======================================
Sat, 14 Dec 2013 - Debian 7.3 released
======================================
=========================================================================
[Date: Sat, 14 Dec 2013 10:16:49 +0000] [ftpmaster: Archive Administrator]
Removed the following packages from stable:
linky | 3.0.0-4 | source
xul-ext-linky | 3.0.0-4 | all
Closed bugs: 730707
------------------- Reason -------------------
RoM; licensing issues
----------------------------------------------
=========================================================================
=========================================================================
[Date: Sat, 14 Dec 2013 10:17:26 +0000] [ftpmaster: Archive Administrator]
Removed the following packages from stable:
iceweasel-linky | 3.0.0-2 | source, all
Closed bugs: 730708
------------------- Reason -------------------
RoM; licensing issues
----------------------------------------------
=========================================================================
apt (0.9.7.9+deb7u1) wheezy; urgency=low
.
* Non-maintainer upload.
* Apply patch for large .debs (Closes: #725483)
Thanks Mark Hymers for the patch, Vincent Sanders for
the review
* Apply patch for strict multi-arch checking in single-architecture
environments (Closes: #723586)
apt-listbugs (0.1.8+deb7u1) stable; urgency=low
.
* adopted standard Ruby library Tempfile for HTML bug lists too, thus
dropping the ad-hoc HtmlTempfile (CVE-2013-6049)
base-files (7.1wheezy3) stable; urgency=low
.
* Changed /etc/debian_version to 7.3, for Debian 7.3 point release.
bootchart (0.10~svn407-4.1~deb7u1) wheezy; urgency=low
.
* Non-maintainer upload.
* Rebuild for wheezy.
.
bootchart (0.10~svn407-4.1) unstable; urgency=low
.
* Non-maintainer upload.
* Fix the upgrade path lenny (bootchart 0.10~svn407-3) => squeeze (bootchart
0.10~svn407-3 from lenny because bootchart was not included in squeeze) =>
wheezy. The initscript from 0.10~svn407-3 prevents migration to dependency
based boot sequencing causing a sysv-rc upgrade failure.
Add bootchart.preinst to replace the problematic "rmnologin" use in the
ancient /etc/init.d/bootchart because it is impossible to ensure the new
bootchart is already configured (which would replace the old initscript)
at the time sysv-rc gets configured. (Closes: #717495)
* Bump Debian revision to -4.1 to restore installability after recent
initscripts having Breaks: bootchart (<< 0.10~svn407-4).
chromium-browser (31.0.1650.63-1~deb7u1) stable-security; urgency=high
.
* New upstream stable release:
- Medium CVE-2013-6634: Session fixation in sync related to 302 redirects.
Credit to Andrey Labunets.
- High CVE-2013-6635: Use-after-free in editing. Credit to cloudfuzzer.
- Medium CVE-2013-6636: Address bar spoofing related to modal dialogs.
Credit to Bas Venis.
- CVE-2013-6637: Various fixes from internal audits, fuzzing and other
initiatives.
- Medium CVE-2013-6638: Buffer overflow in v8. This issue was fixed in v8
version 3.22.24.7. Credit to Jakob Kummerow of the Chromium project.
- High CVE-2013-6639: Out of bounds write in v8. This issue was fixed in v8
version 3.22.24.7. Credit to Jakob Kummerow of the Chromium project.
- Medium CVE-2013-6640: Out of bounds read in v8. This issue was fixed in
v8 version 3.22.24.7. Credit to Jakob Kummerow of the Chromium project.
chromium-browser (31.0.1650.57-1) unstable; urgency=medium
.
* New upstream stable release:
- Medium-Critical CVE-2013-2931: Various fixes from internal audits,
fuzzing and other initiatives.
- Medium CVE-2013-6621: Use after free related to speech input elements.
Credit to Khalil Zhani.
- High CVE-2013-6622: Use after free related to media elements. Credit to
cloudfuzzer.
- High CVE-2013-6623: Out of bounds read in SVG. Credit to miaubiz.
- High CVE-2013-6624: Use after free related to тАЬidтАЭ attribute strings.
Credit to Jon Butler.
- High CVE-2013-6625: Use after free in DOM ranges. Credit to cloudfuzzer.
- Low CVE-2013-6626: Address bar spoofing related to interstitial warnings.
Credit to Chamal de Silva.
- High CVE-2013-6627: Out of bounds read in HTTP parsing. Credit to
skylined.
- Medium CVE-2013-6628: Issue with certificates not being checked during
TLS renegotiation. Credit to Antoine Delignat-Lavaud and Karthikeyan
Bhargavan from Prosecco of INRIA Paris.
- Medium CVE-2013-6629: Read of uninitialized memory in libjpeg and
libjpeg-turbo. Credit to Michal Zalewski of Google.
- Medium CVE-2013-6630: Read of uninitialized memory in libjpeg-turbo.
Credit to Michal Zalewski of Google.
- High CVE-2013-6631: Use after free in libjingle. Credit to Patrik H├╢glund
of the Chromium project.
- Critical CVE-2013-6632: Multiple memory corruption issues. Credit to
Pinkie Pie.
* Disable promos by default (closes: #634101).
* Set WANT_TESTS=0 if WANT_TESTS=1 fails (closes: #589654).
* Maintain window ordering when new tabs are opened (closes: #725350).
* Install chromium-inspector files to /usr/share instead of /usr/lib.
* Don't remove third party libraries from the upstream tarball.
* Remove non-default compression selections from debian/rules.
* Build with breakpad crash reporting.
* Fix some lintian warnings.
chromium-browser (31.0.1650.57-1~deb7u1) stable-security; urgency=high
.
* New upstream stable release:
- Medium-Critical CVE-2013-2931: Various fixes from internal audits,
fuzzing and other initiatives.
- Medium CVE-2013-6621: Use after free related to speech input elements.
Credit to Khalil Zhani.
- High CVE-2013-6622: Use after free related to media elements. Credit to
cloudfuzzer.
- High CVE-2013-6623: Out of bounds read in SVG. Credit to miaubiz.
- High CVE-2013-6624: Use after free related to тАЬidтАЭ attribute strings.
Credit to Jon Butler.
- High CVE-2013-6625: Use after free in DOM ranges. Credit to cloudfuzzer.
- Low CVE-2013-6626: Address bar spoofing related to interstitial warnings.
Credit to Chamal de Silva.
- High CVE-2013-6627: Out of bounds read in HTTP parsing. Credit to
skylined.
- Medium CVE-2013-6628: Issue with certificates not being checked during
TLS renegotiation. Credit to Antoine Delignat-Lavaud and Karthikeyan
Bhargavan from Prosecco of INRIA Paris.
- Medium CVE-2013-6629: Read of uninitialized memory in libjpeg and
libjpeg-turbo. Credit to Michal Zalewski of Google.
- Medium CVE-2013-6630: Read of uninitialized memory in libjpeg-turbo.
Credit to Michal Zalewski of Google.
- High CVE-2013-6631: Use after free in libjingle. Credit to Patrik H├╢glund
of the Chromium project.
- Critical CVE-2013-6632: Multiple memory corruption issues. Credit to
Pinkie Pie.
chromium-browser (30.0.1599.101-3) unstable; urgency=medium
.
* Fix sandbox installation path (closes: #728823).
chromium-browser (30.0.1599.101-2) unstable; urgency=medium
.
* Use system zlib.
* Remove arm patches.
* Update lintian overrides.
* Remove an unsafe symlink.
* Remove icu build dependency.
* Support poststript printing (closes: #717722).
* Use fonts-ipafont instead of ttf-kochi (closes: #725800).
chromium-browser (30.0.1599.101-1) unstable; urgency=low
.
[ Giuseppe Iuculano ]
* New stable release:
- High CVE-2013-2925: Use after free in XHR. Credit to Atte Kettunen of
OUSPG.
- High CVE-2013-2926: Use after free in editing. Credit to
cloudfuzzer.
- High CVE-2013-2927: Use after free in forms. Credit to
cloudfuzzer.
- CVE-2013-2928: Various fixes from internal audits, fuzzing and other
initiatives.
- Medium CVE-2013-2906: Races in Web Audio.
Credit to Atte Kettunen of OUSPG.
- Medium CVE-2013-2907: Out of bounds read in Window.prototype object.
Credit to Boris Zbarsky.
- Medium CVE-2013-2908: Address bar spoofing related to the "204
No Content" status code. Credit to Chamal de Silva.
- High CVE-2013-2909: Use after free in inline-block
rendering. Credit to Atte Kettunen of OUSPG.
- Medium CVE-2013-2910: Use-after-free in Web Audio. Credit to
Byoungyoung Lee of Georgia Tech Information Security Center (GTISC).
- High CVE-2013-2911: Use-after-free in XSLT. Credit to Atte
Kettunen of OUSPG.
- High CVE-2013-2912: Use-after-free in PPAPI. Credit to Chamal
de Silva and 41.w4r10r(at)garage4hackers.com.
- High CVE-2013-2913: Use-after-free in XML document parsing.
Credit to cloudfuzzer.
- High CVE-2013-2914: Use after free in the Windows color
chooser dialog. Credit to Khalil Zhani.
- Low CVE-2013-2915: Address bar spoofing via a malformed scheme.
Credit to Wander Groeneveld.
- High CVE-2013-2916: Address bar spoofing related to the "204
No ContentтАЭ status code. Credit to Masato Kinugawa.
- Medium CVE-2013-2917: Out of bounds read in Web Audio. Credit
to Byoungyoung Lee and Tielei Wang of Georgia Tech Information
Security Center (GTISC).
- High CVE-2013-2918: Use-after-free in DOM. Credit to
Byoungyoung Lee of Georgia Tech Information Security Center (GTISC).
- High CVE-2013-2919: Memory corruption in V8. Credit to Adam
Haile of Concrete Data.
- Medium CVE-2013-2920: Out of bounds read in URL parsing. Credit to
Atte Kettunen of OUSPG.
- High CVE-2013-2921: Use-after-free in resource loader. Credit
to Byoungyoung Lee and Tielei Wang of Georgia Tech Information
Security Center (GTISC).
- High CVE-2013-2922: Use-after-free in template element. Credit
to Jon Butler.
- CVE-2013-2923: Various fixes from internal audits, fuzzing and other
initiatives (Chrome 30).
- Medium CVE-2013-2924: Use-after-free in ICU. Upstream bug here.
.
* [6651f1c] Added chrpath to build-depends
* [3c88b20] Refreshed Patches for version 30
* [743a0a6] Make default of third-party cookies the most secure for users.
Thanks to Chad Miller
* [9507f07] Do not install remoting_locales/en-US.pak
* [64b895b] Move chrome_sandbox to chrome-sandbox, chromium reads that file
.
[ Shawn Landden ]
* [6d027f1] rules: dpkg compresses .deb files with xz by default now
.
[ Michael Gilbert ]
* [18341ce] add some TODO tasks
chromium-browser (30.0.1599.101-1~deb7u1) stable-security; urgency=high
.
* New stable release:
- High CVE-2013-2925: Use after free in XHR. Credit to Atte Kettunen of
OUSPG.
- High CVE-2013-2926: Use after free in editing. Credit to
cloudfuzzer.
- High CVE-2013-2927: Use after free in forms. Credit to
cloudfuzzer.
- CVE-2013-2928: Various fixes from internal audits, fuzzing and other
initiatives.
- Medium CVE-2013-2906: Races in Web Audio.
Credit to Atte Kettunen of OUSPG.
- Medium CVE-2013-2907: Out of bounds read in Window.prototype object.
Credit to Boris Zbarsky.
- Medium CVE-2013-2908: Address bar spoofing related to the "204
No Content" status code. Credit to Chamal de Silva.
- High CVE-2013-2909: Use after free in inline-block
rendering. Credit to Atte Kettunen of OUSPG.
- Medium CVE-2013-2910: Use-after-free in Web Audio. Credit to
Byoungyoung Lee of Georgia Tech Information Security Center (GTISC).
- High CVE-2013-2911: Use-after-free in XSLT. Credit to Atte
Kettunen of OUSPG.
- High CVE-2013-2912: Use-after-free in PPAPI. Credit to Chamal
de Silva and 41.w4r10r(at)garage4hackers.com.
- High CVE-2013-2913: Use-after-free in XML document parsing.
Credit to cloudfuzzer.
- High CVE-2013-2914: Use after free in the Windows color
chooser dialog. Credit to Khalil Zhani.
- Low CVE-2013-2915: Address bar spoofing via a malformed scheme.
Credit to Wander Groeneveld.
- High CVE-2013-2916: Address bar spoofing related to the "204
No ContentтАЭ status code. Credit to Masato Kinugawa.
- Medium CVE-2013-2917: Out of bounds read in Web Audio. Credit
to Byoungyoung Lee and Tielei Wang of Georgia Tech Information
Security Center (GTISC).
- High CVE-2013-2918: Use-after-free in DOM. Credit to
Byoungyoung Lee of Georgia Tech Information Security Center (GTISC).
- High CVE-2013-2919: Memory corruption in V8. Credit to Adam
Haile of Concrete Data.
- Medium CVE-2013-2920: Out of bounds read in URL parsing. Credit to
Atte Kettunen of OUSPG.
- High CVE-2013-2921: Use-after-free in resource loader. Credit
to Byoungyoung Lee and Tielei Wang of Georgia Tech Information
Security Center (GTISC).
- High CVE-2013-2922: Use-after-free in template element. Credit
to Jon Butler.
- CVE-2013-2923: Various fixes from internal audits, fuzzing and other
initiatives (Chrome 30).
- Medium CVE-2013-2924: Use-after-free in ICU. Upstream bug here.
chromium-browser (29.0.1547.57-3+exp1) experimental; urgency=low
.
[ Shawn Landden ]
* Enable arm support.
chromium-browser (29.0.1547.57-3) unstable; urgency=medium
.
* Drop transitional packages (closes: #684369).
* Fix another copyright file syntax error.
* Remove libav build dependencies.
* Fix lintian override syntax.
* Fix version control URL.
* Use system vpx.
chromium-browser (29.0.1547.57-2) unstable; urgency=medium
.
* Mark chromium-inspector as multi-arch: foreign (closes: #695229).
* Use system libpng (closes: #699918).
* Fix copyright file syntax error.
* Drop implicit g++ dependency.
* Add some lintian overrides.
* Update my email address.
* Remove unsafe symlink.
chromium-browser (29.0.1547.57-1) unstable; urgency=medium
.
[ Michael Gilbert ]
* New upstream stable release:
- High CVE-2013-2900: Incomplete path sanitization in file handling. Credit
to Krystian Bigaj.
- Low CVE-2013-2905: Information leak via overly broad permissions on
shared memory files. Credit to Christian Jaeger.
- High CVE-2013-2901: Integer overflow in ANGLE. Credit to Alex Chapman.
- High CVE-2013-2902: Use after free in XSLT. Credit to cloudfuzzer.
- High CVE-2013-2903: Use after free in media element. Credit to
cloudfuzzer.
- High CVE-2013-2904: Use after free in document parsing. Credit to
cloudfuzzer.
- CVE-2013-2887: Various fixes from internal audits, fuzzing and other
initiatives (Chrome 29).
* Remove unused webkit layout tests (closes: 720446).
* Use source package name for get-orig-source rule.
* Remove gfdl documentation (closes: #708860).
* Build-depend on git.
.
[ Shawn Landden ]
* New standards version.
* Use canonical VCS url.
* Always use system includes rather than ones of a chroot.
curl (7.26.0-1+wheezy6) stable-security; urgency=low
.
* Disable host verification too when using the --insecure option
(Closes: #729965)
curl (7.26.0-1+wheezy5) stable-security; urgency=high
.
* Fix OpenSSL checking of a certificate CN or SAN name field when the
digital signature verification is turned off as per CVE-2013-4545
http://curl.haxx.se/docs/adv_20131115.html * Set urgency=high accordingly
darktable (1.0.4-1+deb7u2) wheezy; urgency=low
.
* Port libraw commit c4e374ea. This one commit is a fix for two bugs.
- CVE-2013-1438 (Closes: #721233).
- CVE-2013-1439 (Closes: #721339).
debian-installer-netboot-images (20130613+deb7u1.b1) wheezy; urgency=low
.
* Update to 20130613+deb7u1+b1 images, from proposed-updates.
distro-info-data (0.17~deb7u1) stable; urgency=low
.
* Add Ubuntu 14.04, Trusty Tahr. (Closes: #726696, 727020)
distro-info-data (0.16) unstable; urgency=low
.
* Correct current Debian testing series from experimental to jessie.
* Correct release date of Debian 7.0 "Wheezy".
drupal7 (7.14-2+deb7u1) wheezy-security; urgency=high
.
* Backported fixes from version 7.24 addresing several security
vulnerabilities (SA-CORE-2013-003), including:
* Multiple vulnerabilities due to optimistic cross-site request forgery
protection (Form API validation) (CVE-2013-6385)
* Multiple vulnerabilities due to weakness in pseudorandom number
generation using mt_rand() (Form API, OpenID and random password
generation - Drupal 6 and 7) (CVE-2013-6386)
* Code execution prevention (Files directory .htaccess for Apache -
(security hardening)
* Access bypass (Security token validation)
Treating as security hardening
* Cross-site scripting (Image module) (CVE-2013-6387).
* Cross-site scripting (Color module) (CVE-2013-6388).
* Open redirect (Overlay module) (CVE-2013-6389).
drupal7 (7.14-2+deb7u1~bpo60+1) squeeze-backports; urgency=high
.
* Backported fixes from version 7.24 addresing several security
vulnerabilities (SA-CORE-2013-003), including:
* Multiple vulnerabilities due to optimistic cross-site request forgery
protection (Form API validation) (CVE-2013-6385)
* Multiple vulnerabilities due to weakness in pseudorandom number
generation using mt_rand() (Form API, OpenID and random password
generation - Drupal 6 and 7) (CVE-2013-6386)
* Code execution prevention (Files directory .htaccess for Apache -
(security hardening)
* Access bypass (Security token validation)
Treating as security hardening
* Cross-site scripting (Image module) (CVE-2013-6387).
* Cross-site scripting (Color module) (CVE-2013-6388).
* Open redirect (Overlay module) (CVE-2013-6389).
ejabberd (2.1.10-4+deb7u1) stable-security; urgency=low
.
[ Konstantin Khomoutov ]
* Add patch fixing parsing of optional parameters in SCRAM SHA-1 headers
(closes: #705613, thanks to Stephen R├╢ttger for both writing the
original patch and backporting it to 2.1.10).
* Explain the "fqdn" configuration file option which has to be used
in certain setups for the SCRAM-SHA-1 to work with complying clients.
Mention this fact in the NEWS file. (Closes: #706590)
* Add upstream patch fixing incorrect escaping of a single quote character
in SQL queries generated by the ODBC storage backend (closes: #708151,
thanks to Vladislav Chugunov).
* Add upstream patches disabling SSLv2 and weak cyphers in TLS driver
(closes: #724992).
* Add patch (extracted from upstream) which fixes rendering of angle
brackets in plain-text MUC logs (closes: #724994).
expat (2.1.0-1+deb7u1) wheezy; urgency=low
.
[ Matthias Klose ]
* Don't ship the pkgconfig file in lib64expat1-dev. Closes: #706932.
.
[ Laszlo Boszormenyi (GCS) ]
* New maintainer (closes: #660681).
fcitx-cloudpinyin (0.2.2-1+deb7u1) wheezy; urgency=low
.
* Go with Google by default, original default isn't available anymore.
firebird2.5 (2.5.2.26540.ds4-1~deb7u1) stable; urgency=low
.
* rebuild for stable update in wheezy
* fix typo in 2.5.2.26540.ds4-1 changelog entry
* out/crash-create-db-restricted.patch: point to upstream commit
.
firebird2.5 (2.5.2.26540.ds4-1) unstable; urgency=low
.
* Official 2.5.2 release
+ CORE-3912: segfault in superclassic (Closes: #693192)
+ Restored the on-disk-structure compatibility with 2.5.1 index keys
(Closes: #693193)
+ Fixed broken (working as no-op) sweep in SuperServer (Closes: #693195)
+ CORE-3902: Derived fields may not be optimized via an index
(Closes: #693196)
+ CORE-3895: High memory usage when PSQL code SELECT's from stored
procedure which modified some data (Closes: #693202)
+ CORE-3238: GEN_UUID returns a non-RFC-4122-compliant UUID
(Closes: #693207)
+ CORE-3887: CHAR_TO_UUID and UUID_TO_CHAR works different in big endian
architectures (Closes: #693209)
+ Enabled per-table runtime stats for sweeper
+ Changes not concerning Debian
- CORE-3786: Hangs on MacOSX 10.7 (Lion) on DB create after reboot
- CORE-3911: API entrypoints Bopen and BLOB_open are not visible on Darwin
- CORE-3740: SELECT using IN list with >413 elements causes crash on Mac
(stack overflow with default stack size)
- CORE-3740: optimisation bug in GCC on Darwin
.
* Update debian/copyright (two new files, no licensing changes)
* Add NEWS.Debian about incompatible fix in charтЖФUUID conversion functions
.
* drop patches included in the upstream release:
+ upstream/r54702-cve-2012-5529.patch
+ upstream/r57728-cve-2013-2429.patch
* refresh separate-file-and-sem-perms.patch to apply cleanly
.
* Patches taken from upstream SVN
+ r57516r57773-gbak-y-redirection.patch
make gbak -y work with redirection again (regression from 2.5.1)
http://tracker.firebirdsql.org/browse/CORE-3995 + r57707r57710-lots-autonomous-trx-leaks-crash.patch
fix engine crash/memory leak with many autonomous transactions (remote
crash/memory leak)
http://tracker.firebirdsql.org/browse/CORE-3908 + r57349-bad-trn-num-logged-during-sweep.patch
fix invalid transaction counters logged during sweep (trivial fix)
http://tracker.firebirdsql.org/browse/CORE-3978 + r57714r57716-fix-isql-edit-command.patch
fix isql's edit command broken in 2.5.2 (regression from 2.5.1)
http://tracker.firebirdsql.org/browse/CORE-3990 + r58004-crash-converting-overscaled-numeric-to-string.patch
fix engine crash while converting an overscaled numeric to a string
(remote crash)
http://tracker.firebirdsql.org/browse/CORE-4093 + r57795-crash-storing-long-incompressible-data.patch
fix bugcheck/corruption when storing long uncompressible data (possible
db corruption)
http://tracker.firebirdsql.org/browse/CORE-4036 * add out/crash-create-db-restricted.patch
fixes a server crash when attempting creation of a database outside of
allowed paths with firebrd.conf setting of 'DatabaseAccess' other than
'Full'
gnome-settings-daemon (3.4.2+git20121218.7c1322-3+deb7u3) wheezy; urgency=low
.
* 10_smaller_syndaemon_timeout.patch: drop patch, which is no longer
related to what it is supposed to do, and makes syndaemon almost
useless.
gnupg (1.4.12-7+deb7u2) wheezy-security; urgency=high
.
* Apply upstream patch to fix infinite recursion in the
compressed packet parser (CVE-2013-4402, closes: #725439).
* Apply upstream patch to fix treating no-usage-permitted
keys as all-usages-permitted (CVE-2013-4351, closes: #722722).
gnupg2 (2.0.19-2+deb7u1) wheezy-security; urgency=high
.
* debian/patches/{03-cve-2013-4402_p1.diff,04-cve-2013-4402_p2.diff}:
Fix for CVE-2013-4402, "infinite recursion in the compressed packet
parser". (Closes: #725433)
* debian/patches/05-cve-2013-4351.diff: Fix for CVE-2013-4351, "treats
no-usage-permitted keys as all-usages-permitted". (Closes: #722724)
gtk+3.0 (3.4.2-7) stable; urgency=low
.
[ Rapha├лl Geissert ]
* Workaround new behaviour of librsvg (which implemented an origin
policy) by loading the file icon via a data: URI.
iceweasel (17.0.10esr-1~deb7u1) stable-security; urgency=low
.
* New upstream release.
* Fixes for mfsa2013-{93,95-96,98,100-101}, also known as
CVE-2013-5590, CVE-2013-5604, CVE-2013-5595, CVE-2013-5597,
CVE-2013-5599, CVE-2013-5600, CVE-2013-5602.
icu (4.8.1.1-12+deb7u1) stable-security; urgency=high
.
* Non-maintainer upload by the Security Team.
* Fix cve-2013-2924: use-after-free issue in csrucode.cpp.
iftop (1.0~pre2-4~deb7u2) stable; urgency=low
.
* Rebuild for Wheezy.
* Apply only the required changes to fix bug #677141, #726549 and
#693754. Revert commits b881f79, 66bb584.
iftop (1.0~pre2-4~deb7u1) stable; urgency=low
.
* Rebuild for Wheezy.
* Apply only the required changes to fix bug #677141, #726549 and
#693754. Revert commits b881f79, 66bb584.
intel-microcode (1.20130906.1) stable; urgency=high
.
* New upstream microcode data file 20130906
+ Updated Microcodes:
sig 0x000306c3, pf mask 0x32, 2013-08-07, rev 0x0016, size 20480
sig 0x00040651, pf mask 0x72, 2013-08-08, rev 0x0016, size 19456
+ Updated Microcodes (recently removed):
sig 0x000106e4, pf mask 0x09, 2013-07-01, rev 0x0003, size 6144
* This microcode release *likely* fixes the security issues addressed by
the 20130808 update for signature 0x106e4 (Xeon EC3500/EC5500/LC3500/
LC5500, Jasper Forest core), which was missing from the 20130808 update
* upstream changelog: trim down, sunrise now at 20080220, the first
microcode pack with a license that allows redistribution
* cpu-signatures.txt: Xeon nocona cores are 64-bit, ship for amd64 arch
(closes: #722048)
* source: remove superseded upstream data file: 20130808
intel-microcode (1.20130808.2) unstable; urgency=high
.
* Reupload with high severity. This microcode update has been documented
by Intel to fix a severe security issue (refer to LP bug 1212497);
This update is known to fix several nasty errata on 3rd-gen and
4th-gen Core i3/i5/i7, and Xeon 5500 and later, including but not
limited to:
+ AAK167/BT248: Virtual APIC accesses with 32-bit PAE paging
may cause system crash
+ AAK170/BT246: The upper 32 bits of CR3 may be incorrectly used
with 32-bit paging
* Erratum AAK167/BT248 is nasty: "If a logical processor has EPT (Extended
Page Tables) enabled, is using 32-bit PAE paging, and accesses the
virtual-APIC page then a complex sequence of internal processor
micro-architectural events may cause an incorrect address translation or
machine check on either logical processor. This erratum may result in
unexpected faults, an uncorrectable TLB error logged in
IA32_MCi_STATUS.MCACOD (bits [15:0]), a guest or hypervisor crash, or
other unpredictable system behavior"
intel-microcode (1.20130808.1) unstable; urgency=low
.
* New upstream microcode data file 20130808
+ New Microcodes:
sig 0x000306c3, pf mask 0x32, 2013-07-02, rev 0x0012, size 19456
sig 0x000306e4, pf mask 0xed, 2013-06-13, rev 0x0415, size 11264
sig 0x000306e6, pf mask 0xed, 2013-06-19, rev 0x0600, size 11264
sig 0x00040651, pf mask 0x72, 2013-07-02, rev 0x0015, size 18432
+ Updated Microcodes (removed in the past):
sig 0x000106a5, pf mask 0x03, 2013-06-21, rev 0x0019, size 10240
+ Updated Microcodes:
sig 0x000106a4, pf mask 0x03, 2013-06-21, rev 0x0012, size 14336
sig 0x000106e5, pf mask 0x13, 2013-07-01, rev 0x0006, size 7168
sig 0x00020652, pf mask 0x12, 2013-06-26, rev 0x000e, size 8192
sig 0x00020655, pf mask 0x92, 2013-06-28, rev 0x0004, size 3072
sig 0x000206a7, pf mask 0x12, 2013-06-12, rev 0x0029, size 10240
sig 0x000206d7, pf mask 0x6d, 2013-06-17, rev 0x0710, size 17408
sig 0x000206f2, pf mask 0x05, 2013-06-18, rev 0x0037, size 13312
sig 0x000306a9, pf mask 0x12, 2013-06-13, rev 0x0019, size 12288
+ Removed Microcodes:
sig 0x000106e4, pf mask 0x09, 2010-03-08, rev 0x0002, size 5120
* Remove from the source package an unused upstream microcode bundle,
which has been completely superseded by later bundles:
microcode-20130222.dat
kfreebsd-9 (9.0-10+deb70.5) stable; urgency=low
.
* Disable 101_nullfs_vsock.diff. (Closes: #718888)
kfreebsd-9 (9.0-10+deb70.4) wheezy-security; urgency=high
.
* Team upload.
* Pick SVN 255443 from FreeBSD 9-STABLE to fix SA-13:12 / CVE-2013-5691:
ifioctl credential checks missing (Closes: #722338)
* Pick SVN 255443 from FreeBSD 9-STABLE to fix SA-13:13 / CVE-2013-5710:
nullfs hardlinks across mounts (Closes: #722337)
libapache2-mod-fcgid (1:2.3.6-1.2+deb7u1) wheezy-security; urgency=high
.
* Fix CVE-2013-4365: heap buffer overwrite. (Closes: #725942)
- Add debian/patches/40_CVE-2013-4365.dpatch
libdatetime-timezone-perl (1:1.58-1+2013h) stable-proposed-updates; urgency=low
.
* Update to version(s 2013g and) 2013h of the Olson database.
libguestfs (1:1.18.1-1+deb7u3) stable; urgency=low
.
* Added fix for CVE-2013-4419: insecure temporary directory handling for
remote guestfish
libhttp-body-perl (1.11-1+deb7u1) wheezy-security; urgency=high
.
* Team upload.
* Add CVE-2013-4407.patch patch.
CVE-2013-4407: An attacker able to upload files to a service that uses
HTTP::Body::Multipart could execute commands on the server.
(Closes: #721634)
libnet-server-perl (2.006-1+deb7u1) wheezy; urgency=low
.
* Team upload.
* Add fix-use-of-uninitialized-value-in-pattern-match.patch.
Fixes use of uninitialized value in pattern match.
This in particular affects munin-nodes under wheezy. Logs are spammed
with entries: "Use of uninitialized value in pattern match (m//) at
/usr/share/perl5/Net/Server.pm line 600.". (Closes: #693320)
libnet-smtp-tls-butmaintained-perl (0.17-1+deb7u1) wheezy; urgency=low
.
* Team upload.
* Add fix-misuse-of-IO-Socket-SSL.patch.
Fixes misuse of IO::Socket::SSL in the SSL_version argument (wrong
syntax). This causes the errors like "invalid SSL_version specified at
/usr/share/perl5/IO/Socket/SSL.pm line 332". (Closes: #728248)
* Update (build-)dependency for IO::Socket::SSL.
Update Build-Depends-Indep and Depends on libio-socket-ssl-perl to
explicitly require at least 1.76 to guarantee to work when applied the
patch for #728248.
librsvg (2.36.1-2) stable; urgency=low
.
[ Rapha├лl Geissert ]
* Fix CVE-2013-1881: disable loading of external entities.
Closes: #724741.
.
[ Josselin Mouette ]
* Break libgtk-3-0 (<< 3.4.2-7) which uses the anti-feature that is
disabled by the security fix.
libxml2 (2.8.0+dfsg1-7+nmu2) stable-security; urgency=high
.
* Non-maintainer upload by the Security Team.
* Fix cve-2013-2877: out-of-bounds read when handling documents that end
abruptly.
lighttpd (1.4.31-4+deb7u2) stable-security; urgency=high
.
* Non-maintainer upload by the Security Team.
* Fix regression introduced by fix for cve-2013-4508, related to client
certificates and SNI. Closes: #729555, #729480
lighttpd (1.4.31-4+deb7u1) stable-security; urgency=high
.
* Non-maintainer upload by the Security Team.
* Fix cve-2013-4508: ssl cipher suites issue.
* Fix cve-2013-4559: setuid privilege escalation issue.
* Fix cve-2013-4560: use-after-free in fam.
links2 (2.7-1+deb7u1) wheezy-security; urgency=high
.
* Add patch against integer overflow in graphics mode (CVE-2013-6050)
lua-sql (2.3.0-1+build0) wheezy; urgency=low
.
* Non-maintainer upload.
* No-change sourceful upload to restore multiarch co-installability of
lua-sql-* by clearing binNMU state.
meep-lam4 (1.1.1-10~deb7u1) wheezy; urgency=low
.
* upload to wheezy; Closes: #711767 in stable
meep-mpi-default (1.1.1-10~deb7u1) wheezy; urgency=low
.
* upload to wheezy; Closes: #711765 in stable
meep-mpich2 (1.1.1-10~deb7u1) wheezy; urgency=low
.
* upload to wheezy; Closes: #711768 in stable
meep-openmpi (1.1.1-9~deb7u1) wheezy; urgency=low
.
* upload to wheezy; Closes: #711766 in stable
multipath-tools (0.4.9+git0.4dfdaf2b-7~deb7u2) stable-proposed-updates; urgency=low
.
* Non-maintainer upload.
* Restore "dmsetup export" workaround for Debian.
The hunk using /lib/udev/dmsetup_env to gather device-mapper information
needed was lost in the -7 Debian revision upload. Restore the udev rule
based on the upstream one.
Revert copying of kpartx/kpartx.rules from upstream sources.
(Closes: #726296, #726311)
nagios3 (3.4.1-3+deb7u1) wheezy; urgency=low
.
* Backport the following changes to wheezy:
* [cd50049] Add missing check command in initscript (Closes: #680615)
* [77c9d0e] Fix typo in initscript
* [a2c78a1] Stop status.cgi from listing unauthorized hosts and services in servicegroup view (CVE-2013-2214)
Thanks to Jonas Meurer for the report and the patch (Closes: #714171)
* [51fb59b] Backport upstream r1953 to fix downtime retention across restarts.
Thanks to Didier 'OdyX' Raboud for the patch (Closes: #710356)
nas (1.9.3-5wheezy1) stable-security; urgency=high
.
* Fixes for various long-standing security issues found by Hamid
Zamani <me@hamidx9.ir>. Closes: #720287
+ Validate the port offset of nasd to fix a potential buffer overflow
(CVE-2013-4256)
+ Use better string functions to guard against heap overflows
(CVE-2013-4257)
+ Sanity-check the TCP_DEVICE environment variable to remove a format
string bug (CVE-2013-4258)
nbd (1:3.2-4~deb7u4) stable-security; urgency=low
.
* Cherry-pick df890c99337a255979e608d71f42401c0cddd5e0 from git HEAD
to fix parsing of authfile files.
nbd (1:3.2-4~deb7u4~bpo60+1) squeeze-backports; urgency=low
.
* Re-upload to squeeze-backports.
nginx (1.2.1-2.2+wheezy2) stable-security; urgency=high
.
* debian/patches/fix-CVE-2013-4547.patch:
+ Proper backtracking after space in a request line.
See: CVE:2013-4547 for more details.
nsd3 (3.2.12-3+deb7u1) unstable; urgency=low
.
* Add $network to Required-Start (Closes: #694930)
nss (2:3.14.5-1) stable-security; urgency=low
.
* New upstream release.
- Fixes CVE-2013-5605.
nss (2:3.14.4-1) stable-security; urgency=low
.
* New upstream release.
- Fixes CVE-2013-1739. Closes: #726473.
openjpeg (1.3+dfsg-4.7) wheezy-security; urgency=high
.
* Non-maintainer upload by the Security Team.
* Fix CVE-2013-6052: information leak.
* Fix CVE-2013-6045: multiple heap buffer overflows.
* Fix CVE-2013-6054: a heap buffer overflow.
* Fix CVE-2013-1447: multiple crashers.
openttd (1.2.1-3) wheezy; urgency=high
.
* [81d0ce5] Fix CVE-2013-6411 (Denial of service using forcefully
crashed aircrafts). See
http://security.openttd.org/en/CVE-2013-6411 for details.
* [b9207a4] Exclude debian/gpb.conf from the source package
polarssl (1.2.9-1~deb7u1) stable-security; urgency=low
.
* New upstream release
- Fixes CVE-2013-5914 CVE-2013-5915 (Closes: #725359)
polarssl (1.2.9-1~deb6u1) oldstable-security; urgency=low
.
* New upstream release
- Fixes CVE-2013-5914 CVE-2013-5915 (Closes: #725359)
polarssl (1.2.8-2) unstable; urgency=low
.
* Activate HAVEGE config option manually, needed since 1.2.8
polarssl (1.2.8-1) unstable; urgency=low
.
* New upstream release
polarssl (1.2.7-1) unstable; urgency=low
.
* New upstream release
polarssl (1.2.6-1) experimental; urgency=low
.
* New upstream release
* debian/control: Standards-Version: 3.9.4
polarssl (1.2.5-1) experimental; urgency=low
.
* New upstream release (Closes: #699887)
* Fixes CVE-2013-0169: Lucky 13 TLS protocol timing flaw
(Including CVE-2013-1621 and CVE-2013-1622)
polarssl (1.2.4-1) experimental; urgency=low
.
* New upstream release
polarssl (1.2.3-1) experimental; urgency=low
.
* New upstream release
polarssl (1.2.2-1) experimental; urgency=low
.
* New upstream release
polarssl (1.2.0-1) experimental; urgency=low
.
* New upstream release
* debian/control: Build-Depends: debhelper (>= 9) (debian/compat also)
postgresql-8.4 (8.4.19-0wheezy1) stable; urgency=low
.
* New upstream bug fix release. No effective changes for PL/Perl, the
version must just be higher than the one in squeeze, as usual.
postgresql-8.4 (8.4.19-0squeeze1) oldstable; urgency=low
.
* New upstream bug fix release:
- Fix "VACUUM"'s tests to see whether it can update relfrozenxid
In some cases "VACUUM" (either manual or autovacuum) could
incorrectly advance a table's relfrozenxid value, allowing tuples
to escape freezing, causing those rows to become invisible once
2^31 transactions have elapsed. The probability of data loss is
fairly low since multiple incorrect advancements would need to
happen before actual loss occurs, but it's not zero. Users
upgrading from release 8.4.8 or earlier are not affected, but all
later versions contain the bug.
The issue can be ameliorated by, after upgrading, vacuuming all
tables in all databases while having vacuum_freeze_table_age set to
zero. This will fix any latent corruption but will not be able to
fix all pre-existing data errors. However, an installation can be
presumed safe after performing this vacuuming if it has executed
fewer than 2^31 update transactions in its lifetime (check this
with SELECT txid_current() < 2^31).
- See HISTORY/changelog.gz for details about other bug fixes.
postgresql-8.4 (8.4.18-0wheezy1) stable; urgency=low
.
* New upstream bug fix release. No effective changes for PL/Perl, the
version must just be higher than the one in squeeze, as usual.
postgresql-8.4 (8.4.18-0squeeze1) oldstable; urgency=low
.
* New upstream bug fix release. See HISTORY/changelog.gz for details.
(No security or critical issues this time.)
postgresql-9.1 (9.1.11-0wheezy1) stable; urgency=low
.
* New upstream bug fix release:
- Fix "VACUUM"'s tests to see whether it can update relfrozenxid
In some cases "VACUUM" (either manual or autovacuum) could
incorrectly advance a table's relfrozenxid value, allowing tuples
to escape freezing, causing those rows to become invisible once
2^31 transactions have elapsed. The probability of data loss is
fairly low since multiple incorrect advancements would need to
happen before actual loss occurs, but it's not zero. Users
upgrading from releases 9.0.4 or 8.4.8 or earlier are not affected,
but all later versions contain the bug.
The issue can be ameliorated by, after upgrading, vacuuming all
tables in all databases while having vacuum_freeze_table_age set to
zero. This will fix any latent corruption but will not be able to
fix all pre-existing data errors. However, an installation can be
presumed safe after performing this vacuuming if it has executed
fewer than 2^31 update transactions in its lifetime (check this
with SELECT txid_current() < 2^31).
.
- Fix initialization of "pg_clog" and "pg_subtrans" during hot
standby startup
This bug can cause data loss on standby servers at the moment they
start to accept hot-standby queries, by marking committed
transactions as uncommitted. The likelihood of such corruption is
small unless, at the time of standby startup, the primary server
has executed many updating transactions since its last checkpoint.
Symptoms include missing rows, rows that should have been deleted
being still visible, and obsolete versions of updated rows being
still visible alongside their newer versions.
This bug was introduced in versions 9.3.0, 9.2.5, 9.1.10, and
9.0.14. Standby servers that have only been running earlier
releases are not at risk. It's recommended that standby servers
that have ever run any of the buggy releases be re-cloned from the
primary (e.g., with a new base backup) after upgrading.
.
- See HISTORY/changelog.gz for details about other bug fixes.
postgresql-9.1 (9.1.10-1) unstable; urgency=low
.
* New upstream bug fix release. See changelog.gz for details.
* Drop 00git-perl5.18.patch, applied upstream.
* Add 04-config-update.patch: Refresh config.{guess,sub} to latest version
for enabling ports, in particular arm64 and the upcoming ppc64el.
postgresql-9.1 (9.1.10-0wheezy1) stable; urgency=low
.
* New upstream bug fix release. See HISTORY/changelog.gz for details.
(No security or critical issues this time.)
postgresql-9.1 (9.1.9-5) unstable; urgency=low
.
[ Christoph Berg ]
* Pull 82b0102650cf85268145a46f0ab488bacf6599a1 from upstream head to better
support VPATH builds of PGXS modules, and make the install targets depend
on installdirs.
.
[ Martin Pitt ]
* debian/rules: Still build the client-side libraries on Ubuntu.
postgresql-9.1 (9.1.9-4) unstable; urgency=low
.
* debian/rules: Ignore test suite failures on hurd (unimplemented
semaphores) and kfreebsd-* (PL tests known to fail).
postgresql-9.1 (9.1.9-3) unstable; urgency=low
.
[ Martin Pitt ]
* debian/rules: Support multi-arch locations of {tcl,tk}-config.
* debian/rules: Don't build with kerberos and LDAP support for
DEB_STAGE=stage1 to aid with bootstrapping.
* debian/tests/control: Add missing net-tools dependency (for ifconfig).
* Add 00git-aarch64.patch: Add ARM64 (aarch64) support to s_lock.h.
Backported from upstream git.
* debian/rules: Call dh with --parallel.
* Add 00git-perl5.18.patch: Adjust PL/Perl test cases to also work for Perl
5.18. Backported from upstream 9.1 stable branch.
* debian/rules: Don't build client-side libraries unless we have a pgdg
version, as these are built by -9.3 now.
.
[ Christoph Berg ]
* Pull 6697aa2bc25c83b88d6165340348a31328c35de6 from upstream head to
better support VPATH builds of PGXS modules.
* debian/rules, 60-pg_regress_socketdir: Remove the temporary patches from
pg_regress, and teach pg_regress to support unix socket dirs in --host.
Use a random port number as well.
* debian/rules: Use "make check-world" to run the regression tests. Thanks
to Peter Eisentraut for the suggestion.
* 61-extra_regress_opts: Add EXTRA_REGRESS_OPTS in Makefile.global(.in) and
in src/interfaces/ecpg/test/Makefile.
postgresql-9.1 (9.1.9-2) unstable; urgency=low
.
* debian/copyright: Fix syntax errors.
* debian/rules: Build with -fno-aggressive-loop-optimizations with gcc 4.8
to avoid generating bad code due to the broken usage of variable-length
arrays. This is fixed properly in 9.2, but the patch does not backport
well. (Closes: #701340)
python-crypto (2.6-4+deb7u3) wheezy-security; urgency=low
.
* debian/patches/CVE-2013-1445.patch: Disable multiprocessing tests on
kfreebsd-* completely since Python 2.6 and 2.7 report different errors if
multiprocessing is not working.
quagga (0.99.22.4-1+wheezy1) stable-security; urgency=high
.
* SECURITY:
CVE-2013-6051 - a bug in Quagga 0.99.21 that could let bgpd crash on
receiving normal, valid BGP updates. Closes: #730513
.
quagga (0.99.22.4-1) unstable; urgency=high
.
* SECURITY:
"ospfd: CVE-2013-2236, stack overrun in apiserver
.
the OSPF API-server (exporting the LSDB and allowing announcement of
Opaque-LSAs) writes past the end of fixed on-stack buffers. This leads
to an exploitable stack overflow.
.
For this condition to occur, the following two conditions must be true:
- Quagga is configured with --enable-opaque-lsa
- ospfd is started with the "-a" command line option
.
If either of these does not hold, the relevant code is not executed and
the issue does not get triggered."
Closes: #726724
.
* New upstream release
- ospfd: protect vs. VU#229804 (malformed Router-LSA)
(Quagga is said to be non-vulnerable but still adds some protection)
.
quagga (0.99.22.1-2) unstable; urgency=low
.
* Added autopkgtests (thanks to Yolanda Robla). Closes: #710147
* Added "status" command to init script (thanks to James Andrewartha).
Closes: #690013
* Added "libsnmp-dev" to Build-Deps. There not needed for the official
builds but for people who compile Quagga themselves to activate the
SNMP feature (which for licence reasons cannot be done by Debian).
Thanks to Ben Winslow). Closes: #694852
* Changed watchquagga_options to an array so that quotes can finally
be used as expected. Closes: #681088
* Fixed bug that prevented restarting only the watchquagga daemon
(thanks to Harald Kappe). Closes: #687124
.
quagga (0.99.22.1-1) unstable; urgency=low
.
* New upstream release
- ospfd restore nexthop IP for p2p interfaces
- ospfd: fix LSA initialization for build without opaque LSA
- ripd: correctly redistribute ifindex routes (BZ#664)
- bgpd: fix lost passwords of grouped neighbors
* Removed 91_ld_as_needed.diff as it was found in the upstream source.
.
quagga (0.99.22-1) unstable; urgency=low
.
* New upstream release.
- [bgpd] The semantics of default-originate route-map have changed.
The route-map is now used to advertise the default route conditionally.
The old behaviour which allowed to set attributes on the originated
default route is no longer supported.
- [bgpd] this version of bgpd implements draft-idr-error-handling. This was
added in 0.99.21 and may not be desirable. If you need a version
without this behaviour, please use 0.99.20.1. There will be a
runtime configuration switch for this in future versions.
- [isisd] is in "beta" state.
- [ospf6d] is in "alpha/experimental" state
- More changes are documented in the upstream changelog!
* debian/watch: Adjusted to new savannah.gnu.org site, thanks to Bart
Martens.
* debian/patches/99_CVE-2012-1820_bgp_capability_orf.diff removed as its
in the changelog.
* debian/patches/99_distribute_list.diff removed as its in the changelog.
* debian/patches/10_doc__Makefiles__makeinfo-force.diff removed as it
was just for Debian woody.
quagga (0.99.22.4-1) unstable; urgency=high
.
* SECURITY:
"ospfd: CVE-2013-2236, stack overrun in apiserver
.
the OSPF API-server (exporting the LSDB and allowing announcement of
Opaque-LSAs) writes past the end of fixed on-stack buffers. This leads
to an exploitable stack overflow.
.
For this condition to occur, the following two conditions must be true:
- Quagga is configured with --enable-opaque-lsa
- ospfd is started with the "-a" command line option
.
If either of these does not hold, the relevant code is not executed and
the issue does not get triggered."
Closes: #726724
.
* New upstream release
- ospfd: protect vs. VU#229804 (malformed Router-LSA)
(Quagga is said to be non-vulnerable but still adds some protection)
quagga (0.99.22.1-2) unstable; urgency=low
.
* Added autopkgtests (thanks to Yolanda Robla). Closes: #710147
* Added "status" command to init script (thanks to James Andrewartha).
Closes: #690013
* Added "libsnmp-dev" to Build-Deps. There not needed for the official
builds but for people who compile Quagga themselves to activate the
SNMP feature (which for licence reasons cannot be done by Debian).
Thanks to Ben Winslow). Closes: #694852
* Changed watchquagga_options to an array so that quotes can finally
be used as expected. Closes: #681088
* Fixed bug that prevented restarting only the watchquagga daemon
(thanks to Harald Kappe). Closes: #687124
quagga (0.99.22.1-1) unstable; urgency=low
.
* New upstream release
- ospfd restore nexthop IP for p2p interfaces
- ospfd: fix LSA initialization for build without opaque LSA
- ripd: correctly redistribute ifindex routes (BZ#664)
- bgpd: fix lost passwords of grouped neighbors
* Removed 91_ld_as_needed.diff as it was found in the upstream source.
quagga (0.99.22-1) unstable; urgency=low
.
* New upstream release.
- [bgpd] The semantics of default-originate route-map have changed.
The route-map is now used to advertise the default route conditionally.
The old behaviour which allowed to set attributes on the originated
default route is no longer supported.
- [bgpd] this version of bgpd implements draft-idr-error-handling. This was
added in 0.99.21 and may not be desirable. If you need a version
without this behaviour, please use 0.99.20.1. There will be a
runtime configuration switch for this in future versions.
- [isisd] is in "beta" state.
- [ospf6d] is in "alpha/experimental" state
- More changes are documented in the upstream changelog!
* debian/watch: Adjusted to new savannah.gnu.org site, thanks to Bart
Martens.
* debian/patches/99_CVE-2012-1820_bgp_capability_orf.diff removed as its
in the changelog.
* debian/patches/99_distribute_list.diff removed as its in the changelog.
* debian/patches/10_doc__Makefiles__makeinfo-force.diff removed as it
was just for Debian woody.
quagga (0.99.21-4+wheezy2) stable-security; urgency=high
.
* Applied a patch that fixes the following security issue:
"ospfd: CVE-2013-2236, stack overrun in apiserver
.
the OSPF API-server (exporting the LSDB and allowing announcement of
Opaque-LSAs) writes past the end of fixed on-stack buffers. This leads
to an exploitable stack overflow.
.
For this condition to occur, the following two conditions must be true:
- Quagga is configured with --enable-opaque-lsa
- ospfd is started with the "-a" command line option"
Closes: #726724
roundcube (0.7.2-9+deb7u1) wheezy-security; urgency=high
.
* Non-maintainer upload by the Security Team.
* Add CVE-2013-6172.patch patch.
CVE-2013-6172: An attacker can overwrite configuration settings
using user preferences. This can result in random file access,
manipulated SQL queries and even code execution. (Closes: #727668)
rtkit (0.10-2+wheezy1) stable; urgency=high
.
* Fix CVE-2013-4326:
- pass uid of caller to polkit, otherwise we force polkit to look up
the uid itself in /proc, which is racy if they execve() a setuid
binary (Closes: #723714)
ruby-passenger (3.0.13debian-1+deb7u1) wheezy; urgency=low
.
* Fix CVE-2013-2119 and CVE-2013-4136: insecure tmp files usage.
(Closes: #710351, #717176)
- Backport upstream commits in CVE-2013-2119.patch and CVE-2013-4136.patch
ruby1.8 (1.8.7.358-7.1+deb7u1) stable-security; urgency=high
.
[ Rapha├лl Hertzog ]
* debian/patches/CVE-2013-4164.patch: New patch to fix
heap overflow in floating point parsing (Closes: #730189)
Thanks to Moritz Muehlenhoff for the patch.
.
[ Antonio Terceiro ]
* debian/patches/CVE-2013-4073: fix regression that introduced syntax errors
in test/openssl/test_ssl.rb, breaking the execution of the test suite
during the package build.
ruby1.8 (1.8.7.358-7.1) unstable; urgency=high
.
* Non-maintainer upload.
* Add CVE-2013-4073.patch patch.
CVE-2013-4073: Fix hostname check bypassing vulnerability in SSL client.
(Closes: #714541)
ruby1.9.1 (1.9.3.194-8.1+deb7u2) stable-security; urgency=low
.
[ Rapha├лl Hertzog ]
* debian/patches/CVE-2013-4164.patch: add upstream patch to fix heap
overflow in floating point parsing. Closes: #730178
ruby1.9.1 (1.9.3.194-8.1+deb7u1) stable-security; urgency=low
.
* debian/patches/CVE-2013-2065.patch: add upstream patch to fix object taint
bypassing in libraries to handle native code through dlopen().
* debian/patches/CVE-2013-4073.patch: fix hostname check bypassing
vulnerability in SSL client. Thanks to Salvatore Bonaccorso.
Closes: #714543
scikit-learn (0.11.0-2+deb7u1) wheezy; urgency=low
.
[ Andreas Beckmann ]
* Non-maintainer upload.
* Backport fix for #709056 to wheezy.
.
[ Yaroslav Halchenko ]
* debian/control
- move joblib to Depends from Recommends (Closes: #709056)
smplayer (0.8.0-1+deb7u1) stable; urgency=low
.
* Team upload.
* Don't append -fontconfig to the command line options for Mplayer2
to prevent crash at startup. (Closes: #723707)
spip (2.1.17-1+deb7u2) wheezy-security; urgency=high
.
* Fix upstream version in previous changelog entry
* Backport patches from 2.1.24
- Fix CSRF on logout
- Fix XSS on author page
* Update security screen to 1.1.8
- Avoid PHP injection in $connect
* Update displayed version
starpu (1.0.1+dfsg-1) wheezy; urgency=low
.
* Rebuild orig tarball without NVIDIA proprietary source code
(Closes: Bug#724919).
starpu (1.0.1-4) unstable; urgency=low
.
* patches/binding: Backport upstream change to fix binding on CPU near GPUs,
and for combined workers.
* patches/bashism: Backport upstream change to fix bashism.
(Closes: Bug#690935).
* patches/automake-Werror: Fix automake warnings (Closes: Bug#713335).
starpu-contrib (1.0.1+dfsg-1) wheezy; urgency=low
.
* Rebuild orig tarball without NVIDIA proprietary source code
(Closes: Bug#724919).
starpu-contrib (1.0.1-4) unstable; urgency=low
.
* patches/binding: Backport upstream change to fix binding on CPU near GPUs,
and for combined workers.
* patches/bashism: Backport upstream change to fix bashism.
(Closes: Bug#690935).
* patches/automake-Werror: Fix automake warnings (Closes: Bug#713335).
strongswan (4.5.2-1.5+deb7u2) wheezy-security; urgency=high
.
* Non-maintainer upload by the Security Team.
* debian/patches
- CVE-2013-6075 added, fix remote denial of service and authorization
bypass.
strongswan (4.5.2-1.5+deb7u2~bpo60+1) squeeze-backports; urgency=high
.
* Rebuild for squeeze-backports.
* debian/control: Add myself to Uploaders.
.
strongswan (4.5.2-1.5+deb7u2) wheezy-security; urgency=high
.
* Non-maintainer upload by the Security Team.
* debian/patches
- CVE-2013-6075 added, fix remote denial of service and authorization
bypass.
.
strongswan (4.5.2-1.5+deb7u1) wheezy-security; urgency=high
.
* Non-maintainer upload by the Security Team.
* debian/patches:
- 0001-Check-return-value-of-ECDSA_Verify-correctly added. Fix ECDSA
signature verification when using openssl plugin (CVE-2013-2944).
.
strongswan (4.5.2-1.5) unstable; urgency=low
.
* Non-maintainer upload.
* Fix "package must not include /var/lock/subsys":
don't ship /var/lock/subsys but create it in the init script.
(Closes: #667764)
sup-mail (0.12.1+git20120407.aaa852f-1+deb7u1) wheezy-security; urgency=high
.
* Fix remote code injection when viewing attachments, CVE-2013-4478 and
CVE-2013-4479 (Closes: #728232)
systemd (44-11+deb7u4) stable-security; urgency=low
.
* Fix CVE-2013-4327, CVE-2013-4391 and CVE-2013-4394
(starting with +deb7u4 due to problems with debsrc3-related build
problems, removed sing├Гle-debian-patch optio)
torque (2.4.16+dfsg-1+deb7u2) wheezy-security; urgency=high
.
* Non-maintainer upload by the Security Team.
* Add fix-FTBFS-on-kfreebsd.patch patch.
Fix FTBFS on kfreebsd-{amd64,i386} due to use of deprecated header
<nlist.h>. Switch to use <bsd/nlist.h>. (Closes: #725870)
* Add CVE-2013-4495.patch patch.
CVE-2013-4495: the pbs_server daemon would pass some user-input data to
popen() in order to send an email allowing remote privilege escalation.
(Closes: #729333)
torque (2.4.16+dfsg-1+deb7u1) wheezy-security; urgency=high
.
* Non-maintainer upload by the Security Team.
* Add CVE-2013-4319.patch.
CVE-2013-4319: remote arbitrary command execution as root on cluster
by a non-priviledged user who is able to run jobs or login to a node
which runs pbs_server or pbs_mon. (Closes: #722306)
tryton-client (2.2.3-1+deb7u1) stable-security; urgency=high
.
* Adding 04-sanitize-file-extension.patch.
This patch sanitizes correctly the file extension of temporary files
received by the server (s.
https://bugs.tryton.org/issue3446).
typo3-src (4.5.19+dfsg1-5+wheezy1) wheezy-security; urgency=medium
.
* Added patch for TYPO3-CORE-SA-2013-002. (Closes: #720194)
- change flash audio player to new version 2.0.4.6
- Import of sources of 2.0.4.6 of 1pixelout audio player from
http://subversion.assembla.com/svn/1pixelout/audio-player/tags/2.0.4.6 - Changed audio player license (GPL-2 -> MIT)
* Set patch level version to -pl.4.5.29.
tzdata (2013h-0wheezy1) stable; urgency=low
.
* New upstream version.
tzdata (2013d-1) unstable; urgency=low
.
* New upstream version.
usemod-wiki (1.0.5-1+deb7u1) stable; urgency=low
.
* Update hardcoded cookie expiration date from 2013 to 2025. Thanks to
Andrew Bezella for the patch. (Closes: #726762)
wireshark (1.8.2-5wheezy7) wheezy-security; urgency=high
.
* security fixes from Wireshark 1.8.11:
- The IEEE 802.15.4 dissector could crash. (CVE-2013-6336)
- The NBAP dissector could crash. Discovered by Laurent Butti.
(CVE-2013-6337)
- The SIP dissector could crash.
(CVE-2013-6338)
- The TCP dissector could crash. (CVE-2013-6340)
xfce4-weather-plugin (0.7.4-4) wheezy; urgency=low
.
* debian/patches:
- 01_uri_change added, update weather.com API URI. closes: #727628
xorg-server (2:1.12.4-6+deb7u1) stable-security; urgency=low
.
* CVE-2013-4396
