[ddh-sys] apt-listchanges: changelogs for less
root
root op ddh.nl
Wo Okt 6 13:04:10 CEST 2010
apache2 (2.2.9-10+lenny8) stable; urgency=low
* Add missing psmisc dependency for killall used in the init script.
Closes: #568542
* Fix potential memory leaks related to the usage of apr_brigade_destroy().
-- Stefan Fritsch <sf op debian.org> Mon, 19 Apr 2010 21:17:33 +0200
apache2 (2.2.9-10+lenny7) stable-security; urgency=high
* Non-maintainer upload by the Security Team.
* Fixed CVE-2010-0408: denial of service via crafted request in mod_proxy_ajp
* Fixed CVE-2010-0434: information disclosure via improper handling of
headers in subrequests
-- Giuseppe Iuculano <iuculano op debian.org> Sun, 28 Mar 2010 17:50:02 +0200
apr-util (1.2.12+dfsg-8+lenny5) stable-security; urgency=high
* CVE-2010-1623: Fix denial of service vulnerability through memory
consumption in apr_brigade_split_line()
-- Stefan Fritsch <sf op debian.org> Thu, 30 Sep 2010 17:09:37 +0200
bind9 (1:9.6.ESV.R1+dfsg-0+lenny2) stable-security; urgency=medium
* Use old location of the PID files. Closes: #585004.
* Log warning if openssl.cnf is not readable.
-- Florian Weimer <fw op deneb.enyo.de> Wed, 09 Jun 2010 06:53:48 +0200
bind9 (1:9.6.ESV.R1+dfsg-0+lenny1) stable-security; urgency=high
* New upstream version: BIND 9.6-ESV-R1.
* Restore Debian-specific feature patches.
-- Florian Weimer <fw op deneb.enyo.de> Sun, 23 May 2010 14:45:30 +0200
bind9 (1:9.6.ESV+dfsg-0+lenny1) stable-security; urgency=high
* New upstream version: BIND 9.6-ESV.
-- Florian Weimer <fw op deneb.enyo.de> Sun, 16 May 2010 19:43:10 +0200
bzip2 (1.0.5-1+lenny1) stable-security; urgency=high
* Non-maintainer upload by the Security Team.
* CVE-2010-0405: Fix integer overflow.
-- Stefan Fritsch <sf op debian.org> Mon, 16 Aug 2010 18:42:38 +0200
freetype (2.3.7-2+lenny4) stable-security; urgency=high
* Non-maintainer upload by the Security Team.
* fix CVE-2010-3311: integer overflow which can lead to a heap overflow in
libXft
-- Stefan Fritsch <sf op debian.org> Tue, 28 Sep 2010 15:46:35 +0200
freetype (2.3.7-2+lenny3) stable-security; urgency=high
* Non-maintainer upload by the Security Team.
* CVE-2010-1797: Multiple stack-based buffer overflows
* CVE-2010-2541: Buffer overflow in the ftmulti demo program
* CVE-2010-2805: denial of service or possibly execute arbitrary code via a
crafted font file
* CVE-2010-2806: heap-based buffer overflow
* CVE-2010-2807: denial of service or possibly execute arbitrary code via a
crafted font file
* CVE-2010-2808: Buffer overflow
* CVE-2010-3053: denial of service (application crash) via a crafted BDF
font file
-- Giuseppe Iuculano <iuculano op debian.org> Sun, 05 Sep 2010 14:51:39 +0200
freetype (2.3.7-2+lenny2) stable-security; urgency=high
* CVE-2010-2497 freetype integer underflow #30082 #30083
* CVE-2010-2498 freetype invalid free #30106
* CVE-2010-2499 freetype buffer overflow #30248 #30249
* CVE-2010-2500 freetype integer overflow #30263
* CVE-2010-2519 freetype heap buffer overflow #30306
* CVE-2010-2520 freetype invalid realloc #30361
* CVE-2010-XXXX freetype demos buffer overflows #30054
-- Moritz Muehlenhoff <jmm op debian.org> Tue, 13 Jul 2010 19:56:44 +0200
iputils (3:20071127-1+lenny1) stable; urgency=high
* Fix CVE-2010-2529 - resource consumption triggered by specially
crafted ICMP echo reply
-- Noah Meyerhans <noahm op debian.org> Sat, 24 Jul 2010 09:48:00 -0700
krb5 (1.6.dfsg.4~beta1-5lenny4) stable-security; urgency=high
* Non-maintainer upload by the Security Team.
* Fixed CVE-2010-1321: GSS API null pointer dereference.
-- Sebastien Delafond <seb op debian.org> Thu, 20 May 2010 11:42:49 +0200
libapache2-mod-perl2 (2.0.4-5+lenny1) stable; urgency=high
* add 100-svn-XSS-Status.patch; fixes XSS in Apache2::Status (CVE-2009-0796)
Patch taken from r760926 of upstream SVN.
Closes: #567635
-- Damyan Ivanov <dmn op debian.org> Sun, 31 Jan 2010 08:40:19 +0200
libpng (1.2.27-2+lenny4) stable-security; urgency=high
* Non-maintainer upload by the Security Team.
* Fixed CVE-2010-1205: Buffer overflow in pngpread.c (Closes: #587670)
* Fixed CVE-2010-2249: Memory leak in pngrutil.c
-- Giuseppe Iuculano <iuculano op debian.org> Sat, 17 Jul 2010 12:03:12 +0200
linux-2.6 (2.6.26-25lenny1) stable-security; urgency=high
* irda: Correctly clean up self->ias_obj on irda_bind() failure.
(CVE-2010-2954)
* compat: Make compat_alloc_user_space() incorporate the access_ok()
(CVE-2010-3081)
* ALSA: seq/oss - Fix double-free at error path of snd_seq_oss_open()
(CVE-2010-3080)
* xfs: prevent reading uninitialized stack memory (CVE-2010-3078)
* ecryptfs: Bugfix for error related to ecryptfs_hash_buckets (CVE-2010-2492)
-- dann frazier <dannf op debian.org> Thu, 16 Sep 2010 09:38:09 -0600
linux-2.6 (2.6.26-25) stable; urgency=high
[ Ben Hutchings ]
* pid_ns: Ensure that child_reaper is always valid (Closes: #570350)
* [xen] Fix deadlock in timer interrupt, thanks to Zdenek Salvet
(Closes: #534880)
* e1000e: Add support for 82567LM-4, 82567LM-3, 82567LF-3 and 82583V
controllers (Closes: #512546)
[ Moritz Muehlenhoff ]
* parport: quickfix the proc registration bug (Closes: #588672);
ignore ABI changes in parport and parport_pc
[ dann frazier ]
* Add guard page for stacks that grow up, an additional fix for
CVE-2010-2240
* mm: make stack guard page logic use vm_prev pointer, an additional
fix for CVE-2010-2240
* net sched: fix some kernel memory leaks (CVE-2010-2942)
* jfs: don't allow os2 xattr namespace overlap with others (CVE-2010-2946)
-- dann frazier <dannf op debian.org> Sun, 29 Aug 2010 23:12:06 -0600
linux-2.6 (2.6.26-24lenny1) stable-security; urgency=high
* cifs: Fix a kernel BUG with remote OS/2 server (CVE-2010-2248)
* Fix race in tty_fasync() properly (CVE-2009-4895)
* xfs: prevent swapext from operating on write-only files (CVE-2010-2226)
* nfsd4: bug in read_buf (CVE-2010-2521)
* GFS2: rename causes kernel Oops (CVE-2010-2798)
* exec: Fix 'flush_old_exec()/setup_new_exec()' split (Closes: #589179;
regression due to fix for CVE-2010-0307)
* can: add limit for nframes and clean up signed/unsigned variables
(CVE-REQUESTED)
* mm: keep a guard page below a grow-down stack segment (CVE-2010-2240)
* drm: stop information leak of old kernel stack (CVE-2010-2803)
* ext4: fix integer overflows in ext4_ext_{in_cache,get_blocks}
(CVE-2010-3015)
-- dann frazier <dannf op debian.org> Wed, 18 Aug 2010 17:56:34 -0600
linux-2.6 (2.6.26-24) stable; urgency=high
[ Ben Hutchings ]
* usbhid: Reduce the race condition between disconnect and ioctl
(Closes: #511892)
* r8169: Fix MDIO timing (Closes: #583139)
* [x86] Restore automatic update of LILO on kernel installation, upgrade
or removal (Closes: #505609)
-- dann frazier <dannf op debian.org> Sun, 20 Jun 2010 13:54:25 -0600
linux-2.6 (2.6.26-23) stable; urgency=high
[ dann frazier ]
* x86: check boundary in setup_node_bootmem() (Closes: 569704)
* sunxvr500: Ignore secondary output PCI devices (Closes: #580422)
* sctp: fix append error cause to ERROR chunk correctly
(a further fix for CVE-2010-1173)
* nsfd: fix vm overcommit crash (CVE-2008-7256, CVE-2010-1643)
* GFS2: Fix permissions checking for setflags ioctl() (CVE-2010-1641)
* GFS2: Fix writing to non-page aligned gfs2_quota structures (CVE-2010-1436)
[ Ben Hutchings ]
* [sparc64] Fix definition of VMEMMAP_SIZE (Closes: #509202)
* megaraid_sas: Version and documentation update (Closes: #547183)
* bnx2: Fix lost MSI-X problem on 5709 NICs (Closes: #581001)
* raid456: Fix two bugs in handling of degraded states (Closes: #581392)
- Prevent reshaping of doubly-degraded RAID4
- Enable error-correction on singly-degraded RAID6
* r8169: fix broken register writes (Closes: #407217, #573007)
* [i386] Disable use of NOPL instruction in alternatives (Closes: #463606)
* virtio_blk: don't bounce highmem requests (Closes: #584217)
[ maximilian attems ]
* openvz: printk_cpu have to be "cleared" in __vprintk (v2)
(closes: #573460)
* openvz: Fix "Bad throughput of TCP connection after live migration"
(closes: #500145)
* ub: incorrect skb is charged in tcp_send_synack.
[ Aurelien Jarno ]
* mips/swarm: fix boot from IDE based media (Sebastian Andrzej Siewior)
(closes: #466977).
* backport mips/swarm: fix M3 TLB exception handler.
* backport MIPS FPU emulator: allow Cause bits of FCSR to be writeable
by ctc1. (closes: #580602).
-- dann frazier <dannf op debian.org> Fri, 11 Jun 2010 19:40:17 -0600
linux-2.6 (2.6.26-22lenny1) stable-security; urgency=high
[ dann frazier ]
* USB: usbfs: only copy the actual data received (CVE-2010-1083)
* GFS2: Skip check for mandatory locks when unlocking (CVE-2010-0727)
* Bluetooth: Fix potential bad memory access with sysfs files (CVE-2010-1084)
* dvb-core: Fix DoS bug in ULE decapsulation code that can be triggered
by an invalid Payload Pointer (CVE-2010-1086)
* NFS: Fix an Oops when truncating a file (CVE-2010-1087)
* fix LOOKUP_FOLLOW on automount "symlinks" (CVE-2010-1088)
* tty: release_one_tty() forgets to put pids (CVE-2010-1162)
* tipc: Fix oops on send prior to entering networked mode (CVE-2010-1187)
* sctp: Fix skb_over_panic resulting from multiple invalid parameter
errors (CVE-2010-1173)
* sparc64: Fix sun4u execute bit check in TSB I-TLB load (CVE-2010-1451)
* KEYS: find_keyring_by_name() can gain access to a freed keyring
(CVE-2010-1437)
* [powerpc] KGDB: don't needlessly skip PAGE_USER test for Fsl booke
Note: KGDB is not currently enabled in debian builds (CVE-2010-1446)
[ Ben Hutchings ]
* [x86] KVM: disable paravirt mmu reporting (Closes: #573071) (regressed
due to fix for CVE-2010-0298; considered obsolete by upstream)
* r8169: Increase default RX buffer size to avoid RX scattering bug
(CVE-2009-4537)
-- dann frazier <dannf op debian.org> Sun, 09 May 2010 23:22:44 -0600
linux-2.6 (2.6.26-22) stable; urgency=high
[ maximilian attems ]
* [openvz] 1f7db8e checkpointing shared memory fails. (closes: #562891)
* [openvz] 1a6d795 Fix cfq related oops. (closes: #562892)
* [openvz] ddbec37 inotify: unblock umounting. (closes: #513537)
* ALSA: cs4232: fix crash during chip PNP detection. (closes: #529697)
* matroxfb: fix problems with display stability. (closes: #479652)
* [openvz] [UBC]: Endless loop in __sk_stream_wait_memory.
(closes: #542633)
[ Moritz Muehlenhoff ]
* Fix deadlock in saa7134-empress driver (Closes: #499671)
* x86, vmi: TSC going backwards check in vmi clocksource (Closes: #524521)
* ipv6: fix run pending DAD when interface becomes ready (Closes: #508460)
* ata_piix: IDE Mode SATA patch for Intel Ibex Peak DeviceIDs (Closes: #5571533)
[ Ben Hutchings ]
* via-velocity: Give RX descriptors to the NIC later on open or MTU change
(Closes: #508527)
* Add atl1c driver for Atheros AR8131 and AR8132 Ethernet controllers
(Closes: #562694)
* dmfe/tulip: Let dmfe handle DM910x except for SPARC on-board chips
(Closes: #515533)
* x86: Increase MIN_GAP to include randomized stack (Closes: #559035)
* bnx2: Add PCI IDs for Broadcom 5716 and 5716S (Closes: #565353)
* bnx2: Fix several crash bugs (Closes: #565960)
* audit: Fix memory management bugs (Closes: #562815)
- fix braindamage in audit_tree.c untag_chunk()
- fix more leaks in audit_tree.c tag_chunk()
* megaraid_sas: Fix I/O and shutdown sequencing bugs (Closes: #568345)
* megaraid_sas: Add support for MegaRAID SAS 9260 and other PCIe gen2
controllers (Closes: #547183)
* postinst: Fix pattern-matching for 'do_bootloader' configuration option
(Closes: #568317)
* yealink: Reliably kill URBs, fixing potential deadlock (Closes: #570532)
* qla2xxx: Disable MSI/MSI-X on some chips or as selected by module parameter
(Closes: #572322)
- MSI is disabled on QLA24xx chips other than QLA2432 (MSI-X already was)
- MSI-X is disabled if qlx2enablemsix=2
- MSI and MSI-X are disabled if qlx2enablemsix=0
* Adjust fix for #524542 to avoid changing ABI
[ dann frazier ]
* Add be2net driver (Closes: #570428)
* Fix issues with tsc clocksource on VMWare (Closes: #524542)
[ Ian Campbell ]
* [xen/x86] Use correct form of PHYSDEVOP_map_pirq hypercall to prevent crash
when trying to use MSI in domain 0 (Closes: #571603)
-- dann frazier <dannf op debian.org> Tue, 09 Mar 2010 09:52:09 -0700
lvm2 (2.02.39-8) stable-security; urgency=high
* CVE-2010-2526: Fix insecure communication between lvm2 and clvmd.
(Closes: #591204)
-- Bastian Blank <waldi op debian.org> Thu, 19 Aug 2010 16:19:35 +0200
mysql-dfsg-5.0 (5.0.51a-24+lenny4) stable-security; urgency=high
* Non-maintainer upload by the Security Team.
* Fixed CVE-2010-1626: allows local users to delete the data and index files
of another user's MyISAM table via a symlink attack in conjunction with the
DROP TABLE command (Closes: #584400)
* Fixed CVE-2010-1848: Multiple insufficient table name checks
* Fixed CVE-2010-1849: DoS through oversized packets
* Fixed CVE-2010-1850: Table name buffer overflow
-- Giuseppe Iuculano <iuculano op debian.org> Fri, 04 Jun 2010 17:08:45 +0200
openldap (2.4.11-1+lenny2) stable-security; urgency=high
* Fixes CVE-2010-0211 and CVE-2010-0212
-- Matthijs Mohlmann <matthijs op cacholong.nl> Fri, 23 Jul 2010 22:31:35 +0200
php5 (5.2.6.dfsg.1-1+lenny9) stable-security; urgency=high
* Fix CVE-2010-1917: stack consumption on the fnmatch() function
* Fix CVE-2010-2225: use-after-free in the SplObjectStorage
unserializer
* Fix MOPS-2010-60: arbitrary session variables injection
-- Raphael Geissert <geissert op debian.org> Tue, 03 Aug 2010 21:37:14 -0400
phpmyadmin (4:2.11.8.1-5+lenny6) stable-security; urgency=high
* Fixed wrong displaying of number of returned rows.
* Actually apply security patches added in previous upload.
-- Michal Čihař <nijel op debian.org> Tue, 31 Aug 2010 09:57:54 +0200
phpmyadmin (4:2.11.8.1-5+lenny5) stable-security; urgency=high
* Upload to stable to fix security issues.
* Various XSS issues [CVE-2010-3056].
* Unsafe code generation in setup script [CVE-2010-3055].
-- Michal Čihař <nijel op debian.org> Fri, 20 Aug 2010 15:18:17 +0200
phpmyadmin (4:2.11.8.1-5+lenny4) stable-security; urgency=high
* Upload to stable to fix security issues.
* Unserialize called on untrusted data [CVE-2009-4605].
* Predictable temporary file names [CVE-2008-7252].
* May create tempdir with unsafe permissions [CVE-2008-7251].
-- Thijs Kinkhorst <thijs op debian.org> Sat, 17 Apr 2010 13:55:41 +0200
postgresql-8.3 (8.3.11-0lenny1) stable-security; urgency=high
* New upstream security/bug fix release:
- Enforce restrictions in plperl using an opmask applied to the whole
interpreter, instead of using "Safe.pm".
Recent developments have convinced us that "Safe.pm" is too
insecure to rely on for making plperl trustable. This change
removes use of "Safe.pm" altogether, in favor of using a separate
interpreter with an opcode mask that is always applied. Pleasant
side effects of the change include that it is now possible to use
Perl's strict pragma in a natural way in plperl, and that Perl's $a
and $b variables work as expected in sort routines, and that
function compilation is significantly faster. (CVE-2010-1169)
- Prevent PL/Tcl from executing untrustworthy code from pltcl_modules.
PL/Tcl's feature for autoloading Tcl code from a database table
could be exploited for trojan-horse attacks, because there was no
restriction on who could create or insert into that table. This
change disables the feature unless pltcl_modules is owned by a
superuser. (However, the permissions on the table are not checked,
so installations that really need a less-than-secure modules table
can still grant suitable privileges to trusted non-superusers.)
Also, prevent loading code into the unrestricted "normal" Tcl
interpreter unless we are really going to execute a pltclu
function. (CVE-2010-1170)
- Fix possible crash if a cache reset message is received during
rebuild of a relcache entry.
This error was introduced in 8.3.10 while fixing a related failure.
- Apply per-function GUC settings while running the language
validator for the function.
This avoids failures if the function's code is invalid without the
setting; an example is that SQL functions may not parse if the
search_path is not correct.
- Do not allow an unprivileged user to reset superuser-only parameter
settings.
Previously, if an unprivileged user ran ALTER USER ... RESET ALL
for himself, or ALTER DATABASE ... RESET ALL for a database he
owns, this would remove all special parameter settings for the user
or database, even ones that are only supposed to be changeable by a
superuser. Now, the "ALTER" will only remove the parameters that
the user has permission to change.
- Avoid possible crash during backend shutdown if shutdown occurs
when a CONTEXT addition would be made to log entries.
In some cases the context-printing function would fail because the
current transaction had already been rolled back when it came time
to print a log message.
- Ensure the archiver process responds to changes in archive_command
as soon as possible.
- Update pl/perl's "ppport.h" for modern Perl versions.
- Fix assorted memory leaks in pl/python.
- Prevent infinite recursion in psql when expanding a variable that
refers to itself.
- Fix psql's \copy to not add spaces around a dot within \copy
(select ...).
Addition of spaces around the decimal point in a numeric literal
would result in a syntax error.
- Fix unnecessary "GIN indexes do not support whole-index scans"
errors for unsatisfiable queries using "contrib/intarray" operators.
- Ensure that "contrib/pgstattuple" functions respond to cancel
interrupts promptly.
-- Martin Pitt <mpitt op debian.org> Sat, 15 May 2010 12:47:43 +0200
postgresql-8.3 (8.3.10-0lenny1) stable; urgency=low
* New upstream bug fix release:
- Add new configuration parameter ssl_renegotiation_limit to control
how often we do session key renegotiation for an SSL connection.
This can be set to zero to disable renegotiation completely, which
may be required if a broken SSL library is used. In particular,
some vendors are shipping stopgap patches for CVE-2009-3555 that
cause renegotiation attempts to fail.
- Fix possible deadlock during backend startup.
- Fix possible crashes due to not handling errors during relcache
reload cleanly.
- Fix possible crash due to use of dangling pointer to a cached plan.
- Fix possible crashes when trying to recover from a failure in
subtransaction start.
- Fix server memory leak associated with use of savepoints and a
client encoding different from server's encoding.
- Fix incorrect WAL data emitted during end-of-recovery cleanup of a
GIST index page split.
This would result in index corruption, or even more likely an error
during WAL replay, if we were unlucky enough to crash during
end-of-recovery cleanup after having completed an incomplete GIST
insertion.
- Make substring() for bit types treat any negative length as meaning
"all the rest of the string".
The previous coding treated only -1 that way, and would produce an
invalid result value for other negative values, possibly leading to
a crash (CVE-2010-0442). (Closes: #567058)
- Fix integer-to-bit-string conversions to handle the first
fractional byte correctly when the output bit width is wider than
the given integer by something other than a multiple of 8 bits.
- Fix some cases of pathologically slow regular expression matching.
- Fix assorted crashes in xml processing caused by sloppy memory
management.
This is a back-patch of changes first applied in 8.4. The 8.3 code
was known buggy, but the new code was sufficiently different to not
want to back-patch it until it had gotten some field testing.
- Fix bug with trying to update a field of an element of a
composite-type array column.
- Fix the STOP WAL LOCATION entry in backup history files to report
the next WAL segment's name when the end location is exactly at a
segment boundary.
- Fix some more cases of temporary-file leakage.
This corrects a problem introduced in the previous minor release.
One case that failed is when a plpgsql function returning set is
called within another function's exception handler.
- Improve constraint exclusion processing of boolean-variable cases,
in particular make it possible to exclude a partition that has a
"bool_column = false" constraint.
- When reading "pg_hba.conf" and related files, do not treat
@something as a file inclusion request if the @ appears inside
quote marks; also, never treat @ by itself as a file inclusion
request.
This prevents erratic behavior if a role or database name starts
with @. If you need to include a file whose path name contains
spaces, you can still do so, but you must write @"/path to/file"
rather than putting the quotes around the whole construct.
- Prevent infinite loop on some platforms if a directory is named as
an inclusion target in "pg_hba.conf" and related files.
- Fix possible infinite loop if SSL_read or SSL_write fails without
setting errno.
This is reportedly possible with some Windows versions of openssl.
- Disallow GSSAPI authentication on local connections, since it
requires a hostname to function correctly.
- Make ecpg report the proper SQLSTATE if the connection disappears.
- Fix psql's numericlocale option to not format strings it shouldn't
in latex and troff output formats.
- Make psql return the correct exit status (3) when ON_ERROR_STOP and
--single-transaction are both specified and an error occurs during
the implied "COMMIT".
- Fix plpgsql failure in one case where a composite column is set to
NULL.
- Fix possible failure when calling PL/Perl functions from PL/PerlU
or vice versa.
- Add volatile markings in PL/Python to avoid possible
compiler-specific misbehavior.
- Ensure PL/Tcl initializes the Tcl interpreter fully.
The only known symptom of this oversight is that the Tcl clock
command misbehaves if using Tcl 8.5 or later.
- Prevent crash in "contrib/dblink" when too many key columns are
specified to a dblink_build_sql_- function.
- Allow zero-dimensional arrays in "contrib/ltree" operations.
This case was formerly rejected as an error, but it's more
convenient to treat it the same as a zero-element array. In
particular this avoids unnecessary failures when an ltree operation
is applied to the result of ARRAY(SELECT ...) and the sub-select
returns no rows.
- Fix assorted crashes in "contrib/xml2" caused by sloppy memory
management.
* Add 00cvs-unregister-ssl-callbacks.patch: Properly unregister OpenSSL
callbacks when libpq is done with it's connection. Thanks Ondřej Surý for
the backport! (Closes: #411982, LP: #63141)
-- Martin Pitt <mpitt op debian.org> Sat, 13 Mar 2010 16:33:15 +0100
tar (1.20-1+lenny1) stable; urgency=high
* back-port security issue from 1.23 as per CVE-2010-0624, that basically
amounts to replacing the included rmt source with a fresher version taken
from paxutils
-- Bdale Garbee <bdale op gag.com> Wed, 10 Mar 2010 16:20:35 -0700
tiff (3.8.2-11.3) stable-security; urgency=high
* CVE-2010-1411
-- Moritz Muehlenhoff <jmm op debian.org> Mon, 02 Aug 2010 05:33:40 +0000
w3m (0.5.2-2+lenny1) stable; urgency=high
* debian/patches/60_check-null-cn.patch: Patch to check for null bytes
in CN/subjAltName, provided by Ludwig Nussel. [CVE-2010-2074]
-- Tatsuya Kinoshita <tats op debian.org> Sat, 03 Jul 2010 20:53:06 +0900
wget (1.11.4-2+lenny2) stable-security; urgency=high
* Do not use server-provided file names by default
* Fix harmless user-after-free bug in http_atotm()
-- Florian Weimer <fw op deneb.enyo.de> Sun, 16 May 2010 16:32:14 +0200
zonecheck (2.0.4-13lenny1) stable-security; urgency=high
* Fixed CVE-2010-2052: XSS security bug in the CGI (Debian bug #583290).
-- Sebastien Delafond <seb op debian.org> Wed, 02 Jun 2010 08:41:39 +0200
apr (1.2.12-5+lenny2) stable; urgency=low
* Set FD_CLOEXEC flag on file descriptors. Not doing so caused Apache httpd
modules which do not use the apr API for executing other processes to leak
file descriptors to the called processes. In some setups, this could cause
security issues and/or problems with Apache failing to restart. This issue
affected mod_php (but not mod_cgi). Closes: #366124
-- Stefan Fritsch <sf op debian.org> Tue, 01 Jun 2010 23:11:19 +0200
apt (0.7.20.2+lenny2) stable; urgency=low
[ David Kalnischkies ]
* ftparchive/writer.cc:
- remove 999 chars Files rewrite limit (Closes: #577759)
-- Michael Vogt <mvo op debian.org> Wed, 12 May 2010 17:32:00 +0200
base-files (5lenny7) stable; urgency=low
* Bump version in /etc/debian_version to "5.0.6".
-- Santiago Vila <sanvila op debian.org> Mon, 30 Aug 2010 03:32:00 +0200
base-files (5lenny6) stable; urgency=low
* Bump version in /etc/debian_version to "5.0.5".
-- Santiago Vila <sanvila op debian.org> Fri, 18 Jun 2010 17:12:38 +0200
cpio (2.9-13lenny1) stable; urgency=low
* Backport fix for rmt_read__ buffer overflow (CVE-2010-0624).
-- Clint Adams <schizo op debian.org> Thu, 11 Mar 2010 20:33:59 -0500
debian-archive-keyring (2010.08.28~lenny1) stable; urgency=low
* Team upload.
* Upload to stable.
* Use SHA1 checksums instead of SHA256, due to jetring missing support
for the stronger ones.
-- Philipp Kern <pkern op debian.org> Sun, 29 Aug 2010 13:33:10 +0200
debian-archive-keyring (2010.08.28) unstable; urgency=low
* Team upload.
* Add Debian Archive Automatic Signing Key (6.0/squeeze) (ID: 473041FA).
* Convert keyring generation to jetring.
-- Philipp Kern <pkern op debian.org> Sat, 28 Aug 2010 23:17:21 +0200
debian-archive-keyring (2010.08.15) unstable; urgency=low
* Team upload.
* Add Squeeze Stable Release Key (ID: B98321F9). (Closes: #540890)
* Add a DEBIAN/md5sums file to the non-udeb package. (Closes: #534934)
* Move to debian-archive-removed-keys.gpg:
- Debian Archive Automatic Signing Key (4.0/etch)
- Etch Stable Release Key
- Debian-Volatile Archive Automatic Signing Key (4.0/etch)
-- Philipp Kern <pkern op debian.org> Sun, 15 Aug 2010 22:59:38 +0200
dpkg (1.14.29+b1) stable-security; urgency=low
* Binary-only non-maintainer upload for i386; no source changes.
* Rebuild with libbz2-dev 1.0.5-1+lenny1 for CVE-2010-0405
-- i386 Build Daemon (murphy) <buildd_i386-murphy op buildd.debian.org> Tue, 24 Aug 2010 19:55:38 +0000
glibc (2.7-18lenny4) stable-security; urgency=low
* Add patches/alpha/submitted-rtld-fPIC.diff to fix FTBFS on alpha
due to the changes introduced by patches/any/cvs-ld-elf.diff.
-- Aurelien Jarno <aurel32 op debian.org> Sun, 06 Jun 2010 00:54:37 +0200
glibc (2.7-18lenny3) stable-security; urgency=low
* patches/any/cvs-strfmon.diff: fix integer overflows in the
strfmon implementation (CVE-2008-1391, CVE-2009-4880).
* patches/any/cvs-strfmon_l.diff: fix integer overflows in the
strfmon_l implementation (CVE-2009-4881).
* patches/any/cvs-mntent.diff: fix mntent newline processing error
(CVE-2010-0296). Closes: bug#583908.
* patches/any/cvs-ld-elf.diff: fix integer signedness error in ld.so
(CVE-2010-0830).
-- Aurelien Jarno <aurel32 op debian.org> Fri, 04 Jun 2010 20:24:46 +0200
gtk+2.0 (2.12.12-1~lenny2) stable-proposed-updates; urgency=low
* 096_cups_mainloop_events.patch: stolen upstream. Fixes a very nasty
bug that prevents printing big documents. GNOME #591846, LP #359975.
-- Josselin Mouette <joss op debian.org> Mon, 01 Feb 2010 15:19:03 +0100
libwww-perl (5.813-1+lenny2) stable; urgency=low
* CVE-2010-2253: Apply upstream patch to lwp-download to reject downloads to
filenames suggested by the server that start with a . (dot) character.
commit id of upstream patch: f97f339f552666ef79cdd2cf2a44032cf206bb6e
-- Ansgar Burchardt <ansgar op 43-1.org> Mon, 30 Aug 2010 01:29:12 +0900
libwww-perl (5.813-1+lenny1) stable; urgency=low
* Fix incorrect use of redo. (Closes: #591462)
-- Ansgar Burchardt <ansgar op 43-1.org> Sat, 07 Aug 2010 08:20:19 +0900
libxext (2:1.0.4-2) stable; urgency=low
* Cherry-pick two fixes from upstream:
- Allocate the right size in XSyncListSystemCounters
(http://bugs.freedesktop.org/show_bug.cgi?id=17774)
- XAllocID must only be called with the Display lock held
(closes: #569104)
-- Julien Cristau <jcristau op debian.org> Thu, 11 Feb 2010 12:58:30 +0100
mailman (1:2.1.11-11+lenny1) stable-proposed-updates; urgency=low
* Disable 32_MIME_fixup.patch. This has meanwhile been addressed
differently by upstream, and now has the effect of adding a
second Mime-Version header to some types of message. This in
turn is a trigger to some SPAM filters to ban the message.
(Closes: #581988, #310180).
-- Thijs Kinkhorst <thijs op debian.org> Mon, 17 May 2010 22:51:56 +0200
nano (2.0.7-5) stable; urgency=low
* The "No me preocupa nada, como Juan sin miedo, porque nada temo"
release.
* Backport two minor security fixes from upcoming 2.0.10 and 2.2.4:
- CVE-2010-1160: symlink attack.
- CVE-2010-1161: change of ownership of arbitrary files.
-- Jordi Mallach <jordi op debian.org> Mon, 26 Apr 2010 13:41:39 +0200
nfs-utils (1:1.1.2-6lenny2) stable; urgency=low
* Update maintainers and uploaders to match unstable
* Fix test for NFS kernel server support in init script (Closes: #550153)
-- Ben Hutchings <ben op decadent.org.uk> Sun, 18 Apr 2010 12:31:00 +0100
openssl (0.9.8g-15+lenny8) stable-security; urgency=low
* Fix CVE-2010-2939: Double free using ECDH. (Closes: #594415)
-- Kurt Roeckx <kurt op roeckx.be> Thu, 26 Aug 2010 19:49:39 +0200
openssl (0.9.8g-15+lenny7) stable-security; urgency=low
* Check return type of bn_wexpand(). Fixes CVE-2009-3245
(Closes: #575433)
-- Kurt Roeckx <kurt op roeckx.be> Mon, 07 Jun 2010 20:30:01 +0200
pango1.0 (1.20.5-6) stable; urgency=low
* Rename CVE-2010-0421.patch to 23_CVE-2010-0421.patch.
* 24_harfbuzz_crash.patch: patch from upstream. Fixes a crash when
passing invalid Unicode sequences.
-- Josselin Mouette <joss op debian.org> Sat, 19 Jun 2010 14:01:19 +0200
python-support (0.8.4lenny2) stable; urgency=low
* update-python-modules:
+ Force umask to 022. Thanks to Matt Kraai for the patch.
Closes: #567811.
-- Josselin Mouette <joss op debian.org> Wed, 24 Feb 2010 19:36:15 +0100
tzdata (2010j-0lenny1) stable; urgency=low
* New upstream release.
- Drop russia-2010.diff.
-- Clint Adams <schizo op debian.org> Wed, 02 Jun 2010 13:30:32 -0400
tzdata (2010f-0lenny1) stable; urgency=low
* New upstream release.
* Add russia-2010.diff to fix last-minute Russian timezone
changes. closes: #574919.
-- Clint Adams <schizo op debian.org> Fri, 26 Mar 2010 08:55:38 -0400
tzdata (2010d-0lenny1) stable; urgency=low
* New upstream release.
- Adjusts Chile 2010 DST dates. closes: #572715.
-- Clint Adams <schizo op debian.org> Mon, 08 Mar 2010 16:55:09 -0500
usbutils (0.73-10lenny2) stable; urgency=low
* Update usb.ids:
- Fix 16c0:05dc entry. Closes: bug#582460.
- Add Logitech Nano receiver (046d:c526) and fix 046d:c52b. Closes:
bug#573734.
* Update README.Debian to reflect the new way to submit new usb.ids
entries.
-- Aurelien Jarno <aurel32 op debian.org> Thu, 17 Jun 2010 20:14:10 +0200
More information about the ddh-sys
mailing list