====================================== Sat, 10 Mar 2018 - Debian 9.4 released ======================================
=========================================================================
[Date: Sat, 10 Mar 2018 08:47:20 +0000] [ftpmaster: Archive Administrator]
Removed the following packages from stable:

python-seelablet | 1.0.6-2 | all
python3-seelablet | 1.0.6-2 | all
seelablet | 1.0.6-2 | source, all
seelablet-common | 1.0.6-2 | all
seelablet-doc | 1.0.6-2 | all
Closed bugs: 886017

------------------- Reason -------------------
RoM: abandoned upstream; broken
----------------------------------------------
=========================================================================
=========================================================================
[Date: Sat, 10 Mar 2018 08:48:03 +0000] [ftpmaster: Archive Administrator]
Removed the following packages from stable:

electrum | 2.7.9-1 | source, all
python-electrum | 2.7.9-1 | all
Closed bugs: 887412

------------------- Reason -------------------
RoM; security issues; broken due to upstream changes
----------------------------------------------
=========================================================================
=========================================================================
[Date: Sat, 10 Mar 2018 08:52:26 +0000] [ftpmaster: Archive Administrator]
Removed the following packages from stable:

pgmodeler | 0.8.2-1 | source
pgmodeler | 0.8.2-1+b1 | amd64, arm64, armel, armhf, i386, mips, mips64el, mipsel, ppc64el, s390x
pgmodeler-common | 0.8.2-1 | all
pgmodeler-dbg | 0.8.2-1+b1 | amd64, arm64, armel, armhf, i386, mips, mips64el, mipsel, ppc64el, s390x
Closed bugs: 891120

------------------- Reason -------------------
RoM; incompatible with version of postgresql in stretch
----------------------------------------------
=========================================================================
=========================================================================
[Date: Sat, 10 Mar 2018 08:53:15 +0000] [ftpmaster: Archive Administrator]
Removed the following packages from stable:

jirc | 1.0-1 | source, all
Closed bugs: 891403

------------------- Reason -------------------
RoQA; broken with version of libpoe-filter-xml-perl in stretch
----------------------------------------------
=========================================================================
=========================================================================
[Date: Sat, 10 Mar 2018 08:53:55 +0000] [ftpmaster: Archive Administrator]
Removed the following packages from stable:

dolibarr | 4.0.2+dfsg4-2 | source, all
Closed bugs: 892024

------------------- Reason -------------------
RoM; too much work to maintain it properly in Debian
----------------------------------------------
=========================================================================
=========================================================================
[Date: Sat, 10 Mar 2018 09:11:49 +0000] [ftpmaster: Mark Hymers]
Removed the following packages from stable:

acpi-modules-4.9.0-4-amd64-di | 4.9.65-3+deb9u1 | amd64
acpi-modules-4.9.0-5-amd64-di | 4.9.80-2 | amd64
ata-modules-4.9.0-4-amd64-di | 4.9.65-3+deb9u1 | amd64
ata-modules-4.9.0-5-amd64-di | 4.9.80-2 | amd64
btrfs-modules-4.9.0-4-amd64-di | 4.9.65-3+deb9u1 | amd64
btrfs-modules-4.9.0-5-amd64-di | 4.9.80-2 | amd64
cdrom-core-modules-4.9.0-4-amd64-di | 4.9.65-3+deb9u1 | amd64
cdrom-core-modules-4.9.0-5-amd64-di | 4.9.80-2 | amd64
crc-modules-4.9.0-4-amd64-di | 4.9.65-3+deb9u1 | amd64
crc-modules-4.9.0-5-amd64-di | 4.9.80-2 | amd64
crypto-dm-modules-4.9.0-4-amd64-di | 4.9.65-3+deb9u1 | amd64
crypto-dm-modules-4.9.0-5-amd64-di | 4.9.80-2 | amd64
crypto-modules-4.9.0-4-amd64-di | 4.9.65-3+deb9u1 | amd64
crypto-modules-4.9.0-5-amd64-di | 4.9.80-2 | amd64
efi-modules-4.9.0-4-amd64-di | 4.9.65-3+deb9u1 | amd64
efi-modules-4.9.0-5-amd64-di | 4.9.80-2 | amd64
event-modules-4.9.0-4-amd64-di | 4.9.65-3+deb9u1 | amd64
event-modules-4.9.0-5-amd64-di | 4.9.80-2 | amd64
ext4-modules-4.9.0-4-amd64-di | 4.9.65-3+deb9u1 | amd64
ext4-modules-4.9.0-5-amd64-di | 4.9.80-2 | amd64
fat-modules-4.9.0-4-amd64-di | 4.9.65-3+deb9u1 | amd64
fat-modules-4.9.0-5-amd64-di | 4.9.80-2 | amd64
fb-modules-4.9.0-4-amd64-di | 4.9.65-3+deb9u1 | amd64
fb-modules-4.9.0-5-amd64-di | 4.9.80-2 | amd64
firewire-core-modules-4.9.0-4-amd64-di | 4.9.65-3+deb9u1 | amd64
firewire-core-modules-4.9.0-5-amd64-di | 4.9.80-2 | amd64
fuse-modules-4.9.0-4-amd64-di | 4.9.65-3+deb9u1 | amd64
fuse-modules-4.9.0-5-amd64-di | 4.9.80-2 | amd64
hyperv-modules-4.9.0-4-amd64-di | 4.9.65-3+deb9u1 | amd64
hyperv-modules-4.9.0-5-amd64-di | 4.9.80-2 | amd64
i2c-modules-4.9.0-4-amd64-di | 4.9.65-3+deb9u1 | amd64
i2c-modules-4.9.0-5-amd64-di | 4.9.80-2 | amd64
input-modules-4.9.0-4-amd64-di | 4.9.65-3+deb9u1 | amd64
input-modules-4.9.0-5-amd64-di | 4.9.80-2 | amd64
isofs-modules-4.9.0-4-amd64-di | 4.9.65-3+deb9u1 | amd64
isofs-modules-4.9.0-5-amd64-di | 4.9.80-2 | amd64
jfs-modules-4.9.0-4-amd64-di | 4.9.65-3+deb9u1 | amd64
jfs-modules-4.9.0-5-amd64-di | 4.9.80-2 | amd64
kernel-image-4.9.0-4-amd64-di | 4.9.65-3+deb9u1 | amd64
kernel-image-4.9.0-5-amd64-di | 4.9.80-2 | amd64
linux-headers-4.9.0-4-all-amd64 | 4.9.65-3+deb9u1 | amd64
linux-headers-4.9.0-4-amd64 | 4.9.65-3+deb9u1 | amd64
linux-headers-4.9.0-4-rt-amd64 | 4.9.65-3+deb9u1 | amd64
linux-headers-4.9.0-5-all-amd64 | 4.9.80-2 | amd64
linux-headers-4.9.0-5-amd64 | 4.9.80-2 | amd64
linux-headers-4.9.0-5-rt-amd64 | 4.9.80-2 | amd64
linux-image-4.9.0-4-amd64 | 4.9.65-3+deb9u1 | amd64
linux-image-4.9.0-4-amd64-dbg | 4.9.65-3+deb9u1 | amd64
linux-image-4.9.0-4-rt-amd64 | 4.9.65-3+deb9u1 | amd64
linux-image-4.9.0-4-rt-amd64-dbg | 4.9.65-3+deb9u1 | amd64
linux-image-4.9.0-5-amd64 | 4.9.80-2 | amd64
linux-image-4.9.0-5-amd64-dbg | 4.9.80-2 | amd64
linux-image-4.9.0-5-rt-amd64 | 4.9.80-2 | amd64
linux-image-4.9.0-5-rt-amd64-dbg | 4.9.80-2 | amd64
loop-modules-4.9.0-4-amd64-di | 4.9.65-3+deb9u1 | amd64
loop-modules-4.9.0-5-amd64-di | 4.9.80-2 | amd64
md-modules-4.9.0-4-amd64-di | 4.9.65-3+deb9u1 | amd64
md-modules-4.9.0-5-amd64-di | 4.9.80-2 | amd64
mmc-core-modules-4.9.0-4-amd64-di | 4.9.65-3+deb9u1 | amd64
mmc-core-modules-4.9.0-5-amd64-di | 4.9.80-2 | amd64
mmc-modules-4.9.0-4-amd64-di | 4.9.65-3+deb9u1 | amd64
mmc-modules-4.9.0-5-amd64-di | 4.9.80-2 | amd64
mouse-modules-4.9.0-4-amd64-di | 4.9.65-3+deb9u1 | amd64
mouse-modules-4.9.0-5-amd64-di | 4.9.80-2 | amd64
multipath-modules-4.9.0-4-amd64-di | 4.9.65-3+deb9u1 | amd64
multipath-modules-4.9.0-5-amd64-di | 4.9.80-2 | amd64
nbd-modules-4.9.0-4-amd64-di | 4.9.65-3+deb9u1 | amd64
nbd-modules-4.9.0-5-amd64-di | 4.9.80-2 | amd64
nic-modules-4.9.0-4-amd64-di | 4.9.65-3+deb9u1 | amd64
nic-modules-4.9.0-5-amd64-di | 4.9.80-2 | amd64
nic-pcmcia-modules-4.9.0-4-amd64-di | 4.9.65-3+deb9u1 | amd64
nic-pcmcia-modules-4.9.0-5-amd64-di | 4.9.80-2 | amd64
nic-shared-modules-4.9.0-4-amd64-di | 4.9.65-3+deb9u1 | amd64
nic-shared-modules-4.9.0-5-amd64-di | 4.9.80-2 | amd64
nic-usb-modules-4.9.0-4-amd64-di | 4.9.65-3+deb9u1 | amd64
nic-usb-modules-4.9.0-5-amd64-di | 4.9.80-2 | amd64
nic-wireless-modules-4.9.0-4-amd64-di | 4.9.65-3+deb9u1 | amd64
nic-wireless-modules-4.9.0-5-amd64-di | 4.9.80-2 | amd64
ntfs-modules-4.9.0-4-amd64-di | 4.9.65-3+deb9u1 | amd64
ntfs-modules-4.9.0-5-amd64-di | 4.9.80-2 | amd64
pata-modules-4.9.0-4-amd64-di | 4.9.65-3+deb9u1 | amd64
pata-modules-4.9.0-5-amd64-di | 4.9.80-2 | amd64
pcmcia-modules-4.9.0-4-amd64-di | 4.9.65-3+deb9u1 | amd64
pcmcia-modules-4.9.0-5-amd64-di | 4.9.80-2 | amd64
pcmcia-storage-modules-4.9.0-4-amd64-di | 4.9.65-3+deb9u1 | amd64
pcmcia-storage-modules-4.9.0-5-amd64-di | 4.9.80-2 | amd64
ppp-modules-4.9.0-4-amd64-di | 4.9.65-3+deb9u1 | amd64
ppp-modules-4.9.0-5-amd64-di | 4.9.80-2 | amd64
sata-modules-4.9.0-4-amd64-di | 4.9.65-3+deb9u1 | amd64
sata-modules-4.9.0-5-amd64-di | 4.9.80-2 | amd64
scsi-core-modules-4.9.0-4-amd64-di | 4.9.65-3+deb9u1 | amd64
scsi-core-modules-4.9.0-5-amd64-di | 4.9.80-2 | amd64
scsi-modules-4.9.0-4-amd64-di | 4.9.65-3+deb9u1 | amd64
scsi-modules-4.9.0-5-amd64-di | 4.9.80-2 | amd64
serial-modules-4.9.0-4-amd64-di | 4.9.65-3+deb9u1 | amd64
serial-modules-4.9.0-5-amd64-di | 4.9.80-2 | amd64
sound-modules-4.9.0-4-amd64-di | 4.9.65-3+deb9u1 | amd64
sound-modules-4.9.0-5-amd64-di | 4.9.80-2 | amd64
speakup-modules-4.9.0-4-amd64-di | 4.9.65-3+deb9u1 | amd64
speakup-modules-4.9.0-5-amd64-di | 4.9.80-2 | amd64
squashfs-modules-4.9.0-4-amd64-di | 4.9.65-3+deb9u1 | amd64
squashfs-modules-4.9.0-5-amd64-di | 4.9.80-2 | amd64
udf-modules-4.9.0-4-amd64-di | 4.9.65-3+deb9u1 | amd64
udf-modules-4.9.0-5-amd64-di | 4.9.80-2 | amd64
uinput-modules-4.9.0-4-amd64-di | 4.9.65-3+deb9u1 | amd64
uinput-modules-4.9.0-5-amd64-di | 4.9.80-2 | amd64
usb-modules-4.9.0-4-amd64-di | 4.9.65-3+deb9u1 | amd64
usb-modules-4.9.0-5-amd64-di | 4.9.80-2 | amd64
usb-serial-modules-4.9.0-4-amd64-di | 4.9.65-3+deb9u1 | amd64
usb-serial-modules-4.9.0-5-amd64-di | 4.9.80-2 | amd64
usb-storage-modules-4.9.0-4-amd64-di | 4.9.65-3+deb9u1 | amd64
usb-storage-modules-4.9.0-5-amd64-di | 4.9.80-2 | amd64
virtio-modules-4.9.0-4-amd64-di | 4.9.65-3+deb9u1 | amd64
virtio-modules-4.9.0-5-amd64-di | 4.9.80-2 | amd64
xfs-modules-4.9.0-4-amd64-di | 4.9.65-3+deb9u1 | amd64
xfs-modules-4.9.0-5-amd64-di | 4.9.80-2 | amd64

------------------- Reason -------------------
[auto-cruft] NBS (no longer built by linux)
----------------------------------------------
=========================================================================
=========================================================================
[Date: Sat, 10 Mar 2018 09:12:13 +0000] [ftpmaster: Mark Hymers]
Removed the following packages from stable:

linux-headers-4.9.0-4-all | 4.9.65-3+deb9u1 | amd64, arm64, armel, armhf, i386, mips, mips64el, mipsel, ppc64el, s390x
linux-headers-4.9.0-5-all | 4.9.80-2 | amd64, arm64, armel, armhf, i386, mips, mips64el, mipsel, ppc64el, s390x

------------------- Reason -------------------
[auto-cruft] NBS (no longer built by linux)
----------------------------------------------
=========================================================================
=========================================================================
[Date: Sat, 10 Mar 2018 09:12:33 +0000] [ftpmaster: Mark Hymers]
Removed the following packages from stable:

ata-modules-4.9.0-4-arm64-di | 4.9.65-3+deb9u1 | arm64
ata-modules-4.9.0-5-arm64-di | 4.9.80-2 | arm64
btrfs-modules-4.9.0-4-arm64-di | 4.9.65-3+deb9u1 | arm64
btrfs-modules-4.9.0-5-arm64-di | 4.9.80-2 | arm64
cdrom-core-modules-4.9.0-4-arm64-di | 4.9.65-3+deb9u1 | arm64
cdrom-core-modules-4.9.0-5-arm64-di | 4.9.80-2 | arm64
crc-modules-4.9.0-4-arm64-di | 4.9.65-3+deb9u1 | arm64
crc-modules-4.9.0-5-arm64-di | 4.9.80-2 | arm64
crypto-dm-modules-4.9.0-4-arm64-di | 4.9.65-3+deb9u1 | arm64
crypto-dm-modules-4.9.0-5-arm64-di | 4.9.80-2 | arm64
crypto-modules-4.9.0-4-arm64-di | 4.9.65-3+deb9u1 | arm64
crypto-modules-4.9.0-5-arm64-di | 4.9.80-2 | arm64
efi-modules-4.9.0-4-arm64-di | 4.9.65-3+deb9u1 | arm64
efi-modules-4.9.0-5-arm64-di | 4.9.80-2 | arm64
event-modules-4.9.0-4-arm64-di | 4.9.65-3+deb9u1 | arm64
event-modules-4.9.0-5-arm64-di | 4.9.80-2 | arm64
ext4-modules-4.9.0-4-arm64-di | 4.9.65-3+deb9u1 | arm64
ext4-modules-4.9.0-5-arm64-di | 4.9.80-2 | arm64
fat-modules-4.9.0-4-arm64-di | 4.9.65-3+deb9u1 | arm64
fat-modules-4.9.0-5-arm64-di | 4.9.80-2 | arm64
fb-modules-4.9.0-4-arm64-di | 4.9.65-3+deb9u1 | arm64
fb-modules-4.9.0-5-arm64-di | 4.9.80-2 | arm64
fuse-modules-4.9.0-4-arm64-di | 4.9.65-3+deb9u1 | arm64
fuse-modules-4.9.0-5-arm64-di | 4.9.80-2 | arm64
i2c-modules-4.9.0-4-arm64-di | 4.9.65-3+deb9u1 | arm64
i2c-modules-4.9.0-5-arm64-di | 4.9.80-2 | arm64
input-modules-4.9.0-4-arm64-di | 4.9.65-3+deb9u1 | arm64
input-modules-4.9.0-5-arm64-di | 4.9.80-2 | arm64
isofs-modules-4.9.0-4-arm64-di | 4.9.65-3+deb9u1 | arm64
isofs-modules-4.9.0-5-arm64-di | 4.9.80-2 | arm64
jfs-modules-4.9.0-4-arm64-di | 4.9.65-3+deb9u1 | arm64
jfs-modules-4.9.0-5-arm64-di | 4.9.80-2 | arm64
kernel-image-4.9.0-4-arm64-di | 4.9.65-3+deb9u1 | arm64
kernel-image-4.9.0-5-arm64-di | 4.9.80-2 | arm64
leds-modules-4.9.0-4-arm64-di | 4.9.65-3+deb9u1 | arm64
leds-modules-4.9.0-5-arm64-di | 4.9.80-2 | arm64
linux-headers-4.9.0-4-all-arm64 | 4.9.65-3+deb9u1 | arm64
linux-headers-4.9.0-4-arm64 | 4.9.65-3+deb9u1 | arm64
linux-headers-4.9.0-5-all-arm64 | 4.9.80-2 | arm64
linux-headers-4.9.0-5-arm64 | 4.9.80-2 | arm64
linux-image-4.9.0-4-arm64 | 4.9.65-3+deb9u1 | arm64
linux-image-4.9.0-4-arm64-dbg | 4.9.65-3+deb9u1 | arm64
linux-image-4.9.0-5-arm64 | 4.9.80-2 | arm64
linux-image-4.9.0-5-arm64-dbg | 4.9.80-2 | arm64
loop-modules-4.9.0-4-arm64-di | 4.9.65-3+deb9u1 | arm64
loop-modules-4.9.0-5-arm64-di | 4.9.80-2 | arm64
md-modules-4.9.0-4-arm64-di | 4.9.65-3+deb9u1 | arm64
md-modules-4.9.0-5-arm64-di | 4.9.80-2 | arm64
mmc-modules-4.9.0-4-arm64-di | 4.9.65-3+deb9u1 | arm64
mmc-modules-4.9.0-5-arm64-di | 4.9.80-2 | arm64
multipath-modules-4.9.0-4-arm64-di | 4.9.65-3+deb9u1 | arm64
multipath-modules-4.9.0-5-arm64-di | 4.9.80-2 | arm64
nbd-modules-4.9.0-4-arm64-di | 4.9.65-3+deb9u1 | arm64
nbd-modules-4.9.0-5-arm64-di | 4.9.80-2 | arm64
nic-modules-4.9.0-4-arm64-di | 4.9.65-3+deb9u1 | arm64
nic-modules-4.9.0-5-arm64-di | 4.9.80-2 | arm64
nic-shared-modules-4.9.0-4-arm64-di | 4.9.65-3+deb9u1 | arm64
nic-shared-modules-4.9.0-5-arm64-di | 4.9.80-2 | arm64
nic-usb-modules-4.9.0-4-arm64-di | 4.9.65-3+deb9u1 | arm64
nic-usb-modules-4.9.0-5-arm64-di | 4.9.80-2 | arm64
nic-wireless-modules-4.9.0-4-arm64-di | 4.9.65-3+deb9u1 | arm64
nic-wireless-modules-4.9.0-5-arm64-di | 4.9.80-2 | arm64
ppp-modules-4.9.0-4-arm64-di | 4.9.65-3+deb9u1 | arm64
ppp-modules-4.9.0-5-arm64-di | 4.9.80-2 | arm64
sata-modules-4.9.0-4-arm64-di | 4.9.65-3+deb9u1 | arm64
sata-modules-4.9.0-5-arm64-di | 4.9.80-2 | arm64
scsi-core-modules-4.9.0-4-arm64-di | 4.9.65-3+deb9u1 | arm64
scsi-core-modules-4.9.0-5-arm64-di | 4.9.80-2 | arm64
scsi-modules-4.9.0-4-arm64-di | 4.9.65-3+deb9u1 | arm64
scsi-modules-4.9.0-5-arm64-di | 4.9.80-2 | arm64
squashfs-modules-4.9.0-4-arm64-di | 4.9.65-3+deb9u1 | arm64
squashfs-modules-4.9.0-5-arm64-di | 4.9.80-2 | arm64
udf-modules-4.9.0-4-arm64-di | 4.9.65-3+deb9u1 | arm64
udf-modules-4.9.0-5-arm64-di | 4.9.80-2 | arm64
uinput-modules-4.9.0-4-arm64-di | 4.9.65-3+deb9u1 | arm64
uinput-modules-4.9.0-5-arm64-di | 4.9.80-2 | arm64
usb-modules-4.9.0-4-arm64-di | 4.9.65-3+deb9u1 | arm64
usb-modules-4.9.0-5-arm64-di | 4.9.80-2 | arm64
usb-storage-modules-4.9.0-4-arm64-di | 4.9.65-3+deb9u1 | arm64
usb-storage-modules-4.9.0-5-arm64-di | 4.9.80-2 | arm64
virtio-modules-4.9.0-4-arm64-di | 4.9.65-3+deb9u1 | arm64
virtio-modules-4.9.0-5-arm64-di | 4.9.80-2 | arm64
xfs-modules-4.9.0-4-arm64-di | 4.9.65-3+deb9u1 | arm64
xfs-modules-4.9.0-5-arm64-di | 4.9.80-2 | arm64

------------------- Reason -------------------
[auto-cruft] NBS (no longer built by linux)
----------------------------------------------
=========================================================================
=========================================================================
[Date: Sat, 10 Mar 2018 09:13:10 +0000] [ftpmaster: Mark Hymers]
Removed the following packages from stable:

btrfs-modules-4.9.0-4-marvell-di | 4.9.65-3+deb9u1 | armel
btrfs-modules-4.9.0-5-marvell-di | 4.9.80-2 | armel
cdrom-core-modules-4.9.0-4-marvell-di | 4.9.65-3+deb9u1 | armel
cdrom-core-modules-4.9.0-5-marvell-di | 4.9.80-2 | armel
crc-modules-4.9.0-4-marvell-di | 4.9.65-3+deb9u1 | armel
crc-modules-4.9.0-5-marvell-di | 4.9.80-2 | armel
crypto-dm-modules-4.9.0-4-marvell-di | 4.9.65-3+deb9u1 | armel
crypto-dm-modules-4.9.0-5-marvell-di | 4.9.80-2 | armel
crypto-modules-4.9.0-4-marvell-di | 4.9.65-3+deb9u1 | armel
crypto-modules-4.9.0-5-marvell-di | 4.9.80-2 | armel
event-modules-4.9.0-4-marvell-di | 4.9.65-3+deb9u1 | armel
event-modules-4.9.0-5-marvell-di | 4.9.80-2 | armel
ext4-modules-4.9.0-4-marvell-di | 4.9.65-3+deb9u1 | armel
ext4-modules-4.9.0-5-marvell-di | 4.9.80-2 | armel
fat-modules-4.9.0-4-marvell-di | 4.9.65-3+deb9u1 | armel
fat-modules-4.9.0-5-marvell-di | 4.9.80-2 | armel
fb-modules-4.9.0-4-marvell-di | 4.9.65-3+deb9u1 | armel
fb-modules-4.9.0-5-marvell-di | 4.9.80-2 | armel
fuse-modules-4.9.0-4-marvell-di | 4.9.65-3+deb9u1 | armel
fuse-modules-4.9.0-5-marvell-di | 4.9.80-2 | armel
input-modules-4.9.0-4-marvell-di | 4.9.65-3+deb9u1 | armel
input-modules-4.9.0-5-marvell-di | 4.9.80-2 | armel
ipv6-modules-4.9.0-4-marvell-di | 4.9.65-3+deb9u1 | armel
ipv6-modules-4.9.0-5-marvell-di | 4.9.80-2 | armel
isofs-modules-4.9.0-4-marvell-di | 4.9.65-3+deb9u1 | armel
isofs-modules-4.9.0-5-marvell-di | 4.9.80-2 | armel
jffs2-modules-4.9.0-4-marvell-di | 4.9.65-3+deb9u1 | armel
jffs2-modules-4.9.0-5-marvell-di | 4.9.80-2 | armel
jfs-modules-4.9.0-4-marvell-di | 4.9.65-3+deb9u1 | armel
jfs-modules-4.9.0-5-marvell-di | 4.9.80-2 | armel
kernel-image-4.9.0-4-marvell-di | 4.9.65-3+deb9u1 | armel
kernel-image-4.9.0-5-marvell-di | 4.9.80-2 | armel
leds-modules-4.9.0-4-marvell-di | 4.9.65-3+deb9u1 | armel
leds-modules-4.9.0-5-marvell-di | 4.9.80-2 | armel
linux-headers-4.9.0-4-all-armel | 4.9.65-3+deb9u1 | armel
linux-headers-4.9.0-4-marvell | 4.9.65-3+deb9u1 | armel
linux-headers-4.9.0-5-all-armel | 4.9.80-2 | armel
linux-headers-4.9.0-5-marvell | 4.9.80-2 | armel
linux-image-4.9.0-4-marvell | 4.9.65-3+deb9u1 | armel
linux-image-4.9.0-4-marvell-dbg | 4.9.65-3+deb9u1 | armel
linux-image-4.9.0-5-marvell | 4.9.80-2 | armel
linux-image-4.9.0-5-marvell-dbg | 4.9.80-2 | armel
loop-modules-4.9.0-4-marvell-di | 4.9.65-3+deb9u1 | armel
loop-modules-4.9.0-5-marvell-di | 4.9.80-2 | armel
md-modules-4.9.0-4-marvell-di | 4.9.65-3+deb9u1 | armel
md-modules-4.9.0-5-marvell-di | 4.9.80-2 | armel
minix-modules-4.9.0-4-marvell-di | 4.9.65-3+deb9u1 | armel
minix-modules-4.9.0-5-marvell-di | 4.9.80-2 | armel
mmc-modules-4.9.0-4-marvell-di | 4.9.65-3+deb9u1 | armel
mmc-modules-4.9.0-5-marvell-di | 4.9.80-2 | armel
mouse-modules-4.9.0-4-marvell-di | 4.9.65-3+deb9u1 | armel
mouse-modules-4.9.0-5-marvell-di | 4.9.80-2 | armel
mtd-modules-4.9.0-4-marvell-di | 4.9.65-3+deb9u1 | armel
mtd-modules-4.9.0-5-marvell-di | 4.9.80-2 | armel
multipath-modules-4.9.0-4-marvell-di | 4.9.65-3+deb9u1 | armel
multipath-modules-4.9.0-5-marvell-di | 4.9.80-2 | armel
nbd-modules-4.9.0-4-marvell-di | 4.9.65-3+deb9u1 | armel
nbd-modules-4.9.0-5-marvell-di | 4.9.80-2 | armel
nic-modules-4.9.0-4-marvell-di | 4.9.65-3+deb9u1 | armel
nic-modules-4.9.0-5-marvell-di | 4.9.80-2 | armel
nic-shared-modules-4.9.0-4-marvell-di | 4.9.65-3+deb9u1 | armel
nic-shared-modules-4.9.0-5-marvell-di | 4.9.80-2 | armel
nic-usb-modules-4.9.0-4-marvell-di | 4.9.65-3+deb9u1 | armel
nic-usb-modules-4.9.0-5-marvell-di | 4.9.80-2 | armel
ppp-modules-4.9.0-4-marvell-di | 4.9.65-3+deb9u1 | armel
ppp-modules-4.9.0-5-marvell-di | 4.9.80-2 | armel
sata-modules-4.9.0-4-marvell-di | 4.9.65-3+deb9u1 | armel
sata-modules-4.9.0-5-marvell-di | 4.9.80-2 | armel
scsi-core-modules-4.9.0-4-marvell-di | 4.9.65-3+deb9u1 | armel
scsi-core-modules-4.9.0-5-marvell-di | 4.9.80-2 | armel
squashfs-modules-4.9.0-4-marvell-di | 4.9.65-3+deb9u1 | armel
squashfs-modules-4.9.0-5-marvell-di | 4.9.80-2 | armel
udf-modules-4.9.0-4-marvell-di | 4.9.65-3+deb9u1 | armel
udf-modules-4.9.0-5-marvell-di | 4.9.80-2 | armel
uinput-modules-4.9.0-4-marvell-di | 4.9.65-3+deb9u1 | armel
uinput-modules-4.9.0-5-marvell-di | 4.9.80-2 | armel
usb-modules-4.9.0-4-marvell-di | 4.9.65-3+deb9u1 | armel
usb-modules-4.9.0-5-marvell-di | 4.9.80-2 | armel
usb-serial-modules-4.9.0-4-marvell-di | 4.9.65-3+deb9u1 | armel
usb-serial-modules-4.9.0-5-marvell-di | 4.9.80-2 | armel
usb-storage-modules-4.9.0-4-marvell-di | 4.9.65-3+deb9u1 | armel
usb-storage-modules-4.9.0-5-marvell-di | 4.9.80-2 | armel
zlib-modules-4.9.0-4-marvell-di | 4.9.65-3+deb9u1 | armel
zlib-modules-4.9.0-5-marvell-di | 4.9.80-2 | armel

------------------- Reason -------------------
[auto-cruft] NBS (no longer built by linux)
----------------------------------------------
=========================================================================
=========================================================================
[Date: Sat, 10 Mar 2018 09:13:32 +0000] [ftpmaster: Mark Hymers]
Removed the following packages from stable:

ata-modules-4.9.0-4-armmp-di | 4.9.65-3+deb9u1 | armhf
ata-modules-4.9.0-5-armmp-di | 4.9.80-2 | armhf
btrfs-modules-4.9.0-4-armmp-di | 4.9.65-3+deb9u1 | armhf
btrfs-modules-4.9.0-5-armmp-di | 4.9.80-2 | armhf
crc-modules-4.9.0-4-armmp-di | 4.9.65-3+deb9u1 | armhf
crc-modules-4.9.0-5-armmp-di | 4.9.80-2 | armhf
crypto-dm-modules-4.9.0-4-armmp-di | 4.9.65-3+deb9u1 | armhf
crypto-dm-modules-4.9.0-5-armmp-di | 4.9.80-2 | armhf
crypto-modules-4.9.0-4-armmp-di | 4.9.65-3+deb9u1 | armhf
crypto-modules-4.9.0-5-armmp-di | 4.9.80-2 | armhf
efi-modules-4.9.0-4-armmp-di | 4.9.65-3+deb9u1 | armhf
efi-modules-4.9.0-5-armmp-di | 4.9.80-2 | armhf
event-modules-4.9.0-4-armmp-di | 4.9.65-3+deb9u1 | armhf
event-modules-4.9.0-5-armmp-di | 4.9.80-2 | armhf
ext4-modules-4.9.0-4-armmp-di | 4.9.65-3+deb9u1 | armhf
ext4-modules-4.9.0-5-armmp-di | 4.9.80-2 | armhf
fat-modules-4.9.0-4-armmp-di | 4.9.65-3+deb9u1 | armhf
fat-modules-4.9.0-5-armmp-di | 4.9.80-2 | armhf
fb-modules-4.9.0-4-armmp-di | 4.9.65-3+deb9u1 | armhf
fb-modules-4.9.0-5-armmp-di | 4.9.80-2 | armhf
fuse-modules-4.9.0-4-armmp-di | 4.9.65-3+deb9u1 | armhf
fuse-modules-4.9.0-5-armmp-di | 4.9.80-2 | armhf
i2c-modules-4.9.0-4-armmp-di | 4.9.65-3+deb9u1 | armhf
i2c-modules-4.9.0-5-armmp-di | 4.9.80-2 | armhf
input-modules-4.9.0-4-armmp-di | 4.9.65-3+deb9u1 | armhf
input-modules-4.9.0-5-armmp-di | 4.9.80-2 | armhf
isofs-modules-4.9.0-4-armmp-di | 4.9.65-3+deb9u1 | armhf
isofs-modules-4.9.0-5-armmp-di | 4.9.80-2 | armhf
jfs-modules-4.9.0-4-armmp-di | 4.9.65-3+deb9u1 | armhf
jfs-modules-4.9.0-5-armmp-di | 4.9.80-2 | armhf
kernel-image-4.9.0-4-armmp-di | 4.9.65-3+deb9u1 | armhf
kernel-image-4.9.0-5-armmp-di | 4.9.80-2 | armhf
leds-modules-4.9.0-4-armmp-di | 4.9.65-3+deb9u1 | armhf
leds-modules-4.9.0-5-armmp-di | 4.9.80-2 | armhf
linux-headers-4.9.0-4-all-armhf | 4.9.65-3+deb9u1 | armhf
linux-headers-4.9.0-4-armmp | 4.9.65-3+deb9u1 | armhf
linux-headers-4.9.0-4-armmp-lpae | 4.9.65-3+deb9u1 | armhf
linux-headers-4.9.0-5-all-armhf | 4.9.80-2 | armhf
linux-headers-4.9.0-5-armmp | 4.9.80-2 | armhf
linux-headers-4.9.0-5-armmp-lpae | 4.9.80-2 | armhf
linux-image-4.9.0-4-armmp | 4.9.65-3+deb9u1 | armhf
linux-image-4.9.0-4-armmp-dbg | 4.9.65-3+deb9u1 | armhf
linux-image-4.9.0-4-armmp-lpae | 4.9.65-3+deb9u1 | armhf
linux-image-4.9.0-4-armmp-lpae-dbg | 4.9.65-3+deb9u1 | armhf
linux-image-4.9.0-5-armmp | 4.9.80-2 | armhf
linux-image-4.9.0-5-armmp-dbg | 4.9.80-2 | armhf
linux-image-4.9.0-5-armmp-lpae | 4.9.80-2 | armhf
linux-image-4.9.0-5-armmp-lpae-dbg | 4.9.80-2 | armhf
loop-modules-4.9.0-4-armmp-di | 4.9.65-3+deb9u1 | armhf
loop-modules-4.9.0-5-armmp-di | 4.9.80-2 | armhf
md-modules-4.9.0-4-armmp-di | 4.9.65-3+deb9u1 | armhf
md-modules-4.9.0-5-armmp-di | 4.9.80-2 | armhf
mmc-modules-4.9.0-4-armmp-di | 4.9.65-3+deb9u1 | armhf
mmc-modules-4.9.0-5-armmp-di | 4.9.80-2 | armhf
mtd-modules-4.9.0-4-armmp-di | 4.9.65-3+deb9u1 | armhf
mtd-modules-4.9.0-5-armmp-di | 4.9.80-2 | armhf
multipath-modules-4.9.0-4-armmp-di | 4.9.65-3+deb9u1 | armhf
multipath-modules-4.9.0-5-armmp-di | 4.9.80-2 | armhf
nbd-modules-4.9.0-4-armmp-di | 4.9.65-3+deb9u1 | armhf
nbd-modules-4.9.0-5-armmp-di | 4.9.80-2 | armhf
nic-modules-4.9.0-4-armmp-di | 4.9.65-3+deb9u1 | armhf
nic-modules-4.9.0-5-armmp-di | 4.9.80-2 | armhf
nic-shared-modules-4.9.0-4-armmp-di | 4.9.65-3+deb9u1 | armhf
nic-shared-modules-4.9.0-5-armmp-di | 4.9.80-2 | armhf
nic-usb-modules-4.9.0-4-armmp-di | 4.9.65-3+deb9u1 | armhf
nic-usb-modules-4.9.0-5-armmp-di | 4.9.80-2 | armhf
nic-wireless-modules-4.9.0-4-armmp-di | 4.9.65-3+deb9u1 | armhf
nic-wireless-modules-4.9.0-5-armmp-di | 4.9.80-2 | armhf
pata-modules-4.9.0-4-armmp-di | 4.9.65-3+deb9u1 | armhf
pata-modules-4.9.0-5-armmp-di | 4.9.80-2 | armhf
ppp-modules-4.9.0-4-armmp-di | 4.9.65-3+deb9u1 | armhf
ppp-modules-4.9.0-5-armmp-di | 4.9.80-2 | armhf
sata-modules-4.9.0-4-armmp-di | 4.9.65-3+deb9u1 | armhf
sata-modules-4.9.0-5-armmp-di | 4.9.80-2 | armhf
scsi-core-modules-4.9.0-4-armmp-di | 4.9.65-3+deb9u1 | armhf
scsi-core-modules-4.9.0-5-armmp-di | 4.9.80-2 | armhf
scsi-modules-4.9.0-4-armmp-di | 4.9.65-3+deb9u1 | armhf
scsi-modules-4.9.0-5-armmp-di | 4.9.80-2 | armhf
squashfs-modules-4.9.0-4-armmp-di | 4.9.65-3+deb9u1 | armhf
squashfs-modules-4.9.0-5-armmp-di | 4.9.80-2 | armhf
udf-modules-4.9.0-4-armmp-di | 4.9.65-3+deb9u1 | armhf
udf-modules-4.9.0-5-armmp-di | 4.9.80-2 | armhf
uinput-modules-4.9.0-4-armmp-di | 4.9.65-3+deb9u1 | armhf
uinput-modules-4.9.0-5-armmp-di | 4.9.80-2 | armhf
usb-modules-4.9.0-4-armmp-di | 4.9.65-3+deb9u1 | armhf
usb-modules-4.9.0-5-armmp-di | 4.9.80-2 | armhf
usb-storage-modules-4.9.0-4-armmp-di | 4.9.65-3+deb9u1 | armhf
usb-storage-modules-4.9.0-5-armmp-di | 4.9.80-2 | armhf
virtio-modules-4.9.0-4-armmp-di | 4.9.65-3+deb9u1 | armhf
virtio-modules-4.9.0-5-armmp-di | 4.9.80-2 | armhf
zlib-modules-4.9.0-4-armmp-di | 4.9.65-3+deb9u1 | armhf
zlib-modules-4.9.0-5-armmp-di | 4.9.80-2 | armhf

------------------- Reason -------------------
[auto-cruft] NBS (no longer built by linux)
----------------------------------------------
=========================================================================
=========================================================================
[Date: Sat, 10 Mar 2018 09:13:58 +0000] [ftpmaster: Mark Hymers]
Removed the following packages from stable:

acpi-modules-4.9.0-4-686-di | 4.9.65-3+deb9u1 | i386
acpi-modules-4.9.0-4-686-pae-di | 4.9.65-3+deb9u1 | i386
acpi-modules-4.9.0-5-686-di | 4.9.80-2 | i386
acpi-modules-4.9.0-5-686-pae-di | 4.9.80-2 | i386
ata-modules-4.9.0-4-686-di | 4.9.65-3+deb9u1 | i386
ata-modules-4.9.0-4-686-pae-di | 4.9.65-3+deb9u1 | i386
ata-modules-4.9.0-5-686-di | 4.9.80-2 | i386
ata-modules-4.9.0-5-686-pae-di | 4.9.80-2 | i386
btrfs-modules-4.9.0-4-686-di | 4.9.65-3+deb9u1 | i386
btrfs-modules-4.9.0-4-686-pae-di | 4.9.65-3+deb9u1 | i386
btrfs-modules-4.9.0-5-686-di | 4.9.80-2 | i386
btrfs-modules-4.9.0-5-686-pae-di | 4.9.80-2 | i386
cdrom-core-modules-4.9.0-4-686-di | 4.9.65-3+deb9u1 | i386
cdrom-core-modules-4.9.0-4-686-pae-di | 4.9.65-3+deb9u1 | i386
cdrom-core-modules-4.9.0-5-686-di | 4.9.80-2 | i386
cdrom-core-modules-4.9.0-5-686-pae-di | 4.9.80-2 | i386
crc-modules-4.9.0-4-686-di | 4.9.65-3+deb9u1 | i386
crc-modules-4.9.0-4-686-pae-di | 4.9.65-3+deb9u1 | i386
crc-modules-4.9.0-5-686-di | 4.9.80-2 | i386
crc-modules-4.9.0-5-686-pae-di | 4.9.80-2 | i386
crypto-dm-modules-4.9.0-4-686-di | 4.9.65-3+deb9u1 | i386
crypto-dm-modules-4.9.0-4-686-pae-di | 4.9.65-3+deb9u1 | i386
crypto-dm-modules-4.9.0-5-686-di | 4.9.80-2 | i386
crypto-dm-modules-4.9.0-5-686-pae-di | 4.9.80-2 | i386
crypto-modules-4.9.0-4-686-di | 4.9.65-3+deb9u1 | i386
crypto-modules-4.9.0-4-686-pae-di | 4.9.65-3+deb9u1 | i386
crypto-modules-4.9.0-5-686-di | 4.9.80-2 | i386
crypto-modules-4.9.0-5-686-pae-di | 4.9.80-2 | i386
efi-modules-4.9.0-4-686-di | 4.9.65-3+deb9u1 | i386
efi-modules-4.9.0-4-686-pae-di | 4.9.65-3+deb9u1 | i386
efi-modules-4.9.0-5-686-di | 4.9.80-2 | i386
efi-modules-4.9.0-5-686-pae-di | 4.9.80-2 | i386
event-modules-4.9.0-4-686-di | 4.9.65-3+deb9u1 | i386
event-modules-4.9.0-4-686-pae-di | 4.9.65-3+deb9u1 | i386
event-modules-4.9.0-5-686-di | 4.9.80-2 | i386
event-modules-4.9.0-5-686-pae-di | 4.9.80-2 | i386
ext4-modules-4.9.0-4-686-di | 4.9.65-3+deb9u1 | i386
ext4-modules-4.9.0-4-686-pae-di | 4.9.65-3+deb9u1 | i386
ext4-modules-4.9.0-5-686-di | 4.9.80-2 | i386
ext4-modules-4.9.0-5-686-pae-di | 4.9.80-2 | i386
fat-modules-4.9.0-4-686-di | 4.9.65-3+deb9u1 | i386
fat-modules-4.9.0-4-686-pae-di | 4.9.65-3+deb9u1 | i386
fat-modules-4.9.0-5-686-di | 4.9.80-2 | i386
fat-modules-4.9.0-5-686-pae-di | 4.9.80-2 | i386
fb-modules-4.9.0-4-686-di | 4.9.65-3+deb9u1 | i386
fb-modules-4.9.0-4-686-pae-di | 4.9.65-3+deb9u1 | i386
fb-modules-4.9.0-5-686-di | 4.9.80-2 | i386
fb-modules-4.9.0-5-686-pae-di | 4.9.80-2 | i386
firewire-core-modules-4.9.0-4-686-di | 4.9.65-3+deb9u1 | i386
firewire-core-modules-4.9.0-4-686-pae-di | 4.9.65-3+deb9u1 | i386
firewire-core-modules-4.9.0-5-686-di | 4.9.80-2 | i386
firewire-core-modules-4.9.0-5-686-pae-di | 4.9.80-2 | i386
fuse-modules-4.9.0-4-686-di | 4.9.65-3+deb9u1 | i386
fuse-modules-4.9.0-4-686-pae-di | 4.9.65-3+deb9u1 | i386
fuse-modules-4.9.0-5-686-di | 4.9.80-2 | i386
fuse-modules-4.9.0-5-686-pae-di | 4.9.80-2 | i386
hyperv-modules-4.9.0-4-686-di | 4.9.65-3+deb9u1 | i386
hyperv-modules-4.9.0-4-686-pae-di | 4.9.65-3+deb9u1 | i386
hyperv-modules-4.9.0-5-686-di | 4.9.80-2 | i386
hyperv-modules-4.9.0-5-686-pae-di | 4.9.80-2 | i386
i2c-modules-4.9.0-4-686-di | 4.9.65-3+deb9u1 | i386
i2c-modules-4.9.0-4-686-pae-di | 4.9.65-3+deb9u1 | i386
i2c-modules-4.9.0-5-686-di | 4.9.80-2 | i386
i2c-modules-4.9.0-5-686-pae-di | 4.9.80-2 | i386
input-modules-4.9.0-4-686-di | 4.9.65-3+deb9u1 | i386
input-modules-4.9.0-4-686-pae-di | 4.9.65-3+deb9u1 | i386
input-modules-4.9.0-5-686-di | 4.9.80-2 | i386
input-modules-4.9.0-5-686-pae-di | 4.9.80-2 | i386
isofs-modules-4.9.0-4-686-di | 4.9.65-3+deb9u1 | i386
isofs-modules-4.9.0-4-686-pae-di | 4.9.65-3+deb9u1 | i386
isofs-modules-4.9.0-5-686-di | 4.9.80-2 | i386
isofs-modules-4.9.0-5-686-pae-di | 4.9.80-2 | i386
jfs-modules-4.9.0-4-686-di | 4.9.65-3+deb9u1 | i386
jfs-modules-4.9.0-4-686-pae-di | 4.9.65-3+deb9u1 | i386
jfs-modules-4.9.0-5-686-di | 4.9.80-2 | i386
jfs-modules-4.9.0-5-686-pae-di | 4.9.80-2 | i386
kernel-image-4.9.0-4-686-di | 4.9.65-3+deb9u1 | i386
kernel-image-4.9.0-4-686-pae-di | 4.9.65-3+deb9u1 | i386
kernel-image-4.9.0-5-686-di | 4.9.80-2 | i386
kernel-image-4.9.0-5-686-pae-di | 4.9.80-2 | i386
linux-headers-4.9.0-4-686 | 4.9.65-3+deb9u1 | i386
linux-headers-4.9.0-4-686-pae | 4.9.65-3+deb9u1 | i386
linux-headers-4.9.0-4-all-i386 | 4.9.65-3+deb9u1 | i386
linux-headers-4.9.0-4-rt-686-pae | 4.9.65-3+deb9u1 | i386
linux-headers-4.9.0-5-686 | 4.9.80-2 | i386
linux-headers-4.9.0-5-686-pae | 4.9.80-2 | i386
linux-headers-4.9.0-5-all-i386 | 4.9.80-2 | i386
linux-headers-4.9.0-5-rt-686-pae | 4.9.80-2 | i386
linux-image-4.9.0-4-686 | 4.9.65-3+deb9u1 | i386
linux-image-4.9.0-4-686-dbg | 4.9.65-3+deb9u1 | i386
linux-image-4.9.0-4-686-pae | 4.9.65-3+deb9u1 | i386
linux-image-4.9.0-4-686-pae-dbg | 4.9.65-3+deb9u1 | i386
linux-image-4.9.0-4-rt-686-pae | 4.9.65-3+deb9u1 | i386
linux-image-4.9.0-4-rt-686-pae-dbg | 4.9.65-3+deb9u1 | i386
linux-image-4.9.0-5-686 | 4.9.80-2 | i386
linux-image-4.9.0-5-686-dbg | 4.9.80-2 | i386
linux-image-4.9.0-5-686-pae | 4.9.80-2 | i386
linux-image-4.9.0-5-686-pae-dbg | 4.9.80-2 | i386
linux-image-4.9.0-5-rt-686-pae | 4.9.80-2 | i386
linux-image-4.9.0-5-rt-686-pae-dbg | 4.9.80-2 | i386
loop-modules-4.9.0-4-686-di | 4.9.65-3+deb9u1 | i386
loop-modules-4.9.0-4-686-pae-di | 4.9.65-3+deb9u1 | i386
loop-modules-4.9.0-5-686-di | 4.9.80-2 | i386
loop-modules-4.9.0-5-686-pae-di | 4.9.80-2 | i386
md-modules-4.9.0-4-686-di | 4.9.65-3+deb9u1 | i386
md-modules-4.9.0-4-686-pae-di | 4.9.65-3+deb9u1 | i386
md-modules-4.9.0-5-686-di | 4.9.80-2 | i386
md-modules-4.9.0-5-686-pae-di | 4.9.80-2 | i386
mmc-core-modules-4.9.0-4-686-di | 4.9.65-3+deb9u1 | i386
mmc-core-modules-4.9.0-4-686-pae-di | 4.9.65-3+deb9u1 | i386
mmc-core-modules-4.9.0-5-686-di | 4.9.80-2 | i386
mmc-core-modules-4.9.0-5-686-pae-di | 4.9.80-2 | i386
mmc-modules-4.9.0-4-686-di | 4.9.65-3+deb9u1 | i386
mmc-modules-4.9.0-4-686-pae-di | 4.9.65-3+deb9u1 | i386
mmc-modules-4.9.0-5-686-di | 4.9.80-2 | i386
mmc-modules-4.9.0-5-686-pae-di | 4.9.80-2 | i386
mouse-modules-4.9.0-4-686-di | 4.9.65-3+deb9u1 | i386
mouse-modules-4.9.0-4-686-pae-di | 4.9.65-3+deb9u1 | i386
mouse-modules-4.9.0-5-686-di | 4.9.80-2 | i386
mouse-modules-4.9.0-5-686-pae-di | 4.9.80-2 | i386
multipath-modules-4.9.0-4-686-di | 4.9.65-3+deb9u1 | i386
multipath-modules-4.9.0-4-686-pae-di | 4.9.65-3+deb9u1 | i386
multipath-modules-4.9.0-5-686-di | 4.9.80-2 | i386
multipath-modules-4.9.0-5-686-pae-di | 4.9.80-2 | i386
nbd-modules-4.9.0-4-686-di | 4.9.65-3+deb9u1 | i386
nbd-modules-4.9.0-4-686-pae-di | 4.9.65-3+deb9u1 | i386
nbd-modules-4.9.0-5-686-di | 4.9.80-2 | i386
nbd-modules-4.9.0-5-686-pae-di | 4.9.80-2 | i386
nic-modules-4.9.0-4-686-di | 4.9.65-3+deb9u1 | i386
nic-modules-4.9.0-4-686-pae-di | 4.9.65-3+deb9u1 | i386
nic-modules-4.9.0-5-686-di | 4.9.80-2 | i386
nic-modules-4.9.0-5-686-pae-di | 4.9.80-2 | i386
nic-pcmcia-modules-4.9.0-4-686-di | 4.9.65-3+deb9u1 | i386
nic-pcmcia-modules-4.9.0-4-686-pae-di | 4.9.65-3+deb9u1 | i386
nic-pcmcia-modules-4.9.0-5-686-di | 4.9.80-2 | i386
nic-pcmcia-modules-4.9.0-5-686-pae-di | 4.9.80-2 | i386
nic-shared-modules-4.9.0-4-686-di | 4.9.65-3+deb9u1 | i386
nic-shared-modules-4.9.0-4-686-pae-di | 4.9.65-3+deb9u1 | i386
nic-shared-modules-4.9.0-5-686-di | 4.9.80-2 | i386
nic-shared-modules-4.9.0-5-686-pae-di | 4.9.80-2 | i386
nic-usb-modules-4.9.0-4-686-di | 4.9.65-3+deb9u1 | i386
nic-usb-modules-4.9.0-4-686-pae-di | 4.9.65-3+deb9u1 | i386
nic-usb-modules-4.9.0-5-686-di | 4.9.80-2 | i386
nic-usb-modules-4.9.0-5-686-pae-di | 4.9.80-2 | i386
nic-wireless-modules-4.9.0-4-686-di | 4.9.65-3+deb9u1 | i386
nic-wireless-modules-4.9.0-4-686-pae-di | 4.9.65-3+deb9u1 | i386
nic-wireless-modules-4.9.0-5-686-di | 4.9.80-2 | i386
nic-wireless-modules-4.9.0-5-686-pae-di | 4.9.80-2 | i386
ntfs-modules-4.9.0-4-686-di | 4.9.65-3+deb9u1 | i386
ntfs-modules-4.9.0-4-686-pae-di | 4.9.65-3+deb9u1 | i386
ntfs-modules-4.9.0-5-686-di | 4.9.80-2 | i386
ntfs-modules-4.9.0-5-686-pae-di | 4.9.80-2 | i386
pata-modules-4.9.0-4-686-di | 4.9.65-3+deb9u1 | i386
pata-modules-4.9.0-4-686-pae-di | 4.9.65-3+deb9u1 | i386
pata-modules-4.9.0-5-686-di | 4.9.80-2 | i386
pata-modules-4.9.0-5-686-pae-di | 4.9.80-2 | i386
pcmcia-modules-4.9.0-4-686-di | 4.9.65-3+deb9u1 | i386
pcmcia-modules-4.9.0-4-686-pae-di | 4.9.65-3+deb9u1 | i386
pcmcia-modules-4.9.0-5-686-di | 4.9.80-2 | i386
pcmcia-modules-4.9.0-5-686-pae-di | 4.9.80-2 | i386
pcmcia-storage-modules-4.9.0-4-686-di | 4.9.65-3+deb9u1 | i386
pcmcia-storage-modules-4.9.0-4-686-pae-di | 4.9.65-3+deb9u1 | i386
pcmcia-storage-modules-4.9.0-5-686-di | 4.9.80-2 | i386
pcmcia-storage-modules-4.9.0-5-686-pae-di | 4.9.80-2 | i386
ppp-modules-4.9.0-4-686-di | 4.9.65-3+deb9u1 | i386
ppp-modules-4.9.0-4-686-pae-di | 4.9.65-3+deb9u1 | i386
ppp-modules-4.9.0-5-686-di | 4.9.80-2 | i386
ppp-modules-4.9.0-5-686-pae-di | 4.9.80-2 | i386
sata-modules-4.9.0-4-686-di | 4.9.65-3+deb9u1 | i386
sata-modules-4.9.0-4-686-pae-di | 4.9.65-3+deb9u1 | i386
sata-modules-4.9.0-5-686-di | 4.9.80-2 | i386
sata-modules-4.9.0-5-686-pae-di | 4.9.80-2 | i386
scsi-core-modules-4.9.0-4-686-di | 4.9.65-3+deb9u1 | i386
scsi-core-modules-4.9.0-4-686-pae-di | 4.9.65-3+deb9u1 | i386
scsi-core-modules-4.9.0-5-686-di | 4.9.80-2 | i386
scsi-core-modules-4.9.0-5-686-pae-di | 4.9.80-2 | i386
scsi-modules-4.9.0-4-686-di | 4.9.65-3+deb9u1 | i386
scsi-modules-4.9.0-4-686-pae-di | 4.9.65-3+deb9u1 | i386
scsi-modules-4.9.0-5-686-di | 4.9.80-2 | i386
scsi-modules-4.9.0-5-686-pae-di | 4.9.80-2 | i386
serial-modules-4.9.0-4-686-di | 4.9.65-3+deb9u1 | i386
serial-modules-4.9.0-4-686-pae-di | 4.9.65-3+deb9u1 | i386
serial-modules-4.9.0-5-686-di | 4.9.80-2 | i386
serial-modules-4.9.0-5-686-pae-di | 4.9.80-2 | i386
sound-modules-4.9.0-4-686-di | 4.9.65-3+deb9u1 | i386
sound-modules-4.9.0-4-686-pae-di | 4.9.65-3+deb9u1 | i386
sound-modules-4.9.0-5-686-di | 4.9.80-2 | i386
sound-modules-4.9.0-5-686-pae-di | 4.9.80-2 | i386
speakup-modules-4.9.0-4-686-di | 4.9.65-3+deb9u1 | i386
speakup-modules-4.9.0-4-686-pae-di | 4.9.65-3+deb9u1 | i386
speakup-modules-4.9.0-5-686-di | 4.9.80-2 | i386
speakup-modules-4.9.0-5-686-pae-di | 4.9.80-2 | i386
squashfs-modules-4.9.0-4-686-di | 4.9.65-3+deb9u1 | i386
squashfs-modules-4.9.0-4-686-pae-di | 4.9.65-3+deb9u1 | i386
squashfs-modules-4.9.0-5-686-di | 4.9.80-2 | i386 squashfs-modules-4.9.0-5-686-pae-di | 4.9.80-2 | i386 udf-modules-4.9.0-4-686-di | 4.9.65-3+deb9u1 | i386 udf-modules-4.9.0-4-686-pae-di | 4.9.65-3+deb9u1 | i386 udf-modules-4.9.0-5-686-di | 4.9.80-2 | i386 udf-modules-4.9.0-5-686-pae-di | 4.9.80-2 | i386 uinput-modules-4.9.0-4-686-di | 4.9.65-3+deb9u1 | i386 uinput-modules-4.9.0-4-686-pae-di | 4.9.65-3+deb9u1 | i386 uinput-modules-4.9.0-5-686-di | 4.9.80-2 | i386 uinput-modules-4.9.0-5-686-pae-di | 4.9.80-2 | i386 usb-modules-4.9.0-4-686-di | 4.9.65-3+deb9u1 | i386 usb-modules-4.9.0-4-686-pae-di | 4.9.65-3+deb9u1 | i386 usb-modules-4.9.0-5-686-di | 4.9.80-2 | i386 usb-modules-4.9.0-5-686-pae-di | 4.9.80-2 | i386 usb-serial-modules-4.9.0-4-686-di | 4.9.65-3+deb9u1 | i386 usb-serial-modules-4.9.0-4-686-pae-di | 4.9.65-3+deb9u1 | i386 usb-serial-modules-4.9.0-5-686-di | 4.9.80-2 | i386 usb-serial-modules-4.9.0-5-686-pae-di | 4.9.80-2 | i386 usb-storage-modules-4.9.0-4-686-di | 4.9.65-3+deb9u1 | i386 usb-storage-modules-4.9.0-4-686-pae-di | 4.9.65-3+deb9u1 | i386 usb-storage-modules-4.9.0-5-686-di | 4.9.80-2 | i386 usb-storage-modules-4.9.0-5-686-pae-di | 4.9.80-2 | i386 virtio-modules-4.9.0-4-686-di | 4.9.65-3+deb9u1 | i386 virtio-modules-4.9.0-4-686-pae-di | 4.9.65-3+deb9u1 | i386 virtio-modules-4.9.0-5-686-di | 4.9.80-2 | i386 virtio-modules-4.9.0-5-686-pae-di | 4.9.80-2 | i386 xfs-modules-4.9.0-4-686-di | 4.9.65-3+deb9u1 | i386 xfs-modules-4.9.0-4-686-pae-di | 4.9.65-3+deb9u1 | i386 xfs-modules-4.9.0-5-686-di | 4.9.80-2 | i386 xfs-modules-4.9.0-5-686-pae-di | 4.9.80-2 | i386 ------------------- Reason ------------------- [auto-cruft] NBS (no longer built by linux) ---------------------------------------------- ========================================================================= ========================================================================= [Date: Sat, 10 Mar 2018 09:14:17 +0000] [ftpmaster: Mark Hymers] Removed the following packages from stable: 
linux-headers-4.9.0-4-all-mips | 4.9.65-3+deb9u1 | mips linux-headers-4.9.0-5-all-mips | 4.9.80-2 | mips ------------------- Reason ------------------- [auto-cruft] NBS (no longer built by linux) ---------------------------------------------- ========================================================================= ========================================================================= [Date: Sat, 10 Mar 2018 09:14:48 +0000] [ftpmaster: Mark Hymers] Removed the following packages from stable: affs-modules-4.9.0-4-octeon-di | 4.9.65-3+deb9u1 | mips, mips64el, mipsel affs-modules-4.9.0-5-octeon-di | 4.9.80-2 | mips, mips64el, mipsel btrfs-modules-4.9.0-4-octeon-di | 4.9.65-3+deb9u1 | mips, mips64el, mipsel btrfs-modules-4.9.0-5-octeon-di | 4.9.80-2 | mips, mips64el, mipsel cdrom-core-modules-4.9.0-4-octeon-di | 4.9.65-3+deb9u1 | mips, mips64el, mipsel cdrom-core-modules-4.9.0-5-octeon-di | 4.9.80-2 | mips, mips64el, mipsel crc-modules-4.9.0-4-octeon-di | 4.9.65-3+deb9u1 | mips, mips64el, mipsel crc-modules-4.9.0-5-octeon-di | 4.9.80-2 | mips, mips64el, mipsel crypto-dm-modules-4.9.0-4-octeon-di | 4.9.65-3+deb9u1 | mips, mips64el, mipsel crypto-dm-modules-4.9.0-5-octeon-di | 4.9.80-2 | mips, mips64el, mipsel crypto-modules-4.9.0-4-octeon-di | 4.9.65-3+deb9u1 | mips, mips64el, mipsel crypto-modules-4.9.0-5-octeon-di | 4.9.80-2 | mips, mips64el, mipsel event-modules-4.9.0-4-octeon-di | 4.9.65-3+deb9u1 | mips, mips64el, mipsel event-modules-4.9.0-5-octeon-di | 4.9.80-2 | mips, mips64el, mipsel ext4-modules-4.9.0-4-octeon-di | 4.9.65-3+deb9u1 | mips, mips64el, mipsel ext4-modules-4.9.0-5-octeon-di | 4.9.80-2 | mips, mips64el, mipsel fat-modules-4.9.0-4-octeon-di | 4.9.65-3+deb9u1 | mips, mips64el, mipsel fat-modules-4.9.0-5-octeon-di | 4.9.80-2 | mips, mips64el, mipsel fuse-modules-4.9.0-4-octeon-di | 4.9.65-3+deb9u1 | mips, mips64el, mipsel fuse-modules-4.9.0-5-octeon-di | 4.9.80-2 | mips, mips64el, mipsel hfs-modules-4.9.0-4-octeon-di | 4.9.65-3+deb9u1 | mips, 
mips64el, mipsel hfs-modules-4.9.0-5-octeon-di | 4.9.80-2 | mips, mips64el, mipsel input-modules-4.9.0-4-octeon-di | 4.9.65-3+deb9u1 | mips, mips64el, mipsel input-modules-4.9.0-5-octeon-di | 4.9.80-2 | mips, mips64el, mipsel isofs-modules-4.9.0-4-octeon-di | 4.9.65-3+deb9u1 | mips, mips64el, mipsel isofs-modules-4.9.0-5-octeon-di | 4.9.80-2 | mips, mips64el, mipsel jfs-modules-4.9.0-4-octeon-di | 4.9.65-3+deb9u1 | mips, mips64el, mipsel jfs-modules-4.9.0-5-octeon-di | 4.9.80-2 | mips, mips64el, mipsel kernel-image-4.9.0-4-octeon-di | 4.9.65-3+deb9u1 | mips, mips64el, mipsel kernel-image-4.9.0-5-octeon-di | 4.9.80-2 | mips, mips64el, mipsel linux-headers-4.9.0-4-5kc-malta | 4.9.65-3+deb9u1 | mips, mips64el, mipsel linux-headers-4.9.0-4-octeon | 4.9.65-3+deb9u1 | mips, mips64el, mipsel linux-headers-4.9.0-5-5kc-malta | 4.9.80-2 | mips, mips64el, mipsel linux-headers-4.9.0-5-octeon | 4.9.80-2 | mips, mips64el, mipsel linux-image-4.9.0-4-5kc-malta | 4.9.65-3+deb9u1 | mips, mips64el, mipsel linux-image-4.9.0-4-5kc-malta-dbg | 4.9.65-3+deb9u1 | mips, mips64el, mipsel linux-image-4.9.0-4-octeon | 4.9.65-3+deb9u1 | mips, mips64el, mipsel linux-image-4.9.0-4-octeon-dbg | 4.9.65-3+deb9u1 | mips, mips64el, mipsel linux-image-4.9.0-5-5kc-malta | 4.9.80-2 | mips, mips64el, mipsel linux-image-4.9.0-5-5kc-malta-dbg | 4.9.80-2 | mips, mips64el, mipsel linux-image-4.9.0-5-octeon | 4.9.80-2 | mips, mips64el, mipsel linux-image-4.9.0-5-octeon-dbg | 4.9.80-2 | mips, mips64el, mipsel loop-modules-4.9.0-4-octeon-di | 4.9.65-3+deb9u1 | mips, mips64el, mipsel loop-modules-4.9.0-5-octeon-di | 4.9.80-2 | mips, mips64el, mipsel md-modules-4.9.0-4-octeon-di | 4.9.65-3+deb9u1 | mips, mips64el, mipsel md-modules-4.9.0-5-octeon-di | 4.9.80-2 | mips, mips64el, mipsel minix-modules-4.9.0-4-octeon-di | 4.9.65-3+deb9u1 | mips, mips64el, mipsel minix-modules-4.9.0-5-octeon-di | 4.9.80-2 | mips, mips64el, mipsel multipath-modules-4.9.0-4-octeon-di | 4.9.65-3+deb9u1 | mips, mips64el, mipsel 
multipath-modules-4.9.0-5-octeon-di | 4.9.80-2 | mips, mips64el, mipsel nbd-modules-4.9.0-4-octeon-di | 4.9.65-3+deb9u1 | mips, mips64el, mipsel nbd-modules-4.9.0-5-octeon-di | 4.9.80-2 | mips, mips64el, mipsel nic-modules-4.9.0-4-octeon-di | 4.9.65-3+deb9u1 | mips, mips64el, mipsel nic-modules-4.9.0-5-octeon-di | 4.9.80-2 | mips, mips64el, mipsel nic-shared-modules-4.9.0-4-octeon-di | 4.9.65-3+deb9u1 | mips, mips64el, mipsel nic-shared-modules-4.9.0-5-octeon-di | 4.9.80-2 | mips, mips64el, mipsel nic-usb-modules-4.9.0-4-octeon-di | 4.9.65-3+deb9u1 | mips, mips64el, mipsel nic-usb-modules-4.9.0-5-octeon-di | 4.9.80-2 | mips, mips64el, mipsel nic-wireless-modules-4.9.0-4-octeon-di | 4.9.65-3+deb9u1 | mips, mips64el, mipsel nic-wireless-modules-4.9.0-5-octeon-di | 4.9.80-2 | mips, mips64el, mipsel ntfs-modules-4.9.0-4-octeon-di | 4.9.65-3+deb9u1 | mips, mips64el, mipsel ntfs-modules-4.9.0-5-octeon-di | 4.9.80-2 | mips, mips64el, mipsel pata-modules-4.9.0-4-octeon-di | 4.9.65-3+deb9u1 | mips, mips64el, mipsel pata-modules-4.9.0-5-octeon-di | 4.9.80-2 | mips, mips64el, mipsel ppp-modules-4.9.0-4-octeon-di | 4.9.65-3+deb9u1 | mips, mips64el, mipsel ppp-modules-4.9.0-5-octeon-di | 4.9.80-2 | mips, mips64el, mipsel rtc-modules-4.9.0-4-octeon-di | 4.9.65-3+deb9u1 | mips, mips64el, mipsel rtc-modules-4.9.0-5-octeon-di | 4.9.80-2 | mips, mips64el, mipsel sata-modules-4.9.0-4-octeon-di | 4.9.65-3+deb9u1 | mips, mips64el, mipsel sata-modules-4.9.0-5-octeon-di | 4.9.80-2 | mips, mips64el, mipsel scsi-core-modules-4.9.0-4-octeon-di | 4.9.65-3+deb9u1 | mips, mips64el, mipsel scsi-core-modules-4.9.0-5-octeon-di | 4.9.80-2 | mips, mips64el, mipsel scsi-modules-4.9.0-4-octeon-di | 4.9.65-3+deb9u1 | mips, mips64el, mipsel scsi-modules-4.9.0-5-octeon-di | 4.9.80-2 | mips, mips64el, mipsel sound-modules-4.9.0-4-octeon-di | 4.9.65-3+deb9u1 | mips, mips64el, mipsel sound-modules-4.9.0-5-octeon-di | 4.9.80-2 | mips, mips64el, mipsel squashfs-modules-4.9.0-4-octeon-di | 4.9.65-3+deb9u1 | 
mips, mips64el, mipsel squashfs-modules-4.9.0-5-octeon-di | 4.9.80-2 | mips, mips64el, mipsel udf-modules-4.9.0-4-octeon-di | 4.9.65-3+deb9u1 | mips, mips64el, mipsel udf-modules-4.9.0-5-octeon-di | 4.9.80-2 | mips, mips64el, mipsel usb-modules-4.9.0-4-octeon-di | 4.9.65-3+deb9u1 | mips, mips64el, mipsel usb-modules-4.9.0-5-octeon-di | 4.9.80-2 | mips, mips64el, mipsel usb-serial-modules-4.9.0-4-octeon-di | 4.9.65-3+deb9u1 | mips, mips64el, mipsel usb-serial-modules-4.9.0-5-octeon-di | 4.9.80-2 | mips, mips64el, mipsel usb-storage-modules-4.9.0-4-octeon-di | 4.9.65-3+deb9u1 | mips, mips64el, mipsel usb-storage-modules-4.9.0-5-octeon-di | 4.9.80-2 | mips, mips64el, mipsel virtio-modules-4.9.0-4-octeon-di | 4.9.65-3+deb9u1 | mips, mips64el, mipsel virtio-modules-4.9.0-5-octeon-di | 4.9.80-2 | mips, mips64el, mipsel xfs-modules-4.9.0-4-octeon-di | 4.9.65-3+deb9u1 | mips, mips64el, mipsel xfs-modules-4.9.0-5-octeon-di | 4.9.80-2 | mips, mips64el, mipsel zlib-modules-4.9.0-4-octeon-di | 4.9.65-3+deb9u1 | mips, mips64el, mipsel zlib-modules-4.9.0-5-octeon-di | 4.9.80-2 | mips, mips64el, mipsel ------------------- Reason ------------------- [auto-cruft] NBS (no longer built by linux) ---------------------------------------------- ========================================================================= ========================================================================= [Date: Sat, 10 Mar 2018 09:15:09 +0000] [ftpmaster: Mark Hymers] Removed the following packages from stable: affs-modules-4.9.0-4-4kc-malta-di | 4.9.65-3+deb9u1 | mips, mipsel affs-modules-4.9.0-5-4kc-malta-di | 4.9.80-2 | mips, mipsel ata-modules-4.9.0-4-4kc-malta-di | 4.9.65-3+deb9u1 | mips, mipsel ata-modules-4.9.0-5-4kc-malta-di | 4.9.80-2 | mips, mipsel btrfs-modules-4.9.0-4-4kc-malta-di | 4.9.65-3+deb9u1 | mips, mipsel btrfs-modules-4.9.0-5-4kc-malta-di | 4.9.80-2 | mips, mipsel cdrom-core-modules-4.9.0-4-4kc-malta-di | 4.9.65-3+deb9u1 | mips, mipsel cdrom-core-modules-4.9.0-5-4kc-malta-di | 
4.9.80-2 | mips, mipsel crc-modules-4.9.0-4-4kc-malta-di | 4.9.65-3+deb9u1 | mips, mipsel crc-modules-4.9.0-5-4kc-malta-di | 4.9.80-2 | mips, mipsel crypto-dm-modules-4.9.0-4-4kc-malta-di | 4.9.65-3+deb9u1 | mips, mipsel crypto-dm-modules-4.9.0-5-4kc-malta-di | 4.9.80-2 | mips, mipsel crypto-modules-4.9.0-4-4kc-malta-di | 4.9.65-3+deb9u1 | mips, mipsel crypto-modules-4.9.0-5-4kc-malta-di | 4.9.80-2 | mips, mipsel event-modules-4.9.0-4-4kc-malta-di | 4.9.65-3+deb9u1 | mips, mipsel event-modules-4.9.0-5-4kc-malta-di | 4.9.80-2 | mips, mipsel ext4-modules-4.9.0-4-4kc-malta-di | 4.9.65-3+deb9u1 | mips, mipsel ext4-modules-4.9.0-5-4kc-malta-di | 4.9.80-2 | mips, mipsel fat-modules-4.9.0-4-4kc-malta-di | 4.9.65-3+deb9u1 | mips, mipsel fat-modules-4.9.0-5-4kc-malta-di | 4.9.80-2 | mips, mipsel fuse-modules-4.9.0-4-4kc-malta-di | 4.9.65-3+deb9u1 | mips, mipsel fuse-modules-4.9.0-5-4kc-malta-di | 4.9.80-2 | mips, mipsel hfs-modules-4.9.0-4-4kc-malta-di | 4.9.65-3+deb9u1 | mips, mipsel hfs-modules-4.9.0-5-4kc-malta-di | 4.9.80-2 | mips, mipsel i2c-modules-4.9.0-4-4kc-malta-di | 4.9.65-3+deb9u1 | mips, mipsel i2c-modules-4.9.0-5-4kc-malta-di | 4.9.80-2 | mips, mipsel input-modules-4.9.0-4-4kc-malta-di | 4.9.65-3+deb9u1 | mips, mipsel input-modules-4.9.0-5-4kc-malta-di | 4.9.80-2 | mips, mipsel isofs-modules-4.9.0-4-4kc-malta-di | 4.9.65-3+deb9u1 | mips, mipsel isofs-modules-4.9.0-5-4kc-malta-di | 4.9.80-2 | mips, mipsel jfs-modules-4.9.0-4-4kc-malta-di | 4.9.65-3+deb9u1 | mips, mipsel jfs-modules-4.9.0-5-4kc-malta-di | 4.9.80-2 | mips, mipsel kernel-image-4.9.0-4-4kc-malta-di | 4.9.65-3+deb9u1 | mips, mipsel kernel-image-4.9.0-5-4kc-malta-di | 4.9.80-2 | mips, mipsel linux-headers-4.9.0-4-4kc-malta | 4.9.65-3+deb9u1 | mips, mipsel linux-headers-4.9.0-5-4kc-malta | 4.9.80-2 | mips, mipsel linux-image-4.9.0-4-4kc-malta | 4.9.65-3+deb9u1 | mips, mipsel linux-image-4.9.0-4-4kc-malta-dbg | 4.9.65-3+deb9u1 | mips, mipsel linux-image-4.9.0-5-4kc-malta | 4.9.80-2 | mips, mipsel 
linux-image-4.9.0-5-4kc-malta-dbg | 4.9.80-2 | mips, mipsel loop-modules-4.9.0-4-4kc-malta-di | 4.9.65-3+deb9u1 | mips, mipsel loop-modules-4.9.0-5-4kc-malta-di | 4.9.80-2 | mips, mipsel md-modules-4.9.0-4-4kc-malta-di | 4.9.65-3+deb9u1 | mips, mipsel md-modules-4.9.0-5-4kc-malta-di | 4.9.80-2 | mips, mipsel minix-modules-4.9.0-4-4kc-malta-di | 4.9.65-3+deb9u1 | mips, mipsel minix-modules-4.9.0-5-4kc-malta-di | 4.9.80-2 | mips, mipsel mmc-core-modules-4.9.0-4-4kc-malta-di | 4.9.65-3+deb9u1 | mips, mipsel mmc-core-modules-4.9.0-5-4kc-malta-di | 4.9.80-2 | mips, mipsel mmc-modules-4.9.0-4-4kc-malta-di | 4.9.65-3+deb9u1 | mips, mipsel mmc-modules-4.9.0-5-4kc-malta-di | 4.9.80-2 | mips, mipsel mouse-modules-4.9.0-4-4kc-malta-di | 4.9.65-3+deb9u1 | mips, mipsel mouse-modules-4.9.0-5-4kc-malta-di | 4.9.80-2 | mips, mipsel multipath-modules-4.9.0-4-4kc-malta-di | 4.9.65-3+deb9u1 | mips, mipsel multipath-modules-4.9.0-5-4kc-malta-di | 4.9.80-2 | mips, mipsel nbd-modules-4.9.0-4-4kc-malta-di | 4.9.65-3+deb9u1 | mips, mipsel nbd-modules-4.9.0-5-4kc-malta-di | 4.9.80-2 | mips, mipsel nic-modules-4.9.0-4-4kc-malta-di | 4.9.65-3+deb9u1 | mips, mipsel nic-modules-4.9.0-5-4kc-malta-di | 4.9.80-2 | mips, mipsel nic-shared-modules-4.9.0-4-4kc-malta-di | 4.9.65-3+deb9u1 | mips, mipsel nic-shared-modules-4.9.0-5-4kc-malta-di | 4.9.80-2 | mips, mipsel nic-usb-modules-4.9.0-4-4kc-malta-di | 4.9.65-3+deb9u1 | mips, mipsel nic-usb-modules-4.9.0-5-4kc-malta-di | 4.9.80-2 | mips, mipsel nic-wireless-modules-4.9.0-4-4kc-malta-di | 4.9.65-3+deb9u1 | mips, mipsel nic-wireless-modules-4.9.0-5-4kc-malta-di | 4.9.80-2 | mips, mipsel ntfs-modules-4.9.0-4-4kc-malta-di | 4.9.65-3+deb9u1 | mips, mipsel ntfs-modules-4.9.0-5-4kc-malta-di | 4.9.80-2 | mips, mipsel pata-modules-4.9.0-4-4kc-malta-di | 4.9.65-3+deb9u1 | mips, mipsel pata-modules-4.9.0-5-4kc-malta-di | 4.9.80-2 | mips, mipsel ppp-modules-4.9.0-4-4kc-malta-di | 4.9.65-3+deb9u1 | mips, mipsel ppp-modules-4.9.0-5-4kc-malta-di | 4.9.80-2 | 
mips, mipsel sata-modules-4.9.0-4-4kc-malta-di | 4.9.65-3+deb9u1 | mips, mipsel sata-modules-4.9.0-5-4kc-malta-di | 4.9.80-2 | mips, mipsel scsi-core-modules-4.9.0-4-4kc-malta-di | 4.9.65-3+deb9u1 | mips, mipsel scsi-core-modules-4.9.0-5-4kc-malta-di | 4.9.80-2 | mips, mipsel scsi-modules-4.9.0-4-4kc-malta-di | 4.9.65-3+deb9u1 | mips, mipsel scsi-modules-4.9.0-5-4kc-malta-di | 4.9.80-2 | mips, mipsel sound-modules-4.9.0-4-4kc-malta-di | 4.9.65-3+deb9u1 | mips, mipsel sound-modules-4.9.0-5-4kc-malta-di | 4.9.80-2 | mips, mipsel squashfs-modules-4.9.0-4-4kc-malta-di | 4.9.65-3+deb9u1 | mips, mipsel squashfs-modules-4.9.0-5-4kc-malta-di | 4.9.80-2 | mips, mipsel udf-modules-4.9.0-4-4kc-malta-di | 4.9.65-3+deb9u1 | mips, mipsel udf-modules-4.9.0-5-4kc-malta-di | 4.9.80-2 | mips, mipsel usb-modules-4.9.0-4-4kc-malta-di | 4.9.65-3+deb9u1 | mips, mipsel usb-modules-4.9.0-5-4kc-malta-di | 4.9.80-2 | mips, mipsel usb-serial-modules-4.9.0-4-4kc-malta-di | 4.9.65-3+deb9u1 | mips, mipsel usb-serial-modules-4.9.0-5-4kc-malta-di | 4.9.80-2 | mips, mipsel usb-storage-modules-4.9.0-4-4kc-malta-di | 4.9.65-3+deb9u1 | mips, mipsel usb-storage-modules-4.9.0-5-4kc-malta-di | 4.9.80-2 | mips, mipsel virtio-modules-4.9.0-4-4kc-malta-di | 4.9.65-3+deb9u1 | mips, mipsel virtio-modules-4.9.0-5-4kc-malta-di | 4.9.80-2 | mips, mipsel xfs-modules-4.9.0-4-4kc-malta-di | 4.9.65-3+deb9u1 | mips, mipsel xfs-modules-4.9.0-5-4kc-malta-di | 4.9.80-2 | mips, mipsel zlib-modules-4.9.0-4-4kc-malta-di | 4.9.65-3+deb9u1 | mips, mipsel zlib-modules-4.9.0-5-4kc-malta-di | 4.9.80-2 | mips, mipsel ------------------- Reason ------------------- [auto-cruft] NBS (no longer built by linux) ---------------------------------------------- ========================================================================= ========================================================================= [Date: Sat, 10 Mar 2018 09:15:31 +0000] [ftpmaster: Mark Hymers] Removed the following packages from stable: 
affs-modules-4.9.0-4-5kc-malta-di | 4.9.65-3+deb9u1 | mips64el affs-modules-4.9.0-5-5kc-malta-di | 4.9.80-2 | mips64el ata-modules-4.9.0-4-5kc-malta-di | 4.9.65-3+deb9u1 | mips64el ata-modules-4.9.0-5-5kc-malta-di | 4.9.80-2 | mips64el btrfs-modules-4.9.0-4-5kc-malta-di | 4.9.65-3+deb9u1 | mips64el btrfs-modules-4.9.0-5-5kc-malta-di | 4.9.80-2 | mips64el cdrom-core-modules-4.9.0-4-5kc-malta-di | 4.9.65-3+deb9u1 | mips64el cdrom-core-modules-4.9.0-5-5kc-malta-di | 4.9.80-2 | mips64el crc-modules-4.9.0-4-5kc-malta-di | 4.9.65-3+deb9u1 | mips64el crc-modules-4.9.0-5-5kc-malta-di | 4.9.80-2 | mips64el crypto-dm-modules-4.9.0-4-5kc-malta-di | 4.9.65-3+deb9u1 | mips64el crypto-dm-modules-4.9.0-5-5kc-malta-di | 4.9.80-2 | mips64el crypto-modules-4.9.0-4-5kc-malta-di | 4.9.65-3+deb9u1 | mips64el crypto-modules-4.9.0-5-5kc-malta-di | 4.9.80-2 | mips64el event-modules-4.9.0-4-5kc-malta-di | 4.9.65-3+deb9u1 | mips64el event-modules-4.9.0-5-5kc-malta-di | 4.9.80-2 | mips64el ext4-modules-4.9.0-4-5kc-malta-di | 4.9.65-3+deb9u1 | mips64el ext4-modules-4.9.0-5-5kc-malta-di | 4.9.80-2 | mips64el fat-modules-4.9.0-4-5kc-malta-di | 4.9.65-3+deb9u1 | mips64el fat-modules-4.9.0-5-5kc-malta-di | 4.9.80-2 | mips64el fuse-modules-4.9.0-4-5kc-malta-di | 4.9.65-3+deb9u1 | mips64el fuse-modules-4.9.0-5-5kc-malta-di | 4.9.80-2 | mips64el hfs-modules-4.9.0-4-5kc-malta-di | 4.9.65-3+deb9u1 | mips64el hfs-modules-4.9.0-5-5kc-malta-di | 4.9.80-2 | mips64el i2c-modules-4.9.0-4-5kc-malta-di | 4.9.65-3+deb9u1 | mips64el i2c-modules-4.9.0-5-5kc-malta-di | 4.9.80-2 | mips64el input-modules-4.9.0-4-5kc-malta-di | 4.9.65-3+deb9u1 | mips64el input-modules-4.9.0-5-5kc-malta-di | 4.9.80-2 | mips64el isofs-modules-4.9.0-4-5kc-malta-di | 4.9.65-3+deb9u1 | mips64el isofs-modules-4.9.0-5-5kc-malta-di | 4.9.80-2 | mips64el jfs-modules-4.9.0-4-5kc-malta-di | 4.9.65-3+deb9u1 | mips64el jfs-modules-4.9.0-5-5kc-malta-di | 4.9.80-2 | mips64el kernel-image-4.9.0-4-5kc-malta-di | 4.9.65-3+deb9u1 | mips64el 
kernel-image-4.9.0-5-5kc-malta-di | 4.9.80-2 | mips64el linux-headers-4.9.0-4-all-mips64el | 4.9.65-3+deb9u1 | mips64el linux-headers-4.9.0-5-all-mips64el | 4.9.80-2 | mips64el loop-modules-4.9.0-4-5kc-malta-di | 4.9.65-3+deb9u1 | mips64el loop-modules-4.9.0-5-5kc-malta-di | 4.9.80-2 | mips64el md-modules-4.9.0-4-5kc-malta-di | 4.9.65-3+deb9u1 | mips64el md-modules-4.9.0-5-5kc-malta-di | 4.9.80-2 | mips64el minix-modules-4.9.0-4-5kc-malta-di | 4.9.65-3+deb9u1 | mips64el minix-modules-4.9.0-5-5kc-malta-di | 4.9.80-2 | mips64el mmc-core-modules-4.9.0-4-5kc-malta-di | 4.9.65-3+deb9u1 | mips64el mmc-core-modules-4.9.0-5-5kc-malta-di | 4.9.80-2 | mips64el mmc-modules-4.9.0-4-5kc-malta-di | 4.9.65-3+deb9u1 | mips64el mmc-modules-4.9.0-5-5kc-malta-di | 4.9.80-2 | mips64el mouse-modules-4.9.0-4-5kc-malta-di | 4.9.65-3+deb9u1 | mips64el mouse-modules-4.9.0-5-5kc-malta-di | 4.9.80-2 | mips64el multipath-modules-4.9.0-4-5kc-malta-di | 4.9.65-3+deb9u1 | mips64el multipath-modules-4.9.0-5-5kc-malta-di | 4.9.80-2 | mips64el nbd-modules-4.9.0-4-5kc-malta-di | 4.9.65-3+deb9u1 | mips64el nbd-modules-4.9.0-5-5kc-malta-di | 4.9.80-2 | mips64el nic-modules-4.9.0-4-5kc-malta-di | 4.9.65-3+deb9u1 | mips64el nic-modules-4.9.0-5-5kc-malta-di | 4.9.80-2 | mips64el nic-shared-modules-4.9.0-4-5kc-malta-di | 4.9.65-3+deb9u1 | mips64el nic-shared-modules-4.9.0-5-5kc-malta-di | 4.9.80-2 | mips64el nic-usb-modules-4.9.0-4-5kc-malta-di | 4.9.65-3+deb9u1 | mips64el nic-usb-modules-4.9.0-5-5kc-malta-di | 4.9.80-2 | mips64el nic-wireless-modules-4.9.0-4-5kc-malta-di | 4.9.65-3+deb9u1 | mips64el nic-wireless-modules-4.9.0-5-5kc-malta-di | 4.9.80-2 | mips64el ntfs-modules-4.9.0-4-5kc-malta-di | 4.9.65-3+deb9u1 | mips64el ntfs-modules-4.9.0-5-5kc-malta-di | 4.9.80-2 | mips64el pata-modules-4.9.0-4-5kc-malta-di | 4.9.65-3+deb9u1 | mips64el pata-modules-4.9.0-5-5kc-malta-di | 4.9.80-2 | mips64el ppp-modules-4.9.0-4-5kc-malta-di | 4.9.65-3+deb9u1 | mips64el ppp-modules-4.9.0-5-5kc-malta-di | 4.9.80-2 | 
mips64el sata-modules-4.9.0-4-5kc-malta-di | 4.9.65-3+deb9u1 | mips64el sata-modules-4.9.0-5-5kc-malta-di | 4.9.80-2 | mips64el scsi-core-modules-4.9.0-4-5kc-malta-di | 4.9.65-3+deb9u1 | mips64el scsi-core-modules-4.9.0-5-5kc-malta-di | 4.9.80-2 | mips64el scsi-modules-4.9.0-4-5kc-malta-di | 4.9.65-3+deb9u1 | mips64el scsi-modules-4.9.0-5-5kc-malta-di | 4.9.80-2 | mips64el sound-modules-4.9.0-4-5kc-malta-di | 4.9.65-3+deb9u1 | mips64el sound-modules-4.9.0-5-5kc-malta-di | 4.9.80-2 | mips64el squashfs-modules-4.9.0-4-5kc-malta-di | 4.9.65-3+deb9u1 | mips64el squashfs-modules-4.9.0-5-5kc-malta-di | 4.9.80-2 | mips64el udf-modules-4.9.0-4-5kc-malta-di | 4.9.65-3+deb9u1 | mips64el udf-modules-4.9.0-5-5kc-malta-di | 4.9.80-2 | mips64el usb-modules-4.9.0-4-5kc-malta-di | 4.9.65-3+deb9u1 | mips64el usb-modules-4.9.0-5-5kc-malta-di | 4.9.80-2 | mips64el usb-serial-modules-4.9.0-4-5kc-malta-di | 4.9.65-3+deb9u1 | mips64el usb-serial-modules-4.9.0-5-5kc-malta-di | 4.9.80-2 | mips64el usb-storage-modules-4.9.0-4-5kc-malta-di | 4.9.65-3+deb9u1 | mips64el usb-storage-modules-4.9.0-5-5kc-malta-di | 4.9.80-2 | mips64el virtio-modules-4.9.0-4-5kc-malta-di | 4.9.65-3+deb9u1 | mips64el virtio-modules-4.9.0-5-5kc-malta-di | 4.9.80-2 | mips64el xfs-modules-4.9.0-4-5kc-malta-di | 4.9.65-3+deb9u1 | mips64el xfs-modules-4.9.0-5-5kc-malta-di | 4.9.80-2 | mips64el zlib-modules-4.9.0-4-5kc-malta-di | 4.9.65-3+deb9u1 | mips64el zlib-modules-4.9.0-5-5kc-malta-di | 4.9.80-2 | mips64el ------------------- Reason ------------------- [auto-cruft] NBS (no longer built by linux) ---------------------------------------------- ========================================================================= ========================================================================= [Date: Sat, 10 Mar 2018 09:15:55 +0000] [ftpmaster: Mark Hymers] Removed the following packages from stable: affs-modules-4.9.0-4-loongson-3-di | 4.9.65-3+deb9u1 | mips64el, mipsel affs-modules-4.9.0-5-loongson-3-di | 4.9.80-2 | 
mips64el, mipsel ata-modules-4.9.0-4-loongson-3-di | 4.9.65-3+deb9u1 | mips64el, mipsel ata-modules-4.9.0-5-loongson-3-di | 4.9.80-2 | mips64el, mipsel btrfs-modules-4.9.0-4-loongson-3-di | 4.9.65-3+deb9u1 | mips64el, mipsel btrfs-modules-4.9.0-5-loongson-3-di | 4.9.80-2 | mips64el, mipsel cdrom-core-modules-4.9.0-4-loongson-3-di | 4.9.65-3+deb9u1 | mips64el, mipsel cdrom-core-modules-4.9.0-5-loongson-3-di | 4.9.80-2 | mips64el, mipsel crc-modules-4.9.0-4-loongson-3-di | 4.9.65-3+deb9u1 | mips64el, mipsel crc-modules-4.9.0-5-loongson-3-di | 4.9.80-2 | mips64el, mipsel crypto-dm-modules-4.9.0-4-loongson-3-di | 4.9.65-3+deb9u1 | mips64el, mipsel crypto-dm-modules-4.9.0-5-loongson-3-di | 4.9.80-2 | mips64el, mipsel crypto-modules-4.9.0-4-loongson-3-di | 4.9.65-3+deb9u1 | mips64el, mipsel crypto-modules-4.9.0-5-loongson-3-di | 4.9.80-2 | mips64el, mipsel event-modules-4.9.0-4-loongson-3-di | 4.9.65-3+deb9u1 | mips64el, mipsel event-modules-4.9.0-5-loongson-3-di | 4.9.80-2 | mips64el, mipsel ext4-modules-4.9.0-4-loongson-3-di | 4.9.65-3+deb9u1 | mips64el, mipsel ext4-modules-4.9.0-5-loongson-3-di | 4.9.80-2 | mips64el, mipsel fat-modules-4.9.0-4-loongson-3-di | 4.9.65-3+deb9u1 | mips64el, mipsel fat-modules-4.9.0-5-loongson-3-di | 4.9.80-2 | mips64el, mipsel fb-modules-4.9.0-4-loongson-3-di | 4.9.65-3+deb9u1 | mips64el, mipsel fb-modules-4.9.0-5-loongson-3-di | 4.9.80-2 | mips64el, mipsel firewire-core-modules-4.9.0-4-loongson-3-di | 4.9.65-3+deb9u1 | mips64el, mipsel firewire-core-modules-4.9.0-5-loongson-3-di | 4.9.80-2 | mips64el, mipsel fuse-modules-4.9.0-4-loongson-3-di | 4.9.65-3+deb9u1 | mips64el, mipsel fuse-modules-4.9.0-5-loongson-3-di | 4.9.80-2 | mips64el, mipsel hfs-modules-4.9.0-4-loongson-3-di | 4.9.65-3+deb9u1 | mips64el, mipsel hfs-modules-4.9.0-5-loongson-3-di | 4.9.80-2 | mips64el, mipsel input-modules-4.9.0-4-loongson-3-di | 4.9.65-3+deb9u1 | mips64el, mipsel input-modules-4.9.0-5-loongson-3-di | 4.9.80-2 | mips64el, mipsel 
isofs-modules-4.9.0-4-loongson-3-di | 4.9.65-3+deb9u1 | mips64el, mipsel isofs-modules-4.9.0-5-loongson-3-di | 4.9.80-2 | mips64el, mipsel jfs-modules-4.9.0-4-loongson-3-di | 4.9.65-3+deb9u1 | mips64el, mipsel jfs-modules-4.9.0-5-loongson-3-di | 4.9.80-2 | mips64el, mipsel kernel-image-4.9.0-4-loongson-3-di | 4.9.65-3+deb9u1 | mips64el, mipsel kernel-image-4.9.0-5-loongson-3-di | 4.9.80-2 | mips64el, mipsel linux-headers-4.9.0-4-loongson-3 | 4.9.65-3+deb9u1 | mips64el, mipsel linux-headers-4.9.0-5-loongson-3 | 4.9.80-2 | mips64el, mipsel linux-image-4.9.0-4-loongson-3 | 4.9.65-3+deb9u1 | mips64el, mipsel linux-image-4.9.0-4-loongson-3-dbg | 4.9.65-3+deb9u1 | mips64el, mipsel linux-image-4.9.0-5-loongson-3 | 4.9.80-2 | mips64el, mipsel linux-image-4.9.0-5-loongson-3-dbg | 4.9.80-2 | mips64el, mipsel loop-modules-4.9.0-4-loongson-3-di | 4.9.65-3+deb9u1 | mips64el, mipsel loop-modules-4.9.0-5-loongson-3-di | 4.9.80-2 | mips64el, mipsel md-modules-4.9.0-4-loongson-3-di | 4.9.65-3+deb9u1 | mips64el, mipsel md-modules-4.9.0-5-loongson-3-di | 4.9.80-2 | mips64el, mipsel minix-modules-4.9.0-4-loongson-3-di | 4.9.65-3+deb9u1 | mips64el, mipsel minix-modules-4.9.0-5-loongson-3-di | 4.9.80-2 | mips64el, mipsel multipath-modules-4.9.0-4-loongson-3-di | 4.9.65-3+deb9u1 | mips64el, mipsel multipath-modules-4.9.0-5-loongson-3-di | 4.9.80-2 | mips64el, mipsel nbd-modules-4.9.0-4-loongson-3-di | 4.9.65-3+deb9u1 | mips64el, mipsel nbd-modules-4.9.0-5-loongson-3-di | 4.9.80-2 | mips64el, mipsel nfs-modules-4.9.0-4-loongson-3-di | 4.9.65-3+deb9u1 | mips64el, mipsel nfs-modules-4.9.0-5-loongson-3-di | 4.9.80-2 | mips64el, mipsel nic-modules-4.9.0-4-loongson-3-di | 4.9.65-3+deb9u1 | mips64el, mipsel nic-modules-4.9.0-5-loongson-3-di | 4.9.80-2 | mips64el, mipsel nic-shared-modules-4.9.0-4-loongson-3-di | 4.9.65-3+deb9u1 | mips64el, mipsel nic-shared-modules-4.9.0-5-loongson-3-di | 4.9.80-2 | mips64el, mipsel nic-usb-modules-4.9.0-4-loongson-3-di | 4.9.65-3+deb9u1 | mips64el, mipsel 
nic-usb-modules-4.9.0-5-loongson-3-di | 4.9.80-2 | mips64el, mipsel nic-wireless-modules-4.9.0-4-loongson-3-di | 4.9.65-3+deb9u1 | mips64el, mipsel nic-wireless-modules-4.9.0-5-loongson-3-di | 4.9.80-2 | mips64el, mipsel ntfs-modules-4.9.0-4-loongson-3-di | 4.9.65-3+deb9u1 | mips64el, mipsel ntfs-modules-4.9.0-5-loongson-3-di | 4.9.80-2 | mips64el, mipsel pata-modules-4.9.0-4-loongson-3-di | 4.9.65-3+deb9u1 | mips64el, mipsel pata-modules-4.9.0-5-loongson-3-di | 4.9.80-2 | mips64el, mipsel ppp-modules-4.9.0-4-loongson-3-di | 4.9.65-3+deb9u1 | mips64el, mipsel ppp-modules-4.9.0-5-loongson-3-di | 4.9.80-2 | mips64el, mipsel sata-modules-4.9.0-4-loongson-3-di | 4.9.65-3+deb9u1 | mips64el, mipsel sata-modules-4.9.0-5-loongson-3-di | 4.9.80-2 | mips64el, mipsel scsi-core-modules-4.9.0-4-loongson-3-di | 4.9.65-3+deb9u1 | mips64el, mipsel scsi-core-modules-4.9.0-5-loongson-3-di | 4.9.80-2 | mips64el, mipsel scsi-modules-4.9.0-4-loongson-3-di | 4.9.65-3+deb9u1 | mips64el, mipsel scsi-modules-4.9.0-5-loongson-3-di | 4.9.80-2 | mips64el, mipsel sound-modules-4.9.0-4-loongson-3-di | 4.9.65-3+deb9u1 | mips64el, mipsel sound-modules-4.9.0-5-loongson-3-di | 4.9.80-2 | mips64el, mipsel speakup-modules-4.9.0-4-loongson-3-di | 4.9.65-3+deb9u1 | mips64el, mipsel speakup-modules-4.9.0-5-loongson-3-di | 4.9.80-2 | mips64el, mipsel squashfs-modules-4.9.0-4-loongson-3-di | 4.9.65-3+deb9u1 | mips64el, mipsel squashfs-modules-4.9.0-5-loongson-3-di | 4.9.80-2 | mips64el, mipsel udf-modules-4.9.0-4-loongson-3-di | 4.9.65-3+deb9u1 | mips64el, mipsel udf-modules-4.9.0-5-loongson-3-di | 4.9.80-2 | mips64el, mipsel usb-modules-4.9.0-4-loongson-3-di | 4.9.65-3+deb9u1 | mips64el, mipsel usb-modules-4.9.0-5-loongson-3-di | 4.9.80-2 | mips64el, mipsel usb-serial-modules-4.9.0-4-loongson-3-di | 4.9.65-3+deb9u1 | mips64el, mipsel usb-serial-modules-4.9.0-5-loongson-3-di | 4.9.80-2 | mips64el, mipsel usb-storage-modules-4.9.0-4-loongson-3-di | 4.9.65-3+deb9u1 | mips64el, mipsel 
usb-storage-modules-4.9.0-5-loongson-3-di | 4.9.80-2 | mips64el, mipsel virtio-modules-4.9.0-4-loongson-3-di | 4.9.65-3+deb9u1 | mips64el, mipsel virtio-modules-4.9.0-5-loongson-3-di | 4.9.80-2 | mips64el, mipsel xfs-modules-4.9.0-4-loongson-3-di | 4.9.65-3+deb9u1 | mips64el, mipsel xfs-modules-4.9.0-5-loongson-3-di | 4.9.80-2 | mips64el, mipsel zlib-modules-4.9.0-4-loongson-3-di | 4.9.65-3+deb9u1 | mips64el, mipsel zlib-modules-4.9.0-5-loongson-3-di | 4.9.80-2 | mips64el, mipsel ------------------- Reason ------------------- [auto-cruft] NBS (no longer built by linux) ---------------------------------------------- ========================================================================= ========================================================================= [Date: Sat, 10 Mar 2018 09:16:12 +0000] [ftpmaster: Mark Hymers] Removed the following packages from stable: linux-headers-4.9.0-4-all-mipsel | 4.9.65-3+deb9u1 | mipsel linux-headers-4.9.0-5-all-mipsel | 4.9.80-2 | mipsel ------------------- Reason ------------------- [auto-cruft] NBS (no longer built by linux) ---------------------------------------------- ========================================================================= ========================================================================= [Date: Sat, 10 Mar 2018 09:16:52 +0000] [ftpmaster: Mark Hymers] Removed the following packages from stable: ata-modules-4.9.0-4-powerpc64le-di | 4.9.65-3+deb9u1 | ppc64el ata-modules-4.9.0-5-powerpc64le-di | 4.9.80-2 | ppc64el btrfs-modules-4.9.0-4-powerpc64le-di | 4.9.65-3+deb9u1 | ppc64el btrfs-modules-4.9.0-5-powerpc64le-di | 4.9.80-2 | ppc64el cdrom-core-modules-4.9.0-4-powerpc64le-di | 4.9.65-3+deb9u1 | ppc64el cdrom-core-modules-4.9.0-5-powerpc64le-di | 4.9.80-2 | ppc64el crc-modules-4.9.0-4-powerpc64le-di | 4.9.65-3+deb9u1 | ppc64el crc-modules-4.9.0-5-powerpc64le-di | 4.9.80-2 | ppc64el crypto-dm-modules-4.9.0-4-powerpc64le-di | 4.9.65-3+deb9u1 | ppc64el crypto-dm-modules-4.9.0-5-powerpc64le-di | 
4.9.80-2 | ppc64el crypto-modules-4.9.0-4-powerpc64le-di | 4.9.65-3+deb9u1 | ppc64el crypto-modules-4.9.0-5-powerpc64le-di | 4.9.80-2 | ppc64el event-modules-4.9.0-4-powerpc64le-di | 4.9.65-3+deb9u1 | ppc64el event-modules-4.9.0-5-powerpc64le-di | 4.9.80-2 | ppc64el ext4-modules-4.9.0-4-powerpc64le-di | 4.9.65-3+deb9u1 | ppc64el ext4-modules-4.9.0-5-powerpc64le-di | 4.9.80-2 | ppc64el fancontrol-modules-4.9.0-4-powerpc64le-di | 4.9.65-3+deb9u1 | ppc64el fancontrol-modules-4.9.0-5-powerpc64le-di | 4.9.80-2 | ppc64el fat-modules-4.9.0-4-powerpc64le-di | 4.9.65-3+deb9u1 | ppc64el fat-modules-4.9.0-5-powerpc64le-di | 4.9.80-2 | ppc64el firewire-core-modules-4.9.0-4-powerpc64le-di | 4.9.65-3+deb9u1 | ppc64el firewire-core-modules-4.9.0-5-powerpc64le-di | 4.9.80-2 | ppc64el fuse-modules-4.9.0-4-powerpc64le-di | 4.9.65-3+deb9u1 | ppc64el fuse-modules-4.9.0-5-powerpc64le-di | 4.9.80-2 | ppc64el hypervisor-modules-4.9.0-4-powerpc64le-di | 4.9.65-3+deb9u1 | ppc64el hypervisor-modules-4.9.0-5-powerpc64le-di | 4.9.80-2 | ppc64el input-modules-4.9.0-4-powerpc64le-di | 4.9.65-3+deb9u1 | ppc64el input-modules-4.9.0-5-powerpc64le-di | 4.9.80-2 | ppc64el isofs-modules-4.9.0-4-powerpc64le-di | 4.9.65-3+deb9u1 | ppc64el isofs-modules-4.9.0-5-powerpc64le-di | 4.9.80-2 | ppc64el jfs-modules-4.9.0-4-powerpc64le-di | 4.9.65-3+deb9u1 | ppc64el jfs-modules-4.9.0-5-powerpc64le-di | 4.9.80-2 | ppc64el kernel-image-4.9.0-4-powerpc64le-di | 4.9.65-3+deb9u1 | ppc64el kernel-image-4.9.0-5-powerpc64le-di | 4.9.80-2 | ppc64el linux-headers-4.9.0-4-all-ppc64el | 4.9.65-3+deb9u1 | ppc64el linux-headers-4.9.0-4-powerpc64le | 4.9.65-3+deb9u1 | ppc64el linux-headers-4.9.0-5-all-ppc64el | 4.9.80-2 | ppc64el linux-headers-4.9.0-5-powerpc64le | 4.9.80-2 | ppc64el linux-image-4.9.0-4-powerpc64le | 4.9.65-3+deb9u1 | ppc64el linux-image-4.9.0-4-powerpc64le-dbg | 4.9.65-3+deb9u1 | ppc64el linux-image-4.9.0-5-powerpc64le | 4.9.80-2 | ppc64el linux-image-4.9.0-5-powerpc64le-dbg | 4.9.80-2 | ppc64el 
loop-modules-4.9.0-4-powerpc64le-di | 4.9.65-3+deb9u1 | ppc64el loop-modules-4.9.0-5-powerpc64le-di | 4.9.80-2 | ppc64el md-modules-4.9.0-4-powerpc64le-di | 4.9.65-3+deb9u1 | ppc64el md-modules-4.9.0-5-powerpc64le-di | 4.9.80-2 | ppc64el mouse-modules-4.9.0-4-powerpc64le-di | 4.9.65-3+deb9u1 | ppc64el mouse-modules-4.9.0-5-powerpc64le-di | 4.9.80-2 | ppc64el multipath-modules-4.9.0-4-powerpc64le-di | 4.9.65-3+deb9u1 | ppc64el multipath-modules-4.9.0-5-powerpc64le-di | 4.9.80-2 | ppc64el nbd-modules-4.9.0-4-powerpc64le-di | 4.9.65-3+deb9u1 | ppc64el nbd-modules-4.9.0-5-powerpc64le-di | 4.9.80-2 | ppc64el nic-modules-4.9.0-4-powerpc64le-di | 4.9.65-3+deb9u1 | ppc64el nic-modules-4.9.0-5-powerpc64le-di | 4.9.80-2 | ppc64el nic-shared-modules-4.9.0-4-powerpc64le-di | 4.9.65-3+deb9u1 | ppc64el nic-shared-modules-4.9.0-5-powerpc64le-di | 4.9.80-2 | ppc64el ppp-modules-4.9.0-4-powerpc64le-di | 4.9.65-3+deb9u1 | ppc64el ppp-modules-4.9.0-5-powerpc64le-di | 4.9.80-2 | ppc64el sata-modules-4.9.0-4-powerpc64le-di | 4.9.65-3+deb9u1 | ppc64el sata-modules-4.9.0-5-powerpc64le-di | 4.9.80-2 | ppc64el scsi-core-modules-4.9.0-4-powerpc64le-di | 4.9.65-3+deb9u1 | ppc64el scsi-core-modules-4.9.0-5-powerpc64le-di | 4.9.80-2 | ppc64el scsi-modules-4.9.0-4-powerpc64le-di | 4.9.65-3+deb9u1 | ppc64el scsi-modules-4.9.0-5-powerpc64le-di | 4.9.80-2 | ppc64el serial-modules-4.9.0-4-powerpc64le-di | 4.9.65-3+deb9u1 | ppc64el serial-modules-4.9.0-5-powerpc64le-di | 4.9.80-2 | ppc64el squashfs-modules-4.9.0-4-powerpc64le-di | 4.9.65-3+deb9u1 | ppc64el squashfs-modules-4.9.0-5-powerpc64le-di | 4.9.80-2 | ppc64el udf-modules-4.9.0-4-powerpc64le-di | 4.9.65-3+deb9u1 | ppc64el udf-modules-4.9.0-5-powerpc64le-di | 4.9.80-2 | ppc64el uinput-modules-4.9.0-4-powerpc64le-di | 4.9.65-3+deb9u1 | ppc64el uinput-modules-4.9.0-5-powerpc64le-di | 4.9.80-2 | ppc64el usb-modules-4.9.0-4-powerpc64le-di | 4.9.65-3+deb9u1 | ppc64el usb-modules-4.9.0-5-powerpc64le-di | 4.9.80-2 | ppc64el 
usb-serial-modules-4.9.0-4-powerpc64le-di | 4.9.65-3+deb9u1 | ppc64el usb-serial-modules-4.9.0-5-powerpc64le-di | 4.9.80-2 | ppc64el usb-storage-modules-4.9.0-4-powerpc64le-di | 4.9.65-3+deb9u1 | ppc64el usb-storage-modules-4.9.0-5-powerpc64le-di | 4.9.80-2 | ppc64el virtio-modules-4.9.0-4-powerpc64le-di | 4.9.65-3+deb9u1 | ppc64el virtio-modules-4.9.0-5-powerpc64le-di | 4.9.80-2 | ppc64el xfs-modules-4.9.0-4-powerpc64le-di | 4.9.65-3+deb9u1 | ppc64el xfs-modules-4.9.0-5-powerpc64le-di | 4.9.80-2 | ppc64el ------------------- Reason ------------------- [auto-cruft] NBS (no longer built by linux) ---------------------------------------------- ========================================================================= ========================================================================= [Date: Sat, 10 Mar 2018 09:17:18 +0000] [ftpmaster: Mark Hymers] Removed the following packages from stable: btrfs-modules-4.9.0-4-s390x-di | 4.9.65-3+deb9u1 | s390x btrfs-modules-4.9.0-5-s390x-di | 4.9.80-2 | s390x crc-modules-4.9.0-4-s390x-di | 4.9.65-3+deb9u1 | s390x crc-modules-4.9.0-5-s390x-di | 4.9.80-2 | s390x crypto-dm-modules-4.9.0-4-s390x-di | 4.9.65-3+deb9u1 | s390x crypto-dm-modules-4.9.0-5-s390x-di | 4.9.80-2 | s390x crypto-modules-4.9.0-4-s390x-di | 4.9.65-3+deb9u1 | s390x crypto-modules-4.9.0-5-s390x-di | 4.9.80-2 | s390x dasd-extra-modules-4.9.0-4-s390x-di | 4.9.65-3+deb9u1 | s390x dasd-extra-modules-4.9.0-5-s390x-di | 4.9.80-2 | s390x dasd-modules-4.9.0-4-s390x-di | 4.9.65-3+deb9u1 | s390x dasd-modules-4.9.0-5-s390x-di | 4.9.80-2 | s390x ext4-modules-4.9.0-4-s390x-di | 4.9.65-3+deb9u1 | s390x ext4-modules-4.9.0-5-s390x-di | 4.9.80-2 | s390x fat-modules-4.9.0-4-s390x-di | 4.9.65-3+deb9u1 | s390x fat-modules-4.9.0-5-s390x-di | 4.9.80-2 | s390x fuse-modules-4.9.0-4-s390x-di | 4.9.65-3+deb9u1 | s390x fuse-modules-4.9.0-5-s390x-di | 4.9.80-2 | s390x isofs-modules-4.9.0-4-s390x-di | 4.9.65-3+deb9u1 | s390x isofs-modules-4.9.0-5-s390x-di | 4.9.80-2 | s390x 
kernel-image-4.9.0-4-s390x-di | 4.9.65-3+deb9u1 | s390x kernel-image-4.9.0-5-s390x-di | 4.9.80-2 | s390x linux-headers-4.9.0-4-all-s390x | 4.9.65-3+deb9u1 | s390x linux-headers-4.9.0-4-s390x | 4.9.65-3+deb9u1 | s390x linux-headers-4.9.0-5-all-s390x | 4.9.80-2 | s390x linux-headers-4.9.0-5-s390x | 4.9.80-2 | s390x linux-image-4.9.0-4-s390x | 4.9.65-3+deb9u1 | s390x linux-image-4.9.0-4-s390x-dbg | 4.9.65-3+deb9u1 | s390x linux-image-4.9.0-5-s390x | 4.9.80-2 | s390x linux-image-4.9.0-5-s390x-dbg | 4.9.80-2 | s390x loop-modules-4.9.0-4-s390x-di | 4.9.65-3+deb9u1 | s390x loop-modules-4.9.0-5-s390x-di | 4.9.80-2 | s390x md-modules-4.9.0-4-s390x-di | 4.9.65-3+deb9u1 | s390x md-modules-4.9.0-5-s390x-di | 4.9.80-2 | s390x multipath-modules-4.9.0-4-s390x-di | 4.9.65-3+deb9u1 | s390x multipath-modules-4.9.0-5-s390x-di | 4.9.80-2 | s390x nbd-modules-4.9.0-4-s390x-di | 4.9.65-3+deb9u1 | s390x nbd-modules-4.9.0-5-s390x-di | 4.9.80-2 | s390x nic-modules-4.9.0-4-s390x-di | 4.9.65-3+deb9u1 | s390x nic-modules-4.9.0-5-s390x-di | 4.9.80-2 | s390x scsi-core-modules-4.9.0-4-s390x-di | 4.9.65-3+deb9u1 | s390x scsi-core-modules-4.9.0-5-s390x-di | 4.9.80-2 | s390x scsi-modules-4.9.0-4-s390x-di | 4.9.65-3+deb9u1 | s390x scsi-modules-4.9.0-5-s390x-di | 4.9.80-2 | s390x udf-modules-4.9.0-4-s390x-di | 4.9.65-3+deb9u1 | s390x udf-modules-4.9.0-5-s390x-di | 4.9.80-2 | s390x virtio-modules-4.9.0-4-s390x-di | 4.9.65-3+deb9u1 | s390x virtio-modules-4.9.0-5-s390x-di | 4.9.80-2 | s390x xfs-modules-4.9.0-4-s390x-di | 4.9.65-3+deb9u1 | s390x xfs-modules-4.9.0-5-s390x-di | 4.9.80-2 | s390x zlib-modules-4.9.0-4-s390x-di | 4.9.65-3+deb9u1 | s390x zlib-modules-4.9.0-5-s390x-di | 4.9.80-2 | s390x ------------------- Reason ------------------- [auto-cruft] NBS (no longer built by linux) ---------------------------------------------- ========================================================================= ========================================================================= [Date: Sat, 10 Mar 2018 
09:25:38 +0000] [ftpmaster: Mark Hymers] Removed the following packages from stable: linux-headers-4.9.0-4-common | 4.9.65-3+deb9u1 | all ------------------- Reason ------------------- [auto-cruft] no longer built from source ---------------------------------------------- ========================================================================= ========================================================================= [Date: Sat, 10 Mar 2018 09:25:56 +0000] [ftpmaster: Mark Hymers] Removed the following packages from stable: linux-headers-4.9.0-4-common-rt | 4.9.65-3+deb9u1 | all ------------------- Reason ------------------- [auto-cruft] no longer built from source ---------------------------------------------- ========================================================================= ========================================================================= [Date: Sat, 10 Mar 2018 09:26:10 +0000] [ftpmaster: Mark Hymers] Removed the following packages from stable: linux-headers-4.9.0-5-common | 4.9.80-2 | all ------------------- Reason ------------------- [auto-cruft] no longer built from source ---------------------------------------------- ========================================================================= ========================================================================= [Date: Sat, 10 Mar 2018 09:26:25 +0000] [ftpmaster: Mark Hymers] Removed the following packages from stable: linux-headers-4.9.0-5-common-rt | 4.9.80-2 | all ------------------- Reason ------------------- [auto-cruft] no longer built from source ---------------------------------------------- ========================================================================= ========================================================================= [Date: Sat, 10 Mar 2018 09:26:47 +0000] [ftpmaster: Mark Hymers] Removed the following packages from stable: linux-support-4.9.0-4 | 4.9.65-3+deb9u1 | all ------------------- Reason ------------------- [auto-cruft] no longer built from source 
---------------------------------------------- ========================================================================= ========================================================================= [Date: Sat, 10 Mar 2018 09:27:03 +0000] [ftpmaster: Mark Hymers] Removed the following packages from stable: linux-support-4.9.0-5 | 4.9.80-2 | all ------------------- Reason ------------------- [auto-cruft] no longer built from source ---------------------------------------------- ========================================================================= acme-tiny (20160801-3+deb9u1) stretch; urgency=medium . * Fix outdated version of the subscriber agreement (Closes: #882693) activity-log-manager (0.8.0-1.2~deb9u1) stretch; urgency=medium . * Non-maintainer upload. * Rebuild for stretch. . activity-log-manager (0.8.0-1.2) unstable; urgency=medium . * Non-maintainer upload. * Add dependency against python-zeitgeist (Closes: #881438) agenda.app (0.42.2-1+deb9u1) stretch; urgency=medium . * debian/patches/fix-editors-exception.patch: New, fixes creation of tasks and appointments (Closes: #884098). * debian/patches/series: New file. apparmor (2.11.0-3+deb9u2) stretch; urgency=medium . * Move the features file to /usr/share/apparmor-features; accordingly remove the old (now obsolete) '/etc/apparmor/features' conffile (Closes: #883682). * Configure gbp for DEP-14 and avoid gbp-pq prefixing patches with numbers. apparmor (2.11.0-3+deb9u1) stretch; urgency=medium . * Pin the AppArmor feature set to Stretch's kernel (Closes: #879585). This ensures Stretch systems, even when running a newer kernel (e.g. from backports), have their AppArmor feature set pinned to the one supported by the AppArmor policy shipped in Stretch. Otherwise they would experience breakage due to new AppArmor mediation features introduced in recent kernels. asterisk (1:13.14.1~dfsg-2+deb9u3) stretch-security; urgency=medium . [ Tzafrir Cohen ] * AST-2017-009: ignored for the record. 
* AST-2017-010 / CVE-2017-16671: Buffer overflow in CDRs (call logs) (Closes: #881257) * AST-2017-011 / CVE-2017-16672: Memory/File Descriptor/RTP leak in pjsip session resource (Closes: #881256) * AST-2017-012 / CVE-2017-17664: Remote Crash Vulnerability in RTCP Stack (Closes: #884345) * AST-2017-013 / CVE-2017-17090: DoS (memory leak) in chan_skinny (Closes: #883342) * ASTERISK-26606.patch: fix openssl error reporting (Closes: #883767) * debian/.gitignore: typo * gbp.conf: set branch name . [ Bernhard Schmidt ] * Drop duplicate filter line from d/gbp.conf auto-apt-proxy (2+deb9u1) stretch; urgency=medium . * Move apt configuration away on removal, and put it back on reinstalls (Closes: #881751) awstats (7.6+dfsg-1+deb9u1) stretch-security; urgency=high . * Non-maintainer upload by the Security Team. * Fix traversal flaw in the handling of the "config" and "migrate" parameters (CVE-2017-1000501) (Closes: #885835) bareos (16.2.4-3+deb9u2) stretch; urgency=medium . * Fix backups failing with "No Volume name given". (Closes: #889040) - Backport upstream commit: Don't return empty volname if volume is on unwanted vols list. base-files (9.9+deb9u4) stretch; urgency=medium . * Change /etc/debian_version to 9.4, for Debian 9.4 point release. bind9 (1:9.10.3.dfsg.P4-12.3+deb9u4) stretch-security; urgency=high . * Non-maintainer upload by the Security Team. * Addresses could be referenced after being freed in resolver.c, causing an assertion failure. (CVE-2017-3145) bouncycastle (1.56-1+deb9u1) stretch-security; urgency=medium . * CVE-2017-13098 cappuccino (0.5.1-6+deb9u1) stretch; urgency=medium . [ Andreas Beckmann ] * Non-maintainer upload. * Backport fix from 0.5.1-7 to stretch. . [ Breno Leitao ] * Adding gir1.2-gtk-3.0 as a dependency. Closes: #879848 cerealizer (0.8.1-1+deb9u1) stretch; urgency=medium . [ Andreas Beckmann ] * Non-maintainer upload. * Backport fix from 0.8.1-2 to stretch. . [ Vincent Bernat ] * Fix python3-cerealizer Depends field. Closes: #867396. 
clamav (0.99.4+dfsg-1+deb9u1) stretch; urgency=medium . * Update to upstream 0.99.4: Fixes for CVE: CVE-2018-1000085, CVE-2018-0202. * Update the gpg signing key (the old DSA expired). * Update version of private symbols due to version change. * Bump symbol version of cl_retflevel because CL_FLEVEL changed. clamav (0.99.4+dfsg-1+deb8u1) jessie; urgency=medium . * Update to upstream 0.99.4: Fixes for CVE: CVE-2018-1000085, CVE-2018-0202. * Update the gpg signing key (the old DSA expired). * Update version of private symbols due to version change. * Bump symbol version of cl_retflevel because CL_FLEVEL changed. clamav (0.99.3~snapshot20170704+dfsg-1) experimental; urgency=medium . * Update to upstream snapshot (commit 144ef69462427b63a650294257c892b047601aac): - add config options - boost symbol file - drop applied patches: - Allow-M-suffix-for-PCREMaxFileSize.patch - bb11549-fix-temp-file-cleanup-issue.patch - clamav_add_private_fts_implementation.patch - drop-AllowSupplementaryGroups-option-and-make-it-def.patch - fix-ssize_t-size_t-off_t-printf-modifier.patch - libclamav-use-libmspack.patch - make_it_compile_against_openssl_1_1_0.patch - add new ones: - fts-no-use-AC_TRY_RUN.patch - clamsubmit-add-JSON-libs-to-clamsubmit.patch clamav (0.99.3~beta2+dfsg-1) unstable; urgency=medium . * Update upstream's signing gpg key * Update to beta2: - freshclam does not complain that clamav is outdated (Closes: #873401). clamav (0.99.3~beta1+dfsg-4) unstable; urgency=medium . * Ignore errors from update-rc.d in freshclam postinst (Closes: #882323). * Drop dh-systemd & autoreconf from B-D. clamav (0.99.3~beta1+dfsg-3) unstable; urgency=medium . * Drop "demime = *" from Debian.README for clamav, this option is gone from exim (Closes: #881634). * Use "ucf" instead of "ucp" in clamav-milter's postinst. * Disable LLVM support due to 3.8 removal (Closes: #873401). 
* Disable the freshclam service if changed to `manual' mode so it does start again after system reboot with systemd (Closes: #881780). * Bump standards version to 4.1.1 without further change. * Allow to build as non root user. * Update dh compat level 10 clamav (0.99.3~beta1+dfsg-2) unstable; urgency=medium . * Build again against system's libmspack (dropped by accident) (Closes: #872594). * Don't replace config file with sample config after debconf gets disabled (in milter and daemon (Closes: #870253). * Update standards to 4.0.1 - use invoke-rc.d instead of /etc/init.d. - drop priority extra from clamav-milter. * Add bytecode.c(l|v)d to log clamav-freshclam.logcheck.ignore.server. Patch by Václav Ovsík (Closes: #868766). clamav (0.99.3~beta1+dfsg-1) unstable; urgency=medium . * Upload to unstable * update to official beta1 release: - drop fts-no-use-AC_TRY_RUN.patch, applied upstream. clamav (0.99.2+dfsg-6+deb9u1) stretch; urgency=medium . * Apply security patches from 0.99.3 (Closes: #888484): - fixes for the following CVE's: CVE-2017-6418, CVE-2017-6420, CVE-2017-12374, CVE-2017-12375, CVE-2017-12376, CVE-2017-12377, CVE-2017-12378, CVE-2017-12379, CVE-2017-12380. * Bump symbol version of cl_retflevel because CL_FLEVEL changed. cron (3.0pl1-128+deb9u1) stretch; urgency=medium . * Non-maintainer upload. * Properly transition system jobs to system_cronjob_t SELinux context and stop relying on refpolicy specific identifiers (Closes: #857662) cups (2.2.1-8+deb9u1) stretch; urgency=low . * CVE-2017-18190: Prevent an issue where remote attackers could execute arbitrary IPP commands by sending POST requests to the CUPS daemon in conjunction with DNS rebinding. This was caused by a whitelisted "localhost.localdomain" entry. curl (7.52.1-5+deb9u4) stretch-security; urgency=high . 
* Fix HTTP/2 trailer out-of-bounds read as per CVE-2018-1000005 https://curl.haxx.se/docs/adv_2018-824a.html * Fix HTTP authentication leak in redirects as per CVE-2018-1000007 https://curl.haxx.se/docs/adv_2018-b3bf.html dbus (1.10.26-0+deb9u1) stretch; urgency=medium . * New upstream stable release - bus/bus.c: Raise file descriptor limit sooner, while we still can (before we drop privileges), fixing a regression in 1.10.18 which negated a previous fix for local denial of service via resource exhaustion - test/*, build system: Add a regression test for the above * d/tests/root: Re-run test-dbus-daemon as root, since it now contains tests that are skipped as non-root * d/tests/root: Allow stderr output, because test-dbus-daemon emits some (and it is not a problem) debian-edu-config (1.929+deb9u1) stretch; urgency=medium . [ Wolfgang Schweer ] * Rewrite wpad-extract tool to be independent from KDE related files. (Closes: #888829). * Adjust Samba configuration. Allow joining of Windows 10 clients to the Samba NT4-style domain. (Closes: #864663). . [ Mike Gabriel ] * debian/control: Drop libproxy-tools, add libpacparser1. (as part of fixing #888829). * Chromium: Pre-configure Chromium Webbrowser system-wide to auto-detect the http proxy settings via WPAD (plus locking the proxy settings dialog for users). (Closes: #891262). debian-installer (20170615+deb9u3) stretch; urgency=medium . * Bump Linux kernel version from 4.9.0-4 to 4.9.0-6. debian-installer-netboot-images (20170615+deb9u3) stretch; urgency=medium . * Update to 20170615+deb9u3 images, from stretch-proposed-updates * Fix Vcs-Browser field. directfb (1.2.10.0-8+deb9u1) stretch; urgency=medium . * debian/libdirectfb-1.2-9.install: Fix architecture-based filter to actually install drivers. (Closes: #878324) django-anymail (0.8-2+deb9u1) stretch-security; urgency=high . 
* Security fix for timing attack on WEBHOOK_AUTHORIZATION secret (CVE-2018-6596) as described in https://github.com/anymail/django-anymail/releases/tag/v1.2.1 (Closes: #889450) dovecot (1:2.2.27-3+deb9u2) stretch-security; urgency=high . * [794e743] Fix CVE-2017-14461: rfc822_parse_domain information leak vulnerability (Closes: #891819) * [530ca6d] Fix CVE-2017-15130: TLS SNI config lookups are inefficient and can be used for DoS (Closes: #891820) + Use dh-autoreconf, as src/Makefile.in needs to be regenerated. Also disable dovecot_name.patch, since it changes dovecot's banner in conjunction with dh_autoreconf. * [68c2156] Fix CVE-2017-15132: memory leak on aborted SASL auth (Closes: #888432) dovecot (1:2.2.27-3+deb9u2~bpo8+1) jessie-backports; urgency=medium . * Rebuild for jessie-backports. . dovecot (1:2.2.27-3+deb9u2) stretch-security; urgency=high . * [794e743] Fix CVE-2017-14461: rfc822_parse_domain information leak vulnerability (Closes: #891819) * [530ca6d] Fix CVE-2017-15130: TLS SNI config lookups are inefficient and can be used for DoS (Closes: #891820) + Use dh-autoreconf, as src/Makefile.in needs to be regenerated. Also disable dovecot_name.patch, since it changes dovecot's banner in conjunction with dh_autoreconf. * [68c2156] Fix CVE-2017-15132: memory leak on aborted SASL auth (Closes: #888432) . dovecot (1:2.2.27-3+deb9u1) stretch; urgency=medium . * [8b8226f] Fix fts-solr: escape {} chars when sending queries (Closes: #865945) * [a97cdab] Add basic usage DEP-8 tests, performing end-to-end testing using LDA, IMAP and POP3. dpdk (16.11.4-1+deb9u1) stretch; urgency=medium . 
[ Luca Boccassi ] * Merge stable update to 16.11.4; For a list of changes see http://dpdk.org/ml/archives/announce/2017-December/000163.html * Merge stable update to 16.11.3; For a list of changes see http://dpdk.org/ml/archives/announce/2017-August/000143.html * Merge stable update to 16.11.2; For a list of changes see http://dpdk.org/ml/archives/announce/2017-May/000131.html * Merge stable update to 16.11.1; For a list of changes see http://dpdk.org/ml/archives/dev/2017-March/058930.html * Use HTTPS in debian/copyright and debian/control * Switch to @debian.org email address. . [ Christian Ehrhardt ] * d/p/dpdk-dev-v3-eal-sPAPR-IOMMU-support-in-pci-probing-for-vfio-pci-in-ppc64le.patch: sPAPR IOMMU based pci probing enabled for vfio-pci devices. * d/p/fix-vhost-user-socket-permission.patch: updated to work with newer openvswitch versions * d/p/igb_uio-switch-to-new-irq-function-for-MSI-X.patch: fix dkms issue in kernel 4.12 (LP: #1700768) * ensure man pages are bundled with executables on all architectures * dpdk.conf: add info about unwanted effects of multiple hugepage mountpoints . [ Charles (Chas) Williams ] * Fix upstream documentation links in d/control. dpdk (16.11.4-1) unstable; urgency=medium . * Merge stable update to 16.11.4; For a list of changes see http://dpdk.org/ml/archives/announce/2017-December/000163.html * Drop kni-fix-ethtool-build-with-kernel-4.11.patch, merged upstream. dpdk (16.11.4-1~bpo9+1) stretch-backports; urgency=medium . * Rebuild for stretch-backports. dpdk (16.11.3-1) unstable; urgency=medium . [ Luca Boccassi ] * Merge stable update to 16.11.3; For a list of changes see http://dpdk.org/ml/archives/announce/2017-August/000143.html * Fix reproducibility of librte-eal linuxapp. * Mark build-dependencies needed for documentation builds with the build-profile to fully implement support for it. * Bump Standards-Version to 4.1.0. Relevant changes are nodoc support and build reproducibility. * Switch to debian.org email address. 
* Build-Depend on debhelper (>= 9.20160709) rather than dh-systemd as latter is deprecated. Fixes Lintian Error: build-depends-on-obsolete-package * Fix upstream version parsing in d/rules to account for -rcX. * Build-Depend on debhelper (>= 9.20160709) | dh-systemd to keep compatibility with Ubuntu 16.04, which does not yet have that of debhelper. * Revert: d/rules: use new dh option names - Ubuntu 16.04 does not have a debhelper that supports the new option, so use the old ones for now. * Correctly parse upstream version when using ~rc instead of -rc. * Bump Standards-Version to 4.1.1, no changes. . [ Christian Ehrhardt ] * d/rules: use new dh option names * d/rules: properly enable dpdk systemd service * d/t/control: fix test dependencies for s390x. dpdk (16.11.3-1~bpo9+1) stretch-backports; urgency=low . * Rebuild for stretch-backports dpdk (16.11.2-4) unstable; urgency=medium . [ Christian Ehrhardt ] * d/p/igb_uio-switch-to-new-irq-function-for-MSI-X.patch: fix dkms issue in kernel 4.12 (LP: #1700768) . [ Luca Boccassi ] * Add patches to make the documentation and linker script builds fully reproducible. * Add patches to make the libraries and PMDs builds fully reproducible, by making the listing order of headers, source files and objects in the makefiles stable (via sorting). dpdk (16.11.2-3) unstable; urgency=medium . * Upload to unstable. dpdk (16.11.2-2) experimental; urgency=medium . * Restore fixes by Santiago RR for typos in debian/control, accidentally dropped in 16.11.2-1. dpdk (16.11.2-1) experimental; urgency=medium . 
[ Christian Ehrhardt ] * Merge stable update to 16.11.2; For a list of changes see http://dpdk.org/ml/archives/announce/2017-May/000131.html * Dropped changes - patches that were included in 16.11.2 stable: - d/p/kni-fix-build-with-kernel-4.11.patch - d/p/nicvf-0002-net-thunderx-fix-32-bit-build.patch - d/p/nicvf-0006-mk-fix-lib-filtering-when-linking-app.patch - d/p/nicvf-0008-net-thunderx-fix-stats-access-out-of-bounds.patch - d/p/nicvf-0010-net-thunderx-fix-deadlock-in-Rx-path.patch . [ Luca Boccassi ] * Optionally generate libdpdk-dbgsym metapackage that depends on every librte/PMD binary package's dbgsym. Keep it disabled by default, and let users choose to enable it by passing dbgsym_meta via DEB_BUILD_OPTIONS. Thanks Jan Blunck for the patch! * Generate dependency list of libdpdk-dev to all librte and PMDs packages dynamically at build time. * Generate list of recommends for dpdk dynamically at build time. * dpdk-modules-$KVERS: depend on same kernel version used to build rather than just recommend - in-kernel API/ABI is not stable. * Support for building packages for the new mempool framework has been added. In 17.05 and newer a mempool framework was added, that has to be loaded like a PMD. So any "plugin" will be linked in RTE_EAL_PMD_PATH just like the PMDs. No mempool plugins are built for now, so it is currently a no-op. * Drop libethdev4, librte-cryptodev1 and librte-eal2 transitional packages, no longer needed. * Fix some upstream documentation links in the packages metadata. Thanks Chas Williams! * Fix building debugging symbols for -dbgsym packages. Thanks Chas Williams! dpdk (16.11.1-2) experimental; urgency=medium . 
[ Christian Ehrhardt ] * Merge stable update to 16.11.1; For a list of changes see http://dpdk.org/ml/archives/dev/2017-March/058930.html * dpdk.conf: add info about unwanted effects of multiple hugepage mountpoints * d/p/dpdk-dev-v3-eal-sPAPR-IOMMU-support-in-pci-probing-for-vfio-pci-in-ppc64le.patch: sPAPR IOMMU based pci probing enabled for vfio-pci devices. * enable librte-pmd-i40e1 for ppc64el - debian/control: enable arch on package - d/p/dpdk-dev-v4-i40e-implement-vector-PMD-for-altivec.patch: add i40e PMD / vector PMD implementation and enable by default on ppc64el * fix library availability/dependency - librte-kni is built on ppc64el, fix dependency from libdpdk-dev - librte-pmd-fm10k1 is not built on ppc64el (empty pkg atm) adapt arch - librte-pmd-i40e is built on all architectures now * Fix up thunderx to make arm support useful on more devices (LP: #1691659) - d/p/nicvf-00[01-10]* backports of 17.02/17.05 fixes for thunderx - d/control: dependencies and package for librte-pmd-thunderx-nicvf - d/librte-pmd-thunderx-nicvf1.symbols: tracking library symbols * fix dpdk-rte-kni dkms issues with kernel 4.11 (LP: #1691830) - d/p/kni-fix-build-with-kernel-4.11.patch: fix pci_enable_msix usage - d/p/kni-fix-ethtool-build-with-kernel-4.11.patch: Use new signal header * ensure man pages are bundled with executables on all architectures * d/p/fix-vhost-user-socket-permission.patch: updated to work with newer openvswitch versions . [ Luca Boccassi ] * Simplify debian/rules by using upstream's install target and Debian's multiarch dir. Thanks Jan Blunck! * Clarify that only the kni and igb_uio kernel modules are distributed exclusively under the GPL2 in debian/copyright * Add new DEB_BUILD_OPTIONS "nodocs" to allow users to avoid building the DPDK documentation * Add new DEB_BUILD_OPTIONS "nostatic" to allow users to avoid building the DPDK static libraries drupal7 (7.52-2+deb9u2) stretch-security; urgency=high . 
* Added missing DEP5 header to SA-CORE-2017-003 patch * Uncruft: Remove an unused .dpatch file still from the drupal6 era(!) * Fixes multiple security vulnerabilities, grouped under Drupal's SA-CORE-2018-001 (CVEs yet unassigned): - External link injection on 404 pages when linking to the current page (Closes: #891154) - jQuery vulnerability with untrusted domains (Closes: #891153) - Private file access bypass (Closes: #891152) - JavaScript cross-site scripting prevention is incomplete (Closes: #891150) enigmail (2:1.9.9-1~deb9u1) stretch-security; urgency=high . * Rebuild for stretch-security . enigmail (2:1.9.9-1) unstable; urgency=medium . * new upstream release * Standards-Version: bump to 4.1.2 (no changes needed) * drop patch already upstreamed * debian/changelog: drop trailing whitespace . enigmail (2:1.9.8.3-1) unstable; urgency=medium . * New upstream release * Standards-Version: bump to 4.1.1 (no changes needed) . enigmail (2:1.9.8.2-2) unstable; urgency=medium . * fix memoryhole protected header force-display part . enigmail (2:1.9.8.2-1) unstable; urgency=medium . * New upstream bugfix release * refresh patches * clean up debian/copyright * clean up licensing in About dialog box (from upstream) * Standards-Version: bump to 4.1.0 (no changes needed) . enigmail (2:1.9.8.1-1) unstable; urgency=medium . * new upstream release enigmail (2:1.9.8.3-1) unstable; urgency=medium . * New upstream release * Standards-Version: bump to 4.1.1 (no changes needed) enigmail (2:1.9.8.2-2) unstable; urgency=medium . * fix memoryhole protected header force-display part enigmail (2:1.9.8.2-1) unstable; urgency=medium . * New upstream bugfix release * refresh patches * clean up debian/copyright * clean up licensing in About dialog box (from upstream) * Standards-Version: bump to 4.1.0 (no changes needed) enigmail (2:1.9.8.1-1) unstable; urgency=medium . * new upstream release erlang (1:19.2.1+dfsg-2+deb9u1) stretch-security; urgency=high . 
* Applied a patch from the upstream which fixes CVE-2017-1000385 vulnerability (TLS server vulnerable to Adaptive Chosen Ciphertext attack allowing plaintext recovery or MITM attack). erlang (1:19.2.1+dfsg-2+deb9u1~bpo8+1) jessie-backports; urgency=medium . * Backport for jessie. * Replaced libssl1.0-dev by libssl-dev for backport. espeakup (1:0.80-5+deb9u1) stretch; urgency=medium . * debian/espeakup-udeb.start: Fix case where card 0 does not have an id or where cards have non-contiguous indexes. Also make sure we load the english language by default. * debian/espeakup-udeb.finish-install: Use card id in installed system to avoid issues with card detection ordering. exam (0.10.5-1+deb9u1) stretch; urgency=medium . [ Andreas Beckmann ] * Non-maintainer upload. * Backport fixes from 0.10.5-2 to stretch. . [ Scott Kitterman ] * Correct Vcs-* fields in debian/control to point to the correct package name * Use correct substitution variable for python3-exam so python3 interpreter depends are correctly generated (Closes: #867404) * Let dh_python determine the mock depends (corrects issue where python-exam incorrectly depended on python-mock instead of python3-mock) exim4 (4.89-2+deb9u3) stretch-security; urgency=high . * Non-maintainer upload by the Security Team. * Fix base64d() buffer size (CVE-2018-6789) (Closes: #890000) exim4 (4.89-2+deb9u3~bpo8+1) jessie-backports; urgency=medium . * Rebuild for jessie-backports. * b-d on libmysqlclient-dev | libmysqlclient15-dev instead of default-libmysqlclient-dev. . exim4 (4.89-2+deb9u3) stretch-security; urgency=high . * Non-maintainer upload by the Security Team. * Fix base64d() buffer size (CVE-2018-6789) (Closes: #890000) . exim4 (4.89-2+deb9u2) stretch-security; urgency=high . * Non-maintainer upload by the Security Team. 
* Avoid release of store if there have been later allocations (CVE-2017-16943) (Closes: #882648) * Chunking: do not treat the first lonely dot special (CVE-2017-16944) (Closes: #882671) ffmpeg (7:3.2.10-1~deb9u1) stretch-security; urgency=medium . * New upstream release. - avcodec/x86/mpegvideodsp: Fix signedness bug in need_emu. (CVE-2017-17081) - avformat/libssh: check the user provided a password before trying to use it. (Closes: #886912) * debian/patches: - Drop CVE-2017-16840 patch - applied upstream. ffmpeg (7:3.2.10-1~deb9u1~bpo8+1) jessie-backports; urgency=medium . * Rebuild for jessie-backports. * Merge jessie specific changes: - Build-depend on yasm to work around nasm issues in jessie. - Disable building with libebur128 because jessie's version breaks the build. - Build-depend on libchromaprint-dev from jessie-backports. - Disable OCR with Tesseract because it is missing the pkg-config file on jessie. - Omit -fstack-protector-strong from used CFLAGS, FFmpeg already sets -fstack-protector-all. - Use GCC 4.8 on i386 instead of disabling PIE. - Revert switch from libmodplug to libopenmpt because libopenmpt is not available in jessie-backports yet. . ffmpeg (7:3.2.10-1~deb9u1) stretch-security; urgency=medium . * New upstream release. - avcodec/x86/mpegvideodsp: Fix signedness bug in need_emu. (CVE-2017-17081) - avformat/libssh: check the user provided a password before trying to use it. (Closes: #886912) * debian/patches: - Drop CVE-2017-16840 patch - applied upstream. . ffmpeg (7:3.2.9-1~deb9u1) stretch-security; urgency=medium . * New upstream release. - avcodec/x86/lossless_videoencdsp: Fix out of array access. (CVE-2017-15186) - avcodec/ffv1dec: Fix out of array read in slice counting. (CVE-2017-15672) * debian/patches: avcodec/vc2enc_dwt: Fix out of bounds read. (CVE-2017-16840) . ffmpeg (7:3.2.8-1~deb9u1) stretch-security; urgency=high . * New upstream release. - avformat/rmdec: Fix DoS due to lack of eof check. 
(CVE-2017-14054) - avformat/mvdec: Fix DoS due to lack of eof check. (CVE-2017-14055) - avformat/rl2: Fix DoS due to lack of eof check. (CVE-2017-14056) - avformat/asfdec: Fix DoS due to lack of eof check. (CVE-2017-14057) - avformat/hls: Fix DoS due to infinite loop. (CVE-2017-14058) - avformat/cinedec: Fix DoS due to lack of eof check. (CVE-2017-14059) - avformat/mxfdec: Fix Sign error. (CVE-2017-14169) - avformat/mxfdec: Fix DoS issues. (CVE-2017-14170) - avformat/nsvdec: Fix DoS due to lack of eof check. (CVE-2017-14171) - avformat/mov: Fix DoS. (CVE-2017-14222) - avformat/asfdec: Fix DoS. (CVE-2017-14223) - ffprobe: Fix null pointer dereference with color primaries. (CVE-2017-14225) - avformat/rtpdec_h264: Fix heap-buffer-overflow. (CVE-2017-14767) . ffmpeg (7:3.2.7-1~deb9u1) stretch-security; urgency=high . * New upstream release. - apadec: Fix integer overflow. (CVE-2016-11399) - rtmppkt: Fix out-of-bound access. (CVE-2017-11665) - dnxhddec: Fix out-of-bound access. (CVE-2017-11719) - dnxhd_parser: Fix NULL pointer access. (CVE-2017-9608) - hls, avidec: Check file extensions. (CVE-2017-9993) firefox-esr (52.6.0esr-1~deb9u1) stretch-security; urgency=medium . * New upstream release. * Fixes for mfsa2018-03, also known as CVE-2018-5091, CVE-2018-5095, CVE-2018-5096, CVE-2018-5097, CVE-2018-5098, CVE-2018-5099, CVE-2018-5102, CVE-2018-5103, CVE-2018-5104, CVE-2018-5117, CVE-2018-5089. . firefox-esr (52.5.2esr-1~deb9u1) stretch-security; urgency=medium . * New upstream release. * Fixes for mfsa2017-28, also known as CVE-2017-7843. firefox-esr (52.6.0esr-1~deb8u1) jessie-security; urgency=medium . * New upstream release. * Fixes for mfsa2018-03, also known as CVE-2018-5091, CVE-2018-5095, CVE-2018-5096, CVE-2018-5097, CVE-2018-5098, CVE-2018-5099, CVE-2018-5102, CVE-2018-5103, CVE-2018-5104, CVE-2018-5117, CVE-2018-5089. . firefox-esr (52.5.2esr-1~deb8u1) jessie-security; urgency=medium . * New upstream release. 
* Fixes for mfsa2017-28, also known as CVE-2017-7843. firefox-esr (52.5.3esr-1) unstable; urgency=medium . * New upstream release. firefox-esr (52.5.2esr-1) unstable; urgency=medium . * New upstream release. * Fixes for mfsa2017-28, also known as CVE-2017-7843. firefox-esr (52.5.2esr-1~deb9u1) stretch-security; urgency=medium . * New upstream release. * Fixes for mfsa2017-28, also known as CVE-2017-7843. . firefox-esr (52.5.0esr-1~deb9u1) stretch-security; urgency=medium . * New upstream release. * Fixes for mfsa2017-25, also known as: CVE-2017-7828, CVE-2017-7830, CVE-2017-7826. . * debian/source/lintian-overrides: Add a lintian override for dotzlib.chm. * debian/import-tar.py: Make python 3.6 happy. firefox-esr (52.5.2esr-1~deb8u1) jessie-security; urgency=medium . * New upstream release. * Fixes for mfsa2017-28, also known as CVE-2017-7843. . firefox-esr (52.5.0esr-1~deb8u1) jessie-security; urgency=medium . * New upstream release. * Fixes for mfsa2017-25, also known as: CVE-2017-7828, CVE-2017-7830, CVE-2017-7826. . * debian/source/lintian-overrides: Add a lintian override for dotzlib.chm. * debian/import-tar.py: Make python 3.6 happy. firefox-esr (52.5.0esr-1) unstable; urgency=medium . * New upstream release. * Fixes for mfsa2017-25, also known as: CVE-2017-7828, CVE-2017-7830, CVE-2017-7826. . * debian/import-tar.py: Make python 3.6 happy. flatpak (0.8.9-0+deb9u1) stretch; urgency=medium . 
* New upstream release backporting the following fixes from 0.10.x: - common/flatpak-run.c: Ignore unrecognised permission strings instead of failing, for forwards compatibility - dbus-proxy/flatpak-proxy.c: Fix a D-Bus filtering bypass in flatpak-dbus-proxy (Closes: #888842) - profile/flatpak.sh.in: Simplify and improve profile.d snippet (already done in Debian since 0.8.4-1, no practical effect) * Drop our patch to profile/flatpak.sh.in, no longer necessary * debian/control: Update Vcs-* metadata for salsa.d.o migration flatpak (0.8.9-0+deb9u1~bpo8+1) jessie-backports; urgency=medium . * Rebuild for jessie-backports. - debian/gbp.conf: adjust for this branch - debian/control: (build-)depend on libgtk-3-bin, not gtk-update-icon-cache - d/p/debian/Try-gtk-3.0-version-of-the-icon-cache-utility-first.patch: try to use gtk-update-icon-cache-3.0 before gtk-update-icon-cache - d/p/backport/*.patch, d/control: Relax GLib dependency to 2.42 . flatpak (0.8.9-0+deb9u1) stretch; urgency=medium . * New upstream release backporting the following fixes from 0.10.x: - common/flatpak-run.c: Ignore unrecognised permission strings instead of failing, for forwards compatibility - dbus-proxy/flatpak-proxy.c: Fix a D-Bus filtering bypass in flatpak-dbus-proxy (Closes: #888842) - profile/flatpak.sh.in: Simplify and improve profile.d snippet (already done in Debian since 0.8.4-1, no practical effect) * Drop our patch to profile/flatpak.sh.in, no longer necessary * debian/control: Update Vcs-* metadata for salsa.d.o migration . flatpak (0.8.8-0+deb9u1~bpo8+1) jessie-backports; urgency=medium . * Rebuild for jessie-backports. - debian/gbp.conf: adjust for this branch - debian/control: (build-)depend on libgtk-3-bin, not gtk-update-icon-cache - d/p/debian/Try-gtk-3.0-version-of-the-icon-cache-utility-first.patch: try to use gtk-update-icon-cache-3.0 before gtk-update-icon-cache - d/p/backport/*.patch, d/control: Relax GLib dependency to 2.42 . 
flatpak (0.8.8-0+deb9u1) stretch; urgency=medium . * d/watch: Watch for new 0.8.x versions * New upstream release from 0.8.x branch, backporting the following fixes from 0.10.x: - Add compatibility with ostree ≥ 2017.7 (in Debian, the same changes were already in 0.8.7-2) - Security: Do not allow legacy eavesdropping on the D-Bus session bus (Closes: #880451) - Ensure that LD_LIBRARY_PATH is in the correct order, respecting extensions' priorities - Ensure that extensions are mounted in the correct order even if they have differing priorities, fixing Steam - Remove PYTHONPATH, PERLLIB, PERL5LIB, XCURSOR_PATH from the environment given to sandboxed apps - Give each app a persistent cache directory for fontconfig - Make /usr/share/icons available in the sandbox so that sandboxed apps can use the host's icon theme - Disable debug-level FUSE logging for the document portal - Make the * wildcard at the end of a D-Bus filtering rule match zero or more components, so --talk="com.example.Foo.*" behaves the same as D-Bus' arg0namespace="com.example.Foo". Previously, it would only match exactly one component. This matches a proposed design for integrating equivalent filtering into future dbus versions. * d/p/0.8.8/: Drop patches that added compatibility with ostree ≥ 2017.7, no longer necessary flatpak (0.8.8-0+deb9u1) stretch; urgency=medium . 
* d/watch: Watch for new 0.8.x versions * New upstream release from 0.8.x branch, backporting the following fixes from 0.10.x: - Add compatibility with ostree ≥ 2017.7 (in Debian, the same changes were already in 0.8.7-2) - Security: Do not allow legacy eavesdropping on the D-Bus session bus (Closes: #880451) - Ensure that LD_LIBRARY_PATH is in the correct order, respecting extensions' priorities - Ensure that extensions are mounted in the correct order even if they have differing priorities, fixing Steam - Remove PYTHONPATH, PERLLIB, PERL5LIB, XCURSOR_PATH from the environment given to sandboxed apps - Give each app a persistent cache directory for fontconfig - Make /usr/share/icons available in the sandbox so that sandboxed apps can use the host's icon theme - Disable debug-level FUSE logging for the document portal - Make the * wildcard at the end of a D-Bus filtering rule match zero or more components, so --talk="com.example.Foo.*" behaves the same as D-Bus' arg0namespace="com.example.Foo". Previously, it would only match exactly one component. This matches a proposed design for integrating equivalent filtering into future dbus versions. * d/p/0.8.8/: Drop patches that added compatibility with ostree ≥ 2017.7, no longer necessary flatpak (0.8.8-0+deb9u1~bpo8+1) jessie-backports; urgency=medium . * Rebuild for jessie-backports. - debian/gbp.conf: adjust for this branch - debian/control: (build-)depend on libgtk-3-bin, not gtk-update-icon-cache - d/p/debian/Try-gtk-3.0-version-of-the-icon-cache-utility-first.patch: try to use gtk-update-icon-cache-3.0 before gtk-update-icon-cache - d/p/backport/*.patch, d/control: Relax GLib dependency to 2.42 . flatpak (0.8.8-0+deb9u1) stretch; urgency=medium . 
* d/watch: Watch for new 0.8.x versions * New upstream release from 0.8.x branch, backporting the following fixes from 0.10.x: - Add compatibility with ostree ≥ 2017.7 (in Debian, the same changes were already in 0.8.7-2) - Security: Do not allow legacy eavesdropping on the D-Bus session bus (Closes: #880451) - Ensure that LD_LIBRARY_PATH is in the correct order, respecting extensions' priorities - Ensure that extensions are mounted in the correct order even if they have differing priorities, fixing Steam - Remove PYTHONPATH, PERLLIB, PERL5LIB, XCURSOR_PATH from the environment given to sandboxed apps - Give each app a persistent cache directory for fontconfig - Make /usr/share/icons available in the sandbox so that sandboxed apps can use the host's icon theme - Disable debug-level FUSE logging for the document portal - Make the * wildcard at the end of a D-Bus filtering rule match zero or more components, so --talk="com.example.Foo.*" behaves the same as D-Bus' arg0namespace="com.example.Foo". Previously, it would only match exactly one component. This matches a proposed design for integrating equivalent filtering into future dbus versions. * d/p/0.8.8/: Drop patches that added compatibility with ostree ≥ 2017.7, no longer necessary flatpak (0.8.7-5) unstable; urgency=medium . * d/p/tests-Isolate-tests-from-real-home-directory-more-thoroug.patch: Mark as upstreamed for 0.9.8, and move to d/p/0.9.8/ directory * d/p/Improve-test-diagnostics.patch: Add patch to improve test diagnostics (see #870312) * Standards-Version: 4.0.1 (no changes required) * d/p/testlibrary-Skip-tests-that-need-extended-attributes-if-n.patch: Add patch to skip tests that need extended attributes if /var/tmp does not support them (Closes: #870312) flatpak (0.8.7-4) unstable; urgency=medium . 
* d/rules, d/autogen.sh: Run gtkdocize as well as autoreconf (similar to upstream's autogen.sh but much simpler), replacing gtk-doc.make at build time with the one in Debian's gtk-doc-tools flatpak (0.8.7-3) unstable; urgency=medium . * d/patches/: Add patch backported from 0.9.4, and new patch sent upstream to PR #894, to avoid using the real home directory in tests * d/control: Add libglib2.0-doc, libostree-doc to Build-Depends-Indep so that libflatpak-doc can cross-reference those documentation packages * debian/test.sh: Do not ignore build-time tests' exit status * d/rules: Do not run build-time tests with DEB_BUILD_OPTIONS=nocheck * d/control: Do not build-depend on gnome-desktop-testing. It is only used for the installed-tests. * d/control: Annotate test-only build-dependencies with * Standards-Version: 4.0.0 - Use https URL for format of debian/copyright flatpak (0.8.7-2) unstable; urgency=medium . * Move upstreamed patch to debian/patches/0.9.1/ to make it obvious when it can be dropped * d/p/0.8.8/: add patches backported from upstream 0.9.4, 0.9.6, together with a new patch to the tests, to restore compatibility with libostree 2017.7 (all applied upstream already) freexl (1.0.2-2+deb9u2) stretch-security; urgency=high . * Add upstream patch to fix various heap-buffer-overflows. - heap-buffer-overflow in freexl::destroy_cell of FreeXL 1.0.4 https://bugzilla.redhat.com/show_bug.cgi?id=1547879 - heap-buffer-overflow in freexl.c:1805 parse_SST parse_SST https://bugzilla.redhat.com/show_bug.cgi?id=1547883 - heap-buffer-overflow in freexl.c:1866 parse_SST of FreeXL 1.0.4 https://bugzilla.redhat.com/show_bug.cgi?id=1547885 - heap-buffer-overflow in freexl.c:383 parse_unicode_string of FreeXL 1.0.4 https://bugzilla.redhat.com/show_bug.cgi?id=1547889 - heap-buffer-overflow in freexl.c:3912 read_mini_biff_next_record of FreeXL 1.0.4 https://bugzilla.redhat.com/show_bug.cgi?id=1547892 fuse-zip (0.4.0-2+deb9u1) stretch; urgency=medium . 
* Backport upstream commit 9b9c2f47cfe9 to fix writeback fail with libzip 1.0 gcab (0.7-2+deb9u1) stretch-security; urgency=high . * Non-maintainer upload by the Security Team. * Do not crash when ncbytes is larger than the buffer size (CVE-2018-5345) (Closes: #887776) gcc-6 (6.3.0-18+deb9u1) stretch-security; urgency=medium . * Backport of retpoline support by HJ Lu gdk-pixbuf (2.36.5-2+deb9u2) stretch-security; urgency=medium . * Fix CVE-2017-1000422 (and while we're at it also add patches for three minor crash bugs (CVE-2017-6312, CVE-2017-6313.patch, CVE-2017-6314)) gifsicle (1.88-3+deb9u1) stretch-security; urgency=high . [ Herbert Parentes Fortes Neto ] * Closes: CVE-2017-1000421 gifsicle (1.88-3+deb9u1~bpo8+1) jessie-backports; urgency=high . * Rebuild for jessie-backports. - no changes gimp (2.8.18-1+deb9u1) stretch-security; urgency=high . * Non-maintainer upload by the Security Team. * Out of bounds read / heap overflow in TGA importer (CVE-2017-17786) (Closes: #884862) * plug-ins: TGA 16-bit RGB (without alpha bit) is also valid * Heap buffer overflow in PSP importer (CVE-2017-17789) (Closes: #884837) * heap overread in gbr parser / load_image (CVE-2017-17784) (Closes: #884925) * heap overread in psp importer (CVE-2017-17787) (Closes: #884927) * Heap overflow while parsing FLI files (CVE-2017-17785) (Closes: #884836) * buffer overread in XCF parser if version field has no null terminator (CVE-2017-17788) (Closes: #885347) glade (3.20.0-2+deb9u1) stretch; urgency=medium . * Team upload. . [ Sébastien Villemot ] * fix-use-of-gtk-style-context-in-GladeDesignLayout.patch: new patch. Fixes high CPU usage. (Closes: #859324) . [ Jeremy Bicha ] * Update Vcs fields and add debian/gbp.conf glibc (2.24-11+deb9u3) stretch; urgency=medium . [ Aurelien Jarno ] * debian/rules.d/debhelper.mk: install the libc-otherbuild postinst and postrm in the libc6-i686 transitional package, to make sure /etc/ld.so.nohwcap is correctly removed after an upgrade. Closes: #883394. 
glibc (2.24-11+deb9u2) stretch; urgency=medium . [ Aurelien Jarno ] * debian/control.in/x32: Add a gcc-multilib Recommends for libc6-dev-x32. * debian/patches/git-updates.diff: update from upstream stable branch: - debian/patches/any/submitted-perl-inc.diff: drop, merged upstream. - debian/patches/any/cvs-remove-pid-tid-cache-clone.diff: drop, merged upstream. - debian/patches/any/local-CVE-2017-1000366-rtld-LD_LIBRARY_PATH.diff: drop, merged upstream. - debian/patches/any/local-CVE-2017-1000366-rtld-LD_PRELOAD.diff: drop, merged upstream. - debian/patches/any/local-CVE-2017-1000366-rtld-LD_AUDIT.diff: drop, merged upstream. - debian/patches/any/cvs-vectorized-strcspn-guards.diff: drop, merged upstream. - debian/patches/any/cvs-hwcap-AT_SECURE.diff: drop, merged upstream. - Avoid use-after-free read access in clntudp_call (CVE-2017-12133). Closes: #870648. - Fix compatibility with Intel C++ __regcall calling convention. Closes: #881850. - Fix a buffer overrun in rpcgen. - Fix strlen on null pointer in nss_nisplus. - Fix invalid cast in group merging affecting ppc64 and s390x. - Define collation for Malayalam chillu characters. - Correct collation of U+0D36 and U+0D37 Malayalam characters. * debian/script.in/nohwcap.sh: always check for all optimized packages as multiarch allows one to install foreign architectures. Closes: #882272. . [ Santiago Vila ] * debian/debhelper.in/libc-bin.postinst: do not update /etc/nsswitch.conf when its content already matches the default. Closes: #865144. global (6.5.6-2+deb9u1) stretch; urgency=medium . * Backport fix for CVE-2017-17531 from 6.6.1 (Closes: #884912) gnumail (1.2.2-1.1+deb9u1) stretch; urgency=medium . * debian/patches/link-libs.patch: Update to eradicate unnecessary linking with OpenSSL (Closes: #886305). golang-github-go-ldap-ldap (2.4.1-1+deb9u1) stretch; urgency=medium . * Team upload. * Require explicit intention for empty password. 
This is normally used for unauthenticated bind, and https://tools.ietf.org/html/rfc4513#section-5.1.2 recommends: "Clients SHOULD disallow an empty password input to a Name/Password Authentication user interface" This is (mostly) a cherry-pick of 95ede12 from upstream, except the bit in ldap_test.go, which is unrelated to the security issue. This fixes CVE-2017-14623. (Closes: #876404) gosa-plugin-pwreset (0.99.4-1+deb9u1) stretch; urgency=medium . * debian/patches: + Add 0001_fix-deprecated-constructor-call.patch. (Closes: #886848). grilo-plugins (0.3.3-1+deb9u1) stretch; urgency=medium . * debian/patches/radiofrance.patch: - Fix Radio France source after website changes (Closes: #887469). hdf5 (1.10.0-patch1+docs-3+deb9u1) stretch; urgency=medium . * debian/rules: fix javahelper invocation (closes: #871506) heimdal (7.1.0+dfsg-13+deb9u2) stretch-security; urgency=high . * CVE-2017-17439: Remote unauthenticated DoS in Heimdal-KDC 7.1 (Closes: #878144) inputlirc (23-2+deb9u1) stretch; urgency=medium . * Include input-event-codes.h instead of input.h. Closes: #879458 Thanks to Ingo Schneider for reporting the bug and providing the fix. jackson-databind (2.8.6-1+deb9u3) stretch-security; urgency=high . * Team upload. * Fix CVE-2017-17485 and CVE-2018-5968: Bypass of deserialization blacklist to disallow unauthenticated remote code execution. These CVE exist due to an incomplete fix for CVE-2017-7525. (Closes: #888316, #888318) java-atk-wrapper (0.33.3-13+deb9u1) stretch; urgency=medium . * debian/patches/iter: Fix iterator initialization. * debian/patches/child_add: Fix missing reference for children (Closes: #837081). kildclient (3.1.0-1+deb9u1) stretch; urgency=low . * Fix for CVE-2017-17511. New dependency 'desktop-file-utils' required in order to use GTK+ function for opening URLs. Closes: #885007 libdate-holidays-de-perl (1.9-1+deb9u1) stretch; urgency=low . 
* Mark Reformation Day as a holiday in Hamburg and Schleswig-Holstein from 2018 on libdatetime-timezone-perl (1:2.09-1+2018b) stretch; urgency=medium . * Update to Olson database version 2018b. This update contains contemporary changes for São Tomé and Príncipe, Brazil, and Ireland. libhibernate-validator-java (4.3.3-1+deb9u1) stretch; urgency=medium . * Team upload. * Fix CVE-2017-7536: potential privilege escalation by circumventing security manager permissions. (Closes: #885577) libperlx-assert-perl (0.904-1+deb9u1) stretch; urgency=medium . [ Andreas Beckmann ] * Non-maintainer upload. * Backport fix from 0.905-1 to stretch. . [ gregor herrmann ] * Add libkeyword-simple-perl, libdevel-declare-perl to Depends. (Closes: #868075) libreoffice (1:5.2.7-1+deb9u3) stretch; urgency=medium . * debian/patches/WEBSERVICE-DDE.diff: - improve to not throw more errors than necessary (use the right error code) on WEBSERVICE() failures, thanks Jan-Marek Glogowski; do another s/FormulaError::NoValue/formula::errNoValue/ for clarity - backport 4a412bdf0387cc2cb59d656d0738a63a286ec497 from 5.4 branch to let FunctionAccess execute WEBSERVICE . * debian/rules: - do not run the tests except on i386 (notfatal) and amd64 - move dk.mk from -dev-common to -dev as it's not arch-indep, thanks Rico Tzschichholz libreoffice (1:5.2.7-1+deb9u2) stretch-security; urgency=high . * fix control libreoffice (1:5.2.7-1+deb9u2~bpo8+1) jessie-backports; urgency=high . * Rebuild for jessie-backports. . * tarballs/*, debian/source/include-binaries: add tarballs for used internal versions . libreoffice (1:5.2.7-1+deb9u2) stretch-security; urgency=high . * fix control . libreoffice (1:5.2.7-1+deb9u1) stretch-security; urgency=high . * debian/patches/WEBSERVICE-DDE.diff: backport fix for "Remote arbitrary file disclosure vulnerability via WEBSERVICE formula" (CVE-2018-1055) from 5.4 * debian/patches/layout-footnote-use-after-free.diff: add; as name says. possible patch for iDefense V-mct3ei5wml . 
* debian/rules: - make i386 make check notfatal for now given the i386 Java Stack Clash regression libreoffice (1:5.2.7-1+deb9u1) stretch-security; urgency=high . * debian/patches/WEBSERVICE-DDE.diff: backport fix for "Remote arbitrary file disclosure vulnerability via WEBSERVICE formula" (CVE-2018-1055) from 5.4 * debian/patches/layout-footnote-use-after-free.diff: add; as name says. possible patch for iDefense V-mct3ei5wml . * debian/rules: - make i386 make check notfatal for now given the i386 Java Stack Clash regression libtasn1-6 (4.10-1.1+deb9u1) stretch-security; urgency=high . * Non-maintainer upload by the Security Team. * _asn1_check_identifier: safer access to values read (CVE-2017-10790) (Closes: #867398) * _asn1_decode_simple_ber: restrict the levels of recursion to 3 (CVE-2018-6003) libvhdi (20160424-1+deb9u1) stretch; urgency=medium . * Add missing Python3 dependency, thanks to Adrian Bunk, Scott Kitterman (Closes: #867409, #867610) libvirt (3.0.0-4+deb9u2) stretch; urgency=medium . * CVE-2018-5748: qemu: avoid denial of service reading from QEMU monitor (Closes: #887700) * qemu: shared disks with cache=directsync should be safe for migration. Thanks to Carsten Burkhardt (Closes: #883208) libvpx (1.6.1-3+deb9u1) stretch-security; urgency=high . * Fix OOB caused by odd frame width (CVE-2017-13194) libxcursor (1:1.1.14-1+deb9u1) stretch-security; urgency=high . * Non-maintainer upload by the Security Team. * Fix heap overflows when parsing malicious files (CVE-2017-16612) (Closes: #883792) libxcursor (1:1.1.14-1+deb8u1) jessie-security; urgency=high . * Non-maintainer upload by the Security Team. * Fix heap overflows when parsing malicious files (CVE-2017-16612) (Closes: #883792) libxml2 (2.9.4+dfsg1-2.2+deb9u2) stretch-security; urgency=high . * Non-maintainer upload by the Security Team. * Fix XPath stack frame logic (CVE-2017-15412) (Closes: #883790) linux (4.9.82-1+deb9u3) stretch-security; urgency=medium . 
* [powerpc] Backport more RFI flush related patches from 4.9.84. Closes: #891249. * [powerpc] Ignore ABI change in paca. linux (4.9.82-1+deb9u2) stretch-security; urgency=high . * [x86] linux-headers: use correct version in linux-compiler-gcc-6-x86 dependency. linux (4.9.80-2) stretch; urgency=medium . * scsi: ignore ABI change in hisi_sas. linux (4.9.80-1) stretch; urgency=medium . * New upstream stable update: https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.66 - [s390x] fix transactional execution control register handling - [s390x] runtime instrumention: fix possible memory corruption - [s390x] disassembler: add missing end marker for e7 table - [s390x] disassembler: increase show_code buffer size - ACPI / EC: Fix regression related to triggering source of EC event handling - [x86] mm: fix use-after-free of vma during userfaultfd fault - ipv6: only call ip6_route_dev_notify() once for NETDEV_UNREGISTER - vsock: use new wait API for vsock_stream_sendmsg() - sched: Make resched_cpu() unconditional - lib/mpi: call cond_resched() from mpi_powm() loop - [x86] decoder: Add new TEST instruction pattern - [arm64] Implement arch-specific pte_access_permitted() - [armhf/armmp-lpae] 8722/1: mm: make STRICT_KERNEL_RWX effective for LPAE - [armhf/armmp-lpae] 8721/1: mm: dump: check hardware RO bit for LPAE - [arm64] PCI: Set Cavium ACS capability quirk flags to assert RR/CR/SV/UF - dm bufio: fix integer overflow when limiting maximum cache size - dm: allocate struct mapped_device with kvzalloc - [mips*] pci: Remove KERN_WARN instance inside the mt7620 driver - dm: fix race between dm_get_from_kobject() and __dm_destroy() - [mips*] Fix odd fp register warnings with MIPS64r2 - [mips*] Fix an n32 core file generation regset support regression - rt2x00usb: mark device removed when get ENOENT usb error - autofs: don't fail mount for transient error - nilfs2: fix race condition that causes file system corruption - eCryptfs: use after free in ecryptfs_release_messaging() 
- libceph: don't WARN() if user tries to add invalid key - bcache: check ca->alloc_thread initialized before wake up it - isofs: fix timestamps beyond 2027 - NFS: Fix typo in nomigration mount option - nfs: Fix ugly referral attributes - NFS: Avoid RCU usage in tracepoints - nfsd: deal with revoked delegations appropriately - rtlwifi: rtl8192ee: Fix memory leak when loading firmware - rtlwifi: fix uninitialized rtlhal->last_suspend_sec time - ata: fixes kernel crash while tracing ata_eh_link_autopsy event - ext4: fix interaction between i_size, fallocate, and delalloc after a crash - ALSA: pcm: update tstamp only if audio_tstamp changed - ALSA: usb-audio: Add sanity checks to FE parser - ALSA: usb-audio: Fix potential out-of-bound access at parsing SU - ALSA: usb-audio: Add sanity checks in v2 clock parsers - ALSA: timer: Remove kernel warning at compat ioctl error paths - ALSA: hda: Fix too short HDMI/DP chmap reporting - ALSA: hda/realtek - Fix ALC700 family no sound issue - fix a page leak in vhost_scsi_iov_to_sgl() error recovery - fs/9p: Compare qid.path in v9fs_test_inode - iscsi-target: Fix non-immediate TMR reference leak - target: Fix QUEUE_FULL + SCSI task attribute handling - [armhf] mtd: nand: omap2: Fix subpage write - mtd: nand: Fix writing mtdoops to nand flash. 
- mtd: nand: mtk: fix infinite ECC decode IRQ issue - p54: don't unregister leds when they are not initialized - block: Fix a race between blk_cleanup_queue() and timeout handling - [armhf,arm64] irqchip/gic-v3: Fix ppi-partitions lookup - lockd: double unregister of inetaddr notifiers - [x86] KVM: nVMX: set IDTR and GDTR limits when loading L1 host state - [x86] KVM: SVM: obey guest PAT - SUNRPC: Fix tracepoint storage issues with svc_recv and svc_rqst_status - [armhf] clk: ti: dra7-atl-clock: fix child-node lookups - libnvdimm, pfn: make 'resource' attribute only readable by root - libnvdimm, namespace: fix label initialization to use valid seq numbers - libnvdimm, namespace: make 'resource' attribute only readable by root - IB/srpt: Do not accept invalid initiator port names - IB/srp: Avoid that a cable pull can trigger a kernel crash - NFC: fix device-allocation error return - fm10k,i40e,i40evf,igb,igbvf,ixgbe,ixgbevf: Use smp_rmb rather than read_barrier_depends - [powerpc*] signal: Properly handle return value from uprobe_deny_signal() - media: Don't do DMA on stack for firmware upload in the AS102 driver - media: rc: check for integer overflow - media: v4l2-ctrl: Fix flags field on Control events - sched/rt: Simplify the IPI based RT balancing logic - fscrypt: lock mutex before checking for bounce page pool - net/9p: Switch to wait_event_killable() - PM / OPP: Add missing of_node_put(np) - [x86] Revert "drm/i915: Do not rely on wm preservation for ILK watermarks" closes: #884001 - e1000e: Fix error path in link detection - e1000e: Fix return value test - e1000e: Separate signaling for link check/link up - e1000e: Avoid receiver overrun interrupt bursts - RDS: make message size limit compliant with spec - RDS: RDMA: return appropriate error on rdma map failures - RDS: RDMA: fix the ib_map_mr_sg_zbva() argument - PCI: Apply _HPX settings only to relevant devices - [armhf] clk: sunxi-ng: A31: Fix spdif clock register - [armhf] clk: sunxi-ng: fix PLL_CPUX 
adjusting on A33 - fscrypt: use ENOKEY when file cannot be created w/o key - fscrypt: use ENOTDIR when setting encryption policy on nondirectory - net: Allow IP_MULTICAST_IF to set index to L3 slave - net: 3com: typhoon: typhoon_init_one: fix incorrect return values - rt2800: set minimum MPDU and PSDU lengths to sane values - adm80211: return an error if adm8211_alloc_rings() fails - mwifiex: sdio: fix use after free issue for save_adapter - ath10k: fix incorrect txpower set by P2P_DEVICE interface - ath10k: ignore configuring the incorrect board_id - ath10k: fix potential memory leak in ath10k_wmi_tlv_op_pull_fw_stats() - bnxt_en: Set default completion ring for async events. - ath10k: set CTS protection VDEV param only if VDEV is up - ALSA: hda - Apply ALC269_FIXUP_NO_SHUTUP on HDA_FIXUP_ACT_PROBE - drm: Apply range restriction after color adjustment when allocation - [arm64] clk: qcom: ipq4019: Add all the frequencies for apss cpu - mac80211: Remove invalid flag operations in mesh TSF synchronization - mac80211: Suppress NEW_PEER_CANDIDATE event if no room - adm80211: add checks for dma mapping errors - iio: light: fix improper return value - netfilter: nft_queue: use raw_smp_processor_id() - netfilter: nf_tables: fix oob access - [armel,armhf] crypto: marvell - Copy IVDIG before launching partial DMA ahash requests - btrfs: return the actual error value from from btrfs_uuid_tree_iterate - [s390x] kbuild: enable modversions for symbols exported from asm - cec: when canceling a message, don't overwrite old status info - cec: CEC_MSG_GIVE_FEATURES should abort for CEC version < 2 - cec: update log_addr[] before finishing configuration - nvmet: fix KATO offset in Set Features - xen: xenbus driver must not accept invalid transaction ids https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.67 - [armhf] dts: LogicPD Torpedo: Fix camera pin mux - [armhf] dts: omap3: logicpd-torpedo-37xx-devkit: Fix MMC1 cd-gpio - mm/cma: fix alloc_contig_range ret code/potential 
leak - mm, hugetlbfs: introduce ->split() to vm_operations_struct - mm/madvise.c: fix madvise() infinite loop under special circumstances - btrfs: clear space cache inode generation always - nfsd: Fix stateid races between OPEN and CLOSE - nfsd: Fix another OPEN stateid race - nfsd: fix panic in posix_unblock_lock called from nfs4_laundromat - [armhf] mfd: twl4030-power: Fix pmic for boards that need vmmc1 on reboot - [armhf] OMAP2+: Fix WL1283 Bluetooth Baud Rate - [x86] KVM: pvclock: Handle first-time write to pvclock-page contains random junk - [x86] KVM: Exit to user-mode on #UD intercept when emulator requires - [x86] KVM: inject exceptions produced by x86_decode_insn - [x86] KVM: lapic: Split out x2apic ldr calculation - [x86] KVM: lapic: Fixup LDR on load in x2apic - mmc: core: Do not leave the block driver in a suspended state - mmc: core: prepend 0x to OCR entry in sysfs - eeprom: at24: fix reading from 24MAC402/24MAC602 - eeprom: at24: correctly set the size for at24mac402 - eeprom: at24: check at24_read/write arguments - [x86,alpha] i2c: i801: Fix Failed to allocate irq -2147483648 error - hwmon: (jc42) optionally try to disable the SMBUS timeout - nvme-pci: add quirk for delay before CHK RDY for WDC SN200 - Revert "drm/radeon: dont switch vt on suspend" - drm/amdgpu: potential uninitialized variable in amdgpu_vce_ring_parse_cs() - drm/amdgpu: Potential uninitialized variable in amdgpu_vm_update_directories() - drm/radeon: fix atombios on big endian - [armhf,arm64] drm/panel: simple: Add missing panel_simple_unprepare() calls - [arm64] drm/hisilicon: Ensure LDI regs are properly configured. - drm/ttm: once more fix ttm_buffer_object_transfer - drm/amd/pp: fix typecast error in powerplay. - NFS: revalidate "." etc correctly on "open". 
  - [x86] drm/i915: Don't try indexed reads to alternate slave addresses
  - [x86] drm/i915: Prevent zero length "index" write
  https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.68
  - bcache: only permit to recovery read error when cache device is clean
  - bcache: recover data from backing when data is clean
  - Revert "crypto: caam - get rid of tasklet"
  - mm, oom_reaper: gather each vma to prevent leaking TLB entry
  - uas: Always apply US_FL_NO_ATA_1X quirk to Seagate devices
  - usb: quirks: Add no-lpm quirk for KY-688 USB 3.1 Type-C Hub
  - [s390x] runtime instrumentation: simplify task exit handling
  - ima: fix hash algorithm initialization
  - [s390x] pci: do not require AIS facility
  - serial: 8250_fintek: Fix rs485 disablement on invalid ioctl()
  - staging: rtl8188eu: avoid a null dereference on pmlmepriv
  - [arm64] mmc: sdhci-msm: fix issue with power irq
  - serial: 8250: Preserve DLD[7:4] for PORT_XR17V35X
  - [x86] entry: Use SYSCALL_DEFINE() macros for sys_modify_ldt()
  - [x86] EDAC, sb_edac: Fix missing break in switch
  - [armel,armhf] sysrq : fix Show Regs call trace on ARM
  - usbip: tools: Install all headers needed for libusbip development
  - [x86] kprobes: Disable preemption in ftrace-based jprobes
  - iio: adc: ti-ads1015: add 10% to conversion wait time
  - dax: Avoid page invalidation races and unnecessary radix tree traversals
  - net/mlx4_en: Fix type mismatch for 32-bit systems
  - l2tp: take remote address into account in l2tp_ip and l2tp_ip6 socket lookups
  - usb: gadget: f_fs: Fix ExtCompat descriptor validation
  - libcxgb: fix error check for ip6_route_output()
  - [armhf] OMAP2+: Fix WL1283 Bluetooth Baud Rate
  - vti6: fix device register to report IFLA_INFO_KIND
  - be2net: fix accesses to unicast list
  - be2net: fix unicast list filling
  - net/appletalk: Fix kernel memory disclosure
  - libfs: Modify mount_pseudo_xattr to be clear it is not a userspace mount
  - mm: fix remote numa hits statistics
  - mac80211: calculate min channel width correctly
  - nfs: Don't take a reference on fl->fl_file for LOCK operation
  - [armhf,arm64] KVM: Fix occasional warning from the timer work function
  - mac80211: prevent skb/txq mismatch
  - NFSv4: Fix client recovery when server reboots multiple times
  - [x86] perf/intel: Account interrupts for PEBS errors
  - [powerpc*] mm: Fix memory hotplug BUG() on radix
  - qla2xxx: Fix wrong IOCB type assumption
  - drm/amdgpu: fix bug set incorrect value to vce register
  - net: sctp: fix array overrun read on sctp_timer_tbl
  - [x86] fpu: Set the xcomp_bv when we fake up a XSAVES area
  - drm/amdgpu: fix unload driver issue for virtual display
  - mac80211: don't try to sleep in rate_control_rate_init()
  - RDMA/qedr: Return success when not changing QP state
  - RDMA/qedr: Fix RDMA CM loopback
  - tipc: fix nametbl_lock soft lockup at module exit
  - tipc: fix cleanup at module unload
  - [armhf] dmaengine: pl330: fix double lock
  - tcp: correct memory barrier usage in tcp_check_space()
  - nvmet: cancel fatal error and flush async work before free controller
  - gtp: clear DF bit on GTP packet tx
  - gtp: fix cross netns recv on gtp socket
  - net: phy: micrel: KSZ8795 do not set SUPPORTED_[Asym_]Pause
  - [arm64] net: thunderx: avoid dereferencing xcv when NULL
  - be2net: fix initial MAC setting
  - [powerpc*] vfio/spapr: Fix missing mutex unlock when creating a window
  - mm: avoid returning VM_FAULT_RETRY from ->page_mkwrite handlers
  - xen-netfront: Improve error handling during initialization
  - cec: initiator should be the same as the destination for, poll
  - xen-netback: vif counters from int/long to u64
  - net: fec: fix multicast filtering hardware setup
  - dma-buf/dma-fence: Extract __dma_fence_is_later()
  - dma-buf/sw-sync: Fix the is-signaled test to handle u32 wraparound
  - dma-buf/sw-sync: Prevent user overflow on timeline advance
  - dma-buf/sw-sync: sync_pt is private and of fixed size
  - dma-buf/sw-sync: Fix locking around sync_timeline lists
  - dma-buf/sw-sync: Use an rbtree to sort fences in the timeline
  - dma-buf/sw_sync: move timeline_fence_ops around
  - dma-buf/sw_sync: clean up list before signaling the fence
  - dma-fence: Clear fence->status during dma_fence_init()
  - dma-fence: Wrap querying the fence->status
  - dma-fence: Introduce drm_fence_set_error() helper
  - dma-buf/sw_sync: force signal all unsignaled fences on dying timeline
  - dma-buf/sync_file: hold reference to fence when creating sync_file
  - usb: hub: Cycle HUB power when initialization fails
  - usb: xhci: fix panic in xhci_free_virt_devices_depth_first
  - USB: core: Add type-specific length check of BOS descriptors
  - USB: Increase usbfs transfer limit
  - USB: devio: Prevent integer overflow in proc_do_submiturb()
  - USB: usbfs: Filter flags passed in from user space
  - usb: host: fix incorrect updating of offset
  - xen-netfront: avoid crashing on resume after a failure in talk_to_netback()
  https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.69
  - can: kvaser_usb: free buf in error paths
  - can: kvaser_usb: Fix comparison bug in kvaser_usb_read_bulk_callback()
  - can: kvaser_usb: ratelimit errors if incomplete messages are received
  - can: kvaser_usb: cancel urb on -EPIPE and -EPROTO
  - can: ems_usb: cancel urb on -EPIPE and -EPROTO
  - can: esd_usb2: cancel urb on -EPIPE and -EPROTO
  - can: usb_8dev: cancel urb on -EPIPE and -EPROTO
  - virtio: release virtio index when fail to device_register
  - [x86] hv: kvp: Avoid reading past allocated blocks from KVP file
  - isa: Prevent NULL dereference in isa_bus driver callbacks
  - scsi: dma-mapping: always provide dma_get_cache_alignment
  - scsi: use dma_get_cache_alignment() as minimum DMA alignment
  - scsi: libsas: align sata_device's rps_resp on a cacheline
  - efi: Move some sysfs files to be read-only by root
  - efi/esrt: Use memunmap() instead of kfree() to free the remapping
  - ASN.1: fix out-of-bounds read when parsing indefinite length item
  - ASN.1: check for error from ASN1_OP_END__ACT actions
  - X.509: reject invalid BIT STRING for subjectPublicKey
  - X.509: fix comparisons of ->pkey_algo
  - [x86] PCI: Make broadcom_postcore_init() check acpi_disabled
  - [x86] KVM: fix APIC page invalidation
  - btrfs: fix missing error return in btrfs_drop_snapshot
  - ALSA: pcm: prevent UAF in snd_pcm_info
  - ALSA: seq: Remove spurious WARN_ON() at timer check
  - ALSA: usb-audio: Fix out-of-bound error
  - ALSA: usb-audio: Add check return value for usb_string()
  - [x86] iommu/vt-d: Fix scatterlist offset handling
  - smp/hotplug: Move step CPUHP_AP_SMPCFD_DYING to the correct place
  - [s390x] fix compat system call table
  - [s390x] KVM: Fix skey emulation permission check
  - [powerpc*] 64s: Initialize ISAv3 MMU registers before setting partition table
  - brcmfmac: change driver unbind order of the sdio function devices
  - media: dvb: i2c transfers over usb cannot be done from stack
  - [armhf,arm64] KVM: fix VTTBR_BADDR_MASK BUG_ON off-by-one
  - [armhf,arm64] KVM: Fix broken GICH_ELRSR big endian conversion
  - [armhf,arm64] KVM: vgic-irqfd: Fix MSI entry allocation
  - [armhf,arm64] KVM: vgic-its: Check result of allocation before use
  - [arm64] fpsimd: Prevent registers leaking from dead tasks
  - [armhf] bus: arm-cci: Fix use of smp_processor_id() in preemptible context
  - usb: f_fs: Force Reserved1=1 in OS_DESC_EXT_COMPAT
  - [armel,armhf] BUG if jumping to usermode address in kernel mode
  - [armel,armhf] avoid faulting on qemu
  - thp: reduce indentation level in change_huge_pmd()
  - thp: fix MADV_DONTNEED vs. numa balancing race
  - mm: drop unused pmdp_huge_get_and_clear_notify()
  - [armel,armhf] 8657/1: uaccess: consistently check object sizes
  - vti6: Don't report path MTU below IPV6_MIN_MTU.
  - [armhf] OMAP2+: gpmc-onenand: propagate error on initialization failure
  - [x86] platform/uv/BAU: Fix HUB errors by remove initial write to sw-ack register
  - sched/fair: Make select_idle_cpu() more aggressive
  - [x86] hpet: Prevent might sleep splat on resume
  - [powerpc*] 64: Invalidate process table caching after setting process table
  - lirc: fix dead lock between open and wakeup_filter
  - module: set __jump_table alignment to 8
  - [powerpc*] 64: Fix checksum folding in csum_add()
  - [armhf] OMAP2+: Fix device node reference counts
  - [armhf] OMAP2+: Release device node after it is no longer needed.
  - usb: gadget: configs: plug memory leak
  - USB: gadgetfs: Fix a potential memory leak in 'dev_config()'
  - [armhf,arm64] usb: dwc3: gadget: Fix system suspend/resume on TI platforms
  - usb: gadget: udc: net2280: Fix tmp reusage in net2280 driver
  - [x86] kvm: nVMX: VMCLEAR should not cause the vCPU to shut down
  - libata: drop WARN from protocol error in ata_sff_qc_issue()
  - workqueue: trigger WARN if queue_delayed_work() is called with NULL @wq
  - scsi: qla2xxx: Fix ql_dump_buffer
  - scsi: lpfc: Fix crash during Hardware error recovery on SLI3 adapters
  - [armhf] irqchip/crossbar: Fix incorrect type of register size
  - [x86] KVM: nVMX: reset nested_run_pending if the vCPU is going to be reset
  - [armhf,arm64] KVM: Survive unknown traps from guests
  - [armhf,arm64] KVM: VGIC: Fix command handling while ITS being disabled
  - bnx2x: prevent crash when accessing PTP with interface down
  - bnx2x: fix possible overrun of VFPF multicast addresses array
  - bnx2x: fix detection of VLAN filtering feature for VF
  - bnx2x: do not rollback VF MAC/VLAN filters we did not configure
  - rds: tcp: Sequence teardown of listen and acceptor sockets to avoid races
  - [powerpc*] ibmvnic: Fix overflowing firmware/hardware TX queue
  - [powerpc*] ibmvnic: Allocate number of rx/tx buffers agreed on by firmware
  - ipv6: reorder icmpv6_init() and ip6_mr_init()
  - blk-mq: initialize mq kobjects in blk_mq_init_allocated_queue()
  - zram: set physical queue limits to avoid array out of bounds accesses
  - netfilter: don't track fragmented packets
  - [powerpc*] axonram: Fix gendisk handling
  - drm/amd/amdgpu: fix console deadlock if late init failed
  - [powerpc*] powernv/ioda2: Gracefully fail if too many TCE levels requested
  - [x86] EDAC, i5000, i5400: Fix use of MTR_DRAM_WIDTH macro
  - [x86] EDAC, i5000, i5400: Fix definition of NRECMEMB register
  - kbuild: pkg: use --transform option to prefix paths in tar
  - coccinelle: fix parallel build with CHECK=scripts/coccicheck
  - mac80211_hwsim: Fix memory leak in hwsim_new_radio_nl()
  - gre6: use log_ecn_error module parameter in ip6_tnl_rcv()
  - route: also update fnhe_genid when updating a route cache
  - route: update fnhe_expires for redirect when the fnhe exists
  - NFS: Fix a typo in nfs_rename()
  - sunrpc: Fix rpc_task_begin trace point
  - xfs: fix forgotten rcu read unlock when skipping inode reclaim
  - block: wake up all tasks blocked in get_request()
  - zsmalloc: calling zs_map_object() from irq is a bug
  - sctp: do not free asoc when it is already dead in sctp_sendmsg
  - sctp: use the right sk after waking up from wait_buf sleep
  - bpf: fix lockdep splat
  - atm: horizon: Fix irq release error
  - xfrm: Copy policy family in clone_policy
  - IB/mlx4: Increase maximal message size under UD QP
  - IB/mlx5: Assign send CQ and recv CQ of UMR QP
  - afs: Connect up the CB.ProbeUuid
  https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.70
  - [s390x] qeth: fix early exit from error path
  - tipc: fix memory leak in tipc_accept_from_sock()
  - rds: Fix NULL pointer dereference in __rds_rdma_map
  - sit: update frag_off info
  - packet: fix crash in fanout_demux_rollover()
  - net/packet: fix a race in packet_bind() and packet_notifier()
  - usbnet: fix alignment for frames with no ethernet header
  - stmmac: reset last TSO segment size after device open
  - tcp/dccp: block bh before arming time_wait timer
  - [s390x] qeth: build max size GSO skbs on L2 devices
  - [s390x] qeth: fix GSO throughput regression
  - [s390x] qeth: fix thinko in IPv4 multicast address tracking
  - tipc: call tipc_rcv() only if bearer is up in tipc_udp_recv()
  - Fix handling of verdicts after NF_QUEUE
  - ipmi: Stop timers before cleaning up the module
  - [s390x] always save and restore all registers on context switch
  - usb: gadget: ffs: Forbid usb_ep_alloc_request from sleeping
  - fix kcm_clone()
  - [armhf,arm64] KVM: vgic-its: Preserve the revious read from the pending table
  - [powerpc*] 64: Fix checksum folding in csum_tcpudp_nofold and ip_fast_csum_nofold
  - kbuild: do not call cc-option before KBUILD_CFLAGS initialization
  - ipvlan: fix ipv6 outbound device
  - audit: ensure that 'audit=1' actually enables audit for PID 1
  - md: free unused memory after bitmap resize
  - RDMA/cxgb4: Annotate r2 and stag as __be32
  https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.71
  - mfd: fsl-imx25: Clean up irq settings during removal
  - crypto: rsa - fix buffer overread when stripping leading zeroes
  - autofs: fix careless error in recent commit
  - tracing: Allocate mask_str buffer dynamically
  - USB: uas and storage: Add US_FL_BROKEN_FUA for another JMicron JMS567 ID
  - usbip: fix stub_rx: get_pipe() to validate endpoint number (CVE-2017-16912)
  - usbip: fix stub_rx: harden CMD_SUBMIT path to handle malicious input (CVE-2017-16913)
  - usbip: fix stub_send_ret_submit() vulnerability to null transfer_buffer (CVE-2017-16914)
  - ceph: drop negative child dentries before try pruning inode's alias
  - usb: xhci: fix TDS for MTK xHCI1.1
  - xhci: Don't add a virt_dev to the devs array before it's fully allocated
  - nfs: don't wait on commit in nfs_commit_inode() if there were no commit requests
  - sched/rt: Do not pull from current CPU if only one CPU to pull
  - eeprom: at24: change nvmem stride to 1
  - dmaengine: dmatest: move callback wait queue to thread context
  - ext4: fix fdatasync(2) after fallocate(2) operation
  - ext4: fix crash when a directory's i_size is too small
  - mac80211: Fix addition of mesh configuration element
  - [x86] KVM: nVMX: do not warn when MSR bitmap address is not backed
  - md-cluster: free md_cluster_info if node leave cluster
  - userfaultfd: shmem: __do_fault requires VM_FAULT_NOPAGE
  - userfaultfd: selftest: vm: allow to build in vm/ directory
  - net: initialize msg.msg_flags in recvfrom
  - bnxt_en: Ignore 0 value in autoneg supported speed from firmware.
  - net: bcmgenet: correct the RBUF_OVFL_CNT and RBUF_ERR_CNT MIB values
  - net: bcmgenet: correct MIB access of UniMAC RUNT counters
  - net: bcmgenet: reserved phy revisions must be checked first
  - net: bcmgenet: power down internal phy if open or resume fails
  - net: bcmgenet: synchronize irq0 status between the isr and task
  - net: bcmgenet: Power up the internal PHY before probing the MII
  - rxrpc: Wake up the transmitter if Rx window size increases on the peer
  - net/mlx5: Fix create autogroup prev initializer
  - net/mlx5: Don't save PCI state when PCI error is detected
  - drm/amdgpu: fix parser init error path to avoid crash in parser fini
  - NFSD: fix nfsd_minorversion(.., NFSD_AVAIL)
  - NFSD: fix nfsd_reset_versions for NFSv4.
  - [armhf] drm/omap: fix dmabuf mmap for dma_alloc'ed buffers
  - netfilter: bridge: honor frag_max_size when refragmenting
  - blk-mq: Fix tagset reinit in the presence of cpu hot-unplug
  - writeback: fix memory leak in wb_queue_work()
  - net: wimax/i2400m: fix NULL-deref at probe
  - dmaengine: Fix array index out of bounds warning in __get_unmap_pool()
  - irqchip/mvebu-odmi: Select GENERIC_MSI_IRQ_DOMAIN
  - net: Resend IGMP memberships upon peer notification.
  - qed: Align CIDs according to DORQ requirement
  - qed: Fix mapping leak on LL2 rx flow
  - qed: Fix interrupt flags on Rx LL2
  - scsi: hpsa: update check for logical volume status
  - scsi: hpsa: limit outstanding rescans
  - scsi: hpsa: do not timeout reset operations
  - fjes: Fix wrong netdevice feature flags
  - drm/radeon/si: add dpm quirk for Oland
  - [x86] Drivers: hv: util: move waiting for release to hv_utils_transport itself
  - iwlwifi: mvm: cleanup pending frames in DQA mode
  - sched/deadline: Add missing update_rq_clock() in dl_task_timer()
  - sched/deadline: Make sure the replenishment timer fires in the next period
  - sched/deadline: Throttle a constrained deadline task activated after the deadline
  - sched/deadline: Use deadline instead of period when calculating overflow
  - drm/radeon: reinstate oland workaround for sclk
  - afs: Fix missing put_page()
  - afs: Populate group ID from vnode status
  - afs: Adjust mode bits processing
  - afs: Deal with an empty callback array
  - afs: Flush outstanding writes when an fd is closed
  - afs: Migrate vlocation fields to 64-bit
  - afs: Prevent callback expiry timer overflow
  - afs: Fix the maths in afs_fs_store_data()
  - afs: Invalid op ID should abort with RXGEN_OPCODE
  - afs: Better abort and net error handling
  - afs: Populate and use client modification time
  - afs: Fix page leak in afs_write_begin()
  - afs: Fix afs_kill_pages()
  - afs: Fix abort on signal while waiting for call completion
  - nvme-loop: fix a possible use-after-free when destroying the admin queue
  - nvmet: confirm sq percpu has scheduled and switched to atomic
  - nvmet-rdma: Fix a possible uninitialized variable dereference
  - net/mlx4_core: Avoid delays during VF driver device shutdown
  - net: mpls: Fix nexthop alive tracking on down events
  - rxrpc: Ignore BUSY packets on old calls
  - tty: don't panic on OOM in tty_set_ldisc()
  - tty: fix data race in tty_ldisc_ref_wait()
  - perf symbols: Fix symbols__fixup_end heuristic for corner cases
  - efi/esrt: Cleanup bad memory map log messages
  - NFSv4.1 respect server's max size in CREATE_SESSION
  - btrfs: add missing memset while reading compressed inline extents
  - target: Use system workqueue for ALUA transitions
  - target: fix ALUA transition timeout handling
  - target: fix race during implicit transition work flushes
  - [x86] Revert "x86/acpi: Set persistent cpuid <-> nodeid mapping when booting"
  - HID: cp2112: fix broken gpio_direction_input callback
  - sfc: don't warn on successful change of MAC
  - video: udlfb: Fix read EDID timeout
  - rtc: pcf8563: fix output clock rate
  - [x86] ASoC: Intel: Skylake: Fix uuid_module memory leak in failure case
  - [armhf] dmaengine: ti-dma-crossbar: Correct am335x/am43xx mux value type
  - PCI/PME: Handle invalid data when reading Root Status
  - powerpc/powernv/cpufreq: Fix the frequency read by /proc/cpuinfo
  - PCI: Do not allocate more buses than available in parent
  - netfilter: ipvs: Fix inappropriate output of procfs
  - [powerpc*] opal: Fix EBUSY bug in acquiring tokens
  - [powerpc*] ipic: Fix status get and status clear
  - [x86] platform: intel_punit_ipc: Fix resource ioremap warning
  - target/iscsi: Fix a race condition in iscsit_add_reject_from_cmd()
  - iscsi-target: fix memory leak in lio_target_tiqn_addtpg()
  - target:fix condition return in core_pr_dump_initiator_port()
  - target/file: Do not return error for UNMAP if length is zero
  - badblocks: fix wrong return value in badblocks_set if badblocks are disabled
  - [x86] iommu/amd: Limit the IOVA page range to the specified addresses
  - xfs: truncate pagecache before writeback in xfs_setattr_size()
  - crypto: tcrypt - fix buffer lengths in test_aead_speed()
  - mm: Handle 0 flags in _calc_vm_trans() macro
  - [armhf] clk: imx6: refine hdmi_isfr's parent to make HDMI work on i.MX6 SoCs w/o VPU
  - [arm64] clk: hi6220: mark clock cs_atb_syspll as critical
  - [armhf,arm64] clk: tegra: Fix cclk_lp divisor register
  - ppp: Destroy the mutex when cleanup
  - thermal/drivers/step_wise: Fix temperature regulation misbehavior
  - scsi: scsi_debug: write_same: fix error report
  - GFS2: Take inode off order_write list when setting jdata flag
  - bcache: explicitly destroy mutex while exiting
  - bcache: fix wrong cache_misses statistics
  - Ib/hfi1: Return actual operational VLs in port info query
  - [x86] platform: hp_accel: Add quirk for HP ProBook 440 G4
  - nvme: use kref_get_unless_zero in nvme_find_get_ns
  - l2tp: cleanup l2tp_tunnel_delete calls
  - xfs: fix log block underflow during recovery cycle verification
  - xfs: fix incorrect extent state in xfs_bmap_add_extent_unwritten_real
  - RDMA/cxgb4: Declare stag as __be32
  - PCI: Detach driver before procfs & sysfs teardown on device remove
  - scsi: hpsa: cleanup sas_phy structures in sysfs when unloading
  - scsi: hpsa: destroy sas transport properties before scsi_host
  - [powerpc*] perf/hv-24x7: Fix incorrect comparison in memord
  - tty fix oops when rmmod 8250
  - raid5: Set R5_Expanded on parity devices as well as data.
  - scsi: scsi_devinfo: Add REPORTLUN2 to EMC SYMMETRIX blacklist entry
  - IB/core: Fix calculation of maximum RoCE MTU
  - vt6655: Fix a possible sleep-in-atomic bug in vt6655_suspend
  - rtl8188eu: Fix a possible sleep-in-atomic bug in rtw_createbss_cmd
  - rtl8188eu: Fix a possible sleep-in-atomic bug in rtw_disassoc_cmd
  - scsi: sd: change manage_start_stop to bool in sysfs interface
  - scsi: sd: change allow_restart to bool in sysfs interface
  - scsi: bfa: integer overflow in debugfs
  - udf: Avoid overflow when session starts at large offset
  - macvlan: Only deliver one copy of the frame to the macvlan interface
  - RDMA/cma: Avoid triggering undefined behavior
  - IB/ipoib: Grab rtnl lock on heavy flush when calling ndo_open/stop
  - icmp: don't fail on fragment reassembly time exceeded
  - ath9k: fix tx99 potential info leak
  https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.72
  - cxl: Check if vphb exists before iterating over AFU devices
  - [arm64] Initialise high_memory global variable earlier
  - kvm: fix usage of uninit spinlock in avic_vm_destroy()
  - [armhf] kprobes: Fix the return address of multiple kretprobes
  - [armhf] kprobes: Align stack to 8-bytes in test code
  - nvme-loop: handle cpu unplug when re-establishing the controller
  - cpuidle: Validate cpu_dev in cpuidle_add_sysfs()
  - r8152: fix the list rx_done may be used without initialization
  - crypto: deadlock between crypto_alg_sem/rtnl_mutex/genl_mutex
  - vsock: track pkt owner vsock
  - vhost-vsock: add pkt cancel capability
  - vsock: cancel packets when failing to connect
  - sch_dsmark: fix invalid skb_cow() usage
  - bna: integer overflow bug in debugfs
  - sctp: out_qlen should be updated when pruning unsent queue
  - usb: gadget: f_uvc: Sanity check wMaxPacketSize for SuperSpeed
  - usb: gadget: udc: remove pointer dereference after free
  - netfilter: nfnl_cthelper: fix runtime expectation policy updates
  - netfilter: nfnl_cthelper: Fix memory leak
  - [armhf] iommu/exynos: Workaround FLPD cache flush issues for SYSMMU v5
  - r8152: fix the rx early size of RTL8153
  - tipc: fix nametbl deadlock at tipc_nametbl_unsubscribe
  - inet: frag: release spinlock before calling icmp_send()
  - scsi: lpfc: Fix PT2PT PRLI reject
  - [x86] kvm: vmx: Flush TLB when the APIC-access address changes
  - [x86] KVM: correct async page present tracepoint
  - [x86] KVM: VMX: Fix enable VPID conditions
  - [armhf] dts: ti: fix PCI bus dtc warnings
  - [x86] hwmon: (asus_atk0110) fix uninitialized data access
  - HID: xinmo: fix for out of range for THT 2P arcade controller.
  - ASoC: STI: Fix reader substream pointer set
  - r8152: prevent the driver from transmitting packets with carrier off
  - [s390x] qeth: size calculation outbound buffers
  - [s390x] qeth: no ETH header for outbound AF_IUCV
  - bna: avoid writing uninitialized data into hw registers
  - i40iw: Receive netdev events post INET_NOTIFIER state
  - IB/core: Protect against self-requeue of a cq work item
  - infiniband: Fix alignment of mmap cookies to support VIPT caching
  - nbd: set queue timeout properly
  - net: Do not allow negative values for busy_read and busy_poll sysctl interfaces
  - IB/rxe: double free on error
  - IB/rxe: increment msn only when completing a request
  - i40e: Do not enable NAPI on q_vectors that have no rings
  - RDMA/iser: Fix possible mr leak on device removal event
  - irda: vlsi_ir: fix check for DMA mapping errors
  - netfilter: nfnl_cthelper: fix a race when walk the nf_ct_helper_hash table
  - netfilter: nf_nat_snmp: Fix panic when snmp_trap_helper fails to register
  - [armhf] dts: am335x-evmsk: adjust mmc2 param to allow suspend
  - cpufreq: Fix creation of symbolic links to policy directories
  - net: ipconfig: fix ic_close_devs() use-after-free
  - [x86] KVM: pci-assign: do not map smm memory slot pages in vt-d page tables
  - virtio-balloon: use actual number of stats for stats queue buffers
  - virtio_balloon: prevent uninitialized variable use
  - isdn: kcapi: avoid uninitialized data
  - xhci: plat: Register shutdown for xhci_plat
  - netfilter: nfnetlink_queue: fix secctx memory leak
  - Btrfs: fix an integer overflow check
  - [armel,armhf] dma-mapping: disallow dma_get_sgtable() for non-kernel managed memory
  - [powerpc*] cpuidle: powernv: Pass correct drv->cpumask for registration
  - bnxt_en: Fix NULL pointer dereference in reopen failure path
  - [armhf,arm64] backlight: pwm_bl: Fix overflow condition
  - [armhf,arm64] rtc: pl031: make interrupt optional
  - kvm, mm: account kvm related kmem slabs to kmemcg
  - net: phy: at803x: Change error to EINVAL for invalid MAC
  - PCI: Avoid bus reset if bridge itself is broken
  - scsi: cxgb4i: fix Tx skb leak
  - scsi: mpt3sas: Fix IO error occurs on pulling out a drive from RAID1 volume created on two SATA drive
  - PCI: Create SR-IOV virtfn/physfn links before attaching driver
  - PM / OPP: Move error message to debug level
  - igb: check memory allocation failure
  - ixgbe: fix use of uninitialized padding
  - IB/rxe: check for allocation failure on elem
  - PCI/AER: Report non-fatal errors only to the affected endpoint
  - tracing: Exclude 'generic fields' from histograms
  - fm10k: fix mis-ordered parameters in declaration for .ndo_set_vf_bw
  - scsi: lpfc: Fix secure firmware updates
  - scsi: lpfc: PLOGI failures during NPIV testing
  - vfio/pci: Virtualize Maximum Payload Size
  - fm10k: ensure we process SM mbx when processing VF mbx
  - net: ipv6: send NS for DAD when link operationally up
  - [armhf] clk: sunxi-ng: sun6i: Rename HDMI DDC clock to avoid name collision
  - tcp: fix under-evaluated ssthresh in TCP Vegas
  - rtc: set the alarm to the next expiring timer
  - cpuidle: fix broadcast control when broadcast can not be entered
  - [arm64] thermal: hisilicon: Handle return value of clk_prepare_enable
  - [arm64] thermal/drivers/hisi: Fix missing interrupt enablement
  - [arm64] thermal/drivers/hisi: Fix kernel panic on alarm interrupt
  - [arm64] thermal/drivers/hisi: Simplify the temperature/step computation
  - [arm64] thermal/drivers/hisi: Fix multiple alarm interrupts firing
  - [mips*] math-emu: Fix final emulation phase for certain instructions
  - [x86] platform: asus-wireless: send an EV_SYN/SYN_REPORT between state changes
  https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.73
  - ACPI: APEI / ERST: Fix missing error handling in erst_reader()
  - ALSA: rawmidi: Avoid racy info ioctl via ctl device
  - spi: xilinx: Detect stall with Unknown commands
  - [x86] KVM: X86: Fix load RFLAGS w/o the fixed bit
  - [x86] kvm: x86: fix RSM when PCID is non-zero
  - [armhf] clk: sunxi: sun9i-mmc: Implement reset callback for reset controls
  - [powerpc*] powerpc/perf: Dereference BHRB entries safely
  - bpf/verifier: Fix states_equal() comparison of pointer and UNKNOWN
  https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.74
  - tracing: Remove extra zeroing out of the ring buffer page
  - tracing: Fix possible double free on failure of allocating trace buffer
  - tracing: Fix crash when it fails to alloc ring buffer
  - ring-buffer: Mask out the info bits when returning buffer page length
  - ASoC: wm_adsp: Fix validation of firmware and coeff lengths
  - [x86] x86/vm86/32: Switch to flush_tlb_mm_range() in mark_screen_rdonly()
  - [x86] x86/mm: Remove flush_tlb() and flush_tlb_current_task()
  - [x86] x86/mm: Make flush_tlb_mm_range() more predictable
  - [x86] x86/mm: Reimplement flush_tlb_page() using flush_tlb_mm_range()
  - [x86] x86/mm: Remove the UP asm/tlbflush.h code, always use the (formerly) SMP code
  - [x86] x86/mm: Disable PCID on 32-bit kernels
  - [x86] x86/mm: Add the 'nopcid' boot option to turn off PCID
  - [x86] x86/mm: Enable CR4.PCIDE on supported systems
  - [amd64] x86/mm/64: Fix reboot interaction with CR4.PCIDE
  - kbuild: add '-fno-stack-check' to kernel build options
  - ipv4: igmp: guard against silly MTU values
  - ipv6: mcast: better catch silly mtu values
  - ptr_ring: add barriers
  - RDS: Check cmsg_len before dereferencing CMSG_DATA
  - tg3: Fix rx hang on MTU change with 5717/5719
  - net: ipv4: fix for a race condition in raw_sendmsg
  - ipv4: Fix use-after-free when flushing FIB tables
  - net: bridge: fix early call to br_stp_change_bridge_id and plug newlink leaks
  - net: Fix double free and memory corruption in get_net_ns_by_id() (CVE-2017-15129)
  - net/mlx5e: Fix possible deadlock of VXLAN lock
  - net/mlx5e: Prevent possible races in VXLAN control flow
  - usbip: fix usbip bind writing random string after command in match_busid
  - usbip: prevent leaking socket pointer address in messages
  - usbip: stub: stop printing kernel pointer addresses in messages
  - usbip: vhci: stop printing kernel pointer addresses in messages
  - USB: Fix off by one in type-specific length check of BOS SSP capability
  - nohz: Prevent a timer interrupt storm in tick_nohz_stop_sched_tick()
  - [x86] x86/smpboot: Remove stale TLB flush invocations
  - n_tty: fix EXTPROC vs ICANON interaction with TIOCINQ (aka FIONREAD)
  https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.75
  - [x86] x86/boot: Add early cmdline parsing for options with arguments
  - [amd64] KAISER: Kernel Address Isolation
  - [amd64] kaiser: merged update
  - [amd64] kaiser: do not set _PAGE_NX on pgd_none
  - [amd64] kaiser: stack map PAGE_SIZE at THREAD_SIZE-PAGE_SIZE
  - [amd64] kaiser: fix build and FIXME in alloc_ldt_struct()
  - [amd64] kaiser: KAISER depends on SMP
  - [amd64] kaiser: fix regs to do_nmi() ifndef CONFIG_KAISER
  - [amd64] kaiser: fix perf crashes
  - [amd64] kaiser: ENOMEM if kaiser_pagetable_walk() NULL
  - [amd64] kaiser: tidied up asm/kaiser.h somewhat
  - [amd64] kaiser: tidied up kaiser_add/remove_mapping slightly
  - [amd64] kaiser: align addition to x86/mm/Makefile
  - [amd64] kaiser: cleanups while trying for gold link
  - [amd64] kaiser: name that 0x1000 KAISER_SHADOW_PGD_OFFSET
  - [amd64] kaiser: delete KAISER_REAL_SWITCH option
  - [amd64] kaiser: vmstat show NR_KAISERTABLE as nr_overhead
  - [amd64] kaiser: enhanced by kernel and user PCIDs
  - [amd64] kaiser: load_new_mm_cr3() let SWITCH_USER_CR3 flush user
  - [amd64] kaiser: PCID 0 for kernel and 128 for user
  - [amd64] kaiser: x86_cr3_pcid_noflush and x86_cr3_pcid_user
  - [amd64] kaiser: paranoid_entry pass cr3 need to paranoid_exit
  - [amd64] kaiser: kaiser_remove_mapping() move along the pgd
  - [amd64] kaiser: fix unlikely error in alloc_ldt_struct()
  - [amd64] kaiser: add "nokaiser" boot option, using ALTERNATIVE
  - [amd64] x86/kaiser: Rename and simplify X86_FEATURE_KAISER handling
  - [amd64] x86/kaiser: Check boottime cmdline params
  - [amd64] kaiser: use ALTERNATIVE instead of x86_cr3_pcid_noflush
  - [amd64] kaiser: drop is_atomic arg to kaiser_pagetable_walk()
  - [amd64] kaiser: asm/tlbflush.h handle noPGE at lower level
  - [amd64] kaiser: kaiser_flush_tlb_on_return_to_user() check PCID
  - [amd64] x86/paravirt: Dont patch flush_tlb_single
  - [amd64] x86/kaiser: Reenable PARAVIRT
  - [amd64] kaiser: disabled on Xen PV
  - [amd64] x86/kaiser: Move feature detection up
  - [amd64] KPTI: Rename to PAGE_TABLE_ISOLATION
  - [amd64] KPTI: Report when enabled
  - [amd64] kaiser: Set _PAGE_NX only if supported
  https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.76
  - crypto: n2 - cure use after free
  - crypto: chacha20poly1305 - validate the digest size
  - crypto: pcrypt - fix freeing pcrypt instances (CVE-2017-18075)
  - nbd: fix use-after-free of rq/bio in the xmit path
  - [arm] iommu/arm-smmu-v3: Don't free page table ops twice
  - [arm] iommu/arm-smmu-v3: Cope with duplicated Stream IDs
  - [x86] x86/microcode/AMD: Add support for fam17h microcode loading
  - [hppa] parisc: Fix alignment of pa_tlb_lock in assembly on 32-bit SMP kernel
  - [x86] Map the vsyscall page with _PAGE_USER
  https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.77
  - mac80211: Add RX flag to indicate ICV stripped
  - ath10k: rebuild crypto header in rx data frames
  - [x86] KVM: Fix stack-out-of-bounds read in write_mmio
  - [mips] MIPS: Fix an FCSR access API regression with NT_PRFPREG and MSA
  - [x86] kvm: vmx: Scrub hardware GPRs at VM-exit (mitigates Spectre / CVE-2017-5715 and CVE-2017-5753)
  - ALSA: pcm: Remove incorrect snd_BUG_ON() usages
  - RDS: Heap OOB write in rds_message_alloc_sgs() (CVE-2018-5332)
  - RDS: null pointer dereference in rds_atomic_free_op (CVE-2018-5333)
  - ipv6: fix possible mem leaks in ipv6_make_skb()
  - mlxsw: spectrum_router: Fix NULL pointer deref
  - crypto: algapi - fix NULL dereference in crypto_remove_spawns()
  - [x86] x86/microcode/intel: Extend BDW late-loading with a revision check
  - [x86] KVM: x86: Add memory barrier on vmcs field lookup (mitigates Spectre#2 / CVE-2017-5715)
  - [x86] kaiser: Set _PAGE_NX only if supported
  - bpf: prevent out-of-bounds speculation (mitigates Spectre#1 / CVE-2017-5753)
  - bpf, array: fix overflow in max_entries and undefined behavior in index_mask
  - USB: fix usbmon BUG trigger
  - usbip: remove kernel addresses from usb device and urb debug msgs
  - usbip: fix vudc_rx: harden CMD_SUBMIT path to handle malicious input
  - usbip: vudc_tx: fix v_send_ret_submit() vulnerability to null xfer buffer
  - Bluetooth: Prevent stack info leak from the EFS element.(CVE-2017-1000410)
  - [x86] x86/retpoline: Add initial retpoline support (mitigates Spectre#2 / CVE-2017-5715)
  - [x86] x86/spectre: Add boot time option to select Spectre v2 mitigation
  - [x86] x86/retpoline/crypto: Convert crypto assembler indirect jumps
  - [x86] x86/retpoline/entry: Convert entry assembler indirect jumps
  - [x86] x86/retpoline/ftrace: Convert ftrace assembler indirect jumps
  - [x86] x86/retpoline/hyperv: Convert assembler indirect jumps
  - [x86] x86/retpoline/xen: Convert Xen hypercall indirect jumps
  - [x86] x86/retpoline/checksum32: Convert assembler indirect jumps
  - [x86] x86/retpoline/irq32: Convert assembler indirect jumps
  - [x86] x86/retpoline: Fill return stack buffer on vmexit
  - [x86] x86/pti/efi: broken conversion from efi to kernel page table
  https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.78
  - futex: Prevent overflow by strengthen input validation
  - ALSA: seq: Make ioctls race-free
  - af_key: fix buffer overread in verify_address_len()
  - af_key: fix buffer overread in parse_exthdrs()
  - iser-target: Fix possible use-after-free in connection establishment error
  - [x86] x86/retpoline: Fill RSB on context switch for affected CPUs
  - [x86] x86/retpoline: Add LFENCE to the retpoline/RSB filling RSB macros
  - module: Add retpoline tag to VERMAGIC
  - [x86] x86/mm/pkeys: Fix fill_sig_info_pkey
  - [x86] x86/tsc: Fix erroneous TSC rate on Skylake Xeon
  - pipe: avoid round_pipe_size() nr_pages overflow on 32-bit
  - [x86] x86/apic/vector: Fix off by one in error path
  - Input: ALPS - fix multi-touch decoding on SS4 plus touchpads
  - Input: 88pm860x-ts - fix child-node lookup
  - Input: twl6040-vibra - fix child-node lookup
  - Input: twl4030-vibra - fix sibling-node lookup
  - proc: fix coredump vs read /proc/*/stat race
  - libata: apply MAX_SEC_1024 to all LITEON EP1 series devices
  - workqueue: avoid hard lockups in show_workqueue_state()
  - dm btree: fix serious bug in btree_split_beneath()
  - dm thin metadata: THIN_MAX_CONCURRENT_LOCKS should be 6
  - [arm64] arm64: KVM: Fix SMCCC handling of unimplemented SMC/HVC calls
  - [x86] x86/cpu, x86/pti: Do not enable PTI on AMD processors
  - usbip: fix warning in vhci_hcd_probe/lockdep_init_map
  - [x86] x86/mce: Make machine check speculation protected
  - [x86] retpoline: Introduce start/end markers of indirect thunk
  - [x86] x86/retpoline: Optimize inline assembler for vmexit_fill_RSB
  https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.79
  - [i386] x86/asm/32: Make sync_core() handle missing CPUID on all 32-bit kernels
  - usbip: prevent vhci_hcd driver from leaking a socket pointer address (CVE-2017-16911)
  - usbip: Fix potential format overflow in userspace tools
  - [arm*] KVM: arm/arm64: Check pagesize when allocating a hugepage at Stage 2
  - [amd64] Prevent timer value 0 for MWAITX
  - drivers: base: cacheinfo: fix boot error message when acpi is enabled
  - mm/mmap.c: do not blow on PROT_NONE MAP_FIXED holes in the stack
  - ACPICA: Namespace: fix operand cache leak
  - netfilter: nfnetlink_cthelper: Add missing permission checks
  - netfilter: xt_osf: Add missing permission checks
  - fs/fcntl: f_setown, avoid undefined behaviour
  - Revert "module: Add retpoline tag to VERMAGIC"
  - orangefs: fix deadlock; do not write i_size in read_iter
  - um: link vmlinux with -no-pie
  - vsyscall: Fix permissions for emulate mode with KAISER/PTI
  - ipv6: fix udpv6 sendmsg crash caused by too small MTU
  - ipv6: ip6_make_skb() needs to clear cork.base.dst
  - net: igmp: fix source address check for IGMPv3 reports
  - net: qdisc_pkt_len_init() should be more robust
  - net: tcp: close sock if net namespace is exiting
  - pppoe: take ->needed_headroom of lower device into account on xmit
  - r8169: fix memory corruption on retrieval of hardware statistics.
  - sctp: do not allow the v4 socket to bind a v4mapped v6 address
  - sctp: return error if the asoc has been peeled off in sctp_wait_for_sndbuf
  - flow_dissector: properly cap thoff field
  - perf/x86/amd/power: Do not load AMD power module on !AMD platforms
  - x86/microcode/intel: Extend BDW late-loading further with LLC size check
  - bpf: fix bpf_tail_call() x64 JIT
  - bpf: avoid false sharing of map refcount with max_entries
  - bpf: fix divides by zero
  - bpf: fix 32-bit divide by zero
  - nfsd: auth: Fix gid sorting when rootsquash enabled
  https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.80
  - loop: fix concurrent lo_open/lo_release (CVE-2018-5344)
  - gpio: Fix kernel stack leak to userspace
  - crypto: aesni - handle zero length dst buffer
  - crypto: sha3-generic - fixes for alignment and big endian operation
  - HID: wacom: EKR: ensure devres groups at higher indexes are released
  - igb: Free IRQs when device is hotplugged
  - drm/vc4: Account for interrupts in flight
  - [x86] KVM: x86: emulator: Return to user-mode on L1 CPL=0 emulation failure
  - [x86] KVM: x86: Don't re-execute instruction when not passing CR2 value
  - [x86] KVM: X86: Fix operand/address-size during instruction decoding
  - [x86] KVM: x86: ioapic: Fix level-triggered EOI and IOAPIC reconfigure race
  - [x86] KVM: x86: ioapic: Clear Remote IRR when entry is switched to edge-triggered
  - ACPI / bus: Leave modalias empty for devices which are not present
  - [x86] KVM: x86: ioapic: Preserve read-only values in the redirection table
  - btrfs: fix deadlock when writing out space cache
  - [x86] KVM: X86: Fix softlockup when get the current kvmclock
  - KVM: VMX: Fix rflags cache during vCPU reset
  - xfs: always free inline data before resetting inode fork during ifree
  - kmemleak: add scheduling point to kmemleak_scan()
  - scsi: aacraid: Prevent crash in case of free interrupt during scsi EH path
  - scsi: ufs: ufshcd: fix potential NULL pointer dereference in ufshcd_config_vreg
  - usb: gadget: don't dereference g until after it has been null checked
  - tty: fix data race between tty_init_dev and flush of buf
  - USB: serial: io_edgeport: fix possible sleep-in-atomic
  - usbip: prevent bind loops on devices attached to vhci_hcd

[ Ben Hutchings ]
* [rt] Update to 4.9.68-rt60:
  - Revert "memcontrol: Prevent scheduling while atomic in cgroup code"
  - Revert "fs: jbd2: pull your plug when waiting for space"
  - rtmutex: Fix lock stealing logic
  - cpu_pm: replace raw_notifier to atomic_notifier
  - PM / CPU: replace raw_notifier with atomic_notifier (fixup)
  - kernel/hrtimer: migrate deferred timer on CPU down
  - net: take the tcp_sk_lock lock with BH disabled
  - kernel/hrtimer: don't wakeup a process while holding the hrtimer base lock
  - kernel/hrtimer/hotplug: don't wake ktimersoftd while holding the hrtimer base lock
  - Bluetooth: avoid recursive locking in hci_send_to_channel()
  - iommu/amd: Use raw_cpu_ptr() instead of get_cpu_ptr() for ->flush_queue
  - rt/locking: allow recursive local_trylock()
  - locking/rtmutex: don't drop the wait_lock twice
  - net: use trylock in icmp_sk
* e1000e: Fix e1000_check_for_copper_link_ich8lan return value. (see bug #885348)
* [s390x] Un-revert upstream change moving exports to assembly sources

[ Yves-Alexis Perez ]
* mm, hugetlbfs: Avoid ABI change in 4.9.67.
* dma-fence: Avoid ABI change in 4.9.68.
* lib/genalloc: Avoid ABI change in 4.9.69.
* Ignore ABI changes in inet_diag, SCTP, vsock, NVME, MD and libsas drivers, prevent FTBFS.
* debian/patches: drop patches included upstream: - bugfix/all/e1000e-fix-e1000_check_for_copper_link_ich8lan-return-value.patch - bugfix/all/kvm-fix-stack-out-of-bounds-read-in-write_mmio.patch - bugfix/all/bluetooth-prevent-stack-info-leak-from-the-efs-element.patch - bugfix/all/mm-mmap.c-do-not-blow-on-prot_none-map_fixed-holes-i.patch - bugfix/all/netfilter-nfnetlink_cthelper-add-missing-permission-.patch - bugfix/all/netfilter-xt_osf-add-missing-permission-checks.patch - bugfix/all/nfsd-auth-Fix-gid-sorting-when-rootsquash-enabled.patch * bpf: avoid ABI changes in 4.9.77 and 4.9.79. * Ignore ABI change for cpu_tlbstate (symbol not exported _GPL anymore) * sched/rt: Avoid ABI change in 4.9.66. * Ignore ABI change for tcp_cong_avoid_ai and tcp_slow_start. * RT patchset: - fix context against 4.9.78 (164, 165, 229, 230) - refresh for fuzz (228) * mm: Avoid ABI change in 4.9.79. * usbip: ignore ABI change in 4.9.79. * cpupower: check for CPU existence has been fixed upstream, although a bit differently than the included patch. . [ Salvatore Bonaccorso ] * nfsd: auth: Fix gid sorting when rootsquash enabled (CVE-2018-1000028) linux (4.9.65-3+deb9u2) stretch-security; urgency=high . * x86: setup PCID, preparation work for KPTI. 
- x86/mm/64: Fix reboot interaction with CR4.PCIDE - x86/mm: Add the 'nopcid' boot option to turn off PCID - x86/mm: Disable PCID on 32-bit kernels - x86/mm: Enable CR4.PCIDE on supported systems * [amd64] Implement Kernel Page Table Isolation (KPTI, aka KAISER) (CVE-2017-5754) - kaiser: add "nokaiser" boot option, using ALTERNATIVE - kaiser: align addition to x86/mm/Makefile - kaiser: asm/tlbflush.h handle noPGE at lower level - kaiser: cleanups while trying for gold link - kaiser: delete KAISER_REAL_SWITCH option - kaiser: disabled on Xen PV - kaiser: do not set _PAGE_NX on pgd_none - kaiser: drop is_atomic arg to kaiser_pagetable_walk() - kaiser: enhanced by kernel and user PCIDs - kaiser: ENOMEM if kaiser_pagetable_walk() NULL - kaiser: fix build and FIXME in alloc_ldt_struct() - kaiser: fix perf crashes - kaiser: fix regs to do_nmi() ifndef CONFIG_KAISER - kaiser: fix unlikely error in alloc_ldt_struct() - kaiser: KAISER depends on SMP - kaiser: kaiser_flush_tlb_on_return_to_user() check PCID - kaiser: kaiser_remove_mapping() move along the pgd - KAISER: Kernel Address Isolation - x86_64: KAISER - do not map kernel in user mode - kaiser: load_new_mm_cr3() let SWITCH_USER_CR3 flush user - kaiser: merged update - kaiser: name that 0x1000 KAISER_SHADOW_PGD_OFFSET - kaiser: paranoid_entry pass cr3 need to paranoid_exit - kaiser: PCID 0 for kernel and 128 for user - kaiser: stack map PAGE_SIZE at THREAD_SIZE-PAGE_SIZE - kaiser: tidied up asm/kaiser.h somewhat - kaiser: tidied up kaiser_add/remove_mapping slightly - kaiser: use ALTERNATIVE instead of x86_cr3_pcid_noflush - kaiser: vmstat show NR_KAISERTABLE as nr_overhead - kaiser: x86_cr3_pcid_noflush and x86_cr3_pcid_user - KPTI: Rename to PAGE_TABLE_ISOLATION - KPTI: Report when enabled - x86/boot: Add early cmdline parsing for options with arguments - x86/kaiser: Check boottime cmdline params - x86/kaiser: Move feature detection up - x86/kaiser: Reenable PARAVIRT - x86/kaiser: Rename and simplify 
X86_FEATURE_KAISER handling - x86/paravirt: Dont patch flush_tlb_single * Bump ABI to 5. linux (4.9.65-3+deb9u2~bpo8+1) jessie-backports; urgency=medium . * Rebuild for jessie-backports: - Revert "[x86] psmouse: Enable MOUSE_PS2_VMMOUSE", which breaks xserver-xorg-input-vmmouse and several metapackages in jessie - Revert changes to use gcc-6 compiler, not found in jessie - Change ABI number to 0.bpo.5 - Revert changes to flex and asciidoc build-dependencies - linux-image-dbg: Revert changes to packaging of debug symbols - Revert "enable `perf data' support" as libbabeltrace is not available - [mips*] Disable RELOCATABLE and RANDOMIZE_BASE. linux (4.9.65-3+deb9u1) stretch-security; urgency=high . * dccp: CVE-2017-8824: use-after-free in DCCP code * media: dvb-usb-v2: lmedm04: Improve logic checking of warm start (CVE-2017-16538) * media: dvb-usb-v2: lmedm04: move ts2020 attach to dm04_lme2510_tuner (CVE-2017-16538) * media: hdpvr: Fix an error handling path in hdpvr_probe() (CVE-2017-16644) * bpf/verifier: Fix multiple security issues: - adjust insn_aux_data when patching insns - fix branch pruning logic - reject out-of-bounds stack pointer calculation - fix incorrect sign extension in check_alu_op() (CVE-2017-16995) - Fix states_equal() comparison of pointer and UNKNOWN * netfilter: nfnetlink_cthelper: Add missing permission checks (CVE-2017-17448) * netlink: Add netns check on taps (CVE-2017-17449) * netfilter: xt_osf: Add missing permission checks (CVE-2017-17450) * USB: core: prevent malicious bNumInterfaces overflow (CVE-2017-17558) * net: ipv4: fix for a race condition in raw_sendmsg (CVE-2017-17712) * [armhf,arm64,x86] KVM: Fix stack-out-of-bounds read in write_mmio (CVE-2017-17741) * crypto: salsa20 - fix blkcipher_walk API usage (CVE-2017-17805) * crypto: hmac - require that the underlying hash algorithm is unkeyed (CVE-2017-17806) * KEYS: add missing permission check for request_key() destination (CVE-2017-17807) * [x86] KVM: VMX: remove I/O port 0x80 
bypass on Intel hosts (CVE-2017-1000407) * bluetooth: Prevent stack info leak from the EFS element. (CVE-2017-1000410) linux (4.9.65-3+deb9u1~bpo8+1) jessie-backports; urgency=medium . * Rebuild for jessie-backports: - Revert "[x86] psmouse: Enable MOUSE_PS2_VMMOUSE", which breaks xserver-xorg-input-vmmouse and several metapackages in jessie - Revert changes to use gcc-6 compiler, not found in jessie - Change ABI number to 0.bpo.4 - Revert changes to flex and asciidoc build-dependencies - linux-image-dbg: Revert changes to packaging of debug symbols - Revert "enable `perf data' support" as libbabeltrace is not available - [mips*] Disable RELOCATABLE and RANDOMIZE_BASE. . linux (4.9.65-3+deb9u1) stretch-security; urgency=high . * dccp: CVE-2017-8824: use-after-free in DCCP code * media: dvb-usb-v2: lmedm04: Improve logic checking of warm start (CVE-2017-16538) * media: dvb-usb-v2: lmedm04: move ts2020 attach to dm04_lme2510_tuner (CVE-2017-16538) * media: hdpvr: Fix an error handling path in hdpvr_probe() (CVE-2017-16644) * bpf/verifier: Fix multiple security issues: - adjust insn_aux_data when patching insns - fix branch pruning logic - reject out-of-bounds stack pointer calculation - fix incorrect sign extension in check_alu_op() (CVE-2017-16995) - Fix states_equal() comparison of pointer and UNKNOWN * netfilter: nfnetlink_cthelper: Add missing permission checks (CVE-2017-17448) * netlink: Add netns check on taps (CVE-2017-17449) * netfilter: xt_osf: Add missing permission checks (CVE-2017-17450) * USB: core: prevent malicious bNumInterfaces overflow (CVE-2017-17558) * net: ipv4: fix for a race condition in raw_sendmsg (CVE-2017-17712) * [armhf,arm64,x86] KVM: Fix stack-out-of-bounds read in write_mmio (CVE-2017-17741) * crypto: salsa20 - fix blkcipher_walk API usage (CVE-2017-17805) * crypto: hmac - require that the underlying hash algorithm is unkeyed (CVE-2017-17806) * KEYS: add missing permission check for request_key() destination (CVE-2017-17807) * [x86] 
KVM: VMX: remove I/O port 0x80 bypass on Intel hosts (CVE-2017-1000407) * bluetooth: Prevent stack info leak from the EFS element. (CVE-2017-1000410) linux-latest (80+deb9u4) stretch-security; urgency=high . * Update to 4.9.0-6 linux-latest (80+deb9u3) stretch-security; urgency=high . * Update to 4.9.0-5 lucene-solr (3.6.2+dfsg-10+deb9u1) stretch-security; urgency=high . * Team upload. * Fix CVE-2017-12629: possible remote code execution by exploiting XXE. For security reasons the RunExecutableListener class was permanently removed. * Update debian/conf/solrconfig.xml and remove example configuration for RunExecutableListener which had to be removed for security reasons. * CVE-2017-3163: fix ReplicationHandler path traversal vulnerability. (Closes: #867712) lxc (1:2.0.7-2+deb9u2) stretch; urgency=medium . * 0005-debian-Use-iproute2-instead-of-iproute.patch: pull iproute2 instead of iproute, fixing the creation of testing and unstable containers after the iproute binary package was dropped. mailman (1:2.1.23-1+deb9u2) stretch-security; urgency=high . * CVE-2018-5950: XSS and information leak in user options. (Closes: #888201) mapproxy (1.9.0-3+deb9u1) stretch; urgency=medium . * Update branch in gbp.conf & Vcs-Git URL. * Add upstream patch to fix Cross Site Scripting (XSS) issue in demo service. Fixes CVE-2017-1000426. mosquitto (1.4.10-3+deb9u1) stretch; urgency=medium . * SECURITY UPDATE: Mosquitto persistence file is world readable. - debian/patches/mosquitto-1.4.x_cve-2017-9868.patch: Set umask to limit read permissions. - CVE-2017-9868 mpi4py (2.0.0-2.1+deb9u1) stretch; urgency=medium . [ Andreas Beckmann ] * Non-maintainer upload. * Backport fix from 2.0.0-3 to stretch. . [ Stuart Prescott ] * Fix sover list used in dlopen so that current libmpi.so is found (Closes: #860476) mpv (0.23.0-2+deb9u2) stretch-security; urgency=high . * debian/patches/08_ytdl-hook-whitelist-protocols.patch: - Fix regression in CVE-2018-6360 patch which broke youtube playlists. 
(Closes: #889892) mpv (0.23.0-2+deb9u1) stretch-security; urgency=high . * debian/patches/08_ytdl-hook-whitelist-protocols.patch: - Add patch which whitelists protocols received from youtube-dl. Fixes CVE-2018-6360. (Closes: #888654) ncurses (6.0+20161126-1+deb9u2) stretch; urgency=medium . * Cherry-pick upstream fix from the 20171125 patchlevel to fix a buffer overflow in the _nc_write_entry function (CVE-2017-16879, Closes: #882620). needrestart (2.11-3+deb9u1) stretch; urgency=medium . * Non-maintainer upload. * Fix switching to list mode if debconf is run non-interactively. (Closes: #876459) nova (2:14.0.0-4+deb9u1) stretch-security; urgency=medium . * CVE-2017-16239 / OSSA-2017-005: Nova Filter Scheduler bypass through rebuild action. Applied upstream patch: Validate new image via scheduler during rebuild (Closes: #882009). * Fixed nova-placement-api init to use uwsgi. The old init file was simply not working at all. * Add CVE-2017-17051_Refined_fix_for_validating_image_on_rebuild.patch. ntp (1:4.2.8p10+dfsg-3+deb9u2) stretch; urgency=medium . * Cherry-pick patch from upstream to increase stack size. Thanks to Frederic Endner-Dühr for testing (Closes: #887385) * Add d/gbp.conf for stretch branch nvidia-graphics-drivers-legacy-304xx (304.137-5~deb9u1) stretch; urgency=medium . * Rebuild for stretch. . nvidia-graphics-drivers-legacy-304xx (304.137-5) unstable; urgency=medium . * The 304.xx legacy driver series has been declared as End-of-Life by NVIDIA. No further updates fixing security issues, critical bugs, or adding support for new Xorg or Linux releases will be issued. https://nvidia.custhelp.com/app/answers/detail/a_id/3142 . [ Andreas Beckmann ] * Add NEWS entry for End-of-Life status. * Include again the amd64 blob to build amd64 kernel modules on i386. (Closes: #887651) * nvidia-kernel-{dkms,source}: Mention the supported architecture(s) in the long Description (384.111-4). * Use dh_missing --fail-missing (384.111-4). * Update lintian overrides. . 
nvidia-graphics-drivers-legacy-304xx (304.137-4) unstable; urgency=medium . [ Andreas Beckmann ] * Bump Standards-Version to 4.1.3. No changes needed. * Stop shipping the classic libnvidia-tls.so.* and ship the modern one (for Linux 2.6 onwards) in the regular libdir instead of the tls/ subdir (384.111-1). (Closes: #883615) * nvidia-legacy-304xx-alternative.prerm: Trigger register-glx-alternative- nvidia upon removal (384.111-3). (Closes: #883637) * libgl1-nvidia-legacy-304xx-glx.prerm: Do not forcibly remove the nvidia alternative, this would reset it from manual mode to auto mode while it could still be needed by other packages, e.g. libcuda1. Let the nvidia-legacy-304xx-alternative triggers handle it instead (384.111-3). . [ Luca Boccassi ] * Add timer.patch to fix kernel module build on Linux 4.15 and newer. . nvidia-graphics-drivers-legacy-304xx (304.137-3) unstable; urgency=medium . * B-D: dpkg-dev (>= 1.18.8) for SOURCE_DATE_EPOCH in pkg-info.mk (375.82-9). * Set Rules-Requires-Root: no (375.82-9). . nvidia-graphics-drivers-legacy-304xx (304.137-2) unstable; urgency=medium . * Use debian/substvars for substitutions by dpkg-genchanges (dpkg 1.19) (375.82-7). * nvidia-detect: Detect devices in PCI classes 0301 (XGA compatible controller) and 0302 (3D controller), too (375.82-7). * bug-script: List these devices, too (375.82-7). * Use https:// URLs where possible (375.82-8). . nvidia-graphics-drivers-legacy-304xx (304.137-1) unstable; urgency=medium . * New upstream legacy 304xx branch release 304.137 (2017-09-19). - Improved compatibility with recent Linux kernels. . [ Andreas Beckmann ] * Bump Standards-Version to 4.1.1. No changes needed. * bug-control: Add arch qualification to M-A:same packages in report-with list otherwise reportbug will ignore them if more than one is installed (375.82-5). * Simplify upstream changelog handling (375.82-5). . 
[ Luca Boccassi ] * Drop drm-driver-legacy.patch, deprecated-cpu-events.patch and drm-unload.patch, fixed upstream. * Refresh disable-mtrr.patch to remove fuzz from upstream changes. * Add nvidia-drm-pci-init.patch to fix kernel module build on Linux 4.14 and newer. . nvidia-graphics-drivers-legacy-304xx (304.135-5) unstable; urgency=medium . [ Andreas Beckmann ] * Bump Standards-Version to 4.1.0. No changes needed. . [ Luca Boccassi ] * Switch to my debian.org email address in Uploaders. * Update pud-offset.patch to fix runtime error on Linux 4.12 and newer. Original patch: https://bugzilla.rpmfusion.org/show_bug.cgi?id=4629#c11 (Closes: #875425) . [ Russ Allbery ] * Remove myself from Uploaders. . nvidia-graphics-drivers-legacy-304xx (304.135-4) unstable; urgency=medium . [ Andreas Beckmann ] * Bump Standards-Version to 4.0.1. No changes needed. * nvidia-alternative: Explicitly use interest-await triggers (375.82-2). * Switch from dh_install --list-missing to dh_missing (375.82-2). * Use dpkg makefile snippets instead of manual changelog parsing (375.82-2). * build-module-packages.sh: Order kernels by descending version (375.82-2). * Switch watch URL from ftp:// to https:// (375.82-1). * Update lintian overrides. . [ Luca Boccassi ] * Add pud-offset.patch to fix kernel module build on Linux 4.12 and newer. . nvidia-graphics-drivers-legacy-304xx (304.135-3) unstable; urgency=medium . [ Andreas Beckmann ] * Merge changes from 304.135-1 (jessie). * Do not prevent ccache usage. The bug was fixed in ccache 3.0 (in squeeze) (375.82-1). * not-parallel.patch: New, prevent parallel module build. . [ Luca Boccassi ] * Add drm-unload.patch to fix kernel module build on Linux 4.11 and newer. (Closes: #865964) nvidia-graphics-drivers-legacy-304xx (304.137-5~bpo9+1) stretch-backports; urgency=medium . * Rebuild for stretch-backports. . nvidia-graphics-drivers-legacy-304xx (304.137-5) unstable; urgency=medium . 
* The 304.xx legacy driver series has been declared as End-of-Life by NVIDIA. No further updates fixing security issues, critical bugs, or adding support for new Xorg or Linux releases will be issued. https://nvidia.custhelp.com/app/answers/detail/a_id/3142 . [ Andreas Beckmann ] * Add NEWS entry for End-of-Life status. * Include again the amd64 blob to build amd64 kernel modules on i386. (Closes: #887651) * nvidia-kernel-{dkms,source}: Mention the supported architecture(s) in the long Description (384.111-4). * Use dh_missing --fail-missing (384.111-4). * Update lintian overrides. . nvidia-graphics-drivers-legacy-304xx (304.137-4) unstable; urgency=medium . [ Andreas Beckmann ] * Bump Standards-Version to 4.1.3. No changes needed. * Stop shipping the classic libnvidia-tls.so.* and ship the modern one (for Linux 2.6 onwards) in the regular libdir instead of the tls/ subdir (384.111-1). (Closes: #883615) * nvidia-legacy-304xx-alternative.prerm: Trigger register-glx-alternative- nvidia upon removal (384.111-3). (Closes: #883637) * libgl1-nvidia-legacy-304xx-glx.prerm: Do not forcibly remove the nvidia alternative, this would reset it from manual mode to auto mode while it could still be needed by other packages, e.g. libcuda1. Let the nvidia-legacy-304xx-alternative triggers handle it instead (384.111-3). . [ Luca Boccassi ] * Add timer.patch to fix kernel module build on Linux 4.15 and newer. nvidia-graphics-drivers-legacy-304xx (304.137-4) unstable; urgency=medium . [ Andreas Beckmann ] * Bump Standards-Version to 4.1.3. No changes needed. * Stop shipping the classic libnvidia-tls.so.* and ship the modern one (for Linux 2.6 onwards) in the regular libdir instead of the tls/ subdir (384.111-1). (Closes: #883615) * nvidia-legacy-304xx-alternative.prerm: Trigger register-glx-alternative- nvidia upon removal (384.111-3). 
(Closes: #883637) * libgl1-nvidia-legacy-304xx-glx.prerm: Do not forcibly remove the nvidia alternative, this would reset it from manual mode to auto mode while it could still be needed by other packages, e.g. libcuda1. Let the nvidia-legacy-304xx-alternative triggers handle it instead (384.111-3). . [ Luca Boccassi ] * Add timer.patch to fix kernel module build on Linux 4.15 and newer. nvidia-graphics-drivers-legacy-304xx (304.137-3) unstable; urgency=medium . * Set Rules-Requires-Root: no (375.82-9). * B-D: dpkg-dev (>= 1.18.8) for SOURCE_DATE_EPOCH in pkg-info.mk (375.82-9). nvidia-graphics-drivers-legacy-304xx (304.137-3~bpo9+1) stretch-backports; urgency=medium . * Rebuild for stretch-backports. . nvidia-graphics-drivers-legacy-304xx (304.137-3) unstable; urgency=medium . * Set Rules-Requires-Root: no (375.82-9). * B-D: dpkg-dev (>= 1.18.8) for SOURCE_DATE_EPOCH in pkg-info.mk (375.82-9). . nvidia-graphics-drivers-legacy-304xx (304.137-2) unstable; urgency=medium . * Use debian/substvars for substitutions by dpkg-genchanges (dpkg 1.19) (375.82-7). * nvidia-detect: Detect devices in PCI classes 0301 (XGA compatible controller) and 0302 (3D controller), too (375.82-7). * bug-script: List these devices, too (375.82-7). * Use https:// URLs where possible (375.82-8). . nvidia-graphics-drivers-legacy-304xx (304.137-1) unstable; urgency=medium . * New upstream legacy 304xx branch release 304.137 (2017-09-19). - Improved compatibility with recent Linux kernels. . [ Andreas Beckmann ] * Bump Standards-Version to 4.1.1. No changes needed. * bug-control: Add arch qualification to M-A:same packages in report-with list otherwise reportbug will ignore them if more than one is installed (375.82-5). * Simplify upstream changelog handling (375.82-5). . [ Luca Boccassi ] * Drop drm-driver-legacy.patch, deprecated-cpu-events.patch and drm-unload.patch, fixed upstream. * Refresh disable-mtrr.patch to remove fuzz from upstream changes. 
* Add nvidia-drm-pci-init.patch to fix kernel module build on Linux 4.14 and newer. . nvidia-graphics-drivers-legacy-304xx (304.135-5) unstable; urgency=medium . [ Andreas Beckmann ] * Bump Standards-Version to 4.1.0. No changes needed. . [ Luca Boccassi ] * Switch to my debian.org email address in Uploaders. * Update pud-offset.patch to fix runtime error on Linux 4.12 and newer. Original patch: https://bugzilla.rpmfusion.org/show_bug.cgi?id=4629#c11 (Closes: #875425) . [ Russ Allbery ] * Remove myself from Uploaders. . nvidia-graphics-drivers-legacy-304xx (304.135-4) unstable; urgency=medium . [ Andreas Beckmann ] * Bump Standards-Version to 4.0.1. No changes needed. * nvidia-alternative: Explicitly use interest-await triggers (375.82-2). * Switch from dh_install --list-missing to dh_missing (375.82-2). * Use dpkg makefile snippets instead of manual changelog parsing (375.82-2). * build-module-packages.sh: Order kernels by descending version (375.82-2). * Switch watch URL from ftp:// to https:// (375.82-1). * Update lintian overrides. . [ Luca Boccassi ] * Add pud-offset.patch to fix kernel module build on Linux 4.12 and newer. . nvidia-graphics-drivers-legacy-304xx (304.135-3) unstable; urgency=medium . [ Andreas Beckmann ] * Merge changes from 304.135-1 (jessie). * Do not prevent ccache usage. The bug was fixed in ccache 3.0 (in squeeze) (375.82-1). * not-parallel.patch: New, prevent parallel module build. . [ Luca Boccassi ] * Add drm-unload.patch to fix kernel module build on Linux 4.11 and newer. (Closes: #865964) nvidia-graphics-drivers-legacy-304xx (304.137-2) unstable; urgency=medium . * Use debian/substvars for substitutions by dpkg-genchanges (dpkg 1.19) (375.82-7). * nvidia-detect: Detect devices in PCI classes 0301 (XGA compatible controller) and 0302 (3D controller), too (375.82-7). * bug-script: List these devices, too (375.82-7). * Use https:// URLs where possible (375.82-8). 
nvidia-graphics-drivers-legacy-304xx (304.137-1) unstable; urgency=medium . * New upstream legacy 304xx branch release 304.137 (2017-09-19). - Improved compatibility with recent Linux kernels. . [ Andreas Beckmann ] * Bump Standards-Version to 4.1.1. No changes needed. * bug-control: Add arch qualification to M-A:same packages in report-with list otherwise reportbug will ignore them if more than one is installed (375.82-5). * Simplify upstream changelog handling (375.82-5). . [ Luca Boccassi ] * Drop drm-driver-legacy.patch, deprecated-cpu-events.patch and drm-unload.patch, fixed upstream. * Refresh disable-mtrr.patch to remove fuzz from upstream changes. * Add nvidia-drm-pci-init.patch to fix kernel module build on Linux 4.14 and newer. nvidia-graphics-drivers-legacy-304xx (304.135-5) unstable; urgency=medium . [ Andreas Beckmann ] * Bump Standards-Version to 4.1.0. No changes needed. . [ Luca Boccassi ] * Switch to my debian.org email address in Uploaders. * Update pud-offset.patch to fix runtime error on Linux 4.12 and newer. Original patch: https://bugzilla.rpmfusion.org/show_bug.cgi?id=4629#c11 (Closes: #875425) . [ Russ Allbery ] * Remove myself from Uploaders. nvidia-graphics-drivers-legacy-304xx (304.135-4) unstable; urgency=medium . [ Andreas Beckmann ] * Bump Standards-Version to 4.0.1. No changes needed. * nvidia-alternative: Explicitly use interest-await triggers. * Switch from dh_install --list-missing to dh_missing. * Use dpkg makefile snippets instead of manual parsing. * build-module-packages.sh: Order kernels by descending version. * Switch watch URL from ftp:// to https:// (375.82-1). * Update lintian overrides. . [ Luca Boccassi ] * Add pud-offset.patch to fix kernel module build on Linux 4.12 and newer. nvidia-graphics-drivers-legacy-304xx (304.135-3) unstable; urgency=medium . [ Andreas Beckmann ] * Merge changes from 304.135-1 (jessie). * Do not prevent ccache usage. The bug was fixed in ccache 3.0 (in squeeze). 
* not-parallel.patch: New, prevent parallel module build. . [ Luca Boccassi ] * Add drm-unload.patch to fix kernel module build on Linux 4.11 and newer. (Closes: #865964) nvidia-graphics-drivers-legacy-340xx (340.106-2~deb9u1) stretch; urgency=medium . * Rebuild for stretch. . nvidia-graphics-drivers-legacy-340xx (340.106-2) unstable; urgency=medium . * nvidia-kernel-{dkms,source}: Mention the supported architecture(s) in the long Description (384.111-4). * Use dh_missing --fail-missing (384.111-4). * Update lintian overrides. . nvidia-graphics-drivers-legacy-340xx (340.106-1) unstable; urgency=medium . * New upstream legacy 340xx branch release 340.106 (2018-01-16). * Fixed CVE-2017-5753, CVE-2017-5715 (spectre), CVE-2017-5754 (meltdown). https://nvidia.custhelp.com/app/answers/detail/a_id/4611 (Closes: #886852) - Fixed a compatibility problem between the nvidia.ko's Page Attribute Table (PAT) support and the kernel Page Table Isolation (PTI) patches. To optimize stores to memory, nvidia.ko contains support for configuring the CPU's PAT registers, as a fallback for Linux kernels that predate kernel native PAT support. On any recent kernel with CONFIG_X86_PAT enabled, the driver will detect that setup has already been done and skip its PAT setup. However, a static inline function called by nvidia.ko's PAT fallback support was updated in the PTI patches to use the EXPORT_SYMBOL_GPL symbol 'cpu_tlbstate'. nvidia.ko was updated to only contain its PAT fallback support, at build time, on kernels without CONFIG_X86_PAT. * Improved compatibility with recent Linux kernels. . [ Luca Boccassi ] * Drop nvidia-drm-pci-init.patch and timer.patch, fixed upstream. . nvidia-graphics-drivers-legacy-340xx (340.104-4) unstable; urgency=medium . [ Andreas Beckmann ] * Bump Standards-Version to 4.1.3. No changes needed. * Stop shipping the classic libnvidia-tls.so.* and ship the modern one (for Linux 2.6 onwards) in the regular libdir instead of the tls/ subdir (384.111-1). 
(Closes: #883615) * Add #tls# substitution for the tls/ source directory (384.111-1). * nvidia-legacy-340xx-alternative.prerm: Trigger register-glx-alternative- nvidia upon removal (384.111-3). (Closes: #883637) * libgl1-nvidia-legacy-340xx-glx.prerm: Do not forcibly remove the nvidia alternative, this would reset it from manual mode to auto mode while it could still be needed by other packages, e.g. libcuda1. Let the nvidia-legacy-340xx-alternative triggers handle it instead (384.111-3). . [ Luca Boccassi ] * Add timer.patch to fix kernel module build on Linux 4.15 and newer. . nvidia-graphics-drivers-legacy-340xx (340.104-3) unstable; urgency=medium . * B-D: dpkg-dev (>= 1.18.8) for SOURCE_DATE_EPOCH in pkg-info.mk (375.82-9). * Set Rules-Requires-Root: no (375.82-9). . nvidia-graphics-drivers-legacy-340xx (340.104-2) unstable; urgency=medium . * Use debian/substvars for substitutions by dpkg-genchanges (dpkg 1.19) (375.82-7). * nvidia-detect: Detect devices in PCI classes 0301 (XGA compatible controller) and 0302 (3D controller), too (375.82-7). * bug-script: List these devices, too (375.82-7). * Use https:// URLs where possible (375.82-8). . nvidia-graphics-drivers-legacy-340xx (340.104-1) unstable; urgency=medium . * New upstream legacy 340xx branch release 340.104 (2017-09-19). * Improved compatibility with recent Linux kernels. . [ Andreas Beckmann ] * Add GRID K1/K2/K340 to EoL models, no longer supported from 375.xx on. * Bump Standards-Version to 4.1.1. No changes needed. * bug-control: Add arch qualification to M-A:same packages in report-with list otherwise reportbug will ignore them if more than one is installed (375.82-5). * Simplify upstream changelog handling (375.82-5). . [ Luca Boccassi ] * Switch to my debian.org email address in Uploaders. * Drop drm-driver-legacy.patch, deprecated-cpu-events.patch, vmf-address.patch, drm-unload.patch, fatal-signal.patch and set-memory.patch, fixed upstream. 
* Refresh vm-fault.patch to remove fuzz from upstream changes. * Add nvidia-drm-pci-init.patch to fix kernel module build on Linux 4.14 and newer. . [ Russ Allbery ] * Remove myself from Uploaders. . nvidia-graphics-drivers-legacy-340xx (340.102-3) unstable; urgency=medium . [ Andreas Beckmann ] * disable-preempt_rt_sanity_check.patch: Remove, unsupported upstream. * Bump Standards-Version to 4.0.1. No changes needed. * nvidia-alternative: Explicitly use interest-await triggers (375.82-2). * Switch from dh_install --list-missing to dh_missing (375.82-2). * Use dpkg makefile snippets instead of manual changelog parsing (375.82-2). * build-module-packages.sh: Order kernels by descending version. Skip PREEMPT_RT (*-rt-*) kernels, unsupported upstream (375.82-2). * Switch watch URL from ftp:// to https:// (375.82-1). * Update lintian overrides. . [ Luca Boccassi ] * Add set-memory.patch to fix kernel module build on Linux 4.12 and newer. (Closes: #872330) . nvidia-graphics-drivers-legacy-340xx (340.102-2) unstable; urgency=medium . [ Andreas Beckmann ] * nvidia-kernel-dkms: Honor parallel setting from dkms (375.82-1). * Do not prevent ccache usage. The bug was fixed in ccache 3.0 (in squeeze) (375.82-1). . [ Luca Boccassi ] * Add drm-unload.patch, fatal-signal.patch, and vm-fault.patch to fix kernel module build on Linux 4.11 and newer. (Closes: #865964) nvidia-graphics-drivers-legacy-340xx (340.106-1) unstable; urgency=medium . * New upstream legacy 340xx branch release 340.106 (2018-01-16). * Fixed CVE-2017-5753, CVE-2017-5715 (spectre), CVE-2017-5754 (meltdown). https://nvidia.custhelp.com/app/answers/detail/a_id/4611 (Closes: #886852) * Improved compatibility with recent Linux kernels. . [ Luca Boccassi ] * Drop nvidia-drm-pci-init.patch and timer.patch, fixed upstream. nvidia-graphics-drivers-legacy-340xx (340.106-1~bpo9+1) stretch-backports; urgency=medium . * Rebuild for stretch-backports. . 
nvidia-graphics-drivers-legacy-340xx (340.106-1) unstable; urgency=medium . * New upstream legacy 340xx branch release 340.106 (2018-01-16). * Fixed CVE-2017-5753, CVE-2017-5715 (spectre), CVE-2017-5754 (meltdown). https://nvidia.custhelp.com/app/answers/detail/a_id/4611 (Closes: #886852) * Improved compatibility with recent Linux kernels. . [ Luca Boccassi ] * Drop nvidia-drm-pci-init.patch and timer.patch, fixed upstream. . nvidia-graphics-drivers-legacy-340xx (340.104-4) unstable; urgency=medium . [ Andreas Beckmann ] * Bump Standards-Version to 4.1.3. No changes needed. * Stop shipping the classic libnvidia-tls.so.* and ship the modern one (for Linux 2.6 onwards) in the regular libdir instead of the tls/ subdir (384.111-1). (Closes: #883615) * Add #tls# substitution for the tls/ source directory (384.111-1). * nvidia-legacy-340xx-alternative.prerm: Trigger register-glx-alternative-nvidia upon removal (384.111-3). (Closes: #883637) * libgl1-nvidia-legacy-340xx-glx.prerm: Do not forcibly remove the nvidia alternative, this would reset it from manual mode to auto mode while it could still be needed by other packages, e.g. libcuda1. Let the nvidia-legacy-340xx-alternative triggers handle it instead (384.111-3). . [ Luca Boccassi ] * Add timer.patch to fix kernel module build on Linux 4.15 and newer. nvidia-graphics-drivers-legacy-340xx (340.104-4) unstable; urgency=medium . [ Andreas Beckmann ] * Bump Standards-Version to 4.1.3. No changes needed. * Stop shipping the classic libnvidia-tls.so.* and ship the modern one (for Linux 2.6 onwards) in the regular libdir instead of the tls/ subdir (384.111-1). (Closes: #883615) * Add #tls# substitution for the tls/ source directory (384.111-1). * nvidia-legacy-340xx-alternative.prerm: Trigger register-glx-alternative-nvidia upon removal (384.111-3).
(Closes: #883637) * libgl1-nvidia-legacy-340xx-glx.prerm: Do not forcibly remove the nvidia alternative, this would reset it from manual mode to auto mode while it could still be needed by other packages, e.g. libcuda1. Let the nvidia-legacy-340xx-alternative triggers handle it instead (384.111-3). . [ Luca Boccassi ] * Add timer.patch to fix kernel module build on Linux 4.15 and newer. nvidia-graphics-drivers-legacy-340xx (340.104-3) unstable; urgency=medium . * B-D: dpkg-dev (>= 1.18.8) for SOURCE_DATE_EPOCH in pkg-info.mk (375.82-9). * Set Rules-Requires-Root: no (375.82-9). nvidia-graphics-drivers-legacy-340xx (340.104-3~bpo9+1) stretch-backports; urgency=medium . * Rebuild for stretch-backports. . nvidia-graphics-drivers-legacy-340xx (340.104-3) unstable; urgency=medium . * B-D: dpkg-dev (>= 1.18.8) for SOURCE_DATE_EPOCH in pkg-info.mk (375.82-9). * Set Rules-Requires-Root: no (375.82-9). . nvidia-graphics-drivers-legacy-340xx (340.104-2) unstable; urgency=medium . * Use debian/substvars for substitutions by dpkg-genchanges (dpkg 1.19) (375.82-7). * nvidia-detect: Detect devices in PCI classes 0301 (XGA compatible controller) and 0302 (3D controller), too (375.82-7). * bug-script: List these devices, too (375.82-7). * Use https:// URLs where possible (375.82-8). . nvidia-graphics-drivers-legacy-340xx (340.104-1) unstable; urgency=medium . * New upstream legacy 340xx branch release 340.104 (2017-09-19). * Improved compatibility with recent Linux kernels. . [ Andreas Beckmann ] * Add GRID K1/K2/K340 to EoL models, no longer supported from 375.xx on. * Bump Standards-Version to 4.1.1. No changes needed. * bug-control: Add arch qualification to M-A:same packages in report-with list otherwise reportbug will ignore them if more than one is installed (375.82-5). * Simplify upstream changelog handling (375.82-5). . [ Luca Boccassi ] * Switch to my debian.org email address in Uploaders. 
* Drop drm-driver-legacy.patch, deprecated-cpu-events.patch, vmf-address.patch, drm-unload.patch, fatal-signal.patch and set-memory.patch, fixed upstream. * Refresh vm-fault.patch to remove fuzz from upstream changes. * Add nvidia-drm-pci-init.patch to fix kernel module build on Linux 4.14 and newer. . [ Russ Allbery ] * Remove myself from Uploaders. . nvidia-graphics-drivers-legacy-340xx (340.102-3) unstable; urgency=medium . [ Andreas Beckmann ] * disable-preempt_rt_sanity_check.patch: Remove, unsupported upstream. * Bump Standards-Version to 4.0.1. No changes needed. * nvidia-alternative: Explicitly use interest-await triggers (375.82-2). * Switch from dh_install --list-missing to dh_missing (375.82-2). * Use dpkg makefile snippets instead of manual changelog parsing (375.82-2). * build-module-packages.sh: Order kernels by descending version. Skip PREEMPT_RT (*-rt-*) kernels, unsupported upstream (375.82-2). * Switch watch URL from ftp:// to https:// (375.82-1). * Update lintian overrides. . [ Luca Boccassi ] * Add set-memory.patch to fix kernel module build on Linux 4.12 and newer. (Closes: #872330) . nvidia-graphics-drivers-legacy-340xx (340.102-2) unstable; urgency=medium . [ Andreas Beckmann ] * nvidia-kernel-dkms: Honor parallel setting from dkms (375.82-1). * Do not prevent ccache usage. The bug was fixed in ccache 3.0 (in squeeze) (375.82-1). . [ Luca Boccassi ] * Add drm-unload.patch, fatal-signal.patch, and vm-fault.patch to fix kernel module build on Linux 4.11 and newer. (Closes: #865964) nvidia-graphics-drivers-legacy-340xx (340.104-2) unstable; urgency=medium . * Use debian/substvars for substitutions by dpkg-genchanges (dpkg 1.19) (375.82-7). * nvidia-detect: Detect devices in PCI classes 0301 (XGA compatible controller) and 0302 (3D controller), too (375.82-7). * bug-script: List these devices, too (375.82-7). * Use https:// URLs where possible (375.82-8). nvidia-graphics-drivers-legacy-340xx (340.104-1) unstable; urgency=medium . 
* New upstream legacy 340xx branch release 340.104 (2017-09-19). * Improved compatibility with recent Linux kernels. . [ Andreas Beckmann ] * Add GRID K1/K2/K340 to EoL models, no longer supported from 375.xx on. * Bump Standards-Version to 4.1.1. No changes needed. * bug-control: Add arch qualification to M-A:same packages in report-with list otherwise reportbug will ignore them if more than one is installed (375.82-5). * Simplify upstream changelog handling (375.82-5). . [ Luca Boccassi ] * Switch to my debian.org email address in Uploaders. * Drop drm-driver-legacy.patch, deprecated-cpu-events.patch, vmf-address.patch, drm-unload.patch, fatal-signal.patch and set-memory.patch, fixed upstream. * Refresh vm-fault.patch to remove fuzz from upstream changes. * Add nvidia-drm-pci-init.patch to fix kernel module build on Linux 4.14 and newer. . [ Russ Allbery ] * Remove myself from Uploaders. nvidia-graphics-drivers-legacy-340xx (340.102-3) unstable; urgency=medium . [ Andreas Beckmann ] * disable-preempt_rt_sanity_check.patch: Remove, unsupported upstream. * Bump Standards-Version to 4.0.1. No changes needed. * nvidia-alternative: Explicitly use interest-await triggers. * Switch from dh_install --list-missing to dh_missing. * Use dpkg makefile snippets instead of manual parsing. * build-module-packages.sh: Order kernels by descending version. * Switch watch URL from ftp:// to https:// (375.82-1). * Update lintian overrides. . [ Luca Boccassi ] * Add set-memory.patch to fix kernel module build on Linux 4.12 and newer. (Closes: #872330) nvidia-graphics-drivers-legacy-340xx (340.102-2) unstable; urgency=medium . [ Andreas Beckmann ] * nvidia-kernel-dkms: Honor parallel setting from dkms. (Closes: #864639) * Do not prevent ccache usage. The bug was fixed in ccache 3.0 (in squeeze). . [ Luca Boccassi ] * Add drm-unload.patch, fatal-signal.patch, and vm-fault.patch to fix kernel module build on Linux 4.11 and newer. 
(Closes: #865964) nvidia-modprobe (384.111-2~deb9u1) stretch; urgency=medium . * Rebuild for stretch. . nvidia-modprobe (384.111-2) unstable; urgency=medium . * Add setuid.patch to run setuid(0) before forking modprobe to preserve privileges through shell invocations and recursive modprobe calls. Thanks to Hiromasa YOSHIMOTO for intensive debugging and the final patch! (Closes: #888952) * Add debian/upstream/metadata. * Fix new Lintian issues. * Switch Vcs-* URLs to salsa.debian.org. . nvidia-modprobe (384.111-1) unstable; urgency=medium . * New upstream release. * Bump Standards-Version to 4.1.3. No changes needed. . nvidia-modprobe (384.98-1) unstable; urgency=medium . * New upstream release. * Switch to https:// URLs. * Bump Standards-Version to 4.1.1. No changes needed. * Set Rules-Requires-Root: binary-targets. * Use dpkg makefile snippets instead of manual changelog parsing. * B-D: dpkg-dev (>= 1.18.8) for SOURCE_DATE_EPOCH in pkg-info.mk. * Use a fixed OUTPUTDIR for improved reproducibility. nvidia-modprobe (384.111-1) unstable; urgency=medium . * New upstream release. * Bump Standards-Version to 4.1.3. No changes needed. nvidia-modprobe (384.111-1~deb9u1) stretch; urgency=medium . * Rebuild for stretch. . nvidia-modprobe (384.111-1) unstable; urgency=medium . * New upstream release. * Bump Standards-Version to 4.1.3. No changes needed. . nvidia-modprobe (384.98-1) unstable; urgency=medium . * New upstream release. * Switch to https:// URLs. * Bump Standards-Version to 4.1.1. No changes needed. * Set Rules-Requires-Root: binary-targets. * Use dpkg makefile snippets instead of manual changelog parsing. * B-D: dpkg-dev (>= 1.18.8) for SOURCE_DATE_EPOCH in pkg-info.mk. * Use a fixed OUTPUTDIR for improved reproducibility. nvidia-modprobe (384.111-1~bpo9+1) stretch-backports; urgency=medium . * Rebuild for stretch-backports. . nvidia-modprobe (384.111-1) unstable; urgency=medium . * New upstream release. * Bump Standards-Version to 4.1.3. No changes needed. . 
nvidia-modprobe (384.98-1) unstable; urgency=medium . * New upstream release. * Switch to https:// URLs. * Bump Standards-Version to 4.1.1. No changes needed. * Set Rules-Requires-Root: binary-targets. * Use dpkg makefile snippets instead of manual changelog parsing. * B-D: dpkg-dev (>= 1.18.8) for SOURCE_DATE_EPOCH in pkg-info.mk. * Use a fixed OUTPUTDIR for improved reproducibility. nvidia-modprobe (384.98-1) unstable; urgency=medium . * New upstream release. * Switch to https:// URLs. * Bump Standards-Version to 4.1.1. No changes needed. * Set Rules-Requires-Root: binary-targets. * Use dpkg makefile snippets instead of manual changelog parsing. * B-D: dpkg-dev (>= 1.18.8) for SOURCE_DATE_EPOCH in pkg-info.mk. * Use a fixed OUTPUTDIR for improved reproducibility. nvidia-persistenced (384.111-1~deb9u1) stretch; urgency=medium . * Rebuild for stretch. . nvidia-persistenced (384.111-1) unstable; urgency=medium . * New upstream release. * B-D: dpkg-dev (>= 1.18.8) for SOURCE_DATE_EPOCH in pkg-info.mk. * Bump Standards-Version to 4.1.3. No changes needed. . nvidia-persistenced (384.98-1) unstable; urgency=medium . * New upstream release. * Use https:// URL in the watch file. * Bump Standards-Version to 4.1.1. No changes needed. * Set Rules-Requires-Root: no. * Use dpkg makefile snippets instead of manual changelog parsing. * Use a fixed OUTPUTDIR for improved reproducibility. nvidia-persistenced (384.111-1~bpo9+1) stretch-backports; urgency=medium . * Rebuild for stretch-backports. . nvidia-persistenced (384.111-1) unstable; urgency=medium . * New upstream release. * B-D: dpkg-dev (>= 1.18.8) for SOURCE_DATE_EPOCH in pkg-info.mk. * Bump Standards-Version to 4.1.3. No changes needed. . nvidia-persistenced (384.98-1) unstable; urgency=medium . * New upstream release. * Use https:// URL in the watch file. * Bump Standards-Version to 4.1.1. No changes needed. * Set Rules-Requires-Root: no. * Use dpkg makefile snippets instead of manual changelog parsing. 
* Use a fixed OUTPUTDIR for improved reproducibility. nvidia-persistenced (384.98-1) unstable; urgency=medium . * New upstream release. * Use https:// URL in the watch file. * Bump Standards-Version to 4.1.1. No changes needed. * Set Rules-Requires-Root: no. * Use dpkg makefile snippets instead of manual changelog parsing. * Use a fixed OUTPUTDIR for improved reproducibility. nvidia-settings (384.111-1~deb9u1) stretch; urgency=medium . * Rebuild for stretch. . nvidia-settings (384.111-1) unstable; urgency=medium . * New upstream release 384.111. * Bump Standards-Version to 4.1.3. No changes needed. . nvidia-settings (384.98-1) unstable; urgency=medium . * New upstream release 384.98. * New upstream release 384.59. - Fixed a bug that prevented changes to stereo eye assignment from getting applied from the nvidia-settings control panel. * New upstream release 384.47. - Fixed a bug that caused nvidia-settings to drop device BusID values when making changes to an existing X configuration file. . nvidia-settings (381.22-1) unstable; urgency=medium . * New upstream release 381.22. * New upstream release 381.09. - Fixed a bug that caused "nvidia-settings --query all" to print many duplicate entries. . nvidia-settings (378.13-1) unstable; urgency=medium . * New upstream release 378.13. - Added support in nvidia-settings to view configured PRIME displays. To enable PRIME displays, see "Offloading Graphics Display with RandR 1.4" in the README. . nvidia-settings (375.82-2) unstable; urgency=medium . * Set Rules-Requires-Root: no. * Use dh_missing --list-missing. * 13_clean.diff: Remove, fixed upstream since 337.12. * Use debian/substvars for substitutions by dpkg-genchanges (dpkg 1.19). * Remove support for versions predating 304.xx. * Remove Breaks/Replaces against packages older than jessie. . nvidia-settings (375.82-1) unstable; urgency=medium . * New upstream release 375.82. * Use GPL notice without FSF street address. * Bump Standards-Version to 4.1.1. 
No changes needed. * Use Luca's @debian.org address. * Remove Fathi Boudra from Uploaders, thanks for your work on nvidia-settings! (Closes: #879413) . nvidia-settings (375.66-3) unstable; urgency=medium . [ Luca Boccassi ] * Use https for links in debian/copyright. * Remove Debian menu system entry, deprecated in favour of Free Desktop entry. * Bump Standards-Version to 4.0.1. * Set build directory to _out/debian to make the build reproducible, instead of the upstream default of _out/($uname)_($uname -m). . [ Russ Allbery ] * Remove myself from Uploaders. . nvidia-settings (375.66-2) unstable; urgency=medium . * Add patches to make the build reproducible: SOURCE_DATE_EPOCH-for-manpage.patch, SOURCE_DATE_EPOCH-for-STAMP_C.patch and dummy-hostname-user-for-STAMP_C.patch * Remove workarounds in d/rules for date/user, it is fixed in the upstream makefiles. nvidia-settings (384.111-1~deb9u1~bpo8+1) jessie-backports; urgency=medium . * Rebuild for jessie-backports. * Reinstate the PIE workarounds. . nvidia-settings (384.111-1~deb9u1) stretch; urgency=medium . * Rebuild for stretch. . nvidia-settings (384.111-1) unstable; urgency=medium . * New upstream release 384.111. * Bump Standards-Version to 4.1.3. No changes needed. . nvidia-settings (384.98-1) unstable; urgency=medium . * New upstream release 384.98. * New upstream release 384.59. - Fixed a bug that prevented changes to stereo eye assignment from getting applied from the nvidia-settings control panel. * New upstream release 384.47. - Fixed a bug that caused nvidia-settings to drop device BusID values when making changes to an existing X configuration file. . nvidia-settings (381.22-1) unstable; urgency=medium . * New upstream release 381.22. * New upstream release 381.09. - Fixed a bug that caused "nvidia-settings --query all" to print many duplicate entries. . nvidia-settings (378.13-1) unstable; urgency=medium . * New upstream release 378.13. - Added support in nvidia-settings to view configured PRIME displays. 
To enable PRIME displays, see "Offloading Graphics Display with RandR 1.4" in the README. . nvidia-settings (375.82-2) unstable; urgency=medium . * Set Rules-Requires-Root: no. * Use dh_missing --list-missing. * 13_clean.diff: Remove, fixed upstream since 337.12. * Use debian/substvars for substitutions by dpkg-genchanges (dpkg 1.19). * Remove support for versions predating 304.xx. * Remove Breaks/Replaces against packages older than jessie. . nvidia-settings (375.82-1) unstable; urgency=medium . * New upstream release 375.82. * Use GPL notice without FSF street address. * Bump Standards-Version to 4.1.1. No changes needed. * Use Luca's @debian.org address. * Remove Fathi Boudra from Uploaders, thanks for your work on nvidia-settings! (Closes: #879413) . nvidia-settings (375.66-3) unstable; urgency=medium . [ Luca Boccassi ] * Use https for links in debian/copyright. * Remove Debian menu system entry, deprecated in favour of Free Desktop entry. * Bump Standards-Version to 4.0.1. * Set build directory to _out/debian to make the build reproducible, instead of the upstream default of _out/($uname)_($uname -m). . [ Russ Allbery ] * Remove myself from Uploaders. . nvidia-settings (375.66-2) unstable; urgency=medium . * Add patches to make the build reproducible: SOURCE_DATE_EPOCH-for-manpage.patch, SOURCE_DATE_EPOCH-for-STAMP_C.patch and dummy-hostname-user-for-STAMP_C.patch * Remove workarounds in d/rules for date/user, it is fixed in the upstream makefiles. . nvidia-settings (375.66-1) unstable; urgency=medium . * New upstream release 375.66. - Updated the display configuration page in the nvidia-settings control panel to accurately reflect HDMI 3D refresh rates. nvidia-settings (384.111-1~bpo9+1) stretch-backports; urgency=medium . * Rebuild for stretch-backports. . nvidia-settings (384.111-1) unstable; urgency=medium . * New upstream release 384.111. * Bump Standards-Version to 4.1.3. No changes needed. . nvidia-settings (384.98-1) unstable; urgency=medium . 
* New upstream release 384.98. * New upstream release 384.59. - Fixed a bug that prevented changes to stereo eye assignment from getting applied from the nvidia-settings control panel. * New upstream release 384.47. - Fixed a bug that caused nvidia-settings to drop device BusID values when making changes to an existing X configuration file. . nvidia-settings (381.22-1) unstable; urgency=medium . * New upstream release 381.22. * New upstream release 381.09. - Fixed a bug that caused "nvidia-settings --query all" to print many duplicate entries. . nvidia-settings (378.13-1) unstable; urgency=medium . * New upstream release 378.13. - Added support in nvidia-settings to view configured PRIME displays. To enable PRIME displays, see "Offloading Graphics Display with RandR 1.4" in the README. . nvidia-settings (375.82-2) unstable; urgency=medium . * Set Rules-Requires-Root: no. * Use dh_missing --list-missing. * 13_clean.diff: Remove, fixed upstream since 337.12. * Use debian/substvars for substitutions by dpkg-genchanges (dpkg 1.19). * Remove support for versions predating 304.xx. * Remove Breaks/Replaces against packages older than jessie. . nvidia-settings (375.82-1) unstable; urgency=medium . * New upstream release 375.82. * Use GPL notice without FSF street address. * Bump Standards-Version to 4.1.1. No changes needed. * Use Luca's @debian.org address. * Remove Fathi Boudra from Uploaders, thanks for your work on nvidia-settings! (Closes: #879413) . nvidia-settings (375.66-3) unstable; urgency=medium . [ Luca Boccassi ] * Use https for links in debian/copyright. * Remove Debian menu system entry, deprecated in favour of Free Desktop entry. * Bump Standards-Version to 4.0.1. * Set build directory to _out/debian to make the build reproducible, instead of the upstream default of _out/($uname)_($uname -m). . [ Russ Allbery ] * Remove myself from Uploaders. . nvidia-settings (375.66-2) unstable; urgency=medium . 
* Add patches to make the build reproducible: SOURCE_DATE_EPOCH-for-manpage.patch, SOURCE_DATE_EPOCH-for-STAMP_C.patch and dummy-hostname-user-for-STAMP_C.patch * Remove workarounds in d/rules for date/user, it is fixed in the upstream makefiles. nvidia-settings (384.98-1) unstable; urgency=medium . * New upstream release 384.98. * New upstream release 384.59. - Fixed a bug that prevented changes to stereo eye assignment from getting applied from the nvidia-settings control panel. * New upstream release 384.47. - Fixed a bug that caused nvidia-settings to drop device BusID values when making changes to an existing X configuration file. nvidia-settings (381.22-1) unstable; urgency=medium . * New upstream release 381.22. * New upstream release 381.09. - Fixed a bug that caused "nvidia-settings --query all" to print many duplicate entries. * typos.diff: Fix more typos found by lintian. nvidia-settings (378.13-1) unstable; urgency=medium . * New upstream release 378.13. - Added support in nvidia-settings to view configured PRIME displays. To enable PRIME displays, see "Offloading Graphics Display with RandR 1.4" in the README. nvidia-settings (375.82-2) unstable; urgency=medium . * Set Rules-Requires-Root: no. * Use dh_missing --list-missing. * 13_clean.diff: Remove, fixed upstream since 337.12. * Use debian/substvars for substitutions by dpkg-genchanges (dpkg 1.19). * Remove support for versions predating 304.xx. * Remove Breaks/Replaces against packages older than jessie. nvidia-settings (375.82-1) unstable; urgency=medium . * New upstream release 375.82. * Use GPL notice without FSF street address. * Bump Standards-Version to 4.1.1. No changes needed. * Use Luca's @debian.org address. * Remove Fathi Boudra from Uploaders, thanks for your work on nvidia-settings! (Closes: #879413) nvidia-settings (375.66-3) unstable; urgency=medium . [ Luca Boccassi ] * Use https for links in debian/copyright. 
* Remove Debian menu system entry, deprecated in favour of Free Desktop entry. * Bump Standards-Version to 4.0.1. . [ Russ Allbery ] * Remove myself from Uploaders. . [ Luca Boccassi ] * Set build directory to _out/debian to make the build reproducible, instead of the upstream default of _out/($uname)_($uname -m). nvidia-settings (375.66-2) unstable; urgency=medium . * Add patches to make the build reproducible: SOURCE_DATE_EPOCH-for-manpage.patch, SOURCE_DATE_EPOCH-for-STAMP_C.patch and dummy-hostname-user-for-STAMP_C.patch * Remove workarounds in d/rules for date/user, it is fixed in the upstream makefiles. nvidia-xconfig (384.111-1~deb9u1) stretch; urgency=medium . * Rebuild for stretch. . nvidia-xconfig (384.111-1) unstable; urgency=medium . * New upstream release. * Bump Standards-Version to 4.1.3. No changes needed. . nvidia-xconfig (384.98-1) unstable; urgency=medium . * New upstream release. - Fixed a regression that prevented nvidia-xconfig from querying some GPUs, e.g. when running `nvidia-xconfig -a`. . nvidia-xconfig (381.22-1) unstable; urgency=medium . * New upstream release. . nvidia-xconfig (378.13-1) unstable; urgency=medium . * New upstream release. * Add B-D: dpkg-dev (>= 1.18.8) for SOURCE_DATE_EPOCH in pkg-info.mk. * Set Rules-Requires-Root: no. . nvidia-xconfig (375.82-1) unstable; urgency=medium . [ Andreas Beckmann ] * New upstream release. * Switch to https:// URLs. * Set Priority to optional. * Bump Standards-Version to 4.1.1. * Use GPL notices without FSF street address. * Use dpkg makefile snippets instead of manual changelog parsing. * Use a fixed OUTPUTDIR for improved reproducibility. . [ Russ Allbery ] * Remove myself from Uploaders. nvidia-xconfig (384.111-1~bpo9+1) stretch-backports; urgency=medium . * Rebuild for stretch-backports. . nvidia-xconfig (384.111-1) unstable; urgency=medium . * New upstream release. * Bump Standards-Version to 4.1.3. No changes needed. . nvidia-xconfig (384.98-1) unstable; urgency=medium . 
* New upstream release. - Fixed a regression that prevented nvidia-xconfig from querying some GPUs, e.g. when running `nvidia-xconfig -a`. . nvidia-xconfig (381.22-1) unstable; urgency=medium . * New upstream release. . nvidia-xconfig (378.13-1) unstable; urgency=medium . * New upstream release. * Add B-D: dpkg-dev (>= 1.18.8) for SOURCE_DATE_EPOCH in pkg-info.mk. * Set Rules-Requires-Root: no. . nvidia-xconfig (375.82-1) unstable; urgency=medium . [ Andreas Beckmann ] * New upstream release. * Switch to https:// URLs. * Set Priority to optional. * Bump Standards-Version to 4.1.1. * Use GPL notices without FSF street address. * Use dpkg makefile snippets instead of manual changelog parsing. * Use a fixed OUTPUTDIR for improved reproducibility. . [ Russ Allbery ] * Remove myself from Uploaders. nvidia-xconfig (384.98-1) unstable; urgency=medium . * New upstream release. - Fixed a regression that prevented nvidia-xconfig from querying some GPUs, e.g. when running `nvidia-xconfig -a`. nvidia-xconfig (381.22-1) unstable; urgency=medium . * New upstream release. nvidia-xconfig (378.13-1) unstable; urgency=medium . * New upstream release. * Add B-D: dpkg-dev (>= 1.18.8) for SOURCE_DATE_EPOCH in pkg-info.mk. * Set Rules-Requires-Root: no. nvidia-xconfig (375.82-1) unstable; urgency=medium . [ Andreas Beckmann ] * New upstream release. * Switch to https:// URLs. * Set Priority to optional. * Bump Standards-Version to 4.1.1. * Use GPL notices without FSF street address. * Use dpkg makefile snippets instead of manual changelog parsing. * Use a fixed OUTPUTDIR for improved reproducibility. . [ Russ Allbery ] * Remove myself from Uploaders. ocfs2-tools (1.8.4-4+deb9u1) stretch; urgency=medium . * Migrate from using rcS to standard runlevels (Closes: #876195) openafs (1.6.20-2+deb9u1) stretch-security; urgency=high . * Apply upstream patch for OPENAFS-SA-2017-001 (CVE-2017-17432). (Closes: #883602) opendmarc (1.3.2-2+deb9u1) stretch; urgency=medium . 
* Update opendmarc service file so changes in opendmarc.conf are used and update opendmarc.conf to match values previously hard-coded in the service file (Closes: #863612) - Thanks to Jack Bates for the patch openocd (0.9.0-1+deb8u1) stretch-security; urgency=high . * Update debian/gbp.conf to deal with stretch * Pull "bindto" command from upstream * Bind to localhost by default * Prevent some forms of Cross Protocol Scripting attacks (CVE-2018-5704) (Closes: #887488) openssh (1:7.4p1-10+deb9u3) stretch; urgency=medium . * CVE-2017-15906: sftp-server(8): In read-only mode, sftp-server was incorrectly permitting creation of zero-length files. Reported by Michal Zalewski. openssl1.0 (1.0.2l-2+deb9u2) stretch-security; urgency=high . * CVE-2017-3737 (Read/write after SSL object in error state) * Add a testcase for CVE-2017-3737 * CVE-2017-3738 (rsaz_1024_mul_avx2 overflow bug on x86_64) optipng (0.7.6-1+deb9u1) stretch-security; urgency=high . * Non-maintainer upload by the Security Team. * Prevent integer overflow in minitiff_read_info() (CVE-2017-1000229) (Closes: #882032) * gifread: Detect indirect circular dependencies in LZW tables (CVE-2017-16938) (Closes: #878839) osinfo-db (0.20180226-1~deb9u1) stretch; urgency=medium . * Rebuild for stretch. . osinfo-db (0.20180226-1) unstable; urgency=medium . * Test that we can generate install scripts * New upstream git snapshot (Closes: #884521) * Update debian/watch URL. We're using git snapshots anyway but it's better to have this correct. (Closes: #884520) osinfo-db (0.20170811-1) unstable; urgency=medium . * [596e960] Fix vcs git url * [226d475] New upstream version 0.20170811 * [1cfe3ae] Drop debian-switch-to-archive-URLs-for-stretch.patch applied upstream otrs2 (5.0.16-1+deb9u5) stretch-security; urgency=high . * Add patch 20-OSA-2017-10: This fixes OSA-2017-10: An attacker can send a specially prepared email to an OTRS system.
If this system has cookie support disabled, and a logged in agent clicks a link in this email, the session information could be leaked to external systems, allowing the attacker to take over the agent’s session. otrs2 (5.0.16-1+deb9u4) stretch-security; urgency=high . * Add patch 19-CVE-2017-16921: This fixes OSA-2017-09, also known as CVE-2017-16921: An attacker who is logged into OTRS as an agent can manipulate form parameters and execute arbitrary shell commands with the permissions of the OTRS or web server user. Closes: #883774 * Add patch 18-CVE-2017-16854: This fixes OSA-2017-08, also known as CVE-2017-16854: An attacker who is logged into OTRS as a customer can use the ticket search form to disclose internal article information of their customer tickets. p7zip (16.02+dfsg-3+deb9u1) stretch-security; urgency=high . * Non-maintainer upload by the Security Team. * Heap-based buffer overflow in 7zip/Compress/ShrinkDecoder.cpp (CVE-2017-17969) Thanks to Antoine Beaupré (Closes: #888297) pdns-recursor (4.0.4-1+deb9u3) stretch-security; urgency=high . * Security upload, including fix for CVE-2017-15120. pdns-recursor (4.0.4-1+deb9u3~bpo8+1) jessie-backports; urgency=medium . * Rebuild for jessie-backports. php7.0 (7.0.27-0+deb9u1) stretch-security; urgency=high . * New upstream version 7.0.27 * Rebase patches on top of new upstream release * Kill extra TAB character in the ini file that was causing insserv troubles * Add signature support to d/watch * Add Ferenc Kovacs signing key to upstream GPG keyring php7.0 (7.0.26-1) unstable; urgency=medium . * New upstream version 7.0.26 * Rebase patches for new upstream version. php7.0 (7.0.25-1) unstable; urgency=medium . * New upstream version 7.0.25 * Rebase patches for new upstream release. php7.0 (7.0.22-3) unstable; urgency=medium . 
* Allow libgcrypt11-dev when it's not a transitional package * Correct the --extend-diff-ignore to ignore custom .gitlab-ci.yml in the root * Switch from curl-config to pkg-config for curl extension (Courtesy of Remi Collet) php7.0 (7.0.22-2) unstable; urgency=medium . * Update Vcs-* links to https://gitlab.com/deb.sury.org/... * Stop depending on obsolete automake1.11 (Closes: #865135) * Switch build-depends to libgcrypt20-dev (Closes: #864128) php7.0 (7.0.22-1) unstable; urgency=medium . * New upstream version 7.0.22 * Rebase patches for PHP 7.0.22 php7.0 (7.0.20-2) unstable; urgency=medium . * Add Ferenc Kovacs signing key to upstream GPG keyring * Add upstream patch to fix broken support for HOST/PATH ini sections php7.0 (7.0.20-1) unstable; urgency=medium . * Kill extra TAB character in the ini file that was causing insserv troubles * Add signature support to d/watch * New upstream version 7.0.20 * Refresh patches on top of PHP 7.0.20 release plasma-workspace (4:5.8.6-2.1+deb9u1) stretch-security; urgency=medium . * CVE-2018-6791 poco (1.7.6+dfsg1-5+deb9u1) stretch-security; urgency=high . * Add backported patch for CVE-2017-1000472 poppler (0.48.0-2+deb9u2) stretch-security; urgency=medium . * Fix regression in fix for CVE-2017-14519 * CVE-2017-1000456 * CVE-2017-14929 poppler (0.48.0-2+deb9u1) stretch-security; urgency=medium . * Fix CVE-2017-9406: a memory leak vulnerability was found in the function gmalloc in gmem.cc, which allows attackers to cause a denial of service via a crafted file. * Fix CVE-2017-9408: memory leak in the function Object::initArray in Object.cc that allows attackers to cause a DoS via a crafted file. * Fix CVE-2017-9775: Stack buffer overflow in GfxState.cc in pdftocairo that allows remote attackers to cause a denial of service (application crash) via a crafted PDF document. 
* Fix CVE-2017-9776: Integer overflow leading to Heap buffer overflow in JBIG2Stream.cc in pdftocairo allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a crafted PDF document. * Fix CVE-2017-9865: The function GfxImageColorMap::getGray in GfxState.cc allows remote attackers to cause a denial of service (stack-based buffer over-read and application crash) via a crafted PDF document * Fix CVE-2017-14517: NULL pointer dereference vulnerability in the XRef::parseEntry() function in XRef.cc * Fix CVE-2017-14518: Floating point exception in the isImageInterpolationRequired() function in Splash.cc * Fix CVE-2017-14519: A memory corruption may occur in a call to Object::streamGetChar * Fix CVE-2017-14520: Floating point exception in Splash::scaleImageYuXd() * Fix CVE-2017-14617: Floating point exception in the ImageStream class in Stream.cc * Fix CVE-2017-14975: NULL pointer dereference vulnerability in the FoFiType1C::convertToType0 function in FoFiType1C.cc * Fix CVE-2017-14976: Heap-based buffer over-read vulnerability in the FoFiType1C::convertToType0 function in FoFiType1C.cc * Fix CVE-2017-14977: NULL pointer dereference vulnerability in the FoFiTrueType::getCFFBlock function in FoFiTrueType.cc * Fix CVE-2017-15565: NULL Pointer Dereference in the GfxImageColorMap::getGrayLine() function in GfxState.cc postfix (3.1.8-0+deb9u1) stretch; urgency=medium . [Scott Kitterman] . * Rewrite debian/postfix-instance-generator to avoid use of postmulti to fix failures when inet_interfaces != all. Closes: #882141 * Refresh patches * Add postfix 3.1 specific watch file . [Wietse Venema] . * 3.1.7 - Bugfix (introduced: Postfix 3.1): DANE support. Postfix builds with OpenSSL 1.0.0 or 1.0.1 failed to send email to some sites with "TLSA 2 X X" records associated with an intermediate CA certificate. Problem report and initial fix by Erwan Legrand. File: src/tls/tls_dane.c. 
     - Bugfix (introduced: Postfix 3.0) missing dynamicmaps support in the Postfix sendmail command broke authorized_submit_users with a dynamically-loaded map type. File: sendmail/sendmail.c.
   * 3.1.8
     - Bugfix (introduced: Postfix 2.1): don't log warnings that some restriction returns OK, when the access map DISCARD feature is in effect. File: smtpd/smtpd_check.c.
     - Bugfix (introduced: 20170611): the DB_CONFIG bugfix broke Berkeley DB configurations with a relative pathname. File: util/dict_db.c. Closes: #879200
     - Workaround: reportedly, some res_query(3) implementation can return -1 with h_errno==0. Instead of terminating with a panic, the Postfix DNS client now logs a warning and sets h_errno to TRY_AGAIN. File: dns/dns_lookup.c.
     - Documentation patches by Sven Neuhaus. Files: proto/FORWARD_SECRECY_README.html, proto/SMTPD_ACCESS_README.html.
     - Cleanup: missing mailbox seek-to-end error check in the local(8) delivery agent. File: local/mailbox.c.
     - Cleanup: incorrect mailbox seek-to-end error message in the virtual(8) delivery agent. File: virtual/mailbox.c.
postgresql-9.6 (9.6.7-0+deb9u1) stretch; urgency=medium
 .
   * New upstream version.
     + Ensure that all temporary files made by pg_upgrade are non-world-readable (CVE-2018-1053)
 .
     + Change the behavior of contrib/cube's cube ~> int operator to make it compatible with KNN search.
 .
       The meaning of the second argument (the dimension selector) has been changed to make it predictable which value is selected even when dealing with cubes of varying dimensionalities.
 .
       This is an incompatible change, but since the point of the operator was to be used in KNN searches, it seems rather useless as-is. After installing this update, any expression indexes or materialized views using this operator will need to be reindexed/refreshed.
publicsuffix (20180218.2049-0+deb9u1) stretch; urgency=medium
 .
   * new upstream publicsuffix data
 .
   publicsuffix (20180125.0922-0+deb9u1) stretch; urgency=medium
 .
   * new upstream publicsuffix data
publicsuffix (20180125.0922-1) unstable; urgency=medium
 .
   * new upstream version
publicsuffix (20171228.1526-2) unstable; urgency=medium
 .
   * standards-version: bump to 4.1.3 (no changes needed)
   * move to debhelper 11
   * move debian revision control to salsa.debian.org
publicsuffix (20171228.1526-1) unstable; urgency=medium
 .
   * new upstream version
publicsuffix (20171028.2055-1) unstable; urgency=medium
 .
   * new upstream version
python-evtx (0.5.3b-3+deb9u1) stretch; urgency=medium
 .
   * Fix Python3 dependencies (Closes: #867428)
python-hacking (0.11.0-2.1~deb9u1) stretch; urgency=medium
 .
   * Non-maintainer upload.
   * Rebuild for stretch.
 .
   python-hacking (0.11.0-2.1) unstable; urgency=medium
 .
   * Non-maintainer upload.
   * Fix the python3-hacking dependencies. (Closes: #867431)
python-hkdf (0.0.3-3~deb9u1) stretch; urgency=medium
 .
   * QA upload.
   * Rebuild for stretch.
 .
   python-hkdf (0.0.3-3) unstable; urgency=medium
 .
   * QA upload.
   * Fix the python3-hkdf dependencies. (Closes: #867433)
 .
   python-hkdf (0.0.3-2) unstable; urgency=medium
 .
   * Add missing URL to package descriptions. closes: #864149.
   * Set maintainer to Debian QA Group.
python-hkdf (0.0.3-2) unstable; urgency=medium
 .
   * Add missing URL to package descriptions. closes: #864149.
   * Set maintainer to Debian QA Group.
python-mimeparse (0.1.4-3.1~deb9u1) stretch; urgency=medium
 .
   * Non-maintainer upload.
   * Rebuild for stretch.
 .
   python-mimeparse (0.1.4-3.1) unstable; urgency=medium
 .
   * Non-maintainer upload.
   * Fix the python3-mimeparse dependencies. (Closes: #867439)
python-pyperclip (1.5.27-3~deb9u1) stretch; urgency=medium
 .
   * Non-maintainer upload.
   * Rebuild for stretch.
 .
   python-pyperclip (1.5.27-3) unstable; urgency=medium
 .
   * Fix typo in Depends for python3 package (Closes: #867450)
python-spake2 (0.7-3~deb9u1) stretch; urgency=medium
 .
   * QA upload.
   * Rebuild for stretch.
 .
   python-spake2 (0.7-3) unstable; urgency=high
 .
   * QA upload.
   * Set maintainer to Debian QA Group.
     (see #833947)
   * Fix the python3-spake2 dependencies. (Closes: #867457)
qtpass (1.1.6-1+deb9u1) stretch; urgency=medium
 .
   * Fix insecure built-in password generator (Fixes: CVE-2017-18021)
quagga (1.1.1-3+deb9u2) stretch-security; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * bgpd/security: invalid attr length sends NOTIFY with data overrun (CVE-2018-5378)
     Security issue: Quagga-2018-0543
   * bgpd/security: Fix double free of unknown attribute (CVE-2018-5379)
     Security issue: Quagga-2018-1114
   * bgpd/security: debug print of received NOTIFY data can over-read msg array (CVE-2018-5380)
     Security issue: Quagga-2018-1550
   * bgpd/security: fix infinite loop on certain invalid OPEN messages (CVE-2018-5381)
     Security issue: Quagga-2018-1975
quota (4.03-2+deb9u1) stretch; urgency=medium
 .
   * Prevent quotacheck from running into an endless loop. Thanks to Christoph Biedl
reportbug (7.1.7+deb9u1) stretch; urgency=medium
 .
   * Non-maintainer upload.
   * Don't CC secure-testing-team@lists.alioth.debian.org anymore. The testing security team didn't exist for a long time and the mailinglist will disappear when Alioth will be decommissioned. Thanks to Moritz Muehlenhoff (Closes: #888832)
rsync (3.1.2-1+deb9u1) stretch-security; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * Enforce trailing \0 when receiving xattr name values (CVE-2017-16548) (Closes: #880954)
   * Check fname in recv_files sooner (CVE-2017-17433) (Closes: #883667)
   * Sanitize xname in read_ndx_and_attrs (CVE-2017-17434) (Closes: #883665)
   * Check daemon filter against fnamecmp in recv_files() (CVE-2017-17434) (Closes: #883665)
ruby-omniauth (1.3.1-1+deb9u1) stretch-security; urgency=high
 .
   * Fix security issue in returning post parameters from session in callback phase (CVE-2017-18076) (Closes: #888523)
ruby-redis-store (1.1.6-1+deb9u1) stretch; urgency=high
 .
   * Team upload
   * Add upstream patch to fix CVE-2017-1000248, allowing unsafe objects to be loaded from redis (Closes: #882034)
salt (2016.11.2+ds-1+deb9u1) stretch; urgency=medium
 .
   * Fix CVE-2017-12791: Directory traversal vulnerability on salt-master via crafted minion IDs (Closes: #872399)
   * Fix CVE-2017-14695: Directory traversal vulnerability in minion id validation in SaltStack (Closes: #879089)
   * Fix CVE-2017-14696: Remote Denial of Service with a specially crafted authentication request (Closes: #879090)
   * Check if data[return] is dict type (Closes: #887724)
   * Do not require sphinx-build for cleaning docs (Closes: #851559)
sensible-utils (0.0.9+deb9u1) stretch-security; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * Argument injection in sensible-browser (CVE-2017-17512) Thanks to Gabriel Corona (Closes: #881767)
sensible-utils (0.0.9+deb8u1) jessie-security; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * Argument injection in sensible-browser (CVE-2017-17512) Thanks to Gabriel Corona (Closes: #881767)
simplesamlphp (1.14.11-1+deb9u1) stretch-security; urgency=high
 .
   * Update by the security team for stretch.
     CVE-2017-12867 CVE-2017-12869 CVE-2017-12874 CVE-2017-18121 CVE-2017-18122 CVE-2018-6519 CVE-2018-6521 SSPSA-201802-01 (closes: #889286).
slic3r (1.2.9+dfsg-9~deb9u1) stretch; urgency=medium
 .
   * Non-maintainer upload.
   * Rebuild for stretch.
 .
   slic3r (1.2.9+dfsg-9) unstable; urgency=medium
 .
   * [1ae29f4] Patch "use lib" line in all installed binaries (Closes: #886125)
 .
   slic3r (1.2.9+dfsg-8) unstable; urgency=medium
 .
   * [c1b29a0] Acknowledge NMU (Closes: #869360)
 .
   slic3r (1.2.9+dfsg-7) unstable; urgency=medium
 .
   * [e77c05d] Fill up slic3r.desktop so that it can be used to open stl files
   * [9438384] Import patches to fix bugs.
     - Workaround missing GL_MULTISAMPLE macro (Closes: #872273)
     - Fix importing binary STLs on big-endian architectures
   * [99cbb39] Bump Standards-Version
slic3r (1.2.9+dfsg-8) unstable; urgency=medium
 .
   * [c1b29a0] Acknowledge NMU (Closes: #869360)
slic3r (1.2.9+dfsg-7) unstable; urgency=medium
 .
   * [e77c05d] Fill up slic3r.desktop so that it can be used to open stl files
   * [9438384] Import patches to fix bugs.
     - Workaround missing GL_MULTISAMPLE macro (Closes: #872273)
     - Fix importing binary STLs on big-endian architectures
   * [99cbb39] Bump Standards-Version
slic3r (1.2.9+dfsg-6.1) unstable; urgency=medium
 .
   * Non-maintainer upload.
   * Fix "missing dependency on perlapi-*": add override_dh_perl in debian/rules to make dh_perl search for perl modules in the private directory as well. (Closes: #869360)
smarty3 (3.1.31+20161214.1.c7d42e4+selfpack1-2+deb9u1) stretch-security; urgency=medium
 .
   * debian/patches:
     + Add 0001_CVE-2017-1000480.patch. Fixes CVE-2017-1000480. (Closes: #886460).
soundtouch (1.9.2-2+deb9u1) stretch; urgency=medium
 .
   [ Gabor Karsay ]
   * Add patch to fix
     - CVE-2017-9258 (Closes: #870854)
     - CVE-2017-9259 (Closes: #870856)
     - CVE-2017-9260 (Closes: #870857)
squid3 (3.5.23-5+deb9u1) stretch-security; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * ESI: make sure endofName never exceeds tagEnd (CVE-2018-1000024) (Closes: #888719)
   * Fix indirect IP logging for transactions without a client connection (CVE-2018-1000027) (Closes: #888720)
systemd (232-25+deb9u2) stretch; urgency=medium
 .
   * networkd: Handle MTU field in IPv6 RA (Closes: #878162)
   * shared: Add a linker script so that all functions are tagged @SD_SHARED instead of @Base. This helps prevent symbol collisions with other programs and libraries. In particular, because PAM modules are loaded into the process that is creating the session, and systemd creates PAM sessions, the potential for collisions is high. (Closes: #873708)
   * resolved: Fix loop on packets with pseudo dns types. CVE-2017-15908 (Closes: #880026)
   * machinectl: Don't output "No machines." with --no-legend option (Closes: #880158)
thunderbird (1:52.6.0-1~deb9u1) stretch-security; urgency=medium
 .
   [ Carsten Schoenert ]
   * Rebuild for stretch-security
thunderbird (1:52.6.0-1~deb8u1) jessie-security; urgency=medium
 .
   [ Vincas Dargis ]
   * [e418a50] AppArmor: Fix Jessie AppArmor syntax error (Closes: #884217)
 .
   [ Carsten Schoenert ]
   * [edba169] debian/rules: override target dh_autoreconf
     Don't use dh_autoreconf, Mozilla uses wrapper around the autotools and we care about the needed files in debian/rules for long time anyway.
   * Rebuild for jessie-security
thunderbird (1:52.5.2-2) unstable; urgency=medium
 .
   [ Carsten Schoenert ]
   * [f597157] Revert "d/thunderbird.postinst: reload AA profile on updates"
     The trigger automatics for apparmor already is handling the needed reload on profile updates for the applications. (Closes: #885158)
   * [8ebdb96] debian/control: increase Standards-Version to 4.1.2
     No further changes needed.
   * [81a8c00] use inverse logic on version for AA profile status check
     By this change we don't enforce the disabled profile from the previous version in some cases and can also handle possible version strings from -security and -backports. (Closes: #885157)
thunderbird (1:52.5.2-2~deb9u1) stretch-security; urgency=medium
 .
   [ Carsten Schoenert ]
   * Rebuild for stretch-security
thunderbird (1:52.5.2-2~deb8u1) jessie-security; urgency=medium
 .
   [ Carsten Schoenert ]
   * Rebuild for jessie-security
thunderbird (1:52.5.2-1) unstable; urgency=high
 .
   [ intrigeri ]
   * [b791221] AppArmor: support new thunderbird executable path (Closes: #883561, #884217)
 .
   [ Carsten Schoenert ]
   * [1f46308] New upstream version 52.5.2
     Fixed CVE issues in upstream version 52.5 (MFSA 2017-30)
     CVE-2017-7829: Mailsploit part 1: From address with encoded null character is cut off in message header display
     CVE-2017-7846: JavaScript Execution via RSS in mailbox:// origin
     CVE-2017-7847: Local path string can be leaked from RSS feed
     CVE-2017-7848: RSS Feed vulnerable to new line Injection
   * [0dd21b9] d/thunderbird.postinst: reload AA profile on updates
   * [8c57218] don't disable AA profile on package updates
     As people want to re-enable the AA profile an update of thunderbird doesn't have to disable this again. (Closes: #884191)
thunderbird (1:52.5.0-1) unstable; urgency=high
 .
   [ intrigeri ]
   * [48e6b65] AppArmor: fix the Crash Reporter and avoid noisy denial logs (Closes: #880953)
   * [ad8b3b5] AppArmor: fix compatibility with NVIDIA hardware (Closes: #880532)
   * [d8ff6b6] Disable the AppArmor profile by default
     Due the various side effects by the enabled AppArmor profile in Thunderbird it's currently better for a user experience we disabling the AppArmor profile for to not get people get mad with too many broken things. Users can always enable the profile by themselves again. (Closes: #882672)
   * [e50eac5] README.Debian: document how to opt-in for AppArmor confinement
   * [860d325] README.Debian: document how one can debug the AppArmor profile
 .
   [Guido Günther]
   * [50a8f60] Drop myself from maintainers
     Thank you Guido for always helping out if we had some questions!
 .
   [ Carsten Schoenert ]
   * [b64509b] New upstream version 52.5.0
     Fixed CVE issues in upstream version 52.5 (MFSA 2017-26)
     CVE-2017-7828: Use-after-free of PressShell while restyling layout
     CVE-2017-7830: Cross-origin URL information leak through Resource Timing API
     CVE-2017-7826: Memory safety bugs fixed in Firefox 57, Firefox ESR 52.5, and Thunderbird 52.5
   * [3166018] thunderbird.links: let thunderbird pointing to thunderbird-bin (Closes: #856492)
   * [6fff70c] [buster] tb-wrapper: searching the correct dbgsym package
   * [4763ca6] adding a NEWS file for thunderbird package
     Giving a note about the now disabled AppArmor profile.
   * [0b9d656] disabling crashreporter for now
     Also don't build and ship the Crashreporter any more, it's useless until we can collect all symbols correctly.
   * [a285647] move AppArmor specific things into own README file
     Put all AppArmor related information into one dedicated file.
   * [5d56439] d/thunderbird.js: prepare a line for extra X-Debbugs-Cc
     A really old bug report ... building a compromise and put the requested extra header config into the configuration file but keep it deactivated as default. (Closes: #379304)
thunderbird (1:52.5.0-1~deb9u1) stretch-security; urgency=medium
 .
   [ Carsten Schoenert ]
   * Rebuild for stretch-security
 .
   * [9fb0603] Revert "[buster] tb-wrapper: searching the correct dbgsym package"
   * [3ba70b8] Revert "[buster] move thunderbird-dbg into *-dbgsym package"
   * [b16725e] Revert "[buster] remove Replace and Breaks for icedove"
   * [9cf7315] Revert "[buster] remove transitional icedove package"
   * [a1b62c0] Revert "[buster] remove Replace, Breaks and Provides for icedove-dev"
   * [435f016] Revert "[buster] remove transitional icedove-dev package"
   * [43c5ec2] Revert "[buster] remove transitional icedove-dbg package"
   * [f014c58] Revert "[buster] remove Replace, Breaks and Provides for iceowl-extension"
   * [5db94a1] Revert "[buster] remove transitional iceowl-extension package"
   * [2860355] Revert "[buster] remove Replace, Breaks and Provides for icedove-l10n-*"
   * [f148d56] Revert "[buster] remove transitional icedove-l10n-* packages"
   * [b7debd2] Revert "[buster] remove Replace, Breaks and Provides for iceowl-l10n-*"
   * [e89d082] Revert "[buster] remove transitional iceowl-l10n-* packages"
thunderbird (1:52.5.0-1~deb8u1) jessie-security; urgency=medium
 .
   [ Carsten Schoenert ]
   * Rebuild for jessie-security
 .
   * [d07b29f] Revert "[buster] tb-wrapper: searching the correct dbgsym package"
   * [6bd3655] Revert "[buster] move thunderbird-dbg into *-dbgsym package"
   * [5f1fa71] Revert "[buster] remove Replace and Breaks for icedove"
   * [17d9c31] Revert "[buster] remove transitional icedove package"
   * [c194e27] Revert "[buster] remove Replace, Breaks and Provides for icedove-dev"
   * [1118358] Revert "[buster] remove transitional icedove-dev package"
   * [14fefb8] Revert "[buster] remove transitional icedove-dbg package"
   * [d1f914b] Revert "[buster] remove Replace, Breaks and Provides for iceowl-extension"
   * [6f70669] Revert "[buster] remove transitional iceowl-extension package"
   * [d3976d0] Revert "[buster] remove Replace, Breaks and Provides for icedove-l10n-*"
   * [cb2c710] Revert "[buster] remove transitional icedove-l10n-* packages"
   * [7df3bd7] Revert "[buster] remove Replace, Breaks and Provides for iceowl-l10n-*"
   * [62617ed] Revert "[buster] remove transitional iceowl-l10n-* packages"
thunderbird (1:52.4.0-2~exp1) experimental; urgency=medium
 .
   [ Carsten Schoenert ]
   * [a3e73e9] disable usage of libgnomeui parts
     The libgnomeui stuff (only relevant for GTK+2) is deprecated for a long time and will be removed in buster, and we don't need this at all. See https://lists.debian.org/debian-devel/2017/10/msg00299.html
   * [9efc5c9] debian/watch: switch to https
   * [bd5a635] rebuild patch queue from patch-queue branch
     Fixup for [da3c5cc], add ppc64 to the list of BE architectures. Thanks Adrian Glaubitz for pointing the issue. (Closes: #879270)
   * [42f5ab5] apparmor: update profile from upstream (Closes: #876333, #855346)
 .
   [ intrigeri ]
   * [d7febc8, b026d28] AppArmor: update profile from upstream (Closes: #880425, #877324)
   * [377e7b5] README.Debian: fixing small typo
   * [3b0a63a] AppArmor: fix importing public OpenPGP keys from file (Closes: #880715)
 .
   [ Carsten Schoenert ]
   * [241690e] d/control: s/Icedove/Thunderbird in desc's for lightning-l10n-*
     The lightning-l10n package were still using the name 'Icedove' instead of 'Thunderbird'.
   * [f17f735] debian/control: moving transitional packages at bottom
   * [91f9897] autopkg: adjust icedove to thunderbird depends
     Now move over to depend in favor of thunderbird for some of the autopkg tests.
   * [8ae2ad7] autopkg: adjust icedove-dev to thunderbird-dev depends
     Doing the same as before for thunderbird-dev as the native replacement for icedove-dev.
   * [fa0134c] bump debhelper >= 10.2.5
   * [8752789] debian/rules: try to build extensions reproducible
     The two extensions (lightning and calendar-google-provider) don't build reproducible right now. Trying to fix this by using the timestamp from the changelog entry for the files. May not work correctly and we need to tune more.
   * [1496368] d/thunderbird.install: also install the fonts folder
     Recent versions of Thunderbird needing the font EmojiOne which isn't provided by any other package. (Closes: #881299)
 .
   The following changes are take effect in removing all transitional packages related to the old icedove packaging only for buster. We still need all the transitional packages in wheezy, jessie and stretch!
   * [54c8a9b] [buster] remove transitional iceowl-l10n-* packages
   * [c338630] [buster] remove Replace, Breaks and Provides for iceowl-l10n-*
   * [4311683] [buster] remove transitional icedove-l10n-* packages
   * [f6e3a01] [buster] remove Replace, Breaks and Provides for icedove-l10n-*
   * [a9117e4] [buster] remove transitional iceowl-extension package
   * [5aed012] [buster] remove Replace, Breaks and Provides for iceowl-extension
   * [27fc04b] [buster] remove transitional icedove-dbg package
   * [53b4825] [buster] remove transitional icedove-dev package
   * [e2d808f] [buster] remove Replace, Breaks and Provides for icedove-dev
   * [97edfbe] [buster] remove transitional icedove package
   * [3748054] [buster] remove Replace and Breaks for icedove
   * [611a704] [buster] move thunderbird-dbg into *-dbgsym package
thunderbird (1:52.4.0-1) unstable; urgency=medium
 .
   [ Guido Günther ]
   * [da3c5cc] Simplify endianness selection for ICU
     Since we need to build ICU on the various Debian releases we need to ensure the architecture detection isn't too strict. Thanks Guido for helping out here!
 .
   [ Carsten Schoenert ]
   * [47748ca] debian/control: be more relaxed on Breaks for enigmail
   * [6a54666] thunderbird-wrapper: fix small typo in help output
     A small typo was happen in the example call with the JS console.
   * [6d5266e] README.Debian: update info around tls fallback-limit
     The default behavior on the TLS fallback has changed some versions ago, document this accordingly.
   * [24ad883] debian/control: change maintainer
     Thanks Christoph for the work over the past years!
   * [c78200e] debian/control: move src pkg name to thunderbird
     By this version we move the source package name also back to thunderbird. This follows the changes that are already made to the binary package names and we can call the source package now also again thunderbird.
     (Closes: #857075)
   * [c26133d] debian/gbp.conf: rename components to real used names
     Due the changes of the source package the names for the sub-folders within the additional tarballs can also be changed to be closer on the real upstream used names.
   * [a5ce4f7] New upstream version 52.4.0 (Closes: #878845, #878870)
     Fixed CVE issues in upstream version 52.0 (MFSA 2017-23)
     CVE-2017-7793: Use-after-free with Fetch API
     CVE-2017-7818: Use-after-free during ARIA array manipulation
     CVE-2017-7819: Use-after-free while resizing images in design mode
     CVE-2017-7824: Buffer overflow when drawing and validating elements with ANGLE
     CVE-2017-7805: Use-after-free in TLS 1.2 generating handshake hashes
     CVE-2017-7814: Blob and data URLs bypass phishing and malware protection warnings
     CVE-2017-7825: OS X fonts render some Tibetan and Arabic unicode characters as spaces
     CVE-2017-7823: CSP sandbox directive did not create a unique origin
     CVE-2017-7810: Memory safety bugs fixed in Firefox 56 and Firefox ESR 52.4, and Thunderbird 52.4
   * [104b4e5] rebuild patch queue from patch-queue branch
   * [d63662a] lintian: move oldlibs/extra -> oldlibs/optional
     By moving all transitional package to oldlibs/optional we can help deborphan to detect better not needed packages.
   * [fb56001] d/rules: reflect changes from renamed component tarballs
     The additional tarballs are stored in folders which reflect the upstream names of those components. This also needs to be respected for the build instructions of the package.
   * [61288fb] debian/control: change Vcs* fields due the src name change
     Addressing the changed source package name in the Git Vcs urls.
   * [ef95ab5] debian/control: increase Standards-Version to 4.1.1
     No further changes needed.
   * [45e8fe2] apparmor: update profile from upstream
     Thanks to Simon Deziel and intrigeri we can simply use the apparmor profile changes done for the Ubuntu releases.
   * [6b1649c] lintian: adding a override for thunderbird-l10n-all
   * [ceab93f] debian/README.source: reflect src package name change
tiff (4.0.8-2+deb9u2) stretch-security; urgency=high
 .
   * Fix CVE-2017-11335: heap based buffer write overflow in tiff2pdf (closes: #868513).
   * Fix CVE-2017-12944: OOM prevention in TIFFReadDirEntryArray() (closes: #872607).
   * Fix CVE-2017-13726: reachable assertion abort in TIFFWriteDirectorySec() (closes: #873880).
   * Fix CVE-2017-13727: reachable assertion abort in TIFFWriteDirectoryTagSubifd() (closes: #873879).
   * Fix CVE-2017-18013: NULL pointer dereference in TIFFPrintDirectory() (closes: #885985).
   * Fix CVE-2017-9935: heap-based buffer overflow in the t2p_write_pdf() function (closes: #866109).
tomcat-native (1.2.12-2+deb9u1) stretch-security; urgency=high
 .
   * Non-maintainer upload by the LTS team.
   * Fix CVE-2017-15698: When parsing the AIA-Extension field of a client certificate, Apache Tomcat Native did not correctly handle fields longer than 127 bytes. The result of the parsing error was to skip the OCSP check. It was therefore possible for client certificates that should have been rejected (if the OCSP check had been made) to be accepted. Users not using OCSP checks are not affected by this vulnerability.
tor (0.2.9.14-1) stretch-security; urgency=medium
 .
   * New upstream version, including among others:
     - Fix an issue causing DNS to fail on high-bandwidth exit nodes, making them nearly unusable. Fixes bugs 21394 and 18580; bugfix on 0.1.2.2-alpha, which introduced eventdns. Thanks to Dhalgren for identifying and finding a workaround to this bug and to Moritz, Arthur Edelstein, and Roger for helping to track it down and analyze it.
     - Fix a denial of service bug where an attacker could use a malformed directory object to cause a Tor instance to pause while OpenSSL would try to read a passphrase from the terminal. (Tor instances run without a terminal, which is the case for most Tor packages, are not impacted.)
       Fixes bug 24246; bugfix on every version of Tor. Also tracked as TROVE-2017-011 and CVE-2017-8821. Found by OSS-Fuzz as testcase 6360145429790720.
     - Fix a denial of service issue where an attacker could crash a directory authority using a malformed router descriptor. Fixes bug 24245; bugfix on 0.2.9.4-alpha. Also tracked as TROVE-2017-010 and CVE-2017-8820.
     - When checking for replays in the INTRODUCE1 cell data for a (legacy) onion service, correctly detect replays in the RSA-encrypted part of the cell. We were previously checking for replays on the entire cell, but those can be circumvented due to the malleability of Tor's legacy hybrid encryption. This fix helps prevent a traffic confirmation attack. Fixes bug 24244; bugfix on 0.2.4.1-alpha. This issue is also tracked as TROVE-2017-009 and CVE-2017-8819.
     - Fix a use-after-free error that could crash v2 Tor onion services when they failed to open circuits while expiring introduction points. Fixes bug 24313; bugfix on 0.2.7.2-alpha. This issue is also tracked as TROVE-2017-013 and CVE-2017-8823.
     - When running as a relay, make sure that we never build a path through ourselves, even in the case where we have somehow lost the version of our descriptor appearing in the consensus. Fixes part of bug 21534; bugfix on 0.2.0.1-alpha. This issue is also tracked as TROVE-2017-012 and CVE-2017-8822.
tor (0.2.9.14-1~bpo8+1) jessie-backports; urgency=medium
 .
   * Rebuild for jessie-backports.
   * Build-depend on dh-apparmor version >= 2.10.95, which is in backports, to avoid running into Bug #822349.
trafficserver (7.0.0-6+deb9u1) stretch-security; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * Add patch for CVE-2017-5660
   * Add patch for CVE-2017-7671
transmission (2.92-2+deb9u1) stretch-security; urgency=medium
 .
   * Fix RPC vulnerability discovered by Tavis Ormandy
tzdata (2018c-0+deb9u1) stretch; urgency=medium
 .
   * New upstream version, affecting the following past and future timestamps:
     - São Tomé and Príncipe switched from +00 to +01 on 2018-01-01 at 01:00.
     - Southern Brazil will begin DST on 2018-11-04 instead of 2018-10-21.
   * debian/control: Update Vcs-Git and Vcs-Browser fields following the move to Salsa.
tzdata (2018c-0+deb8u1) jessie; urgency=medium
 .
   * New upstream version, affecting the following past and future timestamps:
     - São Tomé and Príncipe switched from +00 to +01 on 2018-01-01 at 01:00.
     - Southern Brazil will begin DST on 2018-11-04 instead of 2018-10-21.
tzdata (2018b-1) unstable; urgency=medium
 .
   [ Aurelien Jarno ]
   * Update Russian debconf translation, by Lev Lamberov. Closes: #883876.
   * Update German debconf translation, by Holger Wansing. Closes: #884811.
 .
   [ Clint Adams ]
   * New upstream version.
tzdata (2017c-1) unstable; urgency=medium
 .
   * New upstream version, affecting the following future timestamp:
     - Northern Cyprus resumed EU rules starting 2017-10-29.
     - Namibia will switch from +01 with DST to +02 all year, affecting UT offsets starting 2018-04-01.
     - Sudan will switch from +03 to +02 on 2017-11-01.
     - Tonga will not observe DST on 2017-11-05.
     - Turks & Caicos will switch from -04 all year to -05 with US DST, affecting UT offset starting 2018-11-04.
   * debian/control, debian/copyright: update upstream links to use https.
   * debian/upstream/signing-key.asc: new file.
   * debian/watch: update watch file to version 4, add check for the OpenPGP signatures.
   * debian/control: Update Standards-Version to 4.1.1.
ust (2.9.0-2+deb9u1) stable; urgency=medium
 .
   * [5ffa17d] Set gbp branch config
   * [8e770e4] Fix python3-lttngust load un-versioned library (Closes: #882366)
uwsgi (2.0.14+20161117-3+deb9u1) stretch; urgency=medium
 .
   * Non-maintainer upload.
   * Stack-based buffer overflow in uwsgi_expand_path function (CVE-2018-6758) (Closes: #889753)
vagrant (1.9.1+dfsg-1+deb9u1) stretch; urgency=medium
 .
   * 0008-Convert-atlas-references-to-vagrant-cloud.patch: backport upstream patch to download boxes from app.vagrantcloud.com instead of the deprecated atlas.hashicorp.com (Closes: #889873)
vdirsyncer (0.14.1-1+deb9u1) stretch; urgency=medium
 .
   * Backport fix for discovering Google contacts (Closes: #883299)
virt-what (1.15-1+deb9u1) stable-proposed-updates; urgency=medium
 .
   * Unbreak virt detection on arm/aarch64 (Closes: #888690)
w3m (0.5.3-34+deb9u1) stretch; urgency=medium
 .
   * New patch 955_tbl-indent.patch to fix stack overflow [CVE-2018-6196]
   * New patch 956_columnpos.patch to fix null deref [CVE-2018-6197]
   * New patch 957_mkdtemp.patch to fix /tmp file races [CVE-2018-6198] (closes: #888097)
waagent (2.2.18-3~deb9u1) stretch; urgency=high
 .
   * Upload to stretch.
waagent (2.2.18-2) unstable; urgency=medium
 .
   * Create /var/lib/waagent with mode 0700. (closes: #878951)
waagent (2.2.18-1) unstable; urgency=medium
 .
   * New upstream version.
waagent (2.2.14-1) unstable; urgency=medium
 .
   * New upstream version.
wavpack (5.0.0-2+deb9u1) stretch-security; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * CVE-2018-6767, CVE-2018-7253, CVE-2018-7254
     several vulnerabilities allow a remote attacker to cause a denial-of-service or have unspecified other impact via maliciously crafted files (RF64, DSDIFF, CAF)
webkit2gtk (2.18.6-1~deb9u1) stretch; urgency=medium
 .
   * Team upload.
   * New security and bugfix release backported from Buster.
webkit2gtk (2.18.6-1~bpo9+1) stretch-backports; urgency=medium
 .
   * Rebuild for stretch-backports.
 .
   webkit2gtk (2.18.6-1) unstable; urgency=high
 .
   * New upstream release.
     + This fixes CVE-2018-4088, CVE-2017-13885, CVE-2017-7165, CVE-2017-13884, CVE-2017-7160, CVE-2017-7153, CVE-2017-7153, CVE-2017-7161 and CVE-2018-4096.
webkit2gtk (2.18.6-1~bpo8+1) jessie-backports-sloppy; urgency=medium
 .
   * Rebuild for jessie-backports-sloppy.
   * debian/control:
     + Build using libgeoclue-dev instead of libgeoclue-2-dev.
     + Build depend on clang-3.8.
     + Use ruby instead of ruby:native.
   * debian/rules:
     + Pass CC and CXX to dh_auto_configure so it uses clang instead of gcc.
 .
   webkit2gtk (2.18.6-1) unstable; urgency=high
 .
   * New upstream release.
     + This fixes CVE-2018-4088, CVE-2017-13885, CVE-2017-7165, CVE-2017-13884, CVE-2017-7160, CVE-2017-7153, CVE-2017-7153, CVE-2017-7161 and CVE-2018-4096.
webkit2gtk (2.18.5-1) unstable; urgency=high
 .
   * New upstream release.
     + This includes fixes to mitigate the effects of the Spectre vulnerability (CVE-2017-5753 and CVE-2017-5715).
webkit2gtk (2.18.5-1~bpo9+1) stretch-backports; urgency=medium
 .
   * Rebuild for stretch-backports.
 .
   webkit2gtk (2.18.5-1) unstable; urgency=high
 .
   * New upstream release.
     + This includes fixes to mitigate the effects of the Spectre vulnerability (CVE-2017-5753 and CVE-2017-5715).
webkit2gtk (2.18.5-1~bpo8+1) jessie-backports-sloppy; urgency=medium
 .
   * Rebuild for jessie-backports-sloppy.
   * debian/control:
     + Build using libgeoclue-dev instead of libgeoclue-2-dev.
     + Build depend on clang-3.8.
     + Use ruby instead of ruby:native.
   * debian/rules:
     + Pass CC and CXX to dh_auto_configure so it uses clang instead of gcc.
 .
   webkit2gtk (2.18.5-1) unstable; urgency=high
 .
   * New upstream release.
     + This includes fixes to mitigate the effects of the Spectre vulnerability (CVE-2017-5753 and CVE-2017-5715).
webkit2gtk (2.18.4-1) unstable; urgency=high
 .
   [ Alberto Garcia ]
   * New upstream release.
     + This fixes CVE-2017-13866, CVE-2017-13870, CVE-2017-7156 and CVE-2017-13856.
   * Refresh all patches.
   * debian/control:
     + Request native version of the Ruby package (thanks, Helmut Grohne) (Closes: #881637).
   * Instead of passing -DUSE_GSTREAMER_GL=OFF explicitly, let CMake do it if libgstreamer-plugins-bad1.0-dev is not installed.
     + debian/patches/detect-gstreamer-gl.patch:
       - Disable USE_GSTREAMER_GL if GStreamerGL is not found.
     + debian/rules:
       - Remove the list of architectures that are not using GStreamerGL.
   * debian/control:
     + Don't require libgstreamer-plugins-bad1.0-dev in hppa, m68k, powerpcspe, sh4 or x32.
 .
   [ Jeremy Bicha ]
   * debian/control: Update Vcs-Git to point to correct branch.
   * Allow setting the distributor name in the User Agent string. Ubuntu wants this patch, but since it makes it easier to identify the user let's leave it disabled in Debian (Closes: #883712).
     + debian/patches/user-agent-branding.patch:
       - Patch to support updating the User-Agent string.
     + debian/rules:
       - Pass -DUSER_AGENT_GTK_DISTRIBUTOR_NAME when building for Ubuntu.
webkit2gtk (2.18.4-1~bpo9+1) stretch-backports; urgency=medium
 .
   * Rebuild for stretch-backports.
 .
   webkit2gtk (2.18.4-1) unstable; urgency=high
 .
   [ Alberto Garcia ]
   * New upstream release.
     + This fixes CVE-2017-13866, CVE-2017-13870, CVE-2017-7156 and CVE-2017-13856.
   * Refresh all patches.
   * debian/control:
     + Request native version of the Ruby package (thanks, Helmut Grohne) (Closes: #881637).
   * Instead of passing -DUSE_GSTREAMER_GL=OFF explicitly, let CMake do it if libgstreamer-plugins-bad1.0-dev is not installed.
     + debian/patches/detect-gstreamer-gl.patch:
       - Disable USE_GSTREAMER_GL if GStreamerGL is not found.
     + debian/rules:
       - Remove the list of architectures that are not using GStreamerGL.
   * debian/control:
     + Don't require libgstreamer-plugins-bad1.0-dev in hppa, m68k, powerpcspe, sh4 or x32.
 .
   [ Jeremy Bicha ]
   * debian/control: Update Vcs-Git to point to correct branch.
   * Allow setting the distributor name in the User Agent string. Ubuntu wants this patch, but since it makes it easier to identify the user let's leave it disabled in Debian (Closes: #883712).
     + debian/patches/user-agent-branding.patch:
       - Patch to support updating the User-Agent string.
     + debian/rules:
       - Pass -DUSER_AGENT_GTK_DISTRIBUTOR_NAME when building for Ubuntu.
webkit2gtk (2.18.4-1~bpo8+1) jessie-backports-sloppy; urgency=medium
 .
   * Rebuild for jessie-backports-sloppy.
   * debian/control:
     + Build using libgeoclue-dev instead of libgeoclue-2-dev.
+ Build depend on clang-3.8. + Use ruby instead of ruby:native. * debian/rules: + Pass CC and CXX to dh_auto_configure so it uses clang instead of gcc. . webkit2gtk (2.18.4-1) unstable; urgency=high . [ Alberto Garcia ] * New upstream release. + This fixes CVE-2017-13866, CVE-2017-13870, CVE-2017-7156 and CVE-2017-13856. * Refresh all patches. * debian/control: + Request native version of the Ruby package (thanks, Helmut Grohne) (Closes: #881637). * Instead of passing -DUSE_GSTREAMER_GL=OFF explicitly, let CMake do it if libgstreamer-plugins-bad1.0-dev is not installed. + debian/patches/detect-gstreamer-gl.patch: - Disable USE_GSTREAMER_GL if GStreamerGL is not found. + debian/rules: - Remove the list of architectures that are not using GStreamerGL. * debian/control: + Don't require libgstreamer-plugins-bad1.0-dev in hppa, m68k, powerpcspe, sh4 or x32. . [ Jeremy Bicha ] * debian/control: Update Vcs-Git to point to correct branch. * Allow setting the distributor name in the User Agent string. Ubuntu wants this patch, but since it makes it easier to identify the user let's leave it disabled in Debian (Closes: #883712). + debian/patches/user-agent-branding.patch: - Patch to support updating the User-Agent string. + debian/rules: - Pass -DUSER_AGENT_GTK_DISTRIBUTOR_NAME when building for Ubuntu. webkit2gtk (2.18.3-1) unstable; urgency=high . * New upstream release. * The WebKitGTK+ security advisory WSA-2017-0009 lists the following security fixes in the latest versions of WebKitGTK+: + CVE-2017-13783, CVE-2017-13784, CVE-2017-13785, CVE-2017-13791, CVE-2017-13792, CVE-2017-13793, CVE-2017-13794, CVE-2017-13795, CVE-2017-13796 and CVE-2017-13802 (fixed in 2.18.1). + CVE-2017-13788, CVE-2017-13798, CVE-2017-13803 (fixed in 2.18.3) * Several cross-compilation fixes in debian/rules (thanks, Helmut Grohne) (Closes: #881341): + Include /usr/share/dpkg/architecture.mk instead of calling dpkg-architecture manually to set the DEB_*_ARCH variables. 
+ Use DEB_BUILD_ARCH_BITS to decide whether to pass --no-keep-memory to the linker. + Use DEB_HOST_ARCH to decide whether to use -g1, -DENABLE_JIT=OFF and -DUSE_GSTREAMER_GL=OFF. + Remove the --no-relax flag for alpha, this was a workaround for a 10 year old binutils bug. webkit2gtk (2.18.3-1~bpo9+1) stretch-backports; urgency=medium . * Rebuild for stretch-backports. . webkit2gtk (2.18.3-1) unstable; urgency=high . * New upstream release. * The WebKitGTK+ security advisory WSA-2017-0009 lists the following security fixes in the latest versions of WebKitGTK+: + CVE-2017-13783, CVE-2017-13784, CVE-2017-13785, CVE-2017-13791, CVE-2017-13792, CVE-2017-13793, CVE-2017-13794, CVE-2017-13795, CVE-2017-13796 and CVE-2017-13802 (fixed in 2.18.1). + CVE-2017-13788, CVE-2017-13798, CVE-2017-13803 (fixed in 2.18.3) * Several cross-compilation fixes in debian/rules (thanks, Helmut Grohne) (Closes: #881341): + Include /usr/share/dpkg/architecture.mk instead of calling dpkg-architecture manually to set the DEB_*_ARCH variables. + Use DEB_BUILD_ARCH_BITS to decide whether to pass --no-keep-memory to the linker. + Use DEB_HOST_ARCH to decide whether to use -g1, -DENABLE_JIT=OFF and -DUSE_GSTREAMER_GL=OFF. + Remove the --no-relax flag for alpha, this was a workaround for a 10 year old binutils bug. webkit2gtk (2.18.3-1~bpo8+1) jessie-backports-sloppy; urgency=medium . * Rebuild for jessie-backports-sloppy. * debian/control: + Build using libgeoclue-dev instead of libgeoclue-2-dev. + Build depend on clang-3.8. * debian/rules: + Pass CC and CXX to dh_auto_configure so it uses clang instead of gcc. . webkit2gtk (2.18.3-1) unstable; urgency=high . * New upstream release. * The WebKitGTK+ security advisory WSA-2017-0009 lists the following security fixes in the latest versions of WebKitGTK+: + CVE-2017-13783, CVE-2017-13784, CVE-2017-13785, CVE-2017-13791, CVE-2017-13792, CVE-2017-13793, CVE-2017-13794, CVE-2017-13795, CVE-2017-13796 and CVE-2017-13802 (fixed in 2.18.1). 
+ CVE-2017-13788, CVE-2017-13798, CVE-2017-13803 (fixed in 2.18.3) * Several cross-compilation fixes in debian/rules (thanks, Helmut Grohne) (Closes: #881341): + Include /usr/share/dpkg/architecture.mk instead of calling dpkg-architecture manually to set the DEB_*_ARCH variables. + Use DEB_BUILD_ARCH_BITS to decide whether to pass --no-keep-memory to the linker. + Use DEB_HOST_ARCH to decide whether to use -g1, -DENABLE_JIT=OFF and -DUSE_GSTREAMER_GL=OFF. + Remove the --no-relax flag for alpha, this was a workaround for a 10 year old binutils bug. webkit2gtk (2.18.2-1) unstable; urgency=medium . * New upstream release. * debian/control: + Set the minimum versions of these build dependencies: cmake >= 3.3, libcairo2-dev >= 1.10.2, libfontconfig1-dev >= 2.8, and libgcrypt20-dev >= 1.7.0, libxml2-dev >= 2.8. webkit2gtk (2.18.2-1~bpo9+1) stretch-backports; urgency=medium . * Rebuild for stretch-backports. webkit2gtk (2.18.2-1~bpo8+1) jessie-backports-sloppy; urgency=medium . * Rebuild for jessie-backports-sloppy. * debian/control: + Build using libgeoclue-dev instead of libgeoclue-2-dev. + Build depend on clang-3.8. * debian/rules: + Pass CC and CXX to dh_auto_configure so it uses clang instead of gcc. webkit2gtk (2.18.1-1) unstable; urgency=medium . * New upstream release. * The WebKitGTK+ security advisory WSA-2017-0008 lists the following security fixes in the latest versions of WebKitGTK+: + CVE-2017-7081 and CVE-2017-7142 (fixed in 2.16.1). + CVE-2017-7094 (fixed in 2.16.3). + CVE-2017-7099 (fixed in 2.16.4). + CVE-2017-7087, CVE-2017-7089, CVE-2017-7090, CVE-2017-7091, CVE-2017-7092, CVE-2017-7093, CVE-2017-7095, CVE-2017-7096, CVE-2017-7098, CVE-2017-7100, CVE-2017-7102, CVE-2017-7104, CVE-2017-7107, CVE-2017-7109, CVE-2017-7111, CVE-2017-7117, CVE-2017-7120 (fixed in 2.18.0). * debian/control: + Recommend the Pulseaudio or ALSA GStreamer plugins, since they're needed for audio playback (Closes: #877281). 
* debian/patches/fix-ftbfs-alpha.patch: + This patch is no longer needed, drop it. * Refresh all other patches. * debian/control: + Remove 'Priority: extra' fields, all packages have optional priority now (the 'extra' priority has been deprecated). * debian/copyright: + Use https for the Format URL. webkit2gtk (2.18.1-1~bpo9+1) stretch-backports; urgency=medium . * Rebuild for stretch-backports. webkit2gtk (2.18.1-1~bpo8+1) jessie-backports-sloppy; urgency=medium . * Rebuild for jessie-backports-sloppy. * debian/control: + Build using libgeoclue-dev instead of libgeoclue-2-dev. + Build depend on clang-3.8, cmake >= 3.3 and libgcrypt20-dev >= 1.7.0 (we need to use the backports of all these packages) * debian/rules: + Pass CC and CXX to dh_auto_configure so it uses clang instead of gcc. webkit2gtk (2.18.0-2) unstable; urgency=medium . * Upload to unstable. * debian/gbp.conf: + Update upstream branch name. * The WebKitGTK+ security advisory WSA-2017-0007 lists the following security fixes in WebKitGTK+ 2.16.3: + CVE-2017-1000121. + CVE-2017-1000122. webkit2gtk (2.18.0-1) experimental; urgency=medium . * New upstream release. webkit2gtk (2.17.92-1) experimental; urgency=medium . * New upstream development release. * Disable GStreamerGL in the Hurd: + Pass -DUSE_GSTREAMER_GL=OFF in debian/rules. + Remove build dependency on libgstreamer-plugins-bad1.0-dev from debian/control. * debian/control: + Recommend libgl1-mesa-dri (Closes: #873084). * debian/patches/fix-ftbfs-m68k.patch: + Refresh. webkit2gtk (2.17.91-1) experimental; urgency=medium . * New upstream development release. * Refresh all patches and remove no-whole-archive.patch. * debian/patches/fix-ftbfs-hurd.patch: + Work around missing PATH_MAX definition in ConfigFile.h * Disable GStreamerGL in kFreeBSD and sparc64: + Pass -DUSE_GSTREAMER_GL=OFF in debian/rules. + Remove build dependency on libgstreamer-plugins-bad1.0-dev from debian/control. webkit2gtk (2.17.90-1) experimental; urgency=medium . 
* New upstream development release. * Refresh all patches. * debian/control: + Add build dependency on libtasn1-6-dev (for Web Crypto). * debian/libwebkit2gtk-4.0-37.symbols: + Update symbols. * Disable GStreamerGL in armel and armhf, the usage of two different GL implementations causes a build failure (see WebKit bug #175127). + debian/control: Don't install libgstreamer-plugins-bad1.0-dev in those architectures. + debian/rules: Pass -DUSE_GSTREAMER_GL=OFF. * debian/patches/no-whole-archive.patch: + Don't use --whole-archive for the WebKit2 target libraries. webkit2gtk (2.17.5-2) experimental; urgency=medium . * debian/rules: + Don't pass -DENABLE_DISASSEMBLER=0, this is no longer necessary. + Don't disable JIT in arm64. + Don't disable the gold linker in any architecture. * debian/control: + Add build dependency on mesa-common-dev (GStreamerGL needs GL/gl.h), this is automatically pulled in some architectures by libgl1-mesa-dev, but without it the build fails in all others. * Refresh debian/patches/fix-ftbfs-m68k.patch. webkit2gtk (2.17.5-1) experimental; urgency=medium . * New upstream development release. * Refresh all patches. * debian/source/lintian-overrides: + Update source-is-missing overrides. * debian/patches/fix-ftbfs-m68k.patch: + Fix FTBFS in m68k. * debian/control: + Add build dependency on libgstreamer-plugins-bad1.0-dev for GStreamerGL and bump all GStreamer dependencies to >= 1.2.3. + Add build dependency on libgles2-mesa-dev for all architectures (GStreamerGL needs GLES3/gl3.h). * debian/libwebkit2gtk-4.0-37.symbols: + Update symbols. * Override typelib-package-name-does-not-match and gir-missing-typelib-dependency lintian warnings in gir1.2-javascriptcoregtk-4.0, gir1.2-webkit2-4.0, libjavascriptcoregtk-4.0-dev and libwebkit2gtk-4.0-dev. webkit2gtk (2.17.4-1) experimental; urgency=medium . * New upstream development release. * debian/patches/fix-ftbfs-sparc64.patch: + Refresh. 
* debian/patches/fix-ftbfs-x86.patch: + Update to fix build in x86_64. * debian/libwebkit2gtk-4.0-37.symbols: + Update symbols. webkit2gtk (2.17.3-1) experimental; urgency=medium . * New upstream development release. * Refresh all patches. * debian/patches/fix-ftbfs-x86.patch: + Fix FTBFS in x86. * debian/watch, debian/gbp.conf: + Update for 2.17.x packages in experimental. * debian/libwebkit2gtk-4.0-37.symbols: + Update symbols. webkit2gtk (2.16.6-1) unstable; urgency=high . * New upstream release. * The WebKitGTK+ security advisory WSA-2017-0006 lists the following security fixes in the latest versions of WebKitGTK+: + CVE-2017-7020 (fixed in 2.16.1). + CVE-2017-7006, CVE-2017-7012, CVE-2017-7019, CVE-2017-7038, CVE-2017-7041, CVE-2017-7042, CVE-2017-7043, CVE-2017-7049 (fixed in 2.16.2). + CVE-2017-7011, CVE-2017-7040, CVE-2017-7059 (fixed in 2.16.3). + CVE-2017-7052 (fixed in 2.16.4). + CVE-2017-7018, CVE-2017-7030, CVE-2017-7034, CVE-2017-7037, CVE-2017-7039, CVE-2017-7046, CVE-2017-7048, CVE-2017-7055, CVE-2017-7056, CVE-2017-7061, CVE-2017-7064 (fixed in 2.16.6). * debian/patches/fix-ftbfs-m68k.patch: + Fix FTBFS in m68k (Closes: #868126). * Override typelib-package-name-does-not-match and gir-missing-typelib-dependency lintian warnings in gir1.2-javascriptcoregtk-4.0, gir1.2-webkit2-4.0, libjavascriptcoregtk-4.0-dev and libwebkit2gtk-4.0-dev. webkit2gtk (2.16.6-1~bpo9+1) stretch-backports; urgency=medium . * Rebuild for stretch-backports. . webkit2gtk (2.16.6-1) unstable; urgency=high . * New upstream release. * The WebKitGTK+ security advisory WSA-2017-0006 lists the following security fixes in the latest versions of WebKitGTK+: + CVE-2017-7020 (fixed in 2.16.1). + CVE-2017-7006, CVE-2017-7012, CVE-2017-7019, CVE-2017-7038, CVE-2017-7041, CVE-2017-7042, CVE-2017-7043, CVE-2017-7049 (fixed in 2.16.2). + CVE-2017-7011, CVE-2017-7040, CVE-2017-7059 (fixed in 2.16.3). + CVE-2017-7052 (fixed in 2.16.4). 
+ CVE-2017-7018, CVE-2017-7030, CVE-2017-7034, CVE-2017-7037, CVE-2017-7039, CVE-2017-7046, CVE-2017-7048, CVE-2017-7055, CVE-2017-7056, CVE-2017-7061, CVE-2017-7064 (fixed in 2.16.6). * debian/patches/fix-ftbfs-m68k.patch: + Fix FTBFS in m68k (Closes: #868126). * Override typelib-package-name-does-not-match and gir-missing-typelib-dependency lintian warnings in gir1.2-javascriptcoregtk-4.0, gir1.2-webkit2-4.0, libjavascriptcoregtk-4.0-dev and libwebkit2gtk-4.0-dev. webkit2gtk (2.16.6-1~bpo8+1) jessie-backports-sloppy; urgency=medium . * Rebuild for jessie-backports-sloppy. * debian/control: + Build using libgeoclue-dev instead of libgeoclue-2-dev. . webkit2gtk (2.16.6-1) unstable; urgency=high . * New upstream release. * The WebKitGTK+ security advisory WSA-2017-0006 lists the following security fixes in the latest versions of WebKitGTK+: + CVE-2017-7020 (fixed in 2.16.1). + CVE-2017-7006, CVE-2017-7012, CVE-2017-7019, CVE-2017-7038, CVE-2017-7041, CVE-2017-7042, CVE-2017-7043, CVE-2017-7049 (fixed in 2.16.2). + CVE-2017-7011, CVE-2017-7040, CVE-2017-7059 (fixed in 2.16.3). + CVE-2017-7052 (fixed in 2.16.4). + CVE-2017-7018, CVE-2017-7030, CVE-2017-7034, CVE-2017-7037, CVE-2017-7039, CVE-2017-7046, CVE-2017-7048, CVE-2017-7055, CVE-2017-7056, CVE-2017-7061, CVE-2017-7064 (fixed in 2.16.6). * debian/patches/fix-ftbfs-m68k.patch: + Fix FTBFS in m68k (Closes: #868126). * Override typelib-package-name-does-not-match and gir-missing-typelib-dependency lintian warnings in gir1.2-javascriptcoregtk-4.0, gir1.2-webkit2-4.0, libjavascriptcoregtk-4.0-dev and libwebkit2gtk-4.0-dev. wireshark (2.2.6+g32dac6a-2+deb9u2) stretch-security; urgency=medium . * Non-maintainer upload by the Wheezy LTS Team. * fix for CVE-2018-5334 * fix for CVE-2018-5335 * fix for CVE-2018-5336 Several parsers of wireshark could be crashed by malformed packets. wireshark (2.2.6+g32dac6a-2+deb9u1) stretch-security; urgency=medium . 
* CVE-2017-11408 / CVE-2017-13766 / CVE-2017-17083.patch / CVE-2017-17084.patch CVE-2017-17085 wordpress (4.7.5+dfsg-2+deb9u2) stretch-security; urgency=high . * Backport security patches from 4.9.1 Closes: #883314 - CVE-2017-17091 Use a properly generated hash for the newbloguser key instead of a determinate substring. Changeset 42272 - CVE-2017-17092 Remove the ability to upload JavaScript files for users who do not have the unfiltered_html capability Changeset 42275 - CVE-2017-17093 Add escaping to the language attributes used on html elements Changeset 42273 - CVE-2017-17094 Ensure the attributes of enclosures are correctly escaped in RSS and Atom feeds Changeset 42274 * Also backport patch for $wpdb->prepare CVE-2017-16510 Closes: 880528 wordpress (4.7.5+dfsg-2+deb9u2~bpo8+1) jessie-backports; urgency=medium . * Rebuild for jessie-backports. * Several security issues fixed xchain (1.0.1-9~deb9u1) stretch; urgency=medium . * QA upload. * Rebuild for stretch. . xchain (1.0.1-9) unstable; urgency=medium . * QA upload. * Revert path change, depend on "wish" only. Re-closes: #878090 . xchain (1.0.1-8) unstable; urgency=medium . * QA upload. * Update path to wish (it's /usr/bin/wish8.5 now). Closes: #878090 * Priority optional. xchain (1.0.1-8) unstable; urgency=medium . * QA upload. * Update path to wish (it's /usr/bin/wish8.5 now). Closes: #878090 * Priority optional. xen (4.8.3+comet2+shim4.10.0+comet3-1+deb9u5) stretch-security; urgency=high . * Security fixes from upstream XSAs: XSA-252 CVE-2018-7540 XSA-255 CVE-2018-7541 XSA-256 CVE-2018-7542 The upstream BTI changes from XSA-254 (Spectre v2 mitigation) are *not* included. They are currently failing in upstream CI. * init scripts: Do not kill per-domain qemu processes. Closes:#879751. * Install Meltdown READMEs on all architectures. Closes:#890488. * Ship xen-diag (by cherry-picking the appropriate commits from upstream). This can help with diagnosis of #880554. 
xen (4.8.3+comet2+shim4.10.0+comet3-1+deb9u4.1) stretch-security; urgency=high . * Fix builds on other than amd64. . xen (4.8.3+comet2+shim4.10.0+comet3-1+deb9u4) stretch-security; urgency=high . * Update to new upstream version 4.8.3+comet2+shim4.10.0+comet3. Specifically, this is two upstreams: - Upstream Xen 4.8.3 "git merge"d with upstream Xen Security Team (XSA-254) 4.8.3pre-shim-comet-2, in `.' - Upstream Xen 4.10.0-shim-comet-3 in `shim'. The upstream tarballs are from `git archive' with the gitattributes for mangling .gitarchive-info disabled. Therefore, we include these security fixes: XSA-254 CVE-2017-5754 but SP3 "Meltdown" only XSA-253 CVE-2018-5244 XSA-251 CVE-2017-17565 XSA-250 CVE-2017-17564 XSA-249 CVE-2017-17563 XSA-248 CVE-2017-17566 * Ship README.pti and README.comet from the upstream XSA-254 advisory in /usr/share/doc/xen-utils/common/. xen (4.8.3+comet2+shim4.10.0+comet3-1+deb9u4) stretch-security; urgency=high . * Update to new upstream version 4.8.3+comet2+shim4.10.0+comet3. Specifically, this is two upstreams: - Upstream Xen 4.8.3 "git merge"d with upstream Xen Security Team (XSA-254) 4.8.3pre-shim-comet-2, in `.' - Upstream Xen 4.10.0-shim-comet-3 in `shim'. The upstream tarballs are from `git archive' with the gitattributes for mangling .gitarchive-info disabled. Therefore, we include these security fixes: XSA-254 CVE-2017-5754 but SP3 "Meltdown" only XSA-253 CVE-2018-5244 XSA-251 CVE-2017-17565 XSA-250 CVE-2017-17564 XSA-249 CVE-2017-17563 XSA-248 CVE-2017-17566 * Ship README.pti and README.comet from the upstream XSA-254 advisory in /usr/share/doc/xen-utils/common/. xmltooling (1.6.0-4+deb9u1) stretch-security; urgency=high . [ Russ Allbery ] * [4e7dec2] Remove myself from Uploaders . [ Ferenc Wágner ] * [2e5cad6] New patch fixing CVE-2018-0486: vulnerability to forged user attribute data. 
The Service Provider software relies on a generic XML parser to process SAML responses and there are limitations in older versions of the parser that make it impossible to fully disable Document Type Definition (DTD) processing. Through addition/manipulation of a DTD, it's possible to make changes to an XML document that do not break a digital signature but are mishandled by the SP and its libraries. These manipulations can alter the user data passed through to applications behind the SP and result in impersonation attacks and exposure of protected information. While the use of XML Encryption can serve as a mitigation for this bug, it may still be possible to construct attacks in such cases, and the SP does not provide a means to enforce its use. https://shibboleth.net/community/advisories/secadv_20180112.txt CPPXT-127 - Block entity reference nodes during unmarshalling. https://issues.shibboleth.net/jira/browse/CPPXT-127 * [91c50ae] New patches fixing CVE-2018-0489: additional data forgery flaws. These flaws allow for changes to an XML document that do not break a digital signature but alter the user data passed through to applications enabling impersonation attacks and exposure of protected information. https://shibboleth.net/community/advisories/secadv_20180227.txt https://issues.shibboleth.net/jira/browse/CPPXT-128 The Add-disallowDoctype-to-parser-configuration.patch is not effective under Xerces 3.1 in stretch, but provides more generic protection under Xerces 3.2 against issues like CVE-2018-0486. It's included here for completeness and to avoid a conflict applying the CVE-2018-0489 patch. xmltooling (1.6.0-4+deb9u1~bpo8+1) jessie-backports; urgency=medium . * Rebuild for jessie-backports. xrdp (0.9.1-9+deb9u2) stretch; urgency=medium . * Fix CVE-2017-16927. (Closes: #882463) * Fix high CPU load on ssl_tls_accept. 
(Closes: #884453) ====================================== Sat, 09 Dec 2017 - Debian 9.3 released ====================================== ========================================================================= [Date: Sat, 09 Dec 2017 08:35:43 +0000] [ftpmaster: Archive Administrator] Removed the following packages from stable: libnet-ping-external-perl | 0.13-1 | source, all Closed bugs: 881203 ------------------- Reason ------------------- unmaintained, security issues ---------------------------------------------- ========================================================================= abiword (3.0.2-2+deb9u1) stretch; urgency=medium . * QA upload. * Fix flickering (Closes: #851052, #848838) (LP: #1574278). asterisk (1:13.14.1~dfsg-2+deb9u2) stretch-security; urgency=high . * CVE-2017-14603 / AST-2017-008 This is a follow-up for AST-2017-005: RTP/RTCP information leak improving robustness of the security fix and fixing a regression with re-INVITEs (Closes: #876328) * Fix one-way audio with chan_sip when transcoding (Closes: #875450) base-files (9.9+deb9u3) stretch; urgency=medium . * Change /etc/debian_version to 9.3, for Debian 9.3 point release. base-files (9.9+deb9u2) stretch; urgency=medium . * Change /etc/debian_version to 9.2, for Debian 9.2 point release. bchunk (1.2.0-12+deb9u1) stretch-security; urgency=high . * Non-maintainer upload. * Fix CVE-2017-15953, CVE-2017-15954 and CVE-2017-15955. bchunk was vulnerable to a heap-based buffer overflow with a resultant invalid free when processing a malformed CUE (.cue) file that may lead to the execution of arbitrary code or an application crash. (Closes: #880116) bchunk (1.2.0-12+deb8u1) jessie-security; urgency=high . * Non-maintainer upload. * Fix CVE-2017-15953, CVE-2017-15954 and CVE-2017-15955. bchunk was vulnerable to a heap-based buffer overflow with a resultant invalid free when processing a malformed CUE (.cue) file that may lead to the execution of arbitrary code or an application crash. 
(Closes: #880116) berusky (1.7-1+deb9u1) stretch; urgency=medium . * Add crash-on-startup.patch and fix the startup crash with certain video card configurations. (Closes: #877979) bzr (2.7.0+bzr6619-7+deb9u1) stretch-security; urgency=high . * Non-maintainer upload by the Security Team. * Use 'localhost' rather than '127.0.0.1' in SSL certificates, as the latter trips up pycurl (Closes: #868966) * Ship a refreshed copy of the ssl certs used in testsuite * Prevent SSH command line options from being specified in bzr+ssh:// URLs (CVE-2017-14176) (Closes: #874429) charmtimetracker (1.11.4-1+deb9u1) stretch; urgency=medium . * Fix "Missing binary dependency on libqt5sql5-sqlite" (Closes: #873918) - Adding libqt5sql5-sqlite to depends list of charmtimetracker. * Fix "Please drop "Cross-Platform" from package description" rewrite description for the package (Closes: #873917) chromium-browser (62.0.3202.89-1~deb9u1) stretch-security; urgency=medium . * New upstream security release. - CVE-2017-15398: Stack buffer overflow in QUIC. Reported by Ned Williamson - CVE-2017-15399: Use after free in V8. Reported by Zhao Qixun chromium-browser (62.0.3202.75-1) unstable; urgency=medium . * New upstream stable release (closes: #879451). - CVE-2017-5124: UXSS with MHTML. Reported by Anonymous - CVE-2017-5125: Heap overflow in Skia. Reported by Anonymous - CVE-2017-5126: Use after free in PDFium. Reported by Luat Nguyen - CVE-2017-5127: Use after free in PDFium. Reported by Luat Nguyen - CVE-2017-5128: Heap overflow in WebGL. Reported by Omair - CVE-2017-5129: Use after free in WebAudio. Reported by Omair - CVE-2017-5131: Out of bounds write in Skia. Reported by Anonymous - CVE-2017-5132: Incorrect stack manipulation in WebAssembly. Reported by Gaurav Dewan - CVE-2017-5133: Out of bounds write in Skia. Reported by Aleksandar Nikolic - CVE-2017-15386: UI spoofing in Blink. Reported by WenXu Wu - CVE-2017-15387: Content security bypass. 
Reported by Jun Kokatsu - CVE-2017-15388: Out of bounds read in Skia. Reported by Kushal Arvind Shah - CVE-2017-15389: URL spoofing in OmniBox. Reported by xisigr - CVE-2017-15390: URL spoofing in OmniBox. Reported by Haosheng Wang - CVE-2017-15391: Extension limitation bypass in Extensions. Reported by João Lucas Melo Brasio - CVE-2017-15392: Incorrect registry key handling in PlatformIntegration. Reported by Xiaoyin Liu - CVE-2017-15393: Referrer leak in Devtools. Reported by Svyat Mitin - CVE-2017-15394: URL spoofing in extensions UI. Reported by Sam - CVE-2017-15395: Null pointer dereference in ImageCapture. Reported by Johannes Bergman - CVE-2017-15396: Stack overflow in V8. Reported by Yuan Deng * Enable chromecast feature switch (closes: #878244). chromium-browser (62.0.3202.75-1~deb9u1) stretch-security; urgency=medium . * New upstream stable release. - CVE-2017-5124: UXSS with MHTML. Reported by Anonymous - CVE-2017-5125: Heap overflow in Skia. Reported by Anonymous - CVE-2017-5126: Use after free in PDFium. Reported by Luat Nguyen - CVE-2017-5127: Use after free in PDFium. Reported by Luat Nguyen - CVE-2017-5128: Heap overflow in WebGL. Reported by Omair - CVE-2017-5129: Use after free in WebAudio. Reported by Omair - CVE-2017-5131: Out of bounds write in Skia. Reported by Anonymous - CVE-2017-5132: Incorrect stack manipulation in WebAssembly. Reported by Gaurav Dewan - CVE-2017-5133: Out of bounds write in Skia. Reported by Aleksandar Nikolic - CVE-2017-15386: UI spoofing in Blink. Reported by WenXu Wu - CVE-2017-15387: Content security bypass. Reported by Jun Kokatsu - CVE-2017-15388: Out of bounds read in Skia. Reported by Kushal Arvind Shah - CVE-2017-15389: URL spoofing in OmniBox. Reported by xisigr - CVE-2017-15390: URL spoofing in OmniBox. Reported by Haosheng Wang - CVE-2017-15391: Extension limitation bypass in Extensions. Reported by João Lucas Melo Brasio - CVE-2017-15392: Incorrect registry key handling in PlatformIntegration. 
Reported by Xiaoyin Liu - CVE-2017-15393: Referrer leak in Devtools. Reported by Svyat Mitin - CVE-2017-15394: URL spoofing in extensions UI. Reported by Sam - CVE-2017-15395: Null pointer dereference in ImageCapture. Reported by Johannes Bergman - CVE-2017-15396: Stack overflow in V8. Reported by Yuan Deng chromium-browser (61.0.3163.100-2) unstable; urgency=medium . * Add liblcms2-dev as a build dependency (closes: #876804). chromium-browser (61.0.3163.100-1) unstable; urgency=medium . * New upstream stable release (closes: #876030). - CVE-2017-5111: Use after free in PDFium. Reported by Luật Nguyễn - CVE-2017-5112: Heap buffer overflow in WebGL. Reported by Tobias Kleini - CVE-2017-5113: Heap buffer overflow in Skia. Reported by Anonymous - CVE-2017-5114: Memory lifecycle issue in PDFium. Reported by Ke Liu - CVE-2017-5115: Type confusion in V8. Reported by Marco Giovannini - CVE-2017-5116: Type confusion in V8. Reported by Anonymous - CVE-2017-5117: Use of uninitialized value in Skia. Reported by Tobias Klein - CVE-2017-5118: Bypass of Content Security Policy in Blink. Reported by WenXu Wu - CVE-2017-5119: Use of uninitialized value in Skia. Reported by Anonymous - CVE-2017-5120: Potential HTTPS downgrade during redirect navigation. Reported by Xiaoyin Liu - CVE-2017-5121: Out-of-bounds access in V8. Reported by Jordan Rabet - CVE-2017-5122: Out-of-bounds access in V8. Reported by Choongwoo Han - Adds support for gcc7 (closes: #853347). * Update standards version. * Use system libstdc++ instead of chromium's bundled custom libc++. * Improve error message when network is unreachable (closes: #864539). * Fix a mistake that led to unstripped binary files (closes: #870531). corebird (1.4.1-1+deb9u1) stretch; urgency=medium . * Allow 280 characters per tweet curl (7.52.1-5+deb9u3) stretch-security; urgency=high . * Non-maintainer upload by the Security Team. 
* Fix NTLM buffer overflow via integer overflow as per CVE-2017-8816 https://curl.haxx.se/docs/adv_2017-11e7.html * Fix FTP wildcard out of bounds read as per CVE-2017-8817 https://curl.haxx.se/docs/adv_2017-ae72.html curl (7.52.1-5+deb9u2) stretch-security; urgency=medium . * Fix IMAP FETCH response out of bounds read as per CVE-2017-1000257 https://curl.haxx.se/docs/adv_20171023.html curl (7.52.1-5+deb9u1) stretch-security; urgency=medium . * Fix TFTP sends more than buffer size as per CVE-2017-1000100 https://curl.haxx.se/docs/adv_20170809B.html * Fix URL globbing out of bounds read as per CVE-2017-1000101 https://curl.haxx.se/docs/adv_20170809A.html * Fix FTP PWD response parser out of bounds read as per CVE-2017-1000254 https://curl.haxx.se/docs/adv_20171004.html dbus (1.10.24-0+deb9u1) stretch; urgency=medium . * New upstream stable release - dbus/dbus-sysdeps-unix.c: Increase listen() backlog of AF_UNIX sockets to the maximum possible, minimizing failed connections under heavy load (Closes: #872144) - bus/config-loader-expat.c: When parsing dbus-daemon configuration, don't delay startup if high-quality entropy is not yet available: we trust the configuration anyway, so algorithmic complexity attacks via hash table collisions are not a concern - bus/*: When using the Monitoring interface, match message filters that specify a destination correctly - test/monitor.c: Add test-cases for this - tools/dbus-send.c: Avoid a compiler warning when gcc gets confused about a conditionally-initialized variable - dbus/dbus-sysdeps-unix.c: Avoid a compiler warning on Solaris (not relevant to Debian) dbus (1.10.22-1) unstable; urgency=medium . * New upstream stable release * Run build-time tests (Closes: #630152) - Skip build-time tests when only building Architecture: all. Once per architecture is enough. * Build-depend on python3{,-dbus,-gi} if we will run build-time tests. 
This is a circular dependency, but is flagged as so it can be omitted when cross-compiling or bootstrapping. * Enable valgrind integration in the debug build on mips64 * Replace stage1 build profile with pkg.dbus.minimal * Drop explicit dependency on autotools-dev, implied by debhelper 10 * debian/upstream/signing-key.asc: Update subkeys and uids debian-edu-doc (1.921~20170603+deb9u3) stretch; urgency=medium . [ Holger Levsen ] * Merge stretch related documentation and translation updates from the debian-edu-doc package in sid: * Update Debian Edu Stretch manual from the wiki. . [ Stretch manual translation updates ] * Dutch: Frans Spiesschaert. * German: Wolfgang Schweer. * Italian: Claudio Carboncini. * Japanese: Victory. * Norwegian Bokmål: Petter Reinholdtsen. * Simplified Chinese: Ma Yong. . [ Frans Spiesschaert ] * images/nl: add a Dutch images folder and Dutch screenshots for the manual. . [ Wolfgang Schweer ] * documentation/common/edu.css.xml: improve HTML manual readability. . [ ITIL manual translation updates ] * Dutch: Frans Spiesschaert. debian-installer-netboot-images (20170615+deb9u2.b1) stretch; urgency=medium . * Update to 20170615+deb9u2+b1 images, from stretch-proposed-updates dehydrated (0.3.1-3+deb9u1) stretch; urgency=medium . * Update the default License Subscriber Agreement URL. Closes: #881974 dnsmasq (2.76-5+deb9u1) stretch-security; urgency=high . * Non-maintainer upload by the Security Team. * CVE-2017-14491: DNS heap buffer overflow * CVE-2017-14492: DHCPv6 RA heap overflow * CVE-2017-14493: DHCPv6 - Stack buffer overflow * CVE-2017-14494: Infoleak handling DHCPv6 forwarded requests * CVE-2017-14496: Integer underflow in DNS response creation * CVE-2017-14495: OOM in DNS response creation * Misc code cleanups arising from Google analysis * CVE-2017-14491: DNS heap buffer overflow (further fix) doit (0.28.0-1+deb9u1) stretch; urgency=medium . * Non-maintainer upload. * python-doit: Add Breaks: nikola (<< 7.6.0-1~). 
nikola is not in stretch (or even in sid any longer) and the jessie version needs doit <= 0.27. (Closes: #870162) exim4 (4.89-2+deb9u2) stretch-security; urgency=high . * Non-maintainer upload by the Security Team. * Avoid release of store if there have been later allocations (CVE-2017-16943) (Closes: #882648) * Chunking: do not treat the first lonely dot special (CVE-2017-16944) (Closes: #882671) ffmpeg (7:3.2.9-1~deb9u1) stretch-security; urgency=medium . * New upstream release. - avcodec/x86/lossless_videoencdsp: Fix out of array access. (CVE-2017-15186) - avcodec/ffv1dec: Fix out of array read in slice counting. (CVE-2017-15672) * debian/patches: avcodec/vc2enc_dwt: Fix out of bounds read. (CVE-2017-16840) ffmpeg (7:3.2.8-1~deb9u1) stretch-security; urgency=high . * New upstream release. - avformat/rmdec: Fix DoS due to lack of eof check. (CVE-2017-14054) - avformat/mvdec: Fix DoS due to lack of eof check. (CVE-2017-14055) - avformat/rl2: Fix DoS due to lack of eof check. (CVE-2017-14056) - avformat/asfdec: Fix DoS due to lack of eof check. (CVE-2017-14057) - avformat/hls: Fix DoS due to infinite loop. (CVE-2017-14058) - avformat/cinedec: Fix DoS due to lack of eof check. (CVE-2017-14059) - avformat/mxfdec: Fix Sign error. (CVE-2017-14169) - avformat/mxfdec: Fix DoS issues. (CVE-2017-14170) - avformat/nsvdec: Fix DoS due to lack of eof check. (CVE-2017-14171) - avformat/mov: Fix DoS. (CVE-2017-14222) - avformat/asfdec: Fix DoS. (CVE-2017-14223) - ffprobe: Fix null pointer dereference with color primaries. (CVE-2017-14225) - avformat/rtpdec_h264: Fix heap-buffer-overflow. (CVE-2017-14767) fig2dev (1:3.2.6a-2+deb9u1) stretch; urgency=medium . * CVE-2017-16899: 31_input_sanitizing: Some input sanitizing on FIG files (Closes: #881143, #881144). * 32_fill-style-overflow: Sanitize input of fill patterns (Closes: #881396). firefox-esr (52.5.0esr-1~deb9u1) stretch-security; urgency=medium . * New upstream release. 
* Fixes for mfsa2017-25, also known as: CVE-2017-7828, CVE-2017-7830, CVE-2017-7826. . * debian/source/lintian-overrides: Add a lintian override for dotzlib.chm. * debian/import-tar.py: Make python 3.6 happy. firefox-esr (52.5.0esr-1~deb8u1) jessie-security; urgency=medium . * New upstream release. * Fixes for mfsa2017-25, also known as: CVE-2017-7828, CVE-2017-7830, CVE-2017-7826. . * debian/source/lintian-overrides: Add a lintian override for dotzlib.chm. * debian/import-tar.py: Make python 3.6 happy. firefox-esr (52.4.0esr-2) unstable; urgency=medium . * debian/source/lintian-overrides: Add a lintian override for dotzlib.chm. flickcurl (1.26-2+deb9u1) stable; urgency=medium . * Apply patch from upstream to fix oauth token fetching * Apply patch from upstream to prevent double free corruption during authentication (Closes: #875800) * Remove broken devhelp link in flickcurl-doc (Closes: #859019) flightgear (1:2016.4.4+dfsg-3+deb9u1) stretch; urgency=medium . * Add patches init-allowed-paths-earlier-secu-fix-f372d7.patch and prevent-arbitrary-file-writes-secu-fix-58d8e1.patch: prevent malicious add-ons from overriding arbitrary files. Closes: #873439 (CVE-2017-13709) ganeti (2.15.2-7+deb9u1) stretch; urgency=medium . * Depend on lsb-base (>= 3.0.6) for init-functions. * Backport upstream support for non-DSA SSH keys (Closes: #853129). + non-DSA-SSH-key-support.patch: backport upstream work from the (unreleased as of today) stable-2.16 branch. + fix-ssh-key-renewal-on-single-node-clusters.patch: fix gnt-cluster renew-crypto --new-ssh-keys on single-node clusters. + set-defaults-for-ssh-type-bits.patch: transparently handle the new SSH key type/length parameters without running cfgupgrade. * Fix failover from dead nodes when using extstorage (Closes: #864756). * Fix pre-migration version compatibility check that would always fail when different HV versions were detected. 
Note that this does not mean that migrations between different KVM versions are safe and/or supported! * Fix instance import/export/move with current socat versions, by letting socat decide the best TLS method to use (Closes: #871771). gdm3 (3.22.3-3+deb9u1) stretch; urgency=medium . * Backports a bunch of patches to fix XDMCP support including a potential crasher (Closes: #873199, #814989) getmail4 (4.53.0-1+deb9u1) stretch; urgency=medium . * Rebuild for stretch. * This patch fixes a single error in the getmail_fetch command introduced in 4.53.0 and fixed in 4.54.0. This also contains the patch for the upstream version used in the source to be bumped to 4.54.0. This should make users not to complain about the buggy version in stable. Closes: #877916 grok (1.20110708.1-4.3~deb9u1) stretch; urgency=medium . * Non-maintainer upload. * Rebuild for stretch. * Drop the gperf 3.1 patches . grok (1.20110708.1-4.3) unstable; urgency=medium . * Non-maintainer upload. * libgrok-dev: Add the missing dependencies on: - libgrok1 (Closes: #875422) - libtokyocabinet-dev (Closes: #779034) . grok (1.20110708.1-4.2) unstable; urgency=medium . * Non-maintainer upload. * Apply Steve Langasek's fix for wrong pointer alias bug (Closes: #841668) * Apply patches to allow build grok with gperf >= 3.1 grok (1.20110708.1-4.2) unstable; urgency=medium . * Non-maintainer upload. * Apply Steve Langasek's fix for wrong pointer alias bug (Closes: #841668) * Apply patches to allow build grok with gperf >= 3.1 (Closes: #869594) gunicorn (19.6.0-10+deb9u1) stretch; urgency=medium . * Drop unnecessary "Pre-Depends" on dpkg-dev which was causing gunicorn and python-gunicorn to bring in a compiler as a dependency. . It was originally added as dpkg-maintscript-helper(1) was being used in the preinst script requiring a pre-dependency to ensure that the version of dpkg has been unpacked. . However, this version of dpkg-dev is now satisfiable in squeeze, jessie and stretch and can thus be safely dropped.
Thanks to Neil Williams for the bug report. (Closes: #877712) icu (57.1-6+deb9u1) stretch; urgency=high . * Backport upstream security fix for CVE-2017-14952: double free in createMetazoneMappings() (closes: #878840). imagemagick (8:6.9.7.4+dfsg-11+deb9u3) stretch-security; urgency=medium . * CVE-2017-12983 (Closes: #873134) * CVE-2017-13134 (Closes: #873099) * CVE-2017-13758 (Closes: #878508) * CVE-2017-13769 (Closes: #878507) * CVE-2017-14224 (Closes: #876097) * CVE-2017-14607 (Closes: #878527) * CVE-2017-14682 (Closes: #876488) * CVE-2017-14989 (Closes: #878562) * CVE-2017-15277 (Closes: #878578) imagemagick (8:6.9.7.4+dfsg-11+deb9u2) stretch-security; urgency=high . * Avoid unbounded loop in pwp coder (Closes: #870526) * Fix memory exhaustion in PCX coder (Closes: #870491) * Fix double free in RelinquishMagickMemory (Closes: #870119) * coders/png.c: Memory leak Fix Issue 600 (Closes: #870116) * Fix hard lock in LockSemaphoreInfo after reading a png with width==MAGICK_WIDTH_LIMIT (Closes: #870111) * Fix out-of-bounds read with the MNG CLIP chunk. (Closes: #870109) * Fix heap buffer overflow in ReadOneMNGImage (Closes: #870106) * Detect corrupted png early and avoid a crash (Closes: #870105) * CVE-2017-11640 When ImageMagick 7.0.6-1 processes a crafted file in convert, it can lead to an address access exception in the WritePTIFImage() function in coders/tiff.c. (Closes: #870067) * CVE-2017-11639 When ImageMagick processes a crafted file in convert, it can lead to a heap-based buffer over-read in the WriteCIPImage() function in coders/cip.c, related to the GetPixelLuma function in MagickCore/pixel-accessor.h. 
(Closes: #870065) * Fix assertion failed in DestroyImageInfo (Closes: #870014) * CVE-2017-11523: endless loop in ReadTXTImage (Closes: #869210) * Fix use of uninitialized data in ImageMagick/coders/mat.c (Closes: #870012) * CVE-2017-11533 heap buffer overflow in uil coder (Closes: #869834) * Fix a crash in jp2 codec (Closes: #869830) * CVE-2017-11535 Fix heap based overflow in ps.c (Closes: #869827) * CVE-2017-11446 The ReadPESImage function in coders\pes.c has an infinite loop vulnerability that can cause CPU exhaustion via a crafted PES file. (Closes: #868950) * Avoid a crash in mpc coder (Closes: #869728) * CVE-2017-11537 Fix a palm coder FPE (Closes: #869712) * Fix a use after free in ReadWMFImage (Closes: #869715) * Fix a wmf file memory leak in CloneDrawInfo (Closes: #869713) * Fix CVE-2017-9500: An assertion failure was found in the function ResetImageProfileIterator, which allows attackers to cause a denial of service via a crafted file. (Closes: #867778) * Add README.Debian.security. iproute2 (4.9.0-1+deb9u1) stretch; urgency=medium . * Backport upstream commit 97a02cabef to fix segfault with iptables 1.6; the xtables_globals structure needs to have its new member compat_rev initialized. (Closes: #868059) * Sync include/xtables.h from iptables to make sure the right offset is used when accessing structure members defined in libxtables. One could get “Extension does not know id …” otherwise. (See also: #868059) irssi (1.0.2-1+deb9u3) stretch-security; urgency=high . * Non-maintainer upload by the Security Team. * Address IRSSI-SA-2017-10. - CVE-2017-15228: Unterminated colour formatting sequences may cause data access beyond the end of the buffer. - CVE-2017-15227: Failure to remove destroyed channels from the query list while waiting for the channel synchronisation may result in use after free conditions when updating the state later on. - CVE-2017-15721: Certain incorrectly formatted DCC CTCP messages could cause NULL pointer dereference. 
- CVE-2017-15723: Overlong nicks or targets may result in a NULL pointer dereference while splitting the message. - CVE-2017-15722: Read beyond end of buffer may occur if a Safe channel ID is not long enough. (Closes: #879521) jackson-databind (2.8.6-1+deb9u2) stretch-security; urgency=high . * Team upload * CVE-2017-15095: incomplete fixes for CVE-2017-7525 jackson-databind (2.8.6-1+deb9u1) stretch-security; urgency=high . * Team upload. * Fix CVE-2017-7525: Deserialization vulnerability via readValue method of ObjectMapper. (Closes: #870848) jdcal (1.0-1.2~deb9u1) stretch; urgency=medium . * Non-maintainer upload. * Rebuild for stretch. . jdcal (1.0-1.2) unstable; urgency=medium . * Non-maintainer upload. * Fix a mistake in ${python:Depends} for Python3 (needs to be ${python3:Depends}). Thanks again to Adrian Bunk. (Closes: #867406) . jdcal (1.0-1.1) unstable; urgency=medium . * Non-maintainer upload. * Added ${python:Depends} variable to Depends field in all packages. Thanks to Adrian Bunk . (Closes: #867406) jdcal (1.0-1.1) unstable; urgency=medium . * Non-maintainer upload. * Added ${python:Depends} variable to Depends field in all packages. Thanks to Adrian Bunk . (Closes: #867406) kde-gtk-config (4:5.8.6-1+deb9u1) stretch; urgency=medium . * Update debian/rules: set DATA_INSTALL_DIR variable in configuration options: it is required for correct search of preview.ui file in gtk*_preview programs. (These programs have not been working since version 4:5.1.95-0ubuntu1) * Add patch fix-search-of-gtk-preview-executables. It is required for showing preview buttons in KDE-GTK-config UI. (These buttons have not been working since version 4:5.1.95-0ubuntu1) konversation (1.6.2-2+deb9u1) stretch-security; urgency=high . * Non-maintainer upload by the Security Team. * CVE-2017-15923: Crash in parsing IRC color formatting codes (Closes: #881586) lasi (1.1.0-2~deb9u1) stretch; urgency=medium . * QA upload. * Rebuild for stretch. . lasi (1.1.0-2) unstable; urgency=medium . 
* QA upload. * Set maintainer to Debian QA Group. (see #867050) * Add the missing libpango1.0-dev and libfreetype6-dev dependencies to liblasi-dev. (Closes: #845497) * Add ${misc:Depends} to the package dependencies. libdatetime-timezone-perl (1:2.09-1+2017c) stretch; urgency=medium . * Update to Olson database version 2017c. This update contains contemporary changes for Northern Cyprus, Fiji, Namibia, Sudan, Tonga, and Turks & Caicos. libdbd-firebird-perl (1.24-1+deb9u1) stretch; urgency=medium . * add upstream patch fixing fetching of decimal(x,y) values between -1 and 0 (Closes: #877720) libdbi (0.9.0-4+deb9u1) stretch; urgency=medium . * Backport fix to re-enable a call to _error_handler() that was commented out for no obvious reason in dbi_result_next_row() . libdbi (0.9.0-4+deb8u1) jessie; urgency=medium . * Backport fix to re-enable a call to _error_handler() that was commented out for no obvious reason in dbi_result_next_row() . liblog-log4perl-perl (1.48-1+deb9u1) stretch; urgency=medium . * Team upload. * Workaround for Perl 5.24 no longer allowing syswrite and utf8 together (Closes: #855894) liblouis (3.0.0-3+deb9u1) stretch; urgency=medium . Fix buffer overflow and use-after-free CVEs. . * debian/patches/CVE-2017-13738-and-2017-13744.patch: New patch. * debian/patches/CVE-2017-13739-and-2017-13740-and-2017-13742.patch: New patch * debian/patches/CVE-2017-13741.patch: New patch. * debian/patches/CVE-2017-13741-2.patch: New patch. * debian/patches/CVE-2017-13743.patch: New patch. libmpd (0.20.0-2~deb9u1) stretch; urgency=medium . * QA upload. * Rebuild for stretch. . libmpd (0.20.0-2) unstable; urgency=medium . * QA upload. * Set maintainer to Debian QA Group. (see #876951) * libmpd-dev: Add the missing dependency on libglib2.0-dev. (Closes: #518429) libofx (1:0.9.10-2+deb9u1) stretch; urgency=medium . * Add upstream patches to fix: - CVE-2017-2816 (Closes: #875801). - CVE-2017-14731 (Closes: #877442). 
libpam4j (1.4-2+deb9u1) stretch-security; urgency=high . * Team upload. * Fix CVE-2017-12197 (Closes: #879001): It was discovered that libpam4j does not call pam_acct_mgmt(). As a consequence, the PAM account is not properly verified. Any user with a valid password but with deactivated or disabled account was able to log in. libpam4j (1.4-2+deb8u1) jessie-security; urgency=high . * Team upload. * Fix CVE-2017-12197 (Closes: #879001): It was discovered that libpam4j does not call pam_acct_mgmt(). As a consequence, the PAM account is not properly verified. Any user with a valid password but with deactivated or disabled account was able to log in. libvirt (3.0.0-4+deb9u1) stretch-security; urgency=high . * CVE-2017-1000256: qemu: ensure TLS clients always verify the server certificate (Closes: #878799) libxfont (1:2.0.1-3+deb9u1) stretch-security; urgency=medium . * Check for end of string in PatternMatch (CVE-2017-13720) * pcfGetProperties: Check string boundaries (CVE-2017-13722) libxkbcommon (0.7.1-2~deb9u1) stretch; urgency=medium . * Non-maintainer upload. * Rebuild for stretch. . libxkbcommon (0.7.1-2) unstable; urgency=medium . * Remove Cyril from Uploaders. * Add missing dependency libxkbcommon-x11-dev → libxkbcommon-dev (closes: #872874). libxml-libxml-perl (2.0128+dfsg-1+deb9u1) stretch-security; urgency=high . * Team upload. * CVE-2017-10672: Use-after-free by controlling the arguments to a replaceChild call (Closes: #866676) libxsettings-client (0.17-9~deb9u1) stretch; urgency=medium . * QA upload. * Rebuild for stretch. . libxsettings-client (0.17-9) unstable; urgency=medium . * QA upload. * Add the missing libxsettings-client-dev -> libxsettings-dev dependency. (Closes: #695584) linux (4.9.65-3) stretch; urgency=medium . [ Salvatore Bonaccorso ] * xen/time: do not decrease steal time after live migration on xen (Closes: #871608) linux (4.9.65-2) stretch; urgency=medium . 
* [s390x] qeth: Ignore ABI changes (fixes FTBFS) linux (4.9.65-1) stretch; urgency=medium . * New upstream stable update: https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.52 - mm: prevent double decrease of nr_reserved_highatomic - IB/{qib, hfi1}: Avoid flow control testing for RDMA write operation - IB/addr: Fix setting source address in addr6_resolve() - tty: improve tty_insert_flip_char() fast path - tty: improve tty_insert_flip_char() slow path - tty: fix __tty_insert_flip_char regression - [x86] pinctrl/amd: save pin registers over suspend/resume - [mips*] math-emu: .: Fix quiet NaN propagation - [mips*] math-emu: .: Fix cases of both inputs zero - [mips*] math-emu: .: Fix cases of both inputs negative - [mips*] math-emu: .: Fix cases of input values with opposite signs - [mips*] math-emu: .: Fix cases of both infinite inputs - [mips*] math-emu: MINA.: Fix some cases of infinity and zero inputs - [mips*] math-emu: Handle zero accumulator case in MADDF and MSUBF separately - [mips*] math-emu: .: Fix NaN propagation - [mips*] math-emu: .: Fix some cases of infinite inputs - [mips*] math-emu: .: Fix some cases of zero inputs - [mips*] math-emu: .: Clean up "maddf_flags" enumeration - [mips*] math-emu: .S: Fix accuracy (32-bit case) - [mips*] math-emu: .D: Fix accuracy (64-bit case) - [x86] crypto: ccp - Fix XTS-AES-128 support on v5 CCPs - crypto: AF_ALG - remove SGL terminator indicator when chaining - ext4: fix incorrect quotaoff if the quota feature is enabled - ext4: fix quota inconsistency during orphan cleanup for read-only mounts - [powerpc*] Fix DAR reporting when alignment handler faults - block: Relax a check in blk_start_queue() - md/bitmap: disable bitmap_resize for file-backed bitmaps. 
- skd: Avoid that module unloading triggers a use-after-free - skd: Submit requests to firmware before triggering the doorbell - [s390x] scsi: zfcp: fix queuecommand for scsi_eh commands when DIX enabled - [s390x] scsi: zfcp: add handling for FCP_RESID_OVER to the fcp ingress path - [s390x] scsi: zfcp: fix capping of unsuccessful GPN_FT SAN response trace records - [s390x] scsi: zfcp: fix passing fsf_req to SCSI trace on TMF to correlate with HBA - [s390x] scsi: zfcp: fix missing trace records for early returns in TMF eh handlers - [s390x] scsi: zfcp: fix payload with full FCP_RSP IU in SCSI trace records - [s390x] scsi: zfcp: trace HBA FSF response by default on dismiss or timedout late response - [s390x] scsi: zfcp: trace high part of "new" 64 bit SCSI LUN - scsi: megaraid_sas: set minimum value of resetwaittime to be 1 secs - scsi: megaraid_sas: Check valid aen class range to avoid kernel panic - scsi: megaraid_sas: Return pended IOCTLs with cmd_status MFI_STAT_WRONG_STATE in case adapter is dead - [x86] scsi: storvsc: fix memory leak on ring buffer busy - scsi: sg: remove 'save_scat_len' - scsi: sg: use standard lists for sg_requests - scsi: sg: off by one in sg_ioctl() - scsi: sg: factor out sg_fill_request_table() - scsi: sg: fixup infoleak when using SG_GET_REQUEST_TABLE - scsi: qla2xxx: Correction to vha->vref_count timeout - ftrace: Fix selftest goto location on error - ftrace: Fix memleak when unregistering dynamic ops when tracing disabled - tracing: Add barrier to trace_printk() buffer nesting modification - tracing: Apply trace_clock changes to instance max buffer - [x86] PCI: shpchp: Enable bridge bus mastering if MSI is enabled - PCI: pciehp: Report power fault only once until we clear it - net/netfilter/nf_conntrack_core: Fix net_conntrack_lock() - [s390x] mm: fix local TLB flushing vs. 
detach of an mm address space - [s390x] mm: fix race on mm->context.flush_mm - media: v4l2-compat-ioctl32: Fix timespec conversion - media: uvcvideo: Prevent heap overflow when accessing mapped controls - PM / devfreq: Fix memory leak when fail to register device - bcache: initialize dirty stripes in flash_dev_run() - bcache: Fix leak of bdev reference - bcache: do not subtract sectors_to_gc for bypassed IO - bcache: correct cache_dirty_target in __update_writeback_rate() - bcache: Correct return value for sysfs attach errors - bcache: fix for gc and write-back race - bcache: fix bch_hprint crash and improve output https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.53 - cifs: release cifs root_cred after exit_cifs - cifs: release auth_key.response for reconnect. - fs/proc: Report eip/esp in /prod/PID/stat for coredumping - mac80211: fix VLAN handling with TXQs - mac80211_hwsim: Use proper TX power - mac80211: flush hw_roc_start work before cancelling the ROC - genirq: Make sparse_irq_lock protect what it should protect - [powerpc*] KVM: Book3S: Fix race and leak in kvm_vm_ioctl_create_spapr_tce() - [powerpc*] KVM: Book3S HV: Protect updates to spapr_tce_tables list - tracing: Fix trace_pipe behavior for instance traces - tracing: Erase irqsoff trace with empty write - md/raid5: fix a race condition in stripe batch - md/raid5: preserve STRIPE_ON_UNPLUG_LIST in break_stripe_batch_list - drm/radeon: disable hard reset in hibernate for APUs - crypto: drbg - fix freeing of resources - security/keys: properly zero out sensitive key material in big_key - security/keys: rewrite all of big_key crypto - KEYS: fix writing past end of user-supplied buffer in keyring_read() - KEYS: prevent creating a different user's keyrings - KEYS: prevent KEYCTL_READ on negative key (CVE-2017-12192) - [powerpc*] pseries: Fix parent_dn reference leak in add_dt_node() - [powerpc*] tm: Flush TM only if CPU has TM feature - [powerpc*] ftrace: Pass the correct stack pointer for 
DYNAMIC_FTRACE_WITH_REGS - [s390x] mm: fix write access check in gup_huge_pmd() - PM: core: Fix device_pm_check_callbacks() - cifs: Fix SMB3.1.1 guest authentication to Samba - SMB3: Warn user if trying to sign connection that authenticated as guest - SMB: Validate negotiate (to protect against downgrade) even if signing off - SMB3: Don't ignore O_SYNC/O_DSYNC and O_DIRECT flags - vfs: Return -ENXIO for negative SEEK_HOLE / SEEK_DATA offsets - iw_cxgb4: remove the stid on listen create failure - iw_cxgb4: put ep reference in pass_accept_req() - seccomp: fix the usage of get/put_seccomp_filter() in seccomp_get_filter() - [arm64] Make sure SPsel is always set - [arm64] fault: Route pte translation faults via do_translation_fault - [x86] KVM: VMX: extract __pi_post_block - [x86] KVM: VMX: avoid double list add with VT-d posted interrupts - [x86] KVM: VMX: simplify and fix vmx_vcpu_pi_load - [x86] kvm: Handle async PF in RCU read-side critical sections - xfs: validate bdev support for DAX inode flag - [armhf] etnaviv: fix gem object list corruption - PCI: Fix race condition with driver_override - btrfs: fix NULL pointer dereference from free_reloc_roots() - btrfs: propagate error to btrfs_cmp_data_prepare caller - btrfs: prevent to set invalid default subvolid - [x86] mm: Fix fault error path using unsafe vma pointer - [x86] fpu: Don't let userspace set bogus xcomp_bv - gfs2: Fix debugfs glocks dump - timer/sysctl: Restrict timer migration sysctl values to 0 and 1 - [x86] KVM: VMX: do not change SN bit in vmx_update_pi_irte() - [x86] KVM: VMX: remove WARN_ON_ONCE in kvm_vcpu_trigger_posted_interrupt - [powerpc*] cxl: Fix driver use count - [x86] KVM: VMX: use cmpxchg64 - swiotlb-xen: implement xen_swiotlb_dma_mmap callback https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.54 - drm_fourcc: Fix DRM_FORMAT_MOD_LINEAR #define - drm: bridge: add DT bindings for TI ths8135 - GFS2: Fix reference to ERR_PTR in gfs2_glock_iter_next - [x86] drm/i915: Fix the overlay 
frontbuffer tracking - [armhf] dts: exynos: Add CPU OPPs for Exynos4412 Prime - [armhf] clk: sunxi-ng: fix PLL_CPUX adjusting on H3 - RDS: RDMA: Fix the composite message user notification - [mips*] Ensure bss section ends on a long-aligned address - scsi: be2iscsi: Add checks to validate CID alloc/free - [armhf] dts: am335x-chilisom: Wakeup from RTC-only state by power on event - igb: re-assign hw address pointer on reset after PCI error - hwmon: (gl520sm) Fix overflows and crash seen when writing into limit attributes - IB/rxe: Add a runtime check in alloc_index() - IB/rxe: Fix a MR reference leak in check_rkey() - [x86] drm/i915/psr: disable psr2 for resolution greater than 32X20 - serial: 8250: moxa: Store num_ports in brd - serial: 8250_port: Remove dangerous pr_debug() - IB/ipoib: Fix deadlock over vlan_mutex - IB/ipoib: rtnl_unlock can not come after free_netdev - IB/ipoib: Replace list_del of the neigh->list with list_del_init - [amd64] drm/amdkfd: fix improper return value on error - USB: serial: mos7720: fix control-message error handling - USB: serial: mos7840: fix control-message error handling - sfc: get PIO buffer size from the NIC - partitions/efi: Fix integer overflow in GPT size calculation - ASoC: dapm: handle probe deferrals - audit: log 32-bit socketcalls - ath10k: prevent sta pointer rcu violation - [armhf,arm64] iommu/arm-smmu: Set privileged attribute to 'default' instead of 'unprivileged' - [armhf,arm64] usb: chipidea: vbus event may exist before starting gadget - ASoC: dapm: fix some pointer error handling - [arm64] drm: mali-dp: Fix destination size handling when rotating - [arm64] drm: mali-dp: Fix transposed horizontal/vertical flip - HID: wacom: release the resources before leaving despite devm - net: core: Prevent from dereferencing null pointer when releasing SKB - net/packet: check length in getsockopt() called with PACKET_HDRLEN - team: fix memory leaks - udp: disable inner UDP checksum offloads in IPsec case - qed: Fix possible 
system hang in the dcbnl-getdcbx() path. - mmc: sdio: fix alignment issue in struct sdio_func - bridge: netlink: register netdevice before executing changelink - Btrfs: fix segmentation fault when doing dio read - Btrfs: fix potential use-after-free for cloned bio - sata_via: Enable hotplug only on VT6421 - hugetlbfs: initialize shared policy as part of inode allocation - netfilter: invoke synchronize_rcu after set the _hook_ to NULL - [mips*] IRQ Stack: Unwind IRQ stack onto task stack - nvme-rdma: handle cpu unplug when re-establishing the controller - netfilter: nfnl_cthelper: fix incorrect helper->expect_class_max - nfs: make nfs4_cb_sv_ops static - [x86] cpufreq: intel_pstate: Update pid_params.sample_rate_ns in pid_param_set() - [x86] acpi: Restore the order of CPU IDs - [armhf,arm64] iommu/io-pgtable-arm: Check for leaf entry before dereferencing it - mm/cgroup: avoid panic when init with low memory - rds: ib: add error handle - md/raid10: submit bio directly to replacement disk - netfilter: nf_tables: set pktinfo->thoff at AH header if found - [arm64] i2c: meson: fix wrong variable usage in meson_i2c_put_data - xfs: remove kmem_zalloc_greedy - libata: transport: Remove circular dependency at free time - tools/power turbostat: bugfix: GFXMHz column not changing - IB/qib: fix false-postive maybe-uninitialized warning - ttpci: address stringop overflow warning - [s390x] mm: make pmdp_invalidate() do invalidation only https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.55 - USB: gadgetfs: Fix crash caused by inadequate synchronization - USB: gadgetfs: fix copy_to_user while holding spinlock - usb-storage: unusual_devs entry to fix write-access regression for Seagate external drives - usb-storage: fix bogus hardware error messages for ATA pass-thru devices - ALSA: usb-audio: Check out-of-bounds access by corrupted buffer descriptor (CVE-2017-16529) - usb: pci-quirks.c: Corrected timeout values used in handshake - USB: cdc-wdm: ignore -EPIPE from 
GetEncapsulatedResponse - USB: dummy-hcd: fix connection failures (wrong speed) - USB: dummy-hcd: fix infinite-loop resubmission bug - USB: dummy-hcd: Fix erroneous synchronization change - usb: gadget: mass_storage: set msg_registered after msg registered - USB: g_mass_storage: Fix deadlock when driver is unbound - USB: uas: fix bug in handling of alternate settings (CVE-2017-16530) - USB: core: harden cdc_parse_cdc_header (CVE-2017-16534) - usb: Increase quirk delay for USB devices - USB: fix out-of-bounds in usb_set_configuration (CVE-2017-16531) - xhci: fix finding correct bus_state structure for USB 3.1 hosts - xhci: Fix sleeping with spin_lock_irq() held in ASmedia 1042A workaround - xhci: set missing SuperSpeedPlus Link Protocol bit in roothub descriptor - [x86] Revert "xhci: Limit USB2 port wake support for AMD Promontory hosts" - [armhf] iio: adc: twl4030: Fix an error handling path in 'twl4030_madc_probe()' - [armhf] iio: adc: twl4030: Disable the vusb3v1 rugulator in the error handling path of 'twl4030_madc_probe()' - iio: core: Return error for failed read_reg - uwb: properly check kthread_run return value (CVE-2017-16526) - uwb: ensure that endpoint is interrupt - mm, oom_reaper: skip mm structs with mmu notifiers - lib/ratelimit.c: use deferred printk() version - Revert "ALSA: echoaudio: purge contradictions between dimension matrix members and total number of members" - ALSA: usx2y: Suppress kernel warning at page allocation failures - net: sched: fix use-after-free in tcf_action_destroy and tcf_del_walker - sctp: potential read out of bounds in sctp_ulpevent_type_enabled() - tcp: update skb->skb_mstamp more carefully - bpf/verifier: reject BPF_ALU64|BPF_END - tcp: fix data delivery rate - udpv6: Fix the checksum computation when HW checksum does not apply - ip6_gre: skb_push ipv6hdr before packing the header in ip6gre_header - net: phy: Fix mask value write on gmii2rgmii converter speed register - ip6_tunnel: do not allow loading ip6_tunnel if ipv6 
is disabled in cmdline - net/sched: cls_matchall: fix crash when used with classful qdisc - tcp: fastopen: fix on syn-data transmit failure - [powerpc,ppc64] net: emac: Fix napi poll list corruption - packet: hold bind lock when rebinding to fanout hook (CVE-2017-15649) - bpf: one perf event close won't free bpf program attached by another perf event - net_sched: always reset qdisc backlog in qdisc_reset() - vti: fix use after free in vti_tunnel_xmit/vti6_tnl_xmit - l2tp: Avoid schedule while atomic in exit_net - l2tp: fix race condition in l2tp_tunnel_delete - tun: bail out from tun_get_user() if the skb is empty - net: dsa: Fix network device registration order - packet: in packet_do_bind, test fanout with bind_lock held (CVE-2017-15649) - packet: only test po->has_vnet_hdr once in packet_snd - net: Set sk_prot_creator when cloning sockets to the right proto - netlink: do not proceed if dump's start() errs - ip6_gre: ip6gre_tap device should keep dst - ip6_tunnel: update mtu properly for ARPHRD_ETHER tunnel device in tx path - tipc: use only positive error codes in messages - net: rtnetlink: fix info leak in RTM_GETSTATS call - [powerpc*/*64*]: Use emergency stack for kernel TM Bad Thing program checks (CVE-2017-1000255) - [powerpc*] tm: Fix illegal TM state in signal handler (CVE-2017-1000255) - percpu: make this_cpu_generic_read() atomic w.r.t. 
interrupts - driver core: platform: Don't read past the end of "driver_override" buffer - [x86] Drivers: hv: fcopy: restore correct transfer length - ftrace: Fix kmemleak in unregister_ftrace_graph - HID: i2c-hid: allocate hid buffers for real worst case - HID: wacom: leds: Don't try to control the EKR's read-only LEDs - HID: wacom: Always increment hdev refcount within wacom_get_hdev_data - HID: wacom: bits shifted too much for 9th and 10th buttons - netlink: fix nla_put_{u8,u16,u32} for KASAN - iwlwifi: mvm: use IWL_HCMD_NOCOPY for MCAST_FILTER_CMD - iwlwifi: add workaround to disable wide channels in 5GHz - scsi: sd: Do not override max_sectors_kb sysfs setting - brcmfmac: add length check in brcmf_cfg80211_escan_handler() (CVE-2017-0786) - brcmfmac: setup passive scan if requested by user-space - [x86] drm/i915/bios: ignore HDMI on port A - nvme-pci: Use PCI bus address for data/queues in CMB - mmc: core: add driver strength selection when selecting hs400es - sched/cpuset/pm: Fix cpuset vs. 
suspend-resume bugs - vfs: deny copy_file_range() for non regular files - ext4: fix data corruption for mmap writes - ext4: don't allow encrypted operations without keys - f2fs: don't allow encrypted operations without keys https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.56 https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.57 - ext4: in ext4_seek_{hole,data}, return -ENXIO for negative offsets - CIFS: Reconnect expired SMB sessions - nl80211: Define policy for packet pattern attributes - rcu: Allow for page faults in NMI handlers - USB: dummy-hcd: Fix deadlock caused by disconnect detection - [mips*] math-emu: Remove pr_err() calls from fpu_emu() - [armhf] dmaengine: edma: Align the memcpy acnt array size with the transfer - [armhf] dmaengine: ti-dma-crossbar: Fix possible race condition with dma_inuse - HID: usbhid: fix out-of-bounds bug (CVE-2017-16533) - crypto: shash - Fix zero-length shash ahash digest crash - [x86] KVM: MMU: always terminate page walks at level 1 - [x86] KVM: nVMX: fix guest CR4 loading when emulating L2 to L1 exit - [x86] iommu/amd: Finish TLB flush in amd_iommu_unmap() - device property: Track owner device of device property - fs/mpage.c: fix mpage_writepage() for pages with buffers - ALSA: usb-audio: Kill stray URB at exiting (CVE-2017-16527) - ALSA: seq: Fix use-after-free at creating a port (CVE-2017-15265) - ALSA: seq: Fix copy_from_user() call inside lock - ALSA: caiaq: Fix stray URB at probe error path - ALSA: line6: Fix missing initialization before error path - ALSA: line6: Fix leftover URB at error-path during probe - [x86] drm/i915/edp: Get the Panel Power Off timestamp after panel is off - [x86] drm/i915: Read timings from the correct transcoder in intel_crtc_mode_get() - [x86] drm/i915/bios: parse DDI ports also for CHV for HDMI DDC pin and DP AUX channel - usb: gadget: configfs: Fix memory leak of interface directory data - usb: gadget: composite: Fix use-after-free in usb_composite_overwrite_options - 
direct-io: Prevent NULL pointer access in submit_page_section - fix unbalanced page refcounting in bio_map_user_iov (CVE-2017-12190) - more bio_map_user_iov() leak fixes - bio_copy_user_iov(): don't ignore ->iov_offset - USB: serial: console: fix use-after-free after failed setup (CVE-2017-16525) - [x86] alternatives: Fix alt_max_short macro to really be a max() - [x86] KVM: nVMX: update last_nonleaf_level when initializing nested EPT (CVE-2017-12188) https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.58 - [mips*] Fix minimum alignment requirement of IRQ stack - xen-netback: Use GFP_ATOMIC to allocate hash - irqchip/crossbar: Fix incorrect type of local variables - initramfs: finish fput() before accessing any binary from initramfs - mac80211_hwsim: check HWSIM_ATTR_RADIO_NAME length - qed: Don't use attention PTT for configuring BW - mac80211: fix power saving clients handling in iwlwifi - net/mlx4_en: fix overflow in mlx4_en_init_timestamp() - netfilter: nf_ct_expect: Change __nf_ct_expect_check() return value. 
- f2fs: do SSR for data when there is enough free space - sched/fair: Update rq clock before changing a task's CPU affinity - Btrfs: send, fix failure to rename top level inode due to name collision - f2fs: do not wait for writeback in write_begin - md/linear: shutup lockdep warnning - net/mlx4_core: Fix VF overwrite of module param which disables DMFS on new probed PFs - mm/memory_hotplug: set magic number to page->freelist instead of page->lru.next - ocfs2/dlmglue: prepare tracking logic to avoid recursive cluster lock - scsi: scsi_dh_emc: return success in clariion_std_inquiry() - drm/amdgpu: refuse to reserve io mem for split VRAM buffers - [armhf] net: mvpp2: release reference to txq_cpu[] entry after unmapping - qede: Prevent index problems in loopback test - qed: Reserve doorbell BAR space for present CPUs - qed: Read queue state before releasing buffer - ceph: don't update_dentry_lease unless we actually got one - ceph: fix bogus endianness change in ceph_ioctl_set_layout - ceph: clean up unsafe d_parent accesses in build_dentry_path - uapi: fix linux/mroute6.h userspace compilation errors - [amd64] IB/hfi1: Use static CTLE with Preset 6 for integrated HFIs - [amd64] IB/hfi1: Allocate context data on memory node - target/iscsi: Fix unsolicited data seq_end_offset calculation - hrtimer: Catch invalid clockids again - nfsd/callback: Cleanup callback cred on shutdown - [powerpc*] perf: Add restrictions to PMC5 in power9 DD1 - drm/nouveau/gr/gf100-: fix ccache error logging - regulator: core: Resolve supplies before disabling unused regulators - btmrvl: avoid double-disable_irq() race - [x86] EDAC, mce_amd: Print IPID and Syndrome on a separate line - usb: dwc3: gadget: Correct ISOC DATA PIDs for short packets https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.59 - USB: core: fix out-of-bounds access bug in usb_get_bos_descriptor() (CVE-2017-16535) - usb: hub: Allow reset retry for USB2 devices on connect bounce - can: gs_usb: fix busy loop if no more 
TX context is available - iio: dummy: events: Add missing break - [armhf] usb: musb: sunxi: Explicitly release USB PHY on exit - [armhf] usb: musb: Check for host-mode using is_host_active() on reset interrupt - xhci: Identify USB 3.1 capable hosts by their port protocol capability - can: esd_usb2: Fix can_dlc value for received RTR, frames - drm/nouveau/bsp/g92: disable by default - drm/nouveau/mmu: flush tlbs before deleting page tables - ALSA: seq: Enable 'use' locking in all configurations - ALSA: hda: Remove superfluous '-' added by printk conversion - ALSA: hda: Abort capability probe at invalid register read - [x86] i2c: ismt: Separate I2C block read from SMBus block read - i2c: piix4: Fix SMBus port selection for AMD Family 17h chips - brcmfmac: Add check for short event packets - brcmsmac: make some local variables 'static const' to reduce stack size - [armel,armhf] bus: mbus: fix window size calculation for 4GB windows - [i386] clockevents/drivers/cs5535: Improve resilience to spurious interrupts - rtlwifi: rtl8821ae: Fix connection lost problem - [x86] microcode/intel: Disable late loading on model 79 - KEYS: encrypted: fix dereference of NULL user_key_payload - lib/digsig: fix dereference of NULL user_key_payload - KEYS: don't let add_key() update an uninstantiated key (CVE-2017-15299) - pkcs7: Prevent NULL pointer dereference, since sinfo is not always set. 
- [x86] vmbus: fix missing signaling in hv_signal_on_read() - xfs: don't unconditionally clear the reflink flag on zero-block files - xfs: evict CoW fork extents when performing finsert/fcollapse - fs/xfs: Use %pS printk format for direct addresses - xfs: report zeroed or not correctly in xfs_zero_range() - xfs: update i_size after unwritten conversion in dio completion - xfs: perag initialization should only touch m_ag_max_usable for AG 0 - xfs: Capture state of the right inode in xfs_iflush_done - xfs: always swap the cow forks when swapping extents - xfs: handle racy AIO in xfs_reflink_end_cow - xfs: Don't log uninitialised fields in inode structures - xfs: move more RT specific code under CONFIG_XFS_RT - xfs: don't change inode mode if ACL update fails - xfs: reinit btree pointer on attr tree inactivation walk - xfs: handle error if xfs_btree_get_bufs fails - xfs: cancel dirty pages on invalidation - xfs: trim writepage mapping to within eof - fscrypt: fix dereference of NULL user_key_payload - KEYS: Fix race between updating and finding a negative key (CVE-2017-15951) - FS-Cache: fix dereference of NULL user_key_payload https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.60 - workqueue: replace pool->manager_arb mutex with a flag - ceph: unlock dangling spinlock in try_flush_caps() - usb: xhci: Handle error condition in xhci_stop_device() - [powerpc*] KVM: Fix oops when checking KVM_CAP_PPC_HTM (CVE-2017-15306) - fuse: fix READDIRPLUS skipping an entry - xen/gntdev: avoid out of bounds access in case of partial gntdev_mmap() - Input: gtco - fix potential out-of-bound access (CVE-2017-16643) - assoc_array: Fix a buggy node-splitting case - [s390x] scsi: zfcp: fix erp_action use-before-initialize in REC action trace - scsi: sg: Re-fix off by one in sg_fill_request_table() - drm/amd/powerplay: fix uninitialized variable - [armhf] can: sun4i: fix loopback mode - can: kvaser_usb: Correct return value in printout - can: kvaser_usb: Ignore 
CMD_FLUSH_QUEUE_REPLY messages - cfg80211: fix connect/disconnect edge cases - ipsec: Fix aborted xfrm policy dump crash (CVE-2017-16939) - [armhf] regulator: fan53555: fix I2C device ids - ecryptfs: fix dereference of NULL user_key_payload https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.61 - ALSA: timer: Add missing mutex lock for compat ioctls - ALSA: seq: Fix nested rwsem annotation for lockdep splat - cifs: check MaxPathNameComponentLength != 0 before using it (Closes: #880504) - KEYS: return full count in keyring_read() if buffer is too small - KEYS: fix out-of-bounds read during ASN.1 parsing - [arm64] ensure __dump_instr() checks addr_limit - [armhf,arm64] KVM: set right LR register value for 32 bit guest when inject abort - [armhf,arm64] kvm: Disable branch profiling in HYP code - [armel,armhf] 8715/1: add a private asm/unaligned.h - drm/amdgpu: return -ENOENT from uvd 6.0 early init for harvesting - ocfs2: fstrim: Fix start offset of first cluster group during fstrim - [x86] drm/i915/edp: read edp display control registers unconditionally - [arm64] drm/msm: Fix potential buffer overflow issue - [arm64] drm/msm: fix an integer overflow test - cpufreq: Do not clear real_cpus mask on policy init - [x86] crypto: ccp - Set the AES size field for all modes - IB/mlx5: Assign DSCP for R-RoCE QPs Address Path - PM / wakeirq: report a wakeup_event on dedicated wekup irq - scsi: megaraid_sas: Do not set fp_possible if TM capable for non-RW syspdIO, change fp_possible to bool - [armhf] mfd: axp20x: Fix axp288 PEK_DBR and PEK_DBF irqs being swapped - bnxt_en: Added PCI IDs for BCM57452 and BCM57454 ASICs - staging: rtl8712u: Fix endian settings for structs describing network packets - PCI/MSI: Return failure when msix_setup_entries() fails - ext4: fix stripe-unaligned allocations - ext4: do not use stripe_width if it is not set - [x86] net/ena: change driver's default timeouts - drm/amdgpu: when dpm disabled, also need to stop/start vce. 
- perf tools: Only increase index if perf_evsel__new_idx() succeeds - iwlwifi: mvm: use the PROBE_RESP_QUEUE to send deauth to unknown station - [armhf,arm64] clocksource/drivers/arm_arch_timer: Add dt binding for hisilicon-161010101 erratum - net: phy: dp83867: Recover from "port mirroring" N/A MODE4 - cx231xx: Fix I2C on Internal Master 3 Bus - ath10k: fix reading sram contents for QCA4019 - [armhf] clk: sunxi-ng: Check kzalloc() for errors and cleanup error path - [armhf] mtd: nand: sunxi: Fix the non-polling case in sunxi_nfc_wait_events() - xen/manage: correct return value check on xenbus_scanf() - scsi: aacraid: Process Error for response I/O - [x86] platform: intel_mid_thermal: Fix module autoload - [x86] staging: lustre: llite: don't invoke direct_IO for the EOF case - [x86] staging: lustre: hsm: stack overrun in hai_dump_data_field - [x86] staging: lustre: ptlrpc: skip lock if export failed - [x86] staging: lustre: lmv: Error not handled for lmv_find_target - brcmfmac: check brcmf_bus_get_memdump result for error - vfs: open() with O_CREAT should not create inodes with unknown ids - [x86] ASoC: Intel: boards: remove .pm_ops in all Atom/DPCM machine drivers - [armhf] exynos4-is: fimc-is: Unmap region obtained by of_iomap() - [x86] mei: return error on notification request to a disconnected client - [s390x] dasd: check for device error pointer within state change interrupts - [s390x] prng: Adjust generation of entropy to produce real 256 bits. - [s390x] crypto: Extend key length check for AES-XTS in fips mode. 
- bt8xx: fix memory leak - [armhf] drm/exynos: g2d: prevent integer overflow in - PCI: Avoid possible deadlock on pci_lock and p->pi_lock - [powerpc*/*64*]: Don't try to use radix MMU under a hypervisor - xen: don't print error message in case of missing Xenstore entry - [armel,armhf] dts: mvebu: pl310-cache disable double-linefill https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.62 - [armel,armhf] PCI: mvebu: Handle changes to the bridge windows while enabled - sched/core: Add missing update_rq_clock() call in sched_move_task() - xen/netback: set default upper limit of tx/rx queues to 8 - [x86] EDAC, amd64: Add x86cpuid sanity check during init - PM / OPP: Error out on failing to add static OPPs for v1 bindings - [armhf] clk: samsung: exynos5433: Add IDs for PHYCLK_MIPIDPHY0_* clocks - drm: drm_minor_register(): Clean up debugfs on failure - [powerpc*] KVM: Book 3S: XICS: correct the real mode ICP rejecting counter - [armhf,arm64] iommu/arm-smmu-v3: Clear prior settings when updating STEs - [x86] pinctrl: baytrail: Fix debugfs offset output - [powerpc*] corenet: explicitly disable the SDHC controller on kmcoge4 - [powerpc*] cxl: Force psl data-cache flush during device shutdown - [arm64] dma-mapping: Only swizzle DMA ops for IOMMU_DOMAIN_DMA - [powerpc*] crypto: vmx - disable preemption to enable vsx in aes_ctr.c - [arm64] drm: mali-dp: fix Lx_CONTROL register fields clobber - iio: trigger: free trigger resource correctly - [x86] iio: proximity: sx9500: claim direct mode during raw proximity reads - libertas: fix improper return value - usb: hcd: initialize hcd->flags to 0 when rm hcd - netfilter: nft_meta: deal with PACKET_LOOPBACK in netdev family - brcmfmac: setup wiphy bands after registering it first - rt2800usb: mark tx failure on timeout - apparmor: fix undefined reference to `aa_g_hash_policy' - IPsec: do not ignore crypto err in ah4 input - [x86] EDAC, amd64: Save and return err code from probe_one_instance() - [s390x] topology: make 
"topology=off" parameter work - [powerpc] sched/cputime: Fix stale scaled stime on context switch - IB/ipoib: Change list_del to list_del_init in the tx object - [armhf] dts: STiH410-family: fix wrong parent clock frequency - [s390x] qeth: fix retrieval of vipa and proxy-arp addresses - [s390x] qeth: issue STARTLAN as first IPA command - [arm64] wcn36xx: Don't use the destroyed hal_mutex - IB/rxe: Fix reference leaks in memory key invalidation code - [armhf] clk: mvebu: adjust AP806 CPU clock frequencies to production chip - [x86] platform: hp-wmi: Fix detection for dock and tablet mode - cdc_ncm: Set NTB format again after altsetting switch for Huawei devices - KEYS: trusted: sanitize all key material - KEYS: trusted: fix writing past end of buffer in trusted_read() - [x86] platform: hp-wmi: Fix error value for hp_wmi_tablet_state - [x86] platform: hp-wmi: Do not shadow error values - [x86] uaccess, sched/preempt: Verify access_ok() context - workqueue: Fix NULL pointer dereference - crypto: ccm - preserve the IV buffer - [x86] crypto: sha1-mb - fix panic due to unaligned access - [x86] crypto: sha256-mb - fix panic due to unaligned access - KEYS: fix NULL pointer dereference during ASN.1 parsing [ver #2] - [armel,armhf] 8720/1: ensure dump_instr() checks addr_limit - ALSA: seq: Fix OSS sysex delivery in OSS emulation - [x86] drm/i915: Do not rely on wm preservation for ILK watermarks - [mips*] Fix CM region target definitions - [mips*] SMP: Use a completion event to signal CPU up - [mips*] Fix race on setting and getting cpu_online_mask - [mips*] SMP: Fix deadlock & online race - [armhf] ASoC: sun4i-spdif: remove legacy dapm components - rbd: use GFP_NOIO for parent stat and data requests - [x86] drm/vmwgfx: Fix Ubuntu 17.10 Wayland black screen issue - [arm64] drm/bridge: adv7511: Rework adv7511_power_on/off() so they can be reused internally - [arm64] drm/bridge: adv7511: Reuse __adv7511_power_on/off() when probing EDID - [arm64] drm/bridge: adv7511: Re-write 
the i2c address before EDID probing - [armhf] can: sun4i: handle overrun in RX FIFO - [x86] smpboot: Make optimization of delay calibration work correctly - [x86] oprofile/ppro: Do not use __this_cpu*() in preemptible context https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.63 - gso: fix payload length when gso_size is zero - tun/tap: sanitize TUNSETSNDBUF input - ipv6: addrconf: increment ifp refcount before ipv6_del_addr() - netlink: do not set cb_running if dump's start() errs - net: call cgroup_sk_alloc() earlier in sk_clone_lock() - tcp: fix tcp_mtu_probe() vs highest_sack - l2tp: check ps->sock before running pppol2tp_session_ioctl() - tun: call dev_get_valid_name() before register_netdevice() - sctp: add the missing sock_owned_by_user check in sctp_icmp_redirect - tcp/dccp: fix ireq->opt races - packet: avoid panic in packet_getsockopt() - soreuseport: fix initialization race - ipv6: flowlabel: do not leave opt->tot_len with garbage - sctp: full support for ipv6 ip_nonlocal_bind & IP_FREEBIND - tcp/dccp: fix lockdep splat in inet_csk_route_req() - tcp/dccp: fix other lockdep splats accessing ireq_opt - net/unix: don't show information about sockets from other namespaces - tap: double-free in error path in tap_open() - ipip: only increase err_count for some certain type icmp in ipip_err - ip6_gre: only increase err_count for some certain type icmpv6 in ip6gre_err - ip6_gre: update dst pmtu if dev mtu has been updated by toobig in __gre6_xmit - tun: allow positive return values on dev_get_valid_name() call - sctp: reset owner sk for data chunks on out queues when migrating a sock - net_sched: avoid matching qdisc with zero handle - ppp: fix race in ppp device destruction - mac80211: accept key reinstall without changing anything (CVE-2017-13080) - mac80211: use constant time comparison with keys - mac80211: don't compare TKIP TX MIC key in reinstall prevention (CVE-2017-13080) - usb: usbtest: fix NULL pointer dereference (CVE-2017-16532) - Input: 
ims-psu - check if CDC union descriptor is sane (CVE-2017-16645) - ALSA: seq: Cancel pending autoload work at unbinding device (CVE-2017-16528) - netfilter: nat: avoid use of nf_conn_nat extension - netfilter: nat: Revert "netfilter: nat: convert nat bysrc hash to rhashtable" - brcmfmac: remove setting IBSS mode when stopping AP - [arm64,mips*] security/keys: add CONFIG_KEYS_COMPAT to Kconfig (Closes: #881830) - target/iscsi: Fix iSCSI task reassignment handling - qla2xxx: Fix incorrect tcm_qla2xxx_free_cmd use during TMR ABORT (v2) https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.64 - media: imon: Fix null-ptr-deref in imon_probe (CVE-2017-16537) - media: dib0700: fix invalid dvb_detach argument (CVE-2017-16646) - [armel,armhf] crypto: reduce priority of bit-sliced AES cipher - Bluetooth: btusb: fix QCA Rome suspend/resume - [armhf,arm64] extcon: Remove potential problem when calling extcon_register_notifier() - [armhf] extcon: palmas: Check the parent instance to prevent the NULL - fm10k: request reset when mbx->state changes - [armhf] dts: Fix compatible for ti81xx uarts for 8250 - [armhf] dts: Fix am335x and dm814x scm syscon to probe children - [armhf] OMAP2+: Fix init for multiple quirks for the same SoC - [armhf] dts: Fix omap3 off mode pull defines - [armhf] dts: omap5-uevm: Allow bootloader to configure USB Ethernet MAC - igb: reset the PHY before reading the PHY ID - igb: close/suspend race in netif_device_detach - igb: Fix hw_dbg logging in igb_update_flash_i210 - scsi: ufs: add capability to keep auto bkops always enabled - tcp: provide timestamps for partial writes - staging: rtl8188eu: fix incorrect ERROR tags from logs - [x86] irq, trace: Add __irq_entry annotation to x86's platform IRQ handlers - scsi: lpfc: Add missing memory barrier - scsi: lpfc: FCoE VPort enable-disable does not bring up the VPort - scsi: lpfc: Correct host name in symbolic_name field - scsi: lpfc: Correct issue leading to oops during link reset - scsi: lpfc: Clear the 
VendorVersion in the PLOGI/PLOGI ACC payload - ALSA: vx: Don't try to update capture stream before running - ALSA: vx: Fix possible transfer overflow - [armhf] drm/omap: panel-sony-acx565akm.c: Add MODULE_ALIAS - [x86] gpu: drm: mgag200: mgag200_main:- Handle error from pci_iomap - [arm64] dts: NS2: reserve memory for Nitro firmware - ixgbe: Configure advertised speeds correctly for KR/KX backplane - ixgbe: fix AER error handling - ixgbe: handle close/suspend race with netif_device_detach/present - ixgbe: Fix reporting of 100Mb capability - ixgbe: Reduce I2C retry count on X550 devices - ixgbe: add mask for 64 RSS queues - ixgbe: do not disable FEC from the driver - [mips*] End asm function prologue macros with .insn - [mips*] init: Ensure bootmem does not corrupt reserved memory - [mips*] init: Ensure reserved memory regions are not added to bootmem - [mips*] traps: Ensure L1 & L2 ECC checking match for CM3 systems - crypto: dh - Don't permit 'p' to be 0 - crypto: dh - Don't permit 'key' or 'g' size longer than 'p' - USB: usbfs: compute urb->actual_length for isochronous - usb: gadget: f_fs: Fix use-after-free in ffs_free_inst - USB: serial: garmin_gps: fix I/O after failed probe and remove - USB: serial: garmin_gps: fix memory leak on probe errors - [x86] MCE/AMD: Always give panic severity for UC errors in kernel context - brcmfmac: don't preset all channels as disabled https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.65 - tcp_nv: fix division by zero in tcpnv_acked() - net: vrf: correct FRA_L3MDEV encode type - tcp: do not mangle skb->cb[] in tcp_make_synack() - netfilter/ipvs: clear ipvs_property flag when SKB net namespace changed - bonding: discard lowest hash bit for 802.3ad layer3+4 - net: cdc_ether: fix divide by 0 on bad descriptors (CVE-2017-16649) - net: qmi_wwan: fix divide by 0 on bad descriptors (CVE-2017-16650) - qmi_wwan: Add missing skb_reset_mac_header-call - net: usb: asix: fill null-ptr-deref in asix_suspend (CVE-2017-16647) - vlan: 
fix a use-after-free in vlan_device_event() - af_netlink: ensure that NLMSG_DONE never fails in dumps - sctp: do not peel off an assoc from one netns to another one (CVE-2017-15115) - net/sctp: Always set scope_id in sctp_inet6_skb_msgname - crypto: dh - fix memleak in setkey - crypto: dh - Fix double free of ctx->p - ima: do not update security.ima if appraisal status is not INTEGRITY_PASS - [armhf] serial: omap: Fix EFR write on RTS deassertion - serial: 8250_fintek: Fix finding base_port with activated SuperIO - ocfs2: fix cluster hang after a node dies - ocfs2: should wait dio before inode lock in ocfs2_setattr() - ipmi: fix unsigned long underflow - mm/page_alloc.c: broken deferred calculation - coda: fix 'kernel memory exposure attempt' in fsync - mm/pagewalk.c: report holes in hugetlb ranges . [ Ben Hutchings ] * [armhf] dts: exynos: Add dwc3 SUSPHY quirk (Closes: #843448) * [mips*] Remove pt_regs adjustments in indirect syscall handler (Closes: #867358) * [arm64] brcmfmac: Enable BRCMFMAC_SDIO (Closes: #877911) * l2tp: Ignore ABI change * [armel,armhf] mbus: Ignore ABI change * usb: gadget: Ignore ABI change * [s390x] mm: Avoid ABI change in 4.9.52 * mac80211: Avoid ABI change in 4.9.53 * mmc: sdio: Avoid ABI change in 4.9.54 * KEYS: Limit ABI change in 4.9.59 * netfilter: nat: Avoid ABI change in 4.9.63 * mm/page_alloc: Avoid ABI change in 4.9.65 * Revert "phy: increase size of MII_BUS_ID_SIZE and bus_id" to avoid ABI change * Revert "bpf: one perf event close won't free bpf program attached ..." 
to avoid ABI change * [rt] Add new signing subkey for Steven Rostedt * [rt] Update to 4.9.61-rt52: - Revert "pci: Use __wake_up_all_locked in pci_unblock_user_cfg_access()" - drivers/zram: fix zcomp_stream_get() smp_processor_id() use in preemptible code - fs/dcache: disable preemption on i_dir_seq's write side - tpm_tis: fix stall after iowrite*()s - fs: convert two more BH_Uptodate_Lock related bitspinlocks - locking/rt-mutex: fix deadlock in device mapper / block-IO - md/raid5: do not disable interrupts * mm/mmap.c: do not blow on PROT_NONE MAP_FIXED holes in the stack (Closes: #865416) * mm/mmap.c: expand_downwards: don't require the gap if !vm_prev * mmap: Remember the MAP_FIXED flag as VM_FIXED * [x86] mmap: Add an exception to the stack gap for Hotspot JVM compatibility (Closes: #865303) . [ Salvatore Bonaccorso ] * media: cx231xx-cards: fix NULL-deref on missing association descriptor (CVE-2017-16536) * mm, thp: Do not make page table dirty unconditionally in touch_p[mu]d() (CVE-2017-1000405) live-config (5.20170112+deb9u1) stretch; urgency=medium . [ Cyril Brulebois ] * Cherry-pick the change below to improve KDE live images. . [ Алексей Шилин ] * Add components/0085-sddm to configure autologin for KDE / Plasma live images. Closes: #865382. lxc (1:2.0.7-2+deb9u1) stretch; urgency=medium . * 0003-lxc-debian-don-t-hardcode-valid-releases.patch: don't hardcode list of valid Debian releases. Allows creating stable, buster, testing, and unstable containers. * 0004-lxc-debian-don-t-write-C.-locales-to-etc-locale.gen.patch: don't insert C.* locales into /etc/locale.gen (Closes: #879595) mediawiki (1:1.27.4-1~deb9u1) stretch-security; urgency=high . * Imported Upstream version 1.27.4 (security release), fixing CVE-2017-8809, CVE-2017-8810, CVE-2017-8808, CVE-2017-8811, CVE-2017-8812, CVE-2017-8814, CVE-2017-8815. 
* Users who used the default configuration should not be affected by CVE-2017-9841, but an extra .htaccess file will restrict web access to the vendor/ directory. mediawiki (1:1.27.4-1~bpo8+1) jessie-backports; urgency=medium . * Rebuild for jessie-backports. mongodb (1:3.2.11-2+deb9u1) stretch; urgency=medium . * Fix segfault/FTBFS on ARM64 with 48-bit virtual addresses (Closes: #871906) * Fix spidermonkey GC segfault when built with GCC 6 (Closes: #876755) * mongodb.service: start after network.target (Closes: #864407) mupdf (1.9a+ds1-4+deb9u2) stretch-security; urgency=high . * Non-maintainer upload by the Security Team. * A compiler optimization was removing the fix for CVE-2017-15587 mupdf (1.9a+ds1-4+deb9u1) stable-security; urgency=high . * Non-maintainer upload by the Security Team. * Fix CVE-2017-14685, CVE-2017-14686, CVE-2017-14687, and CVE-2017-15587 (Closes: #877379, #879055) nautilus (3.22.3-1+deb9u1) stretch-security; urgency=high . [ Phil Wyett ] * CVE-2017-14604: desktop_file_trust.patch + Spoof a file type by using the .desktop file extension, as demonstrated by an attack in which a .desktop file's Name field ends in .pdf but this file's Exec field launches a malicious "sh -c" command. (Closes: #860268). - Initial patch by Phil Wyett - Translations additions by Donncha O'Cearbhaill . [ Yves-Alexis Perez ] * Non-maintainer upload by the Security Team. nss (2:3.26.2-1.1+deb9u1) stretch-security; urgency=high . * Non-maintainer upload by the Security Team. * CVE-2017-7805: Potential use-after-free in TLS 1.2 server when verifying client authentication openjdk-8 (8u151-b12-1~deb9u1) stretch-security; urgency=medium . * Rebuild for stretch-security openjdk-8 (8u144-b01-2) unstable; urgency=medium . [ Matthias Klose ] * Don't regenerate the control file during the build. * Enable systemtap on sh4. * Bump standards version to 4.1.0. * Build using GCC 7 on recent development versions. . 
[ Tiago Stürmer Daitx ] * debian/rules: - when zero/shark alternate vm is built, add '-zero KNOWN' to jvm.cfg. - for non-hotspot builds add '-zero ALIASED_TO -server' to jvm.cfg. - enable zero alternate vm on armhf. * debian/jvm.cfg-client_default: aarch32 only builds the client compiler and requires its own default jvm. Closes: #874434. openjdk-8 (8u144-b01-1) unstable; urgency=medium . * Update to 8u144-b01. - fix regression introduced by security fix S8169392. LP: #1707082. . [ Matthias Klose ] * Fix libjvm.so's .debug file names. LP: #1548434. * Remove dependency on multiarch-support. Closes: #870520. . [ Tiago Stürmer Daitx ] * debian/apport-hook.py: - truncate hs_err if bigger than 100 KiB instead of ignoring it. - add message if hs_err file is not found at expected location. - report file size in human readable SI units. * debian/control.in: - move 'Breaks:' from openjdk-8-jdk-headless to openjdk-8-jre-headless. - remove jamvm references. * debian/control.jamvm-jre: removed. * debian/control.jamvm-trans: transactional package for jamvm. * debian/rules: - add aarch32 hotspot support. - build aarch32 using client jvm-variant (no server in aarch32 port). - use DEB_HOST_ARCH instead of DEB_HOST_ARCH_CPU as armel and armhf are both reported as arm. - explicitly add kfreebsd-i386, kfreebsd-amd64, hurd-i386 to arch_map and archdir_map due to usage of DEB_HOST_ARCH. - avoid building zero as an alternative vm for aarch32. - disable precompiled headers on Trusty to minimize g++-4.8 segfaults. - don't build zero alternate vm on Trusty, avoid g++-4.8 segfaults. - add a 'Breaks:' entry to ca-certificates-java for all releases except Trusty. LP: #1706567. - remove jamvm. * debian/patches/aarch64.diff: remove unnecessary chunks as aarch64 is now upstream. * debian/patches/aarch32.diff: add required changes to root and jdk to build aarch32. * debian/patches/hotspot-libpath-aarch32.diff: copied from hotspot-libpath-default.diff. * debian/patches/ppc64le-8036767.diff: updated. 
* debian/patches/jdk-ppc64el-S8170153.patch: updated to include aarch64. * debian/patches/jdk-java-nio-bits-unligned-aarch64.diff: Check for "aarch64" along with other unaligned access supporting architectures. openjdk-8 (8u141-b15-3) unstable; urgency=high . * Fix building the javadocs, build error introduced by the m68k changes. * Update the kfreebsd patches (Adrian Glaubitz). Closes: #869643, #869672. openjdk-8 (8u141-b15-2) unstable; urgency=high . [ Matthias Klose ] * Update the m68k-support patch (Adrian Glaubitz). Closes: #864180. * Disable generation of jvmti.html on m68k (Adrian Glaubitz). Closes: #864205. * Disable the jamvm autopkg tests. * CVE-2017-10243 is also fixed in 8u141-b15 (S8182054). . [ Tiago Stürmer Daitx ] * patches/hotspot-ppc64el-S8181055-use-numa-v2-api.patch: mbind invalid argument message is still seen after S8175813; use numa_interleave_memory v2 api when available. LP: #1705763. openjdk-8 (8u141-b15-1) unstable; urgency=high . * Update to 8u141-b15, Hotspot 8u141-b16 for AArch64. * Security fixes from 8u141: - CVE-2017-10102, S8163958: Improved garbage collection. - CVE-2017-10053, S8169209: Improved image post-processing steps. - CVE-2017-10067, S8169392: Additional jar validation steps. - CVE-2017-10081, S8170966: Right parenthesis issue. - CVE-2017-10078, S8171539: Better script accessibility for JavaScript. - CVE-2017-10087, S8172204: Better Thread Pool execution. - CVE-2017-10089, S8172461: Service Registration Lifecycle. - CVE-2017-10090, S8172465: Better handling of channel groups. - CVE-2017-10096, S8172469: Transform Transformer Exceptions. - CVE-2017-10101, S8173286: Better reading of text catalogs. - CVE-2017-10107, S8173697: Less Active Activations. - CVE-2017-10074, S8173770: Image conversion improvements. - CVE-2017-10110, S8174098: Better image fetching. - CVE-2017-10108, S8174105: Better naming attribution. - CVE-2017-10109, S8174113: Better sourcing of code. - CVE-2017-10115, S8175106: Higher quality DSA operations. 
- CVE-2017-10118, S8175110: Higher quality ECDSA operations. - CVE-2017-10116, S8176067: Proper directory lookup processing. - CVE-2017-10135, S8176760: Better handling of PKCS8 material. - CVE-2017-10176, S8178135: Additional elliptic curve support. - CVE-2017-10193, S8179101: Improve algorithm constraints implementation. - CVE-2017-10198, S8179998: Clear certificate chain connections. - S8174770: Check registry registration location. - S8174873: Improved certificate procesing. - S8176055: JMX diagnostic improvements. - S8176536: Improved algorithm constraints checking. - S8181420: PPC: Image conversion improvements. - S8182054: Improve wsdl support. - S8184185: Rearrange MethodHandle arrangements. . [ Matthias Klose ] * Provide jvmdir symlink in /usr/lib/debug. Closes: #867314. * Fix pt_BR translation in awt message. Closes: #863331. . [ Tiago Stürmer Daitx ] * debian/rules: - enable apport hook on Ubuntu and derivatives only. - remove with_zenhai logic. - remove unused with_tzdata logic, move tzdata build dependency to control.in. - add Breaks:tzdata-java except for wheezy, jessie or trusty. - re-enable jamvm for Xenial only. - run debian/control before build so we won't build with an invalid control file. - remove logic to select between ttf or font packages and depend on fonts-wqy-microhei and fonts-wqy-zenhei instead * debian/apport-hook.py: add an apport hook to include conffiles modified by the user on any report and the hs_err log file on crash report only. LP: #1696886. * patches/fontconfig-arphic-uming.diff: only enabled when with_zenhai was false; not required since lenny. * patches/hotspot-ppc64el-S8175813-mbind-invalid-argument.patch: prevent invalid argument message when invoking UseNUMA on a system with non-consecutive numa topology. LP: #1697348. openjpeg2 (2.1.2-1.1+deb9u2) stretch-security; urgency=medium . 
* Fix whitespace/indent mess * CVE-2017-14039: CVE-2017-14039.patch * CVE-2017-14040: 2cd30c2b06ce332dede81cccad8b334cde997281.patch * CVE-2017-14041: e5285319229a5d77bf316bb0d3a6cbd3cb8666d9.patch * CVE-2017-14151: afb308b9ccbe129608c9205cf3bb39bbefad90b9.patch * CVE-2017-14152: dcac91b8c72f743bda7dbfa9032356bc8110098a.patch openjpeg2 (2.1.2-1.1+deb9u1) stretch-security; urgency=medium . * CVE-2016-9118: c22cbd8bdf8ff2ae372f94391a4be2d322b36b41.patch * CVE-2016-5152: 3fbe71369019df0b47c7a2be4fab8c05768f2f32.patch * CVE-2016-1628: 11445eddad7e7fa5b273d1c83c91011c44e5d586.patch * CVE-2016-10504: 397f62c0a838e15d667ef50e27d5d011d2c79c04.patch opensaml2 (2.6.0-4+deb9u1) stretch-security; urgency=high . * [9e2c41f] New patch: Security fix from V2.6.1 (CPPOST-105) Thanks to Scott Cantor opensaml2 (2.6.0-4+deb9u1~bpo8+1) jessie-backports; urgency=high . * Rebuild for jessie-backports. openssh (1:7.4p1-10+deb9u2) stretch; urgency=medium . * Test configuration before starting or reloading sshd under systemd (closes: #865770). * Adjust compatibility patterns for WinSCP to correctly identify versions that implement only the legacy DH group exchange scheme (closes: #877800). * Make "--" before the hostname terminate argument processing after the hostname too (closes: #873201). openssl (1.1.0f-3+deb9u1) stretch-security; urgency=medium . * Fix CVE-2017-3735 * Fix CVE-2017-3736 openssl1.0 (1.0.2l-2+deb9u1) stretch-security; urgency=medium . * Fix CVE-2017-3735 * Fix CVE-2017-3736 otrs2 (5.0.16-1+deb9u3) stretch-security; urgency=high . * Add patch 17-CVE-2017-16664: This fixes OSA-2017-07, also known as CVE-2017-16664: An attacker who is logged into OTRS as an agent can request special URLs from OTRS which can lead to the execution of shell commands with the permissions of the web server user. Closes: #882370 otrs2 (5.0.16-1+deb9u2) stretch-security; urgency=high . 
* Add patch 16-CVE-2017-14635: This fixes OSA-2017-04, also known as CVE-2017-14635: An attacker who is logged into OTRS as an agent with write permissions for statistics can inject arbitrary code into the system. This can lead to serious problems like privilege escalation, data loss, and denial of service. Closes: #876462 pdns (4.0.3-1+deb9u2) stretch; urgency=medium . * Add upstream patch fixing security issue: * Missing check on API operations. CVE-2017-15091 pdns (4.0.3-1+deb9u1) stretch; urgency=medium . * Fix incorrect qname casing in NSEC3 generation (Closes: #869222) pdns-recursor (4.0.4-1+deb9u2) stretch; urgency=medium . * Add upstream patches fixing security issues: * Insufficient validation of DNSSEC signatures. CVE-2017-15090 * Cross-Site Scripting in the web interface. CVE-2017-15092 * Configuration file injection in the API. CVE-2017-15093 * Memory leak in DNSSEC parsing. CVE-2017-15094 postgresql-9.6 (9.6.6-0+deb9u1) stretch-security; urgency=medium . * New upstream version. . + Ensure that INSERT ... ON CONFLICT DO UPDATE checks table permissions and RLS policies in all cases (Dean Rasheed) . The update path of INSERT ... ON CONFLICT DO UPDATE requires SELECT permission on the columns of the arbiter index, but it failed to check for that in the case of an arbiter specified by constraint name. In addition, for a table with row level security enabled, it failed to check updated rows against the table's SELECT policies (regardless of how the arbiter index was specified). (CVE-2017-15099) . + Fix crash due to rowtype mismatch in json{b}_populate_recordset() (Michael Paquier, Tom Lane) . These functions used the result rowtype specified in the FROM ... AS clause without checking that it matched the actual rowtype of the supplied tuple value. If it didn't, that would usually result in a crash, though disclosure of server memory contents seems possible as well. (CVE-2017-15098) . 
     + Fix BRIN index summarization to handle concurrent table extension
       correctly (Álvaro Herrera)
 .
       Previously, a race condition allowed some table rows to be omitted from
       the index. It may be necessary to reindex existing BRIN indexes to
       recover from past occurrences of this problem.

postgresql-9.6 (9.6.5-1) unstable; urgency=medium
 .
   * Team upload.
   * New upstream version.

postgresql-9.6 (9.6.5-0+deb9u1) stretch; urgency=medium
 .
   * New upstream bugfix release.

postgresql-9.6 (9.6.5-0+deb9u1~bpo8+1) jessie-backports; urgency=medium
 .
   * Rebuild for jessie-backports.
 .
 postgresql-9.6 (9.6.5-0+deb9u1) stretch; urgency=medium
 .
   * New upstream bugfix release.
 .
 postgresql-9.6 (9.6.4-0+deb9u1) stretch-security; urgency=high
 .
   * New upstream security release.
 .
     + Further restrict visibility of pg_user_mappings.umoptions, to protect
       passwords stored as user mapping options. See the release notes for
       instructions for applying the fix to existing database clusters.
       (CVE-2017-7547; extends fix for CVE-2017-7484)
     + Disallow empty passwords in all password-based authentication methods.
       (CVE-2017-7546)
     + Make lo_put() check for UPDATE privilege on the target large object.
       (CVE-2017-7548)
 .
   * Remove debian/patches/s390x-fpic, implemented upstream.
 .
 postgresql-9.6 (9.6.3-3) unstable; urgency=medium
 .
   * pg_config: Unbreak CFLAGS_SL on sparc64.
 .
 postgresql-9.6 (9.6.3-2) unstable; urgency=medium
 .
   * pg_config: Set CFLAGS_SL=-fPIC on s390x. (Closes: #862948)

postgresql-9.6 (9.6.4-1) unstable; urgency=medium
 .
   * Team upload.
   * New upstream version.
 .
     + Further restrict visibility of pg_user_mappings.umoptions, to protect
       passwords stored as user mapping options. See the release notes for
       instructions for applying the fix to existing database clusters.
       (CVE-2017-7547; extends fix for CVE-2017-7484)
     + Disallow empty passwords in all password-based authentication methods.
       (CVE-2017-7546)
     + Make lo_put() check for UPDATE privilege on the target large object.
       (CVE-2017-7548)
 .
   * debian/rules: Unconditionally use DEB_BUILD_MAINT_OPTIONS=hardening=+all.
     The old logic is kept around for compiling on older distributions.
   * Remove long obsolete --with-krb5 and move c/ldflags to configure
     switches.

postgresql-common (181+deb9u1) stretch-security; urgency=medium
 .
   * pg_ctlcluster, pg_createcluster, pg_upgradecluster: Use lchown instead of
     chown to mitigate privilege escalation via symlinks. (CVE-2017-8806.
     Related to CVE-2017-12172 in PostgreSQL; extends our earlier fix for
     CVE-2016-1255.)

procmail (3.22-25+deb9u1) stretch-security; urgency=high
 .
   * Fix buffer overflow in loadbuf(). Closes: #876511. Reported by Jakub Wilk
     using American Fuzzy Lop. For reference, this is CVE-2017-16844.

publicsuffix (20171028.2055-0+deb9u1) stable; urgency=medium
 .
   * new upstream publicsuffix data

publicsuffix (20170910.1557-1) unstable; urgency=medium
 .
   * new upstream version

publicsuffix (20170910.1557-0+deb9u1) stable; urgency=medium
 .
   * new upstream publicsuffix data

publicsuffix (20170828.2009-1) unstable; urgency=medium
 .
   * new upstream version

publicsuffix (20170809.0951-1) unstable; urgency=medium
 .
   * new upstream version
   * Standards-Version: bump to 4.0.1 (Priority: extra → optional)
   * wrap-and-sort -ast
   * bump to debhelper 10

publicsuffix (20170713.1023-1) unstable; urgency=medium
 .
   * new upstream version

publicsuffix (20170711.1723-1) unstable; urgency=medium
 .
   * new upstream version

publicsuffix (20170622.1007-1) unstable; urgency=medium
 .
   * new upstream version

publicsuffix (20170616.1637-1) unstable; urgency=medium
 .
   * new upstream version

pyosmium (2.11.3-1) stretch; urgency=medium
 .
   * New upstream bugfix release.
     - handler functions not called when using replication service (#38)
     - handler functions not called when using Reader instead of file

python-diff-match-patch (20121119-3~deb9u1) stretch; urgency=medium
 .
   * Non-maintainer upload.
   * Rebuild for stretch.
 .
 python-diff-match-patch (20121119-3) unstable; urgency=medium
 .
   * Add missing python3 dependency on Python 3 package, with thanks to Adrian
     Bunk for the report (Closes: #867424).
   * Update Standards-Version to 4.0.0 (no changes required)

python-inflect (0.2.5-1.1~deb9u1) stretch; urgency=medium
 .
   * Non-maintainer upload.
   * Rebuild for stretch.
 .
 python-inflect (0.2.5-1.1) unstable; urgency=medium
 .
   * Non-maintainer Upload
   * Apply patch from Adrian Bunk to correctly generate dependencies for the
     python 3 package (Closes: #867438)

python-tablib (0.9.11-2+deb9u1) stretch; urgency=low
 .
   * CVE-2017-2810: apply upstream patch: use safe load (Closes: #864818).

python-tablib (0.9.11-2+deb8u1) jessie; urgency=low
 .
   * CVE-2017-2810: apply upstream patch: use safe load (Closes: #864818).

python2.7 (2.7.13-2+deb9u2) stretch; urgency=medium
 .
   * Backport c3c9db89273fabc62ea1b48389d9a3000c1c03ae to address
     CVE-2017-1000158 / https://bugs.python.org/issue30657

python2.7 (2.7.13-2+deb9u1) stretch; urgency=medium
 .
   * Non-maintainer upload with maintainer's permission
   * Support all groups in TLS communication (Closes: #868143)

qemu (1:2.8+dfsg-6+deb9u3) stretch-security; urgency=high
 .
   * xhci-dont-kick-in-xhci_submit-and-xhci_fire_ctl_transfer.patch
     This is a pre-required patch for the next patch to work right.
     Closes: #869945
   * xhci-guard-xhci_kick_epctx-against-recursive-calls-CVE-2017-9375.patch
     After applying previous patch, this one can be applied again
     Closes: #864219, CVE-2017-9375
   * ide-do-not-flush-empty-CDROM-drives-CVE-2017-12809.patch
     Closes: #873849, CVE-2017-12809
   * vga-stop-passing-pointers-to-vga_draw_line-functions-CVE-2017-13672.patch
     Closes: #873851, CVE-2017-13672
   * multiboot-validate-multiboot-header-address-values-CVE-2017-14167.patch
     Closes: #874606, CVE-2017-14167
   * slirp-fix-clearing-ifq_so-from-pending-packets-CVE-2017-13711.patch
     Closes: #873875, CVE-2017-13711
   * exec-add-lock-parameter-to-qemu_ram_ptr_length.patch
     upstream patch fixing memory leak after
     exec-use-qemu_ram_ptr_length-to-access-guest-ram-CVE-2017-11334.patch
     Closes: #871648, #871702, #872257

qtcurve (1.8.18+git20160320-3d8622c-3+deb9u1) stable; urgency=medium
 .
   * Add patch replace-memcmp-with-strncmp. It fixes crash when using QtCurve
     widget style and Breeze preset. (Closes: #865765)
     [Thanks to Sergey Sharybin]

quagga (1.1.1-3+deb9u1) stretch-security; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * bgpd: Fix AS_PATH size calculation for long paths (CVE-2017-16227)
     (Closes: #879474)

roundcube (1.2.3+dfsg.1-4+deb9u1) stretch-security; urgency=high
 .
   * Backport fix for CVE-2017-16651: File disclosure vulnerability caused by
     insufficient input validation in conjunction with file-based attachment
     plugins, which are used by default.
     https://github.com/roundcube/roundcubemail/issues/6026

ruby-httparty (0.13.7-1+deb9u1) stretch; urgency=medium
 .
   * Relax dependency version in gem dependency on json. This fixes loading
     httparty with the gem command (Closes: #864723)

ruby-ox (2.1.1-2+deb9u1) stretch; urgency=medium
 .
   * Team upload
   * Add fix_parse_obj_segfault.patch picked from upstream
     + fix CVE-2017-15928: segmentation fault in parse_obj (Closes: #881445)

ruby-ox (2.1.1-2+deb8u1) jessie; urgency=medium
 .
   * Team upload
   * Add fix_parse_obj_segfault.patch picked from upstream
     + fix CVE-2017-15928: segmentation fault in parse_obj (Closes: #881445)

ruby-pygments.rb (0.6.3-2+deb9u1) stretch; urgency=medium
 .
   * Team upload
   * Add Set-reasonable-upper-limit-to-RLIMIT_NOFILE.patch to avoid closing
     too many files when mentos starts (Closes: #876768)

ruby2.3 (2.3.3-1+deb9u2) stretch-security; urgency=high
 .
   * asn1: fix out-of-bounds read in decoding constructed objects
     [CVE-2017-14033] (Closes: #875928)
     Original patch by Kazuki Yamaguchi; backported from the standalone
     openssl package
   * lib/webrick/log.rb: sanitize any type of logs
     [CVE-2017-10784] (Closes: #875931)
     Original patch by Yusuke Endoh; backported to Ruby 2.3 by Usaku NAKAMURA
   * fix Buffer underrun vulnerability in Kernel.sprintf
     [CVE-2017-0898] (Closes: #875936)
     Backported to Ruby 2.3 by Usaku NAKAMURA
   * Whitelist classes and symbols that are in Gem spec YAML
     [CVE-2017-0903] (Closes: #879231)
     Original patch by Aaron Patterson; backported from the standalone
     Rubygems package
   * thread_pthread.c: do not wakeup inside child processes
     Avoid child Ruby processes being stuck in a busy loop (Closes: #876377)
     Original patch by Eric Wong

samba (2:4.5.12+dfsg-2+deb9u1) stretch-security; urgency=high
 .
   * This is a security release in order to address the following defects:
     - CVE-2017-15275: s3: smbd: Chain code can return uninitialized memory
       when talloc buffer is grown.
     - CVE-2017-14746: s3: smbd: Fix SMB1 use-after-free crash bug.

schroot (1.6.10-3+deb9u1) stretch; urgency=medium
 .
   * Fix up bash completion file. Closes: #855283
   * Add systemd service file with Type=oneshot to avoid issues with timeouts
     when you have many schroot sessions open. Closes: #835104
     Thanks to Laurent Bigonville for the patch.
   * Add missing Homepage field.

shadowsocks-libev (2.6.3+ds-3+deb9u1) stretch-security; urgency=high
 .
   * debian/patches:
     - Backport a few patches from upstream.
       + [c67d275] Fix potential local exploit issue.
         Thanks to X41 D-Sec GmbH, Niklas Abel, for the reporting:
         https://www.x41-dsec.de/lab/advisories/x41-2017-010-shadowsocks-libev/

shadowsocks-libev (2.6.3+ds-3+deb9u1~bpo8+1) jessie-backports; urgency=medium
 .
   * Rebuild for jessie-backports.

shibboleth-sp2 (2.6.0+dfsg1-4+deb9u1) stretch-security; urgency=high
 .
   * [bf25c5f] New patch: Security fix from V2.6.1 (SSPCPP-763)
     Thanks to Scott Cantor

shibboleth-sp2 (2.6.0+dfsg1-4+deb9u1~bpo8+1) jessie-backports; urgency=high
 .
   * Rebuild for jessie-backports.
 .
 shibboleth-sp2 (2.6.0+dfsg1-4+deb9u1) stretch-security; urgency=high
 .
   * [bf25c5f] New patch: Security fix from V2.6.1 (SSPCPP-763)
     Thanks to Scott Cantor

simutrans (120.1.3+repack-3+deb9u1) stretch; urgency=medium
 .
   * Team upload.
   * Enable sound for simutrans again. Switch from SDL to mixer_sdl backend.
     (Closes: #869029)

sitesummary (0.1.28+deb9u1) stretch; urgency=medium
 .
   [ Wolfgang Schweer ]
   * Adjust nagios kernel version checking module to work with 4.x kernels.
     (Closes: #883323)

slic3r (1.2.9+dfsg-6.1~deb9u1) stretch; urgency=medium
 .
   * Non-maintainer upload.
   * Rebuild for stretch.
 .
 slic3r (1.2.9+dfsg-6.1) unstable; urgency=medium
 .
   * Non-maintainer upload.
   * Fix "missing dependency on perlapi-*": add override_dh_perl in
     debian/rules to make dh_perl search for perl modules in the private
     directory as well. (Closes: #869360)

slurm-llnl (16.05.9-1+deb9u1) stretch-security; urgency=high
 .
   * Fix CVE-2017-15566 caused by insecure SPANK environment variable
     handling, allowing privilege escalation to root during Prolog or Epilog
     execution (Closes: #880530)

spamassassin (3.4.1-6+deb9u1) stretch; urgency=medium
 .
   * Ensure that spamd doesn't automatically start upon initial installation.
   * Disable bb.barracudacentral.org (RCVD_IN_BRBL_LASTEXT), as it requires
     users to register. (Closes: #861671)
   * Update the systemd unit file to use the same pid file as was used in the
     sysvinit script.
     (Closes: #808804)
   * Update spamassassin docs to remove outdated gpg version compatibility
     note. (Closes: #853913)
   * Update systemd unit dependencies to include network and syslog.
     (Closes: 864810)
   * Fix inappropriate invocation of invoke-rc.d in cron script.
     (Closes: 865514)
   * Fix spamd service manage on upgrades. (Closes: #865356)

sqldeveloper-package (0.2.4+deb9u1) stretch; urgency=medium
 .
   * Non-maintainer upload.
   * Add required '--' before debian/rules target (Closes: #868673)
   * Add --no-tgz-check as sqldeveloper is non-free

sqlite3 (3.16.2-5+deb9u1) stretch; urgency=medium
 .
   * Fix CVE-2017-10989, heap-based buffer over-read via undersized RTree
     blobs (closes: #867618).

swauth (1.2.0-2+deb9u1) stretch-security; urgency=high
 .
   * Hash token before storing it in Swift (CVE-2017-16613, Closes: #882314)

swauth (1.2.0-2+deb9u1~bpo8+1) jessie-backports; urgency=medium
 .
   * Rebuild for jessie-backports.
 .
 swauth (1.2.0-2+deb9u1) stretch-security; urgency=high
 .
   * Hash token before storing it in Swift (CVE-2017-16613, Closes: #882314)

syslinux (3:6.03+dfsg-14.1+deb9u1) stretch; urgency=medium
 .
   * Add patch from upstream to fix btrfs logical to physical block address
     mapping (Closes: #865462).
   * Add patch from upstream to fix boot problem for old BIOS firmware from
     around 2005 by correcting the C/H/S order (thanks Thomas Schmitt,
     Closes: #879004).
   * Add patch 0018-ext4-Fix-64bit-feature.patch from upstream to support
     ext4 64bit feature (Closes: #833057).

tdbcodbc (1.0.4-2+deb9u1) stretch; urgency=medium
 .
   * Fixed bug in odbc libraries search as it caused a non existing symbol to
     be loaded

thunderbird (1:52.4.0-1~deb9u1) stretch-security; urgency=medium
 .
   [ Carsten Schoenert ]
   * Rebuild for stretch-security
 .
   [ Guido Günther ]
   * [da3c5cc] Simplify endianness selection for ICU
     Since we need to build ICU on the various Debian releases we need to
     ensure the architecture detection isn't too strict.
     Thanks Guido for helping out here!
 .
   [ Carsten Schoenert ]
   * [47748ca] debian/control: be more relaxed on Breaks for enigmail
   * [6a54666] thunderbird-wrapper: fix small typo in help output
     A small typo happened in the example call with the JS console.
   * [6d5266e] README.Debian: update info around tls fallback-limit
     The default behavior on the TLS fallback has changed some versions ago,
     document this accordingly.
   * [24ad883] debian/control: change maintainer
     Thanks Christoph for the work over the past years!
   * [c78200e] debian/control: move src pkg name to thunderbird
     By this version we move the source package name also back to
     thunderbird. This follows the changes that are already made to the
     binary package names and we can call the source package now also again
     thunderbird. (Closes: #857075)
   * [c26133d] debian/gbp.conf: rename components to real used names
     Due to the changes of the source package the names for the sub-folders
     within the additional tarballs can also be changed to be closer on the
     real upstream used names.
   * [a5ce4f7] New upstream version 52.4.0 (Closes: #878845, #878870)
     Fixed CVE issues in upstream version 52.0 (MFSA 2017-23)
     CVE-2017-7793: Use-after-free with Fetch API
     CVE-2017-7818: Use-after-free during ARIA array manipulation
     CVE-2017-7819: Use-after-free while resizing images in design mode
     CVE-2017-7824: Buffer overflow when drawing and validating elements with ANGLE
     CVE-2017-7805: Use-after-free in TLS 1.2 generating handshake hashes
     CVE-2017-7814: Blob and data URLs bypass phishing and malware protection warnings
     CVE-2017-7825: OS X fonts render some Tibetan and Arabic unicode characters as spaces
     CVE-2017-7823: CSP sandbox directive did not create a unique origin
     CVE-2017-7810: Memory safety bugs fixed in Firefox 56 and Firefox ESR 52.4, and Thunderbird 52.4
   * [104b4e5] rebuild patch queue from patch-queue branch
   * [d63662a] lintian: move oldlibs/extra -> oldlibs/optional
     By moving all transitional package to oldlibs/optional we can help
     deborphan to detect better not needed
     packages.
   * [fb56001] d/rules: reflect changes from renamed component tarballs
     The additional tarballs are stored in folders which reflect the upstream
     names of those components. This also needs to be respected for the build
     instructions of the package.
   * [61288fb] debian/control: change Vcs* fields due the src name change
     Addressing the changed source package name in the Git Vcs urls.
   * [ef95ab5] debian/control: increase Standards-Version to 4.1.1
     No further changes needed.
   * [45e8fe2] apparmor: update profile from upstream
     Thanks to Simon Deziel and intrigeri we can simply use the apparmor
     profile changes done for the Ubuntu releases.
   * [6b1649c] lintian: adding a override for thunderbird-l10n-all
   * [ceab93f] debian/README.source: reflect src package name change

thunderbird (1:52.4.0-1~deb8u1) jessie-security; urgency=medium
 .
   [ Carsten Schoenert ]
   * Rebuild for jessie-security
 .
   [ Guido Günther ]
   * [da3c5cc] Simplify endianness selection for ICU
     Since we need to build ICU on the various Debian releases we need to
     ensure the architecture detection isn't too strict.
     Thanks Guido for helping out here!
 .
   [ Carsten Schoenert ]
   * [47748ca] debian/control: be more relaxed on Breaks for enigmail
   * [6a54666] thunderbird-wrapper: fix small typo in help output
     A small typo happened in the example call with the JS console.
   * [6d5266e] README.Debian: update info around tls fallback-limit
     The default behavior on the TLS fallback has changed some versions ago,
     document this accordingly.
   * [24ad883] debian/control: change maintainer
     Thanks Christoph for the work over the past years!
   * [c78200e] debian/control: move src pkg name to thunderbird
     By this version we move the source package name also back to
     thunderbird. This follows the changes that are already made to the
     binary package names and we can call the source package now also again
     thunderbird.
     (Closes: #857075)
   * [c26133d] debian/gbp.conf: rename components to real used names
     Due to the changes of the source package the names for the sub-folders
     within the additional tarballs can also be changed to be closer on the
     real upstream used names.
   * [a5ce4f7] New upstream version 52.4.0 (Closes: #878845, #878870)
     Fixed CVE issues in upstream version 52.0 (MFSA 2017-23)
     CVE-2017-7793: Use-after-free with Fetch API
     CVE-2017-7818: Use-after-free during ARIA array manipulation
     CVE-2017-7819: Use-after-free while resizing images in design mode
     CVE-2017-7824: Buffer overflow when drawing and validating elements with ANGLE
     CVE-2017-7805: Use-after-free in TLS 1.2 generating handshake hashes
     CVE-2017-7814: Blob and data URLs bypass phishing and malware protection warnings
     CVE-2017-7825: OS X fonts render some Tibetan and Arabic unicode characters as spaces
     CVE-2017-7823: CSP sandbox directive did not create a unique origin
     CVE-2017-7810: Memory safety bugs fixed in Firefox 56 and Firefox ESR 52.4, and Thunderbird 52.4
   * [104b4e5] rebuild patch queue from patch-queue branch
   * [d63662a] lintian: move oldlibs/extra -> oldlibs/optional
     By moving all transitional package to oldlibs/optional we can help
     deborphan to detect better not needed packages.
   * [fb56001] d/rules: reflect changes from renamed component tarballs
     The additional tarballs are stored in folders which reflect the upstream
     names of those components. This also needs to be respected for the build
     instructions of the package.
   * [61288fb] debian/control: change Vcs* fields due the src name change
     Addressing the changed source package name in the Git Vcs urls.
   * [ef95ab5] debian/control: increase Standards-Version to 4.1.1
     No further changes needed.
   * [45e8fe2] apparmor: update profile from upstream
     Thanks to Simon Deziel and intrigeri we can simply use the apparmor
     profile changes done for the Ubuntu releases.
   * [6b1649c] lintian: adding a override for thunderbird-l10n-all
   * [ceab93f] debian/README.source: reflect src package name change

thunderbird (1.5.0.7-2) unstable; urgency=low
   * go through new upload ... reenable thunderbird-dbg
   * increase reference count for fontconfig charset
     91_fontconfig_reference_increment_388739 (Closes: 388739)

thunderbird (1.5.0.7-1) unstable; urgency=high
   * disabled new package to avoid queue new: thunderbird-dbg
   * new upstream release fixes security issues:
     + MFSA 2006-64 - CVE-2006-4571
     + MFSA 2006-63 - CVE-2006-4570
     + MFSA 2006-62 - CVE-2006-4569
     + MFSA 2006-61 - CVE-2006-4568
     + MFSA 2006-60 - CVE-2006-4340 (related to CVE-2006-4339)
     + MFSA 2006-59 - CVE-2006-4253
     + MFSA 2006-58 - CVE-2006-4567
     + MFSA 2006-57 - CVE-2006-4565, CVE-2006-4566
   * disable patch 90_gcc-extern-fix, because it has been pulled in upstream
   * disable 91_271815.overthespot.v1.2, because applied upstream

thunderbird (1.5.0.5-1) unstable; urgency=high
   * new upstream release fixes various security flaws:
     + MFSA 2006-44, CVE-2006-3801
     + MFSA 2006-46, CVE-2006-3113
     + MFSA 2006-47, CVE-2006-3802
     + MFSA 2006-48, CVE-2006-3803
     + MFSA 2006-49, CVE-2006-3804
     + MFSA 2006-50, CVE-2006-3805, CVE-2006-3806
     + MFSA 2006-51, CVE-2006-3807
     + MFSA 2006-52, CVE-2006-3808
     + MFSA 2006-53, CVE-2006-3809
     + MFSA 2006-54, CVE-2006-3810
     + MFSA 2006-55, CVE-2006-3811
   * including patch 91_271815.overthespot.v1.2.dpatch
     (Closes: 379936, 363814)
   * improve manpage: Document -g, --debug options (Closes: 381096)
   * update for ja.po, contributed by Kenshi Muto (Closes: 379946)
   * update for pt.po, contributed by Rui Branco (Closes: 381444)
   * Provide virtual package news-reader (Closes: 363834)
   * Apply patch which introduces ReplyToList MessageType. This is the base to
     allow extensions that provide ReplyToList button to get installed.
     Thanks to Armin Berres for pointing out this unintrusive patch.
     (Closes: 381273)
   * fix README.Debian for firefox integration as well as example of global
     pref.js (firefox.js.tmpl) (Closes: 363723)
   * further improvements for README.Debian
   * fix gnome integration program path in a hard-coded fashion in
     91_gnome_path_fix.dpatch (Closes: 365610)

thunderbird (1.5.0.4-3) unstable; urgency=critical
   * fixing gcc-4.1 ftbfs (Closes: 377176)
   * improved manpage by Bastian Kleineidam documenting -safe-mode option
     (Closes: 370254)
   * include *no xgot* patch for mips/mipsel contributed by Thiemo Seufer
     (Closes: 374882)

thunderbird (1.5.0.4-2) unstable; urgency=critical
   * fix version in install.rdf for inspector and typeaheafind
     (Closes: 374382)
   * (last one was a new upstream release fixing various security issues
     (Closes: 373878, 373553)
   * urgency=critical

thunderbird (1.5.0.4-1) unstable; urgency=low
   * new upstream release fixing various security issues:
     MFSA 2006-42, CVE-2006-2783: Web site XSS using BOM on UTF-8 pages
     MFSA 2006-40, CVE-2006-2781: Double-free on malformed VCard
     MFSA 2006-38, CVE-2006-2778: Buffer overflow in crypto.signText()
     MFSA 2006-37, CVE-2006-2776: Remote compromise via content-defined setter on object prototypes
     MFSA 2006-35, CVE-2006-2775: Privilege escalation through XUL persist
     MFSA 2006-33, CVE-2006-2786: HTTP response smuggling
     MFSA 2006-32, CVE-2006-2779, CVE-2006-2780: Fixes for crashes with potential memory corruption
     MFSA 2006-31, CVE-2006-2787: EvalInSandbox escape (Proxy Autoconfig, Greasemonkey)
   * build depends:
     + xorg-dev -> libx11-dev, libxt-dev, libxinerama-dev, libxft-dev,
       libfreetype6-dev, libxrender-dev
     + removed binutils, coreutils and po-debconf
   * enable xinerama in debian/rules
   * fixed lintian errors:
     + do not depend on xorg dev meta package
     + debhelper depend is now versioned
     + changed package description(s) to not start with 'thunderbird'

thunderbird (1.5.0.2-3) unstable; urgency=low
   * patch-robbery from firefox package:
     + removed old mips and arm patches
     + added 50_arch_arm_fix
     + added 50_arch_alpha_fix
     + added 50_arch_m68k_fix
     + added 50_arch_mips_Makefile_fix
     + added 50_arch_mips_fix (Closes: 357755)
     + added 50_arch_parisc_Makefile_fix
     + added 50_arch_parisc_fix
   * included install.rdf for default theme in extensions dir
     (Closes: 363956)
   * removed chrome.d locales.d extensions.d from var/lib/thunderbird

thunderbird (1.5.0.2-2) unstable; urgency=critical
   * debian/thunderbird.sgml. Greatly improved manpage for thunderbird, thanks
     to Sam Morris for contributing this (Closes: 361069)
   * add missing build depend to sharutils to fix ftbfs (Closes: 365539)
   * fix gnome-support package removing gnome dependencies from pure
     thunderbird package.
   * set urgency to critical which I forgot to set properly for the last
     upload

thunderbird (1.5.0.2-1) unstable; urgency=low
   * removed enable xprint in order to build after X11R7 transition.
   * removed xprint recommends from control file.
   * 91_fontsfix_359763.dpatch: fix for 'thunderbird shows text illegibly' for
     some encodings. (Closes: 359763)
   * myspell is now depends (Closes: 357623)
   * (re-)including 10_mips_optimization_patch
   * debian/patches/90_ppc64-build-fix.dpatch: patch for 'FTBFS (ppc64)',
     thanks to Andreas Jochens for adding the final patch to the report.
     (Closes: 361036)
   * Thanks to Bastian Kleineidam for contributing:
     * Standards version 3.6.2.1
     * Use debhelper v5 with debian/compat
     * Remove unneeded thunderbird.conffiles now that debhelper v5 is used
     * Remove CVS directories in debian/
     * Fix debian/changelog syntax errors, and convert to UTF-8
     * Fix bashism in debian/thunderbird.postrm, using 2> instead of &>.
     * Add ${misc:Depends} to thunderbird* dependencies, fixing a missing
       dependency on debconf
     * Move db_input commands from postinst into a separate
       thunderbird.config file.
   * distinct gnome-support package added. adds a good bunch of gnome build
     depends to allow module linking against gnome libs.
   * added new fhunderbird-branding in debian/fhunderbird-branding.tmpl
     (Closes: 358198)
   * use only one profile directory in configure (Closes: 358378)
   * Various security issues are fixed in this release. Namely:
     CVE-2006-1741 CVE-2006-1742 CVE-2006-1737 CVE-2006-1738
     CVE-2006-1739 CVE-2006-1740 CVE-2006-1736 CVE-2006-1735
     CVE-2006-1734 CVE-2006-1733 CVE-2006-1732 CVE-2006-0749
     CVE-2006-1731 CVE-2006-1724 CVE-2006-0884 CVE-2006-1730
     CVE-2006-1729 CVE-2006-1728 CVE-2006-1727 CVE-2006-1045
     CVE-2006-0748 CVE-2006-1726 CVE-2006-1725 CVE-2005-2353
     CVE-2006-1529 CVE-2006-1530 CVE-2006-1531 CVE-2006-1723
     CVE-2006-0292/CVE-2006-0293 (Closes: 349242)
     CVE-2006-0294 CVE-2006-0295 CVE-2006-0296 CVE-2006-0297
     CVE-2006-0298 CVE-2006-0299

tor (0.2.9.13-1) stretch; urgency=medium
 .
   * New upstream version:
     - update directory authority set

tor (0.2.9.12-1) stretch-security; urgency=medium
 .
   * New upstream version:
     - CVE-2017-0380 (TROVE-2017-008): Stack disclosure in hidden services
       logs when SafeLogging disabled
     - other maintenance and security related fixes, see upstream changelog.

tor (0.2.9.12-1~bpo8+1) jessie-backports; urgency=medium
 .
   * Rebuild for jessie-backports.
   * Build-depend on dh-apparmor version >= 2.10.95, which is in backports,
     to avoid running into Bug #822349.

tor (0.2.9.11-1) unstable; urgency=high
 .
   * New upstream version.
     - Fix a remotely triggerable assertion failure caused by receiving a
       BEGIN_DIR cell on a hidden service rendezvous circuit. Fixes bug 22494,
       tracked as TROVE-2017-005 and CVE-2017-0376; bugfix on 0.2.2.1-alpha.
       (closes: #864424)

tzdata (2017c-0+deb9u1) stretch; urgency=medium
 .
   * New upstream version, affecting the following future timestamp:
     - Northern Cyprus resumed EU rules starting 2017-10-29.
     - Namibia will switch from +01 with DST to +02 all year, affecting UT
       offsets starting 2018-04-01.
     - Sudan will switch from +03 to +02 on 2017-11-01.
     - Tonga will not observe DST on 2017-11-05.
     - Turks & Caicos will switch from -04 all year to -05 with US DST,
       affecting UT offset starting 2018-11-04.

tzdata (2017c-0+deb8u1) jessie; urgency=medium
 .
   * New upstream version, affecting the following future timestamp:
     - Northern Cyprus resumed EU rules starting 2017-10-29.
     - Namibia will switch from +01 with DST to +02 all year, affecting UT
       offsets starting 2018-04-01.
     - Sudan will switch from +03 to +02 on 2017-11-01.
     - Tonga will not observe DST on 2017-11-05.
     - Turks & Caicos will switch from -04 all year to -05 with US DST,
       affecting UT offset starting 2018-11-04.

tzdata (2017b-2) unstable; urgency=medium
 .
   [ Aurelien Jarno ]
   * Update Dutch debconf translation, by Frans Spiesschaert.
     Closes: #861700.
   * debian/control: provide tzdata-buster instead of tzdata-stretch.

udftools (1.3-2~deb9u1) stretch; urgency=low
 .
   * Fix path to pktsetup in udftools init script

varnish (5.0.0-7+deb9u2) stretch-security; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * Avoid buffer read overflow on vcl_error and -sfile (CVE-2017-8807)

vlc (2.2.7-1~deb9u1) stretch-security; urgency=high
 .
   * New upstream release.
     - Fix crash in libavcodec module (heap write out-of band).
       (CVE-2017-10699)
     - Fix flac heap write overflow on format change. (CVE-2017-9300)
     - Fix AVI read/write overflow.
   * Update ffmpeg to 2.8.13.
   * debian/{control,*.maintscript}: Bump versions to ensure proper upgrades
     from jessie.

vlc (2.2.7-1~deb8u1) jessie-security; urgency=high
 .
   * New upstream release.
     - Fix crash in libavcodec module (heap write out-of band).
       (CVE-2017-10699)
     - Fix flac heap write overflow on format change. (CVE-2017-9300)
     - Fix AVI read/write overflow.

vlc (2.2.6-6) unstable; urgency=medium
 .
   * Update to ffmpeg 2.8.13.

vlc (2.2.6-5) unstable; urgency=medium
 .
   * debian/control: Bump Standards-Version.
   * debian/patches: Add support for libupnp 1.8. (Closes: #868936)

vlc (2.2.6-4) unstable; urgency=medium
 .
   * debian/upstream: Add DEP-12 metadata.
   * debian/control:
     - Restrict Recommends on vlc-plugin-samba to linux-any kfreebsd-any.
     - Switch to timgm6mb-soundfont. (Closes: #870790)
     - Bump Standards-Version.
   * debian/{rules,control,vlc-plugin-base}: No longer build directfb plugin.
     directfb upstream is inactive and the plugin got removed for vlc 3.0.
   * debian/vlc-plugin-base.lintian-overrides: Override
     shlibs-with-non-pic-code. See lintian overrides of ffmpeg for more
     details.

vlc (2.2.6-3) unstable; urgency=medium
 .
   [ Mateusz Łukasik ]
   * debian/patches: avcodec: Check visible sizes (CVE-2017-10699).
 .
   [ Sebastian Ramacher ]
   * debian/patches: flac: Fix heap write overflow on frame format change.
     (CVE-2017-9300)

vlc (2.2.6-2) unstable; urgency=medium
 .
   * Upload to unstable.
   * Update to ffmpeg 2.8.12.
   * debian/control:
     - Remove Build-Conflicts.
     - Bump Standards-Version.
   * debian/rules: Build with hardening=+all.

vlc (2.2.6-1) experimental; urgency=medium
 .
   * New upstream release.
     - demuxer: Fix heap buffer overflows (CVE-2017-8312).

weechat (1.6-1+deb9u2) stretch; urgency=medium
 .
   * Non-maintainer upload.
   * logger: call strftime before replacing buffer local variables
     (CVE-2017-14727) (Closes: #876553)

wget (1.18-5+deb9u1) stretch-security; urgency=medium
 .
   * CVE-2017-13089 / CVE-2017-13090

wordpress (4.7.5+dfsg-2+deb9u1) stretch-security; urgency=medium
 .
   * Backport patches from 4.8.2 Closes: #876274
     - CVE-2017-14723
       $wpdb->prepare() can create unexpected and unsafe queries leading to
       potential SQL injection (SQLi)
       Changeset 41472, 41498
     - CVE-2017-14724
       Cross-site scripting (XSS) vulnerability in the oEmbed discovery
       Changeset 41451
     - CVE-2017-14726
       Cross-site scripting (XSS) vulnerability in the visual editor
       Changeset 41436
     - CVE-2017-14719
       Path traversal vulnerability in the file unzipping code
       Changeset 41459
     - CVE-2017-14721
       Cross-site scripting (XSS) vulnerability in the plugin editor
       Changeset 41413
     - CVE-2017-14725
       Open redirect in the user and term edit screens
       Changeset 41418
     - CVE-2017-14722
       Path traversal vulnerability in the customizer
       Changeset 41430
     - CVE-2017-14720
       Cross-site scripting (XSS) vulnerability in template names
       Changeset 41413 (same as plugin editor)
     - CVE-2017-14718
       Cross-site scripting (XSS) vulnerability in the link modal
   * Hash user activation key Closes: #877629
     Fixes CVE-2017-14990

wordpress (4.7.5+dfsg-2+deb9u1~bpo8+1) jessie-backports; urgency=medium
 .
   * Rebuild stretch version for jessie-backports.
   * Fixes security issues, see 4.7.5+dfsg-2+deb9u1 entry
 .
 wordpress (4.7.5+dfsg-2+deb9u1) stretch-security; urgency=medium
 .
   * Backport patches from 4.8.2 Closes: #876274
     - CVE-2017-14723
       $wpdb->prepare() can create unexpected and unsafe queries leading to
       potential SQL injection (SQLi)
       Changeset 41472, 41498
     - CVE-2017-14724
       Cross-site scripting (XSS) vulnerability in the oEmbed discovery
       Changeset 41451
     - CVE-2017-14726
       Cross-site scripting (XSS) vulnerability in the visual editor
       Changeset 41436
     - CVE-2017-14719
       Path traversal vulnerability in the file unzipping code
       Changeset 41459
     - CVE-2017-14721
       Cross-site scripting (XSS) vulnerability in the plugin editor
       Changeset 41413
     - CVE-2017-14725
       Open redirect in the user and term edit screens
       Changeset 41418
     - CVE-2017-14722
       Path traversal vulnerability in the customizer
       Changeset 41430
     - CVE-2017-14720
       Cross-site scripting (XSS) vulnerability in template names
       Changeset 41413 (same as plugin editor)
     - CVE-2017-14718
       Cross-site scripting (XSS) vulnerability in the link modal
   * Hash user activation key Closes: #877629
     Fixes CVE-2017-14990

wpa (2:2.4-1+deb9u1) stretch-security; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * Fix multiple issues in WPA protocol (CVE-2017-13077, CVE-2017-13078,
     CVE-2017-13079, CVE-2017-13080, CVE-2017-13081, CVE-2017-13082,
     CVE-2017-13086, CVE-2017-13087, CVE-2017-13088):
     - hostapd: Avoid key reinstallation in FT handshake
     - Prevent reinstallation of an already in-use group key
     - Extend protection of GTK/IGTK reinstallation of
     - Fix TK configuration to the driver in EAPOL-Key 3/4
     - Prevent installation of an all-zero TK
     - Fix PTK rekeying to generate a new ANonce
     - TDLS: Reject TPK-TK reconfiguration
     - WNM: Ignore WNM-Sleep Mode Response if WNM-Sleep Mode
     - WNM: Ignore WNM-Sleep Mode Response without pending
     - FT: Do not allow multiple Reassociation Response frames
     - TDLS: Ignore incoming TDLS Setup Response retries

xen (4.8.2+xsa245-0+deb9u1) stretch-security; urgency=high
 .
   * Update to upstream stable 4.8 branch, which is currently at Xen 4.8.2
     plus a number of bugfixes and security fixes.
     Result is that we now include security fixes for:
       XSA-231 CVE-2017-14316
       XSA-232 CVE-2017-14318
       XSA-233 CVE-2017-14317
       XSA-234 CVE-2017-14319
       (235 already included in 4.8.1-1+deb9u3)
       XSA-236 CVE-2017-15597
       XSA-237 CVE-2017-15590
       XSA-238 (no CVE yet)
       XSA-239 CVE-2017-15589
       XSA-240 CVE-2017-15595
       XSA-241 CVE-2017-15588
       XSA-242 CVE-2017-15593
       XSA-243 CVE-2017-15592
       XSA-244 CVE-2017-15594
       XSA-245 (no CVE yet)
     and a number of upstream functionality fixes, which are not easily
     disentangled from the security fixes.
   * Apply two more security fixes:
       XSA-246 (no CVE yet)
       XSA-247 (no CVE yet)
xml2 (0.4-3.1+deb9u1) stretch; urgency=medium
 .
   * QA upload.
   * Set maintainer to Debian QA Group.
   * Backport patch to fix corruption when dealing with UTF-8 files.
     (Closes: #506805; Closes: #698072)
   * Backport patch to fix usage string for 2csv tool. (Closes: #506788)
xorg-server (2:1.19.2-1+deb9u2) stretch-security; urgency=high
 .
   * Unvalidated extra length in ProcEstablishConnection (CVE-2017-12176)
   * dbe: Unvalidated variable-length request in ProcDbeGetVisualInfo
     (CVE-2017-12177)
   * Xi: fix wrong extra length check in ProcXIChangeHierarchy (CVE-2017-12178)
   * Xi: integer overflow and unvalidated length in
     (S)ProcXIBarrierReleasePointer (CVE-2017-12179)
   * Unvalidated lengths in
     - XFree86-VidModeExtension (CVE-2017-12180)
     - XFree86-DGA (CVE-2017-12181)
     - XFree86-DRI (CVE-2017-12182)
     - XFIXES (CVE-2017-12183)
     - XINERAMA (CVE-2017-12184)
     - MIT-SCREEN-SAVER (CVE-2017-12185)
     - X-Resource (CVE-2017-12186)
     - RENDER (CVE-2017-12187)
   * os: Make sure big requests have sufficient length.
   * Xext/shm: Validate shmseg resource id (CVE-2017-13721)
   * xkb: Handle xkb formatted string output safely (CVE-2017-13723)
   * xkb: Escape non-printable characters correctly.
   * render: Fix out of boundary heap access
xrdp (0.9.1-9+deb9u1) stretch; urgency=medium
 .
   * Fix high CPU load on SSL shutdown.
     (Closes: #876976)
     + xrdp could in some situations cause permanent high load on a system
       if an SSL shutdown got into an endless loop.
yadifa (2.2.3-1+deb9u1) stretch-security; urgency=medium
 .
   * Fixes an issue where a maliciously crafted message may block the server.
     Closes: #876315, CVE-2017-14339
   * Update build dependency for debhelper.

======================================
Sat, 07 Oct 2017 - Debian 9.2 released
======================================
=========================================================================
[Date: Sat, 07 Oct 2017 08:28:33 +0000] [ftpmaster: Archive Administrator]
Removed the following packages from stable:

clapack | 3.2.1+dfsg-1 | source
libcblas-dev | 3.2.1+dfsg-1 | amd64, arm64, armel, armhf, mips, mips64el, mipsel, ppc64el, s390x
libcblas3 | 3.2.1+dfsg-1 | amd64, arm64, armel, armhf, mips, mips64el, mipsel, ppc64el, s390x
libclapack-dev | 3.2.1+dfsg-1 | amd64, arm64, armel, armhf, mips, mips64el, mipsel, ppc64el, s390x
libclapack3 | 3.2.1+dfsg-1 | amd64, arm64, armel, armhf, mips, mips64el, mipsel, ppc64el, s390x
libctmg-dev | 3.2.1+dfsg-1 | amd64, arm64, armel, armhf, mips, mips64el, mipsel, ppc64el, s390x
libctmg3 | 3.2.1+dfsg-1 | amd64, arm64, armel, armhf, mips, mips64el, mipsel, ppc64el, s390x
Closed bugs: 875565

------------------- Reason -------------------
outdated and unmaintained fork of lapack
----------------------------------------------
=========================================================================
=========================================================================
[Date: Sat, 07 Oct 2017 08:42:28 +0000] [ftpmaster: Ansgar Burchardt]
Removed the following packages from stable:

btrfs-modules-4.9.0-3-s390x-di | 4.9.30-2+deb9u3 | s390x
crc-modules-4.9.0-3-s390x-di | 4.9.30-2+deb9u3 | s390x
crypto-dm-modules-4.9.0-3-s390x-di | 4.9.30-2+deb9u3 | s390x
crypto-modules-4.9.0-3-s390x-di | 4.9.30-2+deb9u3 | s390x
dasd-extra-modules-4.9.0-3-s390x-di | 4.9.30-2+deb9u3 | s390x
dasd-modules-4.9.0-3-s390x-di | 4.9.30-2+deb9u3 | s390x
ext4-modules-4.9.0-3-s390x-di | 4.9.30-2+deb9u3 | s390x
fat-modules-4.9.0-3-s390x-di | 4.9.30-2+deb9u3 | s390x
fuse-modules-4.9.0-3-s390x-di | 4.9.30-2+deb9u3 | s390x
isofs-modules-4.9.0-3-s390x-di | 4.9.30-2+deb9u3 | s390x
kernel-image-4.9.0-3-s390x-di | 4.9.30-2+deb9u3 | s390x
linux-headers-4.9.0-3-all-s390x | 4.9.30-2+deb9u3 | s390x
linux-headers-4.9.0-3-s390x | 4.9.30-2+deb9u3 | s390x
linux-image-4.9.0-3-s390x | 4.9.30-2+deb9u3 | s390x
linux-image-4.9.0-3-s390x-dbg | 4.9.30-2+deb9u3 | s390x
loop-modules-4.9.0-3-s390x-di | 4.9.30-2+deb9u3 | s390x
md-modules-4.9.0-3-s390x-di | 4.9.30-2+deb9u3 | s390x
multipath-modules-4.9.0-3-s390x-di | 4.9.30-2+deb9u3 | s390x
nbd-modules-4.9.0-3-s390x-di | 4.9.30-2+deb9u3 | s390x
nic-modules-4.9.0-3-s390x-di | 4.9.30-2+deb9u3 | s390x
scsi-core-modules-4.9.0-3-s390x-di | 4.9.30-2+deb9u3 | s390x
scsi-modules-4.9.0-3-s390x-di | 4.9.30-2+deb9u3 | s390x
udf-modules-4.9.0-3-s390x-di | 4.9.30-2+deb9u3 | s390x
virtio-modules-4.9.0-3-s390x-di | 4.9.30-2+deb9u3 | s390x
xfs-modules-4.9.0-3-s390x-di | 4.9.30-2+deb9u3 | s390x
zlib-modules-4.9.0-3-s390x-di | 4.9.30-2+deb9u3 | s390x

------------------- Reason -------------------
[auto-cruft] NBS (no longer built by linux)
----------------------------------------------
=========================================================================
=========================================================================
[Date: Sat, 07 Oct 2017 08:42:53 +0000] [ftpmaster: Ansgar Burchardt]
Removed the following packages from stable:

acpi-modules-4.9.0-3-amd64-di | 4.9.30-2+deb9u3 | amd64
ata-modules-4.9.0-3-amd64-di | 4.9.30-2+deb9u3 | amd64
btrfs-modules-4.9.0-3-amd64-di | 4.9.30-2+deb9u3 | amd64
cdrom-core-modules-4.9.0-3-amd64-di | 4.9.30-2+deb9u3 | amd64
crc-modules-4.9.0-3-amd64-di | 4.9.30-2+deb9u3 | amd64
crypto-dm-modules-4.9.0-3-amd64-di | 4.9.30-2+deb9u3 | amd64
crypto-modules-4.9.0-3-amd64-di | 4.9.30-2+deb9u3 | amd64
efi-modules-4.9.0-3-amd64-di | 4.9.30-2+deb9u3 | amd64
event-modules-4.9.0-3-amd64-di | 4.9.30-2+deb9u3 | amd64
ext4-modules-4.9.0-3-amd64-di | 4.9.30-2+deb9u3 | amd64
fat-modules-4.9.0-3-amd64-di | 4.9.30-2+deb9u3 | amd64
fb-modules-4.9.0-3-amd64-di | 4.9.30-2+deb9u3 | amd64
firewire-core-modules-4.9.0-3-amd64-di | 4.9.30-2+deb9u3 | amd64
fuse-modules-4.9.0-3-amd64-di | 4.9.30-2+deb9u3 | amd64
hyperv-modules-4.9.0-3-amd64-di | 4.9.30-2+deb9u3 | amd64
i2c-modules-4.9.0-3-amd64-di | 4.9.30-2+deb9u3 | amd64
input-modules-4.9.0-3-amd64-di | 4.9.30-2+deb9u3 | amd64
isofs-modules-4.9.0-3-amd64-di | 4.9.30-2+deb9u3 | amd64
jfs-modules-4.9.0-3-amd64-di | 4.9.30-2+deb9u3 | amd64
kernel-image-4.9.0-3-amd64-di | 4.9.30-2+deb9u3 | amd64
linux-headers-4.9.0-3-all-amd64 | 4.9.30-2+deb9u3 | amd64
linux-headers-4.9.0-3-amd64 | 4.9.30-2+deb9u3 | amd64
linux-headers-4.9.0-3-rt-amd64 | 4.9.30-2+deb9u3 | amd64
linux-image-4.9.0-3-amd64 | 4.9.30-2+deb9u3 | amd64
linux-image-4.9.0-3-amd64-dbg | 4.9.30-2+deb9u3 | amd64
linux-image-4.9.0-3-rt-amd64 | 4.9.30-2+deb9u3 | amd64
linux-image-4.9.0-3-rt-amd64-dbg | 4.9.30-2+deb9u3 | amd64
loop-modules-4.9.0-3-amd64-di | 4.9.30-2+deb9u3 | amd64
md-modules-4.9.0-3-amd64-di | 4.9.30-2+deb9u3 | amd64
mmc-core-modules-4.9.0-3-amd64-di | 4.9.30-2+deb9u3 | amd64
mmc-modules-4.9.0-3-amd64-di | 4.9.30-2+deb9u3 | amd64
mouse-modules-4.9.0-3-amd64-di | 4.9.30-2+deb9u3 | amd64
multipath-modules-4.9.0-3-amd64-di | 4.9.30-2+deb9u3 | amd64
nbd-modules-4.9.0-3-amd64-di | 4.9.30-2+deb9u3 | amd64
nic-modules-4.9.0-3-amd64-di | 4.9.30-2+deb9u3 | amd64
nic-pcmcia-modules-4.9.0-3-amd64-di | 4.9.30-2+deb9u3 | amd64
nic-shared-modules-4.9.0-3-amd64-di | 4.9.30-2+deb9u3 | amd64
nic-usb-modules-4.9.0-3-amd64-di | 4.9.30-2+deb9u3 | amd64
nic-wireless-modules-4.9.0-3-amd64-di | 4.9.30-2+deb9u3 | amd64
ntfs-modules-4.9.0-3-amd64-di | 4.9.30-2+deb9u3 | amd64
pata-modules-4.9.0-3-amd64-di | 4.9.30-2+deb9u3 | amd64
pcmcia-modules-4.9.0-3-amd64-di | 4.9.30-2+deb9u3 | amd64
pcmcia-storage-modules-4.9.0-3-amd64-di | 4.9.30-2+deb9u3 | amd64
ppp-modules-4.9.0-3-amd64-di | 4.9.30-2+deb9u3 | amd64
sata-modules-4.9.0-3-amd64-di | 4.9.30-2+deb9u3 | amd64
scsi-core-modules-4.9.0-3-amd64-di | 4.9.30-2+deb9u3 | amd64
scsi-modules-4.9.0-3-amd64-di | 4.9.30-2+deb9u3 | amd64
serial-modules-4.9.0-3-amd64-di | 4.9.30-2+deb9u3 | amd64
sound-modules-4.9.0-3-amd64-di | 4.9.30-2+deb9u3 | amd64
speakup-modules-4.9.0-3-amd64-di | 4.9.30-2+deb9u3 | amd64
squashfs-modules-4.9.0-3-amd64-di | 4.9.30-2+deb9u3 | amd64
udf-modules-4.9.0-3-amd64-di | 4.9.30-2+deb9u3 | amd64
uinput-modules-4.9.0-3-amd64-di | 4.9.30-2+deb9u3 | amd64
usb-modules-4.9.0-3-amd64-di | 4.9.30-2+deb9u3 | amd64
usb-serial-modules-4.9.0-3-amd64-di | 4.9.30-2+deb9u3 | amd64
usb-storage-modules-4.9.0-3-amd64-di | 4.9.30-2+deb9u3 | amd64
virtio-modules-4.9.0-3-amd64-di | 4.9.30-2+deb9u3 | amd64
xfs-modules-4.9.0-3-amd64-di | 4.9.30-2+deb9u3 | amd64

------------------- Reason -------------------
[auto-cruft] NBS (no longer built by linux)
----------------------------------------------
=========================================================================
=========================================================================
[Date: Sat, 07 Oct 2017 08:43:38 +0000] [ftpmaster: Ansgar Burchardt]
Removed the following packages from stable:

ata-modules-4.9.0-3-powerpc64le-di | 4.9.30-2+deb9u3 | ppc64el
btrfs-modules-4.9.0-3-powerpc64le-di | 4.9.30-2+deb9u3 | ppc64el
cdrom-core-modules-4.9.0-3-powerpc64le-di | 4.9.30-2+deb9u3 | ppc64el
crc-modules-4.9.0-3-powerpc64le-di | 4.9.30-2+deb9u3 | ppc64el
crypto-dm-modules-4.9.0-3-powerpc64le-di | 4.9.30-2+deb9u3 | ppc64el
crypto-modules-4.9.0-3-powerpc64le-di | 4.9.30-2+deb9u3 | ppc64el
event-modules-4.9.0-3-powerpc64le-di | 4.9.30-2+deb9u3 | ppc64el
ext4-modules-4.9.0-3-powerpc64le-di | 4.9.30-2+deb9u3 | ppc64el
fancontrol-modules-4.9.0-3-powerpc64le-di | 4.9.30-2+deb9u3 | ppc64el
fat-modules-4.9.0-3-powerpc64le-di | 4.9.30-2+deb9u3 | ppc64el
firewire-core-modules-4.9.0-3-powerpc64le-di | 4.9.30-2+deb9u3 | ppc64el
fuse-modules-4.9.0-3-powerpc64le-di | 4.9.30-2+deb9u3 | ppc64el
hypervisor-modules-4.9.0-3-powerpc64le-di | 4.9.30-2+deb9u3 | ppc64el
input-modules-4.9.0-3-powerpc64le-di | 4.9.30-2+deb9u3 | ppc64el
isofs-modules-4.9.0-3-powerpc64le-di | 4.9.30-2+deb9u3 | ppc64el
jfs-modules-4.9.0-3-powerpc64le-di | 4.9.30-2+deb9u3 | ppc64el
kernel-image-4.9.0-3-powerpc64le-di | 4.9.30-2+deb9u3 | ppc64el
linux-headers-4.9.0-3-all-ppc64el | 4.9.30-2+deb9u3 | ppc64el
linux-headers-4.9.0-3-powerpc64le | 4.9.30-2+deb9u3 | ppc64el
linux-image-4.9.0-3-powerpc64le | 4.9.30-2+deb9u3 | ppc64el
linux-image-4.9.0-3-powerpc64le-dbg | 4.9.30-2+deb9u3 | ppc64el
loop-modules-4.9.0-3-powerpc64le-di | 4.9.30-2+deb9u3 | ppc64el
md-modules-4.9.0-3-powerpc64le-di | 4.9.30-2+deb9u3 | ppc64el
mouse-modules-4.9.0-3-powerpc64le-di | 4.9.30-2+deb9u3 | ppc64el
multipath-modules-4.9.0-3-powerpc64le-di | 4.9.30-2+deb9u3 | ppc64el
nbd-modules-4.9.0-3-powerpc64le-di | 4.9.30-2+deb9u3 | ppc64el
nic-modules-4.9.0-3-powerpc64le-di | 4.9.30-2+deb9u3 | ppc64el
nic-shared-modules-4.9.0-3-powerpc64le-di | 4.9.30-2+deb9u3 | ppc64el
ppp-modules-4.9.0-3-powerpc64le-di | 4.9.30-2+deb9u3 | ppc64el
sata-modules-4.9.0-3-powerpc64le-di | 4.9.30-2+deb9u3 | ppc64el
scsi-core-modules-4.9.0-3-powerpc64le-di | 4.9.30-2+deb9u3 | ppc64el
scsi-modules-4.9.0-3-powerpc64le-di | 4.9.30-2+deb9u3 | ppc64el
serial-modules-4.9.0-3-powerpc64le-di | 4.9.30-2+deb9u3 | ppc64el
squashfs-modules-4.9.0-3-powerpc64le-di | 4.9.30-2+deb9u3 | ppc64el
udf-modules-4.9.0-3-powerpc64le-di | 4.9.30-2+deb9u3 | ppc64el
uinput-modules-4.9.0-3-powerpc64le-di | 4.9.30-2+deb9u3 | ppc64el
usb-modules-4.9.0-3-powerpc64le-di | 4.9.30-2+deb9u3 | ppc64el
usb-serial-modules-4.9.0-3-powerpc64le-di | 4.9.30-2+deb9u3 | ppc64el
usb-storage-modules-4.9.0-3-powerpc64le-di | 4.9.30-2+deb9u3 | ppc64el
virtio-modules-4.9.0-3-powerpc64le-di | 4.9.30-2+deb9u3 | ppc64el
xfs-modules-4.9.0-3-powerpc64le-di | 4.9.30-2+deb9u3 | ppc64el

------------------- Reason -------------------
[auto-cruft] NBS (no longer built by linux)
----------------------------------------------
=========================================================================
=========================================================================
[Date: Sat, 07 Oct 2017 08:43:53 +0000] [ftpmaster: Ansgar Burchardt]
Removed the following packages from stable:

linux-headers-4.9.0-3-all-mipsel | 4.9.30-2+deb9u3 | mipsel

------------------- Reason -------------------
[auto-cruft] NBS (no longer built by linux)
----------------------------------------------
=========================================================================
=========================================================================
[Date: Sat, 07 Oct 2017 08:44:12 +0000] [ftpmaster: Ansgar Burchardt]
Removed the following packages from stable:

affs-modules-4.9.0-3-loongson-3-di | 4.9.30-2+deb9u3 | mips64el, mipsel
ata-modules-4.9.0-3-loongson-3-di | 4.9.30-2+deb9u3 | mips64el, mipsel
btrfs-modules-4.9.0-3-loongson-3-di | 4.9.30-2+deb9u3 | mips64el, mipsel
cdrom-core-modules-4.9.0-3-loongson-3-di | 4.9.30-2+deb9u3 | mips64el, mipsel
crc-modules-4.9.0-3-loongson-3-di | 4.9.30-2+deb9u3 | mips64el, mipsel
crypto-dm-modules-4.9.0-3-loongson-3-di | 4.9.30-2+deb9u3 | mips64el, mipsel
crypto-modules-4.9.0-3-loongson-3-di | 4.9.30-2+deb9u3 | mips64el, mipsel
event-modules-4.9.0-3-loongson-3-di | 4.9.30-2+deb9u3 | mips64el, mipsel
ext4-modules-4.9.0-3-loongson-3-di | 4.9.30-2+deb9u3 | mips64el, mipsel
fat-modules-4.9.0-3-loongson-3-di | 4.9.30-2+deb9u3 | mips64el, mipsel
fb-modules-4.9.0-3-loongson-3-di | 4.9.30-2+deb9u3 | mips64el, mipsel
firewire-core-modules-4.9.0-3-loongson-3-di | 4.9.30-2+deb9u3 | mips64el, mipsel
fuse-modules-4.9.0-3-loongson-3-di | 4.9.30-2+deb9u3 | mips64el, mipsel
hfs-modules-4.9.0-3-loongson-3-di | 4.9.30-2+deb9u3 | mips64el, mipsel
input-modules-4.9.0-3-loongson-3-di | 4.9.30-2+deb9u3 | mips64el, mipsel
isofs-modules-4.9.0-3-loongson-3-di | 4.9.30-2+deb9u3 | mips64el, mipsel
jfs-modules-4.9.0-3-loongson-3-di | 4.9.30-2+deb9u3 | mips64el, mipsel
kernel-image-4.9.0-3-loongson-3-di | 4.9.30-2+deb9u3 | mips64el, mipsel
linux-headers-4.9.0-3-loongson-3 | 4.9.30-2+deb9u3 | mips64el, mipsel
linux-image-4.9.0-3-loongson-3 | 4.9.30-2+deb9u3 | mips64el, mipsel
linux-image-4.9.0-3-loongson-3-dbg | 4.9.30-2+deb9u3 | mips64el, mipsel
loop-modules-4.9.0-3-loongson-3-di | 4.9.30-2+deb9u3 | mips64el, mipsel
md-modules-4.9.0-3-loongson-3-di | 4.9.30-2+deb9u3 | mips64el, mipsel
minix-modules-4.9.0-3-loongson-3-di | 4.9.30-2+deb9u3 | mips64el, mipsel
multipath-modules-4.9.0-3-loongson-3-di | 4.9.30-2+deb9u3 | mips64el, mipsel
nbd-modules-4.9.0-3-loongson-3-di | 4.9.30-2+deb9u3 | mips64el, mipsel
nfs-modules-4.9.0-3-loongson-3-di | 4.9.30-2+deb9u3 | mips64el, mipsel
nic-modules-4.9.0-3-loongson-3-di | 4.9.30-2+deb9u3 | mips64el, mipsel
nic-shared-modules-4.9.0-3-loongson-3-di | 4.9.30-2+deb9u3 | mips64el, mipsel
nic-usb-modules-4.9.0-3-loongson-3-di | 4.9.30-2+deb9u3 | mips64el, mipsel
nic-wireless-modules-4.9.0-3-loongson-3-di | 4.9.30-2+deb9u3 | mips64el, mipsel
ntfs-modules-4.9.0-3-loongson-3-di | 4.9.30-2+deb9u3 | mips64el, mipsel
pata-modules-4.9.0-3-loongson-3-di | 4.9.30-2+deb9u3 | mips64el, mipsel
ppp-modules-4.9.0-3-loongson-3-di | 4.9.30-2+deb9u3 | mips64el, mipsel
sata-modules-4.9.0-3-loongson-3-di | 4.9.30-2+deb9u3 | mips64el, mipsel
scsi-core-modules-4.9.0-3-loongson-3-di | 4.9.30-2+deb9u3 | mips64el, mipsel
scsi-modules-4.9.0-3-loongson-3-di | 4.9.30-2+deb9u3 | mips64el, mipsel
sound-modules-4.9.0-3-loongson-3-di | 4.9.30-2+deb9u3 | mips64el, mipsel
speakup-modules-4.9.0-3-loongson-3-di | 4.9.30-2+deb9u3 | mips64el, mipsel
squashfs-modules-4.9.0-3-loongson-3-di | 4.9.30-2+deb9u3 | mips64el, mipsel
udf-modules-4.9.0-3-loongson-3-di | 4.9.30-2+deb9u3 | mips64el, mipsel
usb-modules-4.9.0-3-loongson-3-di | 4.9.30-2+deb9u3 | mips64el, mipsel
usb-serial-modules-4.9.0-3-loongson-3-di | 4.9.30-2+deb9u3 | mips64el, mipsel
usb-storage-modules-4.9.0-3-loongson-3-di | 4.9.30-2+deb9u3 | mips64el, mipsel
virtio-modules-4.9.0-3-loongson-3-di | 4.9.30-2+deb9u3 | mips64el, mipsel
xfs-modules-4.9.0-3-loongson-3-di | 4.9.30-2+deb9u3 | mips64el, mipsel
zlib-modules-4.9.0-3-loongson-3-di | 4.9.30-2+deb9u3 | mips64el, mipsel

------------------- Reason -------------------
[auto-cruft] NBS (no longer built by linux)
----------------------------------------------
=========================================================================
=========================================================================
[Date: Sat, 07 Oct 2017 08:44:36 +0000] [ftpmaster: Ansgar Burchardt]
Removed the following packages from stable:

affs-modules-4.9.0-3-5kc-malta-di | 4.9.30-2+deb9u3 | mips64el
ata-modules-4.9.0-3-5kc-malta-di | 4.9.30-2+deb9u3 | mips64el
btrfs-modules-4.9.0-3-5kc-malta-di | 4.9.30-2+deb9u3 | mips64el
cdrom-core-modules-4.9.0-3-5kc-malta-di | 4.9.30-2+deb9u3 | mips64el
crc-modules-4.9.0-3-5kc-malta-di | 4.9.30-2+deb9u3 | mips64el
crypto-dm-modules-4.9.0-3-5kc-malta-di | 4.9.30-2+deb9u3 | mips64el
crypto-modules-4.9.0-3-5kc-malta-di | 4.9.30-2+deb9u3 | mips64el
event-modules-4.9.0-3-5kc-malta-di | 4.9.30-2+deb9u3 | mips64el
ext4-modules-4.9.0-3-5kc-malta-di | 4.9.30-2+deb9u3 | mips64el
fat-modules-4.9.0-3-5kc-malta-di | 4.9.30-2+deb9u3 | mips64el
fuse-modules-4.9.0-3-5kc-malta-di | 4.9.30-2+deb9u3 | mips64el
hfs-modules-4.9.0-3-5kc-malta-di | 4.9.30-2+deb9u3 | mips64el
i2c-modules-4.9.0-3-5kc-malta-di | 4.9.30-2+deb9u3 | mips64el
input-modules-4.9.0-3-5kc-malta-di | 4.9.30-2+deb9u3 | mips64el
isofs-modules-4.9.0-3-5kc-malta-di | 4.9.30-2+deb9u3 | mips64el
jfs-modules-4.9.0-3-5kc-malta-di | 4.9.30-2+deb9u3 | mips64el
kernel-image-4.9.0-3-5kc-malta-di | 4.9.30-2+deb9u3 | mips64el
linux-headers-4.9.0-3-all-mips64el | 4.9.30-2+deb9u3 | mips64el
loop-modules-4.9.0-3-5kc-malta-di | 4.9.30-2+deb9u3 | mips64el
md-modules-4.9.0-3-5kc-malta-di | 4.9.30-2+deb9u3 | mips64el
minix-modules-4.9.0-3-5kc-malta-di | 4.9.30-2+deb9u3 | mips64el
mmc-core-modules-4.9.0-3-5kc-malta-di | 4.9.30-2+deb9u3 | mips64el
mmc-modules-4.9.0-3-5kc-malta-di | 4.9.30-2+deb9u3 | mips64el
mouse-modules-4.9.0-3-5kc-malta-di | 4.9.30-2+deb9u3 | mips64el
multipath-modules-4.9.0-3-5kc-malta-di | 4.9.30-2+deb9u3 | mips64el
nbd-modules-4.9.0-3-5kc-malta-di | 4.9.30-2+deb9u3 | mips64el
nic-modules-4.9.0-3-5kc-malta-di | 4.9.30-2+deb9u3 | mips64el
nic-shared-modules-4.9.0-3-5kc-malta-di | 4.9.30-2+deb9u3 | mips64el
nic-usb-modules-4.9.0-3-5kc-malta-di | 4.9.30-2+deb9u3 | mips64el
nic-wireless-modules-4.9.0-3-5kc-malta-di | 4.9.30-2+deb9u3 | mips64el
ntfs-modules-4.9.0-3-5kc-malta-di | 4.9.30-2+deb9u3 | mips64el
pata-modules-4.9.0-3-5kc-malta-di | 4.9.30-2+deb9u3 | mips64el
ppp-modules-4.9.0-3-5kc-malta-di | 4.9.30-2+deb9u3 | mips64el
sata-modules-4.9.0-3-5kc-malta-di | 4.9.30-2+deb9u3 | mips64el
scsi-core-modules-4.9.0-3-5kc-malta-di | 4.9.30-2+deb9u3 | mips64el
scsi-modules-4.9.0-3-5kc-malta-di | 4.9.30-2+deb9u3 | mips64el
sound-modules-4.9.0-3-5kc-malta-di | 4.9.30-2+deb9u3 | mips64el
squashfs-modules-4.9.0-3-5kc-malta-di | 4.9.30-2+deb9u3 | mips64el
udf-modules-4.9.0-3-5kc-malta-di | 4.9.30-2+deb9u3 | mips64el
usb-modules-4.9.0-3-5kc-malta-di | 4.9.30-2+deb9u3 | mips64el
usb-serial-modules-4.9.0-3-5kc-malta-di | 4.9.30-2+deb9u3 | mips64el
usb-storage-modules-4.9.0-3-5kc-malta-di | 4.9.30-2+deb9u3 | mips64el
virtio-modules-4.9.0-3-5kc-malta-di | 4.9.30-2+deb9u3 | mips64el
xfs-modules-4.9.0-3-5kc-malta-di | 4.9.30-2+deb9u3 | mips64el
zlib-modules-4.9.0-3-5kc-malta-di | 4.9.30-2+deb9u3 | mips64el

------------------- Reason -------------------
[auto-cruft] NBS (no longer built by linux)
----------------------------------------------
=========================================================================
=========================================================================
[Date: Sat, 07 Oct 2017 08:45:01 +0000] [ftpmaster: Ansgar Burchardt]
Removed the following packages from stable:

affs-modules-4.9.0-3-4kc-malta-di | 4.9.30-2+deb9u3 | mips, mipsel
ata-modules-4.9.0-3-4kc-malta-di | 4.9.30-2+deb9u3 | mips, mipsel
btrfs-modules-4.9.0-3-4kc-malta-di | 4.9.30-2+deb9u3 | mips, mipsel
cdrom-core-modules-4.9.0-3-4kc-malta-di | 4.9.30-2+deb9u3 | mips, mipsel
crc-modules-4.9.0-3-4kc-malta-di | 4.9.30-2+deb9u3 | mips, mipsel
crypto-dm-modules-4.9.0-3-4kc-malta-di | 4.9.30-2+deb9u3 | mips, mipsel
crypto-modules-4.9.0-3-4kc-malta-di | 4.9.30-2+deb9u3 | mips, mipsel
event-modules-4.9.0-3-4kc-malta-di | 4.9.30-2+deb9u3 | mips, mipsel
ext4-modules-4.9.0-3-4kc-malta-di | 4.9.30-2+deb9u3 | mips, mipsel
fat-modules-4.9.0-3-4kc-malta-di | 4.9.30-2+deb9u3 | mips, mipsel
fuse-modules-4.9.0-3-4kc-malta-di | 4.9.30-2+deb9u3 | mips, mipsel
hfs-modules-4.9.0-3-4kc-malta-di | 4.9.30-2+deb9u3 | mips, mipsel
i2c-modules-4.9.0-3-4kc-malta-di | 4.9.30-2+deb9u3 | mips, mipsel
input-modules-4.9.0-3-4kc-malta-di | 4.9.30-2+deb9u3 | mips, mipsel
isofs-modules-4.9.0-3-4kc-malta-di | 4.9.30-2+deb9u3 | mips, mipsel
jfs-modules-4.9.0-3-4kc-malta-di | 4.9.30-2+deb9u3 | mips, mipsel
kernel-image-4.9.0-3-4kc-malta-di | 4.9.30-2+deb9u3 | mips, mipsel
linux-headers-4.9.0-3-4kc-malta | 4.9.30-2+deb9u3 | mips, mipsel
linux-image-4.9.0-3-4kc-malta | 4.9.30-2+deb9u3 | mips, mipsel
linux-image-4.9.0-3-4kc-malta-dbg | 4.9.30-2+deb9u3 | mips, mipsel
loop-modules-4.9.0-3-4kc-malta-di | 4.9.30-2+deb9u3 | mips, mipsel
md-modules-4.9.0-3-4kc-malta-di | 4.9.30-2+deb9u3 | mips, mipsel
minix-modules-4.9.0-3-4kc-malta-di | 4.9.30-2+deb9u3 | mips, mipsel
mmc-core-modules-4.9.0-3-4kc-malta-di | 4.9.30-2+deb9u3 | mips, mipsel
mmc-modules-4.9.0-3-4kc-malta-di | 4.9.30-2+deb9u3 | mips, mipsel
mouse-modules-4.9.0-3-4kc-malta-di | 4.9.30-2+deb9u3 | mips, mipsel
multipath-modules-4.9.0-3-4kc-malta-di | 4.9.30-2+deb9u3 | mips, mipsel
nbd-modules-4.9.0-3-4kc-malta-di | 4.9.30-2+deb9u3 | mips, mipsel
nic-modules-4.9.0-3-4kc-malta-di | 4.9.30-2+deb9u3 | mips, mipsel
nic-shared-modules-4.9.0-3-4kc-malta-di | 4.9.30-2+deb9u3 | mips, mipsel
nic-usb-modules-4.9.0-3-4kc-malta-di | 4.9.30-2+deb9u3 | mips, mipsel
nic-wireless-modules-4.9.0-3-4kc-malta-di | 4.9.30-2+deb9u3 | mips, mipsel
ntfs-modules-4.9.0-3-4kc-malta-di | 4.9.30-2+deb9u3 | mips, mipsel
pata-modules-4.9.0-3-4kc-malta-di | 4.9.30-2+deb9u3 | mips, mipsel
ppp-modules-4.9.0-3-4kc-malta-di | 4.9.30-2+deb9u3 | mips, mipsel
sata-modules-4.9.0-3-4kc-malta-di | 4.9.30-2+deb9u3 | mips, mipsel
scsi-core-modules-4.9.0-3-4kc-malta-di | 4.9.30-2+deb9u3 | mips, mipsel
scsi-modules-4.9.0-3-4kc-malta-di | 4.9.30-2+deb9u3 | mips, mipsel
sound-modules-4.9.0-3-4kc-malta-di | 4.9.30-2+deb9u3 | mips, mipsel
squashfs-modules-4.9.0-3-4kc-malta-di | 4.9.30-2+deb9u3 | mips, mipsel
udf-modules-4.9.0-3-4kc-malta-di | 4.9.30-2+deb9u3 | mips, mipsel
usb-modules-4.9.0-3-4kc-malta-di | 4.9.30-2+deb9u3 | mips, mipsel
usb-serial-modules-4.9.0-3-4kc-malta-di | 4.9.30-2+deb9u3 | mips, mipsel
usb-storage-modules-4.9.0-3-4kc-malta-di | 4.9.30-2+deb9u3 | mips, mipsel
virtio-modules-4.9.0-3-4kc-malta-di | 4.9.30-2+deb9u3 | mips, mipsel
xfs-modules-4.9.0-3-4kc-malta-di | 4.9.30-2+deb9u3 | mips, mipsel
zlib-modules-4.9.0-3-4kc-malta-di | 4.9.30-2+deb9u3 | mips, mipsel

------------------- Reason -------------------
[auto-cruft] NBS (no longer built by linux)
----------------------------------------------
=========================================================================
=========================================================================
[Date: Sat, 07 Oct 2017 08:45:23 +0000] [ftpmaster: Ansgar Burchardt]
Removed the following packages from stable:

affs-modules-4.9.0-3-octeon-di | 4.9.30-2+deb9u3 | mips, mips64el, mipsel
btrfs-modules-4.9.0-3-octeon-di | 4.9.30-2+deb9u3 | mips, mips64el, mipsel
cdrom-core-modules-4.9.0-3-octeon-di | 4.9.30-2+deb9u3 | mips, mips64el, mipsel
crc-modules-4.9.0-3-octeon-di | 4.9.30-2+deb9u3 | mips, mips64el, mipsel
crypto-dm-modules-4.9.0-3-octeon-di | 4.9.30-2+deb9u3 | mips, mips64el, mipsel
crypto-modules-4.9.0-3-octeon-di | 4.9.30-2+deb9u3 | mips, mips64el, mipsel
event-modules-4.9.0-3-octeon-di | 4.9.30-2+deb9u3 | mips, mips64el, mipsel
ext4-modules-4.9.0-3-octeon-di | 4.9.30-2+deb9u3 | mips, mips64el, mipsel
fat-modules-4.9.0-3-octeon-di | 4.9.30-2+deb9u3 | mips, mips64el, mipsel
fuse-modules-4.9.0-3-octeon-di | 4.9.30-2+deb9u3 | mips, mips64el, mipsel
hfs-modules-4.9.0-3-octeon-di | 4.9.30-2+deb9u3 | mips, mips64el, mipsel
input-modules-4.9.0-3-octeon-di | 4.9.30-2+deb9u3 | mips, mips64el, mipsel
isofs-modules-4.9.0-3-octeon-di | 4.9.30-2+deb9u3 | mips, mips64el, mipsel
jfs-modules-4.9.0-3-octeon-di | 4.9.30-2+deb9u3 | mips, mips64el, mipsel
kernel-image-4.9.0-3-octeon-di | 4.9.30-2+deb9u3 | mips, mips64el, mipsel
linux-headers-4.9.0-3-5kc-malta | 4.9.30-2+deb9u3 | mips, mips64el, mipsel
linux-headers-4.9.0-3-octeon | 4.9.30-2+deb9u3 | mips, mips64el, mipsel
linux-image-4.9.0-3-5kc-malta | 4.9.30-2+deb9u3 | mips, mips64el, mipsel
linux-image-4.9.0-3-5kc-malta-dbg | 4.9.30-2+deb9u3 | mips, mips64el, mipsel
linux-image-4.9.0-3-octeon | 4.9.30-2+deb9u3 | mips, mips64el, mipsel
linux-image-4.9.0-3-octeon-dbg | 4.9.30-2+deb9u3 | mips, mips64el, mipsel
loop-modules-4.9.0-3-octeon-di | 4.9.30-2+deb9u3 | mips, mips64el, mipsel
md-modules-4.9.0-3-octeon-di | 4.9.30-2+deb9u3 | mips, mips64el, mipsel
minix-modules-4.9.0-3-octeon-di | 4.9.30-2+deb9u3 | mips, mips64el, mipsel
multipath-modules-4.9.0-3-octeon-di | 4.9.30-2+deb9u3 | mips, mips64el, mipsel
nbd-modules-4.9.0-3-octeon-di | 4.9.30-2+deb9u3 | mips, mips64el, mipsel
nic-modules-4.9.0-3-octeon-di | 4.9.30-2+deb9u3 | mips, mips64el, mipsel
nic-shared-modules-4.9.0-3-octeon-di | 4.9.30-2+deb9u3 | mips, mips64el, mipsel
nic-usb-modules-4.9.0-3-octeon-di | 4.9.30-2+deb9u3 | mips, mips64el, mipsel
nic-wireless-modules-4.9.0-3-octeon-di | 4.9.30-2+deb9u3 | mips, mips64el, mipsel
ntfs-modules-4.9.0-3-octeon-di | 4.9.30-2+deb9u3 | mips, mips64el, mipsel
pata-modules-4.9.0-3-octeon-di | 4.9.30-2+deb9u3 | mips, mips64el, mipsel
ppp-modules-4.9.0-3-octeon-di | 4.9.30-2+deb9u3 | mips, mips64el, mipsel
rtc-modules-4.9.0-3-octeon-di | 4.9.30-2+deb9u3 | mips, mips64el, mipsel
sata-modules-4.9.0-3-octeon-di | 4.9.30-2+deb9u3 | mips, mips64el, mipsel
scsi-core-modules-4.9.0-3-octeon-di | 4.9.30-2+deb9u3 | mips, mips64el, mipsel
scsi-modules-4.9.0-3-octeon-di | 4.9.30-2+deb9u3 | mips, mips64el, mipsel
sound-modules-4.9.0-3-octeon-di | 4.9.30-2+deb9u3 | mips, mips64el, mipsel
squashfs-modules-4.9.0-3-octeon-di | 4.9.30-2+deb9u3 | mips, mips64el, mipsel
udf-modules-4.9.0-3-octeon-di | 4.9.30-2+deb9u3 | mips, mips64el, mipsel
usb-modules-4.9.0-3-octeon-di | 4.9.30-2+deb9u3 | mips, mips64el, mipsel
usb-serial-modules-4.9.0-3-octeon-di | 4.9.30-2+deb9u3 | mips, mips64el, mipsel
usb-storage-modules-4.9.0-3-octeon-di | 4.9.30-2+deb9u3 | mips, mips64el, mipsel
virtio-modules-4.9.0-3-octeon-di | 4.9.30-2+deb9u3 | mips, mips64el, mipsel
xfs-modules-4.9.0-3-octeon-di | 4.9.30-2+deb9u3 | mips, mips64el, mipsel
zlib-modules-4.9.0-3-octeon-di | 4.9.30-2+deb9u3 | mips, mips64el, mipsel

------------------- Reason -------------------
[auto-cruft] NBS (no longer built by linux)
----------------------------------------------
=========================================================================
=========================================================================
[Date: Sat, 07 Oct 2017 08:45:45 +0000] [ftpmaster: Ansgar Burchardt]
Removed the following packages from stable:

linux-headers-4.9.0-3-all-mips | 4.9.30-2+deb9u3 | mips

------------------- Reason -------------------
[auto-cruft] NBS (no longer built by linux)
----------------------------------------------
=========================================================================
=========================================================================
[Date: Sat, 07 Oct 2017 08:46:25 +0000] [ftpmaster: Ansgar Burchardt]
Removed the following packages from stable:

acpi-modules-4.9.0-3-686-di | 4.9.30-2+deb9u3 | i386
acpi-modules-4.9.0-3-686-pae-di | 4.9.30-2+deb9u3 | i386
ata-modules-4.9.0-3-686-di | 4.9.30-2+deb9u3 | i386
ata-modules-4.9.0-3-686-pae-di | 4.9.30-2+deb9u3 | i386
btrfs-modules-4.9.0-3-686-di | 4.9.30-2+deb9u3 | i386
btrfs-modules-4.9.0-3-686-pae-di | 4.9.30-2+deb9u3 | i386
cdrom-core-modules-4.9.0-3-686-di | 4.9.30-2+deb9u3 | i386
cdrom-core-modules-4.9.0-3-686-pae-di | 4.9.30-2+deb9u3 | i386
crc-modules-4.9.0-3-686-di | 4.9.30-2+deb9u3 | i386
crc-modules-4.9.0-3-686-pae-di | 4.9.30-2+deb9u3 | i386
crypto-dm-modules-4.9.0-3-686-di | 4.9.30-2+deb9u3 | i386
crypto-dm-modules-4.9.0-3-686-pae-di | 4.9.30-2+deb9u3 | i386
crypto-modules-4.9.0-3-686-di | 4.9.30-2+deb9u3 | i386
crypto-modules-4.9.0-3-686-pae-di | 4.9.30-2+deb9u3 | i386
efi-modules-4.9.0-3-686-di | 4.9.30-2+deb9u3 | i386
efi-modules-4.9.0-3-686-pae-di | 4.9.30-2+deb9u3 | i386
event-modules-4.9.0-3-686-di | 4.9.30-2+deb9u3 | i386
event-modules-4.9.0-3-686-pae-di | 4.9.30-2+deb9u3 | i386
ext4-modules-4.9.0-3-686-di | 4.9.30-2+deb9u3 | i386
ext4-modules-4.9.0-3-686-pae-di | 4.9.30-2+deb9u3 | i386
fat-modules-4.9.0-3-686-di | 4.9.30-2+deb9u3 | i386
fat-modules-4.9.0-3-686-pae-di | 4.9.30-2+deb9u3 | i386
fb-modules-4.9.0-3-686-di | 4.9.30-2+deb9u3 | i386
fb-modules-4.9.0-3-686-pae-di | 4.9.30-2+deb9u3 | i386
firewire-core-modules-4.9.0-3-686-di | 4.9.30-2+deb9u3 | i386
firewire-core-modules-4.9.0-3-686-pae-di | 4.9.30-2+deb9u3 | i386
fuse-modules-4.9.0-3-686-di | 4.9.30-2+deb9u3 | i386
fuse-modules-4.9.0-3-686-pae-di | 4.9.30-2+deb9u3 | i386
hyperv-modules-4.9.0-3-686-di | 4.9.30-2+deb9u3 | i386
hyperv-modules-4.9.0-3-686-pae-di | 4.9.30-2+deb9u3 | i386
i2c-modules-4.9.0-3-686-di | 4.9.30-2+deb9u3 | i386
i2c-modules-4.9.0-3-686-pae-di | 4.9.30-2+deb9u3 | i386
input-modules-4.9.0-3-686-di | 4.9.30-2+deb9u3 | i386
input-modules-4.9.0-3-686-pae-di | 4.9.30-2+deb9u3 | i386
isofs-modules-4.9.0-3-686-di | 4.9.30-2+deb9u3 | i386
isofs-modules-4.9.0-3-686-pae-di | 4.9.30-2+deb9u3 | i386
jfs-modules-4.9.0-3-686-di | 4.9.30-2+deb9u3 | i386
jfs-modules-4.9.0-3-686-pae-di | 4.9.30-2+deb9u3 | i386
kernel-image-4.9.0-3-686-di | 4.9.30-2+deb9u3 | i386
kernel-image-4.9.0-3-686-pae-di | 4.9.30-2+deb9u3 | i386
linux-headers-4.9.0-3-686 | 4.9.30-2+deb9u3 | i386
linux-headers-4.9.0-3-686-pae | 4.9.30-2+deb9u3 | i386
linux-headers-4.9.0-3-all-i386 | 4.9.30-2+deb9u3 | i386
linux-headers-4.9.0-3-rt-686-pae | 4.9.30-2+deb9u3 | i386
linux-image-4.9.0-3-686 | 4.9.30-2+deb9u3 | i386
linux-image-4.9.0-3-686-dbg | 4.9.30-2+deb9u3 | i386
linux-image-4.9.0-3-686-pae | 4.9.30-2+deb9u3 | i386
linux-image-4.9.0-3-686-pae-dbg | 4.9.30-2+deb9u3 | i386
linux-image-4.9.0-3-rt-686-pae | 4.9.30-2+deb9u3 | i386
linux-image-4.9.0-3-rt-686-pae-dbg | 4.9.30-2+deb9u3 | i386
loop-modules-4.9.0-3-686-di | 4.9.30-2+deb9u3 | i386
loop-modules-4.9.0-3-686-pae-di | 4.9.30-2+deb9u3 | i386
md-modules-4.9.0-3-686-di | 4.9.30-2+deb9u3 | i386
md-modules-4.9.0-3-686-pae-di | 4.9.30-2+deb9u3 | i386
mmc-core-modules-4.9.0-3-686-di | 4.9.30-2+deb9u3 | i386
mmc-core-modules-4.9.0-3-686-pae-di | 4.9.30-2+deb9u3 | i386
mmc-modules-4.9.0-3-686-di | 4.9.30-2+deb9u3 | i386
mmc-modules-4.9.0-3-686-pae-di | 4.9.30-2+deb9u3 | i386
mouse-modules-4.9.0-3-686-di | 4.9.30-2+deb9u3 | i386
mouse-modules-4.9.0-3-686-pae-di | 4.9.30-2+deb9u3 | i386
multipath-modules-4.9.0-3-686-di | 4.9.30-2+deb9u3 | i386
multipath-modules-4.9.0-3-686-pae-di | 4.9.30-2+deb9u3 | i386
nbd-modules-4.9.0-3-686-di | 4.9.30-2+deb9u3 | i386
nbd-modules-4.9.0-3-686-pae-di | 4.9.30-2+deb9u3 | i386
nic-modules-4.9.0-3-686-di | 4.9.30-2+deb9u3 | i386
nic-modules-4.9.0-3-686-pae-di | 4.9.30-2+deb9u3 | i386
nic-pcmcia-modules-4.9.0-3-686-di | 4.9.30-2+deb9u3 | i386
nic-pcmcia-modules-4.9.0-3-686-pae-di | 4.9.30-2+deb9u3 | i386
nic-shared-modules-4.9.0-3-686-di | 4.9.30-2+deb9u3 | i386
nic-shared-modules-4.9.0-3-686-pae-di | 4.9.30-2+deb9u3 | i386
nic-usb-modules-4.9.0-3-686-di | 4.9.30-2+deb9u3 | i386
nic-usb-modules-4.9.0-3-686-pae-di | 4.9.30-2+deb9u3 | i386
nic-wireless-modules-4.9.0-3-686-di | 4.9.30-2+deb9u3 | i386
nic-wireless-modules-4.9.0-3-686-pae-di | 4.9.30-2+deb9u3 | i386
ntfs-modules-4.9.0-3-686-di | 4.9.30-2+deb9u3 | i386
ntfs-modules-4.9.0-3-686-pae-di | 4.9.30-2+deb9u3 | i386
pata-modules-4.9.0-3-686-di | 4.9.30-2+deb9u3 | i386
pata-modules-4.9.0-3-686-pae-di | 4.9.30-2+deb9u3 | i386
pcmcia-modules-4.9.0-3-686-di | 4.9.30-2+deb9u3 | i386
pcmcia-modules-4.9.0-3-686-pae-di | 4.9.30-2+deb9u3 | i386
pcmcia-storage-modules-4.9.0-3-686-di | 4.9.30-2+deb9u3 | i386
pcmcia-storage-modules-4.9.0-3-686-pae-di | 4.9.30-2+deb9u3 | i386
ppp-modules-4.9.0-3-686-di | 4.9.30-2+deb9u3 | i386
ppp-modules-4.9.0-3-686-pae-di | 4.9.30-2+deb9u3 | i386
sata-modules-4.9.0-3-686-di | 4.9.30-2+deb9u3 | i386
sata-modules-4.9.0-3-686-pae-di | 4.9.30-2+deb9u3 | i386
scsi-core-modules-4.9.0-3-686-di | 4.9.30-2+deb9u3 | i386
scsi-core-modules-4.9.0-3-686-pae-di | 4.9.30-2+deb9u3 | i386
scsi-modules-4.9.0-3-686-di | 4.9.30-2+deb9u3 | i386
scsi-modules-4.9.0-3-686-pae-di | 4.9.30-2+deb9u3 | i386
serial-modules-4.9.0-3-686-di | 4.9.30-2+deb9u3 | i386
serial-modules-4.9.0-3-686-pae-di | 4.9.30-2+deb9u3 | i386
sound-modules-4.9.0-3-686-di | 4.9.30-2+deb9u3 | i386
sound-modules-4.9.0-3-686-pae-di | 4.9.30-2+deb9u3 | i386
speakup-modules-4.9.0-3-686-di | 4.9.30-2+deb9u3 | i386
speakup-modules-4.9.0-3-686-pae-di | 4.9.30-2+deb9u3 | i386
squashfs-modules-4.9.0-3-686-di | 4.9.30-2+deb9u3 | i386
squashfs-modules-4.9.0-3-686-pae-di | 4.9.30-2+deb9u3 | i386
udf-modules-4.9.0-3-686-di | 4.9.30-2+deb9u3 | i386
udf-modules-4.9.0-3-686-pae-di | 4.9.30-2+deb9u3 | i386
uinput-modules-4.9.0-3-686-di | 4.9.30-2+deb9u3 | i386
uinput-modules-4.9.0-3-686-pae-di | 4.9.30-2+deb9u3 | i386
usb-modules-4.9.0-3-686-di | 4.9.30-2+deb9u3 | i386
usb-modules-4.9.0-3-686-pae-di | 4.9.30-2+deb9u3 | i386
usb-serial-modules-4.9.0-3-686-di | 4.9.30-2+deb9u3 | i386
usb-serial-modules-4.9.0-3-686-pae-di | 4.9.30-2+deb9u3 | i386
usb-storage-modules-4.9.0-3-686-di | 4.9.30-2+deb9u3 | i386 usb-storage-modules-4.9.0-3-686-pae-di | 4.9.30-2+deb9u3 | i386 virtio-modules-4.9.0-3-686-di | 4.9.30-2+deb9u3 | i386 virtio-modules-4.9.0-3-686-pae-di | 4.9.30-2+deb9u3 | i386 xfs-modules-4.9.0-3-686-di | 4.9.30-2+deb9u3 | i386 xfs-modules-4.9.0-3-686-pae-di | 4.9.30-2+deb9u3 | i386 ------------------- Reason ------------------- [auto-cruft] NBS (no longer built by linux) ---------------------------------------------- ========================================================================= ========================================================================= [Date: Sat, 07 Oct 2017 08:46:42 +0000] [ftpmaster: Ansgar Burchardt] Removed the following packages from stable: ata-modules-4.9.0-3-armmp-di | 4.9.30-2+deb9u3 | armhf btrfs-modules-4.9.0-3-armmp-di | 4.9.30-2+deb9u3 | armhf crc-modules-4.9.0-3-armmp-di | 4.9.30-2+deb9u3 | armhf crypto-dm-modules-4.9.0-3-armmp-di | 4.9.30-2+deb9u3 | armhf crypto-modules-4.9.0-3-armmp-di | 4.9.30-2+deb9u3 | armhf efi-modules-4.9.0-3-armmp-di | 4.9.30-2+deb9u3 | armhf event-modules-4.9.0-3-armmp-di | 4.9.30-2+deb9u3 | armhf ext4-modules-4.9.0-3-armmp-di | 4.9.30-2+deb9u3 | armhf fat-modules-4.9.0-3-armmp-di | 4.9.30-2+deb9u3 | armhf fb-modules-4.9.0-3-armmp-di | 4.9.30-2+deb9u3 | armhf fuse-modules-4.9.0-3-armmp-di | 4.9.30-2+deb9u3 | armhf i2c-modules-4.9.0-3-armmp-di | 4.9.30-2+deb9u3 | armhf input-modules-4.9.0-3-armmp-di | 4.9.30-2+deb9u3 | armhf isofs-modules-4.9.0-3-armmp-di | 4.9.30-2+deb9u3 | armhf jfs-modules-4.9.0-3-armmp-di | 4.9.30-2+deb9u3 | armhf kernel-image-4.9.0-3-armmp-di | 4.9.30-2+deb9u3 | armhf leds-modules-4.9.0-3-armmp-di | 4.9.30-2+deb9u3 | armhf linux-headers-4.9.0-3-all-armhf | 4.9.30-2+deb9u3 | armhf linux-headers-4.9.0-3-armmp | 4.9.30-2+deb9u3 | armhf linux-headers-4.9.0-3-armmp-lpae | 4.9.30-2+deb9u3 | armhf linux-image-4.9.0-3-armmp | 4.9.30-2+deb9u3 | armhf linux-image-4.9.0-3-armmp-dbg | 4.9.30-2+deb9u3 | armhf 
linux-image-4.9.0-3-armmp-lpae | 4.9.30-2+deb9u3 | armhf linux-image-4.9.0-3-armmp-lpae-dbg | 4.9.30-2+deb9u3 | armhf loop-modules-4.9.0-3-armmp-di | 4.9.30-2+deb9u3 | armhf md-modules-4.9.0-3-armmp-di | 4.9.30-2+deb9u3 | armhf mmc-modules-4.9.0-3-armmp-di | 4.9.30-2+deb9u3 | armhf mtd-modules-4.9.0-3-armmp-di | 4.9.30-2+deb9u3 | armhf multipath-modules-4.9.0-3-armmp-di | 4.9.30-2+deb9u3 | armhf nbd-modules-4.9.0-3-armmp-di | 4.9.30-2+deb9u3 | armhf nic-modules-4.9.0-3-armmp-di | 4.9.30-2+deb9u3 | armhf nic-shared-modules-4.9.0-3-armmp-di | 4.9.30-2+deb9u3 | armhf nic-usb-modules-4.9.0-3-armmp-di | 4.9.30-2+deb9u3 | armhf nic-wireless-modules-4.9.0-3-armmp-di | 4.9.30-2+deb9u3 | armhf pata-modules-4.9.0-3-armmp-di | 4.9.30-2+deb9u3 | armhf ppp-modules-4.9.0-3-armmp-di | 4.9.30-2+deb9u3 | armhf sata-modules-4.9.0-3-armmp-di | 4.9.30-2+deb9u3 | armhf scsi-core-modules-4.9.0-3-armmp-di | 4.9.30-2+deb9u3 | armhf scsi-modules-4.9.0-3-armmp-di | 4.9.30-2+deb9u3 | armhf squashfs-modules-4.9.0-3-armmp-di | 4.9.30-2+deb9u3 | armhf udf-modules-4.9.0-3-armmp-di | 4.9.30-2+deb9u3 | armhf uinput-modules-4.9.0-3-armmp-di | 4.9.30-2+deb9u3 | armhf usb-modules-4.9.0-3-armmp-di | 4.9.30-2+deb9u3 | armhf usb-storage-modules-4.9.0-3-armmp-di | 4.9.30-2+deb9u3 | armhf virtio-modules-4.9.0-3-armmp-di | 4.9.30-2+deb9u3 | armhf zlib-modules-4.9.0-3-armmp-di | 4.9.30-2+deb9u3 | armhf ------------------- Reason ------------------- [auto-cruft] NBS (no longer built by linux) ---------------------------------------------- ========================================================================= ========================================================================= [Date: Sat, 07 Oct 2017 08:47:25 +0000] [ftpmaster: Ansgar Burchardt] Removed the following packages from stable: btrfs-modules-4.9.0-3-marvell-di | 4.9.30-2+deb9u3 | armel cdrom-core-modules-4.9.0-3-marvell-di | 4.9.30-2+deb9u3 | armel crc-modules-4.9.0-3-marvell-di | 4.9.30-2+deb9u3 | armel crypto-dm-modules-4.9.0-3-marvell-di 
| 4.9.30-2+deb9u3 | armel crypto-modules-4.9.0-3-marvell-di | 4.9.30-2+deb9u3 | armel event-modules-4.9.0-3-marvell-di | 4.9.30-2+deb9u3 | armel ext4-modules-4.9.0-3-marvell-di | 4.9.30-2+deb9u3 | armel fat-modules-4.9.0-3-marvell-di | 4.9.30-2+deb9u3 | armel fb-modules-4.9.0-3-marvell-di | 4.9.30-2+deb9u3 | armel fuse-modules-4.9.0-3-marvell-di | 4.9.30-2+deb9u3 | armel input-modules-4.9.0-3-marvell-di | 4.9.30-2+deb9u3 | armel ipv6-modules-4.9.0-3-marvell-di | 4.9.30-2+deb9u3 | armel isofs-modules-4.9.0-3-marvell-di | 4.9.30-2+deb9u3 | armel jffs2-modules-4.9.0-3-marvell-di | 4.9.30-2+deb9u3 | armel jfs-modules-4.9.0-3-marvell-di | 4.9.30-2+deb9u3 | armel kernel-image-4.9.0-3-marvell-di | 4.9.30-2+deb9u3 | armel leds-modules-4.9.0-3-marvell-di | 4.9.30-2+deb9u3 | armel linux-headers-4.9.0-3-all-armel | 4.9.30-2+deb9u3 | armel linux-headers-4.9.0-3-marvell | 4.9.30-2+deb9u3 | armel linux-image-4.9.0-3-marvell | 4.9.30-2+deb9u3 | armel linux-image-4.9.0-3-marvell-dbg | 4.9.30-2+deb9u3 | armel loop-modules-4.9.0-3-marvell-di | 4.9.30-2+deb9u3 | armel md-modules-4.9.0-3-marvell-di | 4.9.30-2+deb9u3 | armel minix-modules-4.9.0-3-marvell-di | 4.9.30-2+deb9u3 | armel mmc-modules-4.9.0-3-marvell-di | 4.9.30-2+deb9u3 | armel mouse-modules-4.9.0-3-marvell-di | 4.9.30-2+deb9u3 | armel mtd-modules-4.9.0-3-marvell-di | 4.9.30-2+deb9u3 | armel multipath-modules-4.9.0-3-marvell-di | 4.9.30-2+deb9u3 | armel nbd-modules-4.9.0-3-marvell-di | 4.9.30-2+deb9u3 | armel nic-modules-4.9.0-3-marvell-di | 4.9.30-2+deb9u3 | armel nic-shared-modules-4.9.0-3-marvell-di | 4.9.30-2+deb9u3 | armel nic-usb-modules-4.9.0-3-marvell-di | 4.9.30-2+deb9u3 | armel ppp-modules-4.9.0-3-marvell-di | 4.9.30-2+deb9u3 | armel sata-modules-4.9.0-3-marvell-di | 4.9.30-2+deb9u3 | armel scsi-core-modules-4.9.0-3-marvell-di | 4.9.30-2+deb9u3 | armel squashfs-modules-4.9.0-3-marvell-di | 4.9.30-2+deb9u3 | armel udf-modules-4.9.0-3-marvell-di | 4.9.30-2+deb9u3 | armel uinput-modules-4.9.0-3-marvell-di | 
4.9.30-2+deb9u3 | armel usb-modules-4.9.0-3-marvell-di | 4.9.30-2+deb9u3 | armel usb-serial-modules-4.9.0-3-marvell-di | 4.9.30-2+deb9u3 | armel usb-storage-modules-4.9.0-3-marvell-di | 4.9.30-2+deb9u3 | armel zlib-modules-4.9.0-3-marvell-di | 4.9.30-2+deb9u3 | armel ------------------- Reason ------------------- [auto-cruft] NBS (no longer built by linux) ---------------------------------------------- ========================================================================= ========================================================================= [Date: Sat, 07 Oct 2017 08:47:44 +0000] [ftpmaster: Ansgar Burchardt] Removed the following packages from stable: ata-modules-4.9.0-3-arm64-di | 4.9.30-2+deb9u2 | arm64 btrfs-modules-4.9.0-3-arm64-di | 4.9.30-2+deb9u2 | arm64 cdrom-core-modules-4.9.0-3-arm64-di | 4.9.30-2+deb9u2 | arm64 crc-modules-4.9.0-3-arm64-di | 4.9.30-2+deb9u2 | arm64 crypto-dm-modules-4.9.0-3-arm64-di | 4.9.30-2+deb9u2 | arm64 crypto-modules-4.9.0-3-arm64-di | 4.9.30-2+deb9u2 | arm64 efi-modules-4.9.0-3-arm64-di | 4.9.30-2+deb9u2 | arm64 event-modules-4.9.0-3-arm64-di | 4.9.30-2+deb9u2 | arm64 ext4-modules-4.9.0-3-arm64-di | 4.9.30-2+deb9u2 | arm64 fat-modules-4.9.0-3-arm64-di | 4.9.30-2+deb9u2 | arm64 fb-modules-4.9.0-3-arm64-di | 4.9.30-2+deb9u2 | arm64 fuse-modules-4.9.0-3-arm64-di | 4.9.30-2+deb9u2 | arm64 i2c-modules-4.9.0-3-arm64-di | 4.9.30-2+deb9u2 | arm64 input-modules-4.9.0-3-arm64-di | 4.9.30-2+deb9u2 | arm64 isofs-modules-4.9.0-3-arm64-di | 4.9.30-2+deb9u2 | arm64 jfs-modules-4.9.0-3-arm64-di | 4.9.30-2+deb9u2 | arm64 kernel-image-4.9.0-3-arm64-di | 4.9.30-2+deb9u2 | arm64 leds-modules-4.9.0-3-arm64-di | 4.9.30-2+deb9u2 | arm64 linux-headers-4.9.0-3-all-arm64 | 4.9.30-2+deb9u2 | arm64 linux-headers-4.9.0-3-arm64 | 4.9.30-2+deb9u2 | arm64 linux-image-4.9.0-3-arm64 | 4.9.30-2+deb9u2 | arm64 linux-image-4.9.0-3-arm64-dbg | 4.9.30-2+deb9u2 | arm64 loop-modules-4.9.0-3-arm64-di | 4.9.30-2+deb9u2 | arm64 md-modules-4.9.0-3-arm64-di | 
4.9.30-2+deb9u2 | arm64 mmc-modules-4.9.0-3-arm64-di | 4.9.30-2+deb9u2 | arm64 multipath-modules-4.9.0-3-arm64-di | 4.9.30-2+deb9u2 | arm64 nbd-modules-4.9.0-3-arm64-di | 4.9.30-2+deb9u2 | arm64 nic-modules-4.9.0-3-arm64-di | 4.9.30-2+deb9u2 | arm64 nic-shared-modules-4.9.0-3-arm64-di | 4.9.30-2+deb9u2 | arm64 nic-usb-modules-4.9.0-3-arm64-di | 4.9.30-2+deb9u2 | arm64 nic-wireless-modules-4.9.0-3-arm64-di | 4.9.30-2+deb9u2 | arm64 ppp-modules-4.9.0-3-arm64-di | 4.9.30-2+deb9u2 | arm64 sata-modules-4.9.0-3-arm64-di | 4.9.30-2+deb9u2 | arm64 scsi-core-modules-4.9.0-3-arm64-di | 4.9.30-2+deb9u2 | arm64 scsi-modules-4.9.0-3-arm64-di | 4.9.30-2+deb9u2 | arm64 squashfs-modules-4.9.0-3-arm64-di | 4.9.30-2+deb9u2 | arm64 udf-modules-4.9.0-3-arm64-di | 4.9.30-2+deb9u2 | arm64 uinput-modules-4.9.0-3-arm64-di | 4.9.30-2+deb9u2 | arm64 usb-modules-4.9.0-3-arm64-di | 4.9.30-2+deb9u2 | arm64 usb-storage-modules-4.9.0-3-arm64-di | 4.9.30-2+deb9u2 | arm64 virtio-modules-4.9.0-3-arm64-di | 4.9.30-2+deb9u2 | arm64 xfs-modules-4.9.0-3-arm64-di | 4.9.30-2+deb9u2 | arm64 ------------------- Reason ------------------- [auto-cruft] NBS (no longer built by linux) ---------------------------------------------- ========================================================================= ========================================================================= [Date: Sat, 07 Oct 2017 08:48:06 +0000] [ftpmaster: Ansgar Burchardt] Removed the following packages from stable: linux-headers-4.9.0-3-all | 4.9.30-2+deb9u2 | arm64 linux-headers-4.9.0-3-all | 4.9.30-2+deb9u3 | amd64, armel, armhf, i386, mips, mips64el, mipsel, ppc64el, s390x ------------------- Reason ------------------- [auto-cruft] NBS (no longer built by linux) ---------------------------------------------- ========================================================================= ========================================================================= [Date: Sat, 07 Oct 2017 08:49:10 +0000] [ftpmaster: Ansgar Burchardt] Removed the 
following packages from stable: firefox-esr-dbg | 45.9.0esr-1 | amd64, arm64, armel, armhf, i386, mips, mips64el, mipsel, ppc64el, s390x ------------------- Reason ------------------- [auto-cruft] NBS (no longer built by firefox-esr) ---------------------------------------------- ========================================================================= ========================================================================= [Date: Sat, 07 Oct 2017 08:57:04 +0000] [ftpmaster: Ansgar Burchardt] Removed the following packages from stable: firefox-esr-l10n-be | 45.9.0esr-1 | all ------------------- Reason ------------------- [auto-cruft] no longer built from source ---------------------------------------------- ========================================================================= ========================================================================= [Date: Sat, 07 Oct 2017 08:57:35 +0000] [ftpmaster: Ansgar Burchardt] Removed the following packages from stable: iceweasel-dbg | 45.9.0esr-1 | all ------------------- Reason ------------------- [auto-cruft] no longer built from source ---------------------------------------------- ========================================================================= ========================================================================= [Date: Sat, 07 Oct 2017 08:57:46 +0000] [ftpmaster: Ansgar Burchardt] Removed the following packages from stable: iceweasel-l10n-be | 1:45.9.0esr-1 | all ------------------- Reason ------------------- [auto-cruft] no longer built from source ---------------------------------------------- ========================================================================= ========================================================================= [Date: Sat, 07 Oct 2017 08:57:59 +0000] [ftpmaster: Ansgar Burchardt] Removed the following packages from stable: linux-headers-4.9.0-3-common | 4.9.30-2+deb9u3 | all ------------------- Reason ------------------- [auto-cruft] no longer built from source 
---------------------------------------------- ========================================================================= ========================================================================= [Date: Sat, 07 Oct 2017 08:58:10 +0000] [ftpmaster: Ansgar Burchardt] Removed the following packages from stable: linux-headers-4.9.0-3-common-rt | 4.9.30-2+deb9u3 | all ------------------- Reason ------------------- [auto-cruft] no longer built from source ---------------------------------------------- ========================================================================= ========================================================================= [Date: Sat, 07 Oct 2017 08:58:23 +0000] [ftpmaster: Ansgar Burchardt] Removed the following packages from stable: linux-support-4.9.0-3 | 4.9.30-2+deb9u3 | all ------------------- Reason ------------------- [auto-cruft] no longer built from source ---------------------------------------------- ========================================================================= aodh (3.0.0-4+deb9u1) stretch-security; urgency=medium . * CVE-2017-12440: apply upstream patch (Closes: #872605). apache2 (2.4.25-3+deb9u3) stretch-security; urgency=high . * Non-maintainer upload by the Security Team. * CVE-2017-9798: Use-after-free by limiting unregistered HTTP method (Closes: #876109) apache2 (2.4.25-3+deb9u2) stretch-security; urgency=medium . * CVE-2017-9788: mod_auth_digest: Fix leak of uninitialized memory apt (1.4.8) stretch; urgency=medium . [ Balint Reczey ] * Gracefully terminate process when stopping apt-daily-upgrade (LP: #1690980) . [ David Kalnischkies ] * don't ask an uninit _system for supported archs, this crashes the mirror method (LP: #1613184) . 
[ Julian Andres Klode ] * Do not warn about duplicate "legacy" targets (Closes: #839259) (LP: #1697120) * apt-daily: Pull in network-online.target in service, not timer - this can cause a severe boot performance regression / hang (LP: #1716973) asterisk (1:13.14.1~dfsg-2+deb9u1) stretch-security; urgency=high . * CVE-2017-14099 / AST-2017-005 Media takeover in RTP stack ("RTP bleed") (Closes: #873907) * CVE-2017-14100 / AST-2017-006 Shell access command injection in app_minivm (Closes: #873908) at-spi2-core (2.22.0-6+deb9u1) stretch; urgency=medium . * patches/accessible_get_parent.diff: Upstream fix for crash on switching between windows (Closes: Bug#872912). atril (1.16.1-2+deb9u1) stretch-security; urgency=high . * Non-maintainer upload * Add 0001-CVE-2017-1000083-comics-Remove-support-for-tar-and-tar-like-command.patch Fixes a command injection vulnerability in CBT handler. CVE-2017-1000083 (Closes: #868500) augeas (1.8.0-1+deb9u1) stretch-security; urgency=high . * Add patch to fix CVE-2017-7555 (Closes: #872400) bareos (16.2.4-3+deb9u1) stretch; urgency=medium . * Fix permissions of bareos-dir logrotate config on upgrade. (Closes: #864926) * Remove duplicate config check call in the init script. - Avoids (harmless) warning when /etc/bareos/bareos-dir.conf doesn't exist. * Fix file corruption when using SHA1 signature. (Closes: #869608) * Add autopkgtest for SHA1 signature. bind9 (1:9.10.3.dfsg.P4-12.3+deb9u3) stretch; urgency=medium . [ Bernhard Schmidt ] * Import upcoming DNSSEC KSK-2017 from 9.10.5 . [ Ondřej Surý ] * Non-maintainer upload. bind9 (1:9.10.3.dfsg.P4-12.3+deb9u2) stretch-security; urgency=high . * Non-maintainer upload by the Security Team. * debian/patches: - CVE-2017-3142_regression added, fix a regression introduced with the correction for CVE-2017-3142. bluez (5.43-2+deb9u1) stretch-security; urgency=high . * Non-maintainer upload by the Security Team.
* CVE-2017-1000250: information disclosure vulnerability in service_search_attr_req (Closes: #875633) bridge-utils (1.5-13+deb9u1) stretch; urgency=low . * Fix a problem with some vlan interfaces not being created. Closes: #866687. caja (1.16.6-1+deb9u1) stretch; urgency=medium . [ Pablo Barciela ] * debian/patches: + Add 0001_fix-high-cpu-while-loading-background-image.patch. (Closes: #875717). catdoc (1:0.94.3~git20160113.dbc9ec6+dfsg-1+deb9u1) stretch-security; urgency=high . * Non-maintainer upload by the Security Team. * CVE-2017-11110: Heap buffer overflow in ole_init (Closes: #867717) chromium-browser (61.0.3163.100-1~deb9u1) stretch-security; urgency=medium . * New upstream stable release - CVE-2017-5111: Use after free in PDFium. Reported by Luật Nguyễn - CVE-2017-5112: Heap buffer overflow in WebGL. Reported by Tobias Klein - CVE-2017-5113: Heap buffer overflow in Skia. Reported by Anonymous - CVE-2017-5114: Memory lifecycle issue in PDFium. Reported by Ke Liu - CVE-2017-5115: Type confusion in V8. Reported by Marco Giovannini - CVE-2017-5116: Type confusion in V8. Reported by Anonymous - CVE-2017-5117: Use of uninitialized value in Skia. Reported by Tobias Klein - CVE-2017-5118: Bypass of Content Security Policy in Blink. Reported by WenXu Wu - CVE-2017-5119: Use of uninitialized value in Skia. Reported by Anonymous - CVE-2017-5120: Potential HTTPS downgrade during redirect navigation. Reported by Xiaoyin Liu - CVE-2017-5121: Out-of-bounds access in V8. Reported by Jordan Rabet - CVE-2017-5122: Out-of-bounds access in V8. Reported by Choongwoo Han chromium-browser (60.0.3112.78-1) unstable; urgency=medium . * New upstream stable release: - CVE-2017-5091: Use after free in IndexedDB. Reported by Ned Williamson - CVE-2017-5092: Use after free in PPAPI. Reported by Yu Zhou, Yuan Deng - CVE-2017-5093: UI spoofing in Blink. Reported by Luan Herrera - CVE-2017-5094: Type confusion in extensions. 
Reported by Anonymous - CVE-2017-5095: Out-of-bounds write in PDFium. Reported by Anonymous - CVE-2017-5096: User information leak via Android intents. Reported by Takeshi Terada - CVE-2017-5097: Out-of-bounds read in Skia. Reported by Anonymous - CVE-2017-5098: Use after free in V8. Reported by Jihoon Kim - CVE-2017-5099: Out-of-bounds write in PPAPI. Reported by Yuan Deng, Yu Zhou - CVE-2017-5100: Use after free in Chrome Apps. Reported by Anonymous - CVE-2017-5101: URL spoofing in OmniBox. Reported by Luan Herrera - CVE-2017-5102: Uninitialized use in Skia. Reported by Anonymous - CVE-2017-5103: Uninitialized use in Skia. Reported by Anonymous - CVE-2017-5104: UI spoofing in browser. Reported by Khalil Zhani - CVE-2017-7000: Pointer disclosure in SQLite. Reported by Chaitin Security Research Lab - CVE-2017-5105: URL spoofing in OmniBox. Reported by Rayyan Bijoora - CVE-2017-5106: URL spoofing in OmniBox. Reported by Jack Zac - CVE-2017-5107: User information leak via SVG. Reported by David Kohlbrenner - CVE-2017-5108: Type confusion in PDFium. Reported by Guang Gong - CVE-2017-5109: UI spoofing in browser. Reported by José María Acuña Morgado - CVE-2017-5110: UI spoofing in payments dialog. Reported by xisigr chromium-browser (60.0.3112.78-1~deb9u1) stretch-security; urgency=medium . * New upstream stable release. - CVE-2017-5087: Sandbox Escape in IndexedDB. Reported by Ned Williamson - CVE-2017-5088: Out of bounds read in V8. Reported by Xiling Gong - CVE-2017-5089: Domain spoofing in Omnibox. Reported by Michał Bentkowski - CVE-2017-5091: Use after free in IndexedDB. Reported by Ned Williamson - CVE-2017-5092: Use after free in PPAPI. Reported by Yu Zhou, Yuan Deng - CVE-2017-5093: UI spoofing in Blink. Reported by Luan Herrera - CVE-2017-5094: Type confusion in extensions. Reported by Anonymous - CVE-2017-5095: Out-of-bounds write in PDFium. Reported by Anonymous - CVE-2017-5096: User information leak via Android intents. 
Reported by Takeshi Terada - CVE-2017-5097: Out-of-bounds read in Skia. Reported by Anonymous - CVE-2017-5098: Use after free in V8. Reported by Jihoon Kim - CVE-2017-5099: Out-of-bounds write in PPAPI. Reported by Yuan Deng, Yu Zhou - CVE-2017-5100: Use after free in Chrome Apps. Reported by Anonymous - CVE-2017-5101: URL spoofing in OmniBox. Reported by Luan Herrera - CVE-2017-5102: Uninitialized use in Skia. Reported by Anonymous - CVE-2017-5103: Uninitialized use in Skia. Reported by Anonymous - CVE-2017-5104: UI spoofing in browser. Reported by Khalil Zhani - CVE-2017-5105: URL spoofing in OmniBox. Reported by Rayyan Bijoora - CVE-2017-5106: URL spoofing in OmniBox. Reported by Jack Zac - CVE-2017-5107: User information leak via SVG. Reported by David Kohlbrenner - CVE-2017-5108: Type confusion in PDFium. Reported by Guang Gong - CVE-2017-5109: UI spoofing in browser. Reported by José María Acuña Morgado - CVE-2017-5110: UI spoofing in payments dialog. Reported by xisigr - CVE-2017-7000: Pointer disclosure in SQLite. Reported by Chaitin Security Research Lab chromium-browser (60.0.3112.72-1) unstable; urgency=medium . * New upstream beta release. - Adds support for gcc 6.4 (closes: #868926). * Update to debhelper version 10. * Update to standards version 4.0.0. * Only include pak files that are needed. * Drop chromedriver transitional package. * Drop ffmpeg.patch, now applied upstream. * Drop libgnome-keyring-dev build dependency (closes: #867917). * Install chromium-shell to /usr/lib/chromium (closes: #864565). - Thanks to Bert Schulze. chromium-browser (59.0.3071.104-1) unstable; urgency=medium . * New upstream security release. - CVE-2017-5087: Sandbox Escape in IndexedDB. Reported by Ned Williamson - CVE-2017-5088: Out of bounds read in V8. Reported by Xiling Gong - CVE-2017-5089: Domain spoofing in Omnibox. Reported by Michał Bentkowski * Update get-orig-source to support really long arguments to tar --delete. 
chrony (3.0-4+deb9u1) stretch; urgency=medium . * debian/chrony.if-up: - Do not pass the “burst” command to chronyc as the script could return an error in certain situations. As a consequence, that would prevent ifupdown from writing the current state of the interfaces in /run/network/ifstate. Thanks to John Eikenberry for reporting that issue. (Closes: #868491) . * debian/chrony.ppp.ip-up: - Take the same action as for the “chrony.if-up” script as a precautionary measure. connman (1.33-3+deb9u1) stretch-security; urgency=high . * Non-maintainer upload by the Security Team. * CVE-2017-12865: Fix crash on malformed DNS response (Closes: #872844) cross-gcc (113+deb9u1) stretch; urgency=medium . * Fixup outdated patch for gcc 6.3.0-18 in stable (Closes: 865493) cvs (2:1.12.13+real-22+deb9u1) stretch-security; urgency=high . * Fix CVE-2017-12836 (Closes: #871810) cvxopt (1.1.4-1.5+deb9u1) stretch; urgency=medium . * Team upload. * d/p/glpk-4.49.diff: remove the compatibility layer for lpx_main(), it is not needed and uses a missing symbol. (Closes: #840159) db5.3 (5.3.28-12+deb9u1) stretch; urgency=medium . * Non-maintainer upload. * CVE-2017-10140: Reads DB_CONFIG from the current working directory. Do not access DB_CONFIG when db_home is not set. (Closes: #872436) dbus (1.10.22-0+deb9u1) stretch; urgency=medium . * New upstream stable release - d/copyright: Update - Drop Doxygen reproducibility patch, applied upstream - d/p/backports/Replace-DBUS_USE_TEST_BINARY-(etc.).patch: Update backported patch to apply to 1.10.22 * debian/gbp.conf: Set git branch to debian/stretch dbus (1.10.20-1) unstable; urgency=medium . * New upstream stable release - Drop Doxygen reproducibility patch, applied upstream * Merge packaging from experimental: - Don't capture build directory in the debug build, using a patch backported from upstream git master - Move doxygen and xsltproc to Build-Depends-Indep, and don't build documentation when not building dbus-1-doc. 
This speeds up architecture-specific builds. - Remove support for DEB_BUILD_OPTIONS="nodoc noudeb". Use build profiles instead; support nocheck, nodoc, noudeb and stage1 profiles (Closes: #728820) - Simplify the layout of the debug build. - Drop the dbus-1-dbg binary package. Move the debug build to dbus-tests, and the debug symbols to automatically generated -dbgsym packages. - Don't run the installed-tests two different ways, just use gnome-desktop-testing. - Configure the debug build with --enable-embedded-tests rather than --enable-tests. The latter requires python, python-dbus and python-gi, but only for build-time tests that we do not actually run (#630152). + Drop build-dependencies on python, python-dbus and python-gi + This should make dbus much easier to cross-compile (Closes: #560834) - gnome-desktop-testing: Require xauth and xvfb-run for better test coverage - Clean up upgrade/compatibility code that is no longer needed: + Stop creating the symlinks required to keep dbus-daemon 1.8 from Debian 8 'jessie' able to reload configuration after an upgrade to dbus 1.10 in Debian 9 'stretch'. Upgrades that skip a stable release are not supported. + On upgrade, remove compatibility symlinks created by that upgrade, if they exist. + Stop cleaning those symlinks up during package removal. - Stop patching system.conf, session.conf to load /etc/dbus-1/*.conf.dpkg-bak. - debian/copyright: Use https for Format and Source - debian/dbus.triggers: Add a trigger on /usr/share/dbus-1/system.d to reload the dbus-daemon - Unversion (build)-dependencies that are satisfied in oldstable - Declare Policy 4.0.0 compliance - Use the debug-build binaries to run the debug-build tests debian-edu-doc (1.921~20170603+deb9u2) stretch; urgency=medium . * Merge stretch related documentation and translation updates from the debian-edu-doc package in sid: * Update Debian Edu Stretch manual from the wiki. . 
[ Wolfgang Schweer ] * Replace existing boot menu screenshots with recent ones from the wiki. * documentation/debian-edu-stretch: Add Debian_Edu_Network_Stretch.odg as source for the related (en|fr|de) PNG files. . [ Stretch Manual translation updates ] * Simplified Chinese: Ma Yong. * Italian: Claudio Carboncini. * German: Wolfgang Schweer. * Japanese: Victory, also provided screenshots in Japanese. * Norwegian Bokmål: Petter Reinholdtsen. * Dutch: Frans Spiesschaert. debian-installer (20170615+deb9u2) stretch; urgency=medium . * Bump Linux kernel version from 4.9.0-3 to 4.9.0-4. This is unusual, but the linux kernel ABI got bumped in stable. debian-installer-netboot-images (20170615+deb9u2) stretch; urgency=medium . * Update to 20170615+deb9u2 images, from stretch-proposed-updates desktop-base (9.0.2+deb9u1) stretch; urgency=medium . * Ensure postinst doesn’t fail on upgrade even when an incomplete theme pack is active. (Closes: #858643) * Fix XML syntax errors in gnome wallpaper description files making Joy wallpapers unavailable by default. (Closes: #862228) dns-root-data (2017072601~deb9u1) stretch; urgency=high . * Update root.hints to 2017072601 version * Add gbp.conf for master-stretch branch * Change the state of KSK-2017 to VALID dns-root-data (2017072601~deb8u1) jessie; urgency=high . * Add KSK-2017 to root.key file * Update root.hints to 2017072601 version * Add gbp.conf for master-jessie branch dns-root-data (2017071401) unstable; urgency=medium . * Update the root.hints to 2017060102 version * Change the state of KSK-2017 to VALID dnsdist (1.1.0-2+deb9u1) stretch; urgency=medium . * Fix CVE-2016-7069, CVE-2017-7557 using patches from upstream (Closes: #872854) dnsviz (0.6.4-1+deb9u1) stretch; urgency=medium . * Cherry-pick upstream fixes related to root.hints and root.keys changes * Update gbp.conf for debian/stretch branch dose3 (5.0.1-8+deb9u1) stretch; urgency=medium .
* patch virtual_provides: packages that provide the same virtual package in different versions, or that provide the same versioned virtual package as a real package, are co-installable (closes: #867104). * add test-case for versioned virtual packages ecl (15.3.7+dfsg1-2+deb9u1) stretch; urgency=medium . * Team upload. * Add dependency on libffi-dev for ecl (Closes: #873091). emacs24 (24.5+1-11+deb9u1) stretch-security; urgency=medium . * Remove unsafe enriched mode translations emacs25 (25.1+1-4+deb9u1) stretch-security; urgency=high . * Block remote code execution via enriched text. Add 0012-A-remote-execution-exploit-via-enriched-text-has-bee.patch to fix the problem. Thanks to David Bremner for the alert and Salvatore Bonaccorso for reporting the problem to Debian. (Closes: 875447) enigmail (2:1.9.8.1-1~deb9u1) stretch-security; urgency=medium . * Rebuild for stretch-security (Closes: #869774) . enigmail (2:1.9.8.1-1) unstable; urgency=medium . * new upstream release . enigmail (2:1.9.8-1) unstable; urgency=medium . * New upstream release. * Standards-Version to 4.0.0 (no changes needed) * use dpkg/pkg-info.mk instead of dpkg-parsechangelog * use wrap-and-sort -ast enigmail (2:1.9.8.1-1~deb8u1) jessie-security; urgency=medium . * Rebuild for jessie-security (Closes: #869774) . enigmail (2:1.9.8.1-1) unstable; urgency=medium . * new upstream release . enigmail (2:1.9.8-1) unstable; urgency=medium . * New upstream release. * Standards-Version to 4.0.0 (no changes needed) * use dpkg/pkg-info.mk instead of dpkg-parsechangelog * use wrap-and-sort -ast . enigmail (2:1.9.7-2) unstable; urgency=medium . * enable re-certifying keys with expired certs (Closes: #863273) . enigmail (2:1.9.7-1) unstable; urgency=medium . * new upstream bugfix release . enigmail (2:1.9.6-2) unstable; urgency=medium . * pulled a bugfix from upstream, refreshed patches . enigmail (2:1.9.6-1) unstable; urgency=medium . * new upstream release . enigmail (2:1.9.5-7) unstable; urgency=medium . 
* fix "exchange repair" variant format of e-mail . enigmail (2:1.9.5-6) unstable; urgency=medium . * refresh patches from upstream enigmail-1.9-branch . enigmail (2:1.9.5-5) unstable; urgency=medium . * fix query for getKeyFileType (Closes: #842212) . enigmail (2:1.9.5-4) unstable; urgency=medium . * avoid parallel build failures . enigmail (2:1.9.5-3) unstable; urgency=medium . * more patches from upstream * bump to debhelper 10 (no changes needed) . enigmail (2:1.9.5-2) unstable; urgency=medium . * include two patches from upstream . enigmail (2:1.9.5-1) unstable; urgency=medium . * new upstream release . enigmail (2:1.9.4-1) unstable; urgency=medium . * new upstream release . enigmail (2:1.9.3-2) unstable; urgency=medium . * pulled more fixes from upstream . enigmail (2:1.9.3-1) unstable; urgency=medium . * new upstream release . enigmail (2:1.9.2-1) unstable; urgency=medium . * new upstream release * drop old upstream patches, pull more fixes from upstream . enigmail (2:1.9.1-2) unstable; urgency=medium . * changed dependencies to acknowledge newer versions of gnupg. * bumped Standards-Version to 3.9.8 (no changes needed) . enigmail (2:1.9.1-1) unstable; urgency=medium . * new upstream release * incorporated some additional minor patches from upstream's enigmial-1.9-branch as well. . enigmail (2:1.9-1) unstable; urgency=medium . * new upstream release * include upstream fix for excessive dumping * bumped Standards-Version to 3.9.7 (no changes needed) . enigmail (2:1.9~beta2+16.gd99b-1) experimental; urgency=medium . * new upstream snapshot . enigmail (2:1.9~beta2-1) experimental; urgency=medium . * new upstream beta release. * depend directly on gnupg2 -- 1.9 and later won't work with gpg1. . enigmail (2:1.9~beta1-1) experimental; urgency=medium . * package new upstream beta for experimental. . enigmail (2:1.8.2-4) unstable; urgency=medium . * pass through {GTK,QT}_IM_MODULE, XMODIFIERS, and DBUS_SESSION_BUS_ADDRESS so that modern pinentry works. 
(Closes: #794627) * correct reported version number of enigmail enigmail (2:1.9.8-1) unstable; urgency=medium . * New upstream release. * Standards-Version to 4.0.0 (no changes needed) * use dpkg/pkg-info.mk instead of dpkg-parsechangelog * use wrap-and-sort -ast erlang-p1-tls (1.0.7-2+deb9u1) stretch; urgency=medium . * Added backported upstream patch to "use openssl built-in function for setting up ECDH curves" (Closes: 871264) Thanks Adrien Dorsaz for reporting and providing the patch. evolution (3.22.6-1+deb9u1) stretch; urgency=medium . [ Phil Wyett ] * Added debian/patches/20_composer_hangs_right_click.patch. - Backport patch from git - Fix hangs on right click in composer window. (Closes: #871626) expat (2.2.0-2+deb9u1) stretch-security; urgency=high . * Replace the Mozilla CVE-2016-9063 fix with the more complete, upstream one. * Fix CVE-2017-9233: external entity infinite loop DoS. expect (5.45-7+deb9u1) stretch; urgency=medium . * Added a patch by Georg-Johann Lay which now properly checks for EOF and doesn't lose input when there are some characters in the input buffer and EOF flag happens. ffmpeg (7:3.2.7-1~deb9u1) stretch-security; urgency=high . * New upstream release. - apadec: Fix integer overflow. (CVE-2016-11399) - rtmppkt: Fix out-of-bound access. (CVE-2017-11665) - dnxhddec: Fix out-of-bound access. (CVE-2017-11719) - dnxhd_parser: Fix NULL pointer access. (CVE-2017-9608) - hls, avidec: Check file extensions. (CVE-2017-9993) ffmpeg (7:3.2.6-1) unstable; urgency=medium . * Team upload. * New upstream release. * debian/control: Bump Standards-Version. fife (0.4.0-3+deb9u1) stretch; urgency=medium . * Team upload. * Add 1000-icon-mem-leak.patch and fix a memory leak. Thanks to Petter Reinholdtsen for the report and testing and LinuxDonald for the patch. (Closes: #871782) file (1:5.30-1+deb9u1) stretch-security; urgency=high . * Non-maintainer upload by the Security Team. 
* CVE-2017-1000249: stack based buffer overflow via specially crafted .notes section in an ELF binary firefox-esr (52.4.0esr-1~deb9u1) stretch-security; urgency=medium . * New upstream release. * Fixes for mfsa2017-22, also known as: CVE-2017-7793, CVE-2017-7818, CVE-2017-7819, CVE-2017-7824, CVE-2017-7805, CVE-2017-7814, CVE-2017-7823, CVE-2017-7810. * debian/rules: Really build with gcc 6 on unstable. Closes: #871583. . * js/src/jsmath.cpp: Add GETRANDOM_NR definition for powerpc and mips. bz#1389281. * media/libcubeb/tests/moz.build: Fixup workaround for binutil assertion on mips. firefox-esr (52.4.0esr-1~deb8u1) jessie-security; urgency=medium . * New upstream release. * Fixes for mfsa2017-22, also known as: CVE-2017-7793, CVE-2017-7818, CVE-2017-7819, CVE-2017-7824, CVE-2017-7805, CVE-2017-7814, CVE-2017-7823, CVE-2017-7810. * debian/rules: Really build with gcc 6 on unstable. Closes: #871583. firefox-esr (52.3.0esr-2) unstable; urgency=medium . * debian/rules: Really build with gcc 6. Closes: #871583. firefox-esr (52.3.0esr-1) unstable; urgency=medium . * New upstream release. * Fixes for mfsa2017-19, also known as: CVE-2017-7798, CVE-2017-7800, CVE-2017-7801, CVE-2017-7784, CVE-2017-7802, CVE-2017-7785, CVE-2017-7786, CVE-2017-7753, CVE-2017-7787, CVE-2017-7807, CVE-2017-7792, CVE-2017-7791, CVE-2017-7803, CVE-2017-7779. . * debian/upstream.mk: Set DIST differently for experimental. * debian/control*, debian/rules: Build with gcc 6 because display is broken with gcc 7. . * FTBFS fixes: - js/src/jsmath.cpp: Define GETRANDOM_NR on more architectures. bz#1352236, bz#1357874. - media/libyuv/source/row_mips.cc: Only use the perf opcode on mips arches that support it. bz#1012232. firefox-esr (52.3.0esr-1~deb9u1) stretch-security; urgency=medium . * New upstream release. 
* Fixes for mfsa2017-19, also known as: CVE-2017-7798, CVE-2017-7800, CVE-2017-7801, CVE-2017-7784, CVE-2017-7802, CVE-2017-7785, CVE-2017-7786, CVE-2017-7753, CVE-2017-7787, CVE-2017-7807, CVE-2017-7792, CVE-2017-7791, CVE-2017-7803, CVE-2017-7779. . * debian/upstream.mk: - Consider testing/unstable as buster, which implies build depending on system nspr, nss and sqlite again. - Support DEB_DISTRIBUTION being bustersomething or sid. Closes: #865650. . * debian/upstream.mk: Set DIST differently for experimental. * debian/control*, debian/rules: Build with gcc 6 because display is broken with gcc 7. . * FTBFS fixes: - js/src/jsmath.cpp: Define GETRANDOM_NR on more architectures. bz#1352236, bz#1357874. - media/libyuv/source/row_mips.cc: Only use the perf opcode on mips arches that support it. bz#1012232. firefox-esr (52.3.0esr-1~deb8u2) jessie-security; urgency=medium . * js/src/jsmath.cpp: Add GETRANDOM_NR definition for powerpc and mips. bz#1389281. * media/libcubeb/tests/moz.build: Fixup workaround for binutil assertion on mips. firefox-esr (52.2.0esr-2) unstable; urgency=medium . * debian/upstream.mk: - Consider testing/unstable as buster, which implies build depending on system nspr, nss and sqlite again. - Support DEB_DISTRIBUTION being bustersomething or sid. Closes: #865650. firefox-esr (52.2.0esr-1) unstable; urgency=medium . * New upstream release. * Fixes for mfsa2017-16, also known as: CVE-2017-5472, CVE-2017-7749, CVE-2017-7750, CVE-2017-7751, CVE-2017-7752, CVE-2017-7754, CVE-2017-7756, CVE-2017-7757, CVE-2017-7778, CVE-2017-7758, CVE-2017-7764, CVE-2017-5470. . * debian/rules, debian/control.in: Switch to GCC 4.8 on wheezy. * debian/rules: Don't remove debian/control on clean. Thanks to Emilio Pozuelo Monfort for those two changes for wheezy LTS support. * debian/control.in: Bump nss build dependency. 
* debian/control.in, debian/rules, debian/symbols.mk, debian/upstream.mk: Rename the BACKPORT variable to DIST, and set it to "stretch" for unstable/testing targeted builds. * debian/rules: Normalize the system libraries used depending on the Debian version. firefox-esr (52.2.0esr-1~deb9u1) stretch-security; urgency=medium . * New upstream release. * Fixes for mfsa2017-16, also known as: CVE-2017-5472, CVE-2017-7749, CVE-2017-7750, CVE-2017-7751, CVE-2017-7752, CVE-2017-7754, CVE-2017-7756, CVE-2017-7757, CVE-2017-7778, CVE-2017-7758, CVE-2017-7764, CVE-2017-5470. . * debian/rules, debian/control.in: Switch to GCC 4.8 on wheezy. * debian/rules: Don't remove debian/control on clean. Thanks to Emilio Pozuelo Monfort for those two changes for wheezy LTS support. * debian/control.in: Bump nss build dependency. * debian/control.in, debian/rules, debian/symbols.mk, debian/upstream.mk: Rename the BACKPORT variable to DIST, and set it to "stretch" for unstable/testing targeted builds. * debian/rules: Normalize the system libraries used depending on the Debian version. . firefox-esr (52.1.0esr-1) experimental; urgency=medium . * New upstream release. * Fixes for mfsa2017-12, also known as: CVE-2017-5433, CVE-2017-5435, CVE-2017-5436, CVE-2017-5459, CVE-2017-5466, CVE-2017-5434, CVE-2017-5432, CVE-2017-5460, CVE-2017-5438, CVE-2017-5439, CVE-2017-5440, CVE-2017-5441, CVE-2017-5442, CVE-2017-5464, CVE-2017-5443, CVE-2017-5444, CVE-2017-5446, CVE-2017-5447, CVE-2017-5465, CVE-2017-5448, CVE-2017-5454, CVE-2017-5455, CVE-2017-5456, CVE-2017-5469, CVE-2017-5445, CVE-2017-5449, CVE-2017-5451, CVE-2017-5462, CVE-2017-5467, CVE-2017-5430, CVE-2017-5429. . firefox-esr (52.0.2esr-1) experimental; urgency=medium . * New upstream release. * debian/browser.mozconfig.in, debian/mls.key: Enable geolocation using Mozilla's Location Service. Closes: #726230. . * browser/app/profile/firefox.js: Use the Mozilla Location Service when the Google Key is not there. . 
firefox-esr (52.0.1esr-1) experimental; urgency=medium . * New upstream release. * Fix for mfsa2017-08, also known as CVE-2017-5428. . * debian/browser.mozconfig.in: Build with --enable-alsa. Closes: #857281. . firefox-esr (52.0esr-1) experimental; urgency=medium . * New upstream release. * Fixes for mfsa2017-05, also known as: CVE-2017-5400, CVE-2017-5401, CVE-2017-5402, CVE-2017-5403, CVE-2017-5404, CVE-2017-5406, CVE-2017-5407, CVE-2017-5410, CVE-2017-5408, CVE-2017-5412, CVE-2017-5413, CVE-2017-5414, CVE-2017-5415, CVE-2017-5416, CVE-2017-5417, CVE-2017-5426, CVE-2017-5427, CVE-2017-5418, CVE-2017-5419, CVE-2017-5420, CVE-2017-5405, CVE-2017-5421, CVE-2017-5422, CVE-2017-5399, CVE-2017-5398. . * debian/control*: - Bump nss and sqlite build dependencies. - Build depend on libjsoncpp-dev. * debian/rules: - Update ICU_DATA_FILE version. - Don't build against system sqlite until we have the right version in Debian. * debian/browser.lintian-overrides.in: Add a lintian override for NSPR and NSS. * debian/browser.install.in: - Install chrome.manifest, libmozsandbox.so and minidump-analyzer. - Remove browser/components. . * browser/installer/allowed-dupes.mn, toolkit/mozapps/installer/find-dupes.py, toolkit/mozapps/installer/packager.mk: Preprocess find-dupes exception list. bz#1315309. * config/system-headers, toolkit/crashreporter/jsoncpp/src/lib_json/moz.build, toolkit/crashreporter/minidump-analyzer/moz.build: Build against system libjsoncpp. . firefox (51.0.1-3) unstable; urgency=medium . 
* js/src/jit/mips-shared/Assembler-mips-shared.h, js/src/jit/mips-shared/CodeGenerator-mips-shared.cpp, js/src/jit/mips-shared/CodeGenerator-mips-shared.h, js/src/jit/mips-shared/MacroAssembler-mips-shared-inl.h, js/src/jit/mips-shared/MacroAssembler-mips-shared.cpp, js/src/jit/mips-shared/MacroAssembler-mips-shared.h, js/src/jit/mips32/MacroAssembler-mips32-inl.h, js/src/jit/mips32/MacroAssembler-mips32.cpp, js/src/jit/mips32/MacroAssembler-mips32.h, js/src/jit/mips64/MacroAssembler-mips64-inl.h, js/src/jit/mips64/MacroAssembler-mips64.cpp, js/src/jit/mips64/MacroAssembler-mips64.h: Apply patch from bz#1303688 hopefully fixing the FTBFS on mips*. . firefox (51.0.1-2) unstable; urgency=medium . * debian/symbols.mk: - Better handle downloading symbols from packages with epochs. - Don't filter file names when getting symbols. - Add experimental buildd apt source for symbols download. - Avoid apt-get download being re-run when the file is already there. - Adjust DBGTYPE depending on package version, not whether it's a backport. - Only dump symbols for files of type application/x-sharedlib. This covers binary executables too because they are PIE and undistinguishable from shared libraries as a consequence. * debian/rules: - Add -fno-schedule-insns2 back. Closes: #854258. - Build with -fno-schedule-insns on armel and armhf when building with GCC6. Closes: #854640. - Hack to disable --gc-sections when building NSS, working around bug #844357 again. Should fix FTBFS on mips*. * debian/browser.desktop.in, debian/rules: Followup for the StartupWMClass changes in 51.0.1-1: Use the same name in desktop file and application.ini RemotingName. Closes: #854397. . firefox (51.0.1-1) unstable; urgency=medium . * New upstream release. . * debian/browser.desktop.in: - Use the application name as StartupWMClass in the desktop file. Along the change to nsAppRunner.cpp, this prevents e.g. GNOME Shell from making Firefox appear as Firefox ESR when both are used. 
- Remove Encoding key from desktop file. Closes: #812493 * debian/rules: Remove -fno-schedule-insns2 and add -fno-lifetime-dse when building with GCC6. * debian/rules, debian/control*: Build with GCC6 on arm*. Closes: #852009. AFAIK, that will lead to FTBFS on at least armhf, but let's already see how it goes. * debian/upstream.mk: Use pkg-info.mk to figure out source name and version. Closes: #850720. * debian/control*: - Remove build dependency and suggest on libgnome*. It hasn't actually been used for a long time. Closes: #850265. - Bump Standards-Version to 3.9.8. No changes required. - Bump libvpx build dependency. * debian/rules: Resize the symbolic icon. * Move the -l10n-all package to the metapackages section. Closes: #824784. * debian/browser.postrm.in, debian/browser.preinst.in, debian/rules: Don't install preinst and postrm at all for the firefox package. * debian/symbols.apt.conf, debian/symbols.mk, debian/symbols.sources.list: Add scripts to create symbols archive to upload to Mozilla crash servers. * debian/browser-dev.links.in, debian/browser.install.in, debian/browser.mozconfig.in, debian/control*, debian/make.mk, debian/rules: Add more granularity as to what system libraries are used and only disable NSPR/NSS until we have the right versions in Debian. . * gfx/2d/BorrowedContext.h, gfx/layers/composite/LayerManagerComposite.*, gfx/layers/moz.build: Fix --disable-skia builds. bz#1319374. * gfx/skia/moz.build: Build Skia NEON code on arm64. * toolkit/xre/nsAppRunner.cpp: Set program name from the remoting name. * config/recurse.mk: Work around race condition between building NSPR and NSS. bz#1115944, bz#1315882. . firefox (51.0-1) unstable; urgency=medium . * New upstream release. 
* Fixes for mfsa2017-01, also known as: CVE-2017-5375, CVE-2017-5376, CVE-2017-5377, CVE-2017-5378, CVE-2017-5379, CVE-2017-5380, CVE-2017-5390, CVE-2017-5389, CVE-2017-5396, CVE-2017-5381, CVE-2017-5382, CVE-2017-5383, CVE-2017-5384, CVE-2017-5385, CVE-2017-5386, CVE-2017-5391, CVE-2017-5393, CVE-2017-5387, CVE-2017-5388, CVE-2017-5374, CVE-2017-5373. . * debian/upstream.mk: Don't rely on FIREFOX_*_RELEASE tags to pull some files to determine all source urls. * debian/browser.bug-presubj.in: Add a note about submitting crash reports upstream and pasting the url to Debian bug reports. * debian/rules, debian/control*: Adjust rust build configure to new upstream. It requires rustc >= 1.10 and cargo, the latter of which is not available on arm64. Also depend on cargo >= 0.13, that doesn't access the network with the Cargo.toml files in the source. Note rust code is still not enabled unless building a beta release. * debian/control*: Bump nspr, nss and sqlite build dependencies. * debian/rules, debian/control: Use more embedded libraries until the required versions of NSPR and NSS can be in unstable. . * build/moz.configure/rust.configure: Force use the i686 rust target. * gfx/skia/skia/include/core/SkPreConfig.h: Generically set SK_CPU_[BL]ENDIAN based on __BYTE_ORDER__ when available. bz#1319389. . firefox (50.1.0-1) unstable; urgency=medium . * New upstream release. * Fixes for mfsa2016-95, also known as: CVE-2016-9894, CVE-2016-9899, CVE-2016-9895, CVE-2016-9896, CVE-2016-9897, CVE-2016-9898, CVE-2016-9900, CVE-2016-9904, CVE-2016-9901, CVE-2016-9902, CVE-2016-9903, CVE-2016-9080, CVE-2016-9893. . firefox (50.0.2-1) unstable; urgency=medium . * New upstream release. * Fixes for mfsa2016-{91-92}, also known as: CVE-2016-9078, CVE-2016-9079. . * widget/gtk/mozgtk/mozgtk.c: work around race in system Cairo's XShm usage. bz#1271100. . firefox (50.0-3) unstable; urgency=medium . * media/libjpeg/simd/jsimd_mips.c: Pull libjpeg-turbo upstream fix for FTBFS on mips. 
* widget/gtk/mozgtk/gtk3/moz.build: Work around Debian bug #844357. . firefox (50.0-2) unstable; urgency=medium . * debian/rules: Use mach to run icu_source_data.py. This should fix FTBFS on big endian platforms. . * js/src/jit/mips64/CodeGenerator-mips64.cpp: Fix CodeGenerator::visitAsmSelectI64. bz#1290811. . firefox (50.0-1) unstable; urgency=medium . * New upstream release. * Fixes for mfsa2016-{87,89} also known as: CVE-2016-5287, CVE-2016-5288, CVE-2016-5296, CVE-2016-5292, CVE-2016-5297, CVE-2016-9064, CVE-2016-9066, CVE-2016-9067, CVE-2016-9068, CVE-2016-9075, CVE-2016-9077, CVE-2016-5291, CVE-2016-9070, CVE-2016-9073, CVE-2016-9076, CVE-2016-9063, CVE-2016-9071, CVE-2016-5289, CVE-2016-5290. . * debian/rules: Only generate configure files on nightlies, and use client.mk to generate them instead of using autoconf manually (which, while compatible, is wrong nowadays). * debian/control*: - Remove outdated alternative build dependencies. - Bump sqlite and nss build dependency. - Add build dependency on libx11-xcb-dev. * debian/browser.mozconfig.in, debian/control*, debian/rules: Enable rust on non-release/ESR. * debian/browser.install.in: Add the EmojiOneMozilla font. . firefox (49.0-5) unstable; urgency=medium . * debian/rules: - Don't install crashreporter files on arm64, where it's not built. Should fix FTBFS on arm64. - Ship a symbolic icon from the silhouette icon from branding. Closes: #832297. - Remove old workaround for GCC 4.5 on armel. - Remove old workarounds for ia64. - Remove GENSYMBOLS_FLAGS, which hasn't been used for 5 years. - Remove CMP_AWK, which hasn't been used since xulrunner packages were removed. - Remove dh_builddeb override forcing xz compression, which is the default since dpkg 1.15.6. - Remove old workaround for ppc64. - Disable both baseline JIT and ion on mips via prefs. * debian/rules, debian/control: Re-enable Gtk+3 to see how it goes. Closes: #832301. . 
* security/sandbox/linux/SandboxFilter.cpp: Allow media plugins to call madvise with MADV_FREE. bz#1303813. Closes: #838911. * js/src/jit/AtomicOperations.h: Fix crashes in AtomicOperations-none on s390x. Should fix FTBFS on s390x. . firefox (49.0-4) unstable; urgency=medium . * debian/rules, dbeian/browser.install.in: Always install GMP clearkey. Should fix FTBFSes on non-x86/x86-64, this time. * debian/browser.js.in: Unset media.gmp-manager.url.override. Closes: #838902. * debian/compat, debian/control*: Bump debhelper compat and dependency to 9. * debian/rules, debian/control*: Generate debug symbols debs when not backporting. * debian/browser.install.in, browser.mozconfig.in, debian/rules: Don't disable the crash reporter. . firefox (49.0-3) unstable; urgency=medium . * debian/browser.desktop.in: Use the full path to the real Firefox executable in the .desktop file. Closes: #832298 . * toolkit/moz.configure: Ensure we don't enable Widevine unintentionally. bz#1299694. Should fix FTBFSes on non-x86/x86-64. . firefox (49.0-2) unstable; urgency=medium . * debian/rules, debian/control*: Only force GCC 5 on arm when building for stretch+. * debian/browser.mozconfig.in, debian/browser.install.in, debian/rules: Do not disable EME. Closes: #838478. * debian/rules, debian/browser.install.in: Build and use big-endian ICU data on big-endian architectures. Fixes FTBFS on big-endian architectures. . * build/autoconf/icu.m4: Allow to override ICU_DATA_FILE from the environment. * js/src/jit/mips-shared/MacroAssembler-mips-shared.cpp: OdinMonkey: MIPS: Fix nop-jump patching code. bz#1277478. Fixes FTBFS on mips*el. * media/libjpeg/moz.build: Fix CPU_ARCH test for libjpeg on mips. Fixes FTBFS on mips. . firefox (49.0-1) unstable; urgency=medium . * New upstream release. 
* Fixes for mfsa-2016-85, also known as: CVE-2016-2827, CVE-2016-5270, CVE-2016-5271, CVE-2016-5272, CVE-2016-5273, CVE-2016-5276, CVE-2016-5274, CVE-2016-5277, CVE-2016-5275, CVE-2016-5278, CVE-2016-5279, CVE-2016-5280, CVE-2016-5281, CVE-2016-5282, CVE-2016-5283, CVE-2016-5284, CVE-2016-5256, CVE-2016-5257. . * debian/control*, debian/rules: Compile with GCC 5 on testing/unstable on arm* because of crashes when building with GCC 6. (FTBFS) * debian/control*: Force build against libnss3-dev >= 2:3.26-2~, which fixed its symbols file. Closes: #833719. . * build/gyp.mozbuild: Disable libyuv assembly on mips64. (FTBFS) . firefox (48.0-2) unstable; urgency=medium . * debian/rules: Build with -fno-schedule-insns2 and -fno-delete-null-pointer-checks with GCC >= 6 because it miscompiles Firefox. Closes: #836533. . firefox (48.0-1) unstable; urgency=medium . * New upstream release. * Fixes for mfsa-2016-{62-68,70-81,83-84}, also known as: CVE-2016-2836, CVE-2016-2835, CVE-2016-2830, CVE-2016-2838, CVE-2016-2839, CVE-2016-5251, CVE-2016-5252, CVE-2016-0718, CVE-2016-5254, CVE-2016-5255, CVE-2016-5258, CVE-2016-5259, CVE-2016-5260, CVE-2016-5261, CVE-2016-5262, CVE-2016-2837, CVE-2016-5263, CVE-2016-5264, CVE-2016-5265, CVE-2016-5266, CVE-2016-5268, CVE-2016-5250. . * debian/control*: Bump nss and sqlite build dependencies. * debian/rules: Remove --build from configure invocation. * debian/browser.mozconfig.in: s/NATIVE/SYSTEM/. The variables set for --enable-system flags have changed upstream. * debian/browser.install.in, debian/browser.links.in: Don't install webapprt files, they are gone. * debian/browser.install.in: - Install ICU data file. - libfreebl3 changed name. - Take mozicon128.png from dist/firefox instead of dist/bin. . firefox (47.0.1-1) unstable; urgency=medium . * New upstream release. . firefox (47.0-1) unstable; urgency=medium . * New upstream release. 
* Fixes for mfsa-2016-{49-52,54,56-60}, also known as: CVE-2016-2815, CVE-2016-2818, CVE-2016-2819, CVE-2016-2821, CVE-2016-2822, CVE-2016-2825, CVE-2016-2828, CVE-2016-2829, CVE-2016-2831, CVE-2016-2832, CVE-2016-2833. . * debian/rules: Read default toolkit from old-configure.in, but still keep Gtk+3 disabled. * debian/upstream.mk: Use l10n_changesets.txt from last candidate build for L10N_REV. . firefox (46.0.1-1) unstable; urgency=medium . * New upstream release. . * debian/control*: Remove build dependencies that were only required for the iceweasel branding. * debian/control*, debian/browser.mozconfig.in: Remove configure flags and build dependencies related to gnomevfs. They have been ignored for close to a year. * debian/browser.mozconfig.in: - Remove configure flags explicitly enabling gio, it has been enabled by default for more than 3 years. - Remove --enable-svg, the option has been ignored for more than 5 years. - Remove --enable-mathml, the option has been ignored for more than 4 years. - Remove --enable-pango, the option has been ignored for 2 years. - Remove --disable-pedantic, the option has been ignored for 3 years. - Remove --disable-long-long-warning, the option has been ignored for almost 5 years. - Remove --disable-gnomeui, it is the default. - Remove --disable-mochitest, the option has been ignored for more than 7 years. - Remove --disable-debug, it is the default. - Remove --enable-canvas, the option has been ignored for more than 6 years. - Remove --disable-installer, the option has been ignored for close to 4 years. - Remove --disable-javaxpcom, the option has been ignored for close to 5 years. - Remove --disable-elf-dynstr-gc, the option has been ignored for more than 2 years. - Remove --enable-url-classifier, it is the default. - Remove --with-user-appdir=.mozilla, it is the default. - Remove --enable-single-profile, the option has been ignored for more than 7 years. 
- Remove --disable-profilesharing, the option has been ignored for more than 7 years. * debian/rules: Use the mach compare-locales command for l10n. * debian/upstream.mk, debian/watch: Remove "mozilla.org" from path in archive.mozilla.org urls. * debian/upstream.mk: Don't use get a separate source tarball for compare-locales. There is a copy in-tree that we now use. * debian/browser.desktop.in, debian/control*, debian/rules: Allow to distinguish between firefox and firefox-esr. Closes: #821952. * debian/control, debian/rules: Disable Gtk+3 for now. Closes: #822807. . firefox (46.0-1) unstable; urgency=medium . * New upstream release. * Fixes for mfsa2016-{39,42,44-48}, also known as: CVE-2016-2807, CVE-2016-2806, CVE-2016-2804, CVE-2016-2811, CVE-2016-2812, CVE-2016-2814, CVE-2016-2816, CVE-2016-2817, CVE-2016-2808, CVE-2016-2820. . * debian/browser.install.in: Add ffmpeg vp9 libraries. * debian/browser.lintian-overrides.in: Add a lintian override for libmozavutil.so, which is not exactly libavutil. * debian/control*: Bump nss and sqlite3 build dependencies. * debian/browser.mozconfig.in, debian/control*, debian/rules: Remove gstreamer dependencies and such, gstreamer support was removed upstream. firefox-esr (52.1.0esr-1) experimental; urgency=medium . * New upstream release. * Fixes for mfsa2017-12, also known as: CVE-2017-5433, CVE-2017-5435, CVE-2017-5436, CVE-2017-5459, CVE-2017-5466, CVE-2017-5434, CVE-2017-5432, CVE-2017-5460, CVE-2017-5438, CVE-2017-5439, CVE-2017-5440, CVE-2017-5441, CVE-2017-5442, CVE-2017-5464, CVE-2017-5443, CVE-2017-5444, CVE-2017-5446, CVE-2017-5447, CVE-2017-5465, CVE-2017-5448, CVE-2017-5454, CVE-2017-5455, CVE-2017-5456, CVE-2017-5469, CVE-2017-5445, CVE-2017-5449, CVE-2017-5451, CVE-2017-5462, CVE-2017-5467, CVE-2017-5430, CVE-2017-5429. firefox-esr (52.0.2esr-1) experimental; urgency=medium . * New upstream release. * debian/browser.mozconfig.in, debian/mls.key: Enable geolocation using Mozilla's Location Service. 
Closes: #726230. . * browser/app/profile/firefox.js: Use the Mozilla Location Service when the Google Key is not there. firefox-esr (52.0.1esr-1) experimental; urgency=medium . * New upstream release. * Fix for mfsa2017-08, also known as CVE-2017-5428. . * debian/browser.mozconfig.in: Build with --enable-alsa. Closes: #857281. firefox-esr (52.0esr-1) experimental; urgency=medium . * New upstream release. * Fixes for mfsa2017-05, also known as: CVE-2017-5400, CVE-2017-5401, CVE-2017-5402, CVE-2017-5403, CVE-2017-5404, CVE-2017-5406, CVE-2017-5407, CVE-2017-5410, CVE-2017-5408, CVE-2017-5412, CVE-2017-5413, CVE-2017-5414, CVE-2017-5415, CVE-2017-5416, CVE-2017-5417, CVE-2017-5426, CVE-2017-5427, CVE-2017-5418, CVE-2017-5419, CVE-2017-5420, CVE-2017-5405, CVE-2017-5421, CVE-2017-5422, CVE-2017-5399, CVE-2017-5398. . * debian/control*: - Bump nss and sqlite build dependencies. - Build depend on libjsoncpp-dev. * debian/rules: - Update ICU_DATA_FILE version. - Don't build against system sqlite until we have the right version in Debian. * debian/browser.lintian-overrides.in: Add a lintian override for NSPR and NSS. * debian/browser.install.in: - Install chrome.manifest, libmozsandbox.so and minidump-analyzer. - Remove browser/components. . * browser/installer/allowed-dupes.mn, toolkit/mozapps/installer/find-dupes.py, toolkit/mozapps/installer/packager.mk: Preprocess find-dupes exception list. bz#1315309. * config/system-headers, toolkit/crashreporter/jsoncpp/src/lib_json/moz.build, toolkit/crashreporter/minidump-analyzer/moz.build: Build against system libjsoncpp. flatpak (0.8.7-2~deb9u1) stretch; urgency=medium . * Rebuild for stretch * Merge changelog from stretch-security * debian/gbp.conf: Switch branch to debian/stretch flatpak (0.8.7-1) unstable; urgency=high . * New upstream stable release - Security: prevent deploying files with inappropriate permissions (world-writable, setuid, etc.) 
(Closes: #865413) - Security: make ~/.local/share/flatpak private to user to defend against app vendors that might have released files with inappropriate permissions in the past - If an error occurs during pull, do not double-set an error, which is considered to be invalid - Increase some arbitrary timeouts in a test to make it more reliable flatpak (0.8.6-1) unstable; urgency=medium . * New upstream release - Fix the return value type for filtered NameHasOwner() D-Bus calls (upstream issue 817) - Security hardening: Only export .desktop files, D-Bus session services and icons, but not other files that an app might try to export - Allow remote repositories to specify a new GPG key (for key rollover) or a new URL (for location migration) in their signed metadata - Let KDE apps bind-mount ~/.config/kdeglobals into the sandbox: + Allow bind-mounting regular files in the XDG cache, config or data directories, not just directories + Allow bind-mounting files in the XDG directories read-only, not just read/write - Close a race condition in app identification by portals - Cope with a non-default WAYLAND_DISPLAY - Cope with /tmp on the host being a symlink - Clear TMPDIR in the sandbox, fixing sandboxed Spotify - Add X-Flatpak=$app_id to exported .desktop files so that the desktop environment can identify what will be launched - Make the host's /etc/hosts and /etc/host.conf available in the sandbox, fixing sandboxed Spotify - Update Hungarian translation fontforge (1:20161005~dfsg-4+deb9u1) stretch-security; urgency=high . * Import upstream patches fixing following CVE's CVE-2017-11577, CVE-2017-11576, CVE-2017-11575, CVE-2017-11574, CVE-2017-11572, CVE-2017-11571, CVE-2017-11569, CVE-2017-11568. freeradius (3.0.12+dfsg-5+deb9u1) stretch-security; urgency=high . 
* Apply upstream patches: fr-ad-001.patch fr-gv-201.patch (CVE-2017-10978) fr-gv-206.patch (CVE-2017-10983) fr-gv-301.patch (CVE-2017-10984) fr-gv-302.patch (CVE-2017-10985) fr-gv-303.patch (CVE-2017-10986) fr-gv-304.patch (CVE-2017-10987) fr-gv-305.patch (Closes: #868765) freerdp (1.1.0~git20140921.1.440916e+dfsg1-13+deb9u2) stretch; urgency=medium . [ Bernhard Miklautz ] * debian/patches: + Add 0009-enable-TLS-12.patch. Enable TLS 1+ support. (Closes: #871478). freerdp (1.1.0~git20140921.1.440916e+dfsg1-13+deb9u1) stretch-security; urgency=high . [ Bernhard Miklautz ] * debian/patches: + Add fix for CVE-2017-2834, CVE-2017-2835, CVE-2017-2836, CVE-2017-2837, CVE-2017-2838, CVE-2017-2839 (Closes: #869880) freexl (1.0.2-2+deb9u1) stretch-security; urgency=high . * Update branch in gbp.conf & Vcs-Git URL. * Add upstream patch to fix CVE-2017-2923 & CVE-2017-2924. (closes: #875690, #875691) gdk-pixbuf (2.36.5-2+deb9u1) stretch-security; urgency=medium . * CVE-2017-2862 ghostscript (9.20~dfsg-3.2+deb9u1) stretch-security; urgency=high . * Non-maintainer upload by the Security Team. * Bounds check the array allocations methods (CVE-2017-9835) (Closes: #869907) * Bounds check zone pointer in Ins_MIRP() (CVE-2017-9611) (Closes: #869917) * Bounds check zone pointers in Ins_IP() (CVE-2017-9612) (Closes: #869916) * Bounds check zone pointer in Ins_MDRP (CVE-2017-9726) (Closes: #869915) * Make bounds check in gx_ttfReader__Read more robust (CVE-2017-9727) (Closes: #869913) * Bounds check Ins_JMPR (CVE-2017-9739) (Closes: #869910) * Prevent trying to reloc a freed object (CVE-2017-11714) (Closes: #869977) git (1:2.11.0-3+deb9u2) stretch-security; urgency=high . 
* Fix remote shell command execution via CVS protocol: - git-shell: drop cvsserver support by default - git-cvsserver: harden backtick captures against user input * Avoid shell command injection in other commands as well: - git-cvsimport: harden backtick captures against user input - git-archimport: harden backtick captures against user input . Thanks to joernchen of Phenoelit for discovering, reporting, and fixing this vulnerability, and to Junio C Hamano and Jeff King for the fixes to related issues. git (1:2.11.0-3+deb9u1) stretch-security; urgency=high . * Fix CVE-2017-1000117, arbitrary code execution issues via URLs: - reject ssh hostname that begins with a dash - add test for hostname starting with dash to the testsuite - factor out "looks like command line option" check - reject dashed arguments to $GIT_PROXY_COMMAND - ssh:// and local URLs: reject path to repositories that look like command line options . Thanks to Joern Schneeweisz of Recurity Labs for discovering this vulnerability, Brian Neel at GitLab for reporting it to the Git project, and Junio Hamano and Jeff King for writing the patches to address it. gnome-exe-thumbnailer (0.9.4-2+deb9u1) stretch; urgency=high . * Add patch switch-to-msiinfo.patch: - Switch to msitools' msiinfo for ProductVersion fetching, replacing the insecure VBScript-based parsing as described at http://news.dieweltistgarnichtso.net/posts/gnome-thumbnailer-msi-fail.html (Closes: #868705; LP: #651610; CVE-2017-11421) * Add msitools to recommends; it is now used to fetch .msi version info. * Add patch fix-version-label-readability.patch backported from https://github.com/gnome-exe-thumbnailer/gnome-exe-thumbnailer/commit/1cf4df81836985d9660f950287232b3255ee17bb to fix unreadable white-on-white text on version labels. gnupg2 (2.1.18-8~deb9u1) stretch; urgency=medium . * Bugfix update for debian stretch point release. . gnupg2 (2.1.18-8) unstable; urgency=medium . * updated scdaemon fix from gniibe (Closes: #862032) . 
gnupg2 (2.1.18-7) unstable; urgency=medium . * scdaemon fixes from gniibe * more upstream fixes (Closes: #854359, #854829) * skip over missing signing keys (Closes: #834922) * drop all skel files (Closes: #858082) * Avoid spurious warnings when sharing a keybox with gpg >= 2.1.20 gnupg2 (2.1.18-7) unstable; urgency=medium . * scdaemon fixes from gniibe * more upstream fixes (Closes: #854359, #854829) * skip over missing signing keys (Closes: #834922) * drop all skel files (Closes: #858082) * Avoid spurious warnings when sharing a keybox with gpg >= 2.1.20 gnutls28 (3.5.8-5+deb9u3) stretch; urgency=medium . * 38_01-OCSP-check-the-subject-public-key-identifier-field-t.patch 38_02-OCSP-find_signercert-improved-DER-length-calculation.patch from gnutls 3.5.14: Fix OCSP verification errors, especially with ecdsa signatures. https://gitlab.com/gnutls/gnutls/issues/223 Thanks to Nikos Mavrogiannopoulos for the suggestion. gosa-plugin-mailaddress (0.99.5-2+deb9u1) stretch; urgency=medium . * debian/patches: + Add 0001_php-7-compat-fix-parent-constructor-calls.patch. Fix parent constructor calls. (Closes: #869214). * debian/control: + Update versioned D (gosa-plugin-mailaddress): gosa (>= 2.7.4+reloaded2-12~). Reason: since rev 12, gosa in Debian uses the new constructor API required for PHP 7. gsoap (2.8.35-4+deb9u1) stretch; urgency=medium . * Fix for CVE-2017-9765 Integer overflow in the soap_get function in Genivia gSOAP 2.7.x and 2.8.x before 2.8.48, allows remote attackers to execute arbitrary code or cause a denial of service (stack-based buffer overflow and application crash) via a large XML document. haveged (1.9.1-5+deb9u1) stretch; urgency=medium . * Start haveged.service after systemd-tmpfiles-setup.service has been run. Many thanks to Jan Echternach for reporting the problem and suggesting a fix. (Closes: #858134) icedove (1:52.3.0-4~deb9u1) stretch-security; urgency=medium . 
[ Carsten Schoenert ] * Rebuild for stretch-security * [9e08bf9] debian/control: be more relaxed on Breaks for enigmail icedove (1:52.3.0-4~deb8u2) jessie-security; urgency=medium . [ Guido Günther ] * [6214253] Simplify endianess selection for ICU icedove (1:52.3.0-4~deb8u1) jessie-security; urgency=medium . [ Carsten Schoenert ] * Rebuild for jessie-security * [7f05741] debian/control: be more relaxed on Breaks for enigmail * [72e63f8] debian/mozconfig.default: stay on GTK2 toolkit for Jessie (Closes: #871438, #870719) icedove (1:52.3.0-3) unstable; urgency=medium . [ Carsten Schoenert ] * [c08f005] rebuild patch queue from patch-queue branch * [f658cab] debian/rules: enable verbose build for ICU icedove (1:52.3.0-2) unstable; urgency=medium . [ Carsten Schoenert ] * [d544a01] debian/rules: correct icu build sequence icedove (1:52.3.0-1) unstable; urgency=medium . [ Carsten Schoenert ] * [8e852be] New upstream version 52.3.0 Fixed CVE issues in upstream version 52.0 (MFSA 2017-20) CVE-2017-7800: Use-after-free in WebSockets during disconnection CVE-2017-7801: Use-after-free with marquee during window resizing CVE-2017-7809: Use-after-free while deleting attached editor DOM node CVE-2017-7784: Use-after-free with image observers CVE-2017-7802: Use-after-free resizing image elements CVE-2017-7785: Buffer overflow manipulating ARIA attributes in DOM CVE-2017-7786: Buffer overflow while painting non-displayable SVG CVE-2017-7753: Out-of-bounds read with cached style data and pseudo-elements CVE-2017-7787: Same-origin policy bypass with iframes through page reloads CVE-2017-7807: Domain hijacking through AppCache fallback CVE-2017-7792: Buffer overflow viewing certificates with an extremely long OID CVE-2017-7804: Memory protection bypass through WindowsDllDetourPatcher CVE-2017-7791: Spoofing following page navigation with data: protocol and modal alerts CVE-2017-7782: WindowsDllDetourPatcher allocates memory without DEP protections CVE-2017-7803: CSP containing 
'sandbox' improperly applied CVE-2017-7779: Memory safety bugs fixed in Firefox 55, Firefox ESR 52.3, and Thunderbird 52.3 * [0b7243b] debian/rules: build icudt5*.dat on our own if needed If we need to use the internal sources of ICU (triggered by using --with-system-icu) we need to build the platform-dependent file icudt*[b,l].dat before we can call the configure run. This is needed as Mozilla only ships a precompiled little endian version of the file icudt*.dat and all platforms with big endianness are failing later due to issues related to the wrong endianness. * [1964469] debian/mozconfig.default: enable i18n on big endian * [6b58ac5] debian/control: increase Standards-Version to 4.0.1 * [e59cf81] rebuild patch queue from patch-queue branch removed patch(es) (applied upstream): - fixes/Bug-1308908-Compare-the-whole-accessible-name-when-checki.patch updated/refreshed patches (no changes): - porting-kfreebsd-hurd/adding-missed-HURD-adoptions.patch . [ Simon Deziel ] * [a574010] apparmor/usr.bin.thunderbird: small update to avoid noise icedove (1:52.2.1-5) unstable; urgency=high . [ Carsten Schoenert ] * [133a574] Use gcc-6 and g++-6 due to broken GUI with GCC-7 The usage of the GCC-7 suite introduces a broken GUI currently that makes using thunderbird mostly impossible. (Closes: #871629) * [3ebacd1] d/rules: use DEB_* variables for entries from changelog By using variables that are prepared by dpkg we don't need to manually search for dates and versions, etc. * [52c2b83] d/copyright: MPL-1.1 and MPL-2.0 now provided by common-licenses Since policy 4.0.0 the two Mozilla related licenses are included and don't need to be added extra. * [3f37967] adjust X-Debian-Homepage to existing Thunderbird page * [41b5c03] debian/control: increase Standards-Version to 4.0.0 * [e3c3994] mozconfig.default: use proper disabled options * [2d4b846] debian/control: increase Breaks for enigmail version (Closes: #869789) .
[ John Paul Adrian Glaubitz ] * [4879401] sh4: disable option --disable-pie (Closes: #867553) . [ Carsten Schoenert ] * [2646f3f] autpkgtests: disable the idlTest.sh test case icedove (1:52.2.1-4) unstable; urgency=medium . [ Guido Günther ] * [04de899] Don't use different profile folder for jessie and wheezy . [ Carsten Schoenert ] * [692d3ce] rebuild patch queue from patch-queue branch (Closes: #867013) added patch (provided by Adrian): - porting-alpha/FTBFS-alpha-adjust-some-source-to-prevent-build-issues.patch removed patch: - porting-hurd/FTBFS-hurd-adding-GNU-to-the-configure-platform-detection.patch (wrong approach, the Python wrapper around configure isn't yet smart enough) . [ John Paul Adrian Glaubitz ] * [5153ce2] mips: final fixups to prevent FTBFS icedove (1:52.2.1-3) unstable; urgency=medium . [ John Paul Adrian Glaubitz ] * [99b323a] d/mozconfig.default: fixups for --without-intl-api icedove (1:52.2.1-2) unstable; urgency=medium . [ Carsten Schoenert ] * [e8ce299] disabling ICU support on some big endian systems This hack should enable at least successful building of all RC platforms and needs to be solved in a not such aggressive way without losing ICU support on the problematic platforms. Thanks John Paul Adrian Glaubitz for catching the root of the issue. * [a66e812] rebuild patch queue from patch-queue branch Adding a small needed fix for getting mips* out of FTBFS. Also GNU/Hurd should pass the configure script now. icedove (1:52.2.1-1) unstable; urgency=medium . [ Guido Günther ] * [4e87d6b] d/rules: Make sure DIST is not passed on to configure .
[ Carsten Schoenert ] * [35b84ef] rebuild patch queue from patch-queue branch added patches: - porting-mips/Fix-CPU_ARCH-test-for-libjpeg-on-mips.patch - porting-s390x/FTBFS-s390x-Use-jit-none-AtomicOperations-sparc.h-on-s390.patch (Closes: #864974) * [c818874] New upstream version 52.2.1 (Closes: #861840) * [8c776c9] Icedove2Thunderbird: add opt out for dialogue pop-up (Closes: #860381) icedove (1:52.2.0-1) unstable; urgency=medium . [ Christoph Goehre ] * [9ebc11d] mozconfig.default: remove configure option '--disable-methodjit' on armel This option isn't alive any more and was forgotten to be removed on the previous upload. [ Simon Deziel ] * [d8e5d42] usr.bin.thunderbird: merge gpg(1) and gpg2 subprofiles (Closes: #859179) * [f18884e] usr.bin.thunderbird: allow accessing gpgconf in gpg subprofile * [e73afbb] usr.bin.thunderbird: allow accessing any gpg2keys providers . [ Carsten Schoenert ] * [066ddb9] mozconfig.default: switch back to internal libjpeg Going back and using the libjpeg library that's shipped by Mozilla, the system library probably provoking broken builds on various platforms. As we prepare the uploads for (old-)stable-security we need to use the internal libjpeg library at all.
* [ff92bfa] rebuild patch queue from patch-queue branch modified patches: - porting-m68k/Add-m68k-support-to-Thunderbird.patch - porting-sh4/Add-sh4-support-to-Thunderbird.patch (Closes: #859271, #859508) * [0a89f76] New upstream version 52.2.0 Fixed CVE issues in upstream version 52.0 (MFSA 2017-17) CVE-2017-5472: Use-after-free using destroyed node when regenerating trees CVE-2017-7749: Use-after-free during docshell reloading CVE-2017-7750: Use-after-free with track elements CVE-2017-7751: Use-after-free with content viewer listeners CVE-2017-7752: Use-after-free with IME input CVE-2017-7754: Out-of-bounds read in WebGL with ImageInfo object CVE-2017-7756: Use-after-free and use-after-scope logging XHR header errors CVE-2017-7757: Use-after-free in IndexedDB CVE-2017-7778: Vulnerabilities in the Graphite 2 library CVE-2017-7758: Out-of-bounds read in Opus encoder CVE-2017-7764: Domain spoofing with combination of Canadian Syllabics and other unicode blocks CVE-2017-5470: Memory safety bugs fixed in Firefox 54 and Firefox ESR 52.2, and Thunderbird 52 * [e03380e] rebuild patch queue from patch-queue branch modified patch: - porting-kfreebsd-hurd/FTBFS-hurd-fixing-unsupported-platform-Hurd.patch icedove (1:52.1.1-1) experimental; urgency=medium . [ Guido Günther ] * [db8d0db] Tighten meta package dependencies Be more strict on depends and add a version to all related Thunderbird specific packages. * [defb689] Copy-edit thunderbird-wrapper-helper.sh * [54b35d4] Allow one to override the location of the wrapper-helper Make $TB_HELPER more flexible and give the variable a default value, so a user can override it with its own. * [a187364] dh-exec: avoid multiple spaces around filenames * [a85bc7a] thunderbird-wrapper: robustness when sourcing helper * [eee56ab] Drop replaces on packages no longer in any release .
[ Carsten Schoenert ] * [1d85980] rebuild patch queue from patch-queue branch added patches: - porting-mk68/Add-m68k-support-to-Thunderbird.patch - porting-sparc64/Add-sparc64-support-to-Thunderbird.patch (Closes: #859151, #859271) * [2717849] tb-wrapper: call thunderbird starting with exec (Closes: #858100) * [8afa31b] d/gbp.conf: adjust upstream branch to new ESR version * [43d2e70] New upstream version 52.1.1 Fixed CVE issues in upstream version 52.0 (MFSA 2017-09) CVE-2017-5413: Segmentation fault during bidirectional operations CVE-2017-5414: File picker can choose incorrect default directory CVE-2017-5416: Null dereference crash in HttpChannel CVE-2017-5426: Gecko Media Plugin sandbox is not started if seccomp-bpf filter is running CVE-2017-5418: Out of bounds read when parsing HTTP digest authorization responses CVE-2017-5419: Repeated authentication prompts lead to DOS attack CVE-2017-5405: FTP response codes can cause use of uninitialized values for ports CVE-2017-5421: Print preview spoofing CVE-2017-5422: DOS attack by using view-source: protocol repeatedly in one hyperlink CVE-2017-5399: Memory safety bugs fixed in Thunderbird 52 Fixed CVE issues in upstream version 52.1.0 (MFSA 2017-13) CVE-2017-5433: Use-after-free in SMIL animation functions CVE-2017-5435: Use-after-free during transaction processing in the editor CVE-2017-5436: Out-of-bounds write with malicious font in Graphite 2 CVE-2017-5461: Out-of-bounds write in Base64 encoding in NSS CVE-2017-5459: Buffer overflow in WebGL CVE-2017-5466: Origin confusion when reloading isolated data:text/html URLs CVE-2017-5434: Use-after-free during focus handling CVE-2017-5432: Use-after-free in text input selection CVE-2017-5460: Use-after-free in frame selection CVE-2017-5438: Use-after-free in nsAutoPtr during XSLT processing CVE-2017-5439: Use-after-free in nsTArray Length() during XSLT processing CVE-2017-5440: Use-after-free in txExecutionState destructor during XSLT processing CVE-2017-5441: 
Use-after-free with selection during scroll events CVE-2017-5442: Use-after-free during style changes CVE-2017-5464: Memory corruption with accessibility and DOM manipulation CVE-2017-5443: Out-of-bounds write during BinHex decoding CVE-2017-5444: Buffer overflow while parsing application/http-index-format contents CVE-2017-5446: Out-of-bounds read when HTTP/2 DATA frames are sent with incorrect data CVE-2017-5447: Out-of-bounds read during glyph processing CVE-2017-5465: Out-of-bounds read in ConvolvePixel CVE-2016-10196: Vulnerabilities in Libevent library CVE-2017-5454: Sandbox escape allowing file system read access through file picker CVE-2017-5469: Potential Buffer overflow in flex-generated code CVE-2017-5445: Uninitialized values used while parsing application/http-index-format content CVE-2017-5449: Crash during bidirectional unicode manipulation with animation CVE-2017-5451: Addressbar spoofing with onblur event CVE-2017-5462: DRBG flaw in NSS CVE-2017-5467: Memory corruption when drawing Skia content CVE-2017-5430: Memory safety bugs fixed in Firefox 53, Firefox ESR 52.1, Thunderbird 52.1 CVE-2017-5429: Memory safety bugs fixed in Firefox 53, Firefox ESR 45.9, Firefox ESR 52.1, and Thunderbird 52.1 (Closes: #855344, #495372, #861480, #682208, #698244, #859909, #857593, #837771) * [de561ef] rebuild patch queue from patch-queue branch added patches: - debian-hacks/Allow-to-override-ICU_DATA_FILE-from-the-environment.patch - debian-hacks/Build-against-system-libjsoncpp.patch - debian-hacks/Don-t-build-testing-suites-and-stuff.patch - debian-hacks/Force-use-the-i686-rust-target.patch - fixes/Bug-1308908-Compare-the-whole-accessible-name-when-checki.patch (Closes: #826325) - porting-sh4/Add-sh4-support-to-Thunderbird.patch (Closes: #859508) removed patches (obsoleted by upstream changes): - debian-hacks/Don-t-build-example-component.patch - debian-hacks/fix-identification-of-ObjdirMismatchException.patch - 
fixes/Bug-1245076-Don-t-include-mozalloc.h-from-the-cstdlib-wra.patch - fixes/Bug-1273020-Add-missing-null-checks-in-ApplicationAccessi.patch - fixes/Bug-1277295-Remove-obsolete-reference-to-storage-service-.patch - fixes/Bug-1340724-fix-SMTP-server-name-output-in-SMTP-logging.-.patch - fixes/Bug-497488-Implement-verify-mode-in-the-subscribe-dialog-.patch - fixes/Bug-497488-RSS-feeds-with-an-invalid-certificate-fail-wit-1.patch - fixes/Bug-497488-RSS-feeds-with-an-invalid-certificate-fail-wit.patch - porting-arm64/Bug-1091515-Don-t-set-64KB-page-size-on-aarch64.-r-glandi.patch - porting-kfreebsd-hurd/CrossProcessMutex.h-fix-build-on-kfreebsd-and-GNU-hurd.patch - porting-kfreebsd-hurd/FTBFS-hurd-adding-the-HURD-platform-to-the-configure.patch - porting-kfreebsd-hurd/correcting-file-inclusion-for-kfreebsd-and-hurd.patch - porting-mips/Fix-build-error-in-MIPS-SIMD-when-compiling-with-mfp.patch - porting-mips/libyuv_disable-mips-assembly-for-MIPS64.patch - porting-powerpcspe/FTBFS-powerpcspe-disable-AltiVec-instructions.patch - porting-sparc64/Add-sparc64-support-to-Thunderbird.patch (unclear state, will be added later again) - porting/Add-xptcall-support-for-SH4-processors.patch (Closes: #859362) - debian-hacks/Move-profile.patch modified or adjusted patches: - debian-hacks/changing-the-default-search-engine.patch - debian-hacks/stop-configure-if-with-system-bz2-was-passed-but-no-.patch - icedove-l10n/disable-extension-update-extension-is-managed-by-apt.patch --> icedove-l10n/thunderbird-l10n-disable-external-extension-update.patch (renamed to and modified due new languages) - icedove/fix-installdir.patch --> debian-hacks/Thunderbird-fix-installdir-for-icons.patch * [684ad58] d/source.filter: update due upstream changes * [d005649] debian/control: modify various B-D * [7a8a98d] debian/rules: add some extra C*FLAGS Adding '-fno-lifetime-dse' to not enable dead store elimination of objects within their lifetime, some parts of the source is relying on the persistent 
values of such objects. Some other distributions as Ubuntu, Fedora and Arch e.g. use this flag too (at least with ESR52) to prevent possible segfaults. * [56f8f4b] debian/rules: adding hack to preserve correct config.status * [fb500a6] mozconfig.default: remove no longer existing options * [c9a3e60] mozconfig.default: some minor adjustments to configure options * [f584857] mozconfig.default: enable GTK3 theme explicit (Closes: #857593) * [3cbe1fb] debian/control: add packages for *-dsb language * [8317735] debian/control: add packages for *-hsb language * [39d90c1] debian/control: add packages for *-kab language * [82b4f50] debian/control: add missing packages for *-ast language * [0edde96] debian/rules: include also l10n folder with 3 characters * [47f17a4] lintian-overrides: modify the list for the js files to ignore * [8872d34] debian/copyright: update after upstream changes * [6755547] mozconfig.default: use some internal libraries Use libicu-dev, libnspr4-dev, libnss3-dev, libsqlite3-dev from shipped source as Stretch versions not recent enough. * [5b04b32] thunderbird.install: pick up icu*.dat if around * [edf24d7] debian/control: mark thunderbird-dbg as Multi-Arch: same * [5d5392b] apparmor/usr.bin.thunderbird: update for version 52 (cherry-picked from upstream) (Closes: #859179) * [f49ad79] apparmor/usr.bin.thunderbird: grant access to commonly used locations (cherry-picked from upstream) * [510fd6f] debian/rules: install lightning-l10n files into correct place * [d70ade4] lightning-l10n: adjust min/max version for ESR 52 cycle With the new ESR version tweaking the extension version of l10n packages for lightning > 52.0 and < 52.*. * [c0dd18f] debian/rules: install icudt5*.dat file more flexible * [b5136f7] autopkg: improve the output of idlTest.sh * [7ac04f6] autopkg: add extra test icudatfileTest.sh . 
[ Christoph Goehre ] * [13f5178] lintian-overrides: we build against internal nspr and nss * [56bbf23] rebuild patch queue from patch-queue branch added patches: - porting-sparc64/Add-sparc64-support-to-Thunderbird.patch (Closes: #859151) modified patches: - porting-mk68/Add-m68k-support-to-Thunderbird.patch -> porting-m68k/Add-m68k-support-to-Thunderbird.patch (renamed) * [6a7ef60] tests/idlTest.sh: remove duplicated 'done' output * [42bf8e1] debian/rules: remove duplicate .so files in thunderbird-dev * [5dc08bc] tests/soSymlinkTest.sh: check for symlinked .so files imagemagick (8:6.9.7.4+dfsg-11+deb9u1) stretch-security; urgency=high . * Fix security bugs: + Previous CVE-2017-9144 fix was incomplete. A crafted RLE image can trigger a crash because of incorrect EOF handling in coders/rle.c (Closes: #863126) + CVE-2017-10928: A heap-based buffer over-read in the GetNextToken function in token.c allows remote attackers to obtain sensitive information from process memory or possibly have unspecified other impact via a crafted SVG document that is mishandled in the GetUserSpaceCoordinateValue function in coders/svg.c. (Closes: #867367). + CVE-2017-9500: An assertion failure was found in the function ResetImageProfileIterator, which allows attackers to cause a denial of service via a crafted file. (Closes: #867778). + CVE-2017-9501: An assertion failure was found in the function LockSemaphoreInfo, which allows attackers to cause a denial of service via a crafted file. (Closes: #867721). + CVE-2017-9440: A memory leak was found in the function ReadPSDChannel in coders/psd.c, which allows attackers to cause a denial of service via a crafted file. (Closes: 864273). + CVE-2017-9439: A memory leak was found in the function ReadPDBImage in coders/pdb.c, which allows attackers to cause a denial of service via a crafted file. (Closes: #864274). 
+ CVE-2017-11188: CPU exhaustion in ReadDPXImage Because dpx.file.image_offset is an unsigned int, it can be controlled as large as 4294967295. This will cause ImageMagick to spend a lot of time to process a crafted DPX imagefile, even if the imagefile is very small. (Closes: #867806) + CVE-2017-11141: memory exhaustion in ReadMATImage When identifying a MAT file, imagemagick will allocate memory to store data in function ReadMATImage. Modifying MAT's MATLAB_HDR field can cause ImageMagick to allocate an anysize amount of memory, this may cause a memory exhaustion (Closes: #868264) + CVE-2017-11170: memory exhaustion in ReadTGAImage When identifying a VST file, imagemagick will allocate memory to store data in function ReadTGAImage in coders/tga.c using tga_info.bits_per_pixel field directly from VST file without checking in tga.c By reviewing the function code, tga_info.bits_per_pixel max valid value is 32. On 32bit os, size_t one will be 32bit, so image->colors can be overflow to 0. On 64bit os, size_t one will be 64bit, so image->colors can be large as 0x100000000(64GB). (Closes: #868184) + Memory exhaustion in ReadCINImage When identifying a CIN file that contains User defined data, imagemagick will allocate memory to store the data in function ReadCINImage in coders\inc.c There is a security checking in the function SetImageExtent, but it is after memory allocation, so IM can not control the memory usage (Closes: #867810) + CPU exhaustion in ReadRLEImage A corrupted rle file could trigger a DOS (Closes: #867808) + Memory leak in ReadDIBImage in dib.c The ReadDIBImage function in dib.c allows attackers to cause a denial of service (memory leak) via a small crafted dib file.
(Closes: #867811) + Memory exhaustion in ReadDPXImage in dpx.c When identifying a DPX file that contains user header data, imagemagick will allocate memory to store the data in function ReadDPXImage in coders\dpx.c There is a security checking in the function SetImageExtent, but it is too late, so IM can not control the memory usage. (Closes: #867812) + Enable heap overflow check for stdin for mpc files Enabling seekable streams is required to ensure checking the blob size works when an image is streamed on stdin. (Closes: #867896) + Assertion failure in WriteBlob A crafted file revealed an assertion failure in blob.c. (Closes: #867798) + Memory exhaustion in ReadEPTImage in ept.c When identifying an EPT file, imagemagick will allocate memory to store the data. There is a security checking in the function SetImageExtent, but it is not used in the allocation function, so IM can not control the memory usage. (Closes: #867821) + CPU exhaustion in ReadOneJNGImage Due to lack of validation of PNG format, imagemagick could loop 2^32 in a CPU intensive loop. (Closes: #867824, #867825). + CPU exhaustion in ReadOneDJVUImag Due to lack of format validation, a crafted file will cause a loop to run endless. (Closes: #867826). + Zero pixel buffer Avoid a data leak in case of incorrect file by clearing a buffer (Closes: #867893). + memory leak in ReadMATImage in mat.c The ReadMATImage function in mat.c allows attackers to cause a denial of service (memory leak) via a small crafted mat file. (Closes: #867823). + Avoid heap based overflow for jpeg A corrupted jpeg file could trigger a heap overflow (Closes: #867894). + Fix a memory leak in screenshot coder (Closes: #867897) ioquake3 (1.36+u20161101+dfsg1-2+deb9u1) stretch-security; urgency=medium .
* Reference CVE-2017-6903 in previous changelog entry * Add patch from upstream: + Address read buffer overflow in MSG_ReadBits (CVE-2017-11721) (Closes: #870725) + Check buffer boundary exactly in MSG_WriteBits, instead of potentially failing with a few bytes still available iortcw (1.50a+dfsg1-3+deb9u1) stretch-security; urgency=medium . * d/p/security/All-Fix-improve-buffer-overflow-in-MSG_ReadBits-MSG_Write.patch: Add patch (from ioquake3 via upstream) to fix a read buffer overflow in MSG_ReadBits (CVE-2017-11721) ipsec-tools (1:0.8.2+20140711-8+deb9u1) stable; urgency=medium . * Import NetBSD's patch to address CVE-2016-10396 (Closes: #867986) irssi (1.0.2-1+deb9u2) stretch; urgency=high . * Security related update pulling upstream 5e26325317 (closes: 867598): - Fix null pointer dereference (CVE-2017-10965) - Fix use-after-free condition for nicklist (CVE-2017-10966) kanatest (0.4.8-3+deb9u1) stretch; urgency=medium . * Team upload. * Apply remove-DISABLE_DEPRECATED-flags.patch because those flags cause implicit pointer conversion and thus a segmentation fault on startup. (Closes: #868315) kdepim (4:16.04.3-4~deb9u1) stretch; urgency=high . * Team upload. . [ Sandro Knauß ] * Fix CVE-2017-9604: Send Later with Delay bypasses OpenPGP (Closes: #864804) - Added upstream patch fix-CVE-2017-9604.patch kf5-messagelib (4:16.04.3-3~deb9u1) stretch; urgency=high . * Team upload. . [ Sandro Knauß ] * Fix CVE-2017-9604: Send Later with Delay bypasses OpenPGP (Closes: #864803) - Added upstream patch fix-CVE-2017-9604.patch krb5 (1.15-1+deb9u1) stretch; urgency=high . 
* CVE-2017-11368: Remote authenticated attackers can crash the KDC, Closes: #869260 * Upstream patches to fix startup if getaddrinfo() returns a wildcard v6 address, and to fix handling of explicitly specified v4 wildcard address; regression over previous versions, Closes: #860767 * Fix SRV lookups to respect udp_preference_limit, regression over previous versions with OTP, Closes: #856307 lava-tool (0.21-1+deb9u1) stretch; urgency=medium . * Add missing dependency: python-simplejson. (Closes: #872782) libgcrypt20 (1.7.6-2+deb9u2) stretch-security; urgency=high . * Non-maintainer upload by the Security Team. * ecc: Add input validation for X25519 [CVE-2017-0379] Mitigate a local side-channel attack on Curve25519 dubbed "May the Fourth be With You". (Closes: #873383) libgd2 (2.2.4-2+deb9u2) stretch-security; urgency=high . * Non-maintainer upload by the Security Team. * CVE-2017-6362: Double-free in gdImagePngPtr() libgd2 (2.2.4-2+deb9u1) stretch-security; urgency=high . * Non-maintainer upload by the Security Team. * CVE-2017-7890: Fix uninitialized memory read vulnerability in GIF reading (Closes: #869263) libidn2-0 (0.16-1+deb9u1) stretch-security; urgency=high . * CVE-2017-14062: Fix integer overflow in decode_digit (Closes: #873902) * Add myself to Uploaders: libmspack (0.5-1+deb9u1) stretch-security; urgency=high . * Non-maintainer upload. * Correct rejection of empty strings. * Fix mis-handling of sys->read() errors in cabd_read_string() (CVE-2017-11423) (Closes: #868956). * Reject negative output length in SpanInfo (CVE-2017-6419) (Closes: #871263). libmspack (0.5-1+deb8u1) jessie-security; urgency=high . * Non-maintainer upload. * Correct rejection of empty strings. * Fix mis-handling of sys->read() errors in cabd_read_string() (CVE-2017-11423) (Closes: #868956). * Reject negative output length in SpanInfo (CVE-2017-6419) (Closes: #871263). libraw (0.17.2-6+deb9u1) stretch-security; urgency=high . * Non-maintainer upload by the Security Team.
* New patch for fixing CVE-2017-6886 and CVE-2017-6887: CVE-2017-6886_6887.patch librsb (1.2.0-rc5-3+deb9u1) stretch; urgency=medium . * d/p/fix-numerical-computation.patch: New patch. This minimal patch backports the fixes to a few severe bugs leading to numerically wrong results. These bugs are fixed in the upstream version 1.2.0-rc7. Thanks to Michele Martone for the patch (Closes: #870137) * Add unit test for numerical bug fixed in version 1.2.0-rc7. Thanks to Michele Martone for the source file libsolv (0.6.24-1+deb9u1) stretch; urgency=medium . * debian/control: + Fix typo in D (python3-solv): Change ${python:Depends} to ${python3:Depends}. Spotted by Adrian Bunk. (Closes: #867407). libsoup2.4 (2.56.0-2+deb9u1) stretch-security; urgency=high . * Non-maintainer upload by the Security Team. * Fix chunked decoding buffer overrun (CVE-2017-2885) libwpd (0.10.1-5+deb9u1) stretch; urgency=medium . * debian/patches/libwpd-tdf112269.diff: backport patch to fix CVE-2017-14226 (closes: #876001) libxml2 (2.9.4+dfsg1-2.2+deb9u1) stretch-security; urgency=high . * Non-maintainer upload by the Security Team. * Increase buffer space for port in HTTP redirect support (CVE-2017-7376) Incorrect limit was used for port values. (Closes: #870865) * Prevent unwanted external entity reference (CVE-2017-7375) Missing validation for external entities in xmlParsePEReference. (Closes: #870867) * Fix handling of parameter-entity references (CVE-2017-9049, CVE-2017-9050) - Heap-based buffer over-read in function xmlDictComputeFastKey (CVE-2017-9049). - Heap-based buffer over-read in function xmlDictAddString (CVE-2017-9050). (Closes: #863019, #863018) * Fix buffer size checks in xmlSnprintfElementContent (CVE-2017-9047, CVE-2017-9048) - Buffer overflow in function xmlSnprintfElementContent (CVE-2017-9047). - Stack-based buffer overflow in function xmlSnprintfElementContent (CVE-2017-9048). 
(Closes: #863022, #863021) * Fix type confusion in xmlValidateOneNamespace (CVE-2017-0663) Heap buffer overflow in xmlAddID. (Closes: #870870) linux (4.9.51-1) stretch; urgency=medium . * New upstream stable update: https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.48 - [x86] i2c: ismt: Don't duplicate the receive length for block reads - [x86] i2c: ismt: Return EMSGSIZE for block reads with bogus length - crypto: algif_skcipher - only call put_page on referenced and used pages - mm, uprobes: fix multiple free of ->uprobes_state.xol_area - mm, madvise: ensure poisoned pages are removed from per-cpu lists - ceph: fix readpage from fscache - cpumask: fix spurious cpumask_of_node() on non-NUMA multi-node configs - cpuset: Fix incorrect memory_pressure control file mapping - CIFS: Fix maximum SMB2 header size - lib/mpi: kunmap after finishing accessing buffer - drm/ttm: Fix accounting error when fail to get pages for pool - [armhf,arm64] kvm: Force reading uncached stage2 PGD - epoll: fix race between ep_poll_callback(POLLFREE) and ep_free()/ep_remove() https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.49 - usb:xhci:Fix regression when ATI chipsets detected - [armhf] USB: musb: fix external abort on suspend - USB: core: Avoid race of async_completed() w/ usbdev_release() - [x86] staging/rts5208: fix incorrect shift to extract upper nybble - driver core: bus: Fix a potential double free - ath10k: fix memory leak in rx ring buffer allocation - Input: trackpoint - assume 3 buttons when buttons detection fails - rtlwifi: rtl_pci_probe: Fix fail path of _rtl_pci_find_adapter - dlm: avoid double-free on error path in dlm_device_{register,unregister} - mwifiex: correct channel stat buffer overflows - [s390x] mm: avoid empty zero pages for KVM guests to avoid postcopy hangs - drm/nouveau/pci/msi: disable MSI on big-endian platforms by default - scsi: sg: protect against races between mmap() and SG_SET_RESERVED_SIZE - scsi: sg: recheck MMAP_IO request length 
with lock held - [arm64] drm/bridge: adv7511: Use work_struct to defer hotplug handing to out of irq context - [arm64] drm/bridge: adv7511: Switch to using drm_kms_helper_hotplug_event() https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.50 - [armhf] mtd: nand: mxc: Fix mxc_v1 ooblayout - nvme-fabrics: generate spec-compliant UUID NQNs - btrfs: resume qgroup rescan on rw remount - mm/memory.c: fix mem_cgroup_oom_disable() call missing - ALSA: msnd: Optimize / harden DSP and MIDI loops - [arm64] dts: marvell: armada-37xx: Fix GIC maintenance interrupt - [armhf] 8692/1: mm: abort uaccess retries upon fatal signal - NFS: Fix 2 use after free issues in the I/O code - NFS: Sync the correct byte range during synchronous writes https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.51 - ipv6: accept 64k - 1 packet length in ip6_find_1stfragopt() - ipv6: add rcu grace period before freeing fib6_node - macsec: add genl family module alias - udp: on peeking bad csum, drop packets even if not at head - qlge: avoid memcpy buffer overflow - [x86] netvsc: fix deadlock betwen link status and removal - cxgb4: Fix stack out-of-bounds read due to wrong size to t4_record_mbox() - kcm: do not attach PF_KCM sockets to avoid deadlock - Revert "net: phy: Correctly process PHY_HALTED in phy_stop_machine()" - bridge: switchdev: Clear forward mark when transmitting packet - Revert "net: use lib/percpu_counter API for fragmentation mem accounting" - Revert "net: fix percpu memory leaks" - gianfar: Fix Tx flow control deactivation - vhost_net: correctly check tx avail during rx busy polling - ip6_gre: update mtu properly in ip6gre_err - ipv6: fix memory leak with multiple tables during netns destruction - ipv6: fix typo in fib6_net_exit() - sctp: fix missing wake ups in some situations - ip_tunnel: fix setting ttl and tos value in collect_md mode - f2fs: let fill_super handle roll-forward errors - f2fs: check hot_data for roll-forward recovery - [amd64] fsgsbase: Fully initialize 
FS and GS state in start_thread_common - [amd64] fsgsbase: Report FSBASE and GSBASE correctly in core dumps - [amd64] switch_to: Rewrite FS/GS switching yet again to fix AMD CPUs - xfs: fix spurious spin_is_locked() assert failures on non-smp kernels - xfs: push buffer of flush locked dquot to avoid quotacheck deadlock - xfs: try to avoid blowing out the transaction reservation when bunmaping a shared extent - xfs: release bli from transaction properly on fs shutdown - xfs: remove bli from AIL before release on transaction abort - xfs: don't allow bmap on rt files - xfs: free uncommitted transactions during log recovery - xfs: free cowblocks and retry on buffered write ENOSPC - xfs: don't crash on unexpected holes in dir/attr btrees - xfs: check _btree_check_block value - xfs: set firstfsb to NULLFSBLOCK before feeding it to _bmapi_write - xfs: check _alloc_read_agf buffer pointer before using - xfs: fix quotacheck dquot id overflow infinite loop - xfs: fix multi-AG deadlock in xfs_bunmapi - xfs: Fix per-inode DAX flag inheritance - xfs: fix inobt inode allocation search optimization - xfs: clear MS_ACTIVE after finishing log recovery - xfs: don't leak quotacheck dquots when cow recovery - iomap: fix integer truncation issues in the zeroing and dirtying helpers - xfs: write unmount record for ro mounts - xfs: toggle readonly state around xfs_log_mount_finish - xfs: Properly retry failed inode items in case of error during buffer writeback - xfs: fix recovery failure when log record header wraps log end - xfs: always verify the log tail during recovery - xfs: fix log recovery corruption error due to tail overwrite - xfs: handle -EFSCORRUPTED during head/tail verification - xfs: stop searching for free slots in an inode chunk when there are none - xfs: evict all inodes involved with log redo item - xfs: check for race with xfs_reclaim_inode() in xfs_ifree_cluster() - xfs: don't log dirty ranges for ordered buffers - xfs: skip bmbt block ino validation during owner 
change - xfs: move bmbt owner change to last step of extent swap - xfs: disallow marking previously dirty buffers as ordered - xfs: relog dirty buffers during swapext bmbt owner change - xfs: disable per-inode DAX flag - xfs: fix incorrect log_flushed on fsync - xfs: don't set v3 xflags for v2 inodes - xfs: open code end_buffer_async_write in xfs_finish_page_writeback - md/raid5: release/flush io in raid5_do_work() - ipv6: Fix may be used uninitialized warning in rt6_check . [ Ben Hutchings ] * Fix regressions caused by fix for CVE-2016-7097 (Closes: #873026): - ext4: preserve i_mode if __ext4_set_acl() fails - ext4: Don't clear SGID when inheriting ACLs * [mips{,64}el/loongson-3] Add support for Loongson-3A/B 3000 CPUs, thanks to YunQiang Su (Closes: #871701): - Add Loongson-3A R3 basic support - Add NMI handler support - Support 4 packages in CPU Hwmon driver - IRQ balancing for PCI devices - support irq_set_affinity() in i8259 chip - Make enum loongson_cpu_type more clear * [ppc64el] Invalidate ERAT on powersave wakeup for POWER9, thanks to Michael Neuling (Closes: #868887) * ip6_fib: Avoid ABI change in 4.9.51 * inet_frag: Limit ABI change in 4.9.51 * nfs: Ignore ABI change in 4.9.50 linux (4.9.47-1) stretch; urgency=medium . 
  * New upstream stable update:
    https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.31
    - driver: vrf: Fix one possible use-after-free issue
    - [s390x] qeth: handle sysfs error during initialization
    - [s390x] qeth: unbreak OSM and OSN support
    - [s390x] qeth: avoid null pointer dereference on OSN
    - [s390x] qeth: add missing hash table initializations
    - [arm64] bpf: fix faulty emission of map access in tail calls
    - netem: fix skb_orphan_partial()
    - net: fix compile error in skb_orphan_partial()
    - tcp: avoid fragmenting peculiar skbs in SACK
    - sctp: fix src address selection if using secondary addresses for ipv6
    - net/packet: fix missing net_device reference release
    - net/mlx5e: Use the correct pause values for ethtool advertising
    - net/mlx5e: Fix ethtool pause support and advertise reporting
    - tcp: eliminate negative reordering in tcp_clean_rtx_queue
    - net: Improve handling of failures on link and route dumps
    - bridge: netlink: check vlan_default_pvid range
    - qmi_wwan: add another Lenovo EM74xx device ID
    - bridge: start hello_timer when enabling KERNEL_STP in br_stp_start
    - bonding: fix accounting of active ports in 3ad
    - net/mlx5: Avoid using pending command interface slots
    - net: phy: marvell: Limit errata to 88m1101
    - vlan: Fix tcp checksum offloads in Q-in-Q vlans
    - be2net: Fix offload features for Q-in-Q packets
    - virtio-net: enable TSO/checksum offloads for Q-in-Q vlans
    - tcp: avoid fastopen API to be used on AF_UNSPEC
    - sctp: fix ICMP processing if skb is non-linear
    - ipv4: add reference counting to metrics
    - bpf: add bpf_clone_redirect to bpf_helper_changes_pkt_data
    - fs/ufs: Set UFS default maximum bytes per file
    - [powerpc*] spufs: Fix hash faults for kernel regions
    - drivers/tty: 8250: only call fintek_8250_probe when doing port I/O
    - i2c: i2c-tiny-usb: fix buffer not being DMA capable
    - [x86] MCE: Export memory_error()
    - acpi, nfit: Fix the memory error check in nfit_handle_mce()
    - Revert "ACPI / button: Change default behavior to lid_init_state=open"
    - mmc: sdhci-iproc: suppress spurious interrupt with Multiblock read
    - iscsi-target: Always wait for kthread_should_stop() before kthread exit
    - ibmvscsis: Clear left-over abort_cmd pointers
    - ibmvscsis: Fix the incorrect req_lim_delta
    - HID: wacom: Have wacom_tpc_irq guard against possible NULL dereference
    - nvme-rdma: support devices with queue size < 32
    - nvme: use blk_mq_start_hw_queues() in nvme_kill_queues()
    - nvme: avoid to use blk_mq_abort_requeue_list()
    - scsi: mpt3sas: Force request partial completion alignment
    - drm/radeon/ci: disable mclk switching for high refresh rates (v2)
    - drm/radeon: Unbreak HPD handling for r600+
    - drm/radeon: Fix vram_size/visible values in DRM_RADEON_GEM_INFO ioctl
    - pcmcia: remove left-over %Z format
    - ALSA: hda - apply STAC_9200_DELL_M22 quirk for Dell Latitude D430
    - mm/migrate: fix refcount handling when !hugepage_migration_supported()
    - mlock: fix mlock count can not decrease in race condition
    - mm: consider memblock reservations for deferred memory initialization sizing
    - RDMA/qib,hfi1: Fix MR reference count leak on write with immediate
    - [x86] boot: Use CROSS_COMPILE prefix for readelf
    - ksm: prevent crash after write_protect_page fails
    - slub/memcg: cure the brainless abuse of sysfs attributes
    - mm/slub.c: trace free objects at KERN_INFO
    - [x86] drm/gma500/psb: Actually use VBT mode when it is found
    - xfs: Fix missed holes in SEEK_HOLE implementation
    - xfs: use ->b_state to fix buffer I/O accounting release race
    - xfs: fix off-by-one on max nr_pages in xfs_find_get_desired_pgoff()
    - xfs: verify inline directory data forks
    - xfs: rework the inline directory verifiers
    - xfs: fix kernel memory exposure problems
    - xfs: use dedicated log worker wq to avoid deadlock with cil wq
    - xfs: fix over-copying of getbmap parameters from userspace
    - xfs: actually report xattr extents via iomap
    - xfs: drop iolock from reclaim context to appease lockdep
    - xfs: fix integer truncation in xfs_bmap_remap_alloc
    - xfs: handle array index
      overrun in xfs_dir2_leaf_readbuf()
    - xfs: prevent multi-fsb dir readahead from reading random blocks
    - xfs: fix up quotacheck buffer list error handling
    - xfs: support ability to wait on new inodes
    - xfs: update ag iterator to support wait on new inodes
    - xfs: wait on new inodes during quotaoff dquot release
    - xfs: reserve enough blocks to handle btree splits when remapping
    - xfs: fix use-after-free in xfs_finish_page_writeback
    - xfs: fix indlen accounting error on partial delalloc conversion
    - xfs: BMAPX shouldn't barf on inline-format directories
    - xfs: bad assertion for delalloc an extent that start at i_size
    - xfs: xfs_trans_alloc_empty
    - xfs: avoid mount-time deadlock in CoW extent recovery
    - xfs: fix unaligned access in xfs_btree_visit_blocks
    - xfs: Fix off-by-in in loop termination in xfs_find_get_desired_pgoff()
    https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.32
    - bnx2x: Fix Multi-Cos
    - vxlan: eliminate cached dst leak
    - cxgb4: avoid enabling napi twice to the same queue
    - tcp: disallow cwnd undo when switching congestion control
    - vxlan: fix use-after-free on deletion
    - net: ping: do not abuse udp_poll()
    - net/ipv6: Fix CALIPSO causing GPF with datagram support
    - net: ethoc: enable NAPI before poll may be scheduled
    - net: stmmac: fix completely hung TX when using TSO
    - net: bridge: start hello timer only if device is up
    - serial: ifx6x60: fix use-after-free on module unload
    - ptrace: Properly initialize ptracer_cred on fork
    - crypto: asymmetric_keys - handle EBUSY due to backlog correctly
    - KEYS: fix dereferencing NULL payload with nonzero length
    - KEYS: fix freeing uninitialized memory in key_update()
    - KEYS: encrypted: avoid encrypting/decrypting stack buffers
    - crypto: drbg - wait for crypto op not signal safe
    - crypto: gcm - wait for crypto op not signal safe
    - drm/amdgpu/ci: disable mclk switching for high refresh rates (v2)
    - nfsd4: fix null dereference on replay
    - nfsd: Fix up the "supattr_exclcreat" attributes
    - efi: Don't issue error
      message when booted under Xen
    - kvm: async_pf: fix rcu_irq_enter() with irqs enabled
    - [x86] KVM: cpuid: Fix read/write out-of-bounds vulnerability in cpuid emulation
    - [arm64] KVM: Preserve RES1 bits in SCTLR_EL2
    - [arm64] KVM: Allow unaligned accesses at EL2
    - [armhf] KVM: Allow unaligned accesses at HYP
    - KVM: async_pf: avoid async pf injection when in guest mode
    - [armhf,arm64] KVM: vgic-v3: Do not use Active+Pending state for a HW interrupt
    - [armhf,arm64] KVM: vgic-v2: Do not use Active+Pending state for a HW interrupt
    - dmaengine: usb-dmac: Fix DMAOR AE bit definition
    - dmaengine: ep93xx: Always start from BASE0
    - dmaengine: ep93xx: Don't drain the transfers in terminate_all()
    - dmaengine: mv_xor_v2: handle mv_xor_v2_prep_sw_desc() error properly
    - dmaengine: mv_xor_v2: properly handle wrapping in the array of HW descriptors
    - dmaengine: mv_xor_v2: do not use descriptors not acked by async_tx
    - dmaengine: mv_xor_v2: enable XOR engine after its configuration
    - dmaengine: mv_xor_v2: fix tx_submit() implementation
    - dmaengine: mv_xor_v2: remove interrupt coalescing
    - dmaengine: mv_xor_v2: set DMA mask to 40 bits
    - cfq-iosched: fix the delay of cfq_group's vdisktime under iops mode
    - xen/privcmd: Support correctly 64KB page granularity when mapping memory
    - ext4: fix SEEK_HOLE
    - ext4: keep existing extra fields when inode expands
    - ext4: fix data corruption with EXT4_GET_BLOCKS_ZERO
    - ext4: fix fdatasync(2) after extent manipulation operations
    - drm: Fix oops + Xserver hang when unplugging USB drm devices
    - usb: gadget: f_mass_storage: Serialize wake and sleep execution
    - usb: chipidea: udc: fix NULL pointer dereference if udc_start failed
    - usb: chipidea: debug: check before accessing ci_role
    - staging/lustre/lov: remove set_fs() call from lov_getstripe()
    - iio: adc: bcm_iproc_adc: swap primary and secondary isr handler's
    - iio: light: ltr501 Fix interchanged als/ps register field
    - iio: proximity: as3935: fix AS3935_INT mask
    - iio: proximity: as3935: fix
      iio_trigger_poll issue
    - mei: make sysfs modalias format similar as uevent modalias
    - cpufreq: cpufreq_register_driver() should return -ENODEV if init fails
    - target: Re-add check to reject control WRITEs with overflow data
    - [arm64] drm/msm: Expose our reservation object when exporting a dmabuf.
    - ahci: Acer SA5-271 SSD Not Detected Fix
    - cgroup: Prevent kill_css() from being called more than once
    - Input: elantech - add Fujitsu Lifebook E546/E557 to force crc_enabled
    - cpuset: consider dying css as offline
    - fs: add i_blocksize()
    - ufs: restore proper tail allocation
    - fix ufs_isblockset()
    - ufs: restore maintaining ->i_blocks
    - ufs: set correct ->s_maxsize
    - ufs_extend_tail(): fix the braino in calling conventions of ufs_new_fragments()
    - ufs_getfrag_block(): we only grab ->truncate_mutex on block creation path
    - cxl: Fix error path on bad ioctl
    - cxl: Avoid double free_irq() for psl,slice interrupts
    - btrfs: use correct types for page indices in btrfs_page_exists_in_range
    - btrfs: fix memory leak in update_space_info failure path
    - [armhf,arm64] KVM: Handle possible NULL stage2 pud when ageing pages
    - scsi: qla2xxx: don't disable a not previously enabled PCI device
    - scsi: qla2xxx: Modify T262 FW dump template to specify same start/end to debug customer issues
    - scsi: qla2xxx: Set bit 15 for DIAG_ECHO_TEST MBC
    - scsi: qla2xxx: Fix mailbox pointer error in fwdump capture
    - [powerpc*] sysdev/simple_gpio: Fix oops in gpio save_regs function
    - [powerpc*] numa: Fix percpu allocations to be NUMA aware
    - [powerpc*] hotplug-mem: Fix missing endian conversion of aa_index
    - [powerpc*] kernel: Fix FP and vector register restoration (Closes: #868902)
    - [powerpc*] kernel: Initialize load_tm on task creation
    - [x86] drm/vmwgfx: Handle vmalloc() failure in vmw_local_fifo_reserve()
    - drm/nouveau/tmr: fully separate alarm execution/pending lists
    - ALSA: timer: Fix race between read and ioctl (CVE-2017-1000380)
    - ALSA: timer: Fix missing queue indices reset at
      SNDRV_TIMER_IOCTL_SELECT (CVE-2017-1000380)
    - ASoC: Fix use-after-free at card unregistration
    - cpu/hotplug: Drop the device lock on error
    - drivers: char: mem: Fix wraparound check to allow mappings up to the end
    - serial: sh-sci: Fix panic when serial console and DMA are enabled
    - [arm64] traps: fix userspace cache maintenance emulation on a tagged pointer
    - [arm64] hw_breakpoint: fix watchpoint matching for tagged pointers
    - [arm64] entry: improve data abort handling of tagged pointers
    - [armel,armhf] 8637/1: Adjust memory boundaries after reservations
    - usercopy: Adjust tests to deal with SMAP/PAN
    - [x86] drm/i915/vbt: don't propagate errors from intel_bios_init()
    - [x86] drm/i915/vbt: split out defaults that are set when there is no VBT
    - cpufreq: schedutil: move cached_raw_freq to struct sugov_policy
    - cpufreq: schedutil: Fix per-CPU structure initialization in sugov_start()
    - netfilter: nft_set_rbtree: handle element re-addition after deletion
    https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.33
    - PCI/PM: Add needs_resume flag to avoid suspend complete optimization
    - [x86] drm/i915: Prevent the system suspend complete optimization
    - partitions/msdos: FreeBSD UFS2 file systems are not recognized
    - netfilter: nf_conntrack_sip: fix wrong memory initialisation
    - ibmvnic: Fix endian errors in error reporting output
    - ibmvnic: Fix endian error when requesting device capabilities
    - net: xilinx_emaclite: fix freezes due to unordered I/O
    - net: xilinx_emaclite: fix receive buffer overflow
    - tcp: tcp_probe: use spin_lock_bh()
    - ipv6: Handle IPv4-mapped src to in6addr_any dst.
    - ipv6: Inhibit IPv4-mapped src address on the wire.
    - tipc: Fix tipc_sk_reinit race conditions
    - gfs2: Use rhashtable walk interface in glock_hash_walk
    - NET: Fix /proc/net/arp for AX.25
    - ibmvnic: Call napi_disable instead of napi_enable in failure path
    - ibmvnic: Initialize completion variables before starting work
    - NET: mkiss: Fix panic
    - net: hns: Fix the device being used for dma mapping during TX
    - sierra_net: Skip validating irrelevant fields for IDLE LSIs
    - sierra_net: Add support for IPv6 and Dual-Stack Link Sense Indications
    - i2c: piix4: Request the SMBUS semaphore inside the mutex
    - i2c: piix4: Fix request_region size
    - [powerpc*] powernv: Properly set "host-ipi" on IPIs
    - kernel/ucount.c: mark user_header with kmemleak_ignore()
    - net: thunderx: Fix PHY autoneg for SGMII QLM mode
    - ipv6: addrconf: fix generation of new temporary addresses
    - vfio/spapr_tce: Set window when adding additional groups to container
    - ipv6: Fix IPv6 packet loss in scenarios involving roaming + snooping switches
    - PM / runtime: Avoid false-positive warnings from might_sleep_if()
    - jump label: pass kbuild_cflags when checking for asm goto support
    - shmem: fix sleeping from atomic context
    - kasan: respect /proc/sys/kernel/traceoff_on_warning
    - log2: make order_base_2() behave correctly on const input value zero
    - ethtool: do not vzalloc(0) on registers dump
    - net: phy: Fix lack of reference count on PHY driver
    - net: phy: Fix PHY module checks and NULL deref in phy_attach_direct()
    - net: fix ndo_features_check/ndo_fix_features comment ordering
    - fscache: Fix dead object requeue
    - fscache: Clear outstanding writes when disabling a cookie
    - FS-Cache: Initialise stores_lock in netfs cookie
    - ipv6: fix flow labels when the traffic class is non-0
    - drm/nouveau: prevent userspace from deleting client object
    - drm/nouveau/fence/g84-: protect against concurrent access to semaphore buffers
    - net/mlx4_core: Avoid command timeouts during VF driver device shutdown
    - gianfar: synchronize DMA API usage by free_skb_rx_queue w/ gfar_new_page
    - [x86] pinctrl: baytrail: Rectify debounce support (part 2)
    - cec: fix wrong last_la determination
    - drm: prevent double-(un)registration for connectors
    - drm: Don't race connector registration
    - net: adaptec: starfire: add checks for dma mapping errors
    - [x86] drm/i915: Check for NULL i915_vma in intel_unpin_fb_obj()
    - net/mlx5: E-Switch, Err when retrieving steering name-space fails
    - net/mlx5: Return EOPNOTSUPP when failing to get steering name-space
    - net: phy: micrel: add support for KSZ8795
    - gtp: add genl family modules alias
    - drm/nouveau: Intercept ACPI_VIDEO_NOTIFY_PROBE
    - drm/nouveau: Rename acpi_work to hpd_work
    - drm/nouveau: Handle fbcon suspend/resume in seperate worker
    - drm/nouveau: Don't enabling polling twice on runtime resume
    - drm/nouveau: Fix drm poll_helper handling
    - drm/ast: Fixed system hanged if disable P2A
    - ravb: unmap descriptors when freeing rings
    - nfs: Fix "Don't increment lock sequence ID after NFS4ERR_MOVED"
    - nvmet-rdma: Fix missing dma sync to nvme data structures
    - r8152: avoid start_xmit to call napi_schedule during autosuspend
    - r8152: check rx after napi is enabled
    - r8152: re-schedule napi for tx
    - r8152: fix rtl8152_post_reset function
    - r8152: avoid start_xmit to schedule napi when napi is disabled
    - bnxt_en: Fix bnxt_reset() in the slow path task.
    - bnxt_en: Enhance autoneg support.
    - bnxt_en: Fix RTNL lock usage on bnxt_update_link().
    - bnxt_en: Fix RTNL lock usage on bnxt_get_port_module_status().
    - sctp: sctp gso should set feature with NETIF_F_SG when calling skb_segment
    - sctp: sctp_addr_id2transport should verify the addr before looking up assoc
    - usb: musb: Fix external abort on non-linefetch for musb_irq_work()
    - romfs: use different way to generate fsid for BLOCK or MTD
    - frv: add atomic64_add_unless()
    - frv: add missing atomic64 operations
    - proc: add a schedule point in proc_pid_readdir()
    - userfaultfd: fix SIGBUS resulting from false rwsem wakeups
    - kernel/watchdog.c: move hardlockup detector to separate file
    - kernel/watchdog.c: move shared definitions to nmi.h
    - kernel/watchdog: prevent false hardlockup on overloaded system
    - [x86] vhost/vsock: handle vhost_vq_init_access() error
    - tipc: ignore requests when the connection state is not CONNECTED
    - tipc: fix connection refcount error
    - tipc: add subscription refcount to avoid invalid delete
    - tipc: fix nametbl_lock soft lockup at node/link events
    - netfilter: nf_tables: fix set->nelems counting with no NLM_F_EXCL
    - netfilter: nft_log: restrict the log prefix length to 127
    - RDMA/qedr: Dispatch port active event from qedr_add
    - RDMA/qedr: Fix and simplify memory leak in PD alloc
    - RDMA/qedr: Don't reset QP when queues aren't flushed
    - RDMA/qedr: Don't spam dmesg if QP is in error state
    - RDMA/qedr: Return max inline data in QP query result
    - [s390x] kvm: do not rely on the ILC on kvm host protection fauls
    - [x86] drm/i915: Workaround VLV/CHV DSI scanline counter hardware fail
    - [x86] drm/i915: Always recompute watermarks when distrust_bios_wm is set, v2.
    https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.34
    - fs: pass on flags in compat_writev
    - configfs: Fix race between create_link and configfs_rmdir
    - can: gs_usb: fix memory leak in gs_cmd_reset()
    - ila_xlat: add missing hash secret initialization
    - cpufreq: conservative: Allow down_threshold to take values from 1 to 10
    - vb2: Fix an off by one error in 'vb2_plane_vaddr'
    - mac80211: don't look at the PM bit of BAR frames
    - mac80211/wpa: use constant time memory comparison for MACs
    - drm/amdgpu: Fix overflow of watermark calcs at > 4k resolutions.
    - [x86] drm/i915: Fix GVT-g PVINFO version compatibility check
    - usb: musb: dsps: keep VBUS on for host-only mode
    - mac80211: fix CSA in IBSS mode
    - mac80211: fix packet statistics for fast-RX
    - mac80211: fix IBSS presp allocation size
    - mac80211: strictly check mesh address extension mode
    - mac80211: fix dropped counter in multiqueue RX
    - mac80211: don't send SMPS action frame in AP mode when not needed
    - [armhf,arm64] drm/vc4: Fix OOPSes from trying to cache a partially constructed BO.
    - serial: efm32: Fix parity management in 'efm32_uart_console_get_options()'
    - serial: sh-sci: Fix late enablement of AUTORTS
    - [i386] mm: Set the '__vmalloc_start_set' flag in initmem_init()
    - mfd: omap-usb-tll: Fix inverted bit use for USB TLL mode
    - staging: rtl8188eu: prevent an underflow in rtw_check_beacon_data()
    - staging: iio: tsl2x7x_core: Fix standard deviation calculation
    - iio: st_pressure: Fix data sign
    - iio: proximity: as3935: recalibrate RCO after resume
    - iio: adc: ti_am335x_adc: allocating too much in probe
    - IB/mlx5: Fix kernel to user leak prevention logic
    - usb: gadget: udc: renesas_usb3: fix pm_runtime functions calling
    - usb: gadget: udc: renesas_usb3: fix deadlock by spinlock
    - usb: gadget: udc: renesas_usb3: lock for PN_ registers access
    - USB: hub: fix SS max number of ports
    - usb: core: fix potential memory leak in error path during hcd creation
    - USB: usbip: fix nonconforming hub descriptor
    - pvrusb2: reduce stack usage pvr2_eeprom_analyze()
    - USB: gadget: dummy_hcd: fix hub-descriptor removable fields
    - usb: r8a66597-hcd: select a different endpoint on timeout
    - usb: r8a66597-hcd: decrease timeout
    - ath10k: fix napi crash during rmmod when probe firmware fails
    - misc: mic: double free on ioctl error path
    - drivers/misc/c2port/c2port-duramar2150.c: checking for NULL instead of IS_ERR()
    - usb: xhci: Fix USB 3.1 supported protocol parsing
    - usb: xhci: ASMedia ASM1042A chipset need shorts TX quirk
    - USB: gadget: fix GPF in gadgetfs
    - USB: gadgetfs, dummy-hcd, net2280: fix locking for callbacks
    - mm/memory-failure.c: use compound_head() flags for huge pages
    - swap: cond_resched in swap_cgroup_prepare()
    - iio: imu: inv_mpu6050: add accel lpf setting for chip >= MPU6500
    - sched/core: Idle_task_exit() shouldn't use switch_mm_irqs_off()
    - genirq: Release resources in __setup_irq() error path
    - alarmtimer: Prevent overflow of relative timers
    - usb: gadget: composite: Fix function used to free memory
    - usb: dwc3: exynos fix axius clock error path
      to do cleanup
    - [mips*] Fix bnezc/jialc return address calculation
    - [mips*] .its targets depend on vmlinux
    - vTPM: Fix missing NULL check
    - alarmtimer: Rate limit periodic intervals
    - Allow stack to grow up to address space limit
    https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.35
    - clk: sunxi-ng: a31: Correct lcd1-ch1 clock register offset
    - xen/blkback: fix disconnect while I/Os in flight
    - ALSA: firewire-lib: Fix stall of process context at packet error
    - ALSA: pcm: Don't treat NULL chmap as a fatal error
    - [powerpc*] perf: Fix oops when kthread execs user process
    - autofs: sanity check status reported with AUTOFS_DEV_IOCTL_FAIL
    - lib/cmdline.c: fix get_options() overflow while parsing ranges
    - [x86] perf/intel: Add 1G DTLB load/store miss support for SKL
    - [s390x] KVM: gaccess: fix real-space designation asce handling for gmap shadows
    - [powerpc*] KVM: Book3S HV: Preserve userspace HTM state properly
    - [powerpc*] KVM: Book3S HV: Context-switch EBB registers properly
    - CIFS: Improve readdir verbosity
    - cxgb4: notify uP to route ctrlq compl to rdma rspq
    - HID: Add quirk for Dell PIXART OEM mouse
    - signal: Only reschedule timers on signals timers have sent
    - [powerpc*] kprobes: Pause function_graph tracing during jprobes handling
    - powerpc/64s: Handle data breakpoints in Radix mode
    - Input: i8042 - add Fujitsu Lifebook AH544 to notimeout list
    - brcmfmac: add parameter to pass error code in firmware callback
    - brcmfmac: use firmware callback upon failure to load
    - brcmfmac: unbind all devices upon failure in firmware callback
    - time: Fix clock->read(clock) race around clocksource changes
    - time: Fix CLOCK_MONOTONIC_RAW sub-nanosecond accounting
    - [arm64] vdso: Fix nsec handling for CLOCK_MONOTONIC_RAW
    - target: Fix kref->refcount underflow in transport_cmd_finish_abort
    - iscsi-target: Fix delayed logout processing greater than SECONDS_FOR_LOGOUT_COMP
    - iscsi-target: Reject immediate data underflow larger than SCSI transfer length
    - drm/radeon: add a PX
      quirk for another K53TK variant
    - drm/radeon: add a quirk for Toshiba Satellite L20-183
    - drm/amdgpu/atom: fix ps allocation size for EnableDispPowerGating
    - drm/amdgpu: adjust default display clock
    - of: Add check to of_scan_flat_dt() before accessing initial_boot_params
    - mtd: spi-nor: fix spansion quad enable
    - usb: gadget: f_fs: avoid out of bounds access on comp_desc
    - rt2x00: avoid introducing a USB dependency in the rt2x00lib module
    - net: phy: Initialize mdio clock at probe function
    - dmaengine: bcm2835: Fix cyclic DMA period splitting
    - spi: double time out tolerance
    - net: phy: fix marvell phy status reading
    - jump label: fix passing kbuild_cflags when checking for asm goto support
    - brcmfmac: fix uninitialized warning in brcmf_usb_probe_phase2()
    https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.36
    - ipv6: release dst on error in ip6_dst_lookup_tail
    - net: don't call strlen on non-terminated string in dev_set_alias()
    - decnet: dn_rtmsg: Improve input length sanitization in dnrmg_receive_user_skb
    - net: Zero ifla_vf_info in rtnl_fill_vfinfo()
    - net: vrf: Make add_fib_rules per network namespace flag
    - af_unix: Add sockaddr length checks before accessing sa_family in bind and connect handlers
    - Fix an intermittent pr_emerg warning about lo becoming free.
    - sctp: disable BH in sctp_for_each_endpoint
    - net: caif: Fix a sleep-in-atomic bug in cfpkt_create_pfx
    - net: tipc: Fix a sleep-in-atomic bug in tipc_msg_reverse
    - net/mlx5e: Added BW check for DIM decision mechanism
    - net/mlx5e: Fix wrong indications in DIM due to counter wraparound
    - proc: snmp6: Use correct type in memset
    - igmp: acquire pmc lock for ip_mc_clear_src()
    - igmp: add a missing spin_lock_init()
    - ipv6: fix calling in6_ifa_hold incorrectly for dad work
    - sctp: return next obj by passing pos + 1 into sctp_transport_get_idx
    - net/mlx5e: Avoid doing a cleanup call if the profile doesn't have it
    - net/mlx5: Wait for FW readiness before initializing command interface
    - net/mlx5e: Fix timestamping capabilities reporting
    - decnet: always not take dst->__refcnt when inserting dst into hash table
    - net: 8021q: Fix one possible panic caused by BUG_ON in free_netdev
    - sfc: provide dummy definitions of vswitch functions
    - ipv6: Do not leak throw route references
    - rtnetlink: add IFLA_GROUP to ifla_policy
    - netfilter: xt_TCPMSS: add more sanity tests on tcph->doff
    - netfilter: synproxy: fix conntrackd interaction
    - NFSv4: fix a reference leak caused WARNING messages
    - xen/blkback: don't use xen_blkif_get() in xen-blkback kthread
    - drm/ast: Handle configuration without P2A bridge
    - mm, swap_cgroup: reschedule when neeed in swap_cgroup_swapoff()
    - [mips*] head: Reorder instructions missing a delay slot
    - [mips*] Avoid accidental raw backtrace
    - [mips*] pm-cps: Drop manual cache-line alignment of ready_count
    - [mips*] Fix IRQ tracing & lockdep when rescheduling
    - ALSA: hda - Fix endless loop of codec configure
    - ALSA: hda - set input_path bitmap to zero after moving it to new place
    - NFSv4.1: Fix a race in nfs4_proc_layoutget
    - gpiolib: fix filtering out unwanted events
    - [x86] drm/vmwgfx: Free hash table allocated by cmdbuf managed res mgr
    - dm thin: do not queue freed thin mapping for next stage processing
    - [x86] mm: Fix boot crash caused by incorrect loop count
      calculation in sync_global_pgds()
    - usb: gadget: f_fs: Fix possibe deadlock
    - l2tp: fix race in l2tp_recv_common()
    - l2tp: ensure session can't get removed during pppol2tp_session_ioctl()
    - l2tp: fix duplicate session creation
    - l2tp: hold session while sending creation notifications
    - l2tp: take a reference on sessions used in genetlink handlers
    - mm: numa: avoid waiting on freed migrated pages
    - net: ethtool: add support for 2500BaseT and 5000BaseT link modes
    - net: phy: add an option to disable EEE advertisement
    - dt-bindings: net: add EEE capability constants
    - net: phy: fix sign type error in genphy_config_eee_advert
    - net: phy: use boolean dt properties for eee broken modes
    - dt: bindings: net: use boolean dt properties for eee broken modes
    - [arm64] dts: meson-gxbb-odroidc2: fix GbE tx link breakage
    - xen/blkback: don't free be structure too early
    - [x86] KVM: fix fixing of hypercalls
    - scsi: sd: Fix wrong DPOFUA disable in sd_read_cache_type
    - stmmac: add missing of_node_put
    - scsi: lpfc: Set elsiocb contexts to NULL after freeing it
    - qla2xxx: Terminate exchange if corrupted
    - qla2xxx: Fix erroneous invalid handle message
    - drm/amdgpu: fix program vce instance logic error.
    - drm/amdgpu: add support for new hainan variants
    - net: phy: dp83848: add DP83620 PHY support
    - [x86] perf/intel: Handle exclusive threadid correctly on CPU hotplug
    - net: korina: Fix NAPI versus resources freeing
    - [powerpc*] eeh: Enable IO path on permanent error
    - net: ethtool: Initialize buffer when querying device channel settings
    - xen-netback: fix memory leaks on XenBus disconnect
    - xen-netback: protect resource cleaning on XenBus disconnect
    - bnxt_en: Fix "uninitialized variable" bug in TPA code path.
    - bpf: don't trigger OOM killer under pressure with map alloc
    - objtool: Fix IRET's opcode
    - gianfar: Do not reuse pages from emergency reserve
    - Btrfs: Fix deadlock between direct IO and fast fsync
    - Btrfs: fix truncate down when no_holes feature is enabled
    - virtio_console: fix a crash in config_work_handler
    - swiotlb-xen: update dev_addr after swapping pages
    - xen-netfront: Fix Rx stall during network stress and OOM
    - scsi: virtio_scsi: Reject commands when virtqueue is broken
    - iwlwifi: fix kernel crash when unregistering thermal zone
    - [x86] platform: ideapad-laptop: handle ACPI event 1
    - amd-xgbe: Check xgbe_init() return code
    - net: dsa: Check return value of phy_connect_direct()
    - drm/amdgpu: check ring being ready before using
    - vfio/spapr: fail tce_iommu_attach_group() when iommu_data is null
    - mlxsw: spectrum_router: Correctly reallocate adjacency entries
    - virtio_net: fix PAGE_SIZE > 64k
    - ip6_tunnel: must reload ipv6h in ip6ip6_tnl_xmit()
    - vxlan: do not age static remote mac entries
    - ibmveth: Add a proper check for the availability of the checksum features
    - kernel/panic.c: add missing \n
    - [x86] perf/intel/uncore: Fix hardcoded socket 0 assumption in the Haswell init code
    - [x86] pinctrl: intel: Set pin direction properly
    - net: phy: marvell: fix Marvell 88E1512 used in SGMII mode
    - mac80211: recalculate min channel width on VHT opmode changes
    - [x86] perf/intel: Use ULL constant to prevent undefined shift behaviour
    - HID: i2c-hid: Add sleep between POWER ON and RESET
    - scsi: lpfc: avoid double free of resource identifiers
    - spi: davinci: use dma_mapping_error()
    - [arm64] assembler: make adr_l work in modules under KASLR
    - net: thunderx: acpi: fix LMAC initialization
    - drm/radeon/si: load special ucode for certain MC configs
    - drm/amd/powerplay: fix vce cg logic error on CZ/St.
    - drm/amd/powerplay: refine vce dpm update code on Cz.
    - pmem: return EIO on read_pmem() failure
    - mac80211: initialize SMPS field in HT capabilities
    - [x86] tsc: Add the Intel Denverton Processor to native_calibrate_tsc()
    - [x86] mpx: Use compatible types in comparison to fix sparse error
    - perf/core: Fix sys_perf_event_open() vs. hotplug
    - [x86] perf: Reject non sampling events with precise_ip
    - aio: fix lock dep warning
    - coredump: Ensure proper size of sparse core files
    - swiotlb: ensure that page-sized mappings are page-aligned
    - [s390x] ctl_reg: make __ctl_load a full memory barrier
    - usb: dwc2: gadget: Fix GUSBCFG.USBTRDTIM value
    - be2net: fix status check in be_cmd_pmac_add()
    - be2net: don't delete MAC on close on unprivileged BE3 VFs
    - be2net: fix MAC addr setting on privileged BE3 VFs
    - perf probe: Fix to show correct locations for events on modules
    - net: phy: dp83867: allow RGMII_TXID/RGMII_RXID interface types
    - tipc: allocate user memory with GFP_KERNEL flag
    - perf probe: Fix to probe on gcc generated functions in modules
    - net/mlx4_core: Eliminate warning messages for SRQ_LIMIT under SRIOV
    - sctp: check af before verify address in sctp_addr_id2transport
    - ip6_tunnel, ip6_gre: fix setting of DSCP on encapsulated packets
    - ravb: Fix use-after-free on `ifconfig eth0 down`
    - mm/vmalloc.c: huge-vmap: fail gracefully on unexpected huge vmap mappings
    - xfrm: fix stack access out of bounds with CONFIG_XFRM_SUB_POLICY
    - xfrm: NULL dereference on allocation failure
    - xfrm: Oops on error in pfkey_msg2xfrm_state()
    - netfilter: use skb_to_full_sk in ip_route_me_harder
    - watchdog: bcm281xx: Fix use of uninitialized spinlock.
    - sched/loadavg: Avoid loadavg spikes caused by delayed NO_HZ accounting
    - spi: When no dma_chan map buffers with spi_master's parent
    - spi: fix device-node leaks
    - regulator: tps65086: Fix expected switch DT node names
    - regulator: tps65086: Fix DT node referencing in of_parse_cb
    - [armhf] OMAP2+: omap_device: Sync omap_device and pm_runtime after probe defer
    - [armhf] dts: OMAP3: Fix MFG ID EEPROM
    - [arm64] ACPI: Fix BAD_MADT_GICC_ENTRY() macro implementation
    - [armel,armhf] 8685/1: ensure memblock-limit is pmd-aligned
    - [x86] tools arch: Sync arch/x86/lib/memcpy_64.S with the kernel
    - [x86] boot/KASLR: Fix kexec crash due to 'virt_addr' calculation bug
    - [x86] mpx: Correctly report do_mpx_bt_fault() failures to user-space
    - [x86] mm: Fix flush_tlb_page() on Xen
    - ocfs2: o2hb: revert hb threshold to keep compatible
    - iommu/vt-d: Don't over-free page table directories
    - iommu: Handle default domain attach failure
    - iommu/dma: Don't reserve PCI I/O windows
    - iommu/amd: Fix incorrect error handling in amd_iommu_bind_pasid()
    - iommu/amd: Fix interrupt remapping when disable guest_mode
    - cpufreq: s3c2416: double free on driver init error path
    - clk: scpi: don't add cpufreq device if the scpi dvfs node is disabled
    - brcmfmac: avoid writing channel out of allocated array
    - i2c: brcmstb: Fix START and STOP conditions
    - mtd: nand: brcmnand: Check flash #WP pin status before nand erase/program
    - [arm64] fix NULL dereference in have_cpu_die()
    - [x86] KVM: fix emulation of RSM and IRET instructions
    - [x86] KVM: vPMU: fix undefined shift in intel_pmu_refresh()
    - [x86] KVM: zero base3 of unusable segments
    - [x86] KVM: nVMX: Fix exception injection
    https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.37
    - fs: add a VALID_OPEN_FLAGS
    - fs: completely ignore unknown open flags
    - driver core: platform: fix race condition with driver_override (CVE-2017-12146)
    - ceph: choose readdir frag based on previous readdir reply
    - tracing/kprobes: Allow to create probe with a module name
starting with a digit - media: entity: Fix stream count check - usb: dwc3: replace %p with %pK - USB: serial: cp210x: add ID for CEL EM3588 USB ZigBee stick - Add USB quirk for HVR-950q to avoid intermittent device resets - usb: usbip: set buffer pointers to NULL after free - usb: Fix typo in the definition of Endpoint[out]Request - USB: core: fix device node leak - mac80211_hwsim: Replace bogus hrtimer clockid - sysctl: don't print negative flag for proc_douintvec - sysctl: report EINVAL if value is larger than UINT_MAX for proc_douintvec - [arm64] pinctrl: qcom: ipq4019: add missing pingroups for pins > 70 - [arm64] pinctrl: meson: meson8b: fix the NAND DQS pins - [x86] pinctrl: cherryview: Add terminate entry for dmi_system_id tables - [armhf] pinctrl: sunxi: Fix SPDIF function name for A83T - xhci: Limit USB2 port wake support for AMD Promontory hosts - gfs2: Fix glock rhashtable rcu bug - tpm: fix a kernel memory leak in tpm-sysfs.c - [x86] uaccess: Optimize copy_user_enhanced_fast_string() for short strings - ath10k: override CE5 config for QCA9377 - KEYS: Fix an error code in request_master_key() - crypto: drbg - Fixes panic in wait_for_completion call - RDMA/uverbs: Check port number supplied by user verbs cmds - rt286: add Thinkpad Helix 2 to force_combo_jack_table https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.38 - Add "shutdown" to "struct class". - tpm: Issue a TPM2_Shutdown for TPM2 devices. 
- perf thread_map: Correctly size buffer used with dirent->dt_name - perf tests: Avoid possible truncation with dirent->d_name + snprintf - perf bench numa: Avoid possible truncation when using snprintf() - perf header: Fix handling of PERF_EVENT_UPDATE__SCALE - perf scripting perl: Fix compile error with some perl5 versions - perf probe: Fix to probe on gcc generated symbols for offline kernel - perf probe: Add error checks to offline probe post-processing - md: fix incorrect use of lexx_to_cpu in does_sb_need_changing - md: fix super_offset endianness in super_1_rdev_size_change - locking/rwsem-spinlock: Fix EINTR branch in __down_write_common() - staging: vt6556: vnt_start Fix missing call to vnt_key_init_table. - staging: comedi: fix clean-up of comedi_class in comedi_init() - crypto: caam - fix gfp allocation flags (part I) - crypto: rsa-pkcs1pad - use constant time memory comparison for MACs - ext4: check return value of kstrtoull correctly in reserved_clusters_store - [x86] mm/pat: Don't report PAT on CPUs that don't support it - saa7134: fix warm Medion 7134 EEPROM read https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.39 - xen-netfront: Rework the fix for Rx stall during OOM and network stress - net_sched: fix error recovery at qdisc creation - net: sched: Fix one possible panic when no destroy callback - net/phy: micrel: configure intterupts after autoneg workaround - ipv6: avoid unregistering inet6_dev for loopback - net: dp83640: Avoid NULL pointer dereference. 
- tcp: reset sk_rx_dst in tcp_disconnect() - net: prevent sign extension in dev_get_stats() - bridge: mdb: fix leak on complete_info ptr on fail path - rocker: move dereference before free - bpf: prevent leaking pointer via xadd on unpriviledged - net: handle NAPI_GRO_FREE_STOLEN_HEAD case also in napi_frags_finish() - net/mlx5: Cancel delayed recovery work when unloading the driver - liquidio: fix bug in soft reset failure detection - net/mlx5e: Fix TX carrier errors report in get stats ndo - ipv6: dad: don't remove dynamic addresses if link is down - vxlan: fix hlist corruption - net: core: Fix slab-out-of-bounds in netdev_stats_to_stats64 - net: ipv6: Compare lwstate in detecting duplicate nexthops - vrf: fix bug_on triggered by rx when destroying a vrf - rds: tcp: use sock_create_lite() to create the accept socket - brcmfmac: Fix a memory leak in error handling path in 'brcmf_cfg80211_attach' - brcmfmac: Fix glom_skb leak in brcmf_sdiod_recv_chain - sfc: don't read beyond unicast address list - cfg80211: Define nla_policy for NL80211_ATTR_LOCAL_MESH_POWER_MODE - cfg80211: Validate frequencies nested in NL80211_ATTR_SCAN_FREQUENCIES - cfg80211: Check if PMKID attribute is of expected size - cfg80211: Check if NAN service ID is of expected size - irqchip/gic-v3: Fix out-of-bound access in gic_set_affinity - thp, mm: fix crash due race in MADV_FREE handling - kernel/extable.c: mark core_kernel_text notrace - mm/list_lru.c: fix list_lru_count_node() to be race free - fs/dcache.c: fix spin lockup issue on nlru->lock - binfmt_elf: use ELF_ET_DYN_BASE only for PIE (CVE-2017-1000370, CVE-2017-1000371) - [armel,armhf] move ELF_ET_DYN_BASE to 4MB - [arm64] move ELF_ET_DYN_BASE to 4GB / 4MB - [powerpc*] move ELF_ET_DYN_BASE to 4GB / 4MB - [s390x] reduce ELF_ET_DYN_BASE - exec: Limit arg stack to at most 75% of _STK_LIM - [arm64] dts: marvell: armada37xx: Fix timer interrupt specifiers - vt: fix unchecked __put_user() in tioclinux ioctls - rcu: Add memory barriers for NOCB 
leader wakeup - nvmem: core: fix leaks on registration errors - mnt: In umount propagation reparent in a separate pass - mnt: In propgate_umount handle visiting mounts in any order - mnt: Make propagate_umount less slow for overlapping mount propagation trees - selftests/capabilities: Fix the test_execve test - mm: fix overflow check in expand_upwards() - crypto: talitos - Extend max key length for SHA384/512-HMAC and AEAD - [x86] crypto: sha1-ssse3 - Disable avx2 - crypto: caam - properly set IV after {en,de}crypt - crypto: caam - fix signals handling - Revert "sched/core: Optimize SCHED_SMT" - sched/fair, cpumask: Export for_each_cpu_wrap() - sched/topology: Fix building of overlapping sched-groups - sched/topology: Optimize build_group_mask() - sched/topology: Fix overlapping sched_group_mask - PM / wakeirq: Convert to SRCU - PM / QoS: return -EINVAL for bogus strings - tracing: Use SOFTIRQ_OFFSET for softirq dectection for more accurate results - [x86] kvm: vmx: Do not disable intercepts for BNDCFGS - [x86] kvm: Guest BNDCFGS requires guest MPX support - [x86] kvm: vmx: Check value written to IA32_BNDCFGS - [x86] kvm: vmx: allow host to access guest MSR_IA32_BNDCFGS https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.40 - dm mpath: cleanup -Wbool-operation warning in choose_pgpath() - s5p-jpeg: don't return a random width/height - thermal: max77620: fix device-node reference imbalance - thermal: cpu_cooling: Avoid accessing potentially freed structures - ath9k: fix tx99 use after free - ath9k: fix tx99 bus error - ath9k: fix an invalid pointer dereference in ath9k_rng_stop() - NFC: fix broken device allocation - NFC: nfcmrvl_uart: add missing tty-device sanity check - NFC: nfcmrvl: do not use device-managed resources - NFC: nfcmrvl: use nfc-device for firmware download - NFC: nfcmrvl: fix firmware-management initialisation - nfc: Ensure presence of required attributes in the activate_target handler - nfc: Fix the sockaddr length sanitization in 
llcp_sock_connect - NFC: Add sockaddr length checks before accessing sa_family in bind handlers - [x86] perf intel-pt: Move decoder error setting into one condition - [x86] perf intel-pt: Improve sample timestamp - [x86] perf intel-pt: Fix missing stack clear - [x86] perf intel-pt: Ensure IP is zero when state is INTEL_PT_STATE_NO_IP - [x86] perf intel-pt: Fix last_ip usage - [x86] perf intel-pt: Ensure never to set 'last_ip' when packet 'count' is zero - [x86] perf intel-pt: Use FUP always when scanning for an IP - [x86] perf intel-pt: Clear FUP flag on error - Bluetooth: use constant time memory comparison for secret values - wlcore: fix 64K page support - btrfs: Don't clear SGID when inheriting ACLs - igb: Explicitly select page 0 at initialization - ASoC: compress: Derive substream from stream based on direction - PM / Domains: Fix unsafe iteration over modified list of device links - PM / Domains: Fix unsafe iteration over modified list of domain providers - PM / Domains: Fix unsafe iteration over modified list of domains - scsi: ses: do not add a device to an enclosure if enclosure_add_links() fails. 
- scsi: Add STARGET_CREATED_REMOVE state to scsi_target_state - iscsi-target: Add login_keys_workaround attribute for non RFC initiators - xen/scsiback: Fix a TMR related use-after-free - [powerpc*] pseries: Fix passing of pp0 in updatepp() and updateboltedpp() - [powerpc*/*64*] Fix atomic64_inc_not_zero() to return an int - [powerpc*] Fix emulation of mcrf in emulate_step() - [powerpc*] Fix emulation of mfocrf in emulate_step() - [powerpc*] asm: Mark cr0 as clobbered in mftb() - [powerpc*] mm/radix: Properly clear process table entry - af_key: Fix sadb_x_ipsecrequest parsing - PCI: Work around poweroff & suspend-to-RAM issue on Macbook Pro 11 - PCI: rockchip: Use normal register bank for config accessors - PCI/PM: Restore the status of PCI devices across hibernation - ipvs: SNAT packet replies only for NATed connections - xhci: fix 20000ms port resume timeout - xhci: Fix NULL pointer dereference when cleaning up streams for removed host - xhci: Bad Ethernet performance plugged in ASM1042A host - mxl111sf: Fix driver to use heap allocate buffers for USB messages - usb: storage: return on error to avoid a null pointer dereference - USB: cdc-acm: add device-id for quirky printer - usb: renesas_usbhs: fix usbhsc_resume() for !USBHSF_RUNTIME_PWCTRL - usb: renesas_usbhs: gadget: disable all eps when the driver stops - md: don't use flush_signals in userspace processes - [x86] xen: allow userspace access during hypercalls - cx88: Fix regression in initial video standard setting - libnvdimm, btt: fix btt_rw_page not returning errors - libnvdimm: fix badblock range handling of ARS range - Raid5 should update rdev->sectors after reshape - [s390x] syscalls: Fix out of bounds arguments access - drm/amd/amdgpu: Return error if initiating read out of range on vram - drm/radeon/ci: disable mclk switching for high refresh rates (v2) - drm/radeon: Fix eDP for single-display iMac10,1 (v2) - ipmi: use rcu lock around call to intf->handlers->sender() - ipmi:ssif: Add missing unlock 
in error branch - xfs: Don't clear SGID when inheriting ACLs - f2fs: sanity check size of nat and sit cache - f2fs: Don't clear SGID when inheriting ACLs - drm/ttm: Fix use-after-free in ttm_bo_clean_mm - ovl: drop CAP_SYS_RESOURCE from saved mounter's credentials - vfio: Fix group release deadlock - vfio: New external user group/file match - nvme-rdma: remove race conditions from IB signalling - ftrace: Fix uninitialized variable in match_records() - [mips*] Fix mips_atomic_set() retry condition - [mips*] Fix mips_atomic_set() with EVA - [mips*] Negate error syscall return in trace - ubifs: Don't leak kernel memory to the MTD - ACPI / EC: Drop EC noirq hooks to fix a regression - Revert "ACPI / EC: Enable event freeze mode..." to fix a regression - [x86] acpi: Prevent out of bound access caused by broken ACPI tables - [x86] ioapic: Pass the correct data to unmask_ioapic_irq() - [mips*] Fix MIPS I ISA /proc/cpuinfo reporting - [mips*] Save static registers before sysmips - [mips*] Actually decode JALX in `__compute_return_epc_for_insn' - [mips*] Fix unaligned PC interpretation in `compute_return_epc' - [mips*] math-emu: Prevent wrong ISA mode instruction emulation - [mips*] Send SIGILL for BPOSGE32 in `__compute_return_epc_for_insn' - [mips*] Send SIGILL for linked branches in `__compute_return_epc_for_insn' - [mips*] Send SIGILL for R6 branches in `__compute_return_epc_for_insn' - [mips*] Fix a typo: s/preset/present/ in r2-to-r6 emulation error message - Input: i8042 - fix crash at boot time - IB/iser: Fix connection teardown race condition - IB/core: Namespace is mandatory input for address resolution - sunrpc: use constant time memory comparison for mac - NFS: only invalidate dentrys that are clearly invalid. 
- udf: Fix deadlock between writeback and udf_setsize() - target: Fix COMPARE_AND_WRITE caw_sem leak during se_cmd quiesce - iser-target: Avoid isert_conn->cm_id dereference in isert_login_recv_done - perf annotate: Fix broken arrow at row 0 connecting jmp instruction to its target - staging: rtl8188eu: add TL-WN722N v2 support - staging: comedi: ni_mio_common: fix AO timer off-by-one regression - staging: sm750fb: avoid conflicting vesafb - staging: lustre: ko2iblnd: check copy_from_iter/copy_to_iter return code - ceph: fix race in concurrent readdir - RDMA/core: Initialize port_num in qp_attr - drm/mst: Fix error handling during MST sideband message reception - drm/mst: Avoid dereferencing a NULL mstb in drm_dp_mst_handle_up_req() - drm/mst: Avoid processing partially received up/down message transactions - mlx5: Avoid that mlx5_ib_sg_to_klms() overflows the klms[] array - hfsplus: Don't clear SGID when inheriting ACLs - ovl: fix random return value on mount - acpi/nfit: Fix memory corruption/Unregister mce decoder on failure - of: device: Export of_device_{get_modalias, uvent_modalias} to modules - spmi: Include OF based modalias in device uevent - reiserfs: Don't clear SGID when inheriting ACLs - PM / Domains: defer dev_pm_domain_set() until genpd->attach_dev succeeds if present - tracing: Fix kmemleak in instance_rmdir - alarmtimer: don't rate limit one-shot timers https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.41 - af_key: Add lock to key dump - pstore: Make spinlock per zone instead of global - net: reduce skb_warn_bad_offload() noise - jfs: Don't clear SGID when inheriting ACLs - ALSA: fm801: Initialize chip after IRQ handler is registered - ALSA: hda - Add missing NVIDIA GPU codec IDs to patch table - [powerpc*] pseries: Fix of_node_put() underflow during reconfig remove - NFS: invalidate file size when taking a lock. 
- NFSv4.1: Fix a race where CB_NOTIFY_LOCK fails to wake a waiter - crypto: authencesn - Fix digest_null crash - [powerpc*] KVM: Book3S HV: Enable TM before accessing TM registers - md/raid5: add thread_group worker async_tx_issue_pending_all - drm/nouveau/disp/nv50-: bump max chans to 21 - drm/nouveau/bar/gf100: fix access to upper half of BAR2 - [powerpc*] KVM: Book3S HV: Restore critical SPRs to host values on guest exit - [powerpc*] KVM: Book3S HV: Save/restore host values of debug registers - [powerpc*] Revert "powerpc/numa: Fix percpu allocations to be NUMA aware" - Staging: comedi: comedi_fops: Avoid orphaned proc entry - smp/hotplug: Move unparking of percpu threads to the control CPU - smp/hotplug: Replace BUG_ON and react useful - nfc: Fix hangup of RC-S380* in port100_send_ack() - nfc: fdp: fix NULL pointer dereference - net: phy: Do not perform software reset for Generic PHY - isdn: Fix a sleep-in-atomic bug - ath10k: fix null deref on wmi-tlv when trying spectral scan - wil6210: fix deadlock when using fw_no_recovery option - mailbox: always wait in mbox_send_message for blocking Tx mode - mailbox: skip complete wait event if timer expired - mailbox: handle empty message in tx_tick - sched/cgroup: Move sched_online_group() back into css_online() to fix crash - RDMA/uverbs: Fix the check for port number - ipmi/watchdog: fix watchdog timeout set on reboot - v4l: s5c73m3: fix negation operator - pstore: Allow prz to control need for locking - pstore: Correctly initialize spinlock and flags - pstore: Use dynamic spinlock initializer - net: skb_needs_check() accepts CHECKSUM_NONE for tx - device-dax: fix sysfs duplicate warnings - [x86] mce/AMD: Make the init code more robust - r8169: add support for RTL8168 series add-on card. 
- [armhf] omap2+: fixing wrong strcat for Non-NULL terminated string - dt-bindings: power/supply: Update TPS65217 properties - dt-bindings: input: Specify the interrupt number of TPS65217 power button - [armhf] dts: n900: Mark eMMC slot with no-sdio and no-sd flags - net/mlx5: Disable RoCE on the e-switch management port under switchdev mode - ipv6: Should use consistent conditional judgement for ip6 fragment between __ip6_append_data and ip6_finish_output - net/mlx4_core: Use-after-free causes a resource leak in flow-steering detach - net/mlx4: Remove BUG_ON from ICM allocation routine - net/mlx4_core: Fix raw qp flow steering rules under SRIOV - [arm64] drm/msm: Ensure that the hardware write pointer is valid - [arm64] drm/msm: Put back the vaddr in submit_reloc() - [arm64] drm/msm: Verify that MSM_SUBMIT_BO_FLAGS are set - irqchip/keystone: Fix "scheduling while atomic" on rt - ASoC: tlv320aic3x: Mark the RESET register as volatile - spi: dw: Make debugfs name unique between instances - ASoC: nau8825: fix invalid configuration in Pre-Scalar of FLL - irqchip/mxs: Enable SKIP_SET_WAKE and MASK_ON_SUSPEND - openrisc: Add _text symbol to fix ksym build error - dmaengine: ioatdma: Add Skylake PCI Dev ID - dmaengine: ioatdma: workaround SKX ioatdma version - l2tp: consider '::' as wildcard address in l2tp_ip6 socket lookup - dmaengine: ti-dma-crossbar: Add some 'of_node_put()' in error path. 
- usb: dwc3: omap: fix race of pm runtime with irq handler in probe - [arm64] zynqmp: Fix W=1 dtc 1.4 warnings - [arm64] zynqmp: Fix i2c node's compatible string - perf probe: Fix to get correct modname from elf header - ACPI / scan: Prefer devices without _HID/_CID for _ADR matching - usb: gadget: Fix copy/pasted error message - Btrfs: use down_read_nested to make lockdep silent - Btrfs: fix lockdep warning about log_mutex - benet: stricter vxlan offloading check in be_features_check - Btrfs: adjust outstanding_extents counter properly when dio write is split - [armhf] Xen: Zero reserved fields of xatp before making hypervisor call - tools lib traceevent: Fix prev/next_prio for deadline tasks - xfrm: Don't use sk_family for socket policy lookups - perf tools: Install tools/lib/traceevent plugins with install-bin - perf symbols: Robustify reading of build-id from sysfs - video: fbdev: cobalt_lcdfb: Handle return NULL error from devm_ioremap - vfio-pci: Handle error from pci_iomap - [arm64] mm: fix show_pte KERN_CONT fallout - nvmem: imx-ocotp: Fix wrong register size - net: usb: asix_devices: add .reset_resume for USB PM - ASoC: fsl_ssi: set fifo watermark to more reliable value - sh_eth: enable RX descriptor word 0 shift on SH7734 - ALSA: usb-audio: test EP_FLAG_RUNNING at urb completion - [x86] platform/intel-mid: Rename 'spidev' to 'mrfld_spidev' - [x86] perf: Set pmu->module in Intel PMU modules - [x86] ASoC: Intel: bytcr-rt5640: fix settings in internal clock mode - HID: ignore Petzl USB headlamp - scsi: fnic: Avoid sending reset to firmware when another reset is in progress - scsi: snic: Return error code on memory allocation failure - scsi: bfa: Increase requested firmware version to 3.2.5.1 - [x86] ASoC: Intel: Skylake: Release FW ctx in cleanup - ASoC: dpcm: Avoid putting stream state to STOP when FE stream is paused https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.42 - cgroup: create dfl_root files on subsys registration - cgroup: fix error 
return value from cgroup_subtree_control() - libata: array underflow in ata_find_dev() - workqueue: restore WQ_UNBOUND/max_active==1 to be ordered - iwlwifi: dvm: prevent an out of bounds access - brcmfmac: fix memleak due to calling brcmf_sdiod_sgtable_alloc() twice - NFSv4: Fix EXCHANGE_ID corrupt verifier issue - device property: Make dev_fwnode() public - mmc: core: Fix access to HS400-ES devices - mm, mprotect: flush TLB if potentially racing with a parallel reclaim leaving stale TLB entries - cpuset: fix a deadlock due to incomplete patching of cpusets_enabled() - ALSA: hda - Fix speaker output from VAIO VPCL14M1R - drm/amdgpu: Fix undue fallthroughs in golden registers initialization - ASoC: do not close shared backend dailink - KVM: async_pf: make rcu irq exit if not triggered from idle task - mm/page_alloc: Remove kernel address exposure in free_reserved_area() - timers: Fix overflow in get_next_timer_interrupt - [powerpc*] tm: Fix saving of TM SPRs in core dump - [powerpc*/*64*] Fix __check_irq_replay missing decrementer interrupt - iommu/amd: Enable ga_log_intr when enabling guest_mode - gpiolib: skip unwanted events, don't convert them to opposite edge - ext4: fix SEEK_HOLE/SEEK_DATA for blocksize < pagesize - ext4: fix overflow caused by missing cast in ext4_resize_fs() - [armhf] dts: armada-38x: Fix irq type for pca955 - media: platform: davinci: return -EINVAL for VPFE_CMD_S_CCDC_RAW_PARAMS ioctl - iscsi-target: Fix initial login PDU asynchronous socket close OOPs - mmc: dw_mmc: Use device_property_read instead of of_property_read - mmc: core: Use device_property_read instead of of_property_read - media: lirc: LIRC_GET_REC_RESOLUTION should return microseconds - f2fs: sanity check checkpoint segno and blkoff (CVE-2017-10663) - Btrfs: fix early ENOSPC due to delalloc - saa7164: fix double fetch PCIe access condition (CVE-2017-8831) - tcp_bbr: cut pacing rate only if filled pipe - tcp_bbr: introduce bbr_bw_to_pacing_rate() helper - tcp_bbr: introduce 
bbr_init_pacing_rate_from_rtt() helper - tcp_bbr: remove sk_pacing_rate=0 transient during init - tcp_bbr: init pacing rate on first RTT sample - ipv4: ipv6: initialize treq->txhash in cookie_v[46]_check() - net: Zero terminate ifr_name in dev_ifname(). - net: dsa: b53: Add missing ARL entries for BCM53125 - ipv4: initialize fib_trie prior to register_netdev_notifier call. - rtnetlink: allocate more memory for dev_set_mac_address() - mcs7780: Fix initialization when CONFIG_VMAP_STACK is enabled - openvswitch: fix potential out of bound access in parse_ct - packet: fix use-after-free in prb_retire_rx_blk_timer_expired() - ipv6: Don't increase IPSTATS_MIB_FRAGFAILS twice in ip6_fragment() - net: ethernet: nb8800: Handle all 4 RGMII modes identically - dccp: fix a memleak that dccp_ipv6 doesn't put reqsk properly - dccp: fix a memleak that dccp_ipv4 doesn't put reqsk properly - dccp: fix a memleak for dccp_feat_init err process - sctp: don't dereference ptr before leaving _sctp_walk_{params, errors}() - sctp: fix the check for _sctp_walk_params and _sctp_walk_errors - net/mlx5: Consider tx_enabled in all modes on remap - net/mlx5: Fix command bad flow on command entry allocation failure - net/mlx5e: Fix outer_header_zero() check size - net/mlx5e: Fix wrong delay calculation for overflow check scheduling - net/mlx5e: Schedule overflow check work to mlx5e workqueue - net: phy: Correctly process PHY_HALTED in phy_stop_machine() - xen-netback: correctly schedule rate-limited queues - wext: handle NULL extra data in iwe_stream_add_point better - sh_eth: fix EESIPR values for SH77{34|63} - sh_eth: R8A7740 supports packet shecksumming - net: phy: dp83867: fix irq generation - tg3: Fix race condition in tg3_get_stats64(). 
- [x86] boot: Add missing declaration of string functions - spi: spi-axi: Free resources on error path - ASoC: rt5645: set sel_i2s_pre_div1 to 2 - netfilter: use fwmark_reflect in nf_send_reset - phy state machine: failsafe leave invalid RUNNING state - ipv4: make tcp_notsent_lowat sysctl knob behave as true unsigned int - clk/samsung: exynos542x: mark some clocks as critical - scsi: qla2xxx: Get mutex lock before checking optrom_state - drm/virtio: fix framebuffer sparse warning - [armhf] dts: sunxi: Change node name for pwrseq pin on Olinuxino-lime2-emmc - iw_cxgb4: do not send RX_DATA_ACK CPLs after close/abort - nbd: blk_mq_init_queue returns an error code on failure, not NULL - virtio_blk: fix panic in initialization error path - [armel,armhf] 8632/1: ftrace: fix syscall name matching - mm, slab: make sure that KMALLOC_MAX_SIZE will fit into MAX_ORDER - lib/Kconfig.debug: fix frv build failure - signal: protect SIGNAL_UNKILLABLE from unintentional clearing. - mm: don't dereference struct page fields of invalid pages - net/mlx5: E-Switch, Re-enable RoCE on mode change only after FDB destroy - net: phy: Fix PHY unbind crash - workqueue: implicit ordered attribute should be overridable https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.43 - ppp: Fix false xmit recursion detect with two ppp devices - ppp: fix xmit recursion detection on ppp channels - tcp: avoid setting cwnd to invalid ssthresh after cwnd reduction states - net: fix keepalive code vs TCP_FASTOPEN_CONNECT - [s390x] bpf: fix jit branch offset related to ldimm64 - net/mlx4_en: don't set CHECKSUM_COMPLETE on SCTP packets - net: sched: set xt_tgchk_param par.nft_compat as 0 in ipt_init_target - tcp: fastopen: tcp_connect() must refresh the route - net: avoid skb_warn_bad_offload false positives on UFO - igmp: Fix regression caused by igmp sysctl namespace code. 
- packet: fix tp_reserve race in packet_set_ring (CVE-2017-1000111) - udp: consistently apply ufo or fragmentation (CVE-2017-1000112) - [armhf,arm64] KVM: Handle hva aging while destroying the vm https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.44 - mm: ratelimit PFNs busy info message - mm: fix list corruptions on shmem shrinklist - futex: Remove unnecessary warning from get_futex_key - mtd: nand: Fix timing setup for NANDs that do not support SET FEATURES - iscsi-target: fix memory leak in iscsit_setup_text_cmd() - iscsi-target: Fix iscsi_np reset hung task during parallel delete - target: Fix node_acl demo-mode + uncached dynamic shutdown regression - fuse: initialize the flock flag in fuse_file on allocation - nand: fix wrong default oob layout for small pages using soft ecc - mmc: mmc: correct the logic for setting HS400ES signal voltage - nfs/flexfiles: fix leak of nfs4_ff_ds_version arrays - drm/etnaviv: Fix off-by-one error in reloc checking - [x86] drm/i915: Fix out-of-bounds array access in bdw_load_gamma_lut - USB: serial: option: add D-Link DWM-222 device ID - USB: serial: cp210x: add support for Qivicon USB ZigBee dongle - USB: serial: pl2303: add new ATEN device id - usb: musb: fix tx fifo flush handling again - USB: hcd: Mark secondary HCD as dead if the primary one died - staging:iio:resolver:ad2s1210 fix negative IIO_ANGL_VEL read - iio: accel: bmc150: Always restore device to normal mode after suspend-resume - iio: light: tsl2563: use correct event code - staging: comedi: comedi_fops: do not call blocking ops when !TASK_RUNNING - uas: Add US_FL_IGNORE_RESIDUE for Initio Corporation INIC-3069 - usb: gadget: udc: renesas_usb3: Fix usb_gadget_giveback_request() calling - usb: renesas_usbhs: Fix UGCTRL2 value for R-Car Gen3 - USB: Check for dropped connection before switching to full speed - usb: core: unlink urbs from the tail of the endpoint's urb_list - usb: quirks: Add no-lpm quirk for Moshi USB to Ethernet Adapter - usb:xhci:Add quirk 
for Certain failing HP keyboard on reset after resume - iio: adc: vf610_adc: Fix VALT selection value for REFSEL bits - pnfs/blocklayout: require 64-bit sector_t - [armhf] pinctrl: sunxi: add a missing function of A10/A20 pinctrl driver - [x86] pinctrl: intel: merrifield: Correct UART pin lists - [armhf] pinctrl: samsung: Remove bogus irq_[un]mask from resource management - [arm64] pinctrl: meson-gxbb: Add missing GPIODV_18 pin entry https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.45 - netfilter: nf_ct_ext: fix possible panic after nf_ct_extend_unregister - audit: Fix use after free in audit_remove_watch_rule() - [x86] crypto: sha1 - Fix reads beyond the number of blocks passed - Input: elan_i2c - add ELAN0608 to the ACPI table - Input: elan_i2c - Add antoher Lenovo ACPI ID for upcoming Lenovo NB - ALSA: seq: 2nd attempt at fixing race creating a queue - ALSA: usb-audio: Apply sample rate quirk to Sennheiser headset - ALSA: usb-audio: Add mute TLV for playback volumes on C-Media devices - mm: discard memblock data later - mm: fix double mmap_sem unlock on MMF_UNSTABLE enforced SIGBUS - mm/mempolicy: fix use after free when calling get_mempolicy - [amd64,arm64] mm: revert x86_64 and arm64 ELF_ET_DYN_BASE base changes - xen: fix bio vec merging (CVE-2017-12134) (Closes: #866511) - blk-mq-pci: add a fallback when pci_irq_get_affinity returns NULL - [powerpc*] Fix VSX enabling/flushing to also test MSR_FP and MSR_VEC - xen-blkfront: use a right index when checking requests - [amd64] asm: Clear AC on NMI entries - genirq: Restore trigger settings in irq_modify_status() - genirq/ipi: Fixup checks against nr_cpu_ids - Sanitize 'move_pages()' permission checks - pids: make task_tgid_nr_ns() safe - usb: optimize acpi companion search for usb port devices - usb: qmi_wwan: add D-Link DWM-222 device ID https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.46 - af_key: do not use GFP_KERNEL in atomic contexts - dccp: purge write queue in dccp_destroy_sock() - 
dccp: defer ccid_hc_tx_delete() at dismantle time - ipv4: fix NULL dereference in free_fib_info_rcu() - net_sched/sfq: update hierarchical backlog when drop packet - net_sched: remove warning from qdisc_hash_add - bpf: fix bpf_trace_printk on 32 bit archs - openvswitch: fix skb_panic due to the incorrect actions attrlen - ptr_ring: use kmalloc_array() - ipv4: better IP_MAX_MTU enforcement - nfp: fix infinite loop on umapping cleanup - sctp: fully initialize the IPv6 address in sctp_v6_to_addr() - tipc: fix use-after-free - ipv6: reset fn->rr_ptr when replacing route - ipv6: repair fib6 tree in failure case - tcp: when rearming RTO, if RTO time is in past then fire RTO ASAP - net/mlx4_core: Enable 4K UAR if SRIOV module parameter is not enabled - irda: do not leak initialized list.dev to userspace - net: sched: fix NULL pointer dereference when action calls some targets - net_sched: fix order of queue length updates in qdisc_replace() - bpf, verifier: add additional patterns to evaluate_reg_imm_alu - bpf: adjust verifier heuristics - bpf, verifier: fix alu ops against map_value{, _adj} register types - bpf: fix mixed signed/unsigned derived min/max value bounds - bpf/verifier: fix min/max handling in BPF_SUB - Input: trackpoint - add new trackpoint firmware ID - Input: elan_i2c - add ELAN0602 ACPI ID to support Lenovo Yoga310 - Input: ALPS - fix two-finger scroll breakage in right side on ALPS touchpad - [s390x] KVM: sthyi: fix sthyi inline assembly - [s390x] KVM: sthyi: fix specification exception detection - [x86] KVM: block guest protection keys unless the host has them enabled - ALSA: usb-audio: Add delay quirk for H650e/Jabra 550a USB headsets - ALSA: core: Fix unexpected error at replacing user TLV - ALSA: hda - Add stereo mic quirk for Lenovo G50-70 (17aa:3978) - ALSA: firewire: fix NULL pointer dereference when releasing uninitialized data of iso-resource - mm, shmem: fix handling /sys/kernel/mm/transparent_hugepage/shmem_enabled - i2c: designware: Fix 
system suspend - mm/madvise.c: fix freeing of locked page with MADV_FREE - fork: fix incorrect fput of ->exe_file causing use-after-free - mm/memblock.c: reversed logic in memblock_discard() - drm: Release driver tracking before making the object available again - drm/atomic: If the atomic check fails, return its value first - tracing: Call clear_boot_tracer() at lateinit_sync - tracing: Fix kmemleak in tracing_map_array_free() - tracing: Fix freeing of filter in create_filter() when set_str is false - kbuild: linker script do not match C names unless LD_DEAD_CODE_DATA_ELIMINATION is configured - cifs: Fix df output for users with quota limits - cifs: return ENAMETOOLONG for overlong names in cifs_open()/cifs_lookup() - nfsd: Limit end of page list when decoding NFSv4 WRITE - ftrace: Check for null ret_stack on profile function graph entry function - perf/core: Fix group {cpu,task} validation - perf probe: Fix --funcs to show correct symbols for offline module - [x86] perf/intel/rapl: Make package handling more robust - timers: Fix excessive granularity of new timers after a nohz idle - [x86] mm: Fix use-after-free of ldt_struct - net: sunrpc: svcsock: fix NULL-pointer exception - Revert "leds: handle suspend/resume in heartbeat trigger" - netfilter: nat: fix src map lookup - Bluetooth: hidp: fix possible might sleep error in hidp_session_thread - Bluetooth: cmtp: fix possible might sleep error in cmtp_session - Bluetooth: bnep: fix possible might sleep error in bnep_session - iio: imu: adis16480: Fix acceleration scale factor for adis16480 - iio: hid-sensor-trigger: Fix the race with user space powering up sensors - staging: rtl8188eu: add RNX-N150NUB support - Clarify (and fix) MAX_LFS_FILESIZE macros - ntb_transport: fix qp count bug - ntb_transport: fix bug calculating num_qps_mw - NTB: ntb_test: fix bug printing ntb_perf results - ntb: no sleep in ntb_async_tx_submit - ntb: ntb_test: ensure the link is up before trying to configure the mws - ntb: transport 
shouldn't disable link due to bogus values in SPADs - ACPI: ioapic: Clear on-stack resource before using it - ACPI / APEI: Add missing synchronize_rcu() on NOTIFY_SCI removal - ACPI: EC: Fix regression related to wrong ECDT initialization order - [powerpc*] mm: Ensure cpumask update is ordered https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.47 - p54: memset(0) whole array - [armhf,arm64] kvm: Fix race in resetting stage2 PGD - [arm64] mm: abort uaccess retries upon fatal signal - [arm64] fpsimd: Prevent registers leaking across exec - scsi: sg: protect accesses to 'reserved' page array - scsi: sg: reset 'res_in_use' after unlinking reserved array . [ Ben Hutchings ] * [x86] KVM: fix singlestepping over syscall (CVE-2017-7518) * xfrm: policy: check policy direction value (CVE-2017-11600) * [armhf] udeb: Add sunxi_wdt to kernel-image (Closes: #866130) * udeb: Add dm-raid to md-modules (Closes: #868251) * [arm64] sound: Enable SND_HDA_INTEL as module (Closes: #867611) * [x86] ideapad-laptop: Add various IdeaPad models to no_hw_rfkill list (Closes: #866706) * firmware: dmi: Add DMI_PRODUCT_FAMILY identification string * firmware: dmi: Avoid ABI break for DMI_PRODUCT_FAMILY * [x86] pinctrl: cherryview: Extend the Chromebook DMI quirk to Intel_Strago systems (Closes: #862723) * [armhf] Add ARM Mali Midgard device tree bindings and gpu node for rk3288 (thanks to Guillaume Tucker) (Closes: #865646) * workqueue: Fix flag collision * Bump ABI to 4 * [mips*el/loongson-3] Select MIPS_L1_CACHE_SHIFT_6 (deferred from 4.9.30) * [rt] Update to 4.9.47-rt37: - sched: Prevent task state corruption by spurious lock wakeup - sched: Remove TASK_ALL - kernel/locking: use an exclusive wait_q for sleepers - sched/migrate disable: handle updated task-mask mg-dis section . [ Cyril Brulebois ] * [arm64,armhf] udeb: Ship usb3503 module in usb-modules, needed for e.g. Arndale development boards, thanks to Wei Liu (Closes: #865645). 
linux (4.9.30-2+deb9u5~bpo8+1) jessie-backports; urgency=medium . * Rebuild for jessie-backports: - Revert "[x86] psmouse: Enable MOUSE_PS2_VMMOUSE", which breaks xserver-xorg-input-vmmouse and several metapackages in jessie - Revert changes to use gcc-6 compiler, not found in jessie - Change ABI number to 0.bpo.3 - Revert changes to flex and asciidoc build-dependencies - linux-image-dbg: Revert changes to packaging of debug symbols - Revert "enable `perf data' support" as libbabeltrace is not available - [mips*] Disable RELOCATABLE and RANDOMIZE_BASE. . linux (4.9.30-2+deb9u5) stretch-security; urgency=medium . * [amd64] mm: revert ELF_ET_DYN_BASE base changes (fixes regression of ASan) . linux (4.9.30-2+deb9u4) stretch-security; urgency=high . * [x86] KVM: fix singlestepping over syscall (CVE-2017-7518) * binfmt_elf: use ELF_ET_DYN_BASE only for PIE (CVE-2017-1000370, CVE-2017-1000371) * ALSA: timer: Fix race between read and ioctl (CVE-2017-1000380) * ALSA: timer: Fix missing queue indices reset at SNDRV_TIMER_IOCTL_SELECT (CVE-2017-1000380) * xfrm: policy: check policy direction value (CVE-2017-11600) * packet: fix tp_reserve race in packet_set_ring (CVE-2017-1000111) * ipv6: Should use consistent conditional judgement for ip6 fragment between __ip6_append_data and ip6_finish_output * udp: consistently apply ufo or fragmentation (CVE-2017-1000112) * sctp: Avoid out-of-bounds reads from address storage (CVE-2017-7558) * xen: fix bio vec merging (CVE-2017-12134) (Closes: #866511) * driver core: platform: fix race condition with driver_override (CVE-2017-12146) * nl80211: check for the required netlink attributes presence (CVE-2017-12153) * [x86] kvm: nVMX: Don't allow L2 to access the hardware CR8 (CVE-2017-12154) * scsi: qla2xxx: Fix an integer overflow in sysfs code (CVE-2017-14051) * tcp: initialize rcv_mss to TCP_MIN_MSS instead of 0 (CVE-2017-14106) * Sanitize 'move_pages()' permission checks (CVE-2017-14140) * video: fbdev: aty: do not leak uninitialized 
padding in clk to userspace (CVE-2017-14156) * xfs: XFS_IS_REALTIME_INODE() should be false if no rt device present (CVE-2017-14340) * scsi: fix the issue that iscsi_if_rx doesn't parse nlmsg properly (CVE-2017-14489) * packet: Don't write vnet header beyond end of buffer (CVE-2017-14497) * Bluetooth: Properly check L2CAP config option output buffer length (CVE-2017-1000251) (Closes: #875881) * [x86] KVM: VMX: Do not BUG() on out-of-bounds guest IRQ (CVE-2017-1000252) . linux (4.9.30-2+deb9u3) stretch-security; urgency=high . * [x86] drm/vmwgfx: limit the number of mip levels in vmw_gb_surface_define_ioctl() (CVE-2017-7346) * rxrpc: Fix several cases where a padded len isn't checked in ticket decode (CVE-2017-7482) * brcmfmac: fix possible buffer overflow in brcmf_cfg80211_mgmt_tx() (CVE-2017-7541) * ipv6: avoid overflow of offset in ip6_find_1stfragopt (CVE-2017-7542) * [x86] drm/vmwgfx: Make sure backup_handle is always valid (CVE-2017-9605) * drm/virtio: don't leak bo on drm_gem_object_init failure (CVE-2017-10810) * xen-blkback: don't leak stack data via response ring (CVE-2017-10911) * mqueue: fix a use-after-free in sys_mq_notify() (CVE-2017-11176) * fs/exec.c: account for argv/envp pointers (CVE-2017-1000365) * dentry name snapshots (CVE-2017-7533) linux (4.9.30-2+deb9u3) stretch-security; urgency=high . 
* [x86] drm/vmwgfx: limit the number of mip levels in vmw_gb_surface_define_ioctl() (CVE-2017-7346) * rxrpc: Fix several cases where a padded len isn't checked in ticket decode (CVE-2017-7482) * brcmfmac: fix possible buffer overflow in brcmf_cfg80211_mgmt_tx() (CVE-2017-7541) * ipv6: avoid overflow of offset in ip6_find_1stfragopt (CVE-2017-7542) * [x86] drm/vmwgfx: Make sure backup_handle is always valid (CVE-2017-9605) * drm/virtio: don't leak bo on drm_gem_object_init failure (CVE-2017-10810) * xen-blkback: don't leak stack data via response ring (CVE-2017-10911) * mqueue: fix a use-after-free in sys_mq_notify() (CVE-2017-11176) * fs/exec.c: account for argv/envp pointers (CVE-2017-1000365) * dentry name snapshots (CVE-2017-7533) linux-latest (80+deb9u2) stretch; urgency=medium . * Update to 4.9.0-4 mailman (1:2.1.23-1+deb9u1) stretch; urgency=medium . * Fixed broken dependencies in SpamAssassin.py (Closes: #838288). Thanks Stephen Rothwell for the patch. mariadb-10.1 (10.1.26-0+deb9u1) stretch-security; urgency=high . * New upstream version 10.1.26. Includes fixes for the following security vulnerabilities: - CVE-2017-3636 - CVE-2017-3641 - CVE-2017-3653 * Explicitly add dh_systemd_start snippets to mariadb-server-10.1 because it's all messed up with different name for sysvinit ('mysql') and systemd ('mariadb') (Closes: #865870) * gbp.conf: Ignore upstream debian/ directory when importing upstream tarball * Refresh patches on top of MariaDB 10.1.26 mariadb-10.1 (10.1.25-1) unstable; urgency=medium . * New upstream version 10.1.25 * Update quilt patches on top of mariadb-10.1.25 release * Explicitly add dh_systemd_start snippets to mariadb-server-10.1 because it's all messed up with different name for sysvinit ('mysql') and systemd ('mariadb') (Closes: #865870) * Don't disable PIE, it's enabled by upstream anyway (Closes: #865737) * Add default socket location for client (Closes: #864662) mariadb-10.1 (10.1.24-6) unstable; urgency=medium . 
* Run invoke-rc.d mysql maintscript snippets only when running under sysvinit (Closes: #864593) mariadb-10.1 (10.1.24-5) unstable; urgency=medium . * Add @SYSTEMD_EXECSTARTPOST@ replacement token to mariadb@.service, so the /var/run/mysqld directory is created even for multi-server setup (Closes: #865083) mariadb-10.1 (10.1.24-4) unstable; urgency=medium . [ James Cowgill ] * Disable jemalloc on mips*. (Closes: #864340) * Update C11 atomics to have correct semantics (Closes: #864774) . [ Ondřej Surý ] * Refresh patches after C11 atomics patch update * Merge mytop script improvements from src:mytop package (Original patches by Philipp Matthias Hahn, Werner Detter, Olaf van der Spek, and Steffen Zieger) (Closes: #864762) . [ Svante Signell ] * Fix FTBFS on Debian GNU/Hurd (Closes: #861166) mariadb-10.1 (10.1.24-3) unstable; urgency=medium . * Team upload. * Add mips-innobase-atomic.patch, fixing FTBFS on 32-bit mips*, thanks to James Cowgill. (Closes: #864298) mariadb-10.1 (10.1.24-2) unstable; urgency=medium . * Add Breaks: cqrlog (<< 1.9.0-5~) to ensure correct upgrade order (Closes: #864159) mariadb-10.1 (10.1.24-1) unstable; urgency=medium . * New upstream version 10.1.24, includes fixes for the following high-priority regression fixes: + MDEV-11842: Fail to insert on a table where a field has no default + MDEV-12075: innodb_use_fallocate does not work in MariaDB Server 10.1.21 * Refresh patches on top of MariaDB 10.1.24 * Fix FTBFS in tests: Add cracklib-runtime to Build-Depends mate-power-manager (1.16.2-1+deb9u1) stretch; urgency=medium . [ Martin Wimpress ] * debian/patches: + Add 0001_do_not_abort_on_unknown_DBus_signal_name.patch. (Closes: #870121). mate-themes (3.22.11-1+deb9u1) stretch; urgency=medium . * debian/patches: + Add 0001_BlackMATE_change-menuitem-accelerator-font-color_b471395.patch and 0002_BlackMATE_fix-font-color-in-url-bar-of-google- chrome_bb1f13b.patch. Fix URL bar's font color in Google Chrome. (Closes: #864618). 
mate-tweak (16.10.5-1+deb9u1) stretch; urgency=medium . * debian/control: + Add D (mate-tweak): python3-gi. (Closes: #867976). mbedtls (2.4.2-1+deb9u1) stretch-security; urgency=high . * Fix CVE-2017-14032: If optional authentication is configured, allows remote attackers to bypass peer authentication via an X.509 certificate chain with many intermediates. (Closes: #873557) mbedtls (2.4.2-1+deb9u1~bpo8+1) jessie-backports; urgency=high . * Rebuild for jessie-backports. . mbedtls (2.4.2-1+deb9u1) stretch-security; urgency=high . * Fix CVE-2017-14032: If optional authentication is configured, allows remote attackers to bypass peer authentication via an X.509 certificate chain with many intermediates. (Closes: #873557) mercurial (4.0-1+deb9u1) stretch-security; urgency=high . * CVE-2017-1000116: command injection on clients through malicious ssh URLs * CVE-2017-1000115: path traversal via symlink * CVE-2017-9462: protect against malicious 'hg serve --stdio' invocations ncurses (6.0+20161126-1+deb9u1) stretch; urgency=medium . * Cherry-pick upstream fixes from the 20170701 and 20170708 patchlevels for various crash bugs in the tic library and the tic binary (CVE-2017-10684, CVE-2017-10685, CVE-2017-11112, CVE-2017-11113). * Backport termcap-format fix from the 20170715 patchlevel, repairing a regression from the above security fixes (see #868266). * Cherry-pick upstream fixes from the 20170826 patchlevel for more crash bugs in the tic library (CVE-2017-13728, CVE-2017-13729, CVE-2017-13730, CVE-2017-13731, CVE-2017-13732, CVE-2017-13734, Closes: #873723). * Cherry-pick upstream fixes from the 20170902 patchlevel to fix another crash bug in the tic program (CVE-2017-13733, Closes: #873746). newsbeuter (2.9-5+deb9u2) stretch-security; urgency=high . * Non-maintainer upload by the Security Team. * Work around shell code in podcast names (CVE-2017-14500) Remote code execution in podbeuter. (Closes: #876004) newsbeuter (2.9-5+deb9u1) stretch-security; urgency=high . 
* Fix RCE vulnerability on bookmark. (CVE-2017-12904) node-brace-expansion (1.1.6-1+deb9u1) stretch; urgency=medium . * Fix regular expression denial of service issue (Closes: 862712) node-dateformat (1.0.11-3+deb9u1) stretch; urgency=medium . [ Pirate Praveen ] * Set TZ=UTC for tests to fix FTBFS (Closes: #863934) ntp (1:4.2.8p10+dfsg-3+deb9u1) stretch; urgency=medium . * Build and install /usr/bin/sntp (Closes: #793837) sntp (the successor of ntpdate as general purpose NTP client) has been accidentally included in Jessie, dropped after Jessie, reintroduced too late for Stretch and is now included in Buster. Fix regression by building sntp and shipping it in ntp:any nvidia-graphics-drivers (375.82-1~deb9u1) stretch; urgency=medium . * Rebuild for stretch. . nvidia-graphics-drivers (375.82-1) unstable; urgency=high . * New upstream long lived branch release 375.82 (2017-07-24). * Fixed CVE-2017-6257, CVE-2017-6259. (Closes: #869783) - Fix a bug with GLX_EXT_buffer_age where incorrect buffer age values would be reported for SLI AFR configurations. In such configurations buffer age may now be greater than 3, the previous maximum buffer age. - Fixed a bug that could cause hanging and Xids when performing RandR transforms with Overlay and SLI enabled. - Extended the information reported by the NVIDIA Xinerama X extension to report PRIME displays in addition to directly-connected displays. - Fixed a bug that caused HDMI audio devices to appear or disappear inconsistently when HDMI devices were hotplugged or unplugged. - Fixed a bug that could cause driver errors when setting modes on X screens running at Depth 8 or Depth 15. - Added support for the following GPUs: GeForce GTX 1080 with Max-Q Design, GeForce GTX 1070 with Max-Q Design, GeForce GTX 1060 with Max-Q Design. - Fixed a bug that could cause intermittent kernel panics when running with PRIME Sync. - Fixed a bug that caused a kernel panic when hotplugging HDMI displays on some Zotac mini PCs. . 
[ Andreas Beckmann ] * nvidia-kernel-dkms: Honor parallel setting from dkms. (Closes: #864639) * Do not prevent ccache usage. The bug was fixed in ccache 3.0 (in squeeze). * Switch watch URL from ftp:// to https://. (Closes: #868815) . [ Luca Boccassi ] * Add support for buster in nvidia-detect. (Closes: #866126) * Update symbols files. nvidia-graphics-drivers (375.82-1~deb9u1~bpo8+1) jessie-backports; urgency=medium . * Rebuild for jessie-backports. . nvidia-graphics-drivers (375.82-1~deb9u1) stretch; urgency=medium . * Rebuild for stretch. . nvidia-graphics-drivers (375.82-1) unstable; urgency=high . * New upstream long lived branch release 375.82 (2017-07-24). * Fixed CVE-2017-6257, CVE-2017-6259. (Closes: #869783) - Fix a bug with GLX_EXT_buffer_age where incorrect buffer age values would be reported for SLI AFR configurations. In such configurations buffer age may now be greater than 3, the previous maximum buffer age. - Fixed a bug that could cause hanging and Xids when performing RandR transforms with Overlay and SLI enabled. - Extended the information reported by the NVIDIA Xinerama X extension to report PRIME displays in addition to directly-connected displays. - Fixed a bug that caused HDMI audio devices to appear or disappear inconsistently when HDMI devices were hotplugged or unplugged. - Fixed a bug that could cause driver errors when setting modes on X screens running at Depth 8 or Depth 15. - Added support for the following GPUs: GeForce GTX 1080 with Max-Q Design, GeForce GTX 1070 with Max-Q Design, GeForce GTX 1060 with Max-Q Design. - Fixed a bug that could cause intermittent kernel panics when running with PRIME Sync. - Fixed a bug that caused a kernel panic when hotplugging HDMI displays on some Zotac mini PCs. . [ Andreas Beckmann ] * nvidia-kernel-dkms: Honor parallel setting from dkms. (Closes: #864639) * Do not prevent ccache usage. The bug was fixed in ccache 3.0 (in squeeze). * Switch watch URL from ftp:// to https://. (Closes: #868815) . 
[ Luca Boccassi ] * Add support for buster in nvidia-detect. (Closes: #866126) * Update symbols files. . nvidia-graphics-drivers (375.66-2~deb9u1) stretch; urgency=medium . * Rebuild for stretch. . nvidia-graphics-drivers (375.66-2) unstable; urgency=medium . [ Andreas Beckmann ] * nvidia-vulkan-common: Add Conflicts: libgl1-nvidia-glx as a workaround for #864477 (wrong library referenced in nvidia_icd.json in non-GLVND setups). * nvidia-legacy-check.preinst: Verbose debug output can be enabled by setting DEBUG_NVIDIA_LEGACY_CHECK=yes in the environment. * nvidia-legacy-check: Bump Pre-Depends: nvidia-installer-cleanup to (>= 20151021) for smoother upgrades from jessie. (See: #864775) * Clean up upstream changelog entries. . [ Luca Boccassi ] * nvidia-driver.README.Debian: Add notes about GLVND vs non-GLVND flavours. nvidia-graphics-drivers (375.66-2) unstable; urgency=medium . [ Andreas Beckmann ] * nvidia-vulkan-common: Add Conflicts: libgl1-nvidia-glx as a workaround for #864477 (wrong library referenced in nvidia_icd.json in non-GLVND setups). * nvidia-legacy-check.preinst: Verbose debug output can be enabled by setting DEBUG_NVIDIA_LEGACY_CHECK=yes in the environment. * nvidia-legacy-check: Bump Pre-Depends: nvidia-installer-cleanup to (>= 20151021) for smoother upgrades from jessie. (See: #864775) * Clean up upstream changelog entries. . [ Luca Boccassi ] * nvidia-driver.README.Debian: Add notes about GLVND vs non-GLVND flavours. open-vm-tools (2:10.1.5-5055683-4+deb9u1) stretch; urgency=medium . * [dec8df6] Upstream fix for CVE-2015-5191 (Closes: #869633) * [ff10dcb] Update gbp.conf for stretch. open-vm-tools (2:10.1.5-5055683-4+deb9u1~bpo8+1) jessie-backports; urgency=medium . * Rebuild for jessie-backports. * Adding debian/gbp.conf for jessie-backports. * Revert "Stay with libssl1.0 for now." opendkim (2.11.0~alpha-10+deb9u1) stretch; urgency=medium . 
* Update opendkim service file so that /etc/opendkim.conf is used (Closes: #864162) * Start as root and drop privileges in opendkim so proper key file ownership works correctly * Add new options to /etc/opendkim.conf to match the above service file changes * Add an item in opendkim.NEWS to explain the changes * Correct the previous opendkim.NEWS item (to match the change in 2.11.0~alpha-10) openjdk-8 (8u141-b15-1~deb9u1) stretch-security; urgency=medium . * Rebuild for stretch-security openldap (2.4.44+dfsg-5+deb9u1) stretch; urgency=medium . * Relax the dependency of libldap-2.4-2 on libldap-common to also permit later versions. (Closes: #860774) * Disable test060-mt-hot on ppc64el temporarily to avoid failing tests until the underlying kernel bug #866122 is fixed. * Fix upgrade failure when olcSuffix contains a backslash. (Closes: #864719) * Import upstream patch to avoid reading the value of the LDAP_OPT_X_TLS_REQUIRE_CERT option from previously freed memory. (ITS#8385) (Closes: #820244) * Import upstream patch to fix potential endless replication loop in a multi-master delta-syncrepl scenario with 3 or more nodes. (ITS#8432) (Closes: #868753) * Import upstream patches to fix memory corruption caused by calling sasl_client_init() multiple times and possibly concurrently. (ITS#8648) (Closes: #860947) openvpn (2.4.0-6+deb9u2) stretch; urgency=medium . * Fix broken reconnect on connection loss due to wrong push digest calculation. Thanks to Patrick Matthäi for testing (Closes: #863110) osinfo-db (0.20170811-1~deb9u1) stretch; urgency=medium . * Rebuild for stretch osinfo-db (0.20170707-2) unstable; urgency=medium . * [c821b78] debian: switch to archive URLs for stretch osinfo-db (0.20170707-1) unstable; urgency=medium . * [1428d41] New upstream version 0.20170707 * [1f875ee] Run make check during * [a906220] Drop all patches - all applied upstream osinfo-db (0.20170225-3) unstable; urgency=medium . * [c058963] Update Jessie DVD links. 
* [745d2f5] Add Debian Stretch (Closes: #864923) pcb-rnd (1.1.4-2) stable; urgency=high . * security patch from upstream to eliminate execution of code from a maliciously formed design file perl (5.24.1-3+deb9u2) stretch-security; urgency=high . * Update upstream base.pm no-dot-in-inc fix patch description. * [SECURITY] CVE-2017-12837: Fix a heap buffer overflow in regular expression compiler. (Closes: #875596) * [SECURITY] CVE-2017-12883: Fix a buffer over-read in regular expression parser. (Closes: #875597) postfix (3.1.6-0+deb9u1) stretch; urgency=medium . [Wietse Venema] . * New Upstream 3.1.5 - Compatibility fix (introduced: Postfix 3.1): some Milter applications do not recognize macros sent as {name} when macros have single-character names. Postfix now sends such macros without {} as it has done historically. Viktor Dukhovni. File: milter/milter.c. - Safety net: append a null byte to vstring buffers, so that C-style string operations won't scribble past the end. File: vstring.c. - Workaround (introduced: Postfix 3.0 20140718): prevent MIME downgrade of Postfix-generated message/delivery status. It's supposed to be 7bit, therefore quoted-printable encoding is not expected. Problem reported by Griff. File: bounce/bounce_notify_util.c. * New Upstream 3.1.6 - Security: Berkeley DB 2 and later try to read settings from a file DB_CONFIG in the current directory. This undocumented feature may introduce undisclosed vulnerabilities resulting in privilege escalation with Postfix set-gid programs (postdrop, postqueue) before they chdir to the Postfix queue directory, and with the postmap and postalias commands depending on whether the user's current directory is writable by other users. This fix does not change Postfix behavior for Berkeley DB < 3, but reduces file create performance for Berkeley DB 3 .. 4.6. File: util/dict_db.c. Closes: #864942 . [Scott Kitterman] . 
* Refresh debian/patches/11_postmap_update.diff * Use full path to main.cf in postfix-instance-generator. Closes: #873957 postgresql-9.6 (9.6.4-0+deb9u1) stretch-security; urgency=high . * New upstream security release. . + Further restrict visibility of pg_user_mappings.umoptions, to protect passwords stored as user mapping options. See the release notes for instructions for applying the fix to existing database clusters. (CVE-2017-7547; extends fix for CVE-2017-7484) + Disallow empty passwords in all password-based authentication methods. (CVE-2017-7546) + Make lo_put() check for UPDATE privilege on the target large object. (CVE-2017-7548) . * Remove debian/patches/s390x-fpic, implemented upstream. postgresql-9.6 (9.6.3-4) unstable; urgency=medium . * 69db3b0c: Fix hstore_plperlu test failure. (Closes: #865020) * On regression test failure, show newest three log files instead of relying on file age = 0 min. pyjwt (1.4.2-1+deb9u1) stretch-security; urgency=medium . * CVE-2017-11424 python-pampy (1.8.2-1+deb9u1) stretch; urgency=medium . [ Ondřej Nový ] * debian/control: + Fix typo in D (python3-pampy): Change ${python:Depends} to ${python3:Depends}. Spotted by Adrian Bunk. (Closes: #867447). qemu (1:2.8+dfsg-6+deb9u2) stretch-security; urgency=high . 
* actually apply the nbd server patches, not only include in debian/patches/ Really closes: #865755, CVE-2017-9524 * slirp-check-len-against-dhcp-options-array-end-CVE-2017-11434.patch Closes: #869171, CVE-2017-11434 * exec-use-qemu_ram_ptr_length-to-access-guest-ram-CVE-2017-11334.patch Closes: #869173, CVE-2017-11334 * usb-redir-fix-stack-overflow-in-usbredir_log_data-CVE-2017-10806.patch Closes: #867751, CVE-2017-10806 * add reference to #869706 to xen-disk-don-t-leak-stack-data-via-response-ring-CVE-2017-10911.patch * disable xhci recursive calls fix for now, as it causes instant crash (xhci-guard-xhci_kick_epctx-against-recursive-calls-CVE-2017-9375.patch) Reopens: #864219, CVE-2017-9375 Closes: #869945 qemu (1:2.8+dfsg-6+deb9u1) stretch-security; urgency=high . * net-e1000e-fix-an-infinite-loop-issue-CVE-2017-9310.patch Closes: #863840, CVE-2017-9310 * usb-ohci-fix-error-return-code-in-servicing-iso-td-CVE-2017-9330.patch Closes: #863943, CVE-2017-9330 * ide-ahci-call-cleanup-function-in-ahci-unit-CVE-2017-9373.patch Closes: #864216, CVE-2017-9373 * xhci-guard-xhci_kick_epctx-against-recursive-calls-CVE-2017-9375.patch Closes: #864219, CVE-2017-9375 * usb-ehci-fix-memory-leak-in-ehci-CVE-2017-9374.patch Closes: #864568, CVE-2017-9374 * nbd-ignore-SIGPIPE-CVE-2017-10664.patch Closes: #866674, CVE-2017-10664 * nbd-fully-initialize-client-in-case-of-failed-negotiation-CVE-2017-9524.patch nbd-fix-regression-on-resiliency-to-port-scan-CVE-2017-9524.patch Closes: #865755, CVE-2017-9524 * xen-disk-don-t-leak-stack-data-via-response-ring-CVE-2017-10911.patch Closes: CVE-2017-10911 request-tracker4 (4.4.1-3+deb9u3) stretch; urgency=medium . * Fix regression in previous security release where incorrect SHA256 passwords could trigger an error ruby-gnome2 (3.1.0-1+deb9u1) stretch; urgency=medium . * Team upload. . [ HIGUCHI Daisuke (VDR dai) ] * ruby-{gdk3,gtksourceview2,pango,poppler}: Add missing dependencies (Closes: #874365). 
ruby-mixlib-archive (0.2.0-1+deb9u1) stretch-security; urgency=high . * Prevent directory traversal attack CVE-2017-1000026 (Closes: #868572) ruby-rack-cors (0.4.0-1+deb9u1) stretch-security; urgency=medium . * CVE-2017-11173 ruby2.3 (2.3.3-1+deb9u1) stretch-security; urgency=high . * Fix arbitrary heap exposure problem in the JSON library (Closes: #873906) [CVE-2017-14064] - Backported for Ruby 2.3 by Hiroshi SHIBATA https://bugs.ruby-lang.org/issues/13853 * Fix multiple security vulnerabilities in Rubygems (Closes: #873802) - Fix a DNS request hijacking vulnerability. Discovered by Jonathan Claudius, fix by Samuel Giddins. [CVE-2017-0902] - Fix an ANSI escape sequence vulnerability. Discovered by Yusuke Endoh, fix by Evan Phoenix. [CVE-2017-0899] - Fix a DOS vulnerability in the query command. Discovered by Yusuke Endoh, fix by Samuel Giddins. [CVE-2017-0900] - Fix a vulnerability in the gem installer that allowed a malicious gem to overwrite arbitrary files. Discovered by Yusuke Endoh, fix by Samuel Giddins. [CVE-2017-0901] * Fix SMTP comment injection (Closes: #864860) Patch by Shugo Maeda [CVE-2015-9096] * Fix IV Reuse in GCM Mode (Closes: #842432) Patch by Kazuki Yamaguchi [CVE-2016-7798] samba (2:4.5.12+dfsg-2) stretch; urgency=high . * This is a security release in order to address the following defects: - CVE-2017-12150: Some code path don't enforce smb signing, when they should - CVE-2017-12151: Keep required encryption across SMB3 dfs redirects - CVE-2017-12163: Server memory information leak over SMB1 samba (2:4.5.12+dfsg-1) stretch; urgency=medium . 
* gbp.conf: change debian-branch to stretch * New upstream version - Remove CVE-2017-11103-Orpheus-Lyre-KDC-REP-service-name-val.patch, merged - Remove CVE-2017-7494.patch, merged - Fix "Non-kerberos logins fails on winbind 4.X when krb5_auth is configured in PAM" (Closes: #739768) * Stability fixes backported from sid: - Properly quote subshell invocation in samba-common.preinst (Closes: #771689) - Fix typo s/DESTIDR/DESTDIR/ in d/rules - sysv: Use --pidfile in addition to --exec to avoid matching daemons in containers (Closes: #810794) - Fix libpam-winbind.prerm to be multiarch-safe (Closes: #647430) - Add missing logrotate for /var/log/samba/log.samba (Closes: #803924) - Fix outdated DNS Root servers (Closes: #865406) - Fix logrotate for /var/log/samba/log.samba to send SIGHUP to all processes of the service (systemd only) - Fix samba.logrotate (Thanks Thomas A. Reim) samba (2:4.5.8+dfsg-2+deb9u1) stretch-security; urgency=high . * This is a security release in order to address the following defect: - CVE-2017-11103: Orpheus' Lyre KDC-REP service name validation (Closes: #868209) smplayer (16.11.0~ds0-1+deb9u1) stretch; urgency=high . * Merge from upstream fix connections to youtube. (Closes: #869411) speech-dispatcher (0.8.6-4+deb9u1) stretch; urgency=medium . * patches/spd-conf: Fix spd-conf (Closes: #860898). strongswan (5.5.1-4+deb9u1) stretch-security; urgency=medium . * debian/patches: - CVE-2017-11185 added, fix insufficient input validation in gmp plugin which could lead to denial of service (CVE-2017-11185) - convert CVE-2017-9022_insufficient_input_validation_gmp_plugin and CVE-2017-9023_incorrect_handling_of_choice_types_in_asn1_parser to the UNIX file format. subversion (1.9.5-1+deb9u1) stretch-security; urgency=high . * patches/CVE-2017-9800: Arbitrary code execution on clients through malicious svn+ssh URLs in svn:externals and svn:sync-from-url supervisor (3.3.1-1+deb9u1) stretch-security; urgency=high . 
* Non-maintainer upload by the Security Team. * Disable object traversal in XML-RPC dispatch (CVE-2017-11610) (Closes: #870187) suricata (3.2.1-1+deb9u1) stretch; urgency=medium . * [c1260ec] suricata: add patch "asn1/der: limit recursion" swift (2.10.2-1~deb9u1) stretch; urgency=medium . * New upstream stable release * Removed patches applied upstream: - Quarantine_malformed_database_schema_SQLite_errors.patch - For_any_part_only_one_replica_can_move_in_a_rebalance.patch - FTBFS_i386.patch tbdialout (1.7.2-1+deb9u1) stretch; urgency=medium . * Include leading plus symbol with tel: URI scheme. (Closes: #865961) * Remove Dm-Upload-Allowed. * Add missing details to debian/copyright * Update watch file. tcpdump (4.9.2-1~deb9u1) stretch-security; urgency=high . * New upstream release, fixing 90 new CVEs. See the upstream changelog for the full list (closes: #867718, #873804, #873805, #873806). tcpdump (4.9.2-1~deb8u1) jessie-security; urgency=high . * New upstream release, fixing 90 new CVEs. See the upstream changelog for the full list (closes: #867718, #873804, #873805, #873806). tcpdump (4.9.1-3) unstable; urgency=high . * Cherry-pick three upstream commits to fix the following: + CVE-2017-11541: buffer over-read in safeputs() (closes: #873804) + CVE-2017-11542: buffer over-read in pimv1_print() (closes: #873805) + CVE-2017-11543: buffer overflow in sliplink_print() (closes: #873806) * Urgency high due to security fixes. tcpdump (4.9.1-2) unstable; urgency=medium . * Disable IKEv2 test which mysteriously fails on ppc64el (closes: #873377). tcpdump (4.9.1-1) unstable; urgency=medium . * New upstream release, fixes CVE-2017-11108 (closes: #867718). * Bump Standards-Version to 4.1.0. * debian/watch: add pgpsigurlmangle option. * Add upstream signing key in debian/upstream. tcpdump (4.9.0-3) unstable; urgency=medium . [ intrigeri ] * Include AppArmor profile from Ubuntu (closes: #866682). . [ Romain Francoise ] * Bump Standards-Version to 4.0.0. 
tiny-initramfs (0.1-4~deb9u1) stretch; urgency=medium . * Add Depends: cpio to tiny-initramfs-core. (Closes: #869668) tomcat8 (8.5.14-1+deb9u2) stretch-security; urgency=high . * Team upload. * Fix CVE-2017-7674: The CORS Filter did not add an HTTP Vary header indicating that the response varies depending on Origin. This permitted client and server side cache poisoning in some circumstances. * Fix CVE-2017-7675: The HTTP/2 implementation bypassed a number of security checks that prevented directory traversal attacks. It was therefore possible to bypass security constraints using a specially crafted URL. topal (75-2.1+deb9u1) stretch; urgency=medium . * Fix misuse of sed character class syntax which stops topal working. (Closes: #870825.) torsocks (2.2.0-1+deb9u1) stretch; urgency=medium . * Fix-check_addr-to-return-either-0-or-1.patch: new patch, from upstream maint-0.2.x branch, to fix a serious bug reported many times upstream and to me (privately) since the Stretch release (http://bugs.torproject.org/20871). * Adjust debian/gbp.conf to ease working on our Git branch dedicated to Stretch. trace-cmd (2.6-0.1+deb9u1) stretch; urgency=medium . * Non-maintainer upload. * Fix segfault while processing certain trace files (Closes: #867440). unbound (1.6.0-3+deb9u1) stretch; urgency=high . * Cherry-pick upstream commit svn r4301, "Fix install of trust anchor when two anchors are present, makes both valid. Checks hash of DS but not signature of new key. This fixes installs between sep11 and oct11 2017." * debian/control: unbound: Add versioned dependency on dns-root-data (>= 2017072601~) for KSK-2017 in RFC 5011 state VALID. unknown-horizons (2017.1+ds-2+deb9u1) stretch; urgency=medium . * Team upload. * Add 1000-icon-mem-leak.patch and fix a memory leak. Thanks to Petter Reinholdtsen for the report and testing and LinuxDonald for the patch. (Closes: #871037) up-imapproxy (1.2.8~svn20161210-2+deb9u1) stretch; urgency=medium . * Correct the service file. 
Thanks to Marc Dequènes (Duck) (Closes: 868150) * Move the pidfile to /run varnish (5.0.0-7+deb9u1) stretch-security; urgency=high . * Non-maintainer upload by the Security Team. * Correctly handle bogusly large chunk sizes. This fixes a denial of service attack vector where bogusly large chunk sizes in requests could be used to force restarts of the Varnish server. vim (2:8.0.0197-4+deb9u1) stretch; urgency=medium . * Backport upstream patches to fix CVE-2017-11109 (Closes: #867720) + 8.0.0703: Illegal memory access with empty :doau command + 8.0.0706: Crash when cancelling the cmdline window in Ex mode + 8.0.0707: Freeing wrong memory when manipulating buffers in autocommands waagent (2.2.14-1~deb9u1) stretch; urgency=medium . * Upload to stretch. waagent (2.2.14-1~deb9u1~bpo8+1) jessie-backports; urgency=medium . * Rebuild for jessie-backports. waagent (2.2.12-3) unstable; urgency=medium . * Revert waagent2.0 handling. * Add Vcs source entries. * Add minimal mirror selection for apt sources.list. waagent (2.2.12-2) unstable; urgency=medium . * Install waagent2.0 in /usr/lib. * Disable byte-code writing in extensions handlers. waagent (2.2.12-1) unstable; urgency=medium . * New upstream version. webkit2gtk (2.16.6-0+deb9u1) stretch; urgency=medium . * Team upload. * New upstream security and bugfix release. * Fixes these security issues reported in WSA-2017-0005 and WSA-2017-0006: + CVE-2017-2538, CVE-2017-7052 (fixed in 2.16.4) + CVE-2017-7018, CVE-2017-7030, CVE-2017-7034, CVE-2017-7037, CVE-2017-7039, CVE-2017-7046, CVE-2017-7048, CVE-2017-7055, CVE-2017-7056, CVE-2017-7061, CVE-2017-7064 (fixed in 2.16.6). * Add debian/patches/fix-ftbfs-m68k.patch: + Fix FTBFS in m68k (Closes: #868126). webkit2gtk (2.16.5-1) unstable; urgency=medium . * New upstream release (Closes: #865772). webkit2gtk (2.16.5-1~bpo9+1) stretch-backports; urgency=medium . * Rebuild for stretch-backports. . webkit2gtk (2.16.5-1) unstable; urgency=medium . 
   * New upstream release (Closes: #865772).
 .
 webkit2gtk (2.16.4-1) unstable; urgency=high
 .
   * New upstream release.
     + This fixes CVE-2017-2538.

webkit2gtk (2.16.5-1~bpo8+1) jessie-backports-sloppy; urgency=medium
 .
   * Rebuild for jessie-backports-sloppy.
   * debian/control:
     + Build using libgeoclue-dev instead of libgeoclue-2-dev.
 .
 webkit2gtk (2.16.5-1) unstable; urgency=medium
 .
   * New upstream release (Closes: #865772).
 .
 webkit2gtk (2.16.4-1) unstable; urgency=high
 .
   * New upstream release.
     + This fixes CVE-2017-2538.

webkit2gtk (2.16.4-1) unstable; urgency=high
 .
   * New upstream release.
     + This fixes CVE-2017-2538.

whois (5.2.17~deb9u1) stretch; urgency=high
 .
   * Rebuilt for stretch. (Closes: #869920)

whois (5.2.16) unstable; urgency=medium
 .
   * Fixed parsing of 6to4 addresses broken in 5.2.15.
   * Updated the .do TLD server.
   * Updated the list of new gTLDs.

wordpress-shibboleth (1.4-2+deb9u1) stretch-security; urgency=high
 .
   * [CVE-2017-14313]: Fix XSS in login form (Closes: #874416)

wordpress-shibboleth (1.4-2+deb8u1) jessie-security; urgency=high
 .
   * [CVE-2017-14313]: Fix XSS in login form (Closes: #874416)

wrk (4.0.2-2~deb9u1) stretch; urgency=medium
 .
   * Rebuild for stretch.
 .
 wrk (4.0.2-2) unstable; urgency=medium
 .
   [ Christos Trochalakis ]
   * Modify previous mips FTBFS patch rendering wrk unusable in all
     architectures. Thanks to Rinat Ibragimov (Closes: #855118)
   * Fix build on mips architectures (Closes: #801881)

xen (4.8.1-1+deb9u3) stretch-security; urgency=high
 .
   * Security fixes for
       XSA-226 CVE-2017-12135
       XSA-227 CVE-2017-12137
       XSA-228 CVE-2017-12136
       XSA-230 CVE-2017-12855
       XSA-235 (no CVE yet)
   * Adjust changelog entry for 4.8.1-1+deb9u2 to record
     that XSA-225 fix was indeed included.
   * Security fix for XSA-229 not included as that bug is in Linux, not Xen.
   * Security fixes for XSA-231..234 inc. not included as still embargoed.

xen (4.8.1-1+deb9u2) stretch-security; urgency=high
 .
   * Security fixes for
       XSA-216 XSA-217 XSA-218 XSA-219 XSA-220
       XSA-221 XSA-222 XSA-223 XSA-224

xfonts-ayu (1:1.7a-1+deb9u1) stable-proposed-updates; urgency=low
 .
   * debian/rules
     - fix regression introduced in 1:1.7a-1, wildcards evaluation is too
       early and as a result, bold and italic was not produced
       (Closes: #870320) Thanks to Takeshi Soejima

xkeyboard-config (2.19-1+deb9u1) stretch; urgency=medium
 .
   * Non-maintainer upload.
   * Revert blacklisting of Indic layouts (Closes: #865316)
     Now Indic keyboards can be selected from list of available keyboard
     layouts like in previous stable releases. This was reverted upstream
     as well.

yadm (1.06-1+deb9u1) stretch; urgency=high
 .
   * Backport for CVE-2017-11353.

======================================
Sat, 22 Jul 2017 - Debian 9.1 released
======================================
=========================================================================
[Date: Sat, 22 Jul 2017 07:58:35 +0000] [ftpmaster: Archive Administrator]
Removed the following packages from stable:

     aiccu | 20070115-17 | source
     aiccu | 20070115-17+b1 | amd64, arm64, armel, armhf, i386, mips, mips64el, mipsel, ppc64el, s390x
Closed bugs: 864783

------------------- Reason -------------------
RoM; useless since shutdown of SixXS
----------------------------------------------
=========================================================================

3dchess (0.8.1-19+deb9u1) stretch; urgency=medium
 .
   * Team upload.
   * Add wasteful-CPU-consumption.patch.
     The game always consumed 100 % CPU resources due to a missing sleep
     call in its main loop. (Closes: #866378)

adwaita-icon-theme (3.22.0-1+deb9u1) stretch; urgency=medium
 .
   * debian/patches/01_fix_send-to-symbolic.patch: Fix malformed
     send-to-symbolic icon (Closes: #838961)

anope (2.0.4-1+deb9u1) stretch; urgency=medium
 .
   * Correct Recommends typo tranport -> transport to stop Exim taking over
     from already-installed MTAs (Closes: #864668)

apache2 (2.4.25-3+deb9u1) stretch-security; urgency=high
 .
   * Backport security fixes from 2.4.26:
   * CVE-2017-3167: Authentication bypass with ap_get_basic_auth_pw()
   * CVE-2017-3169: mod_ssl NULL pointer dereference
   * CVE-2017-7668: Buffer overrun in ap_find_token()
   * CVE-2017-7679: mod_mime buffer overread
   * CVE-2017-7659: mod_http2 NULL pointer dereference

apt (1.4.7) stretch; urgency=medium
 .
   * New release with important fixes up to 1.5~beta1; also see LP: #1702326
 .
   [ Robert Luberda ]
   * fix a "critical" typo in old changelog entry (Closes: 866358)
 .
   [ David Kalnischkies ]
   * test suite/travis CI: ignore profiling warning in progress lines
   * use port from SRV record instead of initial port
 .
   [ Julian Andres Klode ]
   * Reset failure reason when connection was successful, so later errors
     are reported as such and not as "connection failure" warnings.
   * debian/gbp.conf: Set debian-branch to 1.4.y
   * http: A response with Content-Length: 0 has no content, so don't try
     to read it - it will either timeout or the server closes the
     connection.
   * travis CI: Migrate to Docker

avogadro (1.2.0-1+deb9u1) stretch; urgency=medium
 .
   [ Anton Gladky ]
   * Update eigen3 patches, pull them from upstream. (Closes: #865085)

base-files (9.9+deb9u1) stable; urgency=low
 .
   * Change /etc/debian_version to 9.1, for Debian 9.1 point release.

bind9 (1:9.10.3.dfsg.P4-12.3+deb9u1) stretch-security; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * debian/patches:
     - debian/patches/CVE-2017-3142+CVE-2017-3143 added, fix TSIG bypasses
       CVE-2017-3142: error in TSIG authentication can permit unauthorized
       zone transfers. An attacker may be able to circumvent TSIG
       authentication of AXFR and Notify requests.
       CVE-2017-3143: error in TSIG authentication can permit unauthorized
       dynamic updates. An attacker may be able to forge a valid TSIG or
       SIG(0) signature for a dynamic update.

c-ares (1.12.0-1+deb9u1) stretch; urgency=medium
 .
   * Add patch for CVE-2017-1000381 (Closes: #865360)

debian-edu-doc (1.921~20170603+deb9u1) stretch; urgency=medium
 .
   [ Holger Levsen ]
   * Update Debian Edu Stretch manual from the wiki.
 .
   [ Wolfgang Schweer ]
   * Update Debian Edu Stretch manual from the wiki.
 .
   [ Stretch Manual translation updates ]
   * Polish: Stanisław Krukowski.
   * Simplified Chinese: Ma Yong.
   * German: Wolfgang Schweer.
   * Norwegian Bokmål: Petter Reinholdtsen.
   * Italian: Claudio Carboncini.
   * Dutch: Frans Spiesschaert.

debian-installer (20170615+deb9u1) stretch; urgency=medium
 .
   * Enable proposed-updates for the stretch stable branch.

debian-installer-netboot-images (20170615+deb9u1) stretch; urgency=medium
 .
   * Update to 20170615+deb9u1 images, from stretch-proposed-updates

debsecan (0.4.19~deb9u1) stretch; urgency=medium
 .
   * Non-maintainer upload.
   * Rebuild for stretch

devscripts (2.17.6+deb9u1) stretch; urgency=medium
 .
   [ Mattia Rizzolo ]
   * debchange:
     + Target stretch-backports with --bpo. Closes: #867662
     + Support $codename{,-{proposed-updates,security}} as well.
       Closes: #789587
   * bts:
     + Add patch from Samuel Thibault to add support for the new 'a11y'
       tag. Closes: #867416

dgit (3.11~deb9u1) stretch; urgency=high
 .
   * Rebuild and upload to stretch.
 .
 dgit (3.11) unstable; urgency=high
 .
   Important bugfixes to dgit:
   * Fix rpush+buildinfo: Transfer buildinfos for signing. Closes:#867693.
   * Cope if the archive server sends an HTTP redirect, by passing -L to
     curl. Closes:#867185,#867309.
   * Cope with newer git which hates --local outside a tree.
     Closes:#865863.
   * rpush: Honour local git config from build host working tree.
   * Tolerate compressor terminating with SIGPIPE. Closes:#857694.
   * Honour more pre-tree git config options in our private trees sharing
     the user's object store. In particular, core.sharedRepository.
     Prompted by #867603.
   * Clone multisuite works even without --no-rm-on-error. Closes:#867434.
   * Work if "git init" does not create $GIT/info. Closes:#858054.
   * Actually understand foo,-security (!) Closes:#867189.
 .
   Important bugfixes to other components:
   * dgit-badcommit-fixup: Honour core.sharedRepository. Closes:#867603.
   * infrastructure: Cope with new git-receive-pack which has quarantine
     feature: ie, work around #867702.
 .
   Test suite:
   * Cope with git restricting ext:: protocols.
   * multisuite: Test clone without --rm-on-error.

dovecot (1:2.2.27-3+deb9u1) stretch; urgency=medium
 .
   * [8b8226f] Fix fts-solr: escape {} chars when sending queries
     (Closes: #865945)
   * [a97cdab] Add basic usage DEP-8 tests, performing end-to-end testing
     using LDA, IMAP and POP3.

drupal7 (7.52-2+deb9u1) stretch-security; urgency=high
 .
   * Backported from 7.56: SA-CORE-2017-003: Files uploaded by anonymous
     users into a private file system can be accessed by other anonymous
     users. (CVE-2017-6922) (Closes: #865498)

dwarfutils (20161124-1+deb9u1) stretch; urgency=medium
 .
   * Add patch 02-fix-CVE-2017-9052.patch to fix CVE-2017-9052 and
     CVE-2017-9055 (Closes: #864064).
   * Add patch 03-fix-CVE-2017-9053.patch to fix CVE-2017-9053.
   * Add patch 04-fix-CVE-2017-9054.patch to fix CVE-2017-9054.
   * Add patch 05-fix-CVE-2017-9998.patch to fix CVE-2017-9998
     (Closes: #866968).

evince (3.22.1-3+deb9u1) stretch-security; urgency=medium
 .
   * CVE-2017-1000083

exim4 (4.89-2+deb9u1) stretch-security; urgency=medium
 .
   * CVE-2017-100369

exim4 (4.89-2+deb9u1~bpo8+1) jessie-backports; urgency=medium
 .
   * Rebuild for jessie-backports.
   * b-d on libmysqlclient-dev | libmysqlclient15-dev instead of
     default-libmysqlclient-dev.
 .
 exim4 (4.89-2+deb9u1) stretch-security; urgency=medium
 .
   * CVE-2017-100369
 .
 exim4 (4.89-2) unstable; urgency=medium
 .
   * Revert addition of header "# pidfile: /var/run/exim4/exim.pid" to
     initscript (#844178). It breaks when the initscript does not start a
     daemon but only runs update-exim4.conf. (inetd or
     QUEUERUNNER='nodaemon'). Closes: #860317
   * When reporting bugs also attach /etc/default/exim4 by default.

flatpak (0.8.5-2+deb9u1) stretch-security; urgency=high
 .
   * d/p/Ensure-we-don-t-install-world-writable-dirs-or-setuid-fil.patch:
     Patch from upstream stable release 0.8.7. Prevent deploying files with
     inappropriate permissions (world-writable, setuid, etc.)
     (Closes: #865413)
   * d/p/dir-Ensure-.local-share-flatpak-is-0700.patch:
     Patch from upstream stable release 0.8.7. Make ~/.local/share/flatpak
     private to user to defend against app vendors that might have released
     files with inappropriate permissions in the past

flatpak (0.8.5-2+deb9u1~bpo8+1) jessie-backports; urgency=medium
 .
   * Backport to jessie
     - debian/gbp.conf: adjust for this branch
     - debian/control: (build-)depend on libgtk-3-bin, not
       gtk-update-icon-cache
     - d/p/debian/Try-gtk-3.0-version-of-the-icon-cache-utility-first.patch:
       try to use gtk-update-icon-cache-3.0 before gtk-update-icon-cache
     - d/p/backport/*.patch, d/control: Relax GLib dependency to 2.42
 .
 flatpak (0.8.5-2+deb9u1) stretch-security; urgency=high
 .
   * d/p/Ensure-we-don-t-install-world-writable-dirs-or-setuid-fil.patch:
     Patch from upstream stable release 0.8.7. Prevent deploying files with
     inappropriate permissions (world-writable, setuid, etc.)
     (Closes: #865413)
   * d/p/dir-Ensure-.local-share-flatpak-is-0700.patch:
     Patch from upstream stable release 0.8.7. Make ~/.local/share/flatpak
     private to user to defend against app vendors that might have released
     files with inappropriate permissions in the past
 .
 flatpak (0.8.5-2) unstable; urgency=medium
 .
   * flatpak Recommends xdg-desktop-portal-gtk | xdg-desktop-portal-backend,
     so that sandboxed apps can communicate with the outside world
     (Closes: #861068)

fpc (3.0.0+dfsg-11+deb9u1) stretch; urgency=medium
 .
   * Fix "[fp-units-rtl-3.0.0] Incorrect conversion from local time to UTC".
     Backported fix from 3.0.2 (Closes: #864148)

galternatives (0.13.5+nmu4+deb9u1) stretch; urgency=medium
 .
   * Adopt and switch maintainer information.
   * Fix the bug which causes properties window blank. Closes: #325172

geolinks (0.2.0-1+deb9u1) stretch; urgency=medium
 .
   * Team upload.
   * Update branch in gbp.conf & Vcs-Git URL.
   * Fix dependencies for Python 3 package. (closes: #867405)

glibc (2.24-11+deb9u1) stretch-security; urgency=medium
 .
   * debian/patches/any/local-CVE-2017-1000366-rtld-LD_AUDIT.diff,
     debian/patches/any/local-CVE-2017-1000366-rtld-LD_LIBRARY_PATH.diff,
     debian/patches/any/local-CVE-2017-1000366-rtld-LD_PRELOAD.diff: add
     patches to protect the dynamic linker against stack clashes
     (CVE-2017-1000366).
   * debian/patches/any/cvs-vectorized-strcspn-guards.diff: patch backported
     from upstream to allow usage of strcspn in ld.so.
   * debian/patches/any/cvs-hwcap-AT_SECURE.diff: patch backported from
     upstream to disable HWCAP for AT_SECURE programs.

gnats (4.1.0-3+deb9u1) stretch; urgency=medium
 .
   * QA upload.
   * gnats-user.postrm: Do not fail to purge if /var/lib/gnats/gnats-db is
     not empty. (Closes: #661015)

gnats (4.1.0-3+deb8u1) jessie; urgency=medium
 .
   * QA upload.
   * gnats-user.postrm: Do not fail to purge if /var/lib/gnats/gnats-db is
     not empty. (Closes: #661015)

gnome-settings-daemon (3.22.2-2+deb9u2) stretch; urgency=medium
 .
   * d/p/keyboard-Only-add-the-us-layout-if-the-system-config.patch:
     Do not add the "US" keyboard layout by default for new users, for some
     reasons, this keyboard was preferred over the system configured one on
     the first login. (Closes: #859268)

gnome-settings-daemon (3.22.2-2+deb9u1) stretch; urgency=medium
 .
   * Remove debian/gnome-settings-daemon.gsettings-override to remember the
     NumLock state between sessions by default (Closes: #649587)

gnuplot (5.0.5+dfsg1-6+deb9u1) stretch; urgency=high
 .
   * [02931b6] Fix memory corruption vulnerability. CVE-2017-9670.
     (Closes: #864901)

gnutls28 (3.5.8-5+deb9u2) stretch; urgency=medium
 .
   * 37_aarch64-fix-AES-GCM-in-place-encryption-and-decrypti.patch from
     upstream 3.5.x branch: Fix breakage if AES-GCM in-place encryption and
     decryption on aarch64. Closes: #867581

gnutls28 (3.5.8-5+deb9u1) stretch-security; urgency=high
 .
   * 36_CVE-2017-7507_*.patch: Pulled from 3.5.13, fix crash upon receiving
     well-formed status_request extension. GNUTLS-SA-2017-4/CVE-2017-7507
     Closes: #864560
   * Upload is identical to 3.5.8-6 except for the version number.

grub-installer (1.140+deb9u1) stretch; urgency=medium
 .
   * Apply another patch by Hideki Yamane to fix support for systems with a
     large number of disks, since the regression fix in the previous upload
     was incomplete (Closes: #839894).

heimdal (7.1.0+dfsg-13+deb9u1) stretch-security; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * CVE-2017-11103: Orpheus' Lyre KDC-REP service name validation
     (Closes: #868208)

intel-microcode (3.20170707.1~deb9u1) stretch; urgency=medium
 .
   * Rebuild for stretch (no changes)
 .
 intel-microcode (3.20170707.1) unstable; urgency=high
 .
   * New upstream microcode datafile 20170707
     + New Microcodes:
       sig 0x00050654, pf_mask 0x97, 2017-06-01, rev 0x2000022, size 25600
       sig 0x000806e9, pf_mask 0xc0, 2017-04-27, rev 0x0062, size 97280
       sig 0x000806ea, pf_mask 0xc0, 2017-05-23, rev 0x0066, size 95232
       sig 0x000906e9, pf_mask 0x2a, 2017-04-06, rev 0x005e, size 97280
     + This release fixes the nightmare-level errata SKZ7/SKW144/SKL150/
       SKX150 (Skylake) KBL095/KBW095 (Kaby Lake) for all affected Kaby
       Lake and Skylake processors: Skylake D0/R0 were fixed since the
       previous upstream release (20170511). This new release adds the
       fixes for Kaby Lake Y0/B0/H0 and Skylake H0 (Skylake-E/X).
     + Fix undisclosed errata in Skylake H0 (0x50654), Kaby Lake Y0
       (0x806ea), Kaby Lake H0 (0x806e9), Kaby Lake B0 (0x906e9)
   * source: remove unneeded intel-ucode/ directory
   * source: remove superseded upstream data file: 20170511

intel-microcode (3.20170707.1~deb8u1) jessie; urgency=high
 .
   * Upload to jessie (no changes)
 .
 intel-microcode (3.20170707.1) unstable; urgency=high
 .
   * New upstream microcode datafile 20170707
     + New Microcodes:
       sig 0x00050654, pf_mask 0x97, 2017-06-01, rev 0x2000022, size 25600
       sig 0x000806e9, pf_mask 0xc0, 2017-04-27, rev 0x0062, size 97280
       sig 0x000806ea, pf_mask 0xc0, 2017-05-23, rev 0x0066, size 95232
       sig 0x000906e9, pf_mask 0x2a, 2017-04-06, rev 0x005e, size 97280
     + This release fixes the nightmare-level errata SKZ7/SKW144/SKL150/
       SKX150 (Skylake) KBL095/KBW095 (Kaby Lake) for all affected Kaby
       Lake and Skylake processors: Skylake D0/R0 were fixed since the
       previous upstream release (20170511). This new release adds the
       fixes for Kaby Lake Y0/B0/H0 and Skylake H0 (Skylake-E/X).
     + Fix undisclosed errata in Skylake H0 (0x50654), Kaby Lake Y0
       (0x806ea), Kaby Lake H0 (0x806e9), Kaby Lake B0 (0x906e9)
   * source: remove unneeded intel-ucode/ directory
   * source: remove superseded upstream data file: 20170511
 .
 intel-microcode (3.20170511.1) unstable; urgency=medium
 .
   * New upstream microcode datafile 20170511
     + Updated Microcodes:
       sig 0x000306c3, pf_mask 0x32, 2017-01-27, rev 0x0022, size 22528
       sig 0x000306d4, pf_mask 0xc0, 2017-01-27, rev 0x0025, size 17408
       sig 0x000306f2, pf_mask 0x6f, 2017-01-30, rev 0x003a, size 32768
       sig 0x000306f4, pf_mask 0x80, 2017-01-30, rev 0x000f, size 16384
       sig 0x00040651, pf_mask 0x72, 2017-01-27, rev 0x0020, size 20480
       sig 0x00040661, pf_mask 0x32, 2017-01-27, rev 0x0017, size 24576
       sig 0x00040671, pf_mask 0x22, 2017-01-27, rev 0x0017, size 11264
       sig 0x000406e3, pf_mask 0xc0, 2017-04-09, rev 0x00ba, size 98304
       sig 0x000406f1, pf_mask 0xef, 2017-03-01, rev 0xb000021, size 26624
       sig 0x000506e3, pf_mask 0x36, 2017-04-09, rev 0x00ba, size 98304
     + This release fixes undisclosed errata on the desktop, mobile and
       server processor models from the Haswell, Broadwell, and Skylake
       families, including even the high-end multi-socket server Xeons
     + Likely fix the TSC-Deadline LAPIC errata (BDF89, SKL142 and
       similar) on several processor families
     + Fix erratum BDF90 on Xeon E7v4, E5v4(?)
       (closes: #862606)
     + Likely fix serious or critical Skylake errata: SKL138/144,
       SKL137/145, SLK149
   * Likely fix nightmare-level Skylake erratum SKL150. Fortunately,
     either this erratum is very-low-hitting, or gcc/clang/icc/msvc
     won't usually issue the affected opcode pattern and it ends up
     being rare.
     SKL150 - Short loops using both the AH/BH/CH/DH registers and
     the corresponding wide register *may* result in unpredictable
     system behavior. Requires both logical processors of the same
     core (i.e. sibling hyperthreads) to be active to trigger, as
     well as a "complex set of micro-architectural conditions"
   * source: remove unneeded intel-ucode/ directory
     Since release 20170511, upstream ships the microcodes both in .dat
     format, and as Linux-style split /lib/firmware/intel-ucode files.
     It is simpler to just use the .dat format file for now, so remove
     the intel-ucode/ directory. Note: before removal, it was verified
     that there were no discrepancies between the two microcode sets
     (.dat and intel-ucode/)
   * source: remove superseded upstream data file: 20161104

intel-microcode (3.20170707.1~bpo9+1) stretch-backports; urgency=high
 .
   * Rebuild for stretch-backports (no changes)
 .
 intel-microcode (3.20170707.1) unstable; urgency=high
 .
   * New upstream microcode datafile 20170707
     + New Microcodes:
       sig 0x00050654, pf_mask 0x97, 2017-06-01, rev 0x2000022, size 25600
       sig 0x000806e9, pf_mask 0xc0, 2017-04-27, rev 0x0062, size 97280
       sig 0x000806ea, pf_mask 0xc0, 2017-05-23, rev 0x0066, size 95232
       sig 0x000906e9, pf_mask 0x2a, 2017-04-06, rev 0x005e, size 97280
     + This release fixes the nightmare-level errata SKZ7/SKW144/SKL150/
       SKX150 (Skylake) KBL095/KBW095 (Kaby Lake) for all affected Kaby
       Lake and Skylake processors: Skylake D0/R0 were fixed since the
       previous upstream release (20170511). This new release adds the
       fixes for Kaby Lake Y0/B0/H0 and Skylake H0 (Skylake-E/X).
     + Fix undisclosed errata in Skylake H0 (0x50654), Kaby Lake Y0
       (0x806ea), Kaby Lake H0 (0x806e9), Kaby Lake B0 (0x906e9)
   * source: remove unneeded intel-ucode/ directory
   * source: remove superseded upstream data file: 20170511

intel-microcode (3.20170707.1~bpo8+1) jessie-backports-sloppy; urgency=medium
 .
   * Rebuild for jessie-backports-sloppy (no changes).
 .
 intel-microcode (3.20170707.1) unstable; urgency=high
 .
   * New upstream microcode datafile 20170707
     + New Microcodes:
       sig 0x00050654, pf_mask 0x97, 2017-06-01, rev 0x2000022, size 25600
       sig 0x000806e9, pf_mask 0xc0, 2017-04-27, rev 0x0062, size 97280
       sig 0x000806ea, pf_mask 0xc0, 2017-05-23, rev 0x0066, size 95232
       sig 0x000906e9, pf_mask 0x2a, 2017-04-06, rev 0x005e, size 97280
     + This release fixes the nightmare-level errata SKZ7/SKW144/SKL150/
       SKX150 (Skylake) KBL095/KBW095 (Kaby Lake) for all affected Kaby
       Lake and Skylake processors: Skylake D0/R0 were fixed since the
       previous upstream release (20170511). This new release adds the
       fixes for Kaby Lake Y0/B0/H0 and Skylake H0 (Skylake-E/X).
     + Fix undisclosed errata in Skylake H0 (0x50654), Kaby Lake Y0
       (0x806ea), Kaby Lake H0 (0x806e9), Kaby Lake B0 (0x906e9)
   * source: remove unneeded intel-ucode/ directory
   * source: remove superseded upstream data file: 20170511

irssi (1.0.2-1+deb9u1) stretch-security; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * Fix dcc_request where addr is NULL (CVE-2017-9468) (Closes: #864400)
   * Fix oob read of one byte in get_file_params_count{,_resume}
     (CVE-2017-9469) (Closes: #864400)

jabberd2 (2.4.0-3+deb9u1) stretch-security; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * Fixed offered SASL mechanism check (CVE-2017-10807)
     Thanks to Sergey Korobitsin for the report. (Closes: #867032)

jython (2.5.3-16+deb9u1) stretch-security; urgency=high
 .
   * Team upload.
   * Fix CVE-2016-4000: (Closes: #864859)
     Unsafe deserialization may lead to arbitrary code execution.
knot (2.4.0-3+deb9u1) stretch-security; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * debian/patches:
     - 0001-tsig-move-signature-validity-period-check-after-the- added,
       fix TSIG signature validation bypass (CVE-2017-11104)
       closes: #865678

libclamunrar (0.99-3+deb9u1) stretch; urgency=medium
 .
   * Team upload.
 .
   [ Sebastian Andrzej Siewior ]
   * Cherry pick fix for arbitrary memory write. CVE-2012-6706
     (Closes: #867223).

libgcrypt20 (1.7.6-2+deb9u1) stretch-security; urgency=high
 .
   * 31_CVE-2017-752*.patch from upstream 1.7.8 release: Mitigate a
     flush+reload side-channel attack on RSA secret keys dubbed "Sliding
     right into disaster". For details see . [CVE-2017-7526]

libopenmpt (0.2.7386~beta20.3-3+deb9u2) stretch; urgency=medium
 .
   * Add security patches (Closes: #867579).
     - up8: Out-of-bounds read while loading a malformed PLM file.
     - up10: CVE-2017-11311: Arbitrary code execution by a crafted PSM file.

libopenmpt (0.2.7386~beta20.3-3+deb9u1) stretch; urgency=medium
 .
   * Add various security patches (Closes: #864195).
     - up1: Division by zero in temp calculation.
     - up2: Infinite loop with cyclic plugin routing.
     - up3: Excessive CPU consumption on malformed DMF and MDL files.
     - up5: Excessive CPU consumption on malformed AMS files.
     - up6: Invalid memory read when applying NNAs to effect plugins.

libquicktime (2:1.2.4-10+deb9u1) stretch; urgency=medium
 .
   * Fix CVE-2017-9122 to CVE-2017-9128, patch from 1.2.4-11 in unstable
     (Closes: #864664)

linux (4.9.30-2+deb9u2) stretch-security; urgency=high
 .
   * Revert changes in version 4.9.30-2+deb9u1 (Closes: #865303)
   * mm: larger stack guard gap, between vmas (CVE-2017-1000364)
   * mm: fix new crash in unmapped_area_topdown()

linux (4.9.30-2+deb9u2~bpo8+1) jessie-backports; urgency=medium
 .
   * Rebuild for jessie-backports:
     - Revert "[x86] psmouse: Enable MOUSE_PS2_VMMOUSE", which breaks
       xserver-xorg-input-vmmouse and several metapackages in jessie
     - Revert changes to use gcc-6 compiler, not found in jessie
     - Change ABI number to 0.bpo.3
     - Revert changes to flex and asciidoc build-dependencies
     - linux-image-dbg: Revert changes to packaging of debug symbols
     - Revert "enable `perf data' support" as libbabeltrace is not available
     - [mips*] Disable RELOCATABLE and RANDOMIZE_BASE.
 .
 linux (4.9.30-2+deb9u2) stretch-security; urgency=high
 .
   * Revert changes in version 4.9.30-2+deb9u1 (Closes: #865303)
   * mm: larger stack guard gap, between vmas (CVE-2017-1000364)
   * mm: fix new crash in unmapped_area_topdown()

linux (4.9.30-2+deb9u1) stretch-security; urgency=high
 .
   * mm: enlarge stack guard gap (CVE-2017-1000364)
   * mm: allow to configure stack gap size
   * mm, proc: cap the stack gap for unpopulated growing vmas
   * mm, proc: drop priv parameter from is_stack
   * mm: do not collapse stack gap into THP
   * fold me "mm: allow to configure stack gap size"

linux-latest (80+deb9u1) stretch; urgency=medium
 .
   * Revert changes to debug symbol meta-packages (Closes: #866691)

nagios-nrpe (3.0.1-3+deb9u1) stretch; urgency=medium
 .
   * Update branch in gbp.conf & Vcs-Git URL.
   * Fix 11_reproducible_dh.h.patch to not leave USE_SSL_DH undefined.
     Thanks to Johan Carlquist for pointing out this issue.
   * Re-enable SSL support by default.
     Compatibility with older versions has been fixed.

nginx (1.10.3-1+deb9u1) stretch-security; urgency=high
 .
   * Handle CVE-2017-7529 Integer overflow in the range filter
     (Closes: #868109)

nginx (1.10.3-1+deb9u1~bpo8+2) jessie-backports; urgency=medium
 .
   * Rebuild on a jessie box.
 .
 nginx (1.10.3-1+deb9u1~bpo8+1) jessie-backports; urgency=medium
 .
   * Rebuild for jessie-backports.
   * Build against openssl 1.0.2 enabling ALPN support for http/2.
   * Fix PIE issues for jessie.
   * Disable ec-x25519 test.
 .
 nginx (1.10.3-1+deb9u1) stretch-security; urgency=high
 .
   * Handle CVE-2017-7529 Integer overflow in the range filter
     (Closes: #868109)

nginx (1.10.3-1+deb9u1~bpo8+1) jessie-backports; urgency=medium
 .
   * Rebuild for jessie-backports.
   * Build against openssl 1.0.2 enabling ALPN support for http/2.
   * Fix PIE issues for jessie.
   * Disable ec-x25519 test.
 .
 nginx (1.10.3-1+deb9u1) stretch-security; urgency=high
 .
   * Handle CVE-2017-7529 Integer overflow in the range filter
     (Closes: #868109)

nvidia-graphics-drivers (375.66-2~deb9u1) stretch; urgency=medium
 .
   * Rebuild for stretch.

octave-ocs (0.1.5-2+deb9u1) stretch; urgency=medium
 .
   * d/p/set_nonarch_path_for_pkg_add: refresh for this upstream version.
     Fixes loading of package functions into Octave path.
     (Closes: #865282)

open-iscsi (2.0.874-3~deb9u1) stretch; urgency=medium
 .
   * [8de3092] udeb: don't update initramfs when iSCSI is not used.
     (Closes: #863435)

openssh (1:7.4p1-10+deb9u1) stretch; urgency=medium
 .
   * Fix incoming compression statistics (thanks, Russell Coker;
     closes: #797964).

openstack-debian-images (1.20~deb9u1) stretch-proposed-updates; urgency=medium
 .
   * Also add security updates for non wheezy/jessie.
   * Update debian/gbp.conf to use debian/stretch as packaging branch.

openvpn (2.4.0-6+deb9u1) stretch-security; urgency=high
 .
   * SECURITY UPDATE: (Closes: #865480)
     - CVE-2017-7508.patch. Fix remotely-triggerable ASSERT() on malformed
       IPv6 packet.
     - CVE-2017-7520.patch. Prevent two kinds of stack buffer OOB reads and
       a crash for invalid input data.
     - CVE-2017-7521.patch. Fix potential double-free in
       --x509-alt-username.
     - CVE-2017-7521bis.patch. Fix remote-triggerable memory leaks.

openvpn (2.4.0-6+deb9u1~bpo8+1) jessie-backports; urgency=high
 .
   * Rebuild for jessie-backports.
     - change build-dep: libssl1.0-dev to libssl-dev
 .
 openvpn (2.4.0-6+deb9u1) stretch-security; urgency=high
 .
   * SECURITY UPDATE: (Closes: #865480)
     - CVE-2017-7508.patch. Fix remotely-triggerable ASSERT() on malformed
       IPv6 packet.
     - CVE-2017-7520.patch.
       Prevent two kinds of stack buffer OOB reads and a crash for invalid
       input data.
     - CVE-2017-7521.patch. Fix potential double-free in
       --x509-alt-username.
     - CVE-2017-7521bis.patch. Fix remote-triggerable memory leaks.

os-prober (1.76~deb9u1) stretch; urgency=medium
 .
   * Rebuild for stretch.

osinfo-db (0.20170225-3~deb9u1) stretch; urgency=medium
 .
   * [17d85a0] Adjust gbp.conf for stretch

otrs2 (5.0.16-1+deb9u1) stretch-security; urgency=high
 .
   * Add patch 15-CVE-2017-9324:
     This fixes OSA-2017-03, also known as CVE-2017-9324: An attacker with
     agent permission is capable by opening a specific URL in a browser to
     gain administrative privileges / full access. Afterward, all system
     settings can be read and changed.
     Closes: #864319

partman-base (191+deb9u1) stretch; urgency=medium
 .
   [ Karsten Merker ]
   * For systems that are known to have their boot firmware on an mmcblk
     device, protect the firmware area on all mmcblk devices (and not only
     on mmcblk0) from being clobbered during guided partitioning and add
     missing whitespace to the corresponding log output.
     (Closes: #854822)

pdns-recursor (4.0.4-1+deb9u1) stretch; urgency=medium
 .
   * Add new root trust anchor KSK-2017 to embedded root trust list.
     (Closes: #866112)

perl (5.24.1-3+deb9u1) stretch; urgency=medium
 .
   * Backport various Getopt-Long fixes from upstream 2.49..2.51.
     (Closes: #855532, #864544)
   * Backport upstream patch fixing regexp "Malformed UTF-8 character"
     crashes. (Closes: #864782)
   * Apply upstream base.pm no-dot-in-inc fix (from 5.24.2-RC1)
     (Closes: #867170)

phpunit (5.4.6-2~deb9u1) stretch; urgency=high
 .
   * Team upload
   * Upload previous fix to Stretch
 .
 phpunit (5.4.6-2) unstable; urgency=high
 .
   * Team upload
   * Fix arbitrary PHP code execution via HTTP POST [CVE-2017-9841]
     (Closes: #866200)

protozero (1.5.1-1+deb9u1) stretch; urgency=medium
 .
   * Update branch in gbp.conf & Vcs-Git URL.
   * Include upstream patch to fix data_view equality operator.
     This fixes a rather embarrassing bug in the equality operator of the
     data_view class. The equality operator is actually never used in the
     protozero code itself, but users of protozero might use it. This is a
     serious bug that could lead to buffer overrun type problems.

pulseaudio (10.0-1+deb9u1) stretch; urgency=medium
 .
   [ Balint Reczey ]
   * Removing myself from Uploaders.
     I made a few changes to the package when it badly needed help but now
     it is well maintained and I haven't contributed to it for years.
     Thanks to everyone in the packaging team and everyone who improved the
     package!
 .
   [ Scott Leggett ]
   * Move AGPL-3 text into copyright file (Closes: #863082)

pykde4 (4:4.14.3-2+deb9u1) stable; urgency=medium
 .
   * Team upload.
   * Drop bindings for plasma webview bindings: No longer functional due to
     QtWebKit being dropped from PyQt4 and obsolete (Closes: #865861)
     - Add debian/patches/no_webview_webkit.patch
     - Drop libqtwebkit-dev from build-depends

python-colorlog (2.10.0-1+deb9u1) stretch; urgency=medium
 .
   * Fix python3 dependencies (Closes: #867422)

python-imaplib2 (2.55-1+deb9u1) stretch; urgency=medium
 .
   * Fix typo that resulted in missing dependencies for python3-imaplib2.
     Thanks to Adrian Bunk for reporting this (Closes: #867437)

python-plumbum (1.6.2-1+deb9u1) stretch; urgency=medium
 .
   * Fix python3 dependencies (Closes: #867449)

qgis (2.14.11+dfsg-3+deb9u1) stretch; urgency=medium
 .
   * Add Breaks/Replaces to python-qgis-common for qgis_customwidgets.py
     move. (closes: #864695)

request-tracker4 (4.4.1-3+deb9u2) stretch; urgency=medium
 .
   * Handle configuration permissions correctly following RT_SiteConfig.d
     changes (Closes: #862426)

request-tracker4 (4.4.1-3+deb9u1) stretch-security; urgency=high
 .
   * Fix multiple security issues:
     - [CVE-2017-5943] CSRF verification token information leak
     - [CVE-2016-6127] XSS in file uploads
     - [CVE-2017-5361] Timing side-channel vulnerability in password
       verification
     - [CVE-2017-5944] Remote code execution in dashboard interface
     - Add check for incorrect RestrictLoginReferrer configuration setting
   * Work around a DoS vulnerability in Email::Address (CVE-2015-7686)

retext (6.0.2-2+deb9u1) stretch; urgency=medium
 .
   * Backport upstream fix for crash in XSettings code (closes: #863640).
   * Backport upstream patch to fix syntax in appdata XML file.

rkhunter (1.4.2-6+deb9u1) stable; urgency=high
 .
   * Disable remote updates to fix CVE-2017-7480 and prevent bugs like it
     in the future (closes: #765895, #866677)

socat (1.7.3.1-2+deb9u1) stretch; urgency=medium
 .
   * Backport upstream fix for SIGSEGV and other signals could lead to a
     100% CPU loop.

spice (0.12.8-2.1+deb9u1) stretch-security; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * CVE-2017-7506: Possible buffer overflow via invalid monitor
     configurations

spip (3.1.4-3~deb9u1) stretch-security; urgency=high
 .
   * Upload previous fixes to Stretch
   * Update previous changelog entry with CVE and bug report
 .
 spip (3.1.4-3) unstable; urgency=high
 .
   * Track Stretch
   * Backport security fix from 3.1.6
     - Execution of arbitrary code [CVE-2017-9736] (Closes: #864921)
   * Update security screen to 1.3.2

squashfs-tools (1:4.3-3+deb9u1) stretch; urgency=medium
 .
   * Backport patch to fix rare race in fragment waiting in filesystem
     finalisation.
   * Backport fix for 2GB-limit of the is_fragment(...) function
     (closes: #788185).

systemd (232-25+deb9u1) stretch; urgency=medium
 .
   [ Dimitri John Ledkov ]
   * Fix out-of-bounds write in systemd-resolved.
     CVE-2017-9445 (Closes: #866147, LP: #1695546)
 .
   [ Michael Biebl ]
   * Be truly quiet in systemctl -q is-enabled (Closes: #866579)
   * Improve RLIMIT_NOFILE handling.
    Use /proc/sys/fs/nr_open to find the current limit of open files compiled into the kernel instead of using a hard-coded value of 65536 for RLIMIT_NOFILE. (Closes: #865449)
  .
  [ Nicolas Braud-Santoni ]
  * debian/extra/rules: Use updated U2F ruleset.
    This ruleset comes from Yubico's libu2f-host. (Closes: #824532)

thermald (1.5.4-2.1) stretch; urgency=medium
  .
  * add Broadwell-GT3E and Kabylake support (Closes: #864707)
    - upstream fix 405dcc0a6 ("Add Kabylake and Broadwell-GT processor models")

tiff (4.0.8-2+deb9u1) stretch-security; urgency=high
  .
  * Backport security fixes:
    - CVE-2017-9936, memory leak in error code path of JBIGDecode() (closes: #866113),
    - prevent out of memory in gtTileContig() on corrupted files,
    - CVE-2017-10688, assertion failure in TIFFWriteDirectoryTagCheckedXXXX() (closes: #866611).
  * Add required _TIFFReadEncodedStripAndAllocBuffer@LIBTIFF_4.0 symbol to the libtiff5 package.

tomcat8 (8.5.14-1+deb9u1) stretch-security; urgency=high
  .
  * Team upload.
  * Fixed CVE-2017-5664: Static error pages can be overwritten if the DefaultServlet is configured to permit writes (Closes: #864447)

tor (0.2.9.11-1~deb9u1) stretch-security; urgency=high
  .
  * Get fix for CVE-2017-0376 into stretch via -security.
  .
  tor (0.2.9.11-1~bpo8+1) jessie-backports; urgency=medium
  .
  * Rebuild for jessie-backports.
  * Build-depend on dh-apparmor version >= 2.10.95, which is in backports, to avoid running into Bug #822349.

undertow (1.4.8-1+deb9u1) stretch-security; urgency=high
  .
  * Fix CVE-2017-2666 and CVE-2017-2670:
    - CVE-2017-2666: Prevent HTTP smuggling attacks by making sure messages do not contain invalid headers.
    - CVE-2017-2670: Fix possible DoS attack. The websocket non clean close can cause IO thread to get stuck in a loop. (Closes: #864405)

unrar-nonfree (1:5.3.2-1+deb9u1) stretch; urgency=medium
  .
  * Add bound checks for VMSF_DELTA, VMSF_RGB and VMSF_AUDIO parameters.
    - Backported from 5.5.5
    - CVE-2012-6706
    - Closes: #865461

win32-loader (0.8.3+deb9u1) stretch; urgency=medium
  .
  * Drop bz2 compression for source
  * Replace all mirror urls with deb.debian.org

xorg-server (2:1.19.2-1+deb9u1) stretch-security; urgency=high
  .
  * Non-maintainer upload by the Security Team.
  * CVE-2017-10971: stack buffer overflow in X Event structures handling (Closes: #867492)
  * CVE-2017-10972: information leak due to an uninitialized stack area when swapping endianness. (Closes: #867492)

=========================================
Sat, 17 Jun 2017 - Debian 9.0 released
=========================================