest.h: - Implement new conftest.sh functions file_inode, drm_pci_set_busid (340.76) nvidia-graphics-drivers-legacy-304xx (304.131-1) jessie; urgency=medium . * New upstream legacy 304xx branch release 304.131 (2015-11-16). * Fixed CVE-2015-7869: Unsanitized User Mode Input. (Closes: #805918) - Fixed a bug that could cause texture corruption in some OpenGL applications when video memory is exhausted by a combination of simultaneously running graphical and compute workloads. - Added support for X.Org xserver ABI 20 (xorg-server 1.18). * Improved compatibility with recent Linux kernels. * Synchronize packaging with nvidia-graphics-drivers 340.96-1: - d/control: Make dependencies on nvidia-legacy-304xx-alternative strictly versioned to prevent partial upgrades. * Synchronize packaging with nvidia-graphics-drivers 304.131-1: - Add xorg-video-abi-20 as alternative dependency. * conftest.h: - Implement new conftest.sh functions hlist_for_each_entry, of_parse_phandle, for_each_online_node, node_end_pfn (358.09). - Update conftest.sh function scatterlist for logic reversal in 304.131/340.96/352.63, support both ways. nvidia-graphics-drivers-legacy-304xx (304.131-1~bpo70+1) wheezy-backports; urgency=medium . * Rebuild for wheezy-backports. * Replace 'dpkg-parsechangelog --show-field=Date' with a sed expression. . nvidia-graphics-drivers-legacy-304xx (304.131-1) jessie; urgency=medium . * New upstream legacy 304xx branch release 304.131 (2015-11-16). * Fixed CVE-2015-7869: Unsanitized User Mode Input. (Closes: #805918) - Fixed a bug that could cause texture corruption in some OpenGL applications when video memory is exhausted by a combination of simultaneously running graphical and compute workloads. - Added support for X.Org xserver ABI 20 (xorg-server 1.18). * Improved compatibility with recent Linux kernels. * Synchronize packaging with nvidia-graphics-drivers 340.96-1: - d/control: Make dependencies on nvidia-legacy-304xx-alternative strictly versioned to prevent partial upgrades. * Synchronize packaging with nvidia-graphics-drivers 304.131-1: - Add xorg-video-abi-20 as alternative dependency. * conftest.h: - Implement new conftest.sh functions hlist_for_each_entry, of_parse_phandle, for_each_online_node, node_end_pfn (358.09). - Update conftest.sh function scatterlist for logic reversal in 304.131/340.96/352.63, support both ways. * Upload to jessie. nvidia-graphics-drivers-legacy-304xx (304.128-8) unstable; urgency=medium . * Synchronize packaging with nvidia-graphics-drivers-legacy-340xx 340.93-5: * Synchronize packaging with nvidia-graphics-drivers 340.93-8: - bug-control: Report status of bumblebee and bumblebee-nvidia. - nvidia-legacy-340xx-alternative.postinst: Activate the register-glx-alternative-nvidia trigger with --no-await. - Update documentation to use update-glx to configure the 'nvidia' and 'glx' alternatives. nvidia-graphics-drivers-legacy-304xx (304.128-8~bpo8+1) jessie-backports; urgency=medium . * Rebuild for jessie-backports. * nvidia-kernel-*: [i386] Restore support for building amd64 kernel modules, jessie still has linux-image-amd64:i386. (Closes: #799960) . nvidia-graphics-drivers-legacy-304xx (304.128-8) unstable; urgency=medium . * Synchronize packaging with nvidia-graphics-drivers-legacy-340xx 340.93-5: * Synchronize packaging with nvidia-graphics-drivers 340.93-8: - bug-control: Report status of bumblebee and bumblebee-nvidia. - nvidia-legacy-340xx-alternative.postinst: Activate the register-glx-alternative-nvidia trigger with --no-await. - Update documentation to use update-glx to configure the 'nvidia' and 'glx' alternatives. . nvidia-graphics-drivers-legacy-304xx (304.128-7) unstable; urgency=medium . * Synchronize packaging with nvidia-graphics-drivers-legacy-340xx 340.93-4: * Synchronize packaging with nvidia-graphics-drivers 340.93-7: - Ship the NEWS in xserver-xorg-video-nvidia and nvidia-kernel-dkms, too. - Bump glx-alternative-nvidia dependency to (>= 0.7) for Xorg autoconfig. * Synchronize packaging with nvidia-graphics-drivers 340.93-6: - d/rules: Move tar option --no-recursion before the list of files. - Bump dependency to nvidia-kernel-common (>= 20151021) which no longer applies non-default permissions on the /dev/nvidia* device nodes. - nvidia-modprobe.conf: Re-enable the PCI ID matching aliases. * Synchronize packaging with nvidia-graphics-drivers 340.93-2: - Add NEWS entry about no longer requiring manual xorg.conf creation. . nvidia-graphics-drivers-legacy-304xx (304.128-6) unstable; urgency=medium . * Add nvidia-legacy-304xx-kernel-support package. * Synchronize packaging with nvidia-graphics-drivers-legacy-340xx 340.93-2: * Synchronize packaging with nvidia-graphics-drivers 340.93-5: - nvidia-legacy-304xx-kernel-support: Ship nvidia-modprobe.conf (previously in nvidia-legacy-304xx-alternative), managed via nvidia-legacy-304xx-alternative. - nvidia-legacy-304xx-kernel-support: Ship nvidia-blacklists-nouveau.conf and nvidia-load.conf, managed via nvidia-legacy-304xx-alternative. - Reroute all kernel module dependencies through nvidia-legacy-304xx-kernel-support. - nvidia-modprobe.conf: Temporarily disable the PCI-ID-match aliases and go back to insecure default permissions (root:root 0666). (See: #801869) * Synchronize packaging with nvidia-graphics-drivers 340.93-4: - xserver-xorg-video-nvidia-legacy-304xx: Ship nvidia-drm-outputclass.conf, managed via nvidia-legacy-304xx-alternative. - seq-printf.patch: New patch to fix kernel module build for Linux 4.3. * Synchronize packaging with nvidia-graphics-drivers 340.93-3: - nvidia-legacy-304xx-modprobe.conf: + Don't use aliases for the renamed modules, only use install and remove commands. + Duplicate the module's built-in PCI-ID-match aliases to ensure they cause the virtual "nvidia" module to be loaded instead of a random one. * Synchronize packaging with nvidia-graphics-drivers 340.93-2: - Drop instructions and debconf notes about manual xorg.conf creation. The driver now integrates with Xorg s.t. it is automatically detected and loaded if selected as the glx alternative. * Synchronize packaging with nvidia-graphics-drivers 340.76-5: - nvidia-kernel-*: [i386] Drop support for building amd64 kernel modules. - Overhaul arch-specific UVM support. * conftest.h: - Implement new conftest.sh functions hlist_for_each_entry, of_parse_phandle, for_each_online_node, node_end_pfn (358.09). * Update lintian overrides. . nvidia-graphics-drivers-legacy-304xx (304.128-5) unstable; urgency=medium . * Upload to unstable. . nvidia-graphics-drivers-legacy-304xx (304.128-1) jessie; urgency=medium . * New upstream legacy 304xx branch release 304.128 (2015-08-31). * Fixed CVE-2015-5950: Memory corruption due to an unsanitized pointer. (Closes: #800567) * Improved compatibility with recent Linux kernels. (Closes: #801193, #802452) * Removed f_path.dentry.patch, fixed upstream. * Removed fixes-for-kernel-4.0.0.patch, fixed upstream. * Synchronize packaging with nvidia-graphics-drivers 340.93-0+deb8u1: * Synchronize packaging with nvidia-graphics-drivers 340.76-4: - README.source: Document setup for testing module compilation. * Synchronize packaging with nvidia-graphics-drivers 340.76-3: - Add Luca Boccassi to Uploaders. - nvidia-legacy-304xx-driver, nvidia-legacy-304xx-kernel-*: Report the latest tested Linux version that can build the kernel module in the package description. * Synchronize packaging with nvidia-graphics-drivers 340.76-1: nvidia-legacy-304xx-kernel-source: Use reproducible timestamps and file order inside /usr/src/nvidia-legacy-304xx-kernel.tar.xz. * Synchronize packaging with nvidia-graphics-drivers 304.128-1: - libgl1-nvidia-legacy-304xx-glx: Add Provides+Conflicts: libgl1-nvidia-glx-${nvidia:Version} to forbid co-installation of libgl1-nvidia-glx from the same upstream version due to file conflicts on versioned files that are not handled via alternatives. - bug-script: Synchronize with nvidia-graphics-drivers 340.93-4. * conftest.h: - Implement new conftest.sh functions file_inode, drm_pci_set_busid (340.76). - Implement check for linux/log2.h (346.16). - Implement check for xen/ioemu.h (346.59). - Implement new conftest.sh functions write_cr4, xen_ioemu_inject_msi (346.59), list_cut_position (349.12). - Implement new conftest.sh functions backing_dev_info (346.82), phys_to_dma, dma_ops, get_dma_ops, noncoherent_swiotlb_dma_ops (352.09). - Implement new conftest.sh function dma_map_ops (352.30). - Reorder conftest.h to match conftest.sh. - Implement new conftest.sh function nvidia_grid_build (352.41). * Update lintian overrides. * Upload to jessie. nvidia-graphics-drivers-legacy-304xx (304.128-7) unstable; urgency=medium . * Synchronize packaging with nvidia-graphics-drivers-legacy-340xx 340.93-4: * Synchronize packaging with nvidia-graphics-drivers 340.93-7: - Ship the NEWS in xserver-xorg-video-nvidia and nvidia-kernel-dkms, too. - Bump glx-alternative-nvidia dependency to (>= 0.7) for Xorg autoconfig. * Synchronize packaging with nvidia-graphics-drivers 340.93-6: - d/rules: Move tar option --no-recursion before the list of files. - Bump dependency to nvidia-kernel-common (>= 20151021) which no longer applies non-default permissions on the /dev/nvidia* device nodes. - nvidia-modprobe.conf: Re-enable the PCI ID matching aliases. * Synchronize packaging with nvidia-graphics-drivers 340.93-2: - Add NEWS entry about no longer requiring manual xorg.conf creation. nvidia-graphics-drivers-legacy-304xx (304.128-6) unstable; urgency=medium . * Add nvidia-legacy-304xx-kernel-support package. * Synchronize packaging with nvidia-graphics-drivers-legacy-340xx 340.93-2: * Synchronize packaging with nvidia-graphics-drivers 340.93-5: - nvidia-legacy-304xx-kernel-support: Ship nvidia-modprobe.conf (previously in nvidia-legacy-304xx-alternative), managed via nvidia-legacy-304xx-alternative. - nvidia-legacy-304xx-kernel-support: Ship nvidia-blacklists-nouveau.conf and nvidia-load.conf, managed via nvidia-legacy-304xx-alternative. - Reroute all kernel module dependencies through nvidia-legacy-304xx-kernel-support. - nvidia-modprobe.conf: Temporarily disable the PCI-ID-match aliases and go back to insecure default permissions (root:root 0666). (See: #801869) * Synchronize packaging with nvidia-graphics-drivers 340.93-4: - xserver-xorg-video-nvidia-legacy-304xx: Ship nvidia-drm-outputclass.conf, managed via nvidia-legacy-304xx-alternative. - seq-printf.patch: New patch to fix kernel module build for Linux 4.3. * Synchronize packaging with nvidia-graphics-drivers 340.93-3: - nvidia-legacy-304xx-modprobe.conf: + Don't use aliases for the renamed modules, only use install and remove commands. + Duplicate the module's built-in PCI-ID-match aliases to ensure they cause the virtual "nvidia" module to be loaded instead of a random one. * Synchronize packaging with nvidia-graphics-drivers 340.93-2: - Drop instructions and debconf notes about manual xorg.conf creation. The driver now integrates with Xorg s.t. it is automatically detected and loaded if selected as the glx alternative. * Synchronize packaging with nvidia-graphics-drivers 340.76-5: - nvidia-kernel-*: [i386] Drop support for building amd64 kernel modules. - Overhaul arch-specific UVM support. * conftest.h: - Implement new conftest.sh functions hlist_for_each_entry, of_parse_phandle, for_each_online_node, node_end_pfn (358.09). * Update lintian overrides. nvidia-graphics-drivers-legacy-304xx (304.128-5) unstable; urgency=medium . * Upload to unstable. . nvidia-graphics-drivers-legacy-304xx (304.128-1) UNRELEASED; urgency=medium . * New upstream legacy 304xx branch release 304.128 (2015-08-31). * Fixed CVE-2015-5950: Memory corruption due to an unsanitized pointer. (Closes: #800567) * Improved compatibility with recent Linux kernels. * Removed f_path.dentry.patch, fixed upstream. * Removed fixes-for-kernel-4.0.0.patch, fixed upstream. * Synchronize packaging with nvidia-graphics-drivers 340.93-0+deb8u1: * Synchronize packaging with nvidia-graphics-drivers 340.76-4: - Add ignore_xen_on_arm.patch needed for dkms build on armhf: armmp kernel headers ship with CONFIG_XEN enabled, which breaks the build, so since running this driver on XEN is currently not supported, ignore the check for XEN in nv-linux.h as a workaround on arm, and also disable CONFIG_XEN and CONFIG_XEN_DOM0 if building on <= 3.16. - README.source: Document setup for testing module compilation. * Synchronize packaging with nvidia-graphics-drivers 340.76-3: - Add Luca Boccassi to Uploaders. - nvidia-legacy-304xx-driver, nvidia-legacy-304xx-kernel-*: Report the latest tested Linux version that can build the kernel module in the package description. * Synchronize packaging with nvidia-graphics-drivers 340.76-1: nvidia-legacy-304xx-kernel-source: Use reproducible timestamps and file order inside /usr/src/nvidia-legacy-304xx-kernel.tar.xz. * Synchronize packaging with nvidia-graphics-drivers 304.128-1: - libgl1-nvidia-legacy-304xx-glx: Add Provides+Conflicts: libgl1-nvidia-glx-${nvidia:Version} to forbid co-installation of libgl1-nvidia-glx from the same upstream version due to file conflicts on versioned files that are not handled via alternatives. - bug-script: Synchronize with nvidia-graphics-drivers 340.93-4. * conftest.h: - Implement new conftest.sh functions file_inode, drm_pci_set_busid (340.76). - Implement check for linux/log2.h (346.16). - Implement check for xen/ioemu.h (346.59). - Implement new conftest.sh functions write_cr4, xen_ioemu_inject_msi (346.59), list_cut_position (349.12). - Implement new conftest.sh functions backing_dev_info (346.82), phys_to_dma, dma_ops, get_dma_ops, noncoherent_swiotlb_dma_ops (352.09). - Implement new conftest.sh function dma_map_ops (352.30). - Reorder conftest.h to match conftest.sh. - Implement new conftest.sh function nvidia_grid_build (352.41). * Update lintian overrides. nvidia-graphics-drivers-legacy-304xx (304.128-1) jessie; urgency=medium . * New upstream legacy 304xx branch release 304.128 (2015-08-31). * Fixed CVE-2015-5950: Memory corruption due to an unsanitized pointer. (Closes: #800567) * Improved compatibility with recent Linux kernels. * Removed f_path.dentry.patch, fixed upstream. * Removed fixes-for-kernel-4.0.0.patch, fixed upstream. * Synchronize packaging with nvidia-graphics-drivers 340.93-0+deb8u1: * Synchronize packaging with nvidia-graphics-drivers 340.76-4: - README.source: Document setup for testing module compilation. * Synchronize packaging with nvidia-graphics-drivers 340.76-3: - Add Luca Boccassi to Uploaders. - nvidia-legacy-304xx-driver, nvidia-legacy-304xx-kernel-*: Report the latest tested Linux version that can build the kernel module in the package description. * Synchronize packaging with nvidia-graphics-drivers 340.76-1: nvidia-legacy-304xx-kernel-source: Use reproducible timestamps and file order inside /usr/src/nvidia-legacy-304xx-kernel.tar.xz. * Synchronize packaging with nvidia-graphics-drivers 304.128-1: - libgl1-nvidia-legacy-304xx-glx: Add Provides+Conflicts: libgl1-nvidia-glx-${nvidia:Version} to forbid co-installation of libgl1-nvidia-glx from the same upstream version due to file conflicts on versioned files that are not handled via alternatives. - bug-script: Synchronize with nvidia-graphics-drivers 340.93-4. * conftest.h: - Implement new conftest.sh functions file_inode, drm_pci_set_busid (340.76). - Implement check for linux/log2.h (346.16). - Implement check for xen/ioemu.h (346.59). - Implement new conftest.sh functions write_cr4, xen_ioemu_inject_msi (346.59), list_cut_position (349.12). - Implement new conftest.sh functions backing_dev_info (346.82), phys_to_dma, dma_ops, get_dma_ops, noncoherent_swiotlb_dma_ops (352.09). - Implement new conftest.sh function dma_map_ops (352.30). - Reorder conftest.h to match conftest.sh. - Implement new conftest.sh function nvidia_grid_build (352.41). * Update lintian overrides. * Upload to jessie. nvidia-graphics-drivers-legacy-304xx (304.128-1~bpo70+1) wheezy-backports; urgency=medium . * Rebuild for wheezy-backports. . nvidia-graphics-drivers-legacy-304xx (304.128-1) jessie; urgency=medium . * New upstream legacy 304xx branch release 304.128 (2015-08-31). * Fixed CVE-2015-5950: Memory corruption due to an unsanitized pointer. (Closes: #800567) * Improved compatibility with recent Linux kernels. (Closes: #801193, #802452) * Removed f_path.dentry.patch, fixed upstream. * Removed fixes-for-kernel-4.0.0.patch, fixed upstream. * Synchronize packaging with nvidia-graphics-drivers 340.93-0+deb8u1: * Synchronize packaging with nvidia-graphics-drivers 340.76-4: - README.source: Document setup for testing module compilation. * Synchronize packaging with nvidia-graphics-drivers 340.76-3: - Add Luca Boccassi to Uploaders. - nvidia-legacy-304xx-driver, nvidia-legacy-304xx-kernel-*: Report the latest tested Linux version that can build the kernel module in the package description. * Synchronize packaging with nvidia-graphics-drivers 340.76-1: nvidia-legacy-304xx-kernel-source: Use reproducible timestamps and file order inside /usr/src/nvidia-legacy-304xx-kernel.tar.xz. * Synchronize packaging with nvidia-graphics-drivers 304.128-1: - libgl1-nvidia-legacy-304xx-glx: Add Provides+Conflicts: libgl1-nvidia-glx-${nvidia:Version} to forbid co-installation of libgl1-nvidia-glx from the same upstream version due to file conflicts on versioned files that are not handled via alternatives. - bug-script: Synchronize with nvidia-graphics-drivers 340.93-4. * conftest.h: - Implement new conftest.sh functions file_inode, drm_pci_set_busid (340.76). - Implement check for linux/log2.h (346.16). - Implement check for xen/ioemu.h (346.59). - Implement new conftest.sh functions write_cr4, xen_ioemu_inject_msi (346.59), list_cut_position (349.12). - Implement new conftest.sh functions backing_dev_info (346.82), phys_to_dma, dma_ops, get_dma_ops, noncoherent_swiotlb_dma_ops (352.09). - Implement new conftest.sh function dma_map_ops (352.30). - Reorder conftest.h to match conftest.sh. - Implement new conftest.sh function nvidia_grid_build (352.41). * Update lintian overrides. * Upload to jessie. . nvidia-graphics-drivers-legacy-304xx (304.125-2) unstable; urgency=medium . * Add f_path.dentry.patch and fixes-for-kernel-4.0.0.patch (cherrypicked from svn branches/343 and trunk respectively) to fix FTBFS with linux 3.19 and 4.0. (Closes: #785442, #786383) nvidia-graphics-drivers-legacy-304xx (304.125-2) unstable; urgency=medium . * Add f_path.dentry.patch and fixes-for-kernel-4.0.0.patch (cherrypicked from svn branches/343 and trunk respectively) to fix FTBFS with linux 3.19 and 4.0. (Closes: #785442, #786383) nvidia-graphics-drivers-legacy-304xx (304.125-2~bpo8+1) jessie-backports; urgency=medium . * Rebuild for jessie-backports. (Closes: #795610) nvidia-graphics-modules (340.96+3.16.0+1) jessie; urgency=medium . * Use nvidia-kernel-source 340.96. * Upload to jessie. nvidia-graphics-modules (340.96+3.16.0+1~bpo70+1) wheezy-backports; urgency=medium . * Rebuild for wheezy-backports. . nvidia-graphics-modules (340.96+3.16.0+1) jessie; urgency=medium . * Use nvidia-kernel-source 340.96. * Upload to jessie. nvidia-graphics-modules (340.93+4.2.0+1) unstable; urgency=medium . * Build for Linux 4.2.0 (ABI 1). nvidia-graphics-modules (340.93+4.1.0+1) unstable; urgency=medium . * Use nvidia-kernel-source 340.93. nvidia-graphics-modules (340.93+3.16.0+1) jessie; urgency=medium . * Use nvidia-kernel-source 340.93. * Upload to jessie. nvidia-graphics-modules (340.93+3.16.0+1~bpo70+1) wheezy-backports; urgency=medium . * Rebuild for wheezy-backports. . nvidia-graphics-modules (340.93+3.16.0+1) jessie; urgency=medium . * Use nvidia-kernel-source 340.93. * Upload to jessie. . nvidia-graphics-modules (340.76+3.16.0+1) unstable; urgency=medium . * Use nvidia-kernel-source 340.76. nvidia-graphics-modules (340.76+4.1.0+2) unstable; urgency=medium . * Build for Linux 4.1.0 (ABI 2). nvidia-graphics-modules (340.76+4.1.0+1) unstable; urgency=medium . * Build for Linux 4.1.0 (ABI 1). nvidia-graphics-modules (340.76+4.0.0+2) unstable; urgency=medium . * Build for Linux 4.0.0 (ABI 2). * Drop obsolete Conflicts/Replaces. * Drop transitional package nvidia-kernel-486:i386. nvidia-graphics-modules (340.76+4.0.0+1) unstable; urgency=medium . * Build for Linux 4.0.0-1. * Drop build-dep on linux-headers-$(ABI)-amd64 on arch i386 (src:linux no longer builds the -amd64 package on i386, as of ABI version 4.0.0-1). nvidia-graphics-modules (340.76+3.16.0+1) unstable; urgency=medium . * Use nvidia-kernel-source 340.76. openafs (1.6.9-2+deb8u4) jessie-security; urgency=high . * Apply upstream security patches corresponding to the 1.6.15 release: - OPENAFS-SA-2015-007 (CVE-2015-7762, CVE-2015-7763): rx ACK packets reveal plaintext of previously encrypted data packets. openafs (1.6.9-2+deb8u4~bpo70+1) wheezy-backports; urgency=medium . * Rebuild for jessie-backports (Closes: #775869.) openjdk-7 (7u91-2.6.3-1~deb8u1) jessie-security; urgency=medium . * Rebuild for jessie-security openjdk-7 (7u91-2.6.3-1~deb7u1) wheezy-security; urgency=low . * Rebuild for wheezy-security openjdk-7 (7u91-2.6.2-1) unstable; urgency=medium . [ Tiago Stürmer Daitx ] * IcedTea release 2.6.2 (based on 7u91): * Security fixes - S8048030, CVE-2015-4734: Expectations should be consistent - S8068842, CVE-2015-4803: Better JAXP data handling - S8076339, CVE-2015-4903: Better handling of remote object invocation - S8076383, CVE-2015-4835: Better CORBA exception handling - S8076387, CVE-2015-4882: Better CORBA value handling - S8076392, CVE-2015-4881: Improve IIOPInputStream consistency - S8076413, CVE-2015-4883: Better JRMP message handling - S8078427, CVE-2015-4842: More supportive home environment - S8078440: Safer managed types - S8080541: More direct property handling - S8080688, CVE-2015-4860: Service for DGC services - S8081760: Better group dynamics - S8086092, CVE-2015-4840: More palette improvements - S8086733, CVE-2015-4893: Improve namespace handling - S8087350: Improve array conversions - S8103671, CVE-2015-4805: More objective stream classes - S8103675: Better Binary searches - S8130078, CVE-2015-4911: Document better processing - S8130193, CVE-2015-4806: Improve HTTP connections - S8130864: Better server identity handling - S8130891, CVE-2015-4843: (bf) More direct buffering - S8131291, CVE-2015-4872: Perfect parameter patterning - S8132042, CVE-2015-4844: Preserve layout presentation * d/patches/it-debian-build-flags.diff: refreshed * d/patches/it-set-compiler.diff: refreshed * d/patches/it-use-quilt.diff: refreshed and updated * d/patches/it-jamvm-2.0.diff: refreshed * d/patches/xrender: removed as it was applied upstream openjdk-7 (7u85-2.6.1-6+deb8u1) jessie-security; urgency=medium . * Rebuild for jessie-security openjdk-7 (7u85-2.6.1-6) unstable; urgency=high . [ Tiago Stürmer Daitx ] * Security fixes - S8048030, CVE-2015-4734: Expectations should be consistent - S8068842, CVE-2015-4803: Better JAXP data handling - S8076339, CVE-2015-4903: Better handling of remote object invocation - S8076383, CVE-2015-4835: Better CORBA exception handling - S8076387, CVE-2015-4882: Better CORBA value handling - S8076392, CVE-2015-4881: Improve IIOPInputStream consistency - S8076413, CVE-2015-4883: Better JRMP message handling - S8078427, CVE-2015-4842: More supportive home environment - S8078440: Safer managed types - S8080541: More direct property handling - S8080688, CVE-2015-4860: Service for DGC services - S8081744, CVE-2015-4868: Clear out list corner case - S8081760: Better group dynamics - S8086092. CVE-2015-4840: More palette improvements - S8086733, CVE-2015-4893: Improve namespace handling - S8087350: Improve array conversions - S8103671, CVE-2015-4805: More objective stream classes - S8103675: Better Binary searches - S8129611: Accessbridge error handling improvement - S8130078, CVE-2015-4911: Document better processing - S8130185: More accessible access switch - S8130193, CVE-2015-4806: Improve HTTP connections - S8130864: Better server identity handling - S8130891, CVE-2015-4843: (bf) More direct buffering - S8131291, CVE-2015-4872: Perfect parameter patterning - S8132042, CVE-2015-4844: Preserve layout presentation * S6966259: Make PrincipalName and Realm immutable, required for S8048030 * S8078822: 8068842 fix missed one new file PrimeNumberSequenceGenerator.java . [ Matthias Klose ] * Re-enable the atk bridge for releases with a fixed atk bridge. Again closes: #797595. openjdk-7 (7u85-2.6.1-6~deb7u1) wheezy-security; urgency=low . * Rebuild for wheezy-security openjdk-7 (7u85-2.6.1-5) unstable; urgency=medium . * Fix passing --disable-system-sctp for non-linux targets. openjdk-7 (7u85-2.6.1-5~deb8u1) jessie-security; urgency=medium . * Rebuild for jessie-security openjdk-7 (7u85-2.6.1-4) unstable; urgency=medium . * Build again with pulseaudio on alpha. * Update the kfreebsd support patches (Steven Chamberlain). Closes: #798123. * Fix parallel build. Closes: #798124. * Disable again the atk bridge, too many regressions. Reopens: #797595. openjdk-7 (7u85-2.6.1-3) unstable; urgency=medium . * Configure with --disable-system-sctp on KFreeBSD. * Stop building jamvm on mips and mipsel, fails to build. openjdk-7 (7u85-2.6.1-2) unstable; urgency=medium . * Stop building zero on AArch64, broken on the merged IcedTea Hotspot. * Only build-depend on libsctp-dev on linux architectures. * Configure for zero on sparc64, Hotspot build fails too. openjdk-7 (7u85-2.6.1-1) unstable; urgency=medium . * IcedTea7 2.6.1 release (based on OpenJDK 7u85). * Configure for Hotspot on sparc64. * Add mips to the openjdk stage1 architectures. * Sort the enums and the annotations in the package-tree.html files (Emmanuel Bourg). Closes: #787159. * Re-enable the atk bridge for releases with a fixed atk bridge. Closes: #797595. * Make derivatives builds the same as the parent distro. Closes: #797662. openjdk-7 (7u79-2.5.6-1) unstable; urgency=medium . * IcedTea7 2.5.6 release (based on OpenJDK 7u79). * Security fixes - S8043202, CVE-2015-2808: Prohibit RC4 cipher suites. - S8067694, CVE-2015-2625: Improved certification checking. - S8071715, CVE-2015-4760: Tune font layout engine. - S8071731: Better scaling for C1. - S8072490: Better font morphing redux. - S8072887: Better font handling improvements. - S8073334: Improved font substitutions. - S8073773: Presume path preparedness. - S8073894: Getting to the root of certificate chains. - S8074330: Set font anchors more solidly. - S8074335: Substitute for substitution formats. - S8074865, CVE-2015-2601: General crypto resilience changes. - S8074871: Adjust device table handling. - S8075374, CVE-2015-4748: Responding to OCSP responses. - S8075378, CVE-2015-4749: JNDI DnsClient Exception Handling. - S8075738: Better multi-JVM sharing. - S8075833, CVE-2015-2613: Straighter Elliptic Curves. - S8075838: Method for typing MethodTypes. - S8075853, CVE-2015-2621: Proxy for MBean proxies. - S8076328, CVE-2015-4000: Enforce key exchange constraints. - S8076376, CVE-2015-2628: Enhance IIOP operations. - S8076397, CVE-2015-4731: Better MBean connections. - S8076401, CVE-2015-2590: Serialize OIS data. - S8076405, CVE-2015-4732: Improve serial serialization. - S8076409, CVE-2015-4733: Reinforce RMI framework. - S8077520, CVE-2015-2632: Morph tables into improved form. - PR2487, CVE-2015-4000: Make jdk8 mode the default for jdk.tls.ephemeralDHKeySize. * Update the kfreebsd hotspot support patch (Steven Chamberlain). Closes: #788982. * openjdk-7-jre: Recommend the real libgconf2-4 and libgnome2-0 packages. Closes: #786594. openjdk-7 (7u79-2.5.6-1~deb8u1) jessie-security; urgency=medium . * Rebuild for stable openjdk-7 (7u79-2.5.6-1~deb7u1) wheezy-security; urgency=low . * Rebuild for oldstable openjdk-7 (7u79-2.5.5-1) unstable; urgency=high . * IcedTea7 2.5.5 release (based on OpenJDK 7u79). * Security fixes - S8059064: Better G1 log caching. - S8060461: Fix for JDK-8042609 uncovers additional issue. - S8064601, CVE-2015-0480: Improve jar file handling. - S8065286: Fewer subtable substitutions. - S8065291: Improved font lookups. - S8066479: Better certificate chain validation. - S8067050: Better font consistency checking. - S8067684: Better font substitutions. - S8067699, CVE-2015-0469: Better glyph storage. - S8068320, CVE-2015-0477: Limit applet requests. - S8068720, CVE-2015-0488: Better certificate options checking. - S8069198: Upgrade image library. - S8071726, CVE-2015-0478: Better RSA optimizations. - S8071818: Better vectorization on SPARC. - S8071931, CVE-2015-0460: Return of the phantom menace. * Build the documentation when building with a Hotspot VM. Closes: #781577. * openjdk-7-jre.preinst: Fix version for alternatives cleanup. Closes: #775072. * Re-enable HotSpot on SPARC; zero doesn't workm and there seems to be some work ongoing upstream. * Refresh patches. * Only install the openjdk-java.desktop file when using cautious-launcher. openjdk-7 (7u79-2.5.5-1~deb8u1) jessie-security; urgency=medium . * Rebuild for jessie, the upload didn' reach jessie in time due to a failing mips build openjdk-7 (7u79-2.5.5-1~deb7u1) wheezy-security; urgency=low . * Rebuild for stable openjdk-7 (7u75-2.5.4-3) unstable; urgency=medium . * Replace the ARM32 Thumb JIT with the ARM32 JIT. * Fix 8059327: XML parser returns corrupt attribute value. Closes: #780166. * openjdk-7-jre.preinst: Cleanup obsolete alternatives (javaws, pluginappletviewer) left by openjdk-6-jre/squeeze (Andreas Beckmann). Closes: #775072. openldap (2.4.40+dfsg-1+deb8u2) jessie; urgency=medium . * debian/patches/ITS8003-fix-off-by-one-in-LDIF-length.patch: Import upstream patch to fix a crash when adding a large attribute value with the auditlog overlay enabled. (Closes: #806909) openldap (2.4.40+dfsg-1+deb8u1) jessie-security; urgency=high . * Non-maintainer upload by the Security Team. * Add ITS8240-remove-obsolete-assert.patch patch. Import upstream patch to remove an unnecessary assert(0) that could be triggered remotely by an unauthenticated user by sending a malformed BER element. (CVE-2015-6908, Closes: #798622) openslp-dfsg (1.2.1-10+deb8u1) jessie-security; urgency=high . * QA upload from the Security Team * Fix double free as per CVE-2015-5177 openssh (1:6.7p1-5+deb8u1) jessie-security; urgency=high . * Non-maintainer upload by the Security Team. * Disable roaming in openssh client: roaming code is vulnerable to an information leak (CVE-2016-0777) and heap-based buffer overflow (CVE-2016-0778). openssl (1.0.1k-3+deb8u2) jessie-security; urgency=medium . * Fix CVE-2015-3194 * Fix CVE-2015-3195 * Fix CVE-2015-3196 openvpn (2.3.4-5+deb8u1) stable; urgency=medium . * Add --no-block to if-up.d script to avoid hanging boot on interfaces with openvpn instances. (Closes: #787090, #785200) owncloud (7.0.4+dfsg-4~deb8u4) jessie; urgency=medium . * Backport security fixes from 7.0.12, 8.0.10, and 8.0.9: - Reflected XSS in OCS provider discovery [oc-sa-2016-001] [CVE-2016-1498] - Disclosure of files that begin with \".v\" due to unchecked return value [oc-sa-2016-003] [CVE-2016-1500] - Information Exposure Through Directory Listing in the file scanner [oc-sa-2016-002] [CVE-2016-1499] - Full installation path disclosure through error message [oc-sa-2016-004] [CVE-2016-1501] owncloud (7.0.4+dfsg-4~deb8u3) jessie-security; urgency=high . * Backport security fixes from 7.0.5, 7.0.7, 8.0.6, and 7.0.9: - Fix stored XSS in "activity" application [oC-SA-2015-010] [CVE-2015-5953] - Fix disclosure of users files when deleting parent folders of shared files [oC-SA-2015-011] [CVE-2015-5954] - Fix information exposure through directory listing [oC-SA-2015-014] [CVE-2015-6500] (Closes: #800126) - Fix PHP arbitrary class instantiation in "files_external" [oC-SA-2015-018] owncloud (7.0.4+dfsg-4~deb8u2) jessie; urgency=medium . * Backport security fixes from 7.0.6 and 7.0.8: - Local file inclusion on MS Windows Platform [OC-SA-2015-006] [CVE-2015-4716] - Resource exhaustion when sanitizing filenames [OC-SA-2015-007] [CVE-2015-4717] - Command injection when using external SMB storage [OC-SA-2015-008] [CVE-2015-4718] - Calendar export: Authorization Bypass Through User-Controlled Key [OC-SA-2015-015] [CVE-2015-6670] owncloud-client (1.7.0~beta1+really1.6.4+dfsg-1+deb8u1) stable-security; urgency=high . * cherry-pick patches to fix CVE-2015-4456 pam (1.1.8-3.1+deb8u1) jessie; urgency=medium . * Non-maintainer upload. * Fix CVE-2015-3238: DoS/user enumeration due to blocking pipe in pam_unix module (Closes: #789986) pcre3 (2:8.35-3.3+deb8u2) jessie; urgency=medium . * Non-maintainer upload. * Add additional CVE references and bug closer to previous changelog. CVE-2015-2327 fix was included in the previous 2:8.35-3.3+deb8u1 upload. CVE-2015-8384 different issue than CVE-2015-3210 but fixed with same commit. CVE-2015-8388 different issue than CVE-2015-5073 but fixed with same commit. Add bug closer to bugs in the BTS retrospectively. * Add 0001-Fix-compile-time-loop-for-recursive-reference-within.patch. CVE-2015-2328: Stack-based buffer overflow in compile_regex(). * Add 794589-information-disclosure.patch. CVE-2015-8382: Fix "pcre_exec does not fill offsets for certain regexps" leading to information disclosure. (Closes: #794589) * Add 0001-Fix-buffer-overflow-for-repeated-conditional-when-re.patch. CVE-2015-8383: Buffer overflow caused by repeated conditional group. * Add 0001-Fix-named-forward-reference-to-duplicate-group-numbe.patch. CVE-2015-8385: Buffer overflow caused by forward reference by name to certain group. * Add 0001-Fix-buffer-overflow-for-lookbehind-within-mutually-r.patch. CVE-2015-8386: Buffer overflow caused by lookbehind assertion. * Add 0001-Add-integer-overflow-check-to-n-code.patch. CVE-2015-8387: Integer overflow in subroutine calls. * Add 0001-Fix-overflow-when-ovector-has-size-1.patch. CVE-2015-8380: Heap-based buffer overflow in pcre_exec. (Closes: #806467) * Add 0001-Fix-infinite-recursion-in-the-JIT-compiler-when-cert.patch. CVE-2015-8389: Infinite recursion in JIT compiler when processing certain patterns. * Add 0001-Fix-bug-for-classes-containing-sequences.patch. CVE-2015-8390: Reading from uninitialized memory when processing certain patterns. * Add 0001-Fix-run-for-ever-bug-for-deeply-nested-sequences.patch. CVE-2015-8391: Some pathological patterns causes pcre_compile() to run for a very long time. * Add 0001-Fix-buffer-overflow-for-named-references-in-situatio.patch. CVE-2015-8392: Buffer overflow caused by certain patterns with duplicated named groups. * Add 0001-Make-pcregrep-q-override-l-and-c-for-compatibility-w.patch. CVE-2015-8393: Information leak when running pcgrep -q on crafted binary. * Add 0001-Add-missing-integer-overflow-checks.patch. CVE-2015-8394: Integer overflow caused by missing check for certain conditions. * Add 0001-Hack-in-yet-other-patch-for-a-bug-in-size-computatio.patch. CVE-2015-8381: Heap Overflow in compile_regex(). CVE-2015-8395: Buffer overflow caused by certain references. (Closes: #796762) pcre3 (2:8.35-3.3+deb8u1) jessie; urgency=medium . * CVE-2015-2325 CVE-2015-2326 CVE-2015-3210 CVE-2015-5073 pdns (3.4.1-4+deb8u4) jessie; urgency=medium . * Fix upgrades with default configuration. The postinst script used to do a "grep include" on pdns.conf, which in older versions would work (mostly), because the default config only had a single "include=" entry. Now this is no longer true, so remove that. Also, changing the include directory would have never worked. (Closes: #798773) pdns (3.4.1-4+deb8u3) jessie-security; urgency=high . * Security update: apply patches for CVE-2015-5230 perl (5.20.2-3+deb8u3) jessie; urgency=medium . * Backport Encode::Unicode BOM fix from Encode-2.77. (Closes: #798727) + break+replace libencode-perl (<< 2.63-1+deb8u1) accordingly perl (5.20.2-3+deb8u2) jessie-security; urgency=high . * [SECURITY] CVE-2015-8607 fix untaint issue with File::Spec::canonpath() php-auth-sasl (1.0.6-1+deb8u1) stable; urgency=medium . * Team upload. * Rebuild with pkg-php-tools 1.28 (Closes: #793948) * gbp.conf: target jessie php-doctrine-annotations (1.2.1-1+deb8u1) jessie; urgency=medium . * gbp.conf: Track the jessie branch * Fix security misconfiguration vulnerability [CVE-2015-5723] php-doctrine-cache (1.3.1-1+deb8u1) jessie; urgency=medium . * gbp.conf: Track the jessie branch * Fix security misconfiguration vulnerability [CVE-2015-5723] php-doctrine-common (2.4.2-2+deb8u1) jessie; urgency=medium . * gbp.conf: Track the jessie branch * Fix security misconfiguration vulnerability [CVE-2015-5723] php-dropbox (1.0.0-3+deb8u1) jessie; urgency=medium . * Refuse to handle any files containing a @ [CVE-2015-4715] * Track Jessie php-horde (5.2.1+debian0-2+deb8u2) jessie-security; urgency=high . * Add session token checking to various admin pages (Closes: #803641) php-mail-mimedecode (1.5.5-2+deb8u1) stable; urgency=medium . * Team upload. * Rebuild with pkg-php-tools 1.28 (Closes: #793947) * gbp.conf: target jessie php5 (5.6.17+dfsg-0+deb8u1) jessie; urgency=high . * Imported Upstream version 5.6.17+dfsg - Core: . Fixed bug #66909 (configure fails utf8_to_mutf7 test). . Fixed bug #70958 (Invalid opcode while using ::class as trait method parameter default value). . Fixed bug #70957 (self::class can not be resolved with reflection for abstract class). . Fixed bug #70944 (try{ } finally{} can create infinite chains of exceptions). . Fixed bug #61751 (SAPI build problem on AIX: Undefined symbol: php_register_internal_extensions). - FPM: . Fixed bug #70755 (fpm_log.c memory leak and buffer overflow). - GD: . Fixed bug #70976 (Memory Read via gdImageRotateInterpolated Array Index Out of Bounds). - Mysqlnd: . Fixed bug #68077 (LOAD DATA LOCAL INFILE / open_basedir restriction). - SOAP: . Fixed bug #70900 (SoapClient systematic out of memory error). - Standard: . Fixed bug #70960 (ReflectionFunction for array_unique returns wrong number of parameters). - PDO_Firebird: . Fixed bug #60052 (Integer returned as a 64bit integer on X64_86). - WDDX: . Fixed bug #70661 (Use After Free Vulnerability in WDDX Packet Deserialization). . Fixed bug #70741 (Session WDDX Packet Deserialization Type Confusion Vulnerability). - XMLRPC: . Fixed bug #70728 (Type Confusion Vulnerability in PHP_to_XMLRPC_worker()). * Rebase patches on top of 5.6.17+dfsg release * Make phar command versioned and use update-alternatives for 'phar' name to allow coinstallation with src:php7.0 packages php5 (5.6.16+dfsg-4) unstable; urgency=medium . * Make phar command versioned and use update-alternatives for 'phar' name to allow src:php5 packages to be co-installed with src:php7.0 php5 (5.6.16+dfsg-3) unstable; urgency=medium . * Remove invalid patch to not reset packagingroot inside PEAR/Command/Install.php * Revert PEAR version to last working version from PHP 5.6.14 (Closes: #805222) php5 (5.6.16+dfsg-2) unstable; urgency=medium . [ Jan Wagner ] * Adding 'PHP_INI_SCAN_DIR=/etc/php5/${conf_dir}/conf.d/' to session cleanup script when calling php . [ Ondřej Surý ] * Add patch to not reset packagingroot inside PEAR/Command/Install.php (Closes: #805222) php5 (5.6.16+dfsg-1) unstable; urgency=medium . * Imported Upstream version 5.6.16+dfsg - Core: . Fixed bug #70828 (php-fpm 5.6 with opcache crashes when referencing a non-existent constant). . Fixed bug #70748 (Segfault in ini_lex () at Zend/zend_ini_scanner.l). - Mysqlnd: . Fixed bug #68344 (MySQLi does not provide way to disable peer certificate validation) by introducing MYSQLI_CLIENT_SSL_DONT_VERIFY_SERVER_CERT connection flag. - OCI8: . Fixed bug #68298 (OCI int overflow). - PDO_DBlib: . Fixed bug #69757 (Segmentation fault on nextRowset). - SOAP: . Fixed bug #70875 (Segmentation fault if wsdl has no targetNamespace attribute). - SPL: . Fixed bug #70852 (Segfault getting NULL offset of an ArrayObject). * Rebase patches on top of 5.6.16+dfsg release php5 (5.6.15+dfsg-1) unstable; urgency=medium . * Imported Upstream version 5.6.15+dfsg - Core: . Fixed bug #70681 (Segfault when binding $this of internal instance method to null). . Fixed bug #70685 (Segfault for getClosure() internal method rebind with invalid $this). - Date: . Fixed bug #70619 (DateTimeImmutable segfault). - Mcrypt: . Fixed bug #70625 (mcrypt_encrypt() won't return data when no IV was specified under RC4). - Mysqlnd: . Fixed bug #70384 (mysqli_real_query():Unknown type 245 sent by the server). . Fixed bug #70572 segfault in mysqlnd_connect. - Opcache: . Fixed bug #70632 (Third one of segfault in gc_remove_from_buffer). . Fixed bug #70631 (Another Segfault in gc_remove_from_buffer()). . Fixed bug #70601 (Segfault in gc_remove_from_buffer()). . Fixed compatibility with Windows 10 (see also bug #70652). * Rebase patches on top of 5.6.15+dfsg php5 (5.6.14+dfsg-1) unstable; urgency=medium . * Imported Upstream version 5.6.14+dfsg - Core: . Fixed bug #70370 (Bundled libtool.m4 doesn't handle FreeBSD 10 when building extensions). - CLI server: . Fixed bug #68291 (404 on urls with '+'). - DOM: . Fixed bug #70001 (Assigning to DOMNode::textContent does additional entity encoding). - Mysqlnd: . Fixed bug #70456 (mysqlnd doesn't activate TCP keep-alive when connecting to a server). - OpenSSL: . Fixed bug #55259 (openssl extension does not get the DH parameters from DH key resource). . Fixed bug #70395 (Missing ARG_INFO for openssl_seal()). . Fixed bug #60632 (openssl_seal fails with AES). . Fixed bug #68312 (Lookup for openssl.cnf causes a message box). - PDO: . Fixed bug #70389 (PDO constructor changes unrelated variables). - Phar: . Fixed bug #69720 (Null pointer dereference in phar_get_fp_offset()). . Fixed bug #70433 (Uninitialized pointer in phar_make_dirstream when zip entry filename is "/"). - Phpdbg: . Fix phpdbg_break_next() sometimes not breaking. - Standard: . Fixed bug #67131 (setcookie() conditional for empty values not met). - Streams: . Fixed bug #70361 (HTTP stream wrapper doesn't close keep-alive connections). - Zip: . Fixed bug #70322 (ZipArchive::close() doesn't indicate errors). * Rebase patches on top of PHP 5.6.14+dfsg php5 (5.6.14+dfsg-0+deb8u1) jessie-security; urgency=high . * Imported Upstream version 5.6.14+dfsg - Core: . Fixed bug #70370 (Bundled libtool.m4 doesn't handle FreeBSD 10 when building extensions). - CLI server: . Fixed bug #68291 (404 on urls with '+'). - DOM: . Fixed bug #70001 (Assigning to DOMNode::textContent does additional entity encoding). - Mysqlnd: . Fixed bug #70456 (mysqlnd doesn't activate TCP keep-alive when connecting to a server). - OpenSSL: . Fixed bug #55259 (openssl extension does not get the DH parameters from DH key resource). . Fixed bug #70395 (Missing ARG_INFO for openssl_seal()). . Fixed bug #60632 (openssl_seal fails with AES). . Fixed bug #68312 (Lookup for openssl.cnf causes a message box). - PDO: . Fixed bug #70389 (PDO constructor changes unrelated variables). - Phar: . Fixed bug #69720 (Null pointer dereference in phar_get_fp_offset()). . Fixed bug #70433 (Uninitialized pointer in phar_make_dirstream when zip entry filename is "/"). - Phpdbg: . Fix phpdbg_break_next() sometimes not breaking. - Standard: . Fixed bug #67131 (setcookie() conditional for empty values not met). - Streams: . Fixed bug #70361 (HTTP stream wrapper doesn't close keep-alive connections). - Zip: . Fixed bug #70322 (ZipArchive::close() doesn't indicate errors). * Rebase patches on top of PHP 5.6.14+dfsg php5 (5.6.13+dfsg-2) unstable; urgency=medium . [ Justin Pasher ] * Improve sessionclean script to handle tiered and symlinked directories . [ Bernat Arlandis ] * Fix the bug where sessionclean doesn't touch session files php5 (5.6.13+dfsg-1) unstable; urgency=medium . * New upstream version 5.6.13+dfsg * Refresh patches on top of 5.6.13+dfsg release php5 (5.6.13+dfsg-0+deb8u1) jessie-security; urgency=medium . * Imported Upstream version 5.6.13+dfsg - Core: . Fixed bug #69900 (Too long timeout on pipes). . Fixed bug #69487 (SAPI may truncate POST data). . Fixed bug #70198 (Checking liveness does not work as expected). . Fixed bug #70172 (Use After Free Vulnerability in unserialize()). . Fixed bug #70219 (Use after free vulnerability in session deserializer). - CLI server: . Fixed bug #66606 (Sets HTTP_CONTENT_TYPE but not CONTENT_TYPE). . Fixed bug #70264 (CLI server directory traversal). - Date: . Fixed bug #70266 (DateInterval::__construct.interval_spec is not supposed to be optional). . Fixed bug #70277 (new DateTimeZone($foo) is ignoring text after null byte). - EXIF: . Fixed bug #70385 (Buffer over-read in exif_read_data with TIFF IFD tag byte value of 32 bytes). - hash: . Fixed bug #70312 (HAVAL gives wrong hashes in specific cases). - MCrypt: . Fixed bug #69833 (mcrypt fd caching not working). - Opcache: . Fixed bug #70237 (Empty while and do-while segmentation fault with opcode on CLI enabled). - PCRE: . Fixed bug #70232 (Incorrect bump-along behavior with \K and empty string match). . Fixed bug #70345 (Multiple vulnerabilities related to PCRE functions). - SOAP: . Fixed bug #70388 (SOAP serialize_function_call() type confusion / RCE). - SPL: . Fixed bug #70290 (Null pointer deref (segfault) in spl_autoload via ob_start). . Fixed bug #70303 (Incorrect constructor reflection for ArrayObject). . Fixed bug #70365 (Use-after-free vulnerability in unserialize() with SplObjectStorage). . Fixed bug #70366 (Use-after-free vulnerability in unserialize() with SplDoublyLinkedList). - Standard: . Fixed bug #70052 (getimagesize() fails for very large and very small WBMP). . Fixed bug #70157 (parse_ini_string() segmentation fault with INI_SCANNER_TYPED). - XSLT: . Fixed bug #69782 (NULL pointer dereference). - ZIP: . Fixed bug #70350 (ZipArchive::extractTo allows for directory traversal when creating directories). * Refresh patches on top of 5.6.13+dfsg release php5 (5.6.12+dfsg-1) unstable; urgency=medium . * Drop explicit support for upstart (Closes: #792892) * Imported Upstream version 5.6.12+dfsg * Rebase patches using gbp pq on top of PHP 5.6.12+dfsg * Silence the MySQL library mismatch warning (Closes: #794191) php5 (5.6.12+dfsg-0+deb8u1) jessie-security; urgency=medium . * New upstream version 5.6.12+dfsg - Core: . Fixed bug #70012 (Exception lost with nested finally block). . Fixed bug #70002 (TS issues with temporary dir handling). . Fixed bug #69793 (Remotely triggerable stack exhaustion via recursive method calls). . Fixed bug #69892 (Different arrays compare indentical due to integer key truncation). . Fixed bug #70121 (unserialize() could lead to unexpected methods execution / NULL pointer deref). - CLI server: . Fixed bug #69655 (php -S changes MKCALENDAR request method to MKCOL). . Fixed bug #64878 (304 responses return Content-Type header). - GD: . Fixed bug #53156 (imagerectangle problem with point ordering). . Fixed bug #66387 (Stack overflow with imagefilltoborder). . Fixed bug #70102 (imagecreatefromwebm() shifts colors). . Fixed bug #66590 (imagewebp() doesn't pad to even length). . Fixed bug #66882 (imagerotate by -90 degrees truncates image by 1px). . Fixed bug #70064 (imagescale(..., IMG_BICUBIC) leaks memory). . Fixed bug #69024 (imagescale segfault with palette based image). . Fixed bug #53154 (Zero-height rectangle has whiskers). . Fixed bug #67447 (imagecrop() add a black line when cropping). . Fixed bug #68714 (copy 'n paste error). . Fixed bug #66339 (PHP segfaults in imagexbm). . Fixed bug #70047 (gd_info() doesn't report WebP support). - ODBC: . Fixed bug #69975 (PHP segfaults when accessing nvarchar(max) defined columns). - OpenSSL: . Fixed bug #69882 (OpenSSL error “key values mismatch” after openssl_pkcs12_read with extra cert) . Fixed bug #70014 (openssl_random_pseudo_bytes() is not cryptographically secure). - Phar: . Improved fix for bug #69441. . Fixed bug #70019 (Files extracted from archive may be placed outside of destination directory). - SOAP: . Fixed bug #70081 (SoapClient info leak / null pointer dereference via multiple type confusions). - SPL: . Fixed bug #70068 (Dangling pointer in the unserialization of ArrayObject items). . Fixed bug #70166 (Use After Free Vulnerability in unserialize() with SPLArrayObject). . Fixed bug #70168 (Use After Free Vulnerability in unserialize() with SplObjectStorage). . Fixed bug #70169 (Use After Free Vulnerability in unserialize() with SplDoublyLinkedList). - Standard: . Fixed bug #70096 (Repeated iptcembed() adds superfluous FF bytes). * New upstream version 5.6.11 - Core: . Fixed bug #69768 (escapeshell*() doesn't cater to !). . Fixed bug #69703 (Use __builtin_clzl on PowerPC). . Fixed bug #69732 (can induce segmentation fault with basic php code). . Fixed bug #69642 (Windows 10 reported as Windows 8). . Fixed bug #69551 (parse_ini_file() and parse_ini_string() segmentation fault). . Fixed bug #69781 (phpinfo() reports Professional Editions of Windows 7/8/8.1/10 as "Business"). . Fixed bug #69740 (finally in generator (yield) swallows exception in iteration). . Fixed bug #69835 (phpinfo() does not report many Windows SKUs). . Fixed bug #69892 (Different arrays compare indentical due to integer key truncation). . Fixed bug #69874 (Can't set empty additional_headers for mail()), regression from fix to bug #68776. - GD: . Fixed bug #61221 (imagegammacorrect function loses alpha channel). - GMP: . Fixed bug #69803 (gmp_random_range() modifies second parameter if GMP number). - Mysqlnd: . Fixed bug #69669 (mysqlnd is vulnerable to BACKRONYM) (CVE-2015-3152). - PCRE: . Fixed Bug #53823 (preg_replace: * qualifier on unicode replace garbles the string). . Fixed bug #69864 (Segfault in preg_replace_callback) - PDO_pgsql: . Fixed bug #69752 (PDOStatement::execute() leaks memory with DML Statements when closeCuror() is u). . Fixed bug #69362 (PDO-pgsql fails to connect if password contains a leading single quote). . Fixed bug #69344 (PDO PgSQL Incorrect binding numeric array with gaps). - SimpleXML: . Refactored the fix for bug #66084 (simplexml_load_string() mangles empty node name). - SPL: . Fixed bug #69737 (Segfault when SplMinHeap::compare produces fatal error). . Fixed bug #67805 (SplFileObject setMaxLineLength). . Fixed bug #69970 (Use-after-free vulnerability in spl_recursive_it_move_forward_ex()). - Sqlite3: . Fixed bug #69972 (Use-after-free vulnerability in sqlite3SafetyCheckSickOrOk()). * Rebase d/patches on top of 5.6.12+dfsg release . php5 (5.6.10+dfsg-0+deb8u1) jessie-security; urgency=medium . * New upstream version 5.6.10+dfsg (CVE-2015-4644, CVE-2015-4643, CVE-2015-4598) - Core: . Fixed bug #66048 (temp. directory is cached during multiple requests). . Fixed bug #69566 (Conditional jump or move depends on uninitialised value in extension trait). . Fixed bug #69599 (Strange generator+exception+variadic crash). . Fixed bug #69628 (complex GLOB_BRACE fails on Windows). . Fixed POST data processing slowdown due to small input buffer size on Windows. . Fixed bug #69646 (OS command injection vulnerability in escapeshellarg). . Fixed bug #69719 (Incorrect handling of paths with NULs). - FTP . Improved fix for bug #69545 (Integer overflow in ftp_genlist() resulting in heap overflow). - GD: . Fixed bug #69479 (GD fails to build with newer libvpx). - Iconv: . Fixed bug #48147 (iconv with //IGNORE cuts the string). - Litespeed SAPI: . Fixed bug #68812 (Unchecked return value). - Mail: . Fixed bug #68776 (mail() does not have mail header injection prevention for additional headers). - MCrypt: . Added file descriptor caching to mcrypt_create_iv() - Opcache . Fixed bug #69549 (Memory leak with opcache.optimization_level=0xFFFFFFFF). - Phar: . Fixed bug #69680 (phar symlink in binary directory broken). - Postgres: . Fixed bug #69667 (segfault in php_pgsql_meta_data). - Sqlite3: . Upgrade bundled sqlite to 3.8.10.2. * Refresh patches using gbp pq php5 (5.6.11+dfsg-1) unstable; urgency=medium . * New upstream version 5.6.11+dfsg * Finish the transition to libsystemd, but allow backports (Closes: #779780) * Refresh patches using gbp pq rebase/export php5 (5.6.9+dfsg-1) unstable; urgency=medium . * New upstream version 5.6.9+dfsg - Core: . Fixed bug #69467 (Wrong checked for the interface by using Trait). . Fixed bug #69420 (Invalid read in zend_std_get_method). . Fixed bug #60022 ("use statement [...] has no effect" depends on leading backslash). . Fixed bug #67314 (Segmentation fault in gc_remove_zval_from_buffer). . Fixed bug #68652 (segmentation fault in destructor). . Fixed bug #69419 (Returning compatible sub generator produces a warning). . Fixed bug #69472 (php_sys_readlink ignores misc errors from GetFinalPathNameByHandleA). . Fixed bug #69364 (PHP Multipart/form-data remote dos Vulnerability). . Fixed bug #69403 (str_repeat() sign mismatch based memory corruption). . Fixed bug #69418 (CVE-2006-7243 fix regressions in 5.4+). . Fixed bug #69522 (heap buffer overflow in unpack()). - FTP: . Fixed bug #69545 (Integer overflow in ftp_genlist() resulting in heap overflow). - ODBC: . Fixed bug #69354 (Incorrect use of SQLColAttributes with ODBC 3.0). . Fixed bug #69474 (ODBC: Query with same field name from two tables returns incorrect result). . Fixed bug #69381 (out of memory with sage odbc driver). - OpenSSL: . Fixed bug #69402 (Reading empty SSL stream hangs until timeout). - PCNTL: . Fixed bug #68598 (pcntl_exec() should not allow null char). - PCRE . Upgraded pcrelib to 8.37. - Phar: . Fixed bug #69453 (Memory Corruption in phar_parse_tarfile when entry filename starts with null). * Rebased patches on top of 5.6.9+dfsg version php5 (5.6.9+dfsg-0+deb8u1) jessie-security; urgency=medium . * Update gbp.conf for jessie branch * New upstream version 5.6.9+dfsg - Core: . Fixed bug #69467 (Wrong checked for the interface by using Trait). . Fixed bug #69420 (Invalid read in zend_std_get_method). . Fixed bug #60022 ("use statement [...] has no effect" depends on leading backslash). . Fixed bug #67314 (Segmentation fault in gc_remove_zval_from_buffer). . Fixed bug #68652 (segmentation fault in destructor). . Fixed bug #69419 (Returning compatible sub generator produces a warning). . Fixed bug #69472 (php_sys_readlink ignores misc errors from GetFinalPathNameByHandleA). . Fixed bug #69364 (PHP Multipart/form-data remote dos Vulnerability). . Fixed bug #69403 (str_repeat() sign mismatch based memory corruption). . Fixed bug #69418 (CVE-2006-7243 fix regressions in 5.4+). . Fixed bug #69522 (heap buffer overflow in unpack()). - FTP: . Fixed bug #69545 (Integer overflow in ftp_genlist() resulting in heap overflow). - ODBC: . Fixed bug #69354 (Incorrect use of SQLColAttributes with ODBC 3.0). . Fixed bug #69474 (ODBC: Query with same field name from two tables returns incorrect result). . Fixed bug #69381 (out of memory with sage odbc driver). - OpenSSL: . Fixed bug #69402 (Reading empty SSL stream hangs until timeout). - PCNTL: . Fixed bug #68598 (pcntl_exec() should not allow null char). - PCRE . Upgraded pcrelib to 8.37. - Phar: . Fixed bug #69453 (Memory Corruption in phar_parse_tarfile when entry filename starts with null). * Rebased patches on top of 5.6.9+dfsg version * New upstream version 5.6.8+dfsg - Core: . Fixed bug #66609 (php crashes with __get() and ++ operator in some cases). (Dmitry, Laruence) . Fixed bug #68021 (get_browser() browser_name_regex returns non-utf-8 characters). (Tjerk) . Fixed bug #68917 (parse_url fails on some partial urls). (Wei Dai) . Fixed bug #69134 (Per Directory Values overrides PHP_INI_SYSTEM configuration options). (Anatol Belski) . Additional fix for bug #69152 (Type confusion vulnerability in exception::getTraceAsString). (Stas) . Fixed bug #69210 (serialize function return corrupted data when sleep has non-string values). (Juan Basso) . Fixed bug #69212 (Leaking VIA_HANDLER func when exception thrown in __call/... arg passing). (Nikita) . Fixed bug #69221 (Segmentation fault when using a generator in combination with an Iterator). (Nikita) . Fixed bug #69337 (php_stream_url_wrap_http_ex() type-confusion vulnerability). (Stas) . Fixed bug #69353 (Missing null byte checks for paths in various PHP extensions). (Stas) - Apache2handler: . Fixed bug #69218 (potential remote code execution with apache 2.4 apache2handler). (Gerrit Venema) - cURL: . Implemented FR#69278 (HTTP2 support). (Masaki Kagaya) . Fixed bug #68739 (Missing break / control flow). (Laruence) . Fixed bug #69316 (Use-after-free in php_curl related to CURLOPT_FILE/_INFILE/_WRITEHEADER). (Laruence) - Date: . Fixed bug #69336 (Issues with "last day of "). (Derick Rethans) - Enchant: . Fixed bug #65406 (Enchant broker plugins are in the wrong place in windows builds). (Anatol) - Ereg: . Fixed bug #68740 (NULL Pointer Dereference). (Laruence) - Fileinfo: . Fixed bug #68819 (Fileinfo on specific file causes spurious OOM and/or segfault). (Anatol Belski) - Filter: . Fixed bug #69202: (FILTER_FLAG_STRIP_BACKTICK ignored unless other flags are used). (Jeff Welch) . Fixed bug #69203 (FILTER_FLAG_STRIP_HIGH doesn't strip ASCII 127). (Jeff Welch) - OPCache: . Fixed bug #69297 (function_exists strange behavior with OPCache on disabled function). (Laruence) . Fixed bug #69281 (opcache_is_script_cached no longer works). (danack) . Fixed bug #68677 (Use After Free). (CVE-2015-1351) (Laruence) - OpenSSL . Fixed bugs #68853, #65137 (Buffered crypto stream data breaks IO polling in stream_select() contexts) (Chris Wright) . Fixed bug #69197 (openssl_pkcs7_sign handles default value incorrectly) (Daniel Lowrey) . Fixed bug #69215 (Crypto servers should send client CA list) (Daniel Lowrey) . Add a check for RAND_egd to allow compiling against LibreSSL (Leigh) - Phar: . Fixed bug #64343 (PharData::extractTo fails for tarball created by BSD tar). (Mike) . Fixed bug #64931 (phar_add_file is too restrictive on filename). (Mike) . Fixed bug #65467 (Call to undefined method cli_arg_typ_string). (Mike) . Fixed bug #67761 (Phar::mapPhar fails for Phars inside a path containing ".tar"). (Mike) . Fixed bug #69324 (Buffer Over-read in unserialize when parsing Phar). (Stas) . Fixed bug #69441 (Buffer Overflow when parsing tar/zip/phar in phar_set_inode). (Stas) - Postgres: . Fixed bug #68741 (Null pointer dereference). (CVE-2015-1352) (Laruence) - SPL: . Fixed bug #69227 (Use after free in zval_scan caused by spl_object_storage_get_gc). (adam dot scarr at 99designs dot com) - SOAP: . Fixed bug #69293 (NEW segfault when using SoapClient::__setSoapHeader (bisected, regression)). (Laruence) - Sqlite3: . Fixed bug #68760 (SQLITE segfaults if custom collator throws an exception). (Dan Ackroyd) . Fixed bug #69287 (Upgrade bundled libsqlite to 3.8.8.3). (Anatol) . Fixed bug #66550 (SQLite prepared statement use-after-free). (Sean Heelan) * Update d/gbp.conf to new config style * Update patches for 5.6.8 release * Switch to gbp pq patch management phpmyadmin (4:4.2.12-2+deb8u1) jessie-security; urgency=high . * Fix several security: - CVE-2015-2206: Risk of BREACH attack due to reflected parameter. - CVE-2015-3902: XSRF/CSRF vulnerability in phpMyAdmin setup. - CVE-2015-3903: Vulnerability allowing man-in-the-middle attack on API call to GitHub. - CVE-2015-6830: Vulnerability that allows bypassing the reCaptcha test. - CVE-2015-7873: Content spoofing vulnerability when redirecting user to an external site. plowshare4 (1.0.5-1+deb8u1) stable; urgency=high . * Disable javascript support (Closes: #791467) postgresql-9.1 (9.1.19-0+deb8u1) jessie; urgency=medium . * New upstream version, relevant PL/Perl change: + Fix plperl to handle non-ASCII error message texts correctly. postgresql-9.1 (9.1.19-0+deb7u1) wheezy; urgency=medium . * New upstream version. . + Fix contrib/pgcrypto to detect and report too-short crypt() salts (Josh Kupershmidt) . Certain invalid salt arguments crashed the server or disclosed a few bytes of server memory. We have not ruled out the viability of attacks that arrange for presence of confidential information in the disclosed bytes, but they seem unlikely. (CVE-2015-5288) postgresql-9.4 (9.4.5-0+deb8u1) jessie-security; urgency=medium . * New upstream security release. . + Guard against stack overflows in json parsing (Oskari Saarenmaa) . If an application constructs PostgreSQL json or jsonb values from arbitrary user input, the application's users can reliably crash the PostgreSQL server, causing momentary denial of service. (CVE-2015-5289) . + Fix contrib/pgcrypto to detect and report too-short crypt() salts (Josh Kupershmidt) . Certain invalid salt arguments crashed the server or disclosed a few bytes of server memory. We have not ruled out the viability of attacks that arrange for presence of confidential information in the disclosed bytes, but they seem unlikely. (CVE-2015-5288) postgresql-9.4 (9.4.5-0+deb8u1~bpo70+1) wheezy-backports; urgency=low . * Rebuild for wheezy-backports. . postgresql-9.4 (9.4.5-0+deb8u1) jessie-security; urgency=medium . * New upstream security release. . + Guard against stack overflows in json parsing (Oskari Saarenmaa) . If an application constructs PostgreSQL json or jsonb values from arbitrary user input, the application's users can reliably crash the PostgreSQL server, causing momentary denial of service. (CVE-2015-5289) . + Fix contrib/pgcrypto to detect and report too-short crypt() salts (Josh Kupershmidt) . Certain invalid salt arguments crashed the server or disclosed a few bytes of server memory. We have not ruled out the viability of attacks that arrange for presence of confidential information in the disclosed bytes, but they seem unlikely. (CVE-2015-5288) . postgresql-9.4 (9.4.4-0+deb8u1) jessie; urgency=medium . * New upstream version. + Fix possible failure to recover from an inconsistent database state + Fix rare failure to invalidate relation cache init file . postgresql-9.4 (9.4.3-0+deb8u1) jessie; urgency=medium . * New upstream version: Avoid failures while fsync'ing data directory during crash restart (Abhijit Menon-Sen, Tom Lane; Closes: #786874) . postgresql-9.4 (9.4.2-0+deb8u1) stable-security; urgency=medium . * New upstream version. . + Avoid possible crash when client disconnects just before the authentication timeout expires (Benkocs Norbert Attila) . If the timeout interrupt fired partway through the session shutdown sequence, SSL-related state would be freed twice, typically causing a crash and hence denial of service to other sessions. Experimentation shows that an unauthenticated remote attacker could trigger the bug somewhat consistently, hence treat as security issue. (CVE-2015-3165) . + Improve detection of system-call failures (Noah Misch) . Our replacement implementation of snprintf() failed to check for errors reported by the underlying system library calls; the main case that might be missed is out-of-memory situations. In the worst case this might lead to information exposure, due to our code assuming that a buffer had been overwritten when it hadn't been. Also, there were a few places in which security-relevant calls of other system library functions did not check for failure. . It remains possible that some calls of the *printf() family of functions are vulnerable to information disclosure if an out-of-memory error occurs at just the wrong time. We judge the risk to not be large, but will continue analysis in this area. (CVE-2015-3166) . + In contrib/pgcrypto, uniformly report decryption failures as Wrong key or corrupt data (Noah Misch) . Previously, some cases of decryption with an incorrect key could report other error message texts. It has been shown that such variance in error reports can aid attackers in recovering keys from other systems. While it's unknown whether pgcrypto's specific behaviors are likewise exploitable, it seems better to avoid the risk by using a one-size-fits-all message. (CVE-2015-3167) . + Protect against wraparound of multixact member IDs (Álvaro Herrera, Robert Haas, Thomas Munro) . Under certain usage patterns, the existing defenses against this might be insufficient, allowing pg_multixact/members files to be removed too early, resulting in data loss. The fix for this includes modifying the server to fail transactions that would result in overwriting old multixact member ID data, and improving autovacuum to ensure it will act proactively to prevent multixact member ID wraparound, as it does for transaction ID wraparound. . * Repository moved to git, update Vcs headers. . postgresql-9.4 (9.4.1-1) unstable; urgency=medium . * New upstream version. + libpq5: Name lookups fixed in minimal chroots (Closes: #756627) + Fix buffer overruns in to_char() (CVE-2015-0241) + Fix buffer overruns in contrib/pgcrypto (CVE-2015-0243) + Fix possible loss of frontend/backend protocol synchronization after an error (CVE-2015-0244) + Fix information leak via constraint-violation error messages (CVE-2014-8161) . postgresql-9.4 (9.4.0-1) unstable; urgency=medium . * 9.4 released. * libpq5.symbols: PQhostaddr removed; it was new in 9.4. . postgresql-9.4 (9.4~rc1-1) unstable; urgency=medium . * First 9.4 RC release. * Update psql call in dump-reload instructions. * Reenable 010_pg_basebackup.t tests, fixed upstream. . postgresql-9.4 (9.4~beta3-3) unstable; urgency=medium . * Temporarily disable failing test in 010_pg_basebackup.t. . postgresql-9.4 (9.4~beta3-2) unstable; urgency=medium . * postgresql-9.4.preinst: Output detailed dump-reload instructions when refusing the package upgrade, and also add a NEWS item about it. (Closes: #764705) * Add libipc-run-perl for the regression tests which otherwise skip large parts. * Update Standards-Version. . postgresql-9.4 (9.4~beta3-1) unstable; urgency=medium . * New upstream beta version. + Catalog version number changed, older 9.4 clusters need to be dumped and reloaded. + Regexp regression fixed. (Closes: #760564) + CACHE_LINE_SIZE definition renamed to mitigate conflict on *BSD. (Closes: #763098) . [ Martin Pitt ] * Add missing logrotate test dependency. . [ Christoph Berg ] * Set Multi-Arch: foreign in postgresql-client-9.4 and postgresql-doc-9.4. (Closes: #757520; do it even on non-multiarch dists, it doesn't hurt.) * Fix postgresql_fdw in description, spotted by Zack Weinberg, thanks! (Closes: #762389) . postgresql-9.4 (9.4~beta2-1) unstable; urgency=low . * New upstream beta version. + Secure Unix-domain sockets of temporary postmasters started during make check (Noah Misch) . Any local user able to access the socket file could connect as the server's bootstrap superuser, then proceed to execute arbitrary code as the operating-system user running the test, as we previously noted in CVE-2014-0067. This change defends against that risk by placing the server's socket in a temporary, mode 0700 subdirectory of /tmp. . * postgresql-9.4.preinst: Fail upgrade when upgrading from beta1, the catalog version changed. People should dump/remove their old clusters first. * Use util-linux' uuid lib as backend for the uuid-ossp extension (--with-uuid=e2fs). * Enable sepgsql (--with-selinux). On systems with libselinux1-dev < 2.1.10, this is automatically disabled. * Revert multiarch for libpq-dev and libecpg-dev. (Closes: #750111, #750112) * Remove our pg_regress patches to support --host=/path. Implemented upstream as fix for CVE-2014-0067. * debian/copyright: Say that there are various copyright holders for the contrib modules. (Hello Lintian!) * Update Vcs URLs. . postgresql-9.4 (9.4~beta1-2) experimental; urgency=medium . * Update watch file for 9.4. * Enable multiarch support in libpq and friends. (Closes: #706849) Support is automatically disabled when the distribution does not support it. * Stop providing postgresql-dbg in postgresql-9.4-dbg. Its only purpose was to conflict with other postgresql-*-dbg packages, and that's no longer needed with build-id debug symbols. * Skip -pie on 32bit archs for performance and stability reasons. Closes: #749686; details at http://www.postgresql.org/message-id/20140519115318.GB7296@msgid.df7cb.de * Update contrib copyright statements, and move them to a separate file. Thanks to Thorsten Alteholz for reviewing the package. . postgresql-9.4 (9.4~beta1-1) experimental; urgency=low . * Update for 9.4. Packaging based on 9.3 branch. * Bump to debhelper 9 to get debug symbol files based on build-ids. postgresql-9.4 (9.4.4-2) unstable; urgency=medium . * Add docbook-xml to build-depends. * debian/rules: Remove broken "generate POT files for translators" code. * Import patch from upstream to fix compatibility with perl 5.22. (Closes: #787468) * Fix memory read barrier on alpha, thanks to Michael Cree for the patch! (Closes: #756368) * postgresql postrm: Don't clean {/etc,/var/lib,/var/log}/postgresql on purge. (Closes: #793861) postgresql-9.4 (9.4.4-1) unstable; urgency=medium . * New upstream version. + Fix possible failure to recover from an inconsistent database state + Fix rare failure to invalidate relation cache init file prosody (0.9.7-2+deb8u2) jessie-security; urgency=high . * CVE-2016-1231: path traversal in http built-in server * CVE-2016-1232: weak PRNG for dialback on S2S putty (0.63-10+deb8u1) jessie-security; urgency=high . * More robust control sequence parameter handling, including: - CVE-2015-5309: Fix a potentially memory-corrupting integer overflow in the handling of the ECH (erase characters) control sequence in the terminal emulator. pygments (2.0.1+dfsg-1.1+deb8u1) jessie-security; urgency=high . * Non-maintainer upload by the Security Team. * Add CVE-2015-8557.patch patch. CVE-2015-8557: Shell injection in FontManager._get_nix_font_path. (Closes: #802828) pykerberos (1.1.5-0.1+deb8u1) jessie; urgency=medium . * Add KDC authenticity verification support (CVE-2015-3206) Obtained from upstream, ignoring white-space changes, URL: https://github.com/02strich/pykerberos/commit/02d13860b25fab58e739f0e000bed0067b7c6f9c (Closes: #796195) python-django (1.7.7-1+deb8u3) jessie-security; urgency=high . * SECURITY UPDATE: - CVE-2015-8213: Settings leak possibility in ``date`` template filter python-yaql (0.2.3-2+deb8u1) jessie-proposed-updates; urgency=medium . * Removed python3-yaql package: it's not working, and nothing depends on it (Closes: #795910). qemu (1:2.1+dfsg-12+deb8u4) jessie-security; urgency=high . * ne2000-add-checks-to-validate-ring-buffer-pointers-CVE-2015-5279.patch fix for Heap overflow vulnerability in ne2000_receive() function (Closes: #799074 CVE-2015-5279) * ne2000-avoid-infinite-loop-when-receiving-packets-CVE-2015-5278.patch (Closes: #799073 CVE-2015-5278) qemu (1:2.1+dfsg-12+deb8u4~bpo70+1) wheezy-backports; urgency=high . * Rebuild for wheezy-backports: - disable seccomp (not in wheezy) - build-depend on iasl|acpica-tools - s/python:any/python/ in build-depends . qemu (1:2.1+dfsg-12+deb8u4) jessie-security; urgency=high . * ne2000-add-checks-to-validate-ring-buffer-pointers-CVE-2015-5279.patch fix for Heap overflow vulnerability in ne2000_receive() function (Closes: #799074 CVE-2015-5279) * ne2000-avoid-infinite-loop-when-receiving-packets-CVE-2015-5278.patch (Closes: #799073 CVE-2015-5278) . qemu (1:2.1+dfsg-12+deb8u3) jessie-security; urgency=high . * Acknowlege the previous update. Thank you Salvatore for the hard work you did fixing so many security issues. * rename last patches removing numeric prefixes, so that different series wont intermix with each other, add Bug-Debian: headers. * Add e1000-avoid-infinite-loop-in-transmit-CVE-2015-6815.patch. CVE-2015-6815: net: e1000 infinite loop issue in processing transmit descriptor. (Closes: #798101 CVE-2015-6815) * Add ide-fix-ATAPI-command-permissions-CVE-2015-6855.patch. CVE-2015-6855: ide: qemu allows arbitrary commands to be sent to an ATAPI device from guest, while illegal comands might have security impact, f.e. WIN_READ_NATIVE_MAX results in divide by zero error. (Closes: CVE-2015-6855) . qemu (1:2.1+dfsg-12+deb8u2) jessie-security; urgency=high . * Non-maintainer upload by the Security Team. * Add 0001-i8254-fix-out-of-bounds-memory-access-in-pit_ioport_.patch patch. CVE-2015-3214: i8254: out-of-bounds memory access in pit_ioport_read function. (Closes: #795461) * Add patches to address heap overflow when processing ATAPI commands. CVE-2015-5154: heap overflow during I/O buffer memory access. (Closes: #793811) * Add CVE-2015-5225.patch patch. CVE-2015-5225: vnc: heap memory corruption in vnc_refresh_server_surface. (Closes: #796465) * Add 0001-virtio-serial-fix-ANY_LAYOUT.patch patch. CVE-2015-5745: buffer overflow in virtio-serial. (Closes: #795087) * Add patches for CVE-2015-5165. CVE-2015-5165: rtl8139 uninitialized heap memory information leakage to guest. (Closes: #794610) . qemu (1:2.1+dfsg-12+deb8u1) jessie-security; urgency=high . * slirp-use-less-predictable-directory-name-in-tmp-CVE-2015-4037.patch (Closes: CVE-2015-4037) * 11 patches for XEN PCI pass-through issues (Closes: #787547 CVE-2015-4103 CVE-2015-4104 CVE-2015-4105 CVE-2015-4106) * pcnet-force-buffer-access-to-be-in-bounds-CVE-2015-3209.patch with preparation bugfix pcnet-fix-negative-array-index-read.patch from upstream (Closes: #788460 CVE-2015-3209) qemu (1:2.1+dfsg-12+deb8u3) jessie-security; urgency=high . * Acknowlege the previous update. Thank you Salvatore for the hard work you did fixing so many security issues. * rename last patches removing numeric prefixes, so that different series wont intermix with each other, add Bug-Debian: headers. * Add e1000-avoid-infinite-loop-in-transmit-CVE-2015-6815.patch. CVE-2015-6815: net: e1000 infinite loop issue in processing transmit descriptor. (Closes: #798101 CVE-2015-6815) * Add ide-fix-ATAPI-command-permissions-CVE-2015-6855.patch. CVE-2015-6855: ide: qemu allows arbitrary commands to be sent to an ATAPI device from guest, while illegal comands might have security impact, f.e. WIN_READ_NATIVE_MAX results in divide by zero error. (Closes: CVE-2015-6855) qemu (1:2.1+dfsg-12+deb8u2) jessie-security; urgency=high . * Non-maintainer upload by the Security Team. * Add 0001-i8254-fix-out-of-bounds-memory-access-in-pit_ioport_.patch patch. CVE-2015-3214: i8254: out-of-bounds memory access in pit_ioport_read function. (Closes: #795461) * Add patches to address heap overflow when processing ATAPI commands. CVE-2015-5154: heap overflow during I/O buffer memory access. (Closes: #793811) * Add CVE-2015-5225.patch patch. CVE-2015-5225: vnc: heap memory corruption in vnc_refresh_server_surface. (Closes: #796465) * Add 0001-virtio-serial-fix-ANY_LAYOUT.patch patch. CVE-2015-5745: buffer overflow in virtio-serial. (Closes: #795087) * Add patches for CVE-2015-5165. CVE-2015-5165: rtl8139 uninitialized heap memory information leakage to guest. (Closes: #794610) qpsmtpd (0.84-11+deb8u1) stable; urgency=medium . * Patch for compatibility-breaker change in Net::DNS (Closes: #795836) * Depend on libnet-dns-perl >= 0.81, since 0.66 from oldstable has the opposite compatibility problem quassel (1:0.10.0-2.3+deb8u2) jessie; urgency=high . * Non-maintainer upload. * Fix CVE-2015-8547: remote DoS in quassel core, using /op * command. (Closes: #807801) - Add debian/patches/CVE-2015-8547.patch, cherry-picked from upstream. redis (2:2.8.17-1+deb8u3) jessie-security; urgency=high . * Non-maintainer upload by the Security Team. * Add 06-CVE-2015-8080-Integer-wraparound-in-lua_struct.c-cau.patch patch. CVE-2015-8080: Integer wraparound in lua_struct.c causing stack-based buffer overflow. (Closes: #804419) redis (2:2.8.17-1+deb8u2) stable; urgency=medium . * Backport debian/redis-server.tmpfile from unstable so that a valid runtime directory is created when running under systemd. This ensures that there is a secure and sensible location for the UNIX socket. (Closes: #803233) redmine (3.0~20140825-8~deb8u1) jessie; urgency=medium . * Backport as a stable update for Jessie. redmine (3.0~20140825-7) unstable; urgency=medium . * debian/postinst: always remove and recreate Gemfile.lock to handle the case where dependencies are being upgraded. redmine (3.0~20140825-6) unstable; urgency=medium . * debian/doc/examples/apache2-host.conf: fix typo in package name user is told to install Closes: #777736 * Fix upgrades when there are locally-installed plugins Closes: #779273 - debian/postinst: run rake under `bundle exec` to correctly handle upgrades when the local admin installed non-packaged plugins (i.e. ~100% of them). - 2003_externalize_session_config.patch, 2002_FHS_through_env_vars.patch, gemfile-adjustments.patch: always set RAILS_ETC, RAILS_* unconditionally from X_DEBIAN_SITEID because the load order under `bundle exec` seems to be a little different. - change Gemfile.lock handling: + symlink Gemfile.lock to /var/lib/redmine/Gemfile.lock + always update it at the beginning of debian/postinst + trigger postinst Ruby packages are upgraded * Don't leave unowned files after purge. Closes: #781534 - debian/postinst: - don't create files under /usr/share/redmine/app - pass SCHEMA=/dev/null to rake `db:migrate` so it won't create /usr/share/redmine/db/schema.rb - debian/postrm: remove the aforementioned files * debian/postinst: fix several programming errors - initialize variable that will hold the return code of a potentially failing command to 0 so it is not undefined if the command suceeeds. Closes: #780894 - add missing quotes around $fHasOldSessionName - fix logic when testing whether session.yml file exists - restrict usage of $2 as a version number when triggered, since $2 will contain the trigger names instead. * debian/patches/fix-move-issue-between-projects.patch: applied patch by Tristam Fenton-May to fix moving issues across projects (Closes: #783717) * debian/install: - install bin/ directory so rails detects redmine as a proper Rails app + This fixes running `rails console`, `rails dbconsole` etc from within the installed package at /usr/share/redmine. - don't install deprecated script/ directory * debian/doc/examples/apache2-passenger-*.conf: document line that must be changed in extra instances. * debian/patches/gemfile-adjustments.patch: - bump dependency on redcarpet - don't try to read database.yml is it's not readable rpcbind (0.2.1-6+deb8u1) jessie-security; urgency=high . * Non-maintainer upload by the Security Team. * Add CVE-2015-7236.patch patch. CVE-2015-7236: Memory corruption in PMAP_CALLIT code leading to denial of service. (Closes: #799307) rsyslog (8.4.2-1+deb8u2) jessie; urgency=medium . * Fix crash in imfile module when using inotify mode. Patch cherry-picked from upstream Git. (Closes: #770998) * Prevent a segfault in dynafile creation. Patch cherry-picked from upstream Git. (Closes: #807908) ruby-bson (1.10.0-1+deb8u1) jessie; urgency=medium . * Fix CVE-2015-4410: DoS and possible injection (Closes: #787951) s390-dasd (0.0.32~deb8u1) jessie; urgency=medium . * Upload to Debian stable. . s390-dasd (0.0.32) unstable; urgency=medium . * If no channel is found, exit cleanly. This allows s390-dasd to step out of the way on VMs with virtio disks. * Log error conditions. . s390-dasd (0.0.31) unstable; urgency=medium . [ Updated translations ] * Turkish (tr.po) by Mert Dirik s390-dasd (0.0.31) unstable; urgency=medium . [ Updated translations ] * Turkish (tr.po) by Mert Dirik samba (2:4.1.17+dfsg-2+deb8u1) jessie-security; urgency=high . * Add patch cve_2015_5252.diff, fixes: - CVE-2015-5252: Insufficient symlink verification in smbd * Add patch cve_2015_5296.diff, fixes: - CVE-2015-5296: Samba client requesting encryption vulnerable downgrade attack * Add patch cve_2015_5299.diff, fixes: - CVE-2015-5299: Missing access control check in shadow copy code * Add patch cve_2015_7540.diff, fixes: - CVE-2015-7540: Remote DoS in Samba (AD) LDAP server * Add patch cve_2015_8467.diff, fixes: - CVE-2015-8467: Denial of service attack against Windows Active Directory server * Add patch cve_2015_3223_5330.diff, fixes: - CVE-2015-3223: Denial of service in Samba Active Directory server - CVE-2015-5330: Remote memory read in Samba LDAP server * Bump build dependency for ldb to >= 2:1.1.17-2+deb8u1~. screen (4.2.1-3+deb8u1) jessie-security; urgency=high . * Fix stack overflow due to too deep recursion (CVE-2015-6806). shadow (1:4.2-3+deb8u1) jessie; urgency=medium . * Non-maintainer upload. * Fix error handling in busy user detection. (Closes: #778287) smokeping (2.6.9-1+deb8u1) stable-security; urgency=high . * security fix for CVE-2015-0859: code execution via CGI arguments due to Debian Apache configuration sparse (0.4.5~rc1-2~deb8u1) jessie; urgency=medium . * QA upload. * Rebuild for jessie. . sparse (0.4.5~rc1-2) unstable; urgency=medium . [ Andreas Beckmann ] * QA upload. * Set maintainer to Debian QA Group. (See #794643) * Fix Homepage and Vcs-Browser URLs. * Refresh patch to apply without fuzz. . [ Uwe Kleine-König ] * Cherry-pick commit from upstream to fix build failure with llvm-3.5. * Temporarily build-depend on libedit-dev because llvm-config claims to need that. (Closes: #793197) spice (0.12.5-1+deb8u2) jessie-security; urgency=high . * Non-maintainer upload by the Security Team. * Add series of patches for CVE-2015-5260 and CVE-2015-6261. CVE-2015-5260: insufficient validation of surface_id parameter can cause crash. (Closes: #801089) CVE-2015-5261: host memory access from guest using crafted images. (Closes: #801091) spice (0.12.5-1+deb8u1) jessie-security; urgency=high . * Non-maintainer upload by the Security Team. * Add CVE-2015-3247.patch patch. CVE-2015-3247: Memory corruption in worker_update_monitors_config(). (Closes: #797976) spip (3.0.17-2+deb8u1) jessie; urgency=medium . * Track Jessie * Backport XSS fixes in private content from 3.0.21 squid3 (3.4.8-6+deb8u1) jessie-security; urgency=high . [ Luigi Gangitano ] * debian/patches/36-squid-3.4-13225.patch - Added upstream patch fixing Improper Protection of Alternate Path (Ref: SQUID-2015:2, CVE-2015-5400) (Closes: #793128) stk (4.4.4-5+deb8u1) jessie; urgency=medium . [ Hanno Zulla ] * Install missing SKINI.{msg,tbl} include files strongswan (5.2.1-6+deb8u2) jessie-security; urgency=medium . * debian/patches: - CVE-2015-8023_eap_mschapv2_state added, fix authentication bypass when using EAP MSCHAPv2. strongswan (5.2.1-6+deb8u2~bpo70+1) wheezy-backports; urgency=medium . * Rebuild for wheezy-backports. . strongswan (5.2.1-6+deb8u2) jessie-security; urgency=medium . * debian/patches: - CVE-2015-8023_eap_mschapv2_state added, fix authentication bypass when using EAP MSCHAPv2. subversion (1.8.10-6+deb8u2) jessie-security; urgency=high . * patches/r1708699-mod_auth_ntlm-kerb-fix: Fix regression interacting with mod_auth_kerb/mod_auth_ntlm in due to CVE-2015-3814 patch. (Closes: #797216) * patches/CVE-2015-5343: Heap overflow and out-of-bounds read in mod_dav_svn subversion (1.8.10-6+deb8u2~bpo70+1) wheezy-backports; urgency=medium . * Rebuild for wheezy-backports. * Use libdb5.1 instead of 5.3. * Create libapache2-mod-svn maintainer scripts manually instead of using dh_apache2. * Adapt ruby libdir as it's not multiarched in wheezy. * Add ruby1.8 and ruby1.8-dev to Build-Conflicts to make sure the same versions of ruby and ruby-dev are installed. * Remove dependency on apache2-bin, not needed for apache 2.2. . subversion (1.8.10-6+deb8u2) jessie-security; urgency=high . * patches/r1708699-mod_auth_ntlm-kerb-fix: Fix regression interacting with mod_auth_kerb/mod_auth_ntlm in due to CVE-2015-3814 patch. (Closes: #797216) * patches/CVE-2015-5343: Heap overflow and out-of-bounds read in mod_dav_svn sudo (1.8.10p3-1+deb8u3) jessie-security; urgency=medium . * Non-maintainer upload * Disable editing of files via user-controllable symlinks (Closes: #804149) (CVE-2015-5602) - sudoedit path restriction bypass using symlinks - Change warning when user tries to sudoedit a symbolic link - Open sudoedit files with O_NONBLOCK and fail if they are not regular files - Remove S_ISREG check from sudo_edit_open(), it is already done in the caller - Add directory writability checks for sudoedit - Fix directory writability checks for sudoedit - Enable sudoedit directory writability checks by default sus (7.20160107~deb8u1) jessie; urgency=medium . * Non-maintainer upload. * Rebuild for jessie. . sus (7.20160107) unstable; urgency=medium . * The upstream tarball for SUSv4 TC1 changed; update checksum (Closes: #790535) | The chapters on m4 and expr seems to have been improved slightly * urgency=medium since susv4 is no longer installable . sus (7.20150719) unstable; urgency=medium . * The upstream tarball for SUSv4 TC1 has changed; update checksum (Closes: #790535) | No normative changes, only tidying * urgency=medium since susv4 is no longer installable sus (7.20150719) unstable; urgency=medium . * The upstream tarball for SUSv4 TC1 has changed; update checksum (Closes: #790535) | No normative changes, only tidying * urgency=medium since susv4 is no longer installable swift (2.2.0-1+deb8u1) jessie-proposed-updates; urgency=medium . [ Thomas Goirand ] * Fixed swift user creation (standardized on pkgos way). * CVE-2015-1856 & OSSA 2015-006: Unauthorized delete of versioned Swift object. Applied upstream patch: Prevent unauthorized delete in versioned container (Closes: #783163). . [ Ondřej Nový ] * Fixed service name of object-expirer. * Added container-sync init script. * CVE-2015-5223: Information leak via Swift tempurls. Applied upstream patch: Disallow unsafe tempurl operations to point to unauthorized data (Closes: #797032). symfony (2.3.21+dfsg-4+deb8u2) jessie-security; urgency=high . * Backport security fixes from 2.3.35 - Session Fixation in the "Remember Me" Login Feature [CVE-2015-8124] - Vulnerability in Security Remember-Me Service [CVE-2015-8125] systemd (215-17+deb8u3) stable; urgency=medium . * Fix namespace breakage due to incorrect path sorting. (Closes: #787758) * Don't timeout after 90 seconds when no password was entered for cryptsetup devices. (Closes: #802897) * Only set the kernel's timezone when the RTC runs in local time. Otherwise, every daylight saving time change or time zone change by travelling will make the time jump, and the local time might jump backwards which creates unsolvable problems with file timestamps. (Closes: #759319) * Fix incorrect handling of comma separator in systemd-delta. (Closes: #793477) * Make DHCP broadcast behaviour configurable in systemd-networkd via RequestBroadcast=. This is a backport from upstream which doesn't change the default setting. (Closes: #797894) tangerine-icon-theme (0.26.debian-3.1~deb8u1) jessie; urgency=medium . * Non-maintainer upload. * Rebuild for jessie. . tangerine-icon-theme (0.26.debian-3.1) unstable; urgency=medium . * Non-maintainer upload. * debian/clean-up.sh: Do not run processes in background. (Closes: #793161) tomcat8 (8.0.14-1+deb8u1) jessie-security; urgency=medium . * Fixed CVE-2014-7810: Malicious web applications could use expression language to bypass the protections of a Security Manager as expressions were evaluated within a privileged code section. torbrowser-launcher (0.1.9-1+deb8u2) jessie; urgency=medium . * Dedicated to the memory of Ian Murdock. Thank you very much for starting and shaping Debian, Ian! The world would be very different today without your work and you will never be forgotten. * Add debian/patches/series file so that the patches from 0.1.9-1+deb8u1 are actually applied. - Apply 3d9f4ed and 5f833d7 from 0.2.0 upstream release to deal with changed pathes in the 4.5 torbrowser release. (Closes: #784041) - 3d9f4ed also removes the accept links feature (as it has stopped worked with 4.5.) - Apply f219f35 from 0.2.0 to stop acting as default browser, because a default browser should be captable of accepting links. * Refresh those patches so they apply cleanly. * Cherry-picks from 0.2.2: - 39901c6 Stop confining start-tor-browser script with AppArmor, and fix profiles to work with TBB 4.5+ (#181) - Set usr.bin.torbrowser-launcher AppArmor profiles to complain mode to make it work again (based on 70c750e). - e07beac Get stable version using torbrowser updater xml. (Closes: #804184) - ab141ee Stop using sha256sums.txt and sha256sums.txt.asc (fixes #180), (includes 7829f3e cleanup commit.) - 1ff1055 Force download URLs to be strings and not unicode (#205). - 94d184a Only convert unicode URLs to strings if they are actually unicode (#205). (Closes: #805078) torbrowser-launcher (0.1.9-1+deb8u2~bpo70+1) wheezy-backports; urgency=medium . * Rebuild for wheezy-backports. . torbrowser-launcher (0.1.9-1+deb8u2) jessie; urgency=medium . * Dedicated to the memory of Ian Murdock. Thank you very much for starting and shaping Debian, Ian! The world would be very different today without your work and you will never be forgotten. * Add debian/patches/series file so that the patches from 0.1.9-1+deb8u1 are actually applied. - Apply 3d9f4ed and 5f833d7 from 0.2.0 upstream release to deal with changed pathes in the 4.5 torbrowser release. (Closes: #784041) - 3d9f4ed also removes the accept links feature (as it has stopped worked with 4.5.) - Apply f219f35 from 0.2.0 to stop acting as default browser, because a default browser should be captable of accepting links. * Refresh those patches so they apply cleanly. * Cherry-picks from 0.2.2: - 39901c6 Stop confining start-tor-browser script with AppArmor, and fix profiles to work with TBB 4.5+ (#181) - Set usr.bin.torbrowser-launcher AppArmor profiles to complain mode to make it work again (based on 70c750e). - e07beac Get stable version using torbrowser updater xml. (Closes: #804184) - ab141ee Stop using sha256sums.txt and sha256sums.txt.asc (fixes #180), (includes 7829f3e cleanup commit.) - 1ff1055 Force download URLs to be strings and not unicode (#205). - 94d184a Only convert unicode URLs to strings if they are actually unicode (#205). (Closes: #805078) tryton-server (3.4.0-3+deb8u1) jessie-security; urgency=high . * Adding patch 02-CVE-2015-0861_field_access_on_multi_write.patch. Field access was only checked for the field defined in the first values dictionary, but it must be checked for all dictionaries in *args. - https://bugs.tryton.org/issue5167 - https://codereview.tryton.org/22631002 ttylog (0.26-1~deb8u1) stable; urgency=medium . * Resolve the issue in 'jessie' with the truncating of the modem_device string during the normal operation of ttylog. * Revert Debhelper Compatibility and Build-Depends to version 8 for 'jessie'. tzdata (2015g-0+deb8u1) stable; urgency=medium . [ Aurelien Jarno ] * New upstream version, affecting the following future time stamps: - Fiji - Fort Nelson, British Columbia - Norfolk Island - Turkey (closes: #801172) tzdata (2015g-0+deb7u1) oldstable; urgency=medium . [ Aurelien Jarno ] * New upstream version, affecting the following future time stamps: - Fiji - Fort Nelson, British Columbia - Norfolk Island - Turkey (closes: #801172) tzdata (2015g-0+deb6u1) squeeze-lts; urgency=medium . * New upstream version: - Fiji - Fort Nelson, British Columbia - Norfolk Island - Turkey (closes: #801172) - North Korea switches to +0830 on 2015-08-15. - Uruguay no longer observes DST (closes: #801336). - DST suspension from 2015-06-14 03:00 through 2015-07-19 02:00 in Morroco. tzdata (2015f-1) unstable; urgency=high . [ Aurelien Jarno ] * New upstream version, affecting the following future time stamps: - North Korea switches to +0830 on 2015-08-15. - Uruguay no longer observes DST. unzip (6.0-16+deb8u2) jessie-security; urgency=high . * Non-maintainer upload by the Security Team. * Update 16-fix-integer-underflow-csiz-decrypted patch. Fix regression in handling 0-byte files. (Closes: #804595) unzip (6.0-16+deb8u1) jessie-security; urgency=high . * Non-maintainer upload by the Security Team. * Fix infinite loop when extracting password-protected archive. This is CVE-2015-7697. Closes: #802160. * Fix heap overflow when extracting password-protected archive. This is CVE-2015-7696. Closes: #802162. * Fix additional unsigned overflow on invalid input. uqm (0.6.2.dfsg-9.1~deb8u1) jessie; urgency=medium . * Non-maintainer upload. * Rebuild for jessie. . uqm (0.6.2.dfsg-9.1) unstable; urgency=medium . * Non-maintainer upload. * Fix missing -lm, thanks to Peter Piwowarski. (Closes: #792920) virtualbox (4.3.32-dfsg-1+deb8u2) jessie-security; urgency=medium . * d/rules: re-enable VBOX_WITH_VMSVGA and VBOX_WITH_VMSVGA3D (Closes: #795531). - the CVEs are already fixed - this patch makes it build more coherently with how upstream builds it. - the proper patch should be on upstream changeset 57410 but we don't need it anymore virtualbox (4.3.32-dfsg-1+deb8u2~bpo70+1) wheezy-backports; urgency=medium . * Rebuild for wheezy-backports. . virtualbox (4.3.32-dfsg-1+deb8u2) jessie-security; urgency=medium . * d/rules: re-enable VBOX_WITH_VMSVGA and VBOX_WITH_VMSVGA3D (Closes: #795531). - the CVEs are already fixed - this patch makes it build more coherently with how upstream builds it. - the proper patch should be on upstream changeset 57410 but we don't need it anymore virtualbox (4.3.32-dfsg-1+deb8u2~bpo60+1) wheezy-backports; urgency=low . * Rebuild for wheezy-backports. . virtualbox (4.3.32-dfsg-1+deb8u2) jessie-security; urgency=medium . * d/rules: re-enable VBOX_WITH_VMSVGA and VBOX_WITH_VMSVGA3D (Closes: #795531). - the CVEs are already fixed - this patch makes it build more coherently with how upstream builds it. - the proper patch should be on upstream changeset 57410 but we don't need it anymore . virtualbox (4.3.32-dfsg-1+deb8u1) jessie-security; urgency=medium . [ Gianfranco Costamagna ] * New upstream security release. - Addressed CVE-2015-4813 and CVE-2015-4896 * Use my uid to fix NMU warning * Remove pre-depends on dpkg, useless now. . [ Ritesh Raj Sarraf ] * Move virtualbox-dkms | virtualbox-source to Depends, needed to fully configure virtualbox kernel module prior to reload virtualbox service, avoiding a race condition. (Closes: #798527, #798979) . virtualbox (4.3.30-dfsg-1+deb8u1) jessie-security; urgency=medium . [ Ritesh Raj Sarraf ] * Imported upstream release. . [ Gianfranco Costamagna ] * Readd again some removed lintian overrides. * virtualbox 4.3.30 builds fine with gcc 5.1, removing the gcc-4.9 workaround (d/{rules,control}) * Update copyright file. * Patch refresh. * Remove some more windows prebuilt files. * Add libnotify-bin as runtime-dependency for the x11 package (used for notify-send command) (Closes: #792292) - Thanks Torquil Macdonald Sørensen for the useful and complete bug report. . virtualbox (4.3.28-dfsg-1) unstable; urgency=medium . * New upstream release (Closes: #785655). - fix for CVE-2015-3456 a.k.a. VENOM (Closes: #785424) - patch refresh. - remove d/p/37-diff_smap_4.patch. * Remove MAKE=kmk on virtualbox{,-guest}-source.files/rules (Closes: #785161). Upstream doesn't recommend using kmk to build kernel modules. this reverts 63fa6b7b86035b53e8d053b894814eccac9ce595 * Add gbp.conf file. . virtualbox (4.3.26-dfsg-3) unstable; urgency=medium . [ Adam Conrad ] * Re-work the packaging to account for the kernel modules being shipped in the master kernel packages, removing the need for dkms (LP: #1434579): - Make the dkms package provide a virtual package matching what the kernel packages provide to indicate that they ship the dkms modules. - Add an alternate dep from the utils package to the virtual driver. - Make the x11 driver package associate with the VGA controller PCI ID. . virtualbox (4.3.26-dfsg-2) experimental; urgency=medium . [ Gianfranco Costamagna ] * remove obsolete lintian overrides. * d/p/37-diff_smap_4.patch, cherry-pick upstream patch to fix a kernel paging issue (LP: #1437845). . [ Ritesh Raj Sarraf ] * Remove Michael Meskes from uploaders. . virtualbox (4.3.26-dfsg-1) experimental; urgency=medium . * Imported upstream release. * Conflict with upstream proprietary packages 4.3 series. (LP: #1371287, LP: #1375018, LP: #1385931, LP: #1386328, LP: #1421926) . virtualbox (4.3.24-dfsg-1) experimental; urgency=medium . [ Gianfranco Costamagna ] * Imported upstream release (Closes: #779025). * Remove d/p/38-remove-hardcoded-gcc.patch, use --with-gcc and --with-g++ configure flags. * Remove d/p/37-fix-build.patch, merged upstream. . [ Ritesh Raj Sarraf ] * [3bf4cdd] Add back versioned dependency on gcc multilib . virtualbox (4.3.22-dfsg-1) experimental; urgency=medium . [ Gianfranco Costamagna ] * Imported Upstream release. * Update copyright year. * d/p/37-fix-build.patch fix build, following upstream change in xorg driver build (thanks to Michael Thayer for the hint and the help). * Remove old patches. * d/p/38-remove-hardcoded-gcc.patch use CC and CXX from d/rules until virtualbox is gcc-5 ready. . [ Ritesh Raj Sarraf ] * [1413631] Build with gcc 4 only * [f34c886] Add versioned dependency on g++-multilib . virtualbox (4.3.20-dfsg-1) experimental; urgency=medium . [ Gianfranco Costamagna ] * Imported Upstream release. . [ Ritesh Raj Sarraf ] * Flip build dependency to libcurl4-gnutls-dev . virtualbox (4.3.18-dfsg-3+deb8u3) jessie; urgency=medium . * d/p/39-crash-raw-mode.patch fix crash in raw mode. (Closes: #785689) from upstream changeset 53083 thanks Frank for the hint! . virtualbox (4.3.18-dfsg-3+deb8u2) jessie-security; urgency=high . * d/p/CVE-2015-3456.patch fix for CVE-2015-3456 a.k.a. VENOM (Closes: #785424) . virtualbox (4.3.18-dfsg-3+deb8u1) jessie; urgency=medium . [ Moritz Mühlenhoff ] * d/p/37-disable-smap.patch, cherry-pick upstream patch to fix a kernel paging issue (LP: #1437845, Closes: #783142). . virtualbox (4.3.18-dfsg-3) unstable; urgency=medium . * Conflict with upstream proprietary packages 4.3 series. (LP: #1371287, LP: #1375018, LP: #1385931, LP: #1386328, LP: #1421926) virtualbox (4.3.30-dfsg-1+deb8u1) jessie-security; urgency=medium . [ Ritesh Raj Sarraf ] * Imported upstream release. . [ Gianfranco Costamagna ] * Readd again some removed lintian overrides. * virtualbox 4.3.30 builds fine with gcc 5.1, removing the gcc-4.9 workaround (d/{rules,control}) * Update copyright file. * Patch refresh. * Remove some more windows prebuilt files. * Add libnotify-bin as runtime-dependency for the x11 package (used for notify-send command) (Closes: #792292) - Thanks Torquil Macdonald Sørensen for the useful and complete bug report. virtualbox (4.3.30-dfsg-1) unstable; urgency=medium . [ Ritesh Raj Sarraf ] * Imported upstream release. . [ Gianfranco Costamagna ] * Readd again some removed lintian overrides. * virtualbox 4.3.30 builds fine with gcc 5.1, removing the gcc-4.9 workaround (d/{rules,control}) * Update copyright file. * Patch refresh. * Remove some more windows prebuilt files. * Add libnotify-bin as runtime-dependency for the x11 package (used for notify-send command) (Closes: #792292) - Thanks Torquil Macdonald Sørensen for the useful and complete bug report. virtualbox (4.3.28-dfsg-1) unstable; urgency=medium . * New upstream release (Closes: #785655). - fix for CVE-2015-3456 a.k.a. VENOM (Closes: #785424) - patch refresh. - remove d/p/37-diff_smap_4.patch. * Remove MAKE=kmk on virtualbox{,-guest}-source.files/rules (Closes: #785161). Upstream doesn't recommend using kmk to build kernel modules. this reverts 63fa6b7b86035b53e8d053b894814eccac9ce595 * Add gbp.conf file. virtualbox (4.3.26-dfsg-3) unstable; urgency=medium . [ Adam Conrad ] * Re-work the packaging to account for the kernel modules being shipped in the master kernel packages, removing the need for dkms (LP: #1434579): - Make the dkms package provide a virtual package matching what the kernel packages provide to indicate that they ship the dkms modules. - Add an alternate dep from the utils package to the virtual driver. - Make the x11 driver package associate with the VGA controller PCI ID. virtualbox (4.3.26-dfsg-2) experimental; urgency=medium . [ Gianfranco Costamagna ] * remove obsolete lintian overrides. * d/p/37-diff_smap_4.patch, cherry-pick upstream patch to fix a kernel paging issue (LP: #1437845). . [ Ritesh Raj Sarraf ] * Remove Michael Meskes from uploaders. virtualbox (4.3.26-dfsg-1) experimental; urgency=medium . * Imported upstream release. * Conflict with upstream proprietary packages 4.3 series. (LP: #1371287, LP: #1375018, LP: #1385931, LP: #1386328, LP: #1421926) virtualbox (4.3.24-dfsg-1) experimental; urgency=medium . [ Gianfranco Costamagna ] * Imported upstream release (Closes: #779025). * Remove d/p/38-remove-hardcoded-gcc.patch, use --with-gcc and --with-g++ configure flags. * Remove d/p/37-fix-build.patch, merged upstream. . [ Ritesh Raj Sarraf ] * [3bf4cdd] Add back versioned dependency on gcc multilib virtualbox (4.3.22-dfsg-1) experimental; urgency=medium . [ Gianfranco Costamagna ] * Imported Upstream release. * Update copyright year. * d/p/37-fix-build.patch fix build, following upstream change in xorg driver build (thanks to Michael Thayer for the hint and the help). * Remove old patches. * d/p/38-remove-hardcoded-gcc.patch use CC and CXX from d/rules until virtualbox is gcc-5 ready. . [ Ritesh Raj Sarraf ] * [1413631] Build with gcc 4 only * [f34c886] Add versioned dependency on g++-multilib virtualbox (4.3.20-dfsg-1) experimental; urgency=medium . [ Gianfranco Costamagna ] * Imported Upstream release. . [ Ritesh Raj Sarraf ] * Flip build dependency to libcurl4-gnutls-dev vlc (2.2.1-1~deb8u1) jessie; urgency=medium . [ Sebastian Ramacher ] * New upstream release. * debian/patches: Removed codec-schroedinger-fix-potential-buffer-overflow.patch, demux-mp4-fix-buffer-overflow-in-parsing-of-string-b.patch, and stream_out-rtp-don-t-use-VLA-for-user-controlled-dat.patch. They are included upstream. * debian/libvlccore8.symbols: Bump version requirements for meta data change. (Closes: #798763, #798899) . [ Benjamin Drung ] * drop/rules: Drop removed --enable-glx configure flag. vlc (2.2.0-1) unstable; urgency=medium . [ Helmut Grohne ] * Add versioned depends on libvlccore8 to libvlc5 which shares /usr/share/doc to comply with Debian policy 12.3. (Closes: #779251) . [ Mateusz Łukasik ] * New upstream release. (Closes: #757462, #780476) - Fix various (potentially exploitable) heap overflows and heap buffer overflows in different demuxers (LP: #1390491) * Drop patches included upstream: - demux-mp4-fix-buffer-overflow-in-parsing-of-string-b.patch - stream_out-rtp-don-t-use-VLA-for-user-controlled-dat.patch * Disable build samba plugin on hurd for fix FTBFS. (Closes: #765578) . [ Benjamin Drung ] * Point Vcs-Browser to cgit instead of gitweb. * Drop removed --enable-glx configure flag. vzctl (4.8-1+deb8u2) jessie-security; urgency=high . * Correction of regression problem introduced in the upgrade code for version 4.8-1+deb8u1. vzctl (4.8-1+deb8u1) jessie-security; urgency=high . * Security backport from 4.9.4. * CT configuration secured during upgrade as it is done in 4.9.4 package. webkitgtk (2.4.9-1~deb8u1) stable; urgency=high . * New upstream release. + This fixes CVE-2015-2330. * debian/patches/ax-focus-events.patch, debian/patches/fix-ftbfs-pluginpackage.patch, debian/patches/fix-mips64-build.patch, debian/patches/fix-textrel-x86.patch, debian/patches/g-closure-unref.diff, debian/patches/nullptr-accessibilitymenulistoption.patch, debian/patches/nullptr-frameprogresstracker.patch, debian/patches/render-text-control.patch: + Remove. * debian/patches/02_notebook_scroll.patch, debian/patches/fix-arm64-build.patch, debian/patches/restore_sparc_code.patch, debian/patches/x32_support.patch: + Refresh. * debian/source/lintian-overrides: + lintian gives false positives with many of the javascript files in the source tarball, thinking that they are minified (see #798900). wireshark (1.12.1+g01b65bf-4+deb8u3) jessie-security; urgency=high . * security fixes from Wireshark 1.12.7: - Protocol tree crash (CVE-2015-6241) - Crash in wmem block allocator in the memory manager (CVE-2015-6242) - Crash in the dissector table implementation (CVE-2015-6243) - The ZigBee dissector could crash (CVE-2015-6244) - The GSM RLC/MAC dissector could go into an infinite loop (CVE-2015-6245) - The WaveAgent dissector could crash (CVE-2015-6246) - The ptvcursor implementation could crash (CVE-2015-6248) - The OpenFlow dissector could crash (CVE-2015-6247) - The WCCP dissector could crash (CVE-2015-6249) wordpress (4.1+dfsg-1+deb8u7) jessie-security; urgency=high . * Apply changeset 36185 fixes XSS CVE-2016-1564 Closes: #810325 wordpress (4.1+dfsg-1+deb8u6) jessie-security; urgency=high . * Fix changeset 33359 Closes: #803100 wordpress (4.1+dfsg-1+deb8u5) jessie-security; urgency=medium . * Backport of 4.3.1 security fixes Closes: #799140 * Changeset 34137 XSS in user list table * Changeset 34144 unclosed HTML elements CVE-2015-5714 * Changeset 34151 unsticky private posts CVE-2015-5715 wpa (2.3-1+deb8u3) jessie-security; urgency=high . * Non-maintainer upload by the Security Team. * Add CVE-2015-5314.patch patch. CVE-2015-5314: hostapd: EAP-pwd missing last fragment length validation. * Add CVE-2015-5315.patch patch. CVE-2015-5315: wpa_supplicant: EAP-pwd missing last fragment length validation. * Add CVE-2015-5316.patch patch. CVE-2015-5316: EAP-pwd peer error path failure on unexpected Confirm message. wpa (2.3-1+deb8u2) jessie-security; urgency=high . * Non-maintainer upload by the Security Team. * Add patch to address CVE-2015-4141. CVE-2015-4141: WPS UPnP vulnerability with HTTP chunked transfer encoding. (Closes: #787372) * Add patch to address CVE-2015-4142. CVE-2015-4142: Integer underflow in AP mode WMM Action frame processing. (Closes: #787373) * Add patches to address CVE-2015-414{3,4,5,6} CVE-2015-4143 CVE-2015-4144 CVE-2015-4145 CVE-2015-4146: EAP-pwd missing payload length validation. (Closes: #787371) * Add patch to address 2015-5 vulnerability. NFC: Fix payload length validation in NDEF record parser (Closes: #795740) * Add patch to address CVE-2015-5310. CVE-2015-5310: wpa_supplicant unauthorized WNM Sleep Mode GTK control. wxmaxima (13.04.2-4+deb8u1) jessie; urgency=medium . * New patch that prevents a crash on encountering parenthesis in dialogues (closes: bug#796954, #752528). * New maintainer xen (4.4.1-9+deb8u3) jessie-security; urgency=high . * Fix CVE-2015-3259 (XSA-137) * Fix CVE-2015-3340 (XSA-132) * Fix CVE-2015-6654 (XSA-141) * Fix CVE-2015-7311 (XSA-142) * Fix CVE-2015-7812 (XSA-145) * Fix CVE-2015-7813 (XSA-146) * Fix CVE-2015-7814 (XSA-147) * Fix CVE-2015-7969 (XSA-151 and XSA-149) * Fix CVE-2015-7970 (XSA-150) * Fix CVE-2015-7971 (XSA-152) * Fix CVE-2015-7972 (XSA-153) * Fix CVE-2015-8104 and CVE-2015-5307 (XSA-156) xen (4.4.1-9+deb8u2) jessie-security; urgency=high . * Non-maintainer upload by the Security Team. * Add CVE-2015-7835-xsa148.patch patch. CVE-2015-7835: x86: Uncontrolled creation of large page mappings by PV guests. xscreensaver (5.30-1+deb8u1) jessie-security; urgency=medium . * Add upstream patch for "xscreensaver aborts when unplugging second monitor" security issue (closes: #802914) http://www.openwall.com/lists/oss-security/2015/10/24/2 zendframework (1.12.9+dfsg-2+deb8u5) jessie; urgency=medium . * Backport security fix from 1.12.17 - ZF2015-09: Fixed entropy issue in word CAPTCHA http://framework.zend.com/security/advisory/ZF2015-09 zendframework (1.12.9+dfsg-2+deb8u4) jessie-security; urgency=high . * Backport security fixes from 1.12.16: - ZF2015-07: Filesystem Permissions Issues in Multiple Components http://framework.zend.com/security/advisory/ZF2015-07 [CVE-2015-5723] - ZF2015-08: Potential SQL injection vector using null byte for PDO (MsSql, SQLite) http://framework.zend.com/security/advisory/ZF2015-08 [CVE-2014-8089] ====================================== Sat, 05 Sep 2015 - Debian 8.2 released ====================================== ========================================================================= [Date: Sat, 05 Sep 2015 08:37:46 +0000] [ftpmaster: Archive Administrator] Removed the following packages from stable: librfilter-ruby1.8 | 0.12-2.1 | all rdeliver | 0.12-2.1 | all rubyfilter | 0.12-2.1 | source rubyfilter-doc | 0.12-2.1 | all Closed bugs: 790318 ------------------- Reason ------------------- RoQA; broken (empty) package ---------------------------------------------- ========================================================================= ========================================================================= [Date: Sat, 05 Sep 2015 08:38:15 +0000] [ftpmaster: Archive Administrator] Removed the following packages from stable: libnetty3.1-java | 3.1.0.CR1-1 | all netty3.1 | 3.1.0.CR1-1 | source Closed bugs: 795430 ------------------- Reason ------------------- RoQA; dependency for jetty which is not present in jessie ---------------------------------------------- ========================================================================= ========================================================================= [Date: Sat, 05 Sep 2015 08:38:56 +0000] [ftpmaster: Archive Administrator] Removed the following packages from stable: php-zend-xml | 1.0.0-1 | source, all Closed bugs: 796115 ------------------- Reason ------------------- RoM; security issues; useless in jessie ---------------------------------------------- ========================================================================= ========================================================================= [Date: Sat, 05 Sep 2015 08:39:21 +0000] [ftpmaster: Archive Administrator] Removed the following packages from stable: criu | 1.3.1-1 | source, amd64, armhf criu-dbg | 1.3.1-1 | amd64, armhf Closed bugs: 796534 ------------------- Reason ------------------- RoM; fast-moving target, too difficult to keep updated ---------------------------------------------- ========================================================================= ========================================================================= [Date: Sat, 05 Sep 2015 08:39:48 +0000] [ftpmaster: Archive Administrator] Removed the following packages from stable: dactyl | 1.1+hg7904-0+nmu1 | source xul-ext-pentadactyl | 1.1+hg7904-0+nmu1 | all Closed bugs: 797072 ------------------- Reason ------------------- RoM; incompatible with newer Iceweasel ---------------------------------------------- ========================================================================= ========================================================================= [Date: Sat, 05 Sep 2015 08:40:11 +0000] [ftpmaster: Archive Administrator] Removed the following packages from stable: fullscreen-extension | 1.0.4-1 | source xul-ext-fullscreen | 1.0.4-1 | all Closed bugs: 797394 ------------------- Reason ------------------- RoM; incompatible with newer Iceweasel ---------------------------------------------- ========================================================================= activemq (5.6.0+dfsg1-4+deb8u1) jessie-security; urgency=high . * Team upload. * Fixed CVE-2014-3576: DoS via unauthenticated remote shutdown command (Closes: #792857) akonadi (1.13.0-2+deb8u1) stable-proposed-updates; urgency=medium . * Team upload. * Apply upstream_dont_leak_old_external_payload_files.patch which fixes a bug that let old files be kept when they should be removed. apache2 (2.4.10-10+deb8u3) jessie; urgency=medium . * Revert fix for deferred mpm switch for now, because it is at least not complete or maybe causes regressions (see #791902). Re-opens #789914 apache2 (2.4.10-10+deb8u2) jessie; urgency=medium . [ Stefan Fritsch ] * Fix upgrade logic: When upgrading from wheezy with apache2.2-common but without apache2 installed to jessie, part of the conffile handling logic would not run, causing outdated conffile content to be kept. This is part of the solution for bug #794933. The other part will be included in the upgrade to Debian 9 (stretch). * core: Fix -D[efined] or [d] variables lifetime accross restarts. This could cause all kinds of strange behavior. PR 56008. PR 57328 * mpm_event: Fix process deadlock when shutting down a worker. PR 56960 * mpm_event: Fix crashes due to various race conditions. Closes: #779078 . [ Jean-Michel Vourgère ] * apache2.postinst: Fixed tests on deferred mpm switch. Closes: #789914 apache2 (2.4.10-10+deb8u1) jessie-security; urgency=medium . * CVE-2015-3183: Fix chunk header parsing defect. * CVE-2015-3185: ap_some_auth_required() broken in apache 2.4 in an unfixable way. Add a new replacement API ap_some_authn_required() and ap_force_authn hook. apt (1.0.9.8.1) stable; urgency=medium . [ David Kalnischkies ] * parse specific-arch dependencies correctly on single-arch systems (Closes: 777760) * remove "first package seen is native package" assumption. Thanks to Axel Beckert for testing (Closes: 782777) . [ Michael Vogt ] * Fix endless loop in apt-get update that can cause disk fillup (LP: #1445239) bareos (14.2.1+20141017gitc6c5b56-3+deb8u1) stable; urgency=medium . [ Felix Geyer ] * backport the fix for the backup corruption on multi-volume jobs (Closes: #788543) * add autopkgtests . [ Evgeni Golov ] * do not try to create the databases when running tests base-files (8+deb8u2) stable; urgency=low . * Changed /etc/debian_version to 8.2, for Debian 8.2 point release. bind9 (1:9.9.5.dfsg-9+deb8u2) jessie-security; urgency=high . * Non-maintainer upload by the Security Team. * CVE-2015-5477: A failure to reset a value to NULL in tkey.c could result in an assertion failure. bind9 (1:9.9.5.dfsg-9+deb8u1) jessie-security; urgency=high . * Non-maintainer upload by the Security Team. * CVE-2015-4620: Specially constructed zone data can cause a resolver to crash when validating. binutils-mingw-w64 (5.2+deb8u1) stable; urgency=medium . * Apply upstream fix to handle Visual Studio DLLs (Closes: #787162). bird (1.4.5-1+deb8u1) jessie-proposed-updates; urgency=medium . [ Christoph Biedl ] * Correctly migrate bird6.conf from bird6 package (Closes: #791464) cacti (0.8.8b+dfsg-8+deb8u2) jessie-security; urgency=high . * Security update - CVE-2015-4634 SQL injection in graphs.php - Multiple other SQL injection vulnerabilities cacti (0.8.8b+dfsg-8+deb8u1) jessie-security; urgency=high . * Security update - CVE-2015-2665 Cross-site scripting (XSS) vulnerability in Cacti before 0.8.8d allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. - CVE-2015-4342 SQL Injection and Location header injection from cdef id - CVE-2015-4454 SQL injection vulnerability in the get_hash_graph_template function in lib/functions.php in Cacti before 0.8.8d allows remote attackers to execute arbitrary SQL commands via the graph_template_id parameter to graph_templates.php. - Unassigned CVE SQL injection VN:JVN#78187936 / TN:JPCERT#98968540 chromium-browser (44.0.2403.89-1~deb8u1) jessie-security; urgency=high . * New upstream security release: - CVE-2015-1266: Scheme validation error in WebUI. Credit to anonymous. - CVE-2015-1268: Cross-origin bypass in Blink. Credit to Mariusz Mlynski. - CVE-2015-1267: Cross-origin bypass in Blink. Credit to anonymous. - CVE-2015-1269: Normalization error in HSTS/HPKP preload list. Credit to Mike Ruddy. - CVE-2015-1270: Uninitialized memory read in ICU. Credit to Atte Kettunen. - CVE-2015-1271: Heap-buffer-overflow in pdfium. Credit to cloudfuzzer. - CVE-2015-1272: Use-after-free related to unexpected GPU process termination. Credit to Chamal de Silva. - CVE-2015-1273: Heap-buffer-overflow in pdfium. Credit to makosoft. - CVE-2015-1274: Settings allowed executable files to run immediately after download. Credit to andrewm.bpi. - CVE-2015-1275: UXSS in Chrome for Android. Credit to WangTao(neobyte). - CVE-2015-1276: Use-after-free in IndexedDB. Credit to Collin Payne. - CVE-2015-1277: Use-after-free in accessibility. Credit to SkyLined. - CVE-2015-1278: URL spoofing using pdf files. Credit to Chamal de Silva. - CVE-2015-1279: Heap-buffer-overflow in pdfium. Credit to mlafon. - CVE-2015-1280: Memory corruption in skia. Credit to cloudfuzzer. - CVE-2015-1281: CSP bypass. Credit to Masato Kinugawa. - CVE-2015-1282: Use-after-free in pdfium. Credit to Chamal de Silva. - CVE-2015-1283: Heap-buffer-overflow in expat. Credit to Huzaifa Sidhpurwala. - CVE-2015-1284: Use-after-free in blink. Credit to Atte Kettunen. - CVE-2015-1285: Information leak in XSS auditor. Credit to gazheyes. - CVE-2015-1286: UXSS in blink. Credit to anonymous. - CVE-2015-1287: SOP bypass with CSS. Credit to filedescriptor. - CVE-2015-1288: Spell checking dictionaries fetched over HTTP. Credit to Mike Ruddy. - CVE-2015-1289: Various fixes from internal audits, fuzzing and other initiatives. - Hotword extension disabled by default (closes: #786909). chromium-browser (43.0.2357.130-1) unstable; urgency=medium . * New upstream security release: - CVE-2015-1266: Scheme validation error in WebUI. Credit to anonymous. - CVE-2015-1268: Cross-origin bypass in Blink. Credit to Mariusz Mlynski. - CVE-2015-1267: Cross-origin bypass in Blink. Credit to anonymous. - CVE-2015-1269: Normalization error in HSTS/HPKP preload list. Credit to Mike Ruddy. * Don't build the Google Now extension. * More updates to debian/copyright. chromium-browser (43.0.2357.124-3) unstable; urgency=medium . * Fix syntax error in default-flags (closes: #789310). chromium-browser (43.0.2357.124-2) unstable; urgency=medium . * More updates to debian/copyright. * Disable all external component loading. * Set flag to avoid hidden items in the about:extensions dialog. chromium-browser (43.0.2357.124-1) unstable; urgency=medium . * New upstream release. * Disable wallet extension. * Remove more sourceless files. * Remove no longer files included from debian/copright. chromium-browser (43.0.2357.81-1) unstable; urgency=medium . * New upstream release fixing missing icon (closes: #786490). * Disable hotword (closes: #786909). * Remove some sourceless files. chromium-browser (43.0.2357.65-1) unstable; urgency=medium . * New upstream stable release: - CVE-2015-1252: Sandbox escape in Chrome. Credit to anonymous. - CVE-2015-1253: Cross-origin bypass in DOM. Credit to anonymous. - CVE-2015-1254: Cross-origin bypass in Editing. Credit to armin@rawsec.net. - CVE-2015-1255: Use-after-free in WebAudio. Credit to Khalil Zhani. - CVE-2015-1256: Use-after-free in SVG. Credit to Atte Kettunen. - CVE-2015-1251: Use-after-free in Speech. Credit to SkyLined. - CVE-2015-1257: Container-overflow in SVG. Credit to miaubiz. - CVE-2015-1258: Negative-size parameter in Libvpx. Credit to cloudfuzzer - CVE-2015-1259: Uninitialized value in PDFium. Credit to Atte Kettunen. - CVE-2015-1260: Use-after-free in WebRTC. Credit to Khalil Zhani. - CVE-2015-1261: URL bar spoofing. Credit to Juho Nurminen. - CVE-2015-1262: Uninitialized value in Blink. Credit to miaubiz. - CVE-2015-1263: Insecure download of spellcheck dictionary. Credit to Mike Ruddy. - CVE-2015-1264: Cross-site scripting in bookmarks. Credit to K0r3Ph1L. - Fix for gzip file downloading (closes: #677948). - Fix for bookmark navigation (closes: #756211). * Enable HiDPI (closes: #763421). * Make chromium-l10n binnmuable. * Fix Built-Using fields. cinder (2014.1.3-11+deb8u1) jessie-security; urgency=medium . * CVE-2015-1851: Cinder host file disclosure through qcow2 backing file. Applied upstream patch (Closes: #788996): Disallow_backing_files_when_uploading_volumes_to_image.patch conntrack (1:1.4.2-2+deb8u1) jessie-security; urgency=high . * Non-maintainer upload by the Security Team. * Add CVE-2015-6496.patch patch. CVE-2015-6496: conntrackd crash on unexpected network traffic. (Closes: #796103) cron (3.0pl1-127+deb8u1) jessie; urgency=medium . * d/cron.service: Use KillMode=process to kill only the daemon. The default of KillMode=control-group kills all the processes in the control group, for example when restarting the daemon. This is a deviation from past behavior we do not want. Thanks, Alexandre Detiste! Closes: #783683 cross-gcc (14+deb8u1) jessie; urgency=medium . * Require bash in rules.template makefile (Closes: #780583) cups (1.7.5-11+deb8u1) jessie-security; urgency=high . * Import 1.7 upstream fix for CERT VU#810572: Privilege escalation through dynamic linker and isolated vulnerabilities: STR: #4609, VU#810572 - CVE-2015-1158 - Improper Update of Reference Count - CVE-2015-1159 - Cross-Site Scripting cups-filters (1.0.61-5+deb8u1) jessie-security; urgency=high . * Backport upstream fixes for buffer overflows on size allocation in texttopdf (CVE-2015-3258, CVE-2015-3279) dbus (1.8.20-0+deb8u1) jessie; urgency=medium . * New upstream bugfix release - fix a memory leak when GetConnectionCredentials is called - stop dbus-monitor replying to org.freedesktop.DBus.Peer messages, including those that another process should have replied to dbus (1.8.18-1) unstable; urgency=medium . * New upstream bugfix release - Hardening: lock down the session bus to only allow EXTERNAL auth by default, the same as the system bus. This avoids allowing DBUS_COOKIE_SHA1, which can end up using a predictable random source on systems where /dev/urandom is unavailable or dbus-daemon runs out of memory. See the upstream NEWS for more details. debian-installer (20150422+deb8u2) jessie; urgency=medium . [ Martin Michlmayr ] * Add image for Seagate DockStar. * Add symlinks for OpenRD variants. * Append DTB for LaCie NAS devices that require it. debian-installer-launcher (19+deb8u1) jessie; urgency=medium . * Set the menu icon text in the source package to read "Install Debian jessie". Remove the dynamic text generating section from the debian/rules. (Closes: #787131) debian-installer-netboot-images (20150422+deb8u2) jessie; urgency=medium . * Update to 20150422+deb8u2 images, from jessie-proposed-updates designate (2014.1-18+deb8u1) jessie-proposed-updates; urgency=medium . * CVE-2015-5695: mDNS DoS through incorrect handling of large RecordSets: applied upstream patch (Closes: #796108). dovecot (1:2.2.13-12~deb8u1) stable; urgency=high . * [6e16721] Fix a mbox corruption problem by applying two patches from mercurial upstream. - fix-mbox-corruption-18534.patch (changeset 18534:94bd895721d8). - fix-mbox-corruption-18679.patch (changeset 18679:b6ea460e7cc4). Thanks to Santiago Vila (Closes: 776094) drupal7 (7.32-1+deb8u4) stable-security; urgency=high . * Backported from 7.38: SA-CORE-2015-002 (Multiple vulnerabilities. CVE IDs assigned as follows: + Impersonation (OpenID module - Drupal 6 and 7): CVE-2015-3234 + Open redirect (Field UI module - Drupal 7): CVE-2015-3232 + Open redirect (Overlay module - Drupal 7: CVE-2015-3233 + Information disclosure (Render cache system - Drupal 7): CVE-2015-3231 drupal7 (7.32-1+deb8u4~bpo70+1) wheezy-backports; urgency=high . * Backported from 7.38: SA-CORE-2015-002 (Multiple vulnerabilities. CVE IDs assigned as follows: + Impersonation (OpenID module - Drupal 6 and 7): CVE-2015-3234 + Open redirect (Field UI module - Drupal 7): CVE-2015-3232 + Open redirect (Overlay module - Drupal 7: CVE-2015-3233 + Information disclosure (Render cache system - Drupal 7): CVE-2015-3231 ejabberd (14.07-4+deb8u2) jessie; urgency=medium . * Adjust logrotate postrotate command in case ejabberd is not running (Closes: #786588) * Include upstream patch to fix logging of nicknames in muc logs (Closes: #706897) * Fix parsing of "ldap_dn_filter" option (Closes: #784535) * postinst: restart on upgrade (Closes: #788007) expat (2.1.0-6+deb8u1) jessie-security; urgency=high . * Fix CVE-2015-1283, multiple integer overflows in the XML_GetBuffer function. flash-kernel (3.35+deb8u1) stable; urgency=medium . * Combine i.MX53 QSB and LOCO board entries, they are the same thing and the LOCO variant was missing DTB information. (Closes: #788782) freexl (1.0.0g-1+deb8u2) jessie-security; urgency=high . * Add patch to fix 32 bit multiplication overflow. fusiondirectory (1.0.8.2-5+deb8u1) jessie-proposed-updates; urgency=medium . * debian/fusiondirectory.links: + Add symlinks for prototype and scripaculous shared javascript libraries. * debian/patches: + Add 2005_relative-path-to-js.patch. Access javascript libraries via a path relative to FusionDirectory's base path (Closes: #786864, #782531). gdk-pixbuf (2.31.1-2+deb8u2) jessie-security; urgency=medium . * CVE-2015-4491 gdk-pixbuf (2.31.1-2+deb8u1) jessie-security; urgency=medium . * CVE-2015-4491 ghostscript (9.06~dfsg-2+deb8u1) jessie-security; urgency=high . * Non-maintainer upload by the Security Team. * Add CVE-2015-3228.patch patch. CVE-2015-3228: Integer overflow in gs_heap_alloc_bytes() (Closes: #793489) glibc (2.19-18+deb8u1) stable; urgency=medium . [ Aurelien Jarno ] * Update from upstream stable branch: - Fix pthread_mutex_trylock with lock elision. Closes: #759197, #788999. - Fix gprof entry point on ppc64el. Closes: #794222. - Fix a buffer overflow in getanswer_r (CVE-2015-1781). Closes: #796105. glusterfs (3.5.2-2+deb8u1) jessie-proposed-updates; urgency=medium . * Add upstream patch 02-nfs-unix-domain-socket-created-as-fifo to fix a bug on using glusterfs as nfs volume: unix domain sockets were created as FIFO. gnome-terminal (3.14.1-1+deb8u1) jessie; urgency=medium . * Provide fallback for reading current directory if OSC 7 fails. In Debian there is no mechanism (yet) to source scripts for non-login interactive shells so we can't rely on /etc/profile.d/vte*.sh but instead fallback to reading /proc to determine the working directory of the current tab. (Closes: #706065) gnutls28 (3.3.8-6+deb8u3) jessie; urgency=medium . * Pull 50_Handle-zero-length-plaintext-for-VIA-PadLock-functio.patch from upstream version 3.3.12 to fix a crash in VIA PadLock asm. (Thanks, Peter Lebbing). Closes: #788704 * Pull 51_0001__gnutls_session_sign_algo_enabled-do-not-consider-an.patch 51_0002_before-falling-back-to-SHA1-as-signature-algorithm-i.patch 51_0003_tests-added-reproducer-for-the-MD5-acceptance-issue.patch (the latter unfuzzed) from GnuTLS 3.3.15 to fix GNUTLS-SA-2015-2. - A ServerKeyExchange signature sent by the server was not verified to be in the acceptable by the client set of algorithms. That had the effect of allowing MD5 signatures (which are disabled by default) in the ServerKeyExchange message. gnutls28 (3.3.8-6+deb8u2) jessie-security; urgency=high . * Non-maintainer upload by the Security Team. * Add 47_GNUTLS-SA-2015-3.patch patch. Fixes double free in DN decoding [GNUTLS-SA-2015-3]. (Closes: #795068) gosa (2.7.4+reloaded2-1+deb8u1) jessie-proposed-updates; urgency=medium . * debian/patches: + Add 2007_gen-uids-like-gosa26.patch. Fix idGenerator for patterns like {%sn[3-6}-{%givenName[3-6]}. (Closes: #793455). + Add 2008_enable-csv-import-on-clean-installs.patch. Enable CSV / LDIF import on (non-Debian-Edu) clean GOsa² installations by default. (Closes: #782529) groovy2 (2.2.2+dfsg-3+deb8u1) stable; urgency=high . * Fix remote execution of untrusted code and possible DoS vulnerability. (CVE-2015-3253) (Closes: #793398). grub-installer (1.117+deb8u1) jessie; urgency=medium . [ Ian Campbell ] * Correctly propagate grub-installer/force-efi-extra-removable to installed system. (Closes: #792247). gtk+3.0 (3.14.5-1+deb8u1) jessie; urgency=medium . [ Ruben Undheim ] * Added patches backported from upstream for three serious bugs: - debian/patches/074_fix_freeze_while_resume_events.patch (Closes: #787419) - debian/patches/075_fontchoose_crash_bugfix.patch (Closes: #748469) - debian/patches/076_treeview_dont_create_overly_large.patch (Closes: #788002) * Added patch backported from upstream for one annoying bug: - debian/patches/081_fix_huge_icons.patch (Closes: #773135) haproxy (1.5.8-3+deb8u2) jessie; urgency=medium . * Fix a segfault when parsing a configuration file containing disabled proxy sections. Closes: #792116. - BUG/MINOR: config: fix typo in condition when propagating process binding - BUG/MEDIUM: config: do not propagate processes between stopped processes haproxy (1.5.8-3+deb8u1) jessie-security; urgency=high . * Fix an information leak. CVE-2015-3281. - BUG/MAJOR: buffers: make the buffer_slow_realign() function respect output data haproxy (1.5.8-3+deb8u1~bpo70+1) wheezy-backports; urgency=high . * Rebuild for wheezy-backports. . haproxy (1.5.8-3+deb8u1) jessie-security; urgency=high . * Fix an information leak. CVE-2015-3281. - BUG/MAJOR: buffers: make the buffer_slow_realign() function respect output data haproxy (1.5.8-3+deb8u1~bpo60+1) squeeze-backports-sloppy; urgency=high . * Rebuild for squeeze-backports-sloppy. . haproxy (1.5.8-3+deb8u1) jessie-security; urgency=high . * Fix an information leak. CVE-2015-3281. - BUG/MAJOR: buffers: make the buffer_slow_realign() function respect output data how-can-i-help (10+deb8u1) jessie; urgency=medium . * Change hcih data source from http to https. Since the http is not supported by UDD anymore, older hcih versions won't be able to work. (Closes: #787471) Patch from Stephen Kitt * Added gbp configuration pointing to jessie branch. how-can-i-help (10+deb8u1~bpo70+1) wheezy-backports; urgency=medium . * Rebuild for wheezy-backports. * debian/gbp.conf: Changed gbp configuration so that it points to wheezy-backports branch. * debian/control: Added dependency on ca-certificates as it is required to allow ssl connections to UDD. In jessie and beyond it is automatically provided by rubygems-integration. . how-can-i-help (10+deb8u1) jessie; urgency=medium . * Change hcih data source from http to https. Since the http is not supported by UDD anymore, older hcih versions won't be able to work. (Closes: #787471) Patch from Stephen Kitt * Added gbp configuration pointing to jessie branch. . how-can-i-help (10) unstable; urgency=medium . [ Tomasz Nitecki ] * Added support for 'newcomer' tag. Closes: #769640 - Added support for 'newcomer' option - Updated manual and help - Added 'gift' tag depreciation warning . [ Lucas Nussbaum ] * Fix a few typos in the manpage. + Re-generated the manpage from ascii. The generated format changed slightly, causing a rather huge diff. . how-can-i-help (9) unstable; urgency=medium . [ Lucas Nussbaum ] * Step down from the Maintainer role and add Tomasz. He has been doing all the great work lately anyway. . [ Tomasz Nitecki ] * Bump standards version to 3.9.6 (no changes required). * Added an option to show pseudo-packages tagged as 'gift'. Pseudo-packages tagged as 'gift' will appear in a new 'infrastructure' section, regardless of the fact if they are installed or not. They can be hidden using 'ignore' file. Thanks to Laura Arjona Reina for the idea! . how-can-i-help (8) unstable; urgency=medium . [ Tomasz Nitecki ] * how-can-i-help can be configured to show only specific types of opportunities. Closes: #742245 * Updated manpage and --help output. * Added two more links to 'see also' section. . [ Paul Wise ] * Use https instead of http where possible. iceweasel (38.2.1esr-1~deb8u1) stable-security; urgency=high . * New upstream release. * Fixes for mfsa2015-{94-95}, also known as: CVE-2015-4497, CVE-2015-4498. . * configure.in: Build libvpx neon code with -mfloat-abi=softfp on armel. * media/libjpeg/simd/jsimd_mips_dspr2.S: Fix build error in MIPS SIMD when compiling with -mfpxx. . iceweasel (38.2.0esr-2~deb8u1) stable-security; urgency=medium . * debian/rules, debian/upstream.mk: Don't set LESS_SYSTEM_LIBS when building a backport for stretch. Closes: #795331. * debian/rules, debian/control.in: Force build with GCC 4.7 when backporting to wheezy. . * media/libvpx/moz.build: Build libvpx neon code without -mthumb and -mfloat-abi=softfp. Closes: #795337. iceweasel (38.2.1esr-1~deb7u1) oldstable-security; urgency=high . * New upstream release. * Fixes for mfsa2015-{94-95}, also known as: CVE-2015-4497, CVE-2015-4498. . * configure.in: Build libvpx neon code with -mfloat-abi=softfp on armel. * media/libjpeg/simd/jsimd_mips_dspr2.S: Fix build error in MIPS SIMD when compiling with -mfpxx. . iceweasel (38.2.0esr-2~deb7u1) oldstable-security; urgency=medium . * debian/rules, debian/upstream.mk: Don't set LESS_SYSTEM_LIBS when building a backport for stretch. Closes: #795331. * debian/rules, debian/control.in: Force build with GCC 4.7 when backporting to wheezy. . * media/libvpx/moz.build: Build libvpx neon code without -mthumb and -mfloat-abi=softfp. Closes: #795337. iceweasel (38.2.0esr-1) unstable; urgency=high . * New upstream release. * Fixes for mfsa2015-{79-80,82-83,87-88,90,92}, also known as: CVE-2015-4473, CVE-2015-4475, CVE-2015-4478, CVE-2015-4479, CVE-2015-4480, CVE-2015-4493, CVE-2015-4484, CVE-2015-4491, CVE-2015-4487, CVE-2015-4488, CVE-2015-4489, CVE-2015-4492. . * debian/latest_nightly.py, debian/upstream.mk: Modify latest_nightly.py to work without ftp now that it's gone. * debian/upstream.mk: Switch to HTTPS for all hg.mozilla.org urls. . * toolkit/components/search/nsSearchService.js: Revert change from 32.0.3-1 that bumped the search engine max icon size to 35kB because it's not needed anymore. iceweasel (38.2.0esr-1~stretch) stretch; urgency=medium . * Non-maintainer upload. * Rebuild 38.2.0esr-1 for stretch so that various security fixes can bypass the g++-5 transition. iceweasel (38.2.0esr-1~deb8u1) stable-security; urgency=high . * New upstream release. * Fixes for mfsa2015-{79-80,82-83,87-90,92}, also known as: CVE-2015-4473, CVE-2015-4475, CVE-2015-4478, CVE-2015-4479, CVE-2015-4480, CVE-2015-4493, CVE-2015-4484, CVE-2015-4491, CVE-2015-4485, CVE-2015-4486, CVE-2015-4487, CVE-2015-4488, CVE-2015-4489, CVE-2015-4492. . * debian/latest_nightly.py, debian/upstream.mk: Modify latest_nightly.py to work without ftp now that it's gone. * debian/upstream.mk: Switch to HTTPS for all hg.mozilla.org urls. . * toolkit/components/search/nsSearchService.js: Revert change from 32.0.3-1 that bumped the search engine max icon size to 35kB because it's not needed anymore. . iceweasel (38.1.1esr-1) unstable; urgency=high . * New upstream release. * Fixes for mfsa2015-78, also known as CVE-2015-4495. . * debian/source.filter: Remove the source tarball filtering of search plugin icons. See 20150715221703.GD19084@glandium.org. . iceweasel (38.1.0esr-3) unstable; urgency=medium . * debian/browser.js.in, debian/vendor.js.in: Fix localized searchplugins. Closes: #775813. . iceweasel (38.1.0esr-2) unstable; urgency=medium . * debian/control*: Bump NSS build dependency. . iceweasel (38.1.0esr-1) unstable; urgency=medium . * New upstream release. * Fixes for mfsa2015-{59-67,69}, also known as: CVE-2015-2724, CVE-2015-2725, CVE-2015-2727, CVE-2015-2728, CVE-2015-2729, CVE-2015-2731, CVE-2015-2730, CVE-2015-2722, CVE-2015-2733, CVE-2015-2734, CVE-2015-2735, CVE-2015-2736, CVE-2015-2737, CVE-2015-2738, CVE-2015-2739, CVE-2015-2740, CVE-2015-2741, CVE-2015-2743. . * debian/rules: Use the right --target, --host and --build arguments to configure for the Mozilla build system, which uses different meanings. * debian/branding/firefox-branding.js: Add devtools.selfxss.count pref to the iceweasel branding to match unofficial branding. Closes: #787975. * debian/browser.js.in: Use a sticky pref for browser.newtabpage.enhanced. * debian/branding/content/Makefile.in: Revert branding changes for SVG wordmark, not used on ESR . * modules/libpref/prefapi.*, modules/libpref/prefread.*, modules/libpref/test/unit/data/testPrefSticky*.js, modules/libpref/test/unit/test_stickyprefs.js, modules/libpref/test/unit/xpcshell.ini: support 'sticky' preferences, meaning a user value is retained even when it matches the default. bz#1098343. * browser/app/profile/firefox.js, browser/base/content/newtab/intro.js, browser/base/content/newtab/page.js, browser/modules/DirectoryLinksProvider.jsm: Update patch from bz#1094324 to fit what landed upstream in newer versions. . iceweasel (38.0.1-5) unstable; urgency=medium . * debian/rules: Force a timezone when extracting defaults/* files from omni.ja archives. . iceweasel (38.0.1-4) unstable; urgency=medium . * python/mozbuild/mozpack/files.py: Fixup to keep file type. * toolkit/content/Makefile.in, toolkit/content/buildconfig.html: Remove build machine name from about:buildconfig. bz#1168316. . iceweasel (38.0.1-3) unstable; urgency=medium . * debian/upstream.mk: Force a timezone when setting MOZ_BUILD_DATE. . * python/mozbuild/mozpack/files.py: Normalize file mode in jars. bz#1168231. . iceweasel (38.0.1-2) unstable; urgency=medium . * debian/upstream.mk: Set MOZ_BUILD_DATE to the date of the last debian/changelog entry for non-Aurora builds. * debian/branding/content/Makefile.in: Add a dummy conversion for about.png to remove timestamps. * debian/browser.js.in: Default to classic view for about:newtab. * debian/copyright: Update copyright file to some degree. * debian/control*: Bump Standards-Version to 3.9.6.0. - debian/rules: Add build-arch and build-indep targets to debian/rules. * debian/control*: Switch Vcs-* urls to anonscm.debian.org. . * ipc/testshell/XPCShellEnvironment.cpp, js/src/shell/js.cpp, js/xpconnect/src/XPCShellImpl.cpp: Remove build() function from js and xpc shells. bz#1166243. * toolkit/locales/l10n.mk. Use dozip.py for langpacks. bz#1166538. * browser/app/profile/firefox.js, browser/base/content/newtab/intro.js browser/modules/DirectoryLinksProvider.jsm: Set browser.newtabpage.enhanced default in prefs. bz#1094324. . iceweasel (38.0.1-1) unstable; urgency=medium . * New upstream release. . * debian/vendor.js.in: Disable auto-installing webide related addons. Closes: #785595. * debian/rules: Disable jit on mips. Only mipsel is supported by the jit code currently. . * configure.in, media/libjpeg/moz.build: Fixup libjpeg-turbo assembly cleanup. * security/manager/ssl/src/SSLServerCertVerification.cpp: Add a NULL-check for extensions on the end entity certificate when gathering EKU telemetry. Closes: #782772. . iceweasel (38.0-2) unstable; urgency=medium . * debian/repack.py: Fix to support filter patterns excluding a top-level directory. . * configure.in: Cleanup how libjpeg-turbo assembly build variables are set. bz#1165654. This should fix FTBFSes on arm64 and mips*. * memory/mozjemalloc/jemalloc.c: Make powerpc not use static page sizes. Closes: #763900. . iceweasel (38.0-1) unstable; urgency=medium . * New upstream release. * Fixes for mfsa2015-{46,48-51,53-56}, also know as: CVE-2015-2708, CVE-2015-2709, CVE-2015-2710, CVE-2015-2711, CVE-2015-2712, CVE-2015-2713, CVE-2015-2715, CVE-2015-2716, CVE-2015-2717, CVE-2015-2718. . * debian/branding/Makefile.in, debian/branding/moz.build: Adapt build rules to upstream changes * debian/branding/locales/en-US/brand.*: Add brandShorterName to Iceweasel branding. * debian/branding/content/Makefile.in: Add silhouette-40.svg from the unofficial branding to iceweasel branding * debian/control*: Bump nss and sqlite build dependencies. * debian/control.in, debian/upstream.mk: Change backport rules. - Set LESS_SYSTEM_LIBS on wheezy and jessie. - Only use gstreamer 0.10 on wheezy. . iceweasel (37.0.2-1) experimental; urgency=medium . * New upstream release. * Fix for mfsa2015-45, also known as CVE-2015-2706. . iceweasel (37.0.1-1) experimental; urgency=medium . * New upstream release. * Fix for mfsa2015-44, also known as CVE-2015-0799. . * debian/browser.js.in: Change the pref used to disable openh264. Closes: #769716. . iceweasel (37.0-1) experimental; urgency=medium . * New upstream release. * Fixes for mfsa2015-{30-34,36-40,42}, also known as: CVE-2015-0815, CVE-2015-0814, CVE-2015-0813, CVE-2015-0812, CVE-2015-0816, CVE-2015-0811, CVE-2015-0808, CVE-2015-0807, CVE-2015-0805, CVE-2015-0806, CVE-2015-0803, CVE-2015-0804, CVE-2015-0801, CVE-2015-0802. . iceweasel (36.0.4-1) experimental; urgency=medium . * New upstream release. * Fixes for mfsa2015-{28-29}, also known as: CVE-2015-0818, CVE-2015-0817. . iceweasel (36.0.1-2) experimental; urgency=medium . * debian/browser.mozconfig.in: Don't build with --disable-eme, reverting the change from 36.0-1. . iceweasel (36.0.1-1) experimental; urgency=medium . * New upstream release. . * gfx/layers/basic/BasicCompositor.cpp, gfx/layers/basic/BasicLayerManager.cpp: Reintroduce pixman code path removed in bz#1097776 for --disable-skia builds. bz#1136958. . iceweasel (36.0-2) experimental; urgency=medium . * debian/browser.mozconfig.in: Force enable skia, to possibly fix FTBFS on non-x86/amd64/arm architectures. . * gfx/skia/moz.build: Remove duplicate SkDiscardableMemory_none.cpp. bz#1136958. . iceweasel (36.0-1) experimental; urgency=medium . * New upstream release. * Fixes for mfsa2015-{11,13-17,19-27}, also known as: CVE-2015-0836, CVE-2015-0835, CVE-2015-0832, CVE-2015-0830, CVE-2015-0834, CVE-2015-0831, CVE-2015-0829, CVE-2015-0827, CVE-2015-0826, CVE-2015-0825, CVE-2015-0824, CVE-2015-0823, CVE-2015-0822, CVE-2015-0821, CVE-2015-0819, CVE-2015-0820. . * debian/control*: Bump nss and sqlite build dependencies. * debian/branding/Makefile.in, debian/branding/moz.build, debian/extra-stuff/Makefile.in, debian/extra-stuff/moz.build: Update and cleanup. * debian/browser.install.in: Remove mozilla-xremote-client, it was removed upstream. * debian/browser.install.in, debian/rules: Remove libmozsandbox.so, it's not a shared library anymore. * debian/browser.mozconfig.in: Build with --disable-eme for now, . iceweasel (35.0.1-1) experimental; urgency=medium . * New upstream release. . * debian/browser.install.in, debian/rules: Only install libmozsandbox.so on i386 and amd64. * debian/control: Recommend gstreamer packages for video playing capabilities. Closes: #737092. Also change the gstreamer build dependencies not to use alternatives. . iceweasel (35.0-1) experimental; urgency=medium . * New upstream release. * Fixes for mfsa2015-{01-06,08-09}, also known as: CVE-2014-8634, CVE-2014-8635, CVE-2014-8637, CVE-2014-8637, CVE-2014-8639, CVE-2014-8640, CVE-2014-8641, CVE-2014-8642, CVE-2014-8636. . * debian/browser.mozconfig.in: Build with --enable-pie instead of our own patch to the build system. . * moz.build: Fix how debian/extra-stuff is added to upstream build system directory traversal after upstream changes. . iceweasel (34.0-1) experimental; urgency=medium . * New upstream release. * Fixes for mfsa2014-{83-89,91}, also known as: CVE-2014-1587, CVE-2014-1588, CVE-2014-1589, CVE-2014-1590, CVE-2014-1591, CVE-2014-1592, CVE-2014-1593, CVE-2014-1594, CVE-2014-8631, CVE-2014-8632. . * debian/branding/firefox-branding.js: Set browser.aboutHomeSnippets.updateUrl to "data:text/html,", which resets previously downloaded snippets after a day. * debian/browser.js.in: Avoid openh264 being downloaded and disable it if it is already there. Closes: #769716. * debian/control*: Bump nss and sqlite build dependencies. * debian/rules: Remove --disable-compile-environment for l10n builds because of bz#1063880. * debian/browser.install.in: Add sandbox library. . iceweasel (33.1-1) experimental; urgency=medium . * New upstream release. . * debian/changelog: Add missing entries for 27.0.1-1. * debian/rules: Don't force to build with GCC 4.9 on armhf anymore. * debian/browser.mozconfig.in: Don't build with --enable-unified-compilation. It may be causing build problems on architectures with limited resources. * debian/browser.install.in, debian/browser.postinst.in, debian/browser.postrm.in, debian/browser.preinst.in, debian/duckduckgo.xml: Remove duckduckgo search engine, since upstream now has it included. * debian/branding/firefox-branding.js: - Set browser.startup.homepage_override.mstone to "ignore". - Set browser.aboutHomeSnippets.updateUrl to nothing. Closes: #721689. . * Import patches from the nss source package that are relevant to building iceweasel against the in-tree nss source, for backports: - security/nss/lib/freebl/unix_rand.c, security/nss/cmd/shlibsign/shlibsign.c: Fix FTBFS on Hurd because of MAXPATHLEN - security/nss/coreconf/Linux.mk, security/nss/coreconf/arch.mk, security/nss/coreconf/config.mk, security/nss/lib/freebl/unix_rand.c, security/nss/lib/softoken/softoken.h, security/nss/lib/ssl/sslmutex.*: GNU/kFreeBSD support. - security/nss/lib/ckfw/builtins/certdata.txt: Adds the SPI Inc. and CAcert.org CA certificates. Those patches were applied on the esr24 branch, but were forgotten on the release branch at the time. * media/libcubeb/tests/moz.build: Work around binutils assertion on mips. . iceweasel (33.0-2) experimental; urgency=medium . * debian/control*, debian/rules: Do not build depend on gstreamer 1.0 when building a backport. . * netwerk/base/public/security-prefs.js, security/manager/ssl/src/nsNSSComponent.cpp: Disable SSLv3 to address CVE-2014-3566. bz#1076983. . iceweasel (33.0-1) experimental; urgency=medium . * New upstream release. * Fixes for mfsa2014-{74-76,78-82}, also known as: CVE-2014-1574, CVE-2014-1575, CVE-2014-1576, CVE-2014-1577, CVE-2014-1580, CVE-2014-1581, CVE-2014-1582, CVE-2014-1584, CVE-2014-1585, CVE-2014-1586, CVE-2014-1583. . * debian/control*: Bump nss and sqlite build dependencies. * debian/browser.install.in, debian/control.in, debian/rules, debian/upstream.mk, debian/vendor.js.in: Change how official branding is handled. * debian/rules: Disable tests on stable-security. * debian/browser.install.in, debian/browser.mozconfig.in, debian/control.in, debian/rules: Allow to build against Gtk+3 by setting the GTK3 environment variable while building. . iceweasel (32.0.3-1) experimental; urgency=medium . * New upstream release. . * toolkit/components/search/nsSearchService.js: Bump search engine max icon size to 35kB. Closes: #749084. * build/autoconf/compiler-opts.m4, config/rules.mk: Build target programs as position independent executable when supported by gcc/clang. bz#857628. . iceweasel (32.0-1) experimental; urgency=medium . * New upstream release. * Fixes for mfsa2014-{67-70,72}, also known as: CVE-2014-1562, CVE-2014-1553, CVE-2014-1554, CVE-2014-1563, CVE-2014-1564, CVE-2014-1565, CVE-2014-1567. . * debian/browser.bug-script.in, debian/browser.install.in, debian/extra-stuff/Makefile.in, debian/extra-stuff/reportbug-helper-script, debian/installer/package-manifest.browser: Fix bug script. * debian/browser.install.in, debian/rules, debian/upstream.mk: Install libreplace_malloc.so when building a nightly. * debian/control*: Bump nss and sqlite build dependencies. iceweasel (38.2.0esr-1~deb7u1) oldstable-security; urgency=high . * New upstream release. * Fixes for mfsa2015-{79-80,82-83,87-90,92}, also known as: CVE-2015-4473, CVE-2015-4475, CVE-2015-4478, CVE-2015-4479, CVE-2015-4480, CVE-2015-4493, CVE-2015-4484, CVE-2015-4491, CVE-2015-4485, CVE-2015-4486, CVE-2015-4487, CVE-2015-4488, CVE-2015-4489, CVE-2015-4492. . * debian/latest_nightly.py, debian/upstream.mk: Modify latest_nightly.py to work without ftp now that it's gone. * debian/upstream.mk: Switch to HTTPS for all hg.mozilla.org urls. . * toolkit/components/search/nsSearchService.js: Revert change from 32.0.3-1 that bumped the search engine max icon size to 35kB because it's not needed anymore. . iceweasel (38.1.1esr-1) unstable; urgency=high . * New upstream release. * Fixes for mfsa2015-78, also known as CVE-2015-4495. . * debian/source.filter: Remove the source tarball filtering of search plugin icons. See 20150715221703.GD19084@glandium.org. . iceweasel (38.1.0esr-3) unstable; urgency=medium . * debian/browser.js.in, debian/vendor.js.in: Fix localized searchplugins. Closes: #775813. . iceweasel (38.1.0esr-2) unstable; urgency=medium . * debian/control*: Bump NSS build dependency. . iceweasel (38.1.0esr-1) unstable; urgency=medium . * New upstream release. * Fixes for mfsa2015-{59-67,69}, also known as: CVE-2015-2724, CVE-2015-2725, CVE-2015-2727, CVE-2015-2728, CVE-2015-2729, CVE-2015-2731, CVE-2015-2730, CVE-2015-2722, CVE-2015-2733, CVE-2015-2734, CVE-2015-2735, CVE-2015-2736, CVE-2015-2737, CVE-2015-2738, CVE-2015-2739, CVE-2015-2740, CVE-2015-2741, CVE-2015-2743. . * debian/rules: Use the right --target, --host and --build arguments to configure for the Mozilla build system, which uses different meanings. * debian/branding/firefox-branding.js: Add devtools.selfxss.count pref to the iceweasel branding to match unofficial branding. Closes: #787975. * debian/browser.js.in: Use a sticky pref for browser.newtabpage.enhanced. * debian/branding/content/Makefile.in: Revert branding changes for SVG wordmark, not used on ESR . * modules/libpref/prefapi.*, modules/libpref/prefread.*, modules/libpref/test/unit/data/testPrefSticky*.js, modules/libpref/test/unit/test_stickyprefs.js, modules/libpref/test/unit/xpcshell.ini: support 'sticky' preferences, meaning a user value is retained even when it matches the default. bz#1098343. * browser/app/profile/firefox.js, browser/base/content/newtab/intro.js, browser/base/content/newtab/page.js, browser/modules/DirectoryLinksProvider.jsm: Update patch from bz#1094324 to fit what landed upstream in newer versions. . iceweasel (38.0.1-5) unstable; urgency=medium . * debian/rules: Force a timezone when extracting defaults/* files from omni.ja archives. . iceweasel (38.0.1-4) unstable; urgency=medium . * python/mozbuild/mozpack/files.py: Fixup to keep file type. * toolkit/content/Makefile.in, toolkit/content/buildconfig.html: Remove build machine name from about:buildconfig. bz#1168316. . iceweasel (38.0.1-3) unstable; urgency=medium . * debian/upstream.mk: Force a timezone when setting MOZ_BUILD_DATE. . * python/mozbuild/mozpack/files.py: Normalize file mode in jars. bz#1168231. . iceweasel (38.0.1-2) unstable; urgency=medium . * debian/upstream.mk: Set MOZ_BUILD_DATE to the date of the last debian/changelog entry for non-Aurora builds. * debian/branding/content/Makefile.in: Add a dummy conversion for about.png to remove timestamps. * debian/browser.js.in: Default to classic view for about:newtab. * debian/copyright: Update copyright file to some degree. * debian/control*: Bump Standards-Version to 3.9.6.0. - debian/rules: Add build-arch and build-indep targets to debian/rules. * debian/control*: Switch Vcs-* urls to anonscm.debian.org. . * ipc/testshell/XPCShellEnvironment.cpp, js/src/shell/js.cpp, js/xpconnect/src/XPCShellImpl.cpp: Remove build() function from js and xpc shells. bz#1166243. * toolkit/locales/l10n.mk. Use dozip.py for langpacks. bz#1166538. * browser/app/profile/firefox.js, browser/base/content/newtab/intro.js browser/modules/DirectoryLinksProvider.jsm: Set browser.newtabpage.enhanced default in prefs. bz#1094324. . iceweasel (38.0.1-1) unstable; urgency=medium . * New upstream release. . * debian/vendor.js.in: Disable auto-installing webide related addons. Closes: #785595. * debian/rules: Disable jit on mips. Only mipsel is supported by the jit code currently. . * configure.in, media/libjpeg/moz.build: Fixup libjpeg-turbo assembly cleanup. * security/manager/ssl/src/SSLServerCertVerification.cpp: Add a NULL-check for extensions on the end entity certificate when gathering EKU telemetry. Closes: #782772. . iceweasel (38.0-2) unstable; urgency=medium . * debian/repack.py: Fix to support filter patterns excluding a top-level directory. . * configure.in: Cleanup how libjpeg-turbo assembly build variables are set. bz#1165654. This should fix FTBFSes on arm64 and mips*. * memory/mozjemalloc/jemalloc.c: Make powerpc not use static page sizes. Closes: #763900. . iceweasel (38.0-1) unstable; urgency=medium . * New upstream release. * Fixes for mfsa2015-{46,48-51,53-56}, also know as: CVE-2015-2708, CVE-2015-2709, CVE-2015-2710, CVE-2015-2711, CVE-2015-2712, CVE-2015-2713, CVE-2015-2715, CVE-2015-2716, CVE-2015-2717, CVE-2015-2718. . * debian/branding/Makefile.in, debian/branding/moz.build: Adapt build rules to upstream changes * debian/branding/locales/en-US/brand.*: Add brandShorterName to Iceweasel branding. * debian/branding/content/Makefile.in: Add silhouette-40.svg from the unofficial branding to iceweasel branding * debian/control*: Bump nss and sqlite build dependencies. * debian/control.in, debian/upstream.mk: Change backport rules. - Set LESS_SYSTEM_LIBS on wheezy and jessie. - Only use gstreamer 0.10 on wheezy. . iceweasel (37.0.2-1) experimental; urgency=medium . * New upstream release. * Fix for mfsa2015-45, also known as CVE-2015-2706. . iceweasel (37.0.1-1) experimental; urgency=medium . * New upstream release. * Fix for mfsa2015-44, also known as CVE-2015-0799. . * debian/browser.js.in: Change the pref used to disable openh264. Closes: #769716. . iceweasel (37.0-1) experimental; urgency=medium . * New upstream release. * Fixes for mfsa2015-{30-34,36-40,42}, also known as: CVE-2015-0815, CVE-2015-0814, CVE-2015-0813, CVE-2015-0812, CVE-2015-0816, CVE-2015-0811, CVE-2015-0808, CVE-2015-0807, CVE-2015-0805, CVE-2015-0806, CVE-2015-0803, CVE-2015-0804, CVE-2015-0801, CVE-2015-0802. . iceweasel (36.0.4-1) experimental; urgency=medium . * New upstream release. * Fixes for mfsa2015-{28-29}, also known as: CVE-2015-0818, CVE-2015-0817. . iceweasel (36.0.1-2) experimental; urgency=medium . * debian/browser.mozconfig.in: Don't build with --disable-eme, reverting the change from 36.0-1. . iceweasel (36.0.1-1) experimental; urgency=medium . * New upstream release. . * gfx/layers/basic/BasicCompositor.cpp, gfx/layers/basic/BasicLayerManager.cpp: Reintroduce pixman code path removed in bz#1097776 for --disable-skia builds. bz#1136958. . iceweasel (36.0-2) experimental; urgency=medium . * debian/browser.mozconfig.in: Force enable skia, to possibly fix FTBFS on non-x86/amd64/arm architectures. . * gfx/skia/moz.build: Remove duplicate SkDiscardableMemory_none.cpp. bz#1136958. . iceweasel (36.0-1) experimental; urgency=medium . * New upstream release. * Fixes for mfsa2015-{11,13-17,19-27}, also known as: CVE-2015-0836, CVE-2015-0835, CVE-2015-0832, CVE-2015-0830, CVE-2015-0834, CVE-2015-0831, CVE-2015-0829, CVE-2015-0827, CVE-2015-0826, CVE-2015-0825, CVE-2015-0824, CVE-2015-0823, CVE-2015-0822, CVE-2015-0821, CVE-2015-0819, CVE-2015-0820. . * debian/control*: Bump nss and sqlite build dependencies. * debian/branding/Makefile.in, debian/branding/moz.build, debian/extra-stuff/Makefile.in, debian/extra-stuff/moz.build: Update and cleanup. * debian/browser.install.in: Remove mozilla-xremote-client, it was removed upstream. * debian/browser.install.in, debian/rules: Remove libmozsandbox.so, it's not a shared library anymore. * debian/browser.mozconfig.in: Build with --disable-eme for now, . iceweasel (35.0.1-1) experimental; urgency=medium . * New upstream release. . * debian/browser.install.in, debian/rules: Only install libmozsandbox.so on i386 and amd64. * debian/control: Recommend gstreamer packages for video playing capabilities. Closes: #737092. Also change the gstreamer build dependencies not to use alternatives. . iceweasel (35.0-1) experimental; urgency=medium . * New upstream release. * Fixes for mfsa2015-{01-06,08-09}, also known as: CVE-2014-8634, CVE-2014-8635, CVE-2014-8637, CVE-2014-8637, CVE-2014-8639, CVE-2014-8640, CVE-2014-8641, CVE-2014-8642, CVE-2014-8636. . * debian/browser.mozconfig.in: Build with --enable-pie instead of our own patch to the build system. . * moz.build: Fix how debian/extra-stuff is added to upstream build system directory traversal after upstream changes. . iceweasel (34.0-1) experimental; urgency=medium . * New upstream release. * Fixes for mfsa2014-{83-89,91}, also known as: CVE-2014-1587, CVE-2014-1588, CVE-2014-1589, CVE-2014-1590, CVE-2014-1591, CVE-2014-1592, CVE-2014-1593, CVE-2014-1594, CVE-2014-8631, CVE-2014-8632. . * debian/branding/firefox-branding.js: Set browser.aboutHomeSnippets.updateUrl to "data:text/html,", which resets previously downloaded snippets after a day. * debian/browser.js.in: Avoid openh264 being downloaded and disable it if it is already there. Closes: #769716. * debian/control*: Bump nss and sqlite build dependencies. * debian/rules: Remove --disable-compile-environment for l10n builds because of bz#1063880. * debian/browser.install.in: Add sandbox library. . iceweasel (33.1-1) experimental; urgency=medium . * New upstream release. . * debian/changelog: Add missing entries for 27.0.1-1. * debian/rules: Don't force to build with GCC 4.9 on armhf anymore. * debian/browser.mozconfig.in: Don't build with --enable-unified-compilation. It may be causing build problems on architectures with limited resources. * debian/browser.install.in, debian/browser.postinst.in, debian/browser.postrm.in, debian/browser.preinst.in, debian/duckduckgo.xml: Remove duckduckgo search engine, since upstream now has it included. * debian/branding/firefox-branding.js: - Set browser.startup.homepage_override.mstone to "ignore". - Set browser.aboutHomeSnippets.updateUrl to nothing. Closes: #721689. . * Import patches from the nss source package that are relevant to building iceweasel against the in-tree nss source, for backports: - security/nss/lib/freebl/unix_rand.c, security/nss/cmd/shlibsign/shlibsign.c: Fix FTBFS on Hurd because of MAXPATHLEN - security/nss/coreconf/Linux.mk, security/nss/coreconf/arch.mk, security/nss/coreconf/config.mk, security/nss/lib/freebl/unix_rand.c, security/nss/lib/softoken/softoken.h, security/nss/lib/ssl/sslmutex.*: GNU/kFreeBSD support. - security/nss/lib/ckfw/builtins/certdata.txt: Adds the SPI Inc. and CAcert.org CA certificates. Those patches were applied on the esr24 branch, but were forgotten on the release branch at the time. * media/libcubeb/tests/moz.build: Work around binutils assertion on mips. . iceweasel (33.0-2) experimental; urgency=medium . * debian/control*, debian/rules: Do not build depend on gstreamer 1.0 when building a backport. . * netwerk/base/public/security-prefs.js, security/manager/ssl/src/nsNSSComponent.cpp: Disable SSLv3 to address CVE-2014-3566. bz#1076983. . iceweasel (33.0-1) experimental; urgency=medium . * New upstream release. * Fixes for mfsa2014-{74-76,78-82}, also known as: CVE-2014-1574, CVE-2014-1575, CVE-2014-1576, CVE-2014-1577, CVE-2014-1580, CVE-2014-1581, CVE-2014-1582, CVE-2014-1584, CVE-2014-1585, CVE-2014-1586, CVE-2014-1583. . * debian/control*: Bump nss and sqlite build dependencies. * debian/browser.install.in, debian/control.in, debian/rules, debian/upstream.mk, debian/vendor.js.in: Change how official branding is handled. * debian/rules: Disable tests on stable-security. * debian/browser.install.in, debian/browser.mozconfig.in, debian/control.in, debian/rules: Allow to build against Gtk+3 by setting the GTK3 environment variable while building. . iceweasel (32.0.3-1) experimental; urgency=medium . * New upstream release. . * toolkit/components/search/nsSearchService.js: Bump search engine max icon size to 35kB. Closes: #749084. * build/autoconf/compiler-opts.m4, config/rules.mk: Build target programs as position independent executable when supported by gcc/clang. bz#857628. . iceweasel (32.0-1) experimental; urgency=medium . * New upstream release. * Fixes for mfsa2014-{67-70,72}, also known as: CVE-2014-1562, CVE-2014-1553, CVE-2014-1554, CVE-2014-1563, CVE-2014-1564, CVE-2014-1565, CVE-2014-1567. . * debian/browser.bug-script.in, debian/browser.install.in, debian/extra-stuff/Makefile.in, debian/extra-stuff/reportbug-helper-script, debian/installer/package-manifest.browser: Fix bug script. * debian/browser.install.in, debian/rules, debian/upstream.mk: Install libreplace_malloc.so when building a nightly. * debian/control*: Bump nss and sqlite build dependencies. iceweasel (38.1.1esr-1) unstable; urgency=high . * New upstream release. * Fixes for mfsa2015-78, also known as CVE-2015-4495. . * debian/source.filter: Remove the source tarball filtering of search plugin icons. See 20150715221703.GD19084@glandium.org. iceweasel (38.1.1esr-1~deb9u1) stretch; urgency=high . * Non-maintainer upload. * Rebuild iceweasel/38.1.1esr-1 in stretch so CVE-2015-4495 can be fixed there before the g++-5 transition finishes. No source changes. iceweasel (38.1.0esr-3) unstable; urgency=medium . * debian/browser.js.in, debian/vendor.js.in: Fix localized searchplugins. Closes: #775813. iceweasel (38.1.0esr-2) unstable; urgency=medium . * debian/control*: Bump NSS build dependency. iceweasel (38.1.0esr-1) unstable; urgency=medium . * New upstream release. * Fixes for mfsa2015-{59-67,69}, also know as: CVE-2015-2724, CVE-2015-2725, CVE-2015-2727, CVE-2015-2728, CVE-2015-2729, CVE-2015-2731, CVE-2015-2730, CVE-2015-2722, CVE-2015-2733, CVE-2015-2734, CVE-2015-2735, CVE-2015-2736, CVE-2015-2737, CVE-2015-2738, CVE-2015-2739, CVE-2015-2740, CVE-2015-2741, CVE-2015-2743. . * debian/rules: Use the right --target, --host and --build arguments to configure for the Mozilla build system, which uses different meanings. * debian/branding/firefox-branding.js: Add devtools.selfxss.count pref to the iceweasel branding to match unofficial branding. Closes: #787975. * debian/browser.js.in: Use a sticky pref for browser.newtabpage.enhanced. * debian/branding/content/Makefile.in: Revert branding changes for SVG wordmark, not used on ESR . * modules/libpref/prefapi.*, modules/libpref/prefread.*, modules/libpref/test/unit/data/testPrefSticky*.js, modules/libpref/test/unit/test_stickyprefs.js, modules/libpref/test/unit/xpcshell.ini: support 'sticky' preferences, meaning a user value is retained even when it matches the default. bz#1098343. * browser/app/profile/firefox.js, browser/base/content/newtab/intro.js, browser/base/content/newtab/page.js, browser/modules/DirectoryLinksProvider.jsm: Update patch from bz#1094324 to fit what landed upstream in newer versions. iceweasel (38.0.1-5) unstable; urgency=medium . * debian/rules: Force a timezone when extracting defaults/* files from omni.ja archives. iceweasel (38.0.1-4) unstable; urgency=medium . * python/mozbuild/mozpack/files.py: Fixup to keep file type. * toolkit/content/Makefile.in, toolkit/content/buildconfig.html: Remove build machine name from about:buildconfig. bz#1168316. iceweasel (38.0.1-3) unstable; urgency=medium . * debian/upstream.mk: Force a timezone when setting MOZ_BUILD_DATE. . * python/mozbuild/mozpack/files.py: Normalize file mode in jars. bz#1168231. iceweasel (38.0.1-2) unstable; urgency=medium . * debian/upstream.mk: Set MOZ_BUILD_DATE to the date of the last debian/changelog entry for non-Aurora builds. * debian/branding/content/Makefile.in: Add a dummy conversion for about.png to remove timestamps. * debian/browser.js.in: Default to classic view for about:newtab. * debian/copyright: Update copyright file to some degree. * debian/control*: Bump Standards-Version to 3.9.6.0. - debian/rules: Add build-arch and build-indep targets to debian/rules. * debian/control*: Switch Vcs-* urls to anonscm.debian.org. . * ipc/testshell/XPCShellEnvironment.cpp, js/src/shell/js.cpp, js/xpconnect/src/XPCShellImpl.cpp: Remove build() function from js and xpc shells. bz#1166243. * toolkit/locales/l10n.mk. Use dozip.py for langpacks. bz#1166538. * browser/app/profile/firefox.js, browser/base/content/newtab/intro.js browser/modules/DirectoryLinksProvider.jsm: Set browser.newtabpage.enhanced default in prefs. bz#1094324. iceweasel (38.0.1-1) unstable; urgency=medium . * New upstream release. . * debian/vendor.js.in: Disable auto-installing webide related addons. Closes: #785595. * debian/rules: Disable jit on mips. Only mipsel is supported by the jit code currently. . * configure.in, media/libjpeg/moz.build: Fixup libjpeg-turbo assembly cleanup. * security/manager/ssl/src/SSLServerCertVerification.cpp: Add a NULL-check for extensions on the end entity certificate when gathering EKU telemetry. Closes: #782772. iceweasel (38.0-2) unstable; urgency=medium . * debian/repack.py: Fix to support filter patterns excluding a top-level directory. . * configure.in: Cleanup how libjpeg-turbo assembly build variables are set. bz#1165654. This should fix FTBFSes on arm64 and mips*. * memory/mozjemalloc/jemalloc.c: Make powerpc not use static page sizes. Closes: #763900. iceweasel (38.0-1) unstable; urgency=medium . * New upstream release. * Fixes for mfsa2015-{46,48-51,53-56}, also know as: CVE-2015-2708, CVE-2015-2709, CVE-2015-2710, CVE-2015-2711, CVE-2015-2712, CVE-2015-2713, CVE-2015-2715, CVE-2015-2716, CVE-2015-2717, CVE-2015-2718. . * debian/branding/Makefile.in, debian/branding/moz.build: Adapt build rules to upstream changes * debian/branding/locales/en-US/brand.*: Add brandShorterName to Iceweasel branding. * debian/branding/content/Makefile.in: Add silhouette-40.svg from the unofficial branding to iceweasel branding * debian/control*: Bump nss and sqlite build dependencies. * debian/control.in, debian/upstream.mk: Change backport rules. - Set LESS_SYSTEM_LIBS on wheezy and jessie. - Only use gstreamer 0.10 on wheezy. iceweasel (37.0.2-1) experimental; urgency=medium . * New upstream release. * Fix for mfsa2015-45, also known as CVE-2015-2706. iceweasel (37.0.1-1) experimental; urgency=medium . * New upstream release. * Fix for mfsa2015-44, also known as CVE-2015-0799. . * debian/browser.js.in: Change the pref used to disable openh264. Closes: #769716. iceweasel (37.0-1) experimental; urgency=medium . * New upstream release. * Fixes for mfsa2015-{30-34,36-40,42}, also known as: CVE-2015-0815, CVE-2015-0814, CVE-2015-0813, CVE-2015-0812, CVE-2015-0816, CVE-2015-0811, CVE-2015-0808, CVE-2015-0807, CVE-2015-0805, CVE-2015-0806, CVE-2015-0803, CVE-2015-0804, CVE-2015-0801, CVE-2015-0802. iceweasel (36.0.4-1) experimental; urgency=medium . * New upstream release. * Fixes for mfsa2015-{28-29}, also known as: CVE-2015-0818, CVE-2015-0817. iceweasel (36.0.1-2) experimental; urgency=medium . * debian/browser.mozconfig.in: Don't build with --disable-eme, reverting the change from 36.0-1. iceweasel (36.0.1-1) experimental; urgency=medium . * New upstream release. . * gfx/layers/basic/BasicCompositor.cpp, gfx/layers/basic/BasicLayerManager.cpp: Reintroduce pixman code path removed in bz#1097776 for --disable-skia builds. bz#1136958. iceweasel (36.0-2) experimental; urgency=medium . * debian/browser.mozconfig.in: Force enable skia, to possibly fix FTBFS on non-x86/amd64/arm architectures. . * gfx/skia/moz.build: Remove duplicate SkDiscardableMemory_none.cpp. bz#1136958. iceweasel (36.0-1) experimental; urgency=medium . * New upstream release. * Fixes for mfsa2015-{11,13-17,19-27}, also known as: CVE-2015-0836, CVE-2015-0835, CVE-2015-0832, CVE-2015-0830, CVE-2015-0834, CVE-2015-0831, CVE-2015-0829, CVE-2015-0827, CVE-2015-0826, CVE-2015-0825, CVE-2015-0824, CVE-2015-0823, CVE-2015-0822, CVE-2015-0821, CVE-2015-0819, CVE-2015-0820. . * debian/control*: Bump nss and sqlite build dependencies. * debian/branding/Makefile.in, debian/branding/moz.build, debian/extra-stuff/Makefile.in, debian/extra-stuff/moz.build: Update and cleanup. * debian/browser.install.in: Remove mozilla-xremote-client, it was removed upstream. * debian/browser.install.in, debian/rules: Remove libmozsandbox.so, it's not a shared library anymore. * debian/browser.mozconfig.in: Build with --disable-eme for now, iceweasel (35.0.1-1) experimental; urgency=medium . * New upstream release. . * debian/browser.install.in, debian/rules: Only install libmozsandbox.so on i386 and amd64. * debian/control: Recommend gstreamer packages for video playing capabilities. Closes: #737092. Also change the gstreamer build dependencies not to use alternatives. iceweasel (35.0-1) experimental; urgency=medium . * New upstream release. * Fixes for mfsa2015-{01-06,08-09}, also known as: CVE-2014-8634, CVE-2014-8635, CVE-2014-8637, CVE-2014-8637, CVE-2014-8639, CVE-2014-8640, CVE-2014-8641, CVE-2014-8642, CVE-2014-8636. . * debian/browser.mozconfig.in: Build with --enable-pie instead of our own patch to the build system. . * moz.build: Fix how debian/extra-stuff is added to upstream build system directory traversal after upstream changes. iceweasel (34.0-1) experimental; urgency=medium . * New upstream release. * Fixes for mfsa2014-{83-89,91}, also known as: CVE-2014-1587, CVE-2014-1588, CVE-2014-1589, CVE-2014-1590, CVE-2014-1591, CVE-2014-1592, CVE-2014-1593, CVE-2014-1594, CVE-2014-8631, CVE-2014-8632. . * debian/branding/firefox-branding.js: Set browser.aboutHomeSnippets.updateUrl to "data:text/html,", which resets previously downloaded snippets after a day. * debian/browser.js.in: Avoid openh264 being downloaded and disable it if it is already there. Closes: #769716. * debian/control*: Bump nss and sqlite build dependencies. * debian/rules: Remove --disable-compile-environment for l10n builds because of bz#1063880. * debian/browser.install.in: Add sandbox library. iceweasel (33.1-1) experimental; urgency=medium . * New upstream release. . * debian/changelog: Add missing entries for 27.0.1-1. * debian/rules: Don't force to build with GCC 4.9 on armhf anymore. * debian/browser.mozconfig.in: Don't build with --enable-unified-compilation. It may be causing build problems on architectures with limited resources. * debian/browser.install.in, debian/browser.postinst.in, debian/browser.postrm.in, debian/browser.preinst.in, debian/duckduckgo.xml: Remove duckduckgo search engine, since upstream now has it included. * debian/branding/firefox-branding.js: - Set browser.startup.homepage_override.mstone to "ignore". - Set browser.aboutHomeSnippets.updateUrl to nothing. Closes: #721689. . * Import patches from the nss source package that are relevant to building iceweasel against the in-tree nss source, for backports: - security/nss/lib/freebl/unix_rand.c, security/nss/cmd/shlibsign/shlibsign.c: Fix FTBFS on Hurd because of MAXPATHLEN - security/nss/coreconf/Linux.mk, security/nss/coreconf/arch.mk, security/nss/coreconf/config.mk, security/nss/lib/freebl/unix_rand.c, security/nss/lib/softoken/softoken.h, security/nss/lib/ssl/sslmutex.*: GNU/kFreeBSD support. - security/nss/lib/ckfw/builtins/certdata.txt: Adds the SPI Inc. and CAcert.org CA certificates. Those patches were applied on the esr24 branch, but were forgotten on the release branch at the time. * media/libcubeb/tests/moz.build: Work around binutils assertion on mips. iceweasel (33.0-2) experimental; urgency=medium . * debian/control*, debian/rules: Do not build depend on gstreamer 1.0 when building a backport. . * netwerk/base/public/security-prefs.js, security/manager/ssl/src/nsNSSComponent.cpp: Disable SSLv3 to address CVE-2014-3566. bz#1076983. iceweasel (33.0-1) experimental; urgency=medium . * New upstream release. * Fixes for mfsa2014-{74-76,78-82}, also known as: CVE-2014-1574, CVE-2014-1575, CVE-2014-1576, CVE-2014-1577, CVE-2014-1580, CVE-2014-1581, CVE-2014-1582, CVE-2014-1584, CVE-2014-1585, CVE-2014-1586, CVE-2014-1583. . * debian/control*: Bump nss and sqlite build dependencies. * debian/browser.install.in, debian/control.in, debian/rules, debian/upstream.mk, debian/vendor.js.in: Change how official branding is handled. * debian/rules: Disable tests on stable-security. * debian/browser.install.in, debian/browser.mozconfig.in, debian/control.in, debian/rules: Allow to build against Gtk+3 by setting the GTK3 environment variable while building. iceweasel (32.0.3-1) experimental; urgency=medium . * New upstream release. . * toolkit/components/search/nsSearchService.js: Bump search engine max icon size to 35kB. Closes: #749084. * build/autoconf/compiler-opts.m4, config/rules.mk: Build target programs as position independent executable when supported by gcc/clang. bz#857628. iceweasel (32.0-1) experimental; urgency=medium . * New upstream release. * Fixes for mfsa2014-{67-70,72}, also known as: CVE-2014-1562, CVE-2014-1553, CVE-2014-1554, CVE-2014-1563, CVE-2014-1564, CVE-2014-1565, CVE-2014-1567. . * debian/browser.bug-script.in, debian/browser.install.in, debian/extra-stuff/Makefile.in, debian/extra-stuff/reportbug-helper-script, debian/installer/package-manifest.browser: Fix bug script. * debian/browser.install.in, debian/rules, debian/upstream.mk: Install libreplace_malloc.so when building a nightly. * debian/control*: Bump nss and sqlite build dependencies. iceweasel (32.0~b5-1) experimental; urgency=medium . * New upstream beta release. . * debian/browser.install.in, debian/rules, debian/upstream.mk: Install libreplace_malloc.so when building a nightly. * debian/control*: Bump nss and sqlite build dependencies. . * media/libstagefright/moz.build: Fix libstagefright build on GNU/kFreeBSD. bz#1048064. iceweasel (32.0~b3-1) experimental; urgency=medium . * New upstream beta release. . * debian/browser.install.in, debian/rules, debian/upstream.mk: Install libreplace_malloc.so when building a nightly. * debian/control*: Bump nss and sqlite build dependencies. . * testing/mozbase/mozinfo/mozinfo/mozinfo.py: Add a fallback for unknown platforms after bz#945869. bz#1044414. iceweasel (32.0~b1-1) experimental; urgency=medium . * New upstream beta release. . * debian/browser.install.in, debian/rules, debian/upstream.mk: Install libreplace_malloc.so when building a nightly. * debian/control*: Bump nss and sqlite build dependencies. iceweasel (31.8.0esr-1~deb8u1) stable-security; urgency=medium . * New upstream release. * Fixes for mfsa2015-{59,61,64-66,69-71}, also known as: CVE-2015-2724, CVE-2015-2728, CVE-2015-2730, CVE-2015-2722, CVE-2015-2733, CVE-2015-2734, CVE-2015-2735, CVE-2015-2736, CVE-2015-2737, CVE-2015-2738, CVE-2015-2739, CVE-2015-2740, CVE-2015-2743, CVE-2015-4000, CVE-2015-2721. . * debian/rules, debian/control*: Use bundled libraries because of the requirement for a newer NSS. . * dom/indexedDB/IndexedDatabaseManager.cpp: Backout mercurial changeset 4fd4c854dc0f (fixup for bz#1142210) to unbust unified builds. iceweasel (31.8.0esr-1~deb7u1) oldstable-security; urgency=medium . * New upstream release. * Fixes for mfsa2015-{59,61,64-66,69-71}, also known as: CVE-2015-2724, CVE-2015-2728, CVE-2015-2730, CVE-2015-2722, CVE-2015-2733, CVE-2015-2734, CVE-2015-2735, CVE-2015-2736, CVE-2015-2737, CVE-2015-2738, CVE-2015-2739, CVE-2015-2740, CVE-2015-2743, CVE-2015-4000, CVE-2015-2721. . * debian/rules, debian/control*: Use bundled libraries because of the requirement for a newer NSS. . * dom/indexedDB/IndexedDatabaseManager.cpp: Backout mercurial changeset 4fd4c854dc0f (fixup for bz#1142210) to unbust unified builds. iceweasel (31.7.0esr-1~deb8u1) stable-security; urgency=medium . * New upstream release. * Fixes for mfsa2015-{46-48,51,54,57}, also known as: CVE-2015-2708, CVE-2015-0797, CVE-2015-2710, CVE-2015-2713, CVE-2015-2716, CVE-2011-3079. . * debian/control.in, debian/rules, debian/upstream.mk: Change backport rules. - Only set LESS_SYSTEM_LIBS on wheezy (for now). - Only exclude gstreamer 1.0 on wheezy. iceweasel (31.7.0esr-1~deb7u1) oldstable-security; urgency=medium . * New upstream release. * Fixes for mfsa2015-{46-48,51,54,57}, also known as: CVE-2015-2708, CVE-2015-0797, CVE-2015-2710, CVE-2015-2713, CVE-2015-2716, CVE-2011-3079. . * debian/control.in, debian/rules, debian/upstream.mk: Change backport rules. - Only set LESS_SYSTEM_LIBS on wheezy (for now). - Only exclude gstreamer 1.0 on wheezy. icu (52.1-8+deb8u2) jessie-security; urgency=high . * Fix security bugs: - CVE-2014-8146 , a heap overflow, - CVE-2014-8147 , an integer overflow, - CVE-2015-4760 , missing boundary checks in layout engine, - CVE-2014-6585 , finish null pointer checks. jackrabbit (2.3.6-1+deb8u1) jessie-security; urgency=medium . * Team upload. * Add CVE-2015-1833.patch. Fix XXE/XEE vulnerability of the Jackrabbit WebDAV bundle. When processing a WebDAV request body containing XML, the XML parser can be instructed to read content from network resources accessible to the host, identified by URI schemes such as "http(s)" or "file". Depending on the WebDAV request, this can not only be used to trigger internal network requests, but might also be used to insert said content into the request, potentially exposing it to the attacker and others. (Closes: #787316) jackrabbit (2.3.6-1+deb7u1) wheezy-security; urgency=medium . * Team upload. * Add CVE-2015-1833.patch. Fix XXE/XEE vulnerability of the Jackrabbit WebDAV bundle. When processing a WebDAV request body containing XML, the XML parser can be instructed to read content from network resources accessible to the host, identified by URI schemes such as "http(s)" or "file". Depending on the WebDAV request, this can not only be used to trigger internal network requests, but might also be used to insert said content into the request, potentially exposing it to the attacker and others. (Closes: #787316) kic (2.4a-2~deb8u1) jessie; urgency=medium . * QA upload. * Rebuild for jessie. . kic (2.4a-2) unstable; urgency=medium . * QA upload. * Set Maintainer to Debian QA Group. (See: #691834) * configure: Do not add -L without argument to $LIBS. (Closes: #793367) lame (3.99.5+repack1-7+deb8u1) jessie; urgency=medium . * debian/patches/force_align_arg_pointer.patch: Enable functions with SSE instructions to maintain their own properly aligned stack. Fixes crashes with a general protection error when called from the ocaml bindings (Closes: #786438). Thanks Detrick Merz for the bug report, Robert Hegemann and especially Bernhard Übelacker for their help with analyzing the bug. libapache-mod-jk (1:1.2.37-4+deb8u1) jessie-security; urgency=high . * Team upload. * Add CVE-2014-8111.patch. (Closes: #783233) It was discovered that a JkUnmount rule for a subtree of a previous JkMount rule could be ignored. This could allow a remote attacker to potentially access a private artifact in a tree that would otherwise not be accessible to them. - Add option to control handling of multiple adjacent slashes in mount and unmount. New default is collapsing the slashes only in unmount. Before this change, adjacent slashes were never collapsed, so most mounts and unmounts didn't match for URLs with multiple adjacent slashes. - Configuration is done via new JkOption for Apache (values "CollapseSlashesAll", "CollapseSlashesNone" or "CollapseSlashesUnmount"). libav (6:11.4-1~deb8u1) jessie-security; urgency=high . [ Sebastian Ramacher ] * New upstream release fixing multiple security issues. - h264: Make sure reinit failures mark the context as not initialized (CVE-2015-3417) - msrle: Use FFABS to determine the frame size in msrle_decode_pal4 (CVE-2015-3395) - cavs: Remove an unneeded scratch buffer - configure: Disable i686 for i586 and lower CPUs (debian/783082) - mjpegenc: Fix JFIF header byte ordering (bug/808) - nut: Make sure to clean up on read_header failure - png: Set the color range as full range - avi: Validate sample_size - nut: Check chapter creation in decode_info_header - alac: Reject rice_limit 0 if compression is used - ape: Support _0000 files with nblock smaller than 64 - mux: Do not leave stale side data pointers in ff_interleave_add_packet() - avresample: Reallocate the internal buffer to the correct size (bug/825) - mpegts: Update the PSI/SI table only if the version change - rtsp: Make sure we don't write too many transport entries into a fixed-size array - rtpenc_jpeg: Handle case of picture dimensions not dividing by 8 - mov: Fix little endian audio detection - x86: Put COPY3_IF_LT under HAVE_6REGS (gentoo/541930) - roqvideoenc: set enc->avctx in roq_encode_init - mp3: Properly use AVCodecContext API - libvpx: Fix mixed use of av_malloc() and av_reallocp() - Revert "lavfi: always check av_expr_parse_and_eval() return value" - alsdec: only adapt order for positive max_order - alsdec: check sample pointer range in revert_channel_correlation - aacpsy: correct calculation of minath in psy_3gpp_init - alsdec: limit avctx->bits_per_raw_sample to 32 - aasc: return correct buffer size from aasc_decode_frame - matroskadec: fix crash when parsing invalid mkv - avconv: do not overwrite the stream codec context for streamcopy - webp: ensure that each transform is only used once - h264_ps: properly check cropping parameters against overflow - hevc: zero the correct variables on invalid crop parameters - hevc: make the crop sizes unsigned . [ Reinhard Tartler] * drop 01-configure-disable-i686-for-i586 libav (6:11.3-3) unstable; urgency=medium . * Fix use of illegal instruction on i586. (Closes: #783082) - debian/confflags: Pass correct value to --cpu. Thanks to Bernhard Übelacker for the patch. - debian/patches: + 01-configure-disable-i686-for-i586.patch: Upstream patch to disable i686 on instructions on i586. + 02-configure-disable-ebx-gcc-4.9.patch: Workaround build failure with gcc 4.9 and newer by disabling the use of ebx in handwritten assembler code. Thanks to Bernhard Übelacker for the initial patch. libav (6:11.3-2) unstable; urgency=medium . * debian/control: - Bump Standards-Version to 3.9.6. - libav-tools: Add x264 to Suggests. (Closes: #779097) - Build-Depend on libx265-dev. * debian/libav-tools.maintscript: Remove /etc/avserver.conf. (Closes: #760763) * debian/confflags: Enable x265 encoder. (Closes: #780796) * debian/rules: Use matching version in shlibs. (LP: #1407103) libcrypto++ (5.6.1-6+deb8u1) jessie-security; urgency=high . * Fix CVE-2015-2141, misuse of blinding technique that is aimed at preventing timing attacks. * Update my email address. libcrypto++ (5.6.1-6+deb7u1) wheezy-security; urgency=high . * Fix CVE-2015-2141, misuse of blinding technique that is aimed at preventing timing attacks. * Update my email address. libdatetime-timezone-perl (1:1.75-2+2015f) jessie; urgency=medium . * Update to Olson database version 2015f. Add patch debian/patches olson-2015e, which updates the timezone *.pm files, using upstream's tools/parse_olson script. This update contains contemporary changes for North Korea, Uruguay, and Moldova. libdatetime-timezone-perl (1:1.75-2+2015e) jessie; urgency=medium . * Update to Olson database version 2015e. Add patch debian/patches/olson-2015e, which updates the timezone *.pm files, using upstream's tools/parse_olson script. This update contains contemporary changes for Morocco. libgee-0.8 (0.16.1-1+deb8u1) jessie; urgency=medium . * Fix default value of --enable-consistency-check, otherwise a very expensive debug option is turned on by default and would make a lot of applications unusably slow. Patch cherry-picked from upstream Git. * Fix the removal of the vala.stamp files so the C sources are regenerated. * Add missing geeutils.vapi. This file is missing in the tarball but is required if we want to rebuild the C source files. * Drop gee_tree_set_check from symbols file. This symbol was exported by accident due to the wrong default value of --enable-consistency-check. It doesn't appear to be used by other applications, so it should be safe to remove. * Add myself to Uploaders. libio-socket-ssl-perl (2.002-2+deb8u1) jessie; urgency=medium . * Add 0001-make-PublicSuffix-_default_data-thread-safe-by-stori.patch. Make PublicSuffix::_default_data thread safe by storing the default data inside a function inside within __DATA__. Thanks to Jonny Schulz for the report (Closes: #788035) libisocodes (1.2.2-1~deb8u1) jessie; urgency=medium . * Rebuild for Jessie . libisocodes (1.2.2-1) unstable; urgency=medium . * Imported Upstream version 1.2.2 - Fix GLib critical warning if the environment variable LANGUAGE is not set. Thanks to Paul Wise for the bug report. Closes: #787395 * Update maintainer name libvirt (1.2.9-9+deb8u1) jessie; urgency=medium . [ Guido Günther ] * [8e4cf5a] Teach virt-aa-helper to use TEMPLATE.qemu if the domain is kvm or kqemu. Thanks to Luke Faraone for the report (Closes: #786650) * [ad1ff0b] Adjust gbp.conf for jessie * [c830a54] Disable test suite due to libxml2 bug #781232 in jessie * [be70aec] Fix crash on live migration this supplements 07dbec0a64783f644854a22aa0355720f0328d17. Thanks to Eckebrecht von Pappenheim (Closes: #788171) . [ Felix Geyer ] * [9fb6c59] Allow access to libnl-3 configuration (Closes: #786652) . [ intrigeri ] * Allow-access-to-libnl-3-config-files.patch: revert changes that are unrelated to the bug this patch is meant to fix. . [ Daniel P. Berrange ] * [afae69a] Report original error when QMP probing fails with new QEMU (Closes: #780093) libwmf (0.2.8.4-10.3+deb8u1) jessie-security; urgency=medium . * CVE-2015-0848 CVE-2015-4588 CVE-2015-4695 CVE-2015-4696 libwmf (0.2.8.4-10.3+deb7u1) wheezy-security; urgency=low . * CVE-2015-0848 CVE-2015-4588 CVE-2015-4695 CVE-2015-4696 linux (3.16.7-ckt11-1+deb8u3) jessie-security; urgency=high . * path_openat(): fix double fput() (CVE-2015-5706) * KEYS: ensure we free the assoc array edit if edit is valid (CVE-2015-1333) * sctp: fix ASCONF list handling (CVE-2015-3212) * [x86] kvm: fix kvm_apic_has_events to check for NULL pointer (CVE-2015-4692) * [x86] bpf_jit: fix compilation of large bpf programs (CVE-2015-4700) * sg_start_req(): make sure that there's not too many elements in iovec (CVE-2015-5707) * md: use kzalloc() when bitmap is disabled (CVE-2015-5697) linux (3.16.7-ckt11-1+deb8u3~bpo70+1) wheezy-backports; urgency=high . * Rebuild for wheezy: - Disable architectures that weren't part of wheezy - Use gcc-4.6 for all architectures - Change ABI number to 0.bpo.4 - [arm] btrfs: Work around bug in gcc-4.6 (fixes FTBFS) - linux-image: Depend on initramfs-tools without any alternatives, so that neither apt nor aptitude will automatically switch to dracut . linux (3.16.7-ckt11-1+deb8u3) jessie-security; urgency=high . * path_openat(): fix double fput() (CVE-2015-5706) * KEYS: ensure we free the assoc array edit if edit is valid (CVE-2015-1333) * sctp: fix ASCONF list handling (CVE-2015-3212) * [x86] kvm: fix kvm_apic_has_events to check for NULL pointer (CVE-2015-4692) * [x86] bpf_jit: fix compilation of large bpf programs (CVE-2015-4700) * sg_start_req(): make sure that there's not too many elements in iovec (CVE-2015-5707) * md: use kzalloc() when bitmap is disabled (CVE-2015-5697) linux (3.16.7-ckt11-1+deb8u2) jessie-security; urgency=high . * [amd64] Restore "perf/x86: Further optimize copy_from_user_nmi()" * [amd64] Fix nested NMI handling (CVE-2015-3290, CVE-2015-3291) - Enable nested do_nmi handling for 64-bit kernels - Remove asm code that saves cr2 - Switch stacks on userspace NMI entry - Reorder nested NMI checks - Use DF to avoid userspace RSP confusing nested NMI detection linux (3.16.7-ckt11-1+deb8u2~bpo70+1) wheezy-backports; urgency=high . * Rebuild for wheezy: - Disable architectures that weren't part of wheezy - Use gcc-4.6 for all architectures - Change ABI number to 0.bpo.4 - [arm] btrfs: Work around bug in gcc-4.6 (fixes FTBFS) - linux-image: Depend on initramfs-tools without any alternatives, so that neither apt nor aptitude will automatically switch to dracut . linux (3.16.7-ckt11-1+deb8u2) jessie-security; urgency=high . * [amd64] Restore "perf/x86: Further optimize copy_from_user_nmi()" * [amd64] Fix nested NMI handling (CVE-2015-3290, CVE-2015-3291) - Enable nested do_nmi handling for 64-bit kernels - Remove asm code that saves cr2 - Switch stacks on userspace NMI entry - Reorder nested NMI checks - Use DF to avoid userspace RSP confusing nested NMI detection . linux (3.16.7-ckt11-1+deb8u1) jessie-security; urgency=medium . * udf: Remove repeated loads blocksize * udf: Check length of extended attributes and allocation descriptors (CVE-2015-4167) * udp: fix behavior of wrong checksums (CVE-2015-5364, CVE-2015-5366) * [amd64] Revert "perf/x86: Further optimize copy_from_user_nmi()" (CVE-2015-3290) linux (3.16.7-ckt11-1+deb8u1) jessie-security; urgency=medium . * udf: Remove repeated loads blocksize * udf: Check length of extended attributes and allocation descriptors (CVE-2015-4167) * udp: fix behavior of wrong checksums (CVE-2015-5364, CVE-2015-5366) * [amd64] Revert "perf/x86: Further optimize copy_from_user_nmi()" (CVE-2015-3290) linux-ftpd-ssl (0.17.33+0.3-1+deb8u1) jessie; urgency=medium . * QA Upload * NLST of empty directory results in segfault. (Closes: #788331) + debian/patches/500-ssl.diff: Updated. linux-ftpd-ssl (0.17.33+0.3-1+deb7u1) wheezy; urgency=medium . * QA Upload * NLST of empty directory results in segfault. (Closes: #788331) + debian/patches/500-ssl.diff: Updated. lxc (1:1.0.6-6+deb8u1) jessie-security; urgency=high . * Non-maintainer upload by the Security Team. * Add 0018-CVE-2015-1331-lxclock-use-run-lxc-lock-rather-than-r.patch. CVE-2015-1331: Directory traversal flaw that allows arbitrary file creation as the root user. (Closes: #793298) * Add 0019-CVE-2015-1334-Don-t-use-the-container-s-proc-during-.patch. CVE-2015-1334: Processes intended to be run inside of confined LXC containers could escape their AppArmor or SELinux confinement. (Closes: #793298) lxc (1:1.0.6-6+deb8u1~bpo70+1) wheezy-backports; urgency=high . * Rebuild for wheezy-backports. lynx-cur (2.8.9dev1-2+deb8u1) jessie; urgency=medium . * gnutls_set_default_priority.diff: Use gnutls_set_default_priority() instead of a custom priority string. The fix for the GnuTLS issue GNUTLS-SA-2015-2 combined with a buggy GnuTLS priority string in lynx breaks lynx SSL support. Preemptively apply the fix to lynx before the GnuTLS issue is fixed in stable. Closes: #784430 mesa (10.3.2-1+deb8u1) jessie; urgency=medium . [ Timo Aaltonen ] * radeonsi-disable-asynchronous-dma.diff: Disable asynchronous DMA on radeonsi which can cause lockups. (Closes: #775264) motif (2.3.4-6+deb8u1) jessie-proposed-updates; urgency=medium . * Disable fix for upstream bug #1565 which caused segfaults in ddd and xpdf (Closes: #781995). * Remove XmForceGrabKeyboard@Base from d/libxm4.symbols which was introduced by upstream's updated fix applied in motif 2.3.4-5 (Closes: #782678). mozilla-gnome-keyring (0.10-1~deb8u1) jessie; urgency=medium . * New upstream release. (Closes: #797040) mozilla-gnome-keyring (0.9~20150531gitb0170724-1) experimental; urgency=medium . * New upstream pre-release. (Closes: #788967, #788971) mysql-5.5 (5.5.44-0+deb8u1) jessie-security; urgency=high . * Non-maintainer upload by the Security Team. * Imported Upstream version 5.5.44 to fix security issues: - http://www.oracle.com/technetwork/topics/security/cpujul2015-2367936.html - CVE-2015-4752 CVE-2015-4737 CVE-2015-2648 CVE-2015-2643 CVE-2015-2620 CVE-2015-2582 (Closes: #792445) mysql-5.5 (5.5.44-0+deb7u1) wheezy-security; urgency=high . * Non-maintainer upload by the Security Team. * Imported Upstream version 5.5.44 to fix security issues: - http://www.oracle.com/technetwork/topics/security/cpujul2015-2367936.html - CVE-2015-4752 CVE-2015-4737 CVE-2015-2648 CVE-2015-2643 CVE-2015-2620 CVE-2015-2582 (Closes: #792445) nbd (1:3.8-4+deb8u2) jessie; urgency=low . * Cherry-pick two commits from 3.10 to fix authfile parsing. Closes: #785727. nss (2:3.17.2-1.1+deb8u2) jessie; urgency=medium . [ Andrew Ayer ] * Apply upstream patch (99_prefer_stronger_cert_chains.patch) to fix certificate chain generation to prefer stronger/newer certificates over weaker/older certs. Closes: #774195. nss (2:3.17.2-1.1+deb8u1) jessie-security; urgency=high . * Non-maintainer upload by the Security Team. * Add 99_CVE-2015-2721.patch patch. CVE-2015-2721: NSS incorrectly permits skipping of ServerKeyExchange. * Add 100_CVE-2015-2730.patch patch. CVE-2015-2730: ECDSA signature validation fails to handle some signatures correctly. ocl-icd (2.2.3-1+deb8u1) jessie; urgency=medium . * Fix "clSVMFree never called in OpenCL ICD" (Closes: #787941) The patch is backported from upstream * ocl-icd-opencl-dev: Bump the Breaks/Replaces on nvidia-libopencl1 to cover new upstream releases of nvidia-graphics-drivers (304.xx legacy series) in wheezy (backported patch from sid by Andreas Beckmann in #787952) openafs (1.6.9-2+deb8u3) jessie-security; urgency=high . * Apply upstream security patches from the 1.6.13 release (thanks to Benjamin Kaduk for providing the patches): - OPENAFS-SA-2015-001 (CVE-2015-3282): vos leaks stack data onto the wire when creating vldb entries - OPENAFS-SA-2015-002 (CVE-2015-3283): bos commands can be spoofed, including some which alter server state - OPENAFS-SA-2015-003 (CVE-2015-3284): pioctls leak kernel memory contents - OPENAFS-SA-2015-004 (CVE-2015-3285): kernel pioctl support for OSD command parsing can trigger a panic - OPENAFS-SA-2015-006 (CVE-2015-3287): Buffer overflow in OpenAFS vlserver * The patch for OPENAFS-SA-2015-005 is not applied, since that vulnerability is limited to the Solaris kernel module opensaml2 (2.5.3-2+deb8u1) jessie-security; urgency=high . * Rebuild against fixed xmltooling for DSA 3321-1 openssl (1.0.1k-3+deb8u1) jessie-security; urgency=medium . * Fix CVE-2015-1791 * Fix CVE-2015-1792 * Fix CVE-2015-1789 * Fix CVE-2015-1790 * Fix CVE-2015-1788 * CVE-2015-4000: Have minimum of 768 bit for DH p7zip (9.20.1~dfsg.1-4.1+deb8u1) jessie-security; urgency=medium . * Non-maintainer upload. * Delay creation of symlinks to prevent arbitrary file writes (CVE-2015-1038) (Closes: #774660) pdf.js (1.0.907+dfsg-1+deb8u1) jessie; urgency=medium . * Drop xul-ext-pdf.js package since it’s not compatible with iceweasel 38 pdns (3.4.1-4+deb8u2) jessie-security; urgency=high . * Security update: apply second patch for CVE-2015-1868 pdns-recursor (3.6.2-2+deb8u2) jessie-security; urgency=high . * Security update: apply second patch for CVE-2015-1868 postgresql-9.1 (9.1.18-0+deb8u1) jessie; urgency=medium . * New upstream release: No effective changes for PL/Perl, the version must just be higher than the one in wheezy. postgresql-9.1 (9.1.18-0+deb7u1) wheezy; urgency=medium . * New upstream version. + Fix rare failure to invalidate relation cache init file * Remove obsolete .bzr-builddeb/. postgresql-9.1 (9.1.17-0+deb8u1) jessie; urgency=medium . * New upstream release: No effective changes for PL/Perl, the version must just be higher than the one in wheezy. postgresql-9.1 (9.1.17-0+deb7u1) wheezy; urgency=medium . * New upstream version including the fsync fix. postgresql-9.4 (9.4.4-0+deb8u1) jessie; urgency=medium . * New upstream version. + Fix possible failure to recover from an inconsistent database state + Fix rare failure to invalidate relation cache init file postgresql-9.4 (9.4.3-1) unstable; urgency=medium . * New upstream version: Avoid failures while fsync'ing data directory during crash restart (Abhijit Menon-Sen, Tom Lane; Closes: #786874) prosody (0.9.7-2+deb8u1) jessie; urgency=medium . * Apply upstream patch which fixes CNAME DNS record resolution (closes: #787070) pyjwt (0.2.1-1+deb8u1) jessie-security; urgency=medium . * debian/patches/01_not-use-asymmetric-keys-as-HMAC.patch - Add a check so that asymmetric keys cannot be used as HMAC secrets. See for more details: https://auth0.com/blog/2015/03/31/critical-vulnerabilities-in-json-web-token-libraries/ (Closes: #781640) python-apt (0.9.3.12) jessie; urgency=medium . [ Julian Andres Klode ] * apt/cache.py: Work around a cyclic reference from Cache to its methods (Closes: #745487) * python/arfile.cc: LFS: Use long long instead of long for file sizes * python/arfile.cc: Do not allow files larger than SIZE_MAX to be mapped * python/tarfile.cc: LFS: Handle too large file * apt.debfile: Fix splitting of multi-lines Binary fields in dsc files (Closes: #751770) * apt/debfile.py: Arch-qualify in compare_to_version_in_cache() (Closes: #750189) . [ Michael Vogt ] * Fix apt.Package.installed_files for multi-arch packages (LP: #1313699) python-django (1.7.7-1+deb8u2) jessie-security; urgency=medium . * SECURITY UPDATE: - CVE-2015-5963: Possible denial-of-service via logout() python-django (1.7.7-1+deb8u1) jessie-security; urgency=high . * SECURITY UPDATE: - CVE-2015-5143: possible denial-of-service via session store - CVE-2015-5144: email header injection via newlines python-keystoneclient (1:0.10.1-2+deb8u1) jessie-proposed-updates; urgency=high . * CVE-2015-1852: S3token incorrect condition expression for ssl_insecure. Applied upstream patch: Fix s3_token middleware parsing insecure option. (Closes: #783164) * Added python-oslo.utils (build-)depends introduce by this patch. python-keystonemiddleware (1.0.0-3+deb8u1) jessie-proposed-updates; urgency=medium . * Refreshed patches. * cve-2015-1852: S3Token TLS cert verification option not honored. Applied upstream patch. * Added python-oslo.utils new (build-)depends introduced by this patch. python-reportlab (3.1.8-3+deb8u1) jessie; urgency=medium . * Non-maintainer upload. * Add handle-png-with-transparency.patch to avoid failing when reading a PNG with transparency. Closes: #785023 This fixes a regression compared to the version in Wheezy. python-swiftclient (1:2.3.1-1+deb8u1) jessie-proposed-updates; urgency=medium . * Added missing dependency on python-pkg-resources (Closes: #789685). qemu (1:2.1+dfsg-12+deb8u1) jessie-security; urgency=high . * slirp-use-less-predictable-directory-name-in-tmp-CVE-2015-4037.patch (Closes: CVE-2015-4037) * 11 patches for XEN PCI pass-through issues (Closes: #787547 CVE-2015-4103 CVE-2015-4104 CVE-2015-4105 CVE-2015-4106) * pcnet-force-buffer-access-to-be-in-bounds-CVE-2015-3209.patch with preparation bugfix pcnet-fix-negative-array-index-read.patch from upstream (Closes: #788460 CVE-2015-3209) r-cran-rcurl (1.95-4.3-1+deb8u1) jessie; urgency=medium . * Team upload. * Build-Depend on libcurl4-openssl-dev only (Closes: #786473). rawtherapee (4.2-1+deb8u1) jessie; urgency=high . * Add patch debian/patches/02-fix_CVE-2015-3885.patch: - Fix dcraw imput sanitization errors (CVE-2015-3885) redis (2:2.8.17-1+deb8u1) jessie-security; urgency=high . * Fix Lua sandbox bypass by disabling Lua bytecode loading as per CVE-2015-4335 request-tracker4 (4.2.8-3+deb8u1) jessie-security; urgency=high . * Non-maintainer upload by the Security Team. * Add CVE-2015-5475.patch patch. CVE-2015-5475: Cross-site scripting attack via the user and group rights managment pages. * Add XSS-cryptography-interface.patch patch. Fixes cross-site scripting attack via the cryptography interface. requestpolicy (0.5.29-1) jessie; urgency=medium . * Team upload, targeted to Jessie * Imported Upstream version 0.5.29: restore compatibility with iceweasel 38 (Closes: #786565) rsyslog (8.4.2-1+deb8u1) jessie; urgency=medium . * Disable transactions in ompgsql as they were not working properly. Patch cherry-picked from upstream Git. (Closes: #788183) ruby-rack (1.5.2-3+deb8u1) jessie-security; urgency=high . * Create cherry-picked patch for Security Fix (Closes: #789311). - CVE-2015-3225: 0001-Fix-Params_Depth.patch Default depth at which the parameter parser will raise an exception for being too deep, allows remote attackers to cause a denial of service (SystemStackError) via a request with a large parameter depth. * Add 0002-Add-missing-require-to-response.rb.patch. Add missing require of rack/body_proxy in response.rb ruby2.1 (2.1.5-2+deb8u2) jessie; urgency=high . * Apply upstream patches to fix Request hijacking vulnerability in Rubygems [CVE-2015-3900] (Closes: #790119) strongswan (5.2.1-6+deb8u1) jessie-security; urgency=high . * debian/patches: - CVE-2015-4171_enforce_remote_auth added, fix potential leak of authentication credential to rogue server when using PSK or EAP. This is CVE-2015-4171. strongswan (5.2.1-6+deb8u1~bpo70+1) wheezy-backports; urgency=high . * Rebuild for wheezy-backports. . strongswan (5.2.1-6+deb8u1) jessie-security; urgency=high . * debian/patches: - CVE-2015-4171_enforce_remote_auth added, fix potential leak of authentication credential to rogue server when using PSK or EAP. This is CVE-2015-4171. . strongswan (5.2.1-6) unstable; urgency=medium . * Ship /lib/systemd/system/ipsec.service as a symlink to strongswan.service in strongswan-starter instead of using Alias= in the service file. This makes the ipsec name available to invoke-rc.d before the service gets actually enabled, which avoids some confusion (closes: #781209). stunnel4 (3:5.06-2+deb8u1) jessie-security; urgency=high . * Non-maintainer upload by the Security Team. * Add 17-CVE-2015-3644.patch patch. CVE-2015-3644: authentication bypass with the "redirect" option. (Closes: #785352) subversion (1.8.10-6+deb8u1) jessie-security; urgency=high . * Add (Build-)Depends on apache2 packages necessary for security fixes. * patches/CVE-2015-3814: Mixed anonymous/authenticated path-based authz with httpd 2.4 * patches/CVE-2015-3817: svn_repos_trace_node_locations() reveals paths hidden by authz subversion (1.8.10-6+deb8u1~bpo70+1) wheezy-backports; urgency=medium . * Rebuild for wheezy-backports. * Use libdb5.1 instead of 5.3. * Create libapache2-mod-svn maintainer scripts manually instead of using dh_apache2. * Adapt ruby libdir as it's not multiarched in wheezy. * Add ruby1.8 and ruby1.8-dev to Build-Conflicts to make sure the same versions of ruby and ruby-dev are installed. * Remove dependency on apache2-bin, not needed for apache 2.2. . subversion (1.8.10-6+deb8u1) jessie-security; urgency=high . * Add (Build-)Depends on apache2 packages necessary for security fixes. * patches/CVE-2015-3814: Mixed anonymous/authenticated path-based authz with httpd 2.4 * patches/CVE-2015-3817: svn_repos_trace_node_locations() reveals paths hidden by authz symfony (2.3.21+dfsg-4+deb8u1) jessie-security; urgency=high . [ Daniel Beyer ] * Backport a security fix from 2.3.29 - ESI unauthorized access [CVE-2015-4050] syslinux (3:6.03+dfsg-5+deb8u1) jessie; urgency=low . * Cherry-pick upstream patches that fix booting on some Chromebooks (Closes: #780765): - 0005-load-linux-correct-type.patch - 0006-load-linux-protected-mode.patch systemd (215-17+deb8u2) stable; urgency=medium . * Disable default DNS servers in systemd-resolved. In v215 they are always added to resolv.conf as fallback entries even when DNS servers were acquired from systemd-networkd. (Closes: #787731) * Use strictly versioned dependendency on libsystemd-dev for the transitional dev packages. The .pc files of the compat libraries declare a strictly versioned dependency on libsystemd.pc, so reflect that in the package dependencies as well. (Closes: #794290) * udev: Increase udev event timeout to 180s. Some kernel modules, like mptsas, can take longer then 30s to load so udevd kills the (hanging) worker responsible for loading the module. Increase timeout from 30s to 180s to workaround this issue. Thanks Faidon Liambotis. (Closes: #787191) tabmixplus (0.4.1.8-1~deb8u1) jessie; urgency=medium . * Track the jessie branch tabmixplus (0.4.1.8~150607a3-1) experimental; urgency=medium . [ onemen ] * Update maxVersion to 41.0a1 . [ David Prévot ] * Fix copyright tabmixplus (0.4.1.8~150317a1-1) experimental; urgency=medium . * Imported Upstream version 0.4.1.8~150317a1 tabmixplus (0.4.1.8~150303a1-1) experimental; urgency=medium . [ onemen ] * Update maxVersion to 39.0a1 tabmixplus (0.4.1.7-1) unstable; urgency=medium . * Upload stable release to unstable, since Jessie is being released . [ onemen ] * Version update to 0.4.1.7 . [ David Prévot ] * Track stable releases tabmixplus (0.4.1.7~150212a1-1) experimental; urgency=medium . * Imported Upstream version 0.4.1.7~150212a1 tabmixplus (0.4.1.7~150126a1-1) experimental; urgency=medium . [ onemen ] * Update maxVersion to 38.0a1 tabmixplus (0.4.1.7~150112a1-1) experimental; urgency=medium . * Imported Upstream version 0.4.1.7~150112a1 tabmixplus (0.4.1.6-1) experimental; urgency=medium . * Imported Upstream version 0.4.1.6 tabmixplus (0.4.1.6~141229a1-1) experimental; urgency=medium . * Imported Upstream version 0.4.1.6~141229a1 tabmixplus (0.4.1.6~141222a1-1) experimental; urgency=medium . [ onemen ] * Update maxVersion to 37.0a1 tabmixplus (0.4.1.6~141114a1-1) experimental; urgency=medium . * Imported Upstream version 0.4.1.6~141114a1 tabmixplus (0.4.1.6~141025a1-1) experimental; urgency=medium . [ onemen ] * Can't change new tab button position when tabbar is below content * The tabs are cut off by the bottom of the window, when tabs are on the bottom, the window isn't maximized and the menu bar is hidden tabmixplus (0.4.1.6~141014a2-1) experimental; urgency=medium . [ onemen ] * Tab width expands when mouse is over the tab * Don't add id with colon, it cause document.querySelector to throw an exception - An invalid or illegal string was specified * Don't change session preference when Session manager extension installed * Restore Defaults doesn't work when there are pending changes tabmixplus (0.4.1.6~141014a1-1) experimental; urgency=medium . [ onemen ] * Update compatibility with Tile Tabs 11.12 * Tabs merged in reverse order, when the preference openTabNext is true and both browser.tabs.insertRelatedAfterCurrent and openTabNextInverse are false * Use left and right close tab button on tab to show on mouse hover, remove showhover-box and button * Disable close tab button on left side when the button is not inside tab-content tabmixplus (0.4.1.6~140926a1-1) experimental; urgency=medium . [ onemen ] * "Open new tabs next to current one" option is not working. * Unloaded tabs don't have an icon * Follow up bug 1000513 - Combined navigation items in the context menu * Fix incompatibility with UnloadTab extension * Fix incompatibility with WEB.DE MailCheck extension . [ David Prévot ] * Track pre-releases, and upload to experimental tcpdump (4.6.2-5+deb8u1) stable; urgency=low . * Cherry-pick commit 3f15ae25c2 from upstream Git to fix -Z confirmation log being sent to stdout, where it can get mixed with pcap stream data if '-w -' is used (closes: #793479). tidy (20091223cvs-1.4+deb8u1) jessie-security; urgency=high . * Fix heap buffer overflow and memory saturation on invalid HTML input as per CVE-2015-5522 and CVE-2015-5523 (Closes: #792571) torrus (2.08-1+deb8u1) jessie; urgency=medium . * Revert broken patch refresh in commit 486f4baa (Closes: #774851) This bug was introduced in the Jessie development cycle and breaks functionality of rrdup_notify due to looking in the wrong path * debian/gbp.conf: Point to jessie branch twig (1.16.2-1+deb8u1) jessie-security; urgency=high . * gbp: Track the Jessie branch * Backport security fixes from 1.20.0 - forbid access to the Twig environment from templates and internal parts of Twig_Template - fixed limited RCEs when in sandbox mode tzdata (2015f-0+deb8u1) stable; urgency=medium . * New upstream version, affecting the following future time stamps: - North Korea switches to +0830 on 2015-08-15. - Uruguay no longer observes DST. tzdata (2015f-0+deb7u1) oldstable; urgency=medium . * New upstream version, affecting the following future time stamps: - North Korea switches to +0830 on 2015-08-15. - Uruguay no longer observes DST. tzdata (2015e-1) unstable; urgency=medium . [ Aurelien Jarno ] * New upstream version: - DST suspension from 2015-06-14 03:00 through 2015-07-19 02:00 in Morroco. * Change the Provides: to tzdata-stretch from tzdata-jessie. tzdata (2015e-0+deb8u1) stable; urgency=medium . * New upstream version: - DST suspension from 2015-06-14 03:00 through 2015-07-19 02:00 in Morroco. tzdata (2015e-0+deb7u1) oldstable; urgency=medium . * New upstream version: - DST suspension from 2015-06-14 03:00 through 2015-07-19 02:00 in Morroco. tzdata (2015d-1) unstable; urgency=medium . [ Adam Conrad ] * New upstream release with yet another urgent DST change for Egypt. * Install leap-seconds.list to /usr/share/zoneinfo (Closes: #775166) . [ Aurelien Jarno ] * Install zone1970.tab. Closes: #782646. ufraw (0.20-2+deb8u1) jessie; urgency=high . * dcraw.cc: Apply patch from https://bugzilla.redhat.com/attachment.cgi?id=1027072&action=diff to prevent buffer overflow in ljpeg_start (Closes: #786783, CVE-2015-3885) unattended-upgrades (0.83.3.2+deb8u1) jessie-security; urgency=high . * fix missing package authentication check for apt configurations that force-{confold,confnew} (CVE-2015-1330) . unattended-upgrades (0.83.3.2) stable; urgency=low . * Rebuild in a clean schroot (closes: #783690, #788066) * Cherry pick 4c755d7 so that the optional automatic-reboot feature works again (closes: #788358) unattended-upgrades (0.83.3.2) stable; urgency=low . * Rebuild in a clean schroot (closes: #783690, #788066) * Cherry pick 4c755d7 so that the optional automatic-reboot feature works again (closes: #788358) vlc (2.2.0~rc2-2+deb8u1) jessie-security; urgency=high . * Non-maintainer upload by the Security Team. * Add CVE-2015-5949.patch patch. CVE-2015-5949: Insufficient restrictions on a writable buffer in the 3GP file format parser can be exploited to execute arbitrary code via a specially crafted 3GP file. wesnoth-1.10 (1:1.10.7-2+deb8u1) jessie; urgency=medium . * Security fix: Disallowed inclusion of .pbl files from WML, independent of extension case (CVE-2015-5069, CVE-2015-5070). wesnoth-1.10 (1:1.10.7-2+deb8u1~bpo70+1) wheezy-backports; urgency=medium . * Rebuild for wheezy-backports. * Revert changes for ttf-dejavu -> fonts-dejavu-core which isn't in wheezy. wireshark (1.12.1+g01b65bf-4+deb8u2) jessie-security; urgency=high . * security fixes from Wireshark 1.12.6: - WCCP dissector crash (CVE-2015-4651) - GSM DTAP dissector crash (CVE-2015-4652) wireshark (1.12.1+g01b65bf-4+deb8u1) jessie-security; urgency=high . * security fixes from Wireshark 1.12.5: - The LBMR dissector could go into an infinite loop (CVE-2015-3809) - The WebSocket dissector could recurse excessively (CVE-2015-3810) - The WCP dissector could crash while decompressing data (CVE-2015-3811) - The X11 dissector could leak memory (CVE-2015-3812) - The packet reassembly code could leak memory (CVE-2015-3813) - The IEEE 802.11 dissector could go into an infinite loop (CVE-2015-3814) - The Android Logcat file parser could crash. Discovered by Hanno Böck. (CVE-2015-3815) wordpress (4.1+dfsg-1+deb8u4) jessie-security; urgency=high . * Rework changeset 33359 reliable shortcodes CVE-2015-5622 Closes: #794548 * Backports of 4.2.4 security fixes Closes: #794560 * Changeset 33555 SQL Injection CVE-2015-2213 * Changeset 33535 fixes timing attack CVE-2015-4730 * Changeset 33542 prevent posts lock attack CVE-2015-5731 * Changeset 33529 XSS widget title CVE-2015-5732 * CVE-2015-5733: Not vulnerable CS32176 fixes this * Changeset 33549 theme preview XSS CVE-2015-5734 wordpress (4.1+dfsg-1+deb8u3) jessie-security; urgency=high . * Non-maintainer upload by the Security Team * Back out fautly patch: - Changeset 33359 reliable shortcodes CVE-2015-5622 wordpress (4.1+dfsg-1+deb8u2) jessie-security; urgency=high . * Removed genericons example files CVE-2015-3429 Closes: #784603 * Backports of 4.1.3 security fixes - Changeset 33357 autodraft perms CVE-2015-5623 - Changeset 33359 reliable shortcodes CVE-2015-5622 xemacs21 (21.4.22-14~deb8u1) jessie; urgency=medium . * Non-maintainer upload. * Rebuild for jessie. . xemacs21 (21.4.22-14) unstable; urgency=low . * Clean up after half baked removal of circular dependency, add an empty versioned lib directory now dpkg does the right thing with that (closes: #783704). . xemacs21 (21.4.22-13) unstable; urgency=low . * Clean up after half baked removal of circular dependency, add an empty versioned lib directory now dpkg does the right thing with that (closes: #783704). . xemacs21 (21.4.22-12) unstable; urgency=low . * Remove dependency from support to binary package since the binary package already has the equivalent dependency (closes: #735268). * Conflict against old transitional packages to make absolutely sure that they are removed before we try to upgrade (closes: #775733). * Above changes originally from Andreas Beckmann . xemacs21 (21.4.22-13) unstable; urgency=low . * Clean up after half baked removal of circular dependency, add an empty versioned lib directory now dpkg does the right thing with that (closes: #783704). xemacs21 (21.4.22-12) unstable; urgency=low . * Remove dependency from support to binary package since the binary package already has the equivalent dependency (closees: #735268). * Conflict against old transitional packages to make absolutely sure that they are removed before we try to upgrade (closes: #775733). * Above changes originally from Andreas Beckmann . xen (4.4.1-9+deb8u1) jessie-security; urgency=medium . * Apply fix for CVE-2015-4163 (XSA 134) - gnttab: add missing version check to GNTTABOP_swap_grant_ref handling ... avoiding NULL derefs when the version to use wasn't set yet * Apply fix for CVE-2015-4164 (XSA 136) - x86/traps: loop in the correct direction in compat_iret() xmltooling (1.5.3-2+deb8u1) jessie-security; urgency=high . * Apply security fix from 1.5.5 for CVE-2015-0851 DoS (Closes: #793855): Shibboleth SP software crashes on well-formed but invalid XML xserver-xorg-video-modesetting (0.9.0-2) jessie; urgency=medium . * Merge from upstream master: + modesetting: Don't pretend to support rotation (closes: #791644) xserver-xorg-video-modesetting (0.9.0-1+exp1) experimental; urgency=low . * Rebuild against xorg 1.16 rc. zendframework (1.12.9+dfsg-2+deb8u3) jessie-security; urgency=high . * ZF2015-06: XXE/XEE vector when using ZendXml on multibyte payloads http://framework.zend.com/security/advisory/ZF2015-06 [CVE-2015-5161] ====================================== Sat, 06 Jun 2015 - Debian 8.1 released ====================================== ========================================================================= [Date: Sat, 06 Jun 2015 10:31:34 +0000] [ftpmaster: Archive Administrator] Removed the following packages from stable: k8temp | 0.4.0-2 | source ------------------- Reason ------------------- [auto-cruft] obsolete source package ---------------------------------------------- ========================================================================= ========================================================================= [Date: Sat, 06 Jun 2015 10:31:42 +0000] [ftpmaster: Archive Administrator] Removed the following packages from stable: libinotify-kqueue | 20120419-1 | source ------------------- Reason ------------------- [auto-cruft] obsolete source package ---------------------------------------------- ========================================================================= ========================================================================= [Date: Sat, 06 Jun 2015 10:31:50 +0000] [ftpmaster: Archive Administrator] Removed the following packages from stable: cuse4bsd | 0~svn2434-2 | source ------------------- Reason ------------------- [auto-cruft] obsolete source package ---------------------------------------------- ========================================================================= ========================================================================= [Date: Sat, 06 Jun 2015 10:31:58 +0000] [ftpmaster: Archive Administrator] Removed the following packages from stable: freebsd-quota | 8.2-3 | source ------------------- Reason ------------------- [auto-cruft] obsolete source package ---------------------------------------------- ========================================================================= ========================================================================= [Date: Sat, 06 Jun 2015 10:32:05 +0000] [ftpmaster: Archive Administrator] Removed the following packages from stable: kfreebsd-downloader-10 | 10.0-1 | source ------------------- Reason ------------------- [auto-cruft] obsolete source package ---------------------------------------------- ========================================================================= ========================================================================= [Date: Sat, 06 Jun 2015 10:32:14 +0000] [ftpmaster: Archive Administrator] Removed the following packages from stable: libsystemd-dummy | 208-2 | source ------------------- Reason ------------------- [auto-cruft] obsolete source package ---------------------------------------------- ========================================================================= ========================================================================= [Date: Sat, 06 Jun 2015 10:32:22 +0000] [ftpmaster: Archive Administrator] Removed the following packages from stable: xserver-xorg-video-nv | 1:2.1.20-3 | source ------------------- Reason ------------------- [auto-cruft] obsolete source package ---------------------------------------------- ========================================================================= ========================================================================= [Date: Sat, 06 Jun 2015 10:32:30 +0000] [ftpmaster: Archive Administrator] Removed the following packages from stable: partman-ufs | 19 | source ------------------- Reason ------------------- [auto-cruft] obsolete source package ---------------------------------------------- ========================================================================= ========================================================================= [Date: Sat, 06 Jun 2015 10:32:39 +0000] [ftpmaster: Archive Administrator] Removed the following packages from stable: zfsutils | 10.1~svn272500-1 | source ------------------- Reason ------------------- [auto-cruft] obsolete source package ---------------------------------------------- ========================================================================= ========================================================================= [Date: Sat, 06 Jun 2015 10:32:45 +0000] [ftpmaster: Archive Administrator] Removed the following packages from stable: freebsd-smbfs | 10.1~svn272500-1 | source ------------------- Reason ------------------- [auto-cruft] obsolete source package ---------------------------------------------- ========================================================================= ========================================================================= [Date: Sat, 06 Jun 2015 10:32:53 +0000] [ftpmaster: Archive Administrator] Removed the following packages from stable: fuse4bsd | 0.3.9~pre1.20080208-9 | source ------------------- Reason ------------------- [auto-cruft] obsolete source package ---------------------------------------------- ========================================================================= ========================================================================= [Date: Sat, 06 Jun 2015 10:33:00 +0000] [ftpmaster: Archive Administrator] Removed the following packages from stable: ufsutils | 10.1~svn272500-1 | source ------------------- Reason ------------------- [auto-cruft] obsolete source package ---------------------------------------------- ========================================================================= ========================================================================= [Date: Sat, 06 Jun 2015 10:33:08 +0000] [ftpmaster: Archive Administrator] Removed the following packages from stable: freebsd-utils | 10.1~svn273304-1 | source ------------------- Reason ------------------- [auto-cruft] obsolete source package ---------------------------------------------- ========================================================================= ========================================================================= [Date: Sat, 06 Jun 2015 10:33:14 +0000] [ftpmaster: Archive Administrator] Removed the following packages from stable: kfreebsd-kernel-headers | 10.1~5 | source ------------------- Reason ------------------- [auto-cruft] obsolete source package ---------------------------------------------- ========================================================================= ========================================================================= [Date: Sat, 06 Jun 2015 10:33:21 +0000] [ftpmaster: Archive Administrator] Removed the following packages from stable: kfreebsd-defaults | 10+2 | source ------------------- Reason ------------------- [auto-cruft] obsolete source package ---------------------------------------------- ========================================================================= ========================================================================= [Date: Sat, 06 Jun 2015 10:33:29 +0000] [ftpmaster: Archive Administrator] Removed the following packages from stable: partman-zfs | 45 | source ------------------- Reason ------------------- [auto-cruft] obsolete source package ---------------------------------------------- ========================================================================= base-files (8+deb8u1) stable; urgency=low . * Changed /etc/debian_version to 8.1, for Debian 8.1 point release. berkeley-abc (1.01+20140822hg4d547a5+dfsg-1+deb8u1) stable-proposed-updates; urgency=medium . * Fixed "Broken on big-endian architectures" (Closes: #782027) - (debian/patches/abc-bugfix-20150403.diff) * Fixed memory alignment problem (Closes: #786916) - (debian/patches/04_memory_alignment_fix.patch) * Fixed FTBFS during reproducibility tests (Closes: 780449) - (debian/patches/reproducibility.patch) blackbox (0.70.1-23+deb8u1) stable; urgency=medium . * QA upload. * debian/patches: Added focus.patch. Fixes bug #784955. caja (1.8.2-3+deb8u1) jessie-proposed-updates; urgency=medium . * debian/patches: + Add 0004_avoid-automounts-while-screen-is-locked.patch. Don't mount newly added USB flash drives / optical disks / etc. while a session is locked by the screensaver. Delay the automounting action until the session has been unlocked again. (Closes: #781608). chromium-browser (43.0.2357.65-1~deb8u1) jessie-security; urgency=medium . * New upstream stable release: - CVE-2015-1252: Sandbox escape in Chrome. Credit to anonymous. - CVE-2015-1253: Cross-origin bypass in DOM. Credit to anonymous. - CVE-2015-1254: Cross-origin bypass in Editing. Credit to armin@rawsec.net. - CVE-2015-1255: Use-after-free in WebAudio. Credit to Khalil Zhani. - CVE-2015-1256: Use-after-free in SVG. Credit to Atte Kettunen. - CVE-2015-1251: Use-after-free in Speech. Credit to SkyLined. - CVE-2015-1257: Container-overflow in SVG. Credit to miaubiz. - CVE-2015-1258: Negative-size parameter in Libvpx. Credit to cloudfuzzer - CVE-2015-1259: Uninitialized value in PDFium. Credit to Atte Kettunen. - CVE-2015-1260: Use-after-free in WebRTC. Credit to Khalil Zhani. - CVE-2015-1261: URL bar spoofing. Credit to Juho Nurminen. - CVE-2015-1262: Uninitialized value in Blink. Credit to miaubiz. - CVE-2015-1263: Insecure download of spellcheck dictionary. Credit to Mike Ruddy. - CVE-2015-1264: Cross-site scripting in bookmarks. Credit to K0r3Ph1L. chromium-browser (42.0.2311.135-2) unstable; urgency=medium . * Remove src/ prefix in debian/copyright. * Fix path to default configuration files. * Describe omnibox search in README.debian (closes: 781591). * Fix application name in the launcher script (closes: #783858). * Set CHROME_WRAPPER to /usr/bin/chromium by default (closes: #783097). chromium-browser (42.0.2311.135-1) unstable; urgency=medium . [ Michael Gilbert ] * Remove some unneeded files from the upstream tarball. * Move default configuration files to /usr/share/chromium. * New upstream stable release: - CVE-2015-1243: Use-after-free in DOM. Credit to Saif El-Sherei. - CVE-2015-1250: Various fixes from internal audits, fuzzing and other initiatives. . [ Shawn Landden ] * Supress first run welcome page. * Turn off safebrowsing. * Turn off pinging Google on 404 and other HTTP errors. chromium-browser (42.0.2311.135-1~deb8u1) jessie-security; urgency=high . * New upstream stable release: - CVE-2015-1243: Use-after-free in DOM. Credit to Saif El-Sherei. - CVE-2015-1250: Various fixes from internal audits, fuzzing and other initiatives. chromium-browser (42.0.2311.90-2) unstable; urgency=medium . * Update debian/copyright. * Drop some unused patches. * Drop chromium-inspector package. * Remove Giuseppe from the uploaders. - Many thanks for the prior contributions. * Fix built on text (closes: #782052). * Fix path to master_preferences (closes: #777708). * Disable default browser warning (closes: #777265). * Conflict with libgl1-mesa-swx11 (closes: #776388). * Add MHTML mimetype to chromium.desktop (closes: #769039). * Tighten chromium-l10n versioned dependency (closes: #781505). chromium-browser (42.0.2311.90-1) unstable; urgency=medium . * New upstream stable release: - CVE-2015-1235: Cross-origin-bypass in HTML parser. Credit to anonymous. - CVE-2015-1236: Cross-origin-bypass in Blink. Credit to Amitay Dobo. - CVE-2015-1237: Use-after-free in IPC. Credit to Khalil Zhani. - CVE-2015-1238: Out-of-bounds write in Skia. Credit to cloudfuzzer. - CVE-2015-1240: Out-of-bounds read in WebGL. Credit to w3bd3vil. - CVE-2015-1241: Tap-Jacking. Credit to Phillip Moon and Matt Weston. - CVE-2015-1242: Type confusion in V8. Credit to fcole@onshape.com. - CVE-2015-1244: HSTS bypass in WebSockets. Credit to Mike Ruddy. - CVE-2015-1245: Use-after-free in PDFium. Credit to Khalil Zhani. - CVE-2015-1246: Out-of-bounds read in Blink. Credit to Atte Kettunen. - CVE-2015-1247: Scheme issues in OpenSearch. Credit to Jann Horn. - CVE-2015-1248: SafeBrowsing bypass. Credit to Vittorio Gambaletta. - CVE-2015-1249: Various fixes from internal audits, fuzzing and other initiatives. Also multiple issues in v8 4.2.77.14. chromium-browser (42.0.2311.90-1~deb8u1) jessie-security; urgency=high . * New upstream stable release: - CVE-2015-1235: Cross-origin-bypass in HTML parser. Credit to anonymous. - CVE-2015-1236: Cross-origin-bypass in Blink. Credit to Amitay Dobo. - CVE-2015-1237: Use-after-free in IPC. Credit to Khalil Zhani. - CVE-2015-1238: Out-of-bounds write in Skia. Credit to cloudfuzzer. - CVE-2015-1240: Out-of-bounds read in WebGL. Credit to w3bd3vil. - CVE-2015-1241: Tap-Jacking. Credit to Phillip Moon and Matt Weston. - CVE-2015-1242: Type confusion in V8. Credit to fcole@onshape.com. - CVE-2015-1244: HSTS bypass in WebSockets. Credit to Mike Ruddy. - CVE-2015-1245: Use-after-free in PDFium. Credit to Khalil Zhani. - CVE-2015-1246: Out-of-bounds read in Blink. Credit to Atte Kettunen. - CVE-2015-1247: Scheme issues in OpenSearch. Credit to Jann Horn. - CVE-2015-1248: SafeBrowsing bypass. Credit to Vittorio Gambaletta. - CVE-2015-1249: Various fixes from internal audits, fuzzing and other initiatives. Also multiple issues in v8 4.2.77.14. clamav (0.98.7+dfsg-0+deb8u1) stable; urgency=high . [ Andreas Cadhalpun ] * Fix variable name mismatch in clamav-milter.postinst in order to make preseeding work correctly. (Closes: #778445) * Rename DEBCONFILE to DEBCONFFILE in clamav-freshclam.postinst making it consistent with the other postinst scripts. * Build against libsystemd-dev. (Closes: #779758) * Drop 'XS-Testsuite: autopkgtest' from debian/control. Debhelper automatically adds the Testsuite field. This fixes the lintian warning xs-testsuite-header-in-debian-control. * Shorten debian/copyright. This fixes some lintian warnings: - dep5-copyright-license-name-not-unique - wildcard-matches-nothing-in-dep5-copyright - unused-file-paragraph-in-dep5-copyright * Use pathfind to avoid hardcoding paths. This fixes command-with-path-in-maintainer-script lintian warnings. * Fix syntax errors in clamav-freshclam.postinst. Thanks piuparts! * Fix cleanup on purge in clamav-base.postrm. * Use SocketUser, SocketGroup and RemoveOnStop systemd socket options instead of using ExecStartPost and ExecStopPost for that. * Respect clamav-daemon's LocalSocket* options with the systemd unit by extending the clamav-daemon.socket file appropriately, when running dpkg-reconfigure clamav-daemon. (Closes: #783720) * Disable this extendend configuration, when handling the configuration file with debconf is disabled. * Disable clamav-daemon.socket in prerm script. . [ Sebastian Andrzej Siewior ] * Replace ” with " in debian/common_functions (Closes: #781088) * Drop __DATE__ from tfm to make the package build reproducible with -Werror=date-time. With this change faketime is no longer required. * Import new upstream: - Improvements to PDF processing: decryption, escape sequence handling, and file property collection. - Scanning/analysis of additional Microsoft Office 2003 XML format. - Fix infinite loop condition on crafted y0da cryptor file. Identified and patch suggested by Sebastian Andrzej Siewior. CVE-2015-2221. - Fix crash on crafted petite packed file. Reported and patch supplied by Sebastian Andrzej Siewior. CVE-2015-2222. - Fix false negatives on files within iso9660 containers. This issue was reported by Minzhuan Gong. - Fix a couple crashes on crafted upack packed file. Identified and patches supplied by Sebastian Andrzej Siewior. - Fix a crash during algorithmic detection on crafted PE file. Identified and patch supplied by Sebastian Andrzej Siewior. - Fix an infinite loop condition on a crafted "xz" archive file. This was reported by Dimitri Kirchner and Goulven Guiheux. CVE-2015-2668. - Fix compilation error after ./configure --disable-pthreads. Reported and fix suggested by John E. Krokes. - Apply upstream patch for possible heap overflow in Henry Spencer's regex library. CVE-2015-2305 (Closes: #778406). - Fix crash in upx decoder with crafted file. Discovered and patch supplied by Sebastian Andrzej Siewior. CVE-2015-2170. - Fix segfault scanning certain HTML files. Reported with sample by Kai Risku. - Improve detections within xar/pkg files. * update GPG key used to verify releases to get uscan/get_orig.sh working again. * update symbol version for cl_retflevel due to CL_FLEVEL change. clamav (0.98.7+dfsg-0+deb7u1) oldstable; urgency=high . [ Andreas Cadhalpun ] * Fix variable name mismatch in clamav-milter.postinst in order to make preseeding work correctly. (Closes: #778445) * Drop 'XS-Testsuite: autopkgtest' from debian/control. Debhelper automatically adds the Testsuite field. This fixes the lintian warning xs-testsuite-header-in-debian-control. * Fix cleanup on purge in clamav-base.postrm. . [ Sebastian Andrzej Siewior ] * Replace ” with " in debian/common_functions (Closes: #781088) * Import new upstream: - Improvements to PDF processing: decryption, escape sequence handling, and file property collection. - Scanning/analysis of additional Microsoft Office 2003 XML format. - Fix infinite loop condition on crafted y0da cryptor file. Identified and patch suggested by Sebastian Andrzej Siewior. CVE-2015-2221. - Fix crash on crafted petite packed file. Reported and patch supplied by Sebastian Andrzej Siewior. CVE-2015-2222. - Fix false negatives on files within iso9660 containers. This issue was reported by Minzhuan Gong. - Fix a couple crashes on crafted upack packed file. Identified and patches supplied by Sebastian Andrzej Siewior. - Fix a crash during algorithmic detection on crafted PE file. Identified and patch supplied by Sebastian Andrzej Siewior. - Fix an infinite loop condition on a crafted "xz" archive file. This was reported by Dimitri Kirchner and Goulven Guiheux. CVE-2015-2668. - Fix compilation error after ./configure --disable-pthreads. Reported and fix suggested by John E. Krokes. - Apply upstream patch for possible heap overflow in Henry Spencer's regex library. CVE-2015-2305 (Closes: #778406). - Fix crash in upx decoder with crafted file. Discovered and patch supplied by Sebastian Andrzej Siewior. CVE-2015-2170. - Fix segfault scanning certain HTML files. Reported with sample by Kai Risku. - Improve detections within xar/pkg files. * update GPG key used to verify releases to get uscan/get_orig.sh working again. * update symbol version for cl_retflevel due to CL_FLEVEL change. clamav (0.98.7+dfsg-0+deb6u2) squeeze-lts; urgency=medium . * Don't error out if rar file cat fails to work around arch/indep issues on squeeze clamav (0.98.7+dfsg-0+deb6u1) squeeze-lts; urgency=high . [ Andreas Cadhalpun ] * Fix variable name mismatch in clamav-milter.postinst in order to make preseeding work correctly. (Closes: #778445) * Drop 'XS-Testsuite: autopkgtest' from debian/control. Debhelper automatically adds the Testsuite field. This fixes the lintian warning xs-testsuite-header-in-debian-control. * Fix cleanup on purge in clamav-base.postrm. . [ Sebastian Andrzej Siewior ] * Replace ” with " in debian/common_functions (Closes: #781088) * Import new upstream: - Improvements to PDF processing: decryption, escape sequence handling, and file property collection. - Scanning/analysis of additional Microsoft Office 2003 XML format. - Fix infinite loop condition on crafted y0da cryptor file. Identified and patch suggested by Sebastian Andrzej Siewior. CVE-2015-2221. - Fix crash on crafted petite packed file. Reported and patch supplied by Sebastian Andrzej Siewior. CVE-2015-2222. - Fix false negatives on files within iso9660 containers. This issue was reported by Minzhuan Gong. - Fix a couple crashes on crafted upack packed file. Identified and patches supplied by Sebastian Andrzej Siewior. - Fix a crash during algorithmic detection on crafted PE file. Identified and patch supplied by Sebastian Andrzej Siewior. - Fix an infinite loop condition on a crafted "xz" archive file. This was reported by Dimitri Kirchner and Goulven Guiheux. CVE-2015-2668. - Fix compilation error after ./configure --disable-pthreads. Reported and fix suggested by John E. Krokes. - Apply upstream patch for possible heap overflow in Henry Spencer's regex library. CVE-2015-2305 (Closes: #778406). - Fix crash in upx decoder with crafted file. Discovered and patch supplied by Sebastian Andrzej Siewior. CVE-2015-2170. - Fix segfault scanning certain HTML files. Reported with sample by Kai Risku. - Improve detections within xar/pkg files. * update GPG key used to verify releases to get uscan/get_orig.sh working again. * update symbol version for cl_retflevel due to CL_FLEVEL change. . [ Scott Kitterman ] * Drop minimum debhelper version to 8 for squeeze and drop indep specific override of dh_installdocs * Manually patch in results of autoreconf since dh_autoreconf is too old and package FTBFS otherwise * Drop procps requirement and dpkg minimum version requirement since squeeze versions are too old and revert init script changes for freshclam, daemon, and milter to use the squeeze versions of the init scripts (also restore required functions to debian/common_functions) clamav (0.98.6+dfsg-3) unstable; urgency=medium . * Fix syntax errors in clamav-freshclam.postinst. Thanks piuparts! * Fix cleanup on purge in clamav-base.postrm. clamav (0.98.6+dfsg-2) unstable; urgency=medium . [ Andreas Cadhalpun ] * Fix variable name mismatch in clamav-milter.postinst in order to make preseeding work correctly. (Closes: #778445) * Fix clamav-daemon installability with custom PidFile. Thanks to Andy Dorman for the bug report and patch. (Closes: #778507) * Rename DEBCONFILE to DEBCONFFILE in clamav-freshclam.postinst making it consistent with the other postinst scripts. * Build against libsystemd-dev. (Closes: #779758) * Drop 'XS-Testsuite: autopkgtest' from debian/control. Debhelper automatically adds the Testsuite field. This fixes the lintian warning xs-testsuite-header-in-debian-control. * Shorten debian/copyright. This fixes some lintian warnings: - dep5-copyright-license-name-not-unique - wildcard-matches-nothing-in-dep5-copyright - unused-file-paragraph-in-dep5-copyright * Use pathfind to avoid hardcoding paths. This fixes command-with-path-in-maintainer-script lintian warnings. . [ Sebastian Andrzej Siewior ] * Replace ” with " in debian/common_functions (Closes: #781088) * Drop __DATE__ from tfm to make the package build reproducible with -Werror=date-time. With this change faketime is no longer required. clamav (0.98.6+dfsg-1+deb8u1) jessie; urgency=medium . [ Andreas Cadhalpun ] * Fix clamav-daemon installability with custom PidFile. Thanks to Andy Dorman for the bug report and patch. (Closes: #778507) cproto (4.7l-3+deb8u1) jessie; urgency=low . * Fix functional regression vs. 4.7j-5 in wheezy (closes: #784719). - Modify debian/rules to put back --enable-llib configure option, by adding override_dh_auto_configure. This option was accidentally lost in version 4.7j-7 while converting to debhelper 7. This disabled the -X command line option in the cproto program, a regression vs. wheezy. curl (7.38.0-4+deb8u2) jessie-security; urgency=high . * Don't send sensitive HTTP server headers to proxies as per CVE-2015-3153 http://curl.haxx.se/docs/adv_20150429.html curl (7.38.0-4+deb8u1) jessie-security; urgency=high . * Fix re-using authenticated connection when unauthenticated as per CVE-2015-3143 http://curl.haxx.se/docs/adv_20150422A.html * Fix host name out of boundary memory access as per CVE-2015-3144 http://curl.haxx.se/docs/adv_20150422D.html * Fix cookie parser out of boundary memory access as per CVE-2015-3145 http://curl.haxx.se/docs/adv_20150422C.html * Fix Negotiate not treated as connection-oriented as per CVE-2015-3148 http://curl.haxx.se/docs/adv_20150422B.html cwm (5.5-1+deb8u1) stable; urgency=low . * Fix "Lookups for 'exec' and 'wm' fail on XFS" by adding an extra check using lstat() if the d_type check fails (Closes: #783588) dbus (1.8.18-0+deb8u1) jessie; urgency=medium . * New upstream bugfix release - Hardening: lock down the session bus to only allow EXTERNAL auth by default, the same as the system bus. This avoids allowing DBUS_COOKIE_SHA1, which can end up using a predictable random source on systems where /dev/urandom is unavailable or dbus-daemon runs out of memory. See the upstream NEWS for more details. dbus (1.8.16-2) unstable; urgency=medium . * Merge packaging changes (but not the new upstream branch) from experimental: - Move Vcs-Git to cgit; go via https, because we can - Standards-Version: 3.9.6 (no changes needed) - Remove debian/source/local-options, no longer necessary (dpkg-source now unapplies patches after the build if they were unapplied before) - Configure gbp-pq to export patches without patch numbers, and re-export our long-standing Debian patch in that format - dbus-x11: use dbus-x11.install for the Xsession hook - If DEB_BUILD_OPTIONS=noudeb, don't do the udeb build, for a 30% speedup - Change the check for requiring a reboot to be init-system-agnostic so Ubuntu can stop patching it (partially addresses #712167) * Security hardening: build position-independent executables for better ASLR * Security hardening: build with bindnow, so relro (which is already on by default) can make the entire PLT read-only * Transcode debian/rules from Latin-1 to UTF-8 * Reproducible build: remove dates from man pages using sed * Reproducible build: patch Doxyfile.in to not include timestamps in HTML documentation debian-installer (20150422+deb8u1) jessie; urgency=medium . [ Martin Michlmayr ] * Append DTB for SheevaPlug, SheevaPlug eSATA and GuruPlug. (Closes: #785588) . [ Cyril Brulebois ] * Enable p-u in debian/rules for the jessie point releases. debian-installer-netboot-images (20150422+deb8u1) jessie; urgency=medium . * Update to 20150422+deb8u1 images, from jessie-proposed-updates debian-lan-config (0.19+deb8u1) stable-proposed-updates; urgency=medium . * Fix package names on i386. * Workarounds: #759424 (di-n-a) removed, #774033 (deadlock) added. - With the NMUed di-netboot-assistant package available in jessie, only chain.c32 has to be copied to the tftp-boot directory. It is needed to boot from the local disk in the Debian-LAN PXE menu. - The Debian-LAN live system freezes when mounting the home directory with NFSv4. Switch back to NFSv3 which works fine. * Fix squid configuration: Modify ordering to succeed in a single cfengine pass. * Comment 'browser-plugin-gnash' and 'adzapper' in the package-list and the corresponding script: These packages did not make it into jessie. * Define the replacement of exim4-daemon-light by exim4-daemon-heavy and sudo by sudo-ldap to make conversion more robust. * Describe how to use an arbitrary hostname for the 'mainserver'. * Add libcgi-fast-perl to make the zoom in munin work. didjvu (0.2.8-1+deb8u1) stable; urgency=medium . * add fix-insecure-use-of-tmp-when-calling-c44.diff on security issue (Closes: #784888). django-markupfield (1.2.1-2+deb8u1) jessie-security; urgency=high . * Security Upload * Include fix for remote file inclusion, CVE-2015-0846, thanks to James P. Turk for finding this bug and providing a fix. dnsmasq (2.72-3+deb8u1) jessie-security; urgency=high . * Non-maintainer upload by the Security Team. * CVE-2015-3294: denial of service and memory disclosure via malformed DNS requests (Closes: #783459) ejabberd (14.07-4+deb8u1) jessie; urgency=low . * Drop debian/ejabberd.8 as there is no "ejabberd" executable anymore * Add --enable-transient_supervisors build-flag (Closes: #782794) * Accept trailing newline characters in Base64 strings (Closes: #782725) elasticsearch (1.0.3+dfsg-5+deb8u1) jessie-security; urgency=high . * Added patch to fix directory traversal bug (CVE-2015-3337) exactimage (0.8.9-7+deb8u1) jessie; urgency=high . * Fix CVE-2015-3885: Integer overflow in the ljpeg_start function in dcraw * debian/patches: - Add CVE-2015-3885.patch, Avoid overflow in ljpeg_start() (Closes: #786785) - Add draw_jpeg_fix.patch, Fix execution order of ljpeg_start() and result check fai (4.3.1+deb8u1) jessie; urgency=high . * setup-storage: add support for parted 2.4, Closes: #785804 * fai: Fix IP address lifetime, Closes: #780144 * update copyright year to 2015 feed2imap (1.2.3-1+deb8u1) jessie; urgency=medium . * debian/patches/0001-Fix-usage-of-filters.patch: apply upstream patch to fix usage of filters (Closes: #783444) * debian/patches/0002-Fix-regression-in-include-images-option.patch: apply upstream patch to fix the `include-images` option (Closes: #784591) freeorion (0.4.4-2+deb8u1) jessie; urgency=medium . * Add fix-FTBFS.patch, fix compiler errors so that FreeOrion can be built from source again. (Closes: #783839) fuse (2.9.3-15+deb8u1) jessie-security; urgency=high . * Non-maintainer upload by the Security Team. * Add 0007-CVE-2015-3202.patch patch. CVE-2015-3202: Missing scrubbing of the environment before executing a mount or umount of a filesystem. fusionforge (5.3.2+20141104-3+deb8u1) jessie-security; urgency=high . * CVE-2015-0850: Prevent arbitrary command execution via clone URL parameter of the method to create secondary Git repositories. Found by Ansgar Burchardt . ganeti (2.12.4-1~deb8u1) jessie; urgency=medium . [ Apollon Oikonomopoulos ] * New upstream bugfix release (see /usr/share/doc/ganeti/NEWS.gz): Fixes in 2.12.1: + Clean up stale livelock files + Fix setting up the metadata daemon's network interface for Xen + Make the watcher visible on the reason trail on disk activation + Allow `gnt-instance grow-disk' to ignore instance policy + Fix counting votes when doing master failover + Properly check for IPv6 use before making an SSH connection + Properly check if an instance exists in `gnt-instance console' . Fixes in 2.12.2: + Detect and report non-master status on socket connection errors (closes: #783388, #781084) + Improve error handling when looking up instances (closes: #776770) + SSH keys are now distributed only to master and master candidates + Improve performance for operations with frequent configuration reads + Improve robustness of spawning job processes, fixing timeouts + Fix a race condition that caused cluster verify to fail + Fix failing automatic glusterfs mounts + Fix watcher failing to read its status file on upgrade + Fix Xen instance state handling, taking transitional states into account (closes: #776772) + Fix conversion of diskless DRBD instances to plain + Fix upgrades from pre-2.6 versions, by handling hv_state_static and disk_state_static configuration fields + Fix a memory leak in the monitoring daemon + Fix a file descriptor leak in the ConfD client . Fixes in 2.12.3: + Fix config.data upgrade issues from older versions (closes: #783186) + Do not allow the master node to lose its master capability + Properly display externally reserved IPs in `gnt-network info' output + Properly distribute ssconf_hvparams_* using ssconf + Improve `gnt-cluster renew-crypto' robustness against node reachability errors + Make sure the master IP is always removed from the old master after master-failover + Work around Python's os.minor() not supporting devices with high (> 255) minor numbers (closes: #782073) + Fix Luxid failure when DNS returns an IPv6 address that does not reverse resolve . Fixes in 2.12.4: + Fix a performance regression in 2.12 during gnt-cluster verify and gnt-cluster verify-disks (high CPU usage) (closes: #784620). + Make the RAPI responsive after master-failover. + Fix gnt-cluster verify reporting existing instance disks on non-default VGs as missing. * Drop fix-wconfd-metad patch, merged upstream. * d/copyright: adjust copyright years . [ Gregory Potamianos ] * molly-guard: detect master status and warn when attempting to shutdown or reboot the master node. . [ Debconf translations ] * Dutch (Frans Spiesschaert, closes: #765856) * Swedish (Martin Bagge, closes: #769870) ganeti (2.12.4-1~bpo8+1) jessie-backports; urgency=medium . * Rebuild for jessie-backports. . ganeti (2.12.4-1) unstable; urgency=medium . * New upstream bugfix release (see /usr/share/doc/ganeti/NEWS.gz), including the following fixes: + Fix a performance regression in 2.12 during gnt-cluster verify and gnt-cluster verify-disks (high CPU usage) (closes: #784620). + Make the RAPI responsive after master-failover. + Fix gnt-cluster verify reporting existing instance disks on non-default VGs as missing. * Drop GHC 7.8 patch + It is part of the 2.12.4 release. * Drop dh_autoreconf + Not needed after removing the GHC 7.8 patch. . ganeti (2.12.3-1) unstable; urgency=medium . [ Apollon Oikonomopoulos ] * New upstream bugfix release (see /usr/share/doc/ganeti/NEWS.gz): Fixes in 2.12.1: + Clean up stale livelock files + Fix setting up the metadata daemon's network interface for Xen + Make the watcher visible on the reason trail on disk activation + Allow `gnt-instance grow-disk' to ignore instance policy + Fix counting votes when doing master failover + Properly check for IPv6 use before making an SSH connection + Properly check if an instance exists in `gnt-instance console' . Fixes in 2.12.2: + Detect and report non-master status on socket connection errors (closes: #783388, #781084) + Improve error handling when looking up instances (closes: #776770) + SSH keys are now distributed only to master and master candidates + Improve performance for operations with frequent configuration reads + Improve robustness of spawning job processes, fixing timeouts + Fix a race condition that caused cluster verify to fail + Fix failing automatic glusterfs mounts + Fix watcher failing to read its status file on upgrade + Fix Xen instance state handling, taking transitional states into account (closes: #776772) + Fix conversion of diskless DRBD instances to plain + Fix upgrades from pre-2.6 versions, by handling hv_state_static and disk_state_static configuration fields + Fix a memory leak in the monitoring daemon + Fix a file descriptor leak in the ConfD client . Fixes in 2.12.3: + Fix config.data upgrade issues from older versions (closes: #783186) + Do not allow the master node to lose its master capability + Properly display externally reserved IPs in `gnt-network info' output + Properly distribute ssconf_hvparams_* using ssconf + Improve `gnt-cluster renew-crypto' robustness against node reachability errors + Make sure the master IP is always removed from the old master after master-failover + Work around Python's os.minor() not supporting devices with high (> 255) minor numbers (closes: #782073) + Fix Luxid failure when DNS returns an IPv6 address that does not reverse resolve * Backport upstream commits to fix compilation under GHC 7.8: + b78a2c3 Makefile.am: Fix wrong -dep-suffix for GHC 7.8 + 083776b Fix compiler invocation for GHC >= 7.8 + 9664aff Makefile.am: Don't use dots in -osuf + 1ad14f3 Makefile.am: Don't use -dynamic-too for .hpc_o files * Build-depend on dh-autoreconf and use dh_autoreconf to make the GHC 7.8 patch effective * Drop fix-wconfd-metad patch, merged upstream. * d/copyright: adjust copyright years . [ Gregory Potamianos ] * molly-guard: detect master status and warn when attempting to shutdown or reboot the master node. . [ Debconf translations ] * Dutch (Frans Spiesschaert, closes: #765856) * Swedish (Martin Bagge, closes: #769870) ganeti (2.12.3-1) unstable; urgency=medium . [ Apollon Oikonomopoulos ] * New upstream bugfix release (see /usr/share/doc/ganeti/NEWS.gz): Fixes in 2.12.1: + Clean up stale livelock files + Fix setting up the metadata daemon's network interface for Xen + Make the watcher visible on the reason trail on disk activation + Allow `gnt-instance grow-disk' to ignore instance policy + Fix counting votes when doing master failover + Properly check for IPv6 use before making an SSH connection + Properly check if an instance exists in `gnt-instance console' . Fixes in 2.12.2: + Detect and report non-master status on socket connection errors (closes: #783388, #781084) + Improve error handling when looking up instances (closes: #776770) + SSH keys are now distributed only to master and master candidates + Improve performance for operations with frequent configuration reads + Improve robustness of spawning job processes, fixing timeouts + Fix a race condition that caused cluster verify to fail + Fix failing automatic glusterfs mounts + Fix watcher failing to read its status file on upgrade + Fix Xen instance state handling, taking transitional states into account (closes: #776772) + Fix conversion of diskless DRBD instances to plain + Fix upgrades from pre-2.6 versions, by handling hv_state_static and disk_state_static configuration fields + Fix a memory leak in the monitoring daemon + Fix a file descriptor leak in the ConfD client . Fixes in 2.12.3: + Fix config.data upgrade issues from older versions (closes: #783186) + Do not allow the master node to lose its master capability + Properly display externally reserved IPs in `gnt-network info' output + Properly distribute ssconf_hvparams_* using ssconf + Improve `gnt-cluster renew-crypto' robustness against node reachability errors + Make sure the master IP is always removed from the old master after master-failover + Work around Python's os.minor() not supporting devices with high (> 255) minor numbers (closes: #782073) + Fix Luxid failure when DNS returns an IPv6 address that does not reverse resolve * Backport upstream commits to fix compilation under GHC 7.8: + b78a2c3 Makefile.am: Fix wrong -dep-suffix for GHC 7.8 + 083776b Fix compiler invocation for GHC >= 7.8 + 9664aff Makefile.am: Don't use dots in -osuf + 1ad14f3 Makefile.am: Don't use -dynamic-too for .hpc_o files * Build-depend on dh-autoreconf and use dh_autoreconf to make the GHC 7.8 patch effective * Drop fix-wconfd-metad patch, merged upstream. * d/copyright: adjust copyright years . [ Gregory Potamianos ] * molly-guard: detect master status and warn when attempting to shutdown or reboot the master node. . [ Debconf translations ] * Dutch (Frans Spiesschaert, closes: #765856) * Swedish (Martin Bagge, closes: #769870) gdnsd (2.1.2-1~deb8u1) stable; urgency=medium . * Backport as a stable update. gnome-shell (3.14.4-1~deb8u1) jessie; urgency=low . * New upstream translation and bugfix release. + Includes workaround for #768896 which is very annoying for users of the proprietary nvidia driver. * 01_network_list.patch, 02_auth_prompt.patch, 50-compute-weeknumber-with-gdatetime.patch: dropped, merged upstream. * Bump (build-)dependencies on mutter as usual. gnutls28 (3.3.8-6+deb8u1) jessie; urgency=medium . * Reupload 3.3.8-7 unchanged for first point release: 45_eliminated-double-free.diff 46_Better-fix-for-the-double-free.diff: Pull two patches from upstream to a use-after-free flaw in gnutls_x509_ext_import_crl_dist_points(). CVE-2015-3308 Closes: #782776 hello (2.9-2+deb8u1) jessie-security; urgency=low . * Non-maintainer upload by the security team. * No-change test upload to jessie-security. ibus-cangjie (2.2-2+deb8u1) stable; urgency=medium . * Backport 2.4 bugfix (Closes: 782453) * A serious usability issue, where we would in some cases suggest duplicate characters to the users: https://github.com/Cangjians/ibus-cangjie/issues/63 . * A python traceback (in the background, not crashing the engine, but which was nevertheless triggering automatic crash catchers): https://github.com/Cangjians/ibus-cangjie/issues/57 . * An incorrect translation for Taiwan users: https://github.com/Cangjians/ibus-cangjie/issues/61 . * works around another serious usability issue, where the candidate popup was misplaced (i.e not at the input cursor, but at the bottom of the screen) on some applications, most notably Firefox (which is quite the common app) https://github.com/Cangjians/ibus-cangjie/issues/60 icecast2 (2.4.0-1.1+deb8u1) jessie-security; urgency=high . * This fixes a crash (NULL reference) in case URL Auth is used and stream_auth is trigged with no credentials passed by the client. Username and password is now set to empty strings and transmited to the backend server this way. (Closes: #782120, fixes CVE-2015-3026) icedove (31.7.0-1~deb8u1) stable-security; urgency=medium . * [c3c81df] Imported Upstream version 31.7.0 - MFSA 2015-46 aka CVE-2015-2708 - MFSA 2015-47 aka CVE-2015-0797 - MFSA 2015-48 aka CVE-2015-2710 - MFSA 2015-51 aka CVE-2015-2713 - MFSA 2015-54 aka CVE-2015-2716 * [eb8cb5a] adjust gbp.conf for jessie-security branch icedove (31.7.0-1~deb7u1) oldstable-security; urgency=medium . * [c3c81df] Imported Upstream version 31.7.0 - MFSA 2015-46 aka CVE-2015-2708 - MFSA 2015-47 aka CVE-2015-0797 - MFSA 2015-48 aka CVE-2015-2710 - MFSA 2015-51 aka CVE-2015-2713 - MFSA 2015-54 aka CVE-2015-2716 installation-guide (20150423+deb8u1) jessie; urgency=medium . * Backport fixes from sid. . [ Samuel Thibault ] * Give to make-kpkg a "1.0.custom" revision instead of bogus "custom.1.0". Closes: #783613. * Add an example preseed entry for setting up multi-arch. Closes: #785165 . Thanks to Matthew Sweet for the patch. . [ Christian Perrier ] * Fix kernel source compression extension in kernel-baking.xml . [ Holger Wansing ] * Revert to documenting that the text installer is still the default installer. * Remove mention of kfreebsd as supported archs for Jessie ipsec-tools (1:0.8.2+20140711-2+deb8u1) jessie-security; urgency=high . * Non-maintainer upload by the Security Team. * Add bug785778-null-pointer-deref.patch patch. CVE-2015-4047: Fix NULL pointer dereference in racoon in gssapi.c leading to a possible crash and denial of service attack. (Closes: #785778) ircd-hybrid (1:8.2.0+dfsg.1-2+deb8u1) jessie; urgency=medium . * Remove Suggests: hybserv as the package isn't in jessie * Fix a DoS from localhost clients backported from 8.2.6 (Closes: #782859) * Debconf configuration script no longer ignores the result of upgrade questions (Closes: #779082) * Don't display upgrade warnings on new installs (Closes: #782883) * Support chained SSL certificates (Closes: #769741) lastpass-cli (0.3.0-2+deb8u1) stable; urgency=medium . * Update upstream CA certificate (Closes: #786862) libav (6:11.3-1+deb8u1) jessie; urgency=medium . * Fix use of illegal instruction on i586. (Closes: #783082) - debian/confflags: Pass correct value to --cpu. Thanks to Bernhard Übelacker for the patch. - debian/patches: + 01-configure-disable-i686-for-i586.patch: Upstream patch to disable i686 instructions on i586. + 02-configure-disable-ebx-gcc-4.9.patch: Workaround build failure with gcc 4.9 and newer by disabling the use of ebx in handwritten assembler code. Thanks to Bernhard Übelacker for the initial patch. libdatetime-timezone-perl (1:1.75-2+2015d) jessie; urgency=medium . * Update to Olson database version 2015d. Add patch debian/patches olson-2015d, which updates the timezone *.pm files, using upstream's tools/parse_olson script. This update contains contemporary changes for Egypt. libdebian-installer (0.99+deb8u1) jessie; urgency=medium . [ Martin Michlmayr ] * Add device tree variants for supported armel/kirkwood devices. (Closes: #787563) libi18n-charset-perl (1.412-1+deb8u1) jessie; urgency=medium . * Team upload. * Remove a stray 'use blib' line. (Closes: #785502) libinfinity (0.6.6-1~deb8u1) jessie; urgency=medium . * New upstream bugfix release - Check certificates for expiration and weak algorithms even if the CA is trusted. (Closes: #783601) - Fix cursor processing and a crash in the client code. libmodule-signature-perl (0.73-1+deb8u2) jessie-security; urgency=high . * Team upload. * Add 0001-make-skip-work-again.patch patch. Restore --skip functionality for cpansign. (Closes: #785701) libmodule-signature-perl (0.73-1+deb8u1) jessie-security; urgency=high . * Team upload. * Add CVE-2015-3406_CVE-2015-3407_CVE-2015-3408.patch patch. CVE-2015-3406: Module::Signature parses the unsigned portion of the SIGNATURE file as the signed portion due to incorrect handling of PGP signature boundaries. CVE-2015-3407: Module::Signature incorrectly handles files that are not listed in the SIGNATURE file. This includes some files in the t/ directory that would execute when tests are run. CVE-2015-3408: Module::Signature uses two argument open() calls to read the files when generating checksums from the signed manifest, allowing to embed arbitrary shell commands into the SIGNATURE file that would execute during the signature verification process. (Closes: #783451) * Add CVE-2015-3409.patch patch. CVE-2015-3409: Module::Signature incorrectly handles module loading allowing to load modules from relative paths in @INC. A remote attacker providing a malicious module could use this issue to execute arbitrary code during signature verification. (Closes: #783451) * Add Fix-signature-tests.patch patch. Fix signature tests by defaulting to verify(skip=>1) when $ENV{TEST_SIGNATURE} is true. libraw (0.16.0-9+deb8u1) stable; urgency=high . * debian/patches/: patchset updated - 0001-Fix_CVE-2015-3885.patch added | Integer overflow in the ljpeg_start function | in dcraw 7.00 and earlier allows remote attackers | to cause a denial of service (crash) via a | crafted image, which triggers a buffer overflow, | related to the len variable. libreoffice (1:4.3.3-2+deb8u1) unstable; urgency=high . * debian/patches/hwpreader-check-reads.patch: fix "out of bounds write in hwp file filter" (CVE-2015-1774), patch from libreoffice-4-3 branch libreoffice (1:4.3.3-2+deb8u1~bpo70+1) wheezy-backports; urgency=high . * Rebuild for wheezy-backports. . * debian/rules: - comment out some conditionals and they don't exactly do what we want on wheezy-backports and use hardcoded values - fix coinmp conditional, use internal one on wheezy... - use internal icu - see https://bugs.freedesktop.org/show_bug.cgi?id=82229#c38 * debian/rules, debian/shlibs.local.coin: add shlibs.local.coin to override all the internal coin dynamic libraries.... * debian/shlibs.override.icu: update to actual current SOVERSION * debian/rules, debian/shlibs.override.libc: revert libc hack again * debian/patches/icu-icudata-link-fix-armhf.diff: fix internal icu build on armhf ("stolen" from icu package) . libreoffice (1:4.3.3-2+deb8u1) unstable; urgency=high . * debian/patches/hwpreader-check-reads.patch: fix "out of bounds write in hwp file filter" (CVE-2015-1774), patch from libreoffice-4-3 branch libtasn1-6 (4.2-3+deb8u1) jessie-security; urgency=high . * Non-maintainer upload by the Security Team. * Add 20_CVE-2015-3622.diff patch. CVE-2015-3622: heap overflow flaw in _asn1_extract_der_octet(). Prevent past of boundary access in octet string decoding. libtest-signature-perl (1.10-1+deb8u1) jessie-security; urgency=high . * Team upload. * Consider MANIFEST.SKIP when verfying signature as part of testsuites. Set skip => 1 on Module::Signature::verify for compatibility with the fix for CVE-2015-3407 in libmodule-signature-perl. libtest-signature-perl (1.10-1+deb7u1) wheezy-security; urgency=high . * Team upload. * Consider MANIFEST.SKIP when verfying signature as part of testsuites. Set skip => 1 on Module::Signature::verify for compatibility with the fix for CVE-2015-3407 in libmodule-signature-perl. libvncserver (0.9.9+dfsg2-6.1+deb8u1) stable; urgency=medium . * added patch for libgcrypt init before use (Closes: #782570) * replaced non-free sha1 implementation (Closes: #786907) * new maintainer due to package adoption libxml-libxml-perl (2.0116+dfsg-1+deb8u1) jessie-security; urgency=high . * Team upload. * Add CVE-2015-3451.patch patch. CVE-2015-3451: expand_entities set to 0 is not preserved after a _clone() call. (Closes: #783443) linux (3.16.7-ckt11-1) jessie; urgency=medium . * New upstream stable update: http://kernel.ubuntu.com/stable/ChangeLog-3.16.7-ckt10 - fuse: notify: don't move pages - fuse: set stolen page uptodate - dm thin: fix to consistently zero-fill reads to unprovisioned blocks - dm: hold suspend_lock while suspending device during device deletion - dm snapshot: suspend origin when doing exception handover - dm snapshot: suspend merging snapshot when doing exception handover - dm io: deal with wandering queue limits when handling REQ_DISCARD and REQ_WRITE_SAME - [armhf] crypto: arm/aes update NEON AES module to latest OpenSSL version (regression in 3.13) - mac80211: drop unencrypted frames in mesh fwding - mac80211: disable u-APSD queues by default - virtio_console: init work unconditionally - regmap: regcache-rbtree: Fix present bitmap resize (regression in 3.12) - Input: synaptics - fix middle button on Lenovo 2015 products - Input: synaptics - handle spurious release of trackstick buttons - [x86] asm/entry/32: Fix user_mode() misuses - [x86] fpu: Avoid math_state_restore() without used_math() in __restore_xstate_sig() - [x86] fpu: Drop_fpu() should not assume that tsk equals current - mac80211: count interfaces correctly for combination checks (regression in 3.16) - nl80211: ignore HT/VHT capabilities without QoS/WMM - pagemap: do not leak physical addresses to non-privileged userspace (mitigation of the DRAM 'rowhammer' defect) - iscsi-target: Avoid early conn_logout_comp for iser connections - tcm_qla2xxx: Fix incorrect use of __transport_register_session - [arm64] Honor __GFP_ZERO in dma allocations - xfrm: release dst_orig in case of error in xfrm_lookup() (regression in 3.16.6) - [powerpc*] smp: Wait until secondaries are active & online (regression in 3.15) - [powerpc*] iommu: Remove IOMMU device references via bus notifier (regression in 3.14) - [powerpcspe] mpc85xx: Add ranges to etsec2 nodes (regression in 3.16.7-ckt3) - IB/core: Avoid leakage from kernel to user space - timers/tick/broadcast-hrtimer: Fix suspicious RCU usage in idle loop - [x86] KVM: nVMX: mask unrestricted_guest if disabled on L0 - [ppc64el] pseries: Little endian fixes for post mobility device tree update - block: Fix bug in blk_rq_merge_ok (regression in 3.16) - sched: Fix RLIMIT_RTTIME when PI-boosting to RT - mm: fix anon_vma->degree underflow in anon_vma endless growing prevention (regression in 3.16.7-ckt5) - hfsplus: fix B-tree corruption after insertion at position 0 - iio: fix drivers that check buffer->scan_mask - iio: inv_mpu6050: Clear timestamps fifo while resetting hardware fifo - cifs: smb2_clone_range() - exit on unhandled error - cifs: fix use-after-free bug in find_writable_file - xen/balloon: before adding hotplugged memory, set frames to invalid (regression in 3.16) - iio: adc: vf610: use ADC clock within specification - dmaengine: edma: fix memory leak when terminating running transfers - dmaengine: omap-dma: Fix memory leak when terminating running transfer - mac80211: fix RX A-MPDU session reorder timer deletion - net: use for_each_netdev_safe() in rtnl_group_changelink() - net/mlx4_en: Call register_netdevice in the proper location (regression in 3.14) - NFS: fix BUG() crash in notify_change() with patch to chown_common() http://kernel.ubuntu.com/stable/ChangeLog-3.16.7-ckt11 - n_tty: Fix read buffer overwrite when no newline - [x86] KVM: Fix lost interrupt on irr_pending race (regression in 3.16.2) - tcp: prevent fetching dst twice in early demux code - ipv6: protect skb->sk accesses from recursive dereference inside the stack - bonding: Bonding Overriding Configuration logic restored. (regression in 3.14) - ioctx_alloc(): fix vma (and file) leak on failure - [x86] drm/i915/vlv: remove wait for previous GFX clk disable request (regression in 3.16) - SCSI: Defer processing of REQ_PREEMPT requests for blocked devices - ocfs2: _really_ sync the right range (regression in 3.14) - iscsi target: fix oops when adding reject pdu - ext4: fix indirect punch hole corruption - ip_forward: Drop frames with attached skb->sk - ppp: call skb_checksum_complete_unset in ppp_receive_frame - tcp: fix possible deadlock in tcp_send_fin() (regression in 3.16.7-ckt9) - tcp: avoid looping in tcp_send_fin() - [x86] Drivers: hv: vmbus: Fix a bug in the error path in vmbus_open() - [s390x] KVM: fix handling of write errors in the tpi handler - [s390x] KVM: reinjection of irqs can fail in the tpi handler - [x86] compal-laptop: correct invalid hwmon name (regression in 3.14) - [x86] compal-laptop: Fix leaking hwmon device - [x86] compal-laptop: Check return value of power_supply_register (regression in 3.14) - [x86] sched/idle: Restore mwait_idle() to fix boot hangs, to improve power savings and to improve performance - usb: phy: Find the right match in devm_usb_phy_match - [x86] kvm: Revert "remove sched notifier for cross-cpu migrations" (regression in 3.12) - [mips*el/loongson-3] Add IRQF_NO_SUSPEND to Cascade irqaction (regression in 3.16.7-ckt7) - ring-buffer: Replace this_cpu_*() with __this_cpu_*() - UBI: account for bitflips in both the VID header and data - UBI: fix out of bounds write - UBI: fix check for "too many bytes" - Btrfs: fix log tree corruption when fs mounted with -o discard - btrfs: don't accept bare namespace as a valid xattr - [armel,armhf] 8320/1: fix integer overflow in ELF_ET_DYN_BASE - [mips*] Hibernate: flush TLB entries earlier - ext4: make fsync to sync parent dir in no-journal for real this time - iser-target: Fix session hang in case of an rdma read DIF error - iser-target: Fix possible deadlock in RDMA_CM connection error - [x86] vdso: fix pvclock races with task migration (Closes: #784960) - md/raid0: fix bug with chunksize not a power of 2. - ALSA: emu10k1: don't deadlock in proc-functions - [s390x] hibernate: fix save and restore of kernel text section - Btrfs: fix inode eviction infinite loop after extent_same ioctl - Btrfs: fix inode eviction infinite loop after cloning into it - [powerpc/powerpc64,ppc64*] perf: Cap 64bit userspace backtraces to PERF_MAX_STACK_DEPTH (Closes: #784278) - target: Fix COMPARE_AND_WRITE with SG_TO_MEM_NOALLOC handling - fs/binfmt_elf.c: fix bug in loading of PIE binaries - IB/core: disallow registering 0-sized memory region - IB/core: don't disallow registering region starting at 0x0 - target/file: Fix SG table for prot_buf initialization - ptrace: fix race between ptrace_resume() and wait_task_stopped() - nfs: fix high load average due to callback thread sleeping (regression in 3.16.7-ckt8) - [x86] drm/i915: vlv: fix save/restore of GFX_MAX_REQ_COUNT reg (regression in 3.16) - ACPI / scan: Annotate physical_node_lock in acpi_scan_is_offline() (regression in 3.14) - vfs: RCU pathwalk breakage when running into a symlink overmounting something - drivers/of: Add empty ranges quirk for PA-Semi (regression in 3.16.7-ckt3) - [x86] apple-gmux: lock iGP IO to protect from vgaarb changes (regression in 3.16.5) - lib: memzero_explicit: use barrier instead of OPTIMIZER_HIDE_VAR - [arm64] head.S: ensure visibility of page tables (regression in 3.15) - [armhf] crypto: omap-aes - Fix support for unequal lengths - [armhf] fix broken hibernation (regression in 3.16) - jhash: Update jhash_[321]words functions to use correct initval - vti6: fix uninit when using x-netns - [powerpc*] cell: Fix cell iommu after it_page_shift changes (regression in 3.14) - KVM: use slowpath for cross page cached accesses - IB/iser: Fix wrong calculation of protection buffer length - [i386/686-pae] mlx5: wrong page mask if CONFIG_ARCH_DMA_ADDR_T_64BIT enabled for 32Bit architectures - skbuff: Do not scrub skb mark within the same name space (regression in 3.12) - memstick: mspro_block: add missing curly braces - ipv4: Missing sk_nulls_node_init() in ping_unhash(). (CVE-2015-3636) . [ Ben Hutchings ] * debian.py,gencontrol.py: Fix the version sanity checks for backports and security/LTS uploads * Fix error messages at boot on systems without an RTC (Closes: #784146): - [armhf] mvebu: armada-xp-openblocks-ax3-4: Disable internal RTC - rtc: hctosys: do not treat lack of RTC device as error - rtc: hctosys: use function name in the error log * [x86] Input: synaptics: Fix routing of trackpoint buttons on Lenovo 2015 models (Closes: #780862) * [x86] thinkpad_acpi: support new BIOS version string pattern (Closes: #780467) * ext4: fix data corruption caused by unwritten and delayed extents (Closes: #785672) * ext4: move check under lock scope to close a race. * libata: Update Crucial/Micron blacklist * libata: Blacklist queued TRIM on Samsung SSD 850 Pro (Closes: #784152) * [x86] config: Enable NEED_DMA_MAP_STATE by default when SWIOTLB is selected (Closes: #786551) * [arm64] USB: Add support for XHCI on APM Mustang (Closes: #785707) - Enable USB_XHCI_HCD as module, and USB_XHCI_PLATFORM - Make xhci platform driver use 64 bit or 32 bit DMA - Add support for ACPI identification to xhci-platform * md/raid0: fix restore to sector variable in raid0_make_request (regression in 3.16.7-ckt11) * cdc_ncm: Fix tx_bytes statistics (regression in 3.16.7-ckt11) * [x86] e1000e: Add support for Sunrise Point (i219) (Closes: #784546) * [armhf] musb: Backport upstream changes to support multiplatform configuration properly (Closes: #773400) . [ Ian Campbell ] * [armhf] Enable support for Freescale SNVS RTC. (Closes: #782364) * [armhf] Add ehci-orion module to usb-modules udeb. (Closes: #783324) * [armhf] dts: imx53: correct clock-names of SATA node (Closes: #784344) * [armhf+arm64] Enabled generic SYSCON regmap reset driver linux (3.16.7-ckt9-3) unstable; urgency=high . [ Ben Hutchings ] * [x86] crypto: aesni - fix memory usage in GCM decryption (Closes: #782561) (CVE-2015-3331) * tcp: Fix crash in TCP Fast Open (Closes: #782515) (CVE-2015-3332) * kernel: Provide READ_ONCE and ASSIGN_ONCE * Replace use of ACCESS_ONCE on non-scalar types with READ_ONCE or barriers as appropriate * kernel: tighten rules for ACCESS ONCE * kernel: Change ASSIGN_ONCE(val, x) to WRITE_ONCE(x, val) * fs: take i_mutex during prepare_binprm for set[ug]id executables (CVE-2015-3339) . [ Ian Campbell ] * [xen] release per-queue Tx and Rx resource when disconnecting, fixing network after save/restore or migration. (Closes: #782698) linux (3.16.7-ckt9-3~deb8u1) jessie-security; urgency=high . [ Ben Hutchings ] * [x86] crypto: aesni - fix memory usage in GCM decryption (Closes: #782561) (CVE-2015-3331) * tcp: Fix crash in TCP Fast Open (Closes: #782515) (CVE-2015-3332) * kernel: Provide READ_ONCE and ASSIGN_ONCE * Replace use of ACCESS_ONCE on non-scalar types with READ_ONCE or barriers as appropriate * kernel: tighten rules for ACCESS ONCE * kernel: Change ASSIGN_ONCE(val, x) to WRITE_ONCE(x, val) * fs: take i_mutex during prepare_binprm for set[ug]id executables (CVE-2015-3339) . [ Ian Campbell ] * [xen] release per-queue Tx and Rx resource when disconnecting, fixing network after save/restore or migration. (Closes: #782698) linux (3.16.7-ckt9-3~deb8u1~bpo70+1) wheezy-backports; urgency=high . * Rebuild for wheezy: - Disable architectures that weren't part of wheezy - Use gcc-4.6 for all architectures - Change ABI number to 0.bpo.4 - [arm] btrfs: Work around bug in gcc-4.6 (fixes FTBFS) - linux-image: Depend on initramfs-tools without any alternatives, so that neither apt nor aptitude will automatically switch to dracut - debian.py,gencontrol.py: Fix the version sanity checks for backports and security/LTS uploads . linux (3.16.7-ckt9-3~deb8u1) jessie-security; urgency=high . [ Ben Hutchings ] * [x86] crypto: aesni - fix memory usage in GCM decryption (Closes: #782561) (CVE-2015-3331) * tcp: Fix crash in TCP Fast Open (Closes: #782515) (CVE-2015-3332) * kernel: Provide READ_ONCE and ASSIGN_ONCE * Replace use of ACCESS_ONCE on non-scalar types with READ_ONCE or barriers as appropriate * kernel: tighten rules for ACCESS ONCE * kernel: Change ASSIGN_ONCE(val, x) to WRITE_ONCE(x, val) * fs: take i_mutex during prepare_binprm for set[ug]id executables (CVE-2015-3339) . [ Ian Campbell ] * [xen] release per-queue Tx and Rx resource when disconnecting, fixing network after save/restore or migration. (Closes: #782698) mate-desktop (1.8.1+dfsg1-3+deb8u1) jessie-proposed-updates; urgency=medium . * debian/control: + Add to D (libmate-desktop-dev): libstartup-notification0-dev, libdconf-dev. mate-netbook (1.8.1-4+deb8u1) jessie-proposed-updates; urgency=medium . [ Martin Wimpress ] * Add 0002_preserve_configuration.patch. Ensure Window Picker applet doesn't override mate-maximus. (Closes: #785090). mate-utils (1.8.1+dfsg1-2+deb8u1) jessie-proposed-updates; urgency=medium . * debian/patches: + Add 0002_fix-errmsg-text.patch. Show actual error message if loading of the mate-screenshot UI fails. (Closes: #783162). + Update 2001_omit-gfdl-licensed-help-files.patch to avoid patch fuzziness. mercurial (3.1.2-2+deb8u1) jessie-security; urgency=high . * Fix "CVE-2014-9462" by adding patch from_upstream__sshpeer_more_thorough_shell_quoting.patch (Closes: #783237) mew (1:6.6-2+deb8u1) jessie; urgency=medium . * New patch 060_encrypt.patch to fix incorrect keys in encryption (closes: #784721) mew-beta (7.0.50~6.6+0.20140902-1+deb8u1) jessie; urgency=medium . * New patch 060_encrypt.patch to fix incorrect keys in encryption (closes: #784722) multipath-tools (0.5.0-6+deb8u1) jessie; urgency=medium . * [b40599e] Add dm-service-time path checked. Thanks to Mauricio Faria de Oliveira (Closes: #782363) mutter (3.14.4-1~deb8u1) jessie; urgency=low . * New upstream translation and bugfix release. + Includes new function required for the workaround to #768896 which is very annoying for users of the proprietary nvidia driver. * 10_window-actor_unredirect.patch, 11_black_background.patch: dropped, merged upstream. * Bump shlibs due to new function. mysql-5.5 (5.5.43-0+deb8u1) jessie-security; urgency=high . * Non-maintainer upload by the Security Team. * Imported Upstream version 5.5.43 to fix security issues: - http://www.oracle.com/technetwork/topics/security/cpuapr2015-2365600.html - CVE-2015-0499 CVE-2015-0501 CVE-2015-0505 CVE-2015-2571 (Closes: #782645) * Update copyright years for upstream files mysql-5.5 (5.5.43-0+deb7u1) wheezy-security; urgency=high . * Non-maintainer upload by the Security Team. * Imported Upstream version 5.5.43 to fix security issues: - http://www.oracle.com/technetwork/topics/security/cpuapr2015-2365600.html - CVE-2015-0433 CVE-2015-0441 CVE-2015-0499 CVE-2015-0501 CVE-2015-0505 CVE-2015-2568 CVE-2015-2571 CVE-2015-2573 (Closes: #782645) * Update copyright years for upstream files nbd (1:3.8-4+deb8u1) jessie-security; urgency=medium . * Add fix for CVE-2015-0847. Closes: #784657. needrestart (1.2-8+deb8u1) stable; urgency=low . * Add patch 17-fix-interp-use-undef-in-chdir to fix warnings and errors if a process has not got a valid cwd. Closes: #779832 * Add patch 18-fix-kernel-version-sorting to fix the Linux kernel version sorting, so that 4.0 is also considered to be higher than 3.19.x. Closes: #781657 * Add patch 20-fix-perl-warning-dangling-kernel to fix Perl warnings while scanning dangling kernel symlinks. node-groove (2.2.6-1+deb8u1) stable; urgency=medium . * Backport patch to fix cpu usage ntfs-3g (1:2014.2.15AR.2-1+deb8u2) jessie-security; urgency=high . * Non-maintainer upload by the Security Team. * Update 0002-CVE-2015-3202.patch patch. CVE-2015-3202: Missing scrubbing of the environment before executing a mount or umount of a filesystem. The previous fix for CVE-2015-3202 was incomplete and missed the replacement of one execl call with execle. (Closes: #786475) ntfs-3g (1:2014.2.15AR.2-1+deb8u1) jessie-security; urgency=high . * Non-maintainer upload by the Security Team. * Add 0002-CVE-2015-3202.patch patch. CVE-2015-3202: Missing scrubbing of the environment before executing a mount or umount of a filesystem. open-iscsi (2.0.873+git0.3b4b4500-8+deb8u1) stable; urgency=medium . * [725c5c6] Populate udebs in every architecture they are built (Closes: #784092) opencv (2.4.9.1+dfsg-1+deb8u1) jessie; urgency=medium . [ Bernhard Übelacker ] * Build with -march=i586 instead of -march=i686 on i386. (Closes: #784647) openstack-debian-images (1.3~deb8u1) stable-proposed-updates; urgency=medium . * Fixed debian/gbp.conf to use debian/jessie as new packaging branch. * Backport of the version 1.3 from Sid to Jessie: - Removed the tweak of /etc/modules, as acpiphp and pci_hotplug aren't in the Jessie kernel: they are built not as module (Closes: #783340). - Also adds security repository if building an image for Jessie. Previously, this was done only for Wheezy (Closes: #783480). - Adds dbus + libpam-systemd when building a Jessie image, and acpid + acpi-support-base when building a Wheezy image, so that ACPI shutdown works by default (Closes: #783448). - Adds nano as default when not using the --minimal flag (Closes: #783341). osmosis (0.43.1-3+deb8u1) stable-proposed-updates; urgency=medium . * Add patch from upstream to fix java.lang.ClassCastException for java.util.HashMap to org.openstreetmap.osmosis.hstore.PGHStore. (closes: #785257) owncloud (7.0.4+dfsg-4~deb8u1) jessie-security; urgency=medium . * Upload to jessie-security as agreed with the security team owncloud (7.0.4+dfsg-3) unstable; urgency=medium . * Add gbp config file to follow the jessie branch * Backport security fixes from 7.0.5: - Multiple stored XSS in "contacts" application [OC-SA-2015-001] - Multiple stored XSS in "documents" application [OC-SA-2015-002] - Bypass of file blacklist [OC-SA-2015-004] * Run upgrade script with sudo as www-data user * Depend on php5-cli (it is actually used in postinst) pdf2djvu (0.7.17-4+deb8u1) stable; urgency=medium . * added fix-insecure-use-of-tmp-when-executing-c44.diff, fix of security issue TEMP-0784889-495CCA, see #784889 (closed in Sid by 0.7.21-1). pdns (3.4.1-4+deb8u1) jessie-security; urgency=high . * Security update: apply patch for CVE-2015-1868 pdns (3.4.1-4+deb8u1~bpo70+1) wheezy-backports; urgency=high . * Rebuild for wheezy-backports, including security fix for CVE-2015-1868. . pdns (3.4.1-4+deb8u1) jessie-security; urgency=high . * Security update: apply patch for CVE-2015-1868 . pdns (3.4.1-4) unstable; urgency=medium . * Remove DROP INDEX domainmetaidindex from MySQL schema upgrade files. The Debian schema files since at least wheezy didn't have that index, so we can't drop it. It'd be nicer if we could say DROP INDEX IF EXISTS, but apparently there's no such thing in MySQL. Thanks to Andreas Beckmann (Closes: #773345) . pdns (3.4.1-3~bpo70+1) wheezy-backports; urgency=medium . * Rebuild for wheezy-backports. * Remove lmdb backend, as liblmdb-dev is unavailable. * Remove systemd support, as dh-systemd is unavailable * Replace dpkg-parsechangelog -S with wheezy compatible approach * Fix secpoll version. . pdns (3.4.1-3) unstable; urgency=medium . * Fix PACKAGEVERSION not having the actual version. Due to #766559 in dpkg, PACKAGEVERSION ended up not containing the version part. Fixed by using the alternate syntax that dpkg-parsechangelog understands since 1.17.0, thereby avoiding a dependency bump to dpkg 1.17.21. (Closes: #769701) . pdns (3.4.1-2) unstable; urgency=medium . * Bump dpkg-dev dependency for dpkg-parsechangelog -S, which is used to pass the package version to the build process. . pdns (3.4.1-1) unstable; urgency=medium . * Imported Upstream version 3.4.1, a bug fix release, that: * Fixes slaving of DNSSEC-signed zones to NSD or BIND. * Fixes pdnssec increase-serial to not break SOA records in DNSSEC zones. * Adds security status polling. (We set the package vendor and version for this.) * Remove patch 0001-API-Replace-HTTP-Basic-auth-with-static-key-in-custom, which has been applied upstream. * Resync pdns.conf with upstream * Update debian/watch file, as upstream has changed to bz2 files. . pdns (3.4.0-2) unstable; urgency=medium . * Apply patch from upstream switching API auth to a static key. * Install upstream-supplied SQL schema files (Closes: #763555) * Remove bindbackend.conf on purge (Closes: #678929) * Bump Standards-Version to 3.9.6 (no changes) . pdns (3.4.0-1) unstable; urgency=medium . * New upstream release, send to unstable. . pdns (3.4.0~rc1+2014082902-1) experimental; urgency=medium . * Fix typo in init script, causing stop to not work * Add a smoke test as an autopkgtest * Install systemd unit file for pdns * Imported Upstream version 3.4.0~rc1+2014082902 . pdns (3.4.0~rc1+20140829-1) experimental; urgency=medium . * Imported Upstream version 3.4.0~rc1+20140829 . pdns (3.4.0~rc1-1) experimental; urgency=medium . * New upstream release candidate, target experimental * Update schema files for 3.4.0 * Add lmdb, mydns, remote backends * Remove upstream applied patch to honor PKGLIBDIR * Build tests in verbose mode * Explicitly build with bind backend * Stop installing lib*backend.a * Update Vcs-* URLs to anonscm.debian.org * Force usage of libpolarssl.so * Skip make test: the remotebackend tests require various Ruby libraries that we don't have. * Update debian/copyright, the AES files are no longer distributed . pdns (3.3.1-4) unstable; urgency=medium . * Drop unused pdns-backend-mongodb.prerm file * Update schema migration files for 3.3.1. In the case of MySQL, this includes the migration up from 3.0! . pdns (3.3.1-3~bpo70+1) wheezy-backports; urgency=medium . * Rebuild for wheezy-backports. . pdns (3.3.1-3) unstable; urgency=medium . * Correct libdir/pkglibdir usage. PowerDNS upstream abuses autoconf libdir as the package-specific library location, when they should be using pkglibdir instead, which prevented us from correctly setting the multiarch libdir. As the package name is set to 'pdns', modules now go into ${libdir}/pdns, and libdir is now correctly set to the multiarch path, so modules-dir now ends up being (ex.) /usr/lib/x86_64-linux-gnu/pdns. Also fixes embedding the multiarch path as an rpath. . pdns (3.3.1-2) unstable; urgency=medium . * Use pg_config to detect PostgreSQL lib dir (Closes: #750062) . pdns (3.3.1-1) unstable; urgency=medium . * New upstream release. * Remove GRANTs from SQL Schema scripts. The SQL install scripts from upstream used to contain GRANT statements, but these were never needed with dbconfig-common, as the objects are created as the runtime user, plus they can lead to installation failures. * Remove patch "remove-rpath-ldflags-patch" The original issue has been fixed upstream in a better way. * Remove upstream applied patches * Remove duplicate B-D: libpolarssl-dev * Update copyright file, based on work by Marc Haber (Closes: #726401) * Don't overwrite launch= statements in configuration * Resync default pdns.conf . pdns (3.3-2) unstable; urgency=medium . * Fix 3.3-1 SQL upgrade script for PostgreSQL. Thanks to Peter van Dijk for the patch. (Closes: #726945) * Fix FTBFS on s390x. Thanks to Peter van Dijk for the upstream patches. (Closes: #726863) * Add myself to Uploaders * Bump Standards-Version to 3.9.5 (no changes) * Run make with V=1. Needed to get compiler flags into the build log. * Revert "disable dnssec in default configuration to not break updates" Reverting to not break upgrades from wheezy. . pdns (3.3-1) unstable; urgency=low . * The "Habbie saves the World" release . [ Matthijs Möhlmann ] . * Standards-Version: 3.9.4 (no changes needed) * Move files used by dbconfig-common to /usr/share/PACKAGE (Closes: #710360) * Upstream fixes self notification (Closes: #374779) * Added Brazilian Portuguese translation, thanks to Adriano Rafael Gomes (Closes: #718713) * All other nameservers are optional in insserv, so make that happen for pdns too. (Closes: #714145) * Update the default schema for the PostgreSQL backend (Closes: #698911) * Reworked README fixes also #717356 (Closes: #717356) * Add a SQL script for updating the database scheme in PostgreSQL, this will be applied automatically by dbconfig-common if chosen to do so (Closes: #685808, #707761) . [ Marc Haber ] * be more robust with chmod in pdns-server.postinst. Thanks to Peter van Dijk (Closes: #716859) * fix exit code of init script to be more LSB compliant. (Closes: #708861) * remove unnecessary MySQL dependency (Upstream #1032). Adapt patches. (Closes: #725073) * remove double code from postinst. Thanks to Peter van Dijk (Closes: #725195) . pdns (3.3-1~exp1) experimental; urgency=low . * New Upstream Release * Fix for Upstream #555 (patch 2720) to build with botan. This might address #675410, thanks to Florian Obser and Marcus 'darix' Rueckert. * fix ECDSA (upstream patch 3036). (Closes: #697904) * sqlite backend removed upstream. Suggest migration to sqlite3 * remove --disable-recursor, it's a no-op anyway * build with --enable-tools and --enable-unit-tests * remove local manpages that have been incorporated upstream * remove lazy-recursion from default config * refresh patches, remove obsolete patches * disable dnssec in default configuration to not break updates * upstream now has include-dir * Use it instead of include * remove our patch for include * rename config files to .conf * remove --with autotools-dev (see dh-autoreconf(7)) * zap dnslabeltext.cc in clean (see Upstream #554) * ship dnsreplay, dnswasher and dnsscope * add PDNSDEBUG environment variable to all postinst scripts * properly handle pdns.simplebind.conf on installation and purge * re-work conffile handling in postinst and postrm scripts * document changes in configuration syntax/semantics for updaters * depend on lsb-base (>= 3.2-14) * do not call in /lib/init/vars.sh any more (lintian) pdns-recursor (3.6.2-2+deb8u1) jessie-security; urgency=high . * Security update: apply patch for CVE-2015-1868 pdns-recursor (3.6.2-2+deb8u1~bpo70+1) wheezy-backports; urgency=high . * Rebuild for wheezy-backports (including the security fix for CVE-2015-1868). . pdns-recursor (3.6.2-2+deb8u1) jessie-security; urgency=high . * Security update: apply patch for CVE-2015-1868 . pdns-recursor (3.6.2-2~bpo70+2) wheezy-backports; urgency=medium . * Fix secpoll version. * Fix incorrect dpkg-dev dependency. . pdns-recursor (3.6.2-2~bpo70+1) wheezy-backports; urgency=medium . * Rebuild for wheezy-backports. * Adapt for wheezy's dpkg-parsechangelog. * Remove systemd support because dh-systemd is unavailable. . pdns-recursor (3.6.2-2) unstable; urgency=medium . * Set package vendor for security status polling. Requires directly including buildflags.mk so d/rules can modify CXXFLAGS. (Closes: #767701) * d/control: Update Vcs-Git and Vcs-Browser * Fix "smoke" autopkgtest. The test definition was incorrectly copied from the pdns-server package. . pdns-recursor (3.6.2-1) unstable; urgency=high . * Imported Upstream version 3.6.2, a bugfix release (Closes: #767368) * Remove API key patch, which has been incorporated upstream. . pdns-recursor (3.6.1-3) unstable; urgency=medium . * Apply API key patch from upstream * Bump Standards-Version to 3.9.6 (no further changes) . pdns-recursor (3.6.1-2) unstable; urgency=medium . * Drop patch 'pdns-recursor-less-chatty' * Ship native systemd unit file * Enable extra hardening flags (PIE, bindnow) * Add smoke test, testing example.org resolution . pdns-recursor (3.6.1-1~bpo70+1) wheezy-backports; urgency=high . * Rebuild for wheezy-backports. . pdns-recursor (3.6.1-1) unstable; urgency=high . * Imported Upstream version 3.6.1 Fixes security issue: CVE-2014-3614 . pdns-recursor (3.6.0-2~bpo70+1) wheezy-backports; urgency=medium . * Rebuild for wheezy-backports. . pdns-recursor (3.6.0-2) unstable; urgency=medium . [ Christian Hofstaedtler ] * Update debian/copyright file * Remove boilerplate from debian/watch * Update init script options: Removed X-Start-After and X-Stop-Before, which were sent to irrelevant services, and updated Description fields. * Add status target to init script. Thanks to Iain Georgeson (Closes: #730684) . [ SATOH Fumiyasu ] * Enable resolvconf hooks only when $RESOLVCONF is set to 'yes' (Closes: #722659) . pdns-recursor (3.6.0-1) unstable; urgency=medium . * Imported Upstream version 3.6.0 * Drop upstream applied patches 1443, 1444, 1445 . pdns-recursor (3.6.0~rc1-2) unstable; urgency=medium . * Switch to Lua 5.2 . pdns-recursor (3.6.0~rc1-1) unstable; urgency=medium . * Imported Upstream version 3.6.0~rc1 * Replace local patches with upstream PRs do-not-strip-binaries, hurd-ftbfs-patch, kfreebsd-ftbfs-patch and remove-pdns_hw-patch are now pending upstream approval and merge. * Add myself to Uploaders * Bump Standards-Version to 3.9.5 . pdns-recursor (3.5.3-1) unstable; urgency=low . * New upstream version . pdns-recursor (3.5.2-2) unstable; urgency=low . * Enable on all architectures (Closes: #579194) . pdns-recursor (3.5.2-1) unstable; urgency=low . * New upstream version (Closes: #710048, #682851, #671592, #697355, #649724) - Refresh patches * Improve the patch to make pdns-recursor less chatty * Standards-Version: 3.9.4 (no changes necessary) * Remove pdns_hw on cleanup (Closes: #652833) perl (5.20.2-3+deb8u1) jessie; urgency=medium . * Make the perl debugger work with threaded programs again. Thanks to James McCoy. (Closes: #779357) pgbouncer (1.5.4-6+deb8u1) jessie; urgency=medium . * Fix remote crash - invalid packet order causes lookup of NULL pointer. Not exploitable, just DoS. (CVE-2015-4054) Cherry-picked from upstream 1.5.5. php-horde (5.2.1+debian0-2+deb8u1) stable; urgency=medium . * Fix XSS in group administration (Closes: #785364) php-horde-passwd (5.0.2-3+deb8u1) stable; urgency=medium . * Fix Kolab driver password change (Closes: #780670) phpbb3 (3.0.12-5+deb8u1) jessie; urgency=medium . * Fix possible redirection on Chrome: an insufficient check allowed users of the Google Chrome browser to be redirected to external domains (e.g. on login) [CVE-2015-3880] postgresql-9.1 (9.1.16-0+deb8u1) stable-security; urgency=medium . * New upstream version, relevant PL/Perl change: . + Improve detection of system-call failures (Noah Misch) . Our replacement implementation of snprintf() failed to check for errors reported by the underlying system library calls; the main case that might be missed is out-of-memory situations. In the worst case this might lead to information exposure, due to our code assuming that a buffer had been overwritten when it hadn't been. Also, there were a few places in which security-relevant calls of other system library functions did not check for failure. . It remains possible that some calls of the *printf() family of functions are vulnerable to information disclosure if an out-of-memory error occurs at just the wrong time. We judge the risk to not be large, but will continue analysis in this area. (CVE-2015-3166) . * Repository moved to git, update Vcs headers. postgresql-9.1 (9.1.16-0+deb7u2) wheezy-security; urgency=medium . * Fix fsync-at-startup code to not treat errors as fatal. (Abhijit Menon-Sen and Tom Lane, Closes: #786874) postgresql-9.1 (9.1.16-0+deb7u1) wheezy-security; urgency=medium . * New upstream version. . + Avoid possible crash when client disconnects just before the authentication timeout expires (Benkocs Norbert Attila) . If the timeout interrupt fired partway through the session shutdown sequence, SSL-related state would be freed twice, typically causing a crash and hence denial of service to other sessions. Experimentation shows that an unauthenticated remote attacker could trigger the bug somewhat consistently, hence treat as security issue. (CVE-2015-3165) . + Improve detection of system-call failures (Noah Misch) . Our replacement implementation of snprintf() failed to check for errors reported by the underlying system library calls; the main case that might be missed is out-of-memory situations. In the worst case this might lead to information exposure, due to our code assuming that a buffer had been overwritten when it hadn't been. Also, there were a few places in which security-relevant calls of other system library functions did not check for failure. . It remains possible that some calls of the *printf() family of functions are vulnerable to information disclosure if an out-of-memory error occurs at just the wrong time. We judge the risk to not be large, but will continue analysis in this area. (CVE-2015-3166) . + In contrib/pgcrypto, uniformly report decryption failures as Wrong key or corrupt data (Noah Misch) . Previously, some cases of decryption with an incorrect key could report other error message texts. It has been shown that such variance in error reports can aid attackers in recovering keys from other systems. While it's unknown whether pgcrypto's specific behaviors are likewise exploitable, it seems better to avoid the risk by using a one-size-fits-all message. (CVE-2015-3167) . * Repository moved to git, update Vcs headers. postgresql-9.4 (9.4.3-0+deb8u1) jessie; urgency=medium . * New upstream version: Avoid failures while fsync'ing data directory during crash restart (Abhijit Menon-Sen, Tom Lane; Closes: #786874) postgresql-9.4 (9.4.2-1) unstable; urgency=medium . * New upstream version. . + Avoid possible crash when client disconnects just before the authentication timeout expires (Benkocs Norbert Attila) . If the timeout interrupt fired partway through the session shutdown sequence, SSL-related state would be freed twice, typically causing a crash and hence denial of service to other sessions. Experimentation shows that an unauthenticated remote attacker could trigger the bug somewhat consistently, hence treat as security issue. (CVE-2015-3165) . + Improve detection of system-call failures (Noah Misch) . Our replacement implementation of snprintf() failed to check for errors reported by the underlying system library calls; the main case that might be missed is out-of-memory situations. In the worst case this might lead to information exposure, due to our code assuming that a buffer had been overwritten when it hadn't been. Also, there were a few places in which security-relevant calls of other system library functions did not check for failure. . It remains possible that some calls of the *printf() family of functions are vulnerable to information disclosure if an out-of-memory error occurs at just the wrong time. We judge the risk to not be large, but will continue analysis in this area. (CVE-2015-3166) . + In contrib/pgcrypto, uniformly report decryption failures as Wrong key or corrupt data (Noah Misch) . Previously, some cases of decryption with an incorrect key could report other error message texts. It has been shown that such variance in error reports can aid attackers in recovering keys from other systems. While it's unknown whether pgcrypto's specific behaviors are likewise exploitable, it seems better to avoid the risk by using a one-size-fits-all message. (CVE-2015-3167) . + Protect against wraparound of multixact member IDs (Álvaro Herrera, Robert Haas, Thomas Munro) . Under certain usage patterns, the existing defenses against this might be insufficient, allowing pg_multixact/members files to be removed too early, resulting in data loss. The fix for this includes modifying the server to fail transactions that would result in overwriting old multixact member ID data, and improving autovacuum to ensure it will act proactively to prevent multixact member ID wraparound, as it does for transaction ID wraparound. . + pg_dump -Fd -Z compression level fixed. (Closes: #781361) . * Make postgresql-9.4 Recommends: postgresql-contrib-9.4. * Enable TAP tests. * Repository moved to git, update Vcs headers. postgresql-9.4 (9.4.2-0+deb8u1) stable-security; urgency=medium . * New upstream version. . + Avoid possible crash when client disconnects just before the authentication timeout expires (Benkocs Norbert Attila) . If the timeout interrupt fired partway through the session shutdown sequence, SSL-related state would be freed twice, typically causing a crash and hence denial of service to other sessions. Experimentation shows that an unauthenticated remote attacker could trigger the bug somewhat consistently, hence treat as security issue. (CVE-2015-3165) . + Improve detection of system-call failures (Noah Misch) . Our replacement implementation of snprintf() failed to check for errors reported by the underlying system library calls; the main case that might be missed is out-of-memory situations. In the worst case this might lead to information exposure, due to our code assuming that a buffer had been overwritten when it hadn't been. Also, there were a few places in which security-relevant calls of other system library functions did not check for failure. . It remains possible that some calls of the *printf() family of functions are vulnerable to information disclosure if an out-of-memory error occurs at just the wrong time. We judge the risk to not be large, but will continue analysis in this area. (CVE-2015-3166) . + In contrib/pgcrypto, uniformly report decryption failures as Wrong key or corrupt data (Noah Misch) . Previously, some cases of decryption with an incorrect key could report other error message texts. It has been shown that such variance in error reports can aid attackers in recovering keys from other systems. While it's unknown whether pgcrypto's specific behaviors are likewise exploitable, it seems better to avoid the risk by using a one-size-fits-all message. (CVE-2015-3167) . + Protect against wraparound of multixact member IDs (Álvaro Herrera, Robert Haas, Thomas Munro) . Under certain usage patterns, the existing defenses against this might be insufficient, allowing pg_multixact/members files to be removed too early, resulting in data loss. The fix for this includes modifying the server to fail transactions that would result in overwriting old multixact member ID data, and improving autovacuum to ensure it will act proactively to prevent multixact member ID wraparound, as it does for transaction ID wraparound. . * Repository moved to git, update Vcs headers. pound (2.6-6+deb8u1) jessie-security; urgency=high . * Non-maintainer upload by the security team with maintainer approval. * Add missing part of anti_beast patch to fix disabling of client renegotiation. (Closes: #765649) proftpd-dfsg (1.3.5-1.1+deb8u1) jessie-security; urgency=high . * Non-maintainer upload by the Security Team * Fix CVE-2015-3306: unauthenticated copying of files via SITE CPFR/CPTO allowed by mod_copy (Closes: #782781) python-dbusmock (0.11.4-1+deb8u1) stable; urgency=medium . * SECURITY FIX: When loading a template from an arbitrary file through the AddTemplate() D-Bus method call or DBusTestCase.spawn_server_template() Python method, don't create or use Python's *.pyc cached files. By tricking a user into loading a template from a world-writable directory like /tmp, an attacker could run arbitrary code with the user's privileges by putting a crafted .pyc file into that directory. . Note that this is highly unlikely to actually appear in practice as custom dbusmock templates are usually shipped in project directories, not directly in world-writable directories. (Closes: #786858, LP: #1453815, CVE-2015-1326) * Add debian/gbp.conf for "jessie" packaging branch. qcontrol (0.5.4-1+deb8u1) jessie; urgency=medium . * Wait for necessary devices to appear before starting. (Closes: #781886). This works around an issue exposed by systemd LSB compatibility mode. Proper systemd support will come later. qemu (1:2.1+dfsg-12) jessie-security; urgency=high . * CVE-2015-1779 (#781250) fix from upstream (Closes: #781250) * ide-correct-handling-of-malformed-short-PRDTs-CVE-2014-9718.patch (Closes: CVE-2014-9718) * CVE-2015-2756-xen-limit-guest-control-of-PCI-command-register.patch (Closes: CVE-2015-2756) * fdc-force-the-fifo-access-to-be-in-bounds-CVE-2015-3456.patch (Closes: CVE-2015-3456) * fix the OSABI binfmt mask for x86_64 arch, to actually fix #763043. Original fix didn't work, because "someone" forgot arithmetics. (Really Closes: #763043) qemu (1:2.1+dfsg-12~bpo70+1) wheezy-backports; urgency=high . * Rebuild for wheezy-backports: - disable seccomp (not in wheezy) - build-depend on iasl|acpica-tools - s/python:any/python/ in build-depends . qemu (1:2.1+dfsg-12) jessie-security; urgency=high . * CVE-2015-1779 (#781250) fix from upstream (Closes: #781250) * ide-correct-handling-of-malformed-short-PRDTs-CVE-2014-9718.patch (Closes: CVE-2014-9718) * CVE-2015-2756-xen-limit-guest-control-of-PCI-command-register.patch (Closes: CVE-2015-2756) * fdc-force-the-fifo-access-to-be-in-bounds-CVE-2015-3456.patch (Closes: CVE-2015-3456) * fix the OSABI binfmt mask for x86_64 arch, to actually fix #763043. Original fix didn't work, because "someone" forgot arithmetics. (Really Closes: #763043) . qemu (1:2.1+dfsg-11) unstable; urgency=medium . * bump epoch and reupload to cancel 2.2+dfsg-1exp upload mistakenly done to unstable. No other changes. . qemu (2.1+dfsg-10) unstable; urgency=medium . * make (debian-specific) x86 data path (with seabios and ipxe in it) non-x86-specific, since other arches use firmware files too (Closes: #772127) * add seabios to Recommends to qemu-system-misc, qemu-system-mips, qemu-system-ppc and qemu-system-sparc packages, because these packages contains emulators using vgabios which is part of seabios package (#772127). * add ipxe-qemu to Recommends to qemu-system-misc, qemu-system-arm, qemu-system-mips, qemu-system-ppc, qemu-system-sparc packages, because these packages contains emulators using network boot roms (#772127), in a similar way. . qemu (2.1+dfsg-9) unstable; urgency=high . * apply upstream patches for CVE-2014-8106 (cirrus: insufficient blit region checks) (Closes: #772025 CVE-2014-8106) qt4-x11 (4:4.8.6+git64-g5dc8b2b+dfsg-3+deb8u1) stable-proposed-updates; urgency=medium . * Add fixes_crash_in_gif_image_decoder.patch and fixes_crash_in_bmp_and_ico_image_decoder.patch to fix CVE-2015-1858, CVE-2015-1859 and CVE-2015-1860 (Closes: #783133). qtbase-opensource-src (5.3.2+dfsg-4+deb8u1) stable-proposed-updates; urgency=medium . [ Dmitry Shachnev ] * Fix several DoS vulnerabilities in the image handlers. - CVE-2015-0295, CVE-2015-1858, CVE-2015-1859, CVE-2015-1860. - Closes: #779580. qtbase-opensource-src (5.3.2+dfsg-4+deb8u1~bpo70+1) wheezy-backports; urgency=medium . * Backport latest upload to Jessie which fixes several CVEs. . qtbase-opensource-src (5.3.2+dfsg-4+deb8u1) stable-proposed-updates; urgency=medium . [ Dmitry Shachnev ] * Fix several DoS vulnerabilities in the image handlers. - CVE-2015-0295, CVE-2015-1858, CVE-2015-1859, CVE-2015-1860. - Closes: #779580. . qtbase-opensource-src (5.3.2+dfsg-4~bpo70+1) wheezy-backports; urgency=medium . * Set xkb-config-root as we are currently not using libxkbcommon because it has not been backported (Closes: #766239). . qtbase-opensource-src (5.3.2+dfsg-4) unstable; urgency=medium . * Move QPlatformSupport stuff from qtbase5-dev to qtbase5-private-dev, as it belongs there. Update Breaks+Replaces. * Backport fix_bug_in_internal_comparison_operator.patch to fix a UTF-8 problem on QJson (Closes: #764452). . qtbase-opensource-src (5.3.2+dfsg-3~bpo70+1) wheezy-backports; urgency=medium . * Upload to wheezy-backports. * Use embedded harfbuzz lib. Backport requested in #750427. * Use embedded libxkbcommon-x11. Backport requested in #757174. * The KMS plugin is not built in Wheezy, remove it from the install file. * Update symbols files with current build log. . qtbase-opensource-src (5.3.2+dfsg-3) unstable; urgency=medium . * Do not use precompiled headers on arm64 (Closes: #762702). * Update symbols files with buildds' logs. . qtbase-opensource-src (5.3.2+dfsg-2) unstable; urgency=medium . * Upload to unstable. * Add Adam Majer's fix_sparc_atomics.patch to let Sparc use C++11's atomics. * Add libxext-dev as build dependency: it's currently being pulled by something else, but adding it here will make things more robust. * Make qtbase5-dev depend on libxext-dev. Some mkspecs require it and it seems it's not a false positive. * Update symbols files with buildds' logs. . qtbase-opensource-src (5.3.2+dfsg-1) experimental; urgency=medium . [ Dmitry Shachnev ] * Update my e-mail address. * Update Vcs-Browser field to point to cgit interface. * Use correct exception syntax in debian/copyright. . [ Lisandro Damián Nicanor Pérez Meyer ] * New upstream release. * Remove patches applied upstream: - support_mips_atomic_on_pre-mips32_archs.patch, applied upstream with a fix. - Remove-Wcast-align-from-QMAKE_CXXFLAGS.patch. - cmake_dont_check_existence_of_gl_filesin_qt5gui.patch. * Refresh patches. * Bump qtbase-abi to 5-3-2. * Remove libgstreamer* build dependencies, they are not really needed as there is no usage of them by grepping the code. * Update install files. * Update symbols files with buildds' and current logs. * Build conflict against libmariadbclient-dev until the fix for #759309 enters unstable. * Mark private symbols as such. . qtbase-opensource-src (5.3.1+dfsg-6) unstable; urgency=medium . * Release to unstable. * Update symbols files with buildds' logs. . qtbase-opensource-src (5.3.1+dfsg-5) experimental; urgency=medium . [ Julián Moreno Patiño ] * Add support for non-sse2 processors (Closes: #754894). . [ Lisandro Damián Nicanor Pérez Meyer ] * Disable the usage of system proxies by default due to https://bugreports.qt-project.org/browse/QTBUG-41053 * Make libqt5core5a recommend qttranslations5-l10n. Thanks Felix Geyer for the pointer. * Build SSE2 enabled libraries in override_dh_auto_install-arch in order to avoid rewriting the previously built versions before installing them. * Disable pre compiled headers support when building both non SEE2 and SSE2 libraries, as it is not compatible. * Create new install files for archs which uses i386 processor. . qtbase-opensource-src (5.3.1+dfsg-3) unstable; urgency=medium . * Improve NEWS wording. * Add cmake_dont_check_existence_of_gl_filesin_qt5gui.patch to avoid Qt GUI requiring libegl1-mesa-dev (Closes: #752847). * Update symbols files with buildds' and mips64el's logs. . qtbase-opensource-src (5.3.1+dfsg-2) unstable; urgency=medium . * Enable using system network proxies by default. - Add NEWS file with this information. * Make qtbase5-dev suggest libegl1-mesa-dev and libgl1-mesa-dev, as they might be needed by those using EGL. * Bump qtbase-abi to 5-3-1. Sune found that there is a runtime check that forces us to do a transition for private symbols even on point releases without symbols changes (Closes: #752889). * Update symbols files with buildds' and mips64el's logs. * Add multitouch protocol translation support. . qtbase-opensource-src (5.3.1+dfsg-1) unstable; urgency=medium . * New upstream release. * Update symbols files with buildds' and current logs. * Clear the list of archs that should not use pre compiled headers. We've been told that with GCC 4.9 this should not be necessary anymore. * Remove link to a favicon in a dead url, part of an example. The Trolltech site is down and so there is no possible privacy breach in it, so just removing the link should suffice. . qtbase-opensource-src (5.3.0+dfsg-5) unstable; urgency=medium . * Remove enable_sparc_detection.patch. This is causing a FTBFS in sparc now. I've contacted upstream to know the best way to go from here, in the meantime we just don't detect it. * Update symbols files with buildds' and current logs. * Install only the last (and more relevant) changelog. We were trying (and failing) to install all of them, but only the first one would end up as changelog. As the listing order varies between archs, the final changelog will also be different between them, thus not allowing the package to be really Multi-Arch: same. Thanks Jakub Wilk for the bug report. (Closes: #750730). . qtbase-opensource-src (5.3.0+dfsg-4) unstable; urgency=medium . * Upload to unstable. * Update symbols files with buildds' logs. . qtbase-opensource-src (5.3.0+dfsg-3) experimental; urgency=medium . [ Lisandro Damián Nicanor Pérez Meyer ] * Search for private symbols at build time and produce a diff so as to be able to get the changes from build logs. - Modify mark_private_symbols.sh. - Run mark_private_symbols.sh from debian/rules. * Do not override dh_builddeb: xz compression is now the default method. * Backport Remove-Wcast-align-from-QMAKE_CXXFLAGS.patch. This totally disables -Wcast-align (Closes: #744311). - Remove do_not_pass_wcast-align_on_sparc.patch, it s now not needed anymore. * Update symbols files with buildds' logs. . [ Peter Michael Green ] * arm64 changes cherry picked from ubuntu (Closes: #750047). + Add arm64 to list of 64-bit architectures that should not use -m64 * Remove .device.vars and .qmake.vars in clean target. . qtbase-opensource-src (5.3.0+dfsg-2) experimental; urgency=medium . * Add revert_upstream_bsymbolic_change.patch by Timo Jyrinki which reenables -Bsymbolic-functions on non-x86 since Debian has a recent enough binutils. * Mark private symbols as such. . qtbase-opensource-src (5.3.0+dfsg-1) experimental; urgency=medium . [ Timo Jyrinki ] * Make qt5-qmake Multi-Arch: same since it moved from shipping files in /usr/share to /usr/lib/. . [ Dmitry Shachnev ] * Build-depend on libxkbcommon-x11-dev, as the new patch includes . * Add arm64 to no_pch_architectures. . [ Lisandro Damián Nicanor Pérez Meyer ] * New upstream release. - Fixes CVE-2014-0190. * Install the headers in a Multi-Arch qualified directory (Closes: #734677). - Fix related install files. - Mark qtbase5-dev, qtbase5-private-dev and libqt5opengl5-dev as Multi-Arch: same. * Override Lintian warning about torrent.qdoc being under an RFC license, it's just a false positive coming from the fact that the documentation is listing the license, but it's really not licensed under the RFC license. * Update symbols files with buildds' and current logs. * Refresh patches: - hurd_opengl_incldir.diff - support_mips_atomic_on_pre-mips32_archs.patch - qatomic_mips.h - enable_sparc_detection.patch * Remove patches: - fix_power_atomic_code.patch, the code it patches has been removed. - enable_s390_detection.patch, applied upstream. - change_sparc_qatomic.patch, the code it patches has been removed. * Adjust install files. * Bump qtbase-abi to qtbase-abi-5-3-0 due to private symbols changes. * Make qtbase5-dev-tools-dbg Multi-Arch: same due to qt5-qmake also becoming Multi-Arch: same. * Add a lintian override for qtbase5-examples: there is no possibility of privacy breach in the way trolltech_com.html is used, as it is just parsed, but not rendered nor any of the things it points at it's retrieved. . qtbase-opensource-src (5.2.1+dfsg-3) unstable; urgency=medium . * Release to unstable. * Add license to mark_private_symbols.sh and corresponding entry in debian/copyright. * Remove linux_no_perf.diff used to disable perf events on Linux/IA64. We no longer have IA64 around. . qtbase-opensource-src (5.2.1+dfsg-2) experimental; urgency=medium . [ Pino Toscano ] * Disable eglfs on any non-Linux architecture; while the dependencies for it might be satisfied, the code seems tied to/requiring Linux stuff. . [ Dmitry Shachnev ] * Update remove_google_adsense.patch to also remove ProspectXtractor tracker script. . [ Lisandro Damián Nicanor Pérez Meyer ] * Update symbols files with buildd's logs. . qtbase-opensource-src (5.2.1+dfsg-1) experimental; urgency=medium . * New upstream release. * Remove sha3_64bit_BE.diff, uname_include.diff and fix_crash_stale_pointer_dereferencing.patch, applied upstream. * Update symbols files with buildd's logs. * Do not install any CMake file for any plugin. * The egl/kms plugins have been built on amd64 too. Move them to the linux install files and see what happens with other archs. * Remove private headers no longer installed. * QtCore's QNoImplicitBoolCast header is no longer installed. It only had an include to qtglobal.h in it and no public symbols are missing. * Update symbols files with current build log. All missing symbols where private. Private symbols where [re]marked in symbols files. * Bump qtbase-abi to qtbase-abi-5-2-1 due to private symbols changes. . qtbase-opensource-src (5.2.0+dfsg-7) unstable; urgency=medium . [ Dmitry Shachnev ] * Use canonical Vcs-Browser field. . [ Lisandro Damián Nicanor Pérez Meyer ] * Install qmake's arch-specific data in an arch-specific path by using the hostdatadir option while calling configure. * Upload to unstable. . qtbase-opensource-src (5.2.0+dfsg-6) experimental; urgency=medium . [ Dmitry Shachnev ] * Build-depend on libxcb-xkb-dev, to get more input languages support. * Also, build-depend on libxcb-sync-dev instead of removed libxcb-sync0-dev. * Fix misspelled DEB_HOST_ARCH_OS in debian/rules comments. * Re-introduce qtbase5-doc-html package. . [ Lisandro Damián Nicanor Pérez Meyer ] * Backport fix_crash_stale_pointer_dereferencing.patch to solve a crash while using harfbuzz-ng. * Update symbols files with buildd's logs. . qtbase-opensource-src (5.2.0+dfsg-5) experimental; urgency=medium . * Workaround sparc's FTBFS due to it's qatomic code. * Build Qt against system's harfbuzz (Closes: #733972). * Update symbol's files unsing buildd's logs. . qtbase-opensource-src (5.2.0+dfsg-4) experimental; urgency=medium . [ Dmitry Shachnev ] * Remove unused piece of code in debian/rules. . [ Lisandro Damián Nicanor Pérez Meyer ] * Enable processor detection for s390[x] and sparc. - Do not use Wcast-align on header's tests on sparc, thus avoiding a FTBFS. * Update symbols files using buildds' logs. * Patch out Google-AdSense tracker from examples. * Update Standars-Version to 3.9.5, no changes required. . qtbase-opensource-src (5.2.0+dfsg-3) experimental; urgency=low . [ Pino Toscano ] * Further fix for MIPS, also in the orderedMemoryFence implementation; patch mips_more_pre-mips32.diff. * rules: small simplification in the platform_arg (mkspec) selection. * Initial support for GNU/kFreeBSD: - provide qmake mkspec, and use LD_LIBRARY_PATH; patch gnukfreebsd.diff - rules: use the gnukfreebsd-g++ when configure'ing * Get rid of our glibc-g++ qmake mkspec: it was a mistake with Qt4 (3?) already, and it is no more working with non-Linux OSes; as a consequence, error out for OSes with no qmake mkspec explicitly set in rules. * Remove the Pre-Depends on dpkg >= 1.15.6~, since that version is available in Squeeze already. . [ Lisandro Damián Nicanor Pérez Meyer ] * Update symbols files with buildds' logs. . [ Dmitry Shachnev ] * Explicitly define all DEB_HOST_ARCH{,_BITS} variables and remove duplicate variables. . qtbase-opensource-src (5.2.0+dfsg-2) experimental; urgency=medium . [ Pino Toscano ] * Simplify and sort qtbase5-dev.install-armel and qtbase5-dev.install-armhf. * Include sys/utsname.h for uname(3); patch uname_include.diff. * Move few Linux-only files from qtbase5-dev.install-common to qtbase5-dev.install-linux. * Remove the cmake files of QtSql plugins on dh_auto_install phase instead of dh_install. . qtbase-opensource-src (5.2.0+dfsg-1) experimental; urgency=low . [ Dmitry Shachnev ] * Fix two wrongly sorted lines in qtbase5-private-dev.install (thanks Timo). * Do not list armhf-specific paths in qtbase5-dev.install-armel. . [ Lisandro Damián Nicanor Pérez Meyer ] * New upstream release. * Update install files. * Update symbols files, marking private symbols as such. * Remove Disallow_deep_or_widely_nested_entity_references.patch, it has been applied upstream. * Upstream made all archs use double for qreal (see #731261 for more context). - Rename libqt5core5 to libqt5core5a to help in the transition: - Make libqt5core5a break and replace libqt5core5 << 5.2.0+dfsg~. - Rename the associated files (install, lintian-overrides and symbols). - Adjust dependencies in debian/control. - Add lintian override for package not matching SONAME. - Re create symbols that used the qreal subst, they are now all doubles. * A user of Qt built by a distro doesn't needs to find where the SQL plugins are via CMake. Do not install them (Closes: #729602). . qtbase-opensource-src (5.2.0~beta1+dfsg-3) experimental; urgency=low . [ Lisandro Damián Nicanor Pérez Meyer ] * Also install KSM/EGL CMake's configuration files for armel: - Create debian/qtbase5-dev.install-armel. * Install the QEvdev CMake related files only in Linux, as they are not present in Hurd. * Update symbols files. . qtbase-opensource-src (5.2.0~beta1+dfsg-2) experimental; urgency=low . * Install KMS/EGL CMake's configuration files for armhf. - Create debian/qtbase5-dev.install-armhf. - Move debian/qtbase5-dev.install to debian/qtbase5-dev.install-common. * Update symbols files. * Import upstream's fix_power_atomic_code.patch for fixing PowerPC's FTBFS (Closes: #729265). Thanks Aurelien Jarno for the patch. * Import upstream's support_mips_atomic_on_pre-mips32_archs.patch for fixing MIPS's FTBFS (Closes: #729187). Thanks Aurelien Jarno for the patch. . qtbase-opensource-src (5.2.0~beta1+dfsg-1) experimental; urgency=low . [ Dmitry Shachnev ] * New upstream beta release. * Drop fix_usr-move_workaround_in_the_presence_of_multi-arch.patch, applied upstream. * Update .install files for new upstream release. * Make libqt5core5 provide qtbase-abi-5-2-0. * Update symbols files. * Add myself to Uploaders. . [ Lisandro Damián Nicanor Pérez Meyer ] * Use newer qtbase-abi-5-2-0 in lintian-overrides files. . qtbase-opensource-src (5.1.1+dfsg-6) unstable; urgency=high . * Backport Disallow_deep_or_widely_nested_entity_references.patch to fix CVE-2013-4549: XML Entity Expansion Denial of Service. Set severity to high. * Update symbols files with buildds' logs. . qtbase-opensource-src (5.1.1+dfsg-5) unstable; urgency=low . * Add mips64 and mipsel64 to the list of archs that should use linux-g++ instead of linux-g++-64 (Closes: #727139). . qtbase-opensource-src (5.1.1+dfsg-4) unstable; urgency=low . [ Pino Toscano ] * Limit the libasound2-dev build dependency as linux-any, as the oss-alsa replacement is not usable for qt5 anyway. * Remove X11R6 library- and include-dirs from the hurd-g++ mkspec, as they might cause issues; patch hurd_opengl_incldir.diff. * Update symbols files. . qtbase-opensource-src (5.1.1+dfsg-3) unstable; urgency=low . [ Pino Toscano ] * Move libcomposeplatforminputcontextplugin.so, libqoffscreen.so and libqgtk2.so from libqt5gui5.install-linux to libqt5gui5.install-common, as they are compiled also on non-Linux OSes. . qtbase-opensource-src (5.1.1+dfsg-2) unstable; urgency=low . * Add upstream patch fix_usr-move_workaround_in_the_presence_of_multi-arch.patch to solve a CMake paths issue that involved a workaround for other distros (Closes: #721176). * Update symbols files with symbols from other archs. . qtbase-opensource-src (5.1.1+dfsg-1) unstable; urgency=low . * New upstream release. * Remove patches applied upstresm: - deppath_gnu.diff, the fix is now included upstream. - Dont_check_for_the_existence_of_priv_inc_dirs.patch * Update amd64 symbols and mark the private ones. * Update lintian overrides. . qtbase-opensource-src (5.1.0+dfsg-5) unstable; urgency=low . [ Pino Toscano ] * Extend patch sha3_64bit_BE.diff with another needed function; should really fix build on s390x and ppc64 now. . qtbase-opensource-src (5.1.0+dfsg-4) unstable; urgency=low . [ Pino Toscano ] * Fix build of the SHA3 implementation on 64bit big endian architectures (e.g. s390x and ppc64); patch sha3_64bit_BE.diff. * Update/simplify lintian overrides. * Fix build on ia64 by disabling the use of Linux perf events, which do not seem present on linux/ia64 kernels; patch linux_no_perf.diff. . qtbase-opensource-src (5.1.0+dfsg-3) unstable; urgency=low . * Upload to unstable. . qtbase-opensource-src (5.1.0+dfsg-2) experimental; urgency=low . * Add libxkbcommon-dev as build dependency, thus avoiding using the bundled lib. * Minor improvement of mark_private_symbols.sh. * Add Dont_check_for_the_existence_of_priv_inc_dirs.patch that avoids making our users install private headers in order to compile with CMake (Closes: #718348). * Armel also builds libqkms.so, added to the proper install file. * Update symbols files. . qtbase-opensource-src (5.1.0+dfsg-1) experimental; urgency=low . * New upstream release. * Do not build depend on libopenvg1-mesa-dev on hurd, it's not available there. * Fix watch file with new url. * Make libqt5core5 provide qtbase-abi-5-1-0. * Update symbols files with latest 5.0.2 build logs. * Remove patches applied upstream: - undef_B0.diff - Rename-qAbs-Function-for-timeval.patch - build_examples.patch, adding the new -compile-examples switch. * Refresh patches: deppath_gnu.diff. * Bump Build-Depends-Indep qttools5-dev-tools dependency to << 5.1.0~. * Do not remove the include dir on cleaning the sources. Prior to Qt 5.1 perl would be run and re-create the includes. In 5.1, perl only runs if .git is found and the build is done out-of-source. Thanks Pino and Thiago for the hints. * Fix typo in -no-direcfb switch in configure. * Update install files. * Update symbols files with current build. The missing symbols seemed to be internal/private stuff and optional ones, so everything should be OK. * Mark private symbols in symbols files. * Add a lintian override for libqt5core5. Symbols should declare a dependency on qtbase-abi-5-1-0. * Change symbols files and lintian overrides to provide qtbase-abi-5-1-0. * Minimal improve of README.source with private symbols handling. * Remove doc packages. The build system has changed and I can't build them anymore. - Remove independent build deps. - Remove the doc packages from debian/control. - Remove their asociated install files. - Remove the indep targets in debian/rules. . qtbase-opensource-src (5.0.2+dfsg1-7) experimental; urgency=low . * Mark libgbm-dev as linux-any. Other OSs do not have it. * Add the qkms plugin to the armhf list of files to install. * Update symbols files. * From the armhf build log: "The -arch and -host-arch options are obsolete". Remove the relevant armv6 option from debian/rules. * Add a lintian override for libqt5xml5, which rightfully declares a dependency on qtbase-abi-5-0-2. . qtbase-opensource-src (5.0.2+dfsg1-6) experimental; urgency=low . [ Lisandro Damián Nicanor Pérez Meyer ] * Make packages that ship a binary managed by qtchooser depend on it. * Build the documentation shipped with this submodule as a build-indep task: - Add the necessary indep build dependencies: * qttools5-dev-tools to use qhelpgenerator. * libqt5sql5-sqlite to generate qch doc. - Build and create a packages for qch and HTML doc formats. - Document how to bootstrap the packages in order to be able to build the documentation. * Update symbols files. * Add build dependencies to build support for: - ALSA. - PulseAudio. - OpenVG. - GStreamer. * Add libgbm-dev as Build-Dep, necessary for KMS support. * Apply Rename-qAbs-Function-for-timeval.patch taken from upstream to solve FTBFS with GCC 4.8. * Update Standards-Version to 3.9.4. No changes needed. * Make qtbase5-dbg M-A same. . qtbase-opensource-src (5.0.2+dfsg1-5) experimental; urgency=low . [ Pino Toscano ] * Update symbols files. . [ Lisandro Damián Nicanor Pérez Meyer ] * Also ship 5.conf. This makes calls to qtchooser prettier: qtchooser -qt5. * Add lintian overrides for packages that depend on the private API/ABI, it's totally correct for them to do so. . [ Sune Vuorela ] * Prepare symbol files to track private symbols. * Make libqt5core5 provide a virtual package to track the non-public api/abi. * Create a script to mark symbols as private. * Mark private symbols as private. . qtbase-opensource-src (5.0.2+dfsg1-4) experimental; urgency=low . [ Pino Toscano ] * Update lintian overrides. * Drop check of old hppa kernel bug, which has been fixed many years ago. * Update Vcs-Browser and Vcs-Git headers. . [ Timo Jyrinki ] * libqt5sql5-sqlite listed as first in recommends, being the lightest. . [ Lisandro Damián Nicanor Pérez Meyer ] * Add qt5-triplet.conf and arch-qualified qt5.conf. See qtchooser's README.Debian for more details. * Fix typo in qtbase5-private-dev's Breaks+Replaces. * Changed qt5-default to arch: all. Should have been like this from start, as it contains arch-qualified paths in it. * Update symbols files. . qtbase-opensource-src (5.0.2+dfsg1-3) experimental; urgency=low . [ Pino Toscano ] * debian/control: remove extra ${misc:Pre-Depends} from qt5-qmake. * debian/control: remove extra qtbase5-dev suggest from libqt5sql5, libqt5sql5-mysql, libqt5sql5-odbc, libqt5sql5-psql, libqt5sql5-sqlite, libqt5sql5-tds. * debian/control: make libqt5printsupport5 recommend libcups2 (which is dlopen'ed). * Move the private qsqlresult_p.h from qtbase5-dev to qtbase5-private-dev, adding proper breaks/replaces in the latter. * Use LD_LIBRARY_PATH on any GNU system; patch deppath_gnu.diff. * debian/control: remove extra ${shlibs:Depends} from qtbase5-private-dev and libqt5opengl5-dev. . [ Lisandro Damián Nicanor Pérez Meyer ] * Update symbols files for hurd-i386, i386, ia64 and powerpc. . [ Timo Jyrinki ] * Use -opengl es2 correctly on arm * Allow EGL support also on desktop, on Linux only for now. * List no_pch_architectures separately . qtbase-opensource-src (5.0.2+dfsg1-2) experimental; urgency=low . [ Lisandro Damián Nicanor Pérez Meyer ] * Remove the licenses of the removed fonts from debian/copyright. * Patch out commit 2b397f985e4ef6ae5c0571a928bb1320fb048c61 to allow building examples without calling -developer-build with build_examples.patch (Closes: #705836). . qtbase-opensource-src (5.0.2+dfsg1-1) experimental; urgency=low . * Remove non-free fonts: - Fonts under Luxi font license. - Fonts under Adobe Copyright license. * Be verbose on what we are removing. . qtbase-opensource-src (5.0.2+dfsg-2) experimental; urgency=low . * Make qtbase5-dev depend on qtchooser, as it is needed for using qmake and friends. . qtbase-opensource-src (5.0.2+dfsg-1) experimental; urgency=low . * Initial release. (Closes: #697509) quassel (1:0.10.0-2.3+deb8u1) jessie-security; urgency=high . * Fix CVE-2015-3427: SQL injection vulnerability in PostgreSQL backend. (Closes: #783926) - Add debian/patches/CVE-2015-3427.patch, cherry-picked from upstream. - The original issue was CVE-2013-4422 which had an incomplete fix. ruby-defaults (1:2.1.5+deb8u1) jessie; urgency=medium . * ruby: add `Conflicts: ruby-activesupport-2.3` to help with several Rails-related upgrade issues, e.g. when upgrading redmine from wheezy (Closes: #784336). ruby-defaults (1:2.1.5+1) experimental; urgency=medium . * Add support for Ruby 2.2 (not the default yet) * debian/ruby-all-dev-depends: automatically generate dependencies for ruby-all-dev based on the contents of ruby_debian_dev.rb ruby2.1 (2.1.5-2+deb8u1) jessie-security; urgency=high . * Fix vulnerabiity with overly permissive matching of hostnames in OpenSSL extension [CVE-2015-1855] - applied revision 50296 of upstream svn repository. semi (1.14.7~0.20120428-14+deb8u1) jessie; urgency=medium . * New patch 020_encrypt.patch to fix incorrect keys in encryption (closes: #784712) smstools (3.1.15-1.1+deb8u1) stable; urgency=high . * NMU by Jonas Meurer to push the fix into Jessie. * Fix initscript (debian/init.d): * drop action 'reload' as it does not what policy demands it to do. Use 'force-reload' in logrotate post-rotate action. This fixes 'force-reload' action when used through systemd tools and prevents the smsd daemon process from being killed at every log rotation. (closes: #782996) * source /lib/lsb/init-functions in order to make systemd tools aware of status changes to the daemon that have been caused by invoking the initscript directly. sqlite3 (3.8.7.1-1+deb8u1) jessie-security; urgency=high . * Fix CVE-2015-3414 , use of uninitialized memory when parsing collation sequences. * Fix CVE-2015-3415 , properly implement comparison operators in sqlite3VdbeExec() . * Fix CVE-2015-3416 , properly handle precision and width values during floating-point conversions in sqlite3VXPrintf() . suricata (2.0.7-2+deb8u1) jessie-security; urgency=high . * Backport fix for CVE-2015-0971 (Integer overflow in the DER parser) systemd (215-17+deb8u1) stable; urgency=medium . [ Michael Biebl ] * manager: Pass correct errno to strerror(), have_ask_password contains negative error values which have to be negated when being passed to strerror(). . [ Martin Pitt ] * Revert upstream commit 743970d which immediately SIGKILLs units during shutdown. This leads to problems like bash not being able to write its history, mosh not saving its state, and similar failed cleanup actions. (Closes: #784720, LP: #1448259) * write_net_rules: Escape '{' and '}' characters as well, to make this work with busybox grep. Thanks Faidon Liambotis! (Closes: #765577) * debian/gbp.conf: Point to jessie branch. tasksel (3.31+deb8u1) jessie; urgency=medium . * Make task-xfce-desktop recommend evince-gtk | evince instead of just evince-gtk, making the GNOME and Xfce desktop tasks co-installable (Closes: #783571). tecnoballz (0.93.1-4+deb8u1) jessie; urgency=medium . * Fix multiple gameplay issues which could impair the fun. * Add bouncer-restriction.patch. Fix minimum distance of bouncers to walls in boss levels. (Closes: #776262) * gigablitz-gauge.patch: Fix gigablitz gauge was not working. (Closes: #776342) * right-click-game-over.patch: Fix right click game over bug. (Closes: #776263) tlsdate (0.0.13-1~deb8u1) jessie; urgency=high . * Upload to stable to switch from www.ptb.de to www.google.com as the former is now sending randomized gmt values. (Closes: #783174, #783193) . tlsdate (0.0.13-1) unstable; urgency=high . * New upstream release . tlsdate (0.0.12-3) unstable; urgency=high . * Switch from www.ptb.de to www.google.com as the former is now sending randomized gmt values. (Closes: #783174) (Closes: #783193) tlsdate (0.0.13-1~deb8u1~bpo70+1) wheezy-backports; urgency=high . * Rebuild for wheezy-backports. . tlsdate (0.0.13-1~deb8u1) jessie; urgency=high . * Upload to stable to switch from www.ptb.de to www.google.com as the former is now sending randomized gmt values. (Closes: #783174, #783193) . tlsdate (0.0.13-1) unstable; urgency=high . * New upstream release . tlsdate (0.0.12-3) unstable; urgency=high . * Switch from www.ptb.de to www.google.com as the former is now sending randomized gmt values. (Closes: #783174) (Closes: #783193) torbrowser-launcher (0.1.9-1+deb8u1) jessie; urgency=high . * Apply 3d9f4ed and 5f833d7 from 0.2.0 upstream release to deal with changed pathes in the 4.5 torbrowser release. (Closes: #784041) * 3d9f4ed also removes the accept links feature (as it has stopped worked with 4.5.) * Apply f219f35 from 0.2.0 to stop acting as default browser, because a default browser should be captable of accepting links. torbrowser-launcher (0.1.9-1+deb8u1~bpo70+1) wheezy-backports; urgency=high . * Rebuild for wheezy-backports. . torbrowser-launcher (0.1.9-1+deb8u1) jessie; urgency=high . * Apply 3d9f4ed and 5f833d7 from 0.2.0 upstream release to deal with changed pathes in the 4.5 torbrowser release. (Closes: #784041) * 3d9f4ed also removes the accept links feature (as it has stopped worked with 4.5.) * Apply f219f35 from 0.2.0 to stop acting as default browser, because a default browser should be captable of accepting links. translate-shell (0.8.21-1+deb8u1) jessie; urgency=medium . * switch to new Google Translate API Closes: #782811 tzdata (2015d-0+deb8u1) stable; urgency=medium . * New upstream version: - Remove DST rule for Egypt starting in 2015. * Install leap-seconds.list to /usr/share/zoneinfo (Closes: #775166) tzdata (2015d-0+deb7u1) oldstable; urgency=medium . * New upstream version: - Remove DST rule for Egypt starting in 2015. tzdata (2015d-0+deb6u1) squeeze-lts; urgency=medium . * New upstream version: - Remove DST rule for Egypt starting in 2015. ulogd2 (2.0.4-2+deb8u1) stable; urgency=medium . * Begin a new debian-jessie branch: update debian/gbp.conf. * Add upstream patch Fix-JSON-output-on-big-endian-systems.patch: - Corrects JSON output of integer types on big-endian systems. (Closes: #784935) unattended-upgrades (0.83.3.1) stable; urgency=low . * fix default configuration to match the jessie security server configuration (closes: #783690) usemod-wiki (1.0.5-3+deb8u1) jessie; urgency=medium . * Adjust startform/endform to start_form/end_form. (Closes: #784256) * Update repository URLs. virtualbox (4.3.18-dfsg-3+deb8u3) jessie; urgency=medium . * d/p/39-crash-raw-mode.patch fix crash in raw mode. (Closes: #785689) from upstream changeset 53083 thanks Frank for the hint! virtualbox (4.3.18-dfsg-3+deb8u2) jessie-security; urgency=high . * d/p/CVE-2015-3456.patch fix for CVE-2015-3456 a.k.a. VENOM (Closes: #785424) virtualbox (4.3.18-dfsg-3+deb8u1) jessie; urgency=medium . [ Moritz Mühlenhoff ] * d/p/37-disable-smap.patch, cherry-pick upstream patch to fix a kernel paging issue (LP: #1437845, Closes: #783142). win32-loader (0.7.8+deb8u1) jessie; urgency=low . * Replace the Joy screenshot by a recent Lines screenshot * Replace http.debian.net with httpredir.debian.org wordpress (4.1+dfsg-1+deb8u1) jessie-security; urgency=high . * Backports of 4.1.2 security fixes Closes: #783347 - Changeset 32163 sanity checks - Changeset 32165 sanitize order by - Changeset 32172 filename check - Changeset 32174 multisite change extra checks - Changeset 32176 Dashboard escapes titles - Changeset 32234 More WPDB query sanity * Backport of 4.2.1 for security fixes Closes: #783554 - Changeset 32307: XSS for long 64k+ comments wpa (2.3-1+deb8u1) jessie-security; urgency=high . * import "P2P: Validate SSID element length before copying it (CVE-2015-1863)" from upstream (Closes: #783148). zendframework (1.12.9+dfsg-2+deb8u2) jessie-security; urgency=high . * Update ZF2015-04 patch. Use the final upstream patch instead of the initial one. No actual change other than spaces, comments and tests. It will ease cherry-picking further fixes if needed. * Fix regression in headers creation. Non-string and non-stringable objects were not allowed anymore with the ZF2015-04 patch. This broke a number of other classes, however, which required integer and/or float values (e.g., to set a Content-Length header). zendframework (1.12.9+dfsg-2+deb8u1) jessie-security; urgency=high . * Track Jessie update in the jessie branch * Fix ZF2015-04: CRLF injections in HTTP and Mail http://framework.zend.com/security/advisory/ZF2015-04 [CVE-2015-3154] zeromq3 (4.0.5+dfsg-2+deb8u1) jessie-security; urgency=high . * V3 protocol handler vulnerable to downgrade attacks, use upstream backported fix for this issue. ========================================= Sat, 25 Apr 2015 - Debian 8.0 released =========================================