[ddh-sys] apt-listchanges: changelogs for less

root root op ddh.nl
Wo Okt 6 13:04:10 CEST 2010

apache2 (2.2.9-10+lenny8) stable; urgency=low

  * Add missing psmisc dependency for killall used in the init script.
    Closes: #568542
  * Fix potential memory leaks related to the usage of apr_brigade_destroy().

 -- Stefan Fritsch <sf op debian.org>  Mon, 19 Apr 2010 21:17:33 +0200

apache2 (2.2.9-10+lenny7) stable-security; urgency=high

  * Non-maintainer upload by the Security Team.
  * Fixed CVE-2010-0408: denial of service via crafted request in mod_proxy_ajp
  * Fixed CVE-2010-0434: information disclosure via improper handling of
    headers in subrequests

 -- Giuseppe Iuculano <iuculano op debian.org>  Sun, 28 Mar 2010 17:50:02 +0200

apr-util (1.2.12+dfsg-8+lenny5) stable-security; urgency=high

  * CVE-2010-1623: Fix denial of service vulnerability through memory
    consumption in apr_brigade_split_line()

 -- Stefan Fritsch <sf op debian.org>  Thu, 30 Sep 2010 17:09:37 +0200

bind9 (1:9.6.ESV.R1+dfsg-0+lenny2) stable-security; urgency=medium

  * Use old location of the PID files.  Closes: #585004.
  * Log warning if openssl.cnf is not readable.

 -- Florian Weimer <fw op deneb.enyo.de>  Wed, 09 Jun 2010 06:53:48 +0200

bind9 (1:9.6.ESV.R1+dfsg-0+lenny1) stable-security; urgency=high

  * New upstream version: BIND 9.6-ESV-R1.
  * Restore Debian-specific feature patches.

 -- Florian Weimer <fw op deneb.enyo.de>  Sun, 23 May 2010 14:45:30 +0200

bind9 (1:9.6.ESV+dfsg-0+lenny1) stable-security; urgency=high

  * New upstream version: BIND 9.6-ESV.

 -- Florian Weimer <fw op deneb.enyo.de>  Sun, 16 May 2010 19:43:10 +0200

bzip2 (1.0.5-1+lenny1) stable-security; urgency=high

  * Non-maintainer upload by the Security Team.
  * CVE-2010-0405: Fix integer overflow.

 -- Stefan Fritsch <sf op debian.org>  Mon, 16 Aug 2010 18:42:38 +0200

freetype (2.3.7-2+lenny4) stable-security; urgency=high

  * Non-maintainer upload by the Security Team.
  * fix CVE-2010-3311: integer overflow which can lead to a heap overflow in

 -- Stefan Fritsch <sf op debian.org>  Tue, 28 Sep 2010 15:46:35 +0200

freetype (2.3.7-2+lenny3) stable-security; urgency=high

  * Non-maintainer upload by the Security Team.
  * CVE-2010-1797: Multiple stack-based buffer overflows
  * CVE-2010-2541: Buffer overflow in the ftmulti demo program
  * CVE-2010-2805: denial of service or possibly execute arbitrary code via a
    crafted font file
  * CVE-2010-2806: heap-based buffer overflow
  * CVE-2010-2807: denial of service or possibly execute arbitrary code via a
    crafted font file
  * CVE-2010-2808: Buffer overflow
  * CVE-2010-3053: denial of service (application crash) via a crafted BDF
    font file

 -- Giuseppe Iuculano <iuculano op debian.org>  Sun, 05 Sep 2010 14:51:39 +0200

freetype (2.3.7-2+lenny2) stable-security; urgency=high

  * CVE-2010-2497 freetype integer underflow #30082 #30083
  * CVE-2010-2498 freetype invalid free #30106
  * CVE-2010-2499 freetype buffer overflow #30248 #30249
  * CVE-2010-2500 freetype integer overflow #30263
  * CVE-2010-2519 freetype heap buffer overflow #30306
  * CVE-2010-2520 freetype invalid realloc #30361
  * CVE-2010-XXXX freetype demos buffer overflows #30054

 -- Moritz Muehlenhoff <jmm op debian.org>  Tue, 13 Jul 2010 19:56:44 +0200

iputils (3:20071127-1+lenny1) stable; urgency=high

  * Fix CVE-2010-2529 - resource consumption triggered by specially
    crafted ICMP echo reply

 -- Noah Meyerhans <noahm op debian.org>  Sat, 24 Jul 2010 09:48:00 -0700

krb5 (1.6.dfsg.4~beta1-5lenny4) stable-security; urgency=high

  * Non-maintainer upload by the Security Team.
  * Fixed CVE-2010-1321: GSS API null pointer dereference.

 -- Sebastien Delafond <seb op debian.org>  Thu, 20 May 2010 11:42:49 +0200

libapache2-mod-perl2 (2.0.4-5+lenny1) stable; urgency=high

  * add 100-svn-XSS-Status.patch; fixes XSS in Apache2::Status (CVE-2009-0796)
    Patch taken from r760926 of upstream SVN.
    Closes: #567635

 -- Damyan Ivanov <dmn op debian.org>  Sun, 31 Jan 2010 08:40:19 +0200

libpng (1.2.27-2+lenny4) stable-security; urgency=high

  * Non-maintainer upload by the Security Team.
  * Fixed CVE-2010-1205: Buffer overflow in pngpread.c (Closes: #587670)
  * Fixed CVE-2010-2249: Memory leak in pngrutil.c

 -- Giuseppe Iuculano <iuculano op debian.org>  Sat, 17 Jul 2010 12:03:12 +0200

linux-2.6 (2.6.26-25lenny1) stable-security; urgency=high

  * irda: Correctly clean up self->ias_obj on irda_bind() failure.
  * compat: Make compat_alloc_user_space() incorporate the access_ok()
  * ALSA: seq/oss - Fix double-free at error path of snd_seq_oss_open()
  * xfs: prevent reading uninitialized stack memory (CVE-2010-3078)
  * ecryptfs: Bugfix for error related to ecryptfs_hash_buckets (CVE-2010-2492)

 -- dann frazier <dannf op debian.org>  Thu, 16 Sep 2010 09:38:09 -0600

linux-2.6 (2.6.26-25) stable; urgency=high

  [ Ben Hutchings ]
  * pid_ns: Ensure that child_reaper is always valid (Closes: #570350)
  * [xen] Fix deadlock in timer interrupt, thanks to Zdenek Salvet
    (Closes: #534880)
  * e1000e: Add support for 82567LM-4, 82567LM-3, 82567LF-3 and 82583V
    controllers (Closes: #512546)

  [ Moritz Muehlenhoff ]
  * parport: quickfix the proc registration bug (Closes: #588672);
    ignore ABI changes in parport and parport_pc

  [ dann frazier ]
  * Add guard page for stacks that grow up, an additional fix for
  * mm: make stack guard page logic use vm_prev pointer, an additional
    fix for CVE-2010-2240
  * net sched: fix some kernel memory leaks (CVE-2010-2942)
  * jfs: don't allow os2 xattr namespace overlap with others (CVE-2010-2946)

 -- dann frazier <dannf op debian.org>  Sun, 29 Aug 2010 23:12:06 -0600

linux-2.6 (2.6.26-24lenny1) stable-security; urgency=high

  * cifs: Fix a kernel BUG with remote OS/2 server (CVE-2010-2248)
  * Fix race in tty_fasync() properly (CVE-2009-4895)
  * xfs: prevent swapext from operating on write-only files (CVE-2010-2226)
  * nfsd4: bug in read_buf (CVE-2010-2521)
  * GFS2: rename causes kernel Oops (CVE-2010-2798)
  * exec: Fix 'flush_old_exec()/setup_new_exec()' split (Closes: #589179;
    regression due to fix for CVE-2010-0307)
  * can: add limit for nframes and clean up signed/unsigned variables
  * mm: keep a guard page below a grow-down stack segment (CVE-2010-2240)
  * drm: stop information leak of old kernel stack (CVE-2010-2803)
  * ext4: fix integer overflows in ext4_ext_{in_cache,get_blocks}

 -- dann frazier <dannf op debian.org>  Wed, 18 Aug 2010 17:56:34 -0600

linux-2.6 (2.6.26-24) stable; urgency=high

  [ Ben Hutchings ]
  * usbhid: Reduce the race condition between disconnect and ioctl
    (Closes: #511892)
  * r8169: Fix MDIO timing (Closes: #583139)
  * [x86] Restore automatic update of LILO on kernel installation, upgrade
    or removal (Closes: #505609)

 -- dann frazier <dannf op debian.org>  Sun, 20 Jun 2010 13:54:25 -0600

linux-2.6 (2.6.26-23) stable; urgency=high

  [ dann frazier ]
  * x86: check boundary in setup_node_bootmem() (Closes: 569704)
  * sunxvr500: Ignore secondary output PCI devices (Closes: #580422)
  * sctp: fix append error cause to ERROR chunk correctly
    (a further fix for CVE-2010-1173)
  * nsfd: fix vm overcommit crash (CVE-2008-7256, CVE-2010-1643)
  * GFS2: Fix permissions checking for setflags ioctl() (CVE-2010-1641)
  * GFS2: Fix writing to non-page aligned gfs2_quota structures (CVE-2010-1436)
  [ Ben Hutchings ]
  * [sparc64] Fix definition of VMEMMAP_SIZE (Closes: #509202)
  * megaraid_sas: Version and documentation update (Closes: #547183)
  * bnx2: Fix lost MSI-X problem on 5709 NICs (Closes: #581001)
  * raid456: Fix two bugs in handling of degraded states (Closes: #581392)
    - Prevent reshaping of doubly-degraded RAID4
    - Enable error-correction on singly-degraded RAID6
  * r8169: fix broken register writes (Closes: #407217, #573007)
  * [i386] Disable use of NOPL instruction in alternatives (Closes: #463606)
  * virtio_blk: don't bounce highmem requests (Closes: #584217)

  [ maximilian attems ]
  * openvz: printk_cpu have to be "cleared" in __vprintk (v2)
    (closes: #573460)
  * openvz: Fix "Bad throughput of TCP connection after live migration"
    (closes: #500145)
  * ub: incorrect skb is charged in tcp_send_synack.

  [ Aurelien Jarno ]
  * mips/swarm: fix boot from IDE based media (Sebastian Andrzej Siewior)
    (closes: #466977).
  * backport mips/swarm: fix M3 TLB exception handler.
  * backport MIPS FPU emulator: allow Cause bits of FCSR to be writeable
    by ctc1. (closes: #580602).

 -- dann frazier <dannf op debian.org>  Fri, 11 Jun 2010 19:40:17 -0600

linux-2.6 (2.6.26-22lenny1) stable-security; urgency=high

  [ dann frazier ]
  * USB: usbfs: only copy the actual data received (CVE-2010-1083)
  * GFS2: Skip check for mandatory locks when unlocking (CVE-2010-0727)
  * Bluetooth: Fix potential bad memory access with sysfs files (CVE-2010-1084)
  * dvb-core: Fix DoS bug in ULE decapsulation code that can be triggered
    by an invalid Payload Pointer (CVE-2010-1086)
  * NFS: Fix an Oops when truncating a file (CVE-2010-1087)
  * fix LOOKUP_FOLLOW on automount "symlinks" (CVE-2010-1088)
  * tty: release_one_tty() forgets to put pids (CVE-2010-1162)
  * tipc: Fix oops on send prior to entering networked mode (CVE-2010-1187)
  * sctp: Fix skb_over_panic resulting from multiple invalid parameter
    errors (CVE-2010-1173)
  * sparc64: Fix sun4u execute bit check in TSB I-TLB load (CVE-2010-1451)
  * KEYS: find_keyring_by_name() can gain access to a freed keyring
  * [powerpc] KGDB: don't needlessly skip PAGE_USER test for Fsl booke
    Note: KGDB is not currently enabled in debian builds (CVE-2010-1446)

  [ Ben Hutchings ]
  * [x86] KVM: disable paravirt mmu reporting (Closes: #573071) (regressed
    due to fix for CVE-2010-0298; considered obsolete by upstream)
  * r8169: Increase default RX buffer size to avoid RX scattering bug

 -- dann frazier <dannf op debian.org>  Sun, 09 May 2010 23:22:44 -0600

linux-2.6 (2.6.26-22) stable; urgency=high

  [ maximilian attems ]
  * [openvz] 1f7db8e checkpointing shared memory fails. (closes: #562891)
  * [openvz] 1a6d795 Fix cfq related oops. (closes: #562892)
  * [openvz] ddbec37 inotify: unblock umounting. (closes: #513537)
  * ALSA: cs4232: fix crash during chip PNP detection. (closes: #529697)
  * matroxfb: fix problems with display stability. (closes: #479652)
  * [openvz] [UBC]: Endless loop in __sk_stream_wait_memory.
    (closes: #542633)

  [ Moritz Muehlenhoff ]
  * Fix deadlock in saa7134-empress driver (Closes: #499671)
  * x86, vmi: TSC going backwards check in vmi clocksource (Closes: #524521)
  * ipv6: fix run pending DAD when interface becomes ready (Closes: #508460)
  * ata_piix: IDE Mode SATA patch for Intel Ibex Peak DeviceIDs (Closes: #5571533)

  [ Ben Hutchings ]
  * via-velocity: Give RX descriptors to the NIC later on open or MTU change
    (Closes: #508527)
  * Add atl1c driver for Atheros AR8131 and AR8132 Ethernet controllers
    (Closes: #562694)
  * dmfe/tulip: Let dmfe handle DM910x except for SPARC on-board chips
    (Closes: #515533)
  * x86: Increase MIN_GAP to include randomized stack (Closes: #559035)
  * bnx2: Add PCI IDs for Broadcom 5716 and 5716S (Closes: #565353)
  * bnx2: Fix several crash bugs (Closes: #565960)
  * audit: Fix memory management bugs (Closes: #562815)
    - fix braindamage in audit_tree.c untag_chunk()
    - fix more leaks in audit_tree.c tag_chunk()
  * megaraid_sas: Fix I/O and shutdown sequencing bugs (Closes: #568345)
  * megaraid_sas: Add support for MegaRAID SAS 9260 and other PCIe gen2
    controllers (Closes: #547183)
  * postinst: Fix pattern-matching for 'do_bootloader' configuration option
    (Closes: #568317)
  * yealink: Reliably kill URBs, fixing potential deadlock (Closes: #570532)
  * qla2xxx: Disable MSI/MSI-X on some chips or as selected by module parameter
    (Closes: #572322)
    - MSI is disabled on QLA24xx chips other than QLA2432 (MSI-X already was)
    - MSI-X is disabled if qlx2enablemsix=2
    - MSI and MSI-X are disabled if qlx2enablemsix=0
  * Adjust fix for #524542 to avoid changing ABI

  [ dann frazier ]
  * Add be2net driver (Closes: #570428)
  * Fix issues with tsc clocksource on VMWare (Closes: #524542)

  [ Ian Campbell ]
  * [xen/x86] Use correct form of PHYSDEVOP_map_pirq hypercall to prevent crash
    when trying to use MSI in domain 0 (Closes: #571603)

 -- dann frazier <dannf op debian.org>  Tue, 09 Mar 2010 09:52:09 -0700

lvm2 (2.02.39-8) stable-security; urgency=high

  * CVE-2010-2526: Fix insecure communication between lvm2 and clvmd.
   (Closes: #591204)

 -- Bastian Blank <waldi op debian.org>  Thu, 19 Aug 2010 16:19:35 +0200

mysql-dfsg-5.0 (5.0.51a-24+lenny4) stable-security; urgency=high

  * Non-maintainer upload by the Security Team.
  * Fixed CVE-2010-1626: allows local users to delete the data and index files
    of another user's MyISAM table via a symlink attack in conjunction with the
    DROP TABLE command (Closes: #584400)
  * Fixed CVE-2010-1848: Multiple insufficient table name checks
  * Fixed CVE-2010-1849: DoS through oversized packets
  * Fixed CVE-2010-1850: Table name buffer overflow

 -- Giuseppe Iuculano <iuculano op debian.org>  Fri, 04 Jun 2010 17:08:45 +0200

openldap (2.4.11-1+lenny2) stable-security; urgency=high

  * Fixes CVE-2010-0211 and CVE-2010-0212

 -- Matthijs Mohlmann <matthijs op cacholong.nl>  Fri, 23 Jul 2010 22:31:35 +0200

php5 (5.2.6.dfsg.1-1+lenny9) stable-security; urgency=high

  * Fix CVE-2010-1917: stack consumption on the fnmatch() function
  * Fix CVE-2010-2225: use-after-free in the SplObjectStorage
  * Fix MOPS-2010-60: arbitrary session variables injection

 -- Raphael Geissert <geissert op debian.org>  Tue, 03 Aug 2010 21:37:14 -0400

phpmyadmin (4: stable-security; urgency=high

  * Fixed wrong displaying of number of returned rows.
  * Actually apply security patches added in previous upload.

 -- Michal Čihař <nijel op debian.org>  Tue, 31 Aug 2010 09:57:54 +0200

phpmyadmin (4: stable-security; urgency=high

  * Upload to stable to fix security issues.
  * Various XSS issues [CVE-2010-3056].
  * Unsafe code generation in setup script [CVE-2010-3055].

 -- Michal Čihař <nijel op debian.org>  Fri, 20 Aug 2010 15:18:17 +0200

phpmyadmin (4: stable-security; urgency=high

  * Upload to stable to fix security issues.
  * Unserialize called on untrusted data [CVE-2009-4605].
  * Predictable temporary file names [CVE-2008-7252].
  * May create tempdir with unsafe permissions [CVE-2008-7251].

 -- Thijs Kinkhorst <thijs op debian.org>  Sat, 17 Apr 2010 13:55:41 +0200

postgresql-8.3 (8.3.11-0lenny1) stable-security; urgency=high

  * New upstream security/bug fix release:
    - Enforce restrictions in plperl using an opmask applied to the whole
      interpreter, instead of using "Safe.pm".
      Recent developments have convinced us that "Safe.pm" is too
      insecure to rely on for making plperl trustable. This change
      removes use of "Safe.pm" altogether, in favor of using a separate
      interpreter with an opcode mask that is always applied. Pleasant
      side effects of the change include that it is now possible to use
      Perl's strict pragma in a natural way in plperl, and that Perl's $a
      and $b variables work as expected in sort routines, and that
      function compilation is significantly faster. (CVE-2010-1169)
    - Prevent PL/Tcl from executing untrustworthy code from pltcl_modules.
      PL/Tcl's feature for autoloading Tcl code from a database table
      could be exploited for trojan-horse attacks, because there was no
      restriction on who could create or insert into that table. This
      change disables the feature unless pltcl_modules is owned by a
      superuser. (However, the permissions on the table are not checked,
      so installations that really need a less-than-secure modules table
      can still grant suitable privileges to trusted non-superusers.)
      Also, prevent loading code into the unrestricted "normal" Tcl
      interpreter unless we are really going to execute a pltclu
      function. (CVE-2010-1170)
    - Fix possible crash if a cache reset message is received during
      rebuild of a relcache entry.
      This error was introduced in 8.3.10 while fixing a related failure.
    - Apply per-function GUC settings while running the language
      validator for the function.
      This avoids failures if the function's code is invalid without the
      setting; an example is that SQL functions may not parse if the
      search_path is not correct.
    - Do not allow an unprivileged user to reset superuser-only parameter
      Previously, if an unprivileged user ran ALTER USER ... RESET ALL
      for himself, or ALTER DATABASE ... RESET ALL for a database he
      owns, this would remove all special parameter settings for the user
      or database, even ones that are only supposed to be changeable by a
      superuser. Now, the "ALTER" will only remove the parameters that
      the user has permission to change.
    - Avoid possible crash during backend shutdown if shutdown occurs
      when a CONTEXT addition would be made to log entries.
      In some cases the context-printing function would fail because the
      current transaction had already been rolled back when it came time
      to print a log message.
    - Ensure the archiver process responds to changes in archive_command
      as soon as possible.
    - Update pl/perl's "ppport.h" for modern Perl versions.
    - Fix assorted memory leaks in pl/python.
    - Prevent infinite recursion in psql when expanding a variable that
      refers to itself.
    - Fix psql's \copy to not add spaces around a dot within \copy
      (select ...).
      Addition of spaces around the decimal point in a numeric literal
      would result in a syntax error.
    - Fix unnecessary "GIN indexes do not support whole-index scans"
      errors for unsatisfiable queries using "contrib/intarray" operators.
    - Ensure that "contrib/pgstattuple" functions respond to cancel
      interrupts promptly.

 -- Martin Pitt <mpitt op debian.org>  Sat, 15 May 2010 12:47:43 +0200

postgresql-8.3 (8.3.10-0lenny1) stable; urgency=low

  * New upstream bug fix release:
    - Add new configuration parameter ssl_renegotiation_limit to control
      how often we do session key renegotiation for an SSL connection.
      This can be set to zero to disable renegotiation completely, which
      may be required if a broken SSL library is used. In particular,
      some vendors are shipping stopgap patches for CVE-2009-3555 that
      cause renegotiation attempts to fail.
    - Fix possible deadlock during backend startup.
    - Fix possible crashes due to not handling errors during relcache
      reload cleanly.
    - Fix possible crash due to use of dangling pointer to a cached plan.
    - Fix possible crashes when trying to recover from a failure in
      subtransaction start.
    - Fix server memory leak associated with use of savepoints and a
      client encoding different from server's encoding.
    - Fix incorrect WAL data emitted during end-of-recovery cleanup of a
      GIST index page split.
      This would result in index corruption, or even more likely an error
      during WAL replay, if we were unlucky enough to crash during
      end-of-recovery cleanup after having completed an incomplete GIST
    - Make substring() for bit types treat any negative length as meaning
      "all the rest of the string".
      The previous coding treated only -1 that way, and would produce an
      invalid result value for other negative values, possibly leading to
      a crash (CVE-2010-0442). (Closes: #567058)
    - Fix integer-to-bit-string conversions to handle the first
      fractional byte correctly when the output bit width is wider than
      the given integer by something other than a multiple of 8 bits.
    - Fix some cases of pathologically slow regular expression matching.
    - Fix assorted crashes in xml processing caused by sloppy memory
      This is a back-patch of changes first applied in 8.4. The 8.3 code
      was known buggy, but the new code was sufficiently different to not
      want to back-patch it until it had gotten some field testing.
    - Fix bug with trying to update a field of an element of a
      composite-type array column.
    - Fix the STOP WAL LOCATION entry in backup history files to report
      the next WAL segment's name when the end location is exactly at a
      segment boundary.
    - Fix some more cases of temporary-file leakage.
      This corrects a problem introduced in the previous minor release.
      One case that failed is when a plpgsql function returning set is
      called within another function's exception handler.
    - Improve constraint exclusion processing of boolean-variable cases,
      in particular make it possible to exclude a partition that has a
      "bool_column = false" constraint.
    - When reading "pg_hba.conf" and related files, do not treat
      @something as a file inclusion request if the @ appears inside
      quote marks; also, never treat @ by itself as a file inclusion
      This prevents erratic behavior if a role or database name starts
      with @. If you need to include a file whose path name contains
      spaces, you can still do so, but you must write @"/path to/file"
      rather than putting the quotes around the whole construct.
    - Prevent infinite loop on some platforms if a directory is named as
      an inclusion target in "pg_hba.conf" and related files.
    - Fix possible infinite loop if SSL_read or SSL_write fails without
      setting errno.
      This is reportedly possible with some Windows versions of openssl.
    - Disallow GSSAPI authentication on local connections, since it
      requires a hostname to function correctly.
    - Make ecpg report the proper SQLSTATE if the connection disappears.
    - Fix psql's numericlocale option to not format strings it shouldn't
      in latex and troff output formats.
    - Make psql return the correct exit status (3) when ON_ERROR_STOP and
      --single-transaction are both specified and an error occurs during
      the implied "COMMIT".
    - Fix plpgsql failure in one case where a composite column is set to
    - Fix possible failure when calling PL/Perl functions from PL/PerlU
      or vice versa.
    - Add volatile markings in PL/Python to avoid possible
      compiler-specific misbehavior.
    - Ensure PL/Tcl initializes the Tcl interpreter fully.
      The only known symptom of this oversight is that the Tcl clock
      command misbehaves if using Tcl 8.5 or later.
    - Prevent crash in "contrib/dblink" when too many key columns are
      specified to a dblink_build_sql_- function.
    - Allow zero-dimensional arrays in "contrib/ltree" operations.
      This case was formerly rejected as an error, but it's more
      convenient to treat it the same as a zero-element array. In
      particular this avoids unnecessary failures when an ltree operation
      is applied to the result of ARRAY(SELECT ...) and the sub-select
      returns no rows.
    - Fix assorted crashes in "contrib/xml2" caused by sloppy memory
  * Add 00cvs-unregister-ssl-callbacks.patch: Properly unregister OpenSSL
    callbacks when libpq is done with it's connection. Thanks Ondřej Surý for
    the backport! (Closes: #411982, LP: #63141)

 -- Martin Pitt <mpitt op debian.org>  Sat, 13 Mar 2010 16:33:15 +0100

tar (1.20-1+lenny1) stable; urgency=high

  * back-port security issue from 1.23 as per CVE-2010-0624, that basically
    amounts to replacing the included rmt source with a fresher version taken
    from paxutils

 -- Bdale Garbee <bdale op gag.com>  Wed, 10 Mar 2010 16:20:35 -0700

tiff (3.8.2-11.3) stable-security; urgency=high

  * CVE-2010-1411

 -- Moritz Muehlenhoff <jmm op debian.org>  Mon, 02 Aug 2010 05:33:40 +0000

w3m (0.5.2-2+lenny1) stable; urgency=high

  * debian/patches/60_check-null-cn.patch: Patch to check for null bytes
    in CN/subjAltName, provided by Ludwig Nussel. [CVE-2010-2074]

 -- Tatsuya Kinoshita <tats op debian.org>  Sat, 03 Jul 2010 20:53:06 +0900

wget (1.11.4-2+lenny2) stable-security; urgency=high

  * Do not use server-provided file names by default
  * Fix harmless user-after-free bug in http_atotm()

 -- Florian Weimer <fw op deneb.enyo.de>  Sun, 16 May 2010 16:32:14 +0200

zonecheck (2.0.4-13lenny1) stable-security; urgency=high

  * Fixed CVE-2010-2052: XSS security bug in the CGI (Debian bug #583290).

 -- Sebastien Delafond <seb op debian.org>  Wed, 02 Jun 2010 08:41:39 +0200

apr (1.2.12-5+lenny2) stable; urgency=low

  * Set FD_CLOEXEC flag on file descriptors. Not doing so caused Apache httpd
    modules which do not use the apr API for executing other processes to leak
    file descriptors to the called processes. In some setups, this could cause
    security issues and/or problems with Apache failing to restart. This issue
    affected mod_php (but not mod_cgi). Closes: #366124

 -- Stefan Fritsch <sf op debian.org>  Tue, 01 Jun 2010 23:11:19 +0200

apt ( stable; urgency=low

  [ David Kalnischkies ]
  * ftparchive/writer.cc:
    - remove 999 chars Files rewrite limit (Closes: #577759)

 -- Michael Vogt <mvo op debian.org>  Wed, 12 May 2010 17:32:00 +0200

base-files (5lenny7) stable; urgency=low

  * Bump version in /etc/debian_version to "5.0.6".

 -- Santiago Vila <sanvila op debian.org>  Mon, 30 Aug 2010 03:32:00 +0200

base-files (5lenny6) stable; urgency=low

  * Bump version in /etc/debian_version to "5.0.5".

 -- Santiago Vila <sanvila op debian.org>  Fri, 18 Jun 2010 17:12:38 +0200

cpio (2.9-13lenny1) stable; urgency=low

  * Backport fix for rmt_read__ buffer overflow (CVE-2010-0624).

 -- Clint Adams <schizo op debian.org>  Thu, 11 Mar 2010 20:33:59 -0500

debian-archive-keyring (2010.08.28~lenny1) stable; urgency=low

  * Team upload.
  * Upload to stable.
  * Use SHA1 checksums instead of SHA256, due to jetring missing support
    for the stronger ones.

 -- Philipp Kern <pkern op debian.org>  Sun, 29 Aug 2010 13:33:10 +0200

debian-archive-keyring (2010.08.28) unstable; urgency=low

  * Team upload.
  * Add Debian Archive Automatic Signing Key (6.0/squeeze) (ID: 473041FA).
  * Convert keyring generation to jetring.

 -- Philipp Kern <pkern op debian.org>  Sat, 28 Aug 2010 23:17:21 +0200

debian-archive-keyring (2010.08.15) unstable; urgency=low

  * Team upload.
  * Add Squeeze Stable Release Key (ID: B98321F9).  (Closes: #540890)
  * Add a DEBIAN/md5sums file to the non-udeb package.  (Closes: #534934)
  * Move to debian-archive-removed-keys.gpg:
    - Debian Archive Automatic Signing Key (4.0/etch)
    - Etch Stable Release Key
    - Debian-Volatile Archive Automatic Signing Key (4.0/etch)

 -- Philipp Kern <pkern op debian.org>  Sun, 15 Aug 2010 22:59:38 +0200

dpkg (1.14.29+b1) stable-security; urgency=low

  * Binary-only non-maintainer upload for i386; no source changes.
  * Rebuild with libbz2-dev 1.0.5-1+lenny1 for CVE-2010-0405

 -- i386 Build Daemon (murphy) <buildd_i386-murphy op buildd.debian.org>  Tue, 24 Aug 2010 19:55:38 +0000

glibc (2.7-18lenny4) stable-security; urgency=low

  * Add patches/alpha/submitted-rtld-fPIC.diff to fix FTBFS on alpha
    due to the changes introduced by patches/any/cvs-ld-elf.diff.

 -- Aurelien Jarno <aurel32 op debian.org>  Sun, 06 Jun 2010 00:54:37 +0200

glibc (2.7-18lenny3) stable-security; urgency=low

  * patches/any/cvs-strfmon.diff: fix integer overflows in the
    strfmon implementation (CVE-2008-1391, CVE-2009-4880).
  * patches/any/cvs-strfmon_l.diff: fix integer overflows in the 
    strfmon_l implementation (CVE-2009-4881).
  * patches/any/cvs-mntent.diff: fix mntent newline processing error 
    (CVE-2010-0296).  Closes: bug#583908.
  * patches/any/cvs-ld-elf.diff: fix integer signedness error in ld.so

 -- Aurelien Jarno <aurel32 op debian.org>  Fri, 04 Jun 2010 20:24:46 +0200

gtk+2.0 (2.12.12-1~lenny2) stable-proposed-updates; urgency=low

  * 096_cups_mainloop_events.patch: stolen upstream. Fixes a very nasty 
    bug that prevents printing big documents. GNOME #591846, LP #359975.

 -- Josselin Mouette <joss op debian.org>  Mon, 01 Feb 2010 15:19:03 +0100

libwww-perl (5.813-1+lenny2) stable; urgency=low

  * CVE-2010-2253: Apply upstream patch to lwp-download to reject downloads to
    filenames suggested by the server that start with a . (dot) character.
    commit id of upstream patch: f97f339f552666ef79cdd2cf2a44032cf206bb6e

 -- Ansgar Burchardt <ansgar op 43-1.org>  Mon, 30 Aug 2010 01:29:12 +0900

libwww-perl (5.813-1+lenny1) stable; urgency=low

  * Fix incorrect use of redo. (Closes: #591462)

 -- Ansgar Burchardt <ansgar op 43-1.org>  Sat, 07 Aug 2010 08:20:19 +0900

libxext (2:1.0.4-2) stable; urgency=low

  * Cherry-pick two fixes from upstream:
    - Allocate the right size in XSyncListSystemCounters
    - XAllocID must only be called with the Display lock held
      (closes: #569104)

 -- Julien Cristau <jcristau op debian.org>  Thu, 11 Feb 2010 12:58:30 +0100

mailman (1:2.1.11-11+lenny1) stable-proposed-updates; urgency=low

  * Disable 32_MIME_fixup.patch. This has meanwhile been addressed
    differently by upstream, and now has the effect of adding a
    second Mime-Version header to some types of message. This in
    turn is a trigger to some SPAM filters to ban the message.
    (Closes: #581988, #310180).

 -- Thijs Kinkhorst <thijs op debian.org>  Mon, 17 May 2010 22:51:56 +0200

nano (2.0.7-5) stable; urgency=low

  * The "No me preocupa nada, como Juan sin miedo, porque nada temo"
  * Backport two minor security fixes from upcoming 2.0.10 and 2.2.4:
    - CVE-2010-1160: symlink attack.
    - CVE-2010-1161: change of ownership of arbitrary files.

 -- Jordi Mallach <jordi op debian.org>  Mon, 26 Apr 2010 13:41:39 +0200

nfs-utils (1:1.1.2-6lenny2) stable; urgency=low

  * Update maintainers and uploaders to match unstable
  * Fix test for NFS kernel server support in init script (Closes: #550153)

 -- Ben Hutchings <ben op decadent.org.uk>  Sun, 18 Apr 2010 12:31:00 +0100

openssl (0.9.8g-15+lenny8) stable-security; urgency=low

  * Fix CVE-2010-2939: Double free using ECDH. (Closes: #594415)

 -- Kurt Roeckx <kurt op roeckx.be>  Thu, 26 Aug 2010 19:49:39 +0200

openssl (0.9.8g-15+lenny7) stable-security; urgency=low

  * Check return type of bn_wexpand().  Fixes CVE-2009-3245 
    (Closes: #575433)

 -- Kurt Roeckx <kurt op roeckx.be>  Mon, 07 Jun 2010 20:30:01 +0200

pango1.0 (1.20.5-6) stable; urgency=low

  * Rename CVE-2010-0421.patch to 23_CVE-2010-0421.patch.
  * 24_harfbuzz_crash.patch: patch from upstream. Fixes a crash when 
    passing invalid Unicode sequences.

 -- Josselin Mouette <joss op debian.org>  Sat, 19 Jun 2010 14:01:19 +0200

python-support (0.8.4lenny2) stable; urgency=low

  * update-python-modules:
    + Force umask to 022. Thanks to Matt Kraai for the patch.
      Closes: #567811.

 -- Josselin Mouette <joss op debian.org>  Wed, 24 Feb 2010 19:36:15 +0100

tzdata (2010j-0lenny1) stable; urgency=low

  * New upstream release.
    - Drop russia-2010.diff.

 -- Clint Adams <schizo op debian.org>  Wed, 02 Jun 2010 13:30:32 -0400

tzdata (2010f-0lenny1) stable; urgency=low

  * New upstream release.
  * Add russia-2010.diff to fix last-minute Russian timezone
    changes.  closes: #574919.

 -- Clint Adams <schizo op debian.org>  Fri, 26 Mar 2010 08:55:38 -0400

tzdata (2010d-0lenny1) stable; urgency=low

  * New upstream release.
    - Adjusts Chile 2010 DST dates.  closes: #572715.

 -- Clint Adams <schizo op debian.org>  Mon, 08 Mar 2010 16:55:09 -0500

usbutils (0.73-10lenny2) stable; urgency=low

  * Update usb.ids:
    - Fix 16c0:05dc entry.  Closes: bug#582460.
    - Add Logitech Nano receiver (046d:c526) and fix 046d:c52b.  Closes:
  * Update README.Debian to reflect the new way to submit new usb.ids

 -- Aurelien Jarno <aurel32 op debian.org>  Thu, 17 Jun 2010 20:14:10 +0200

More information about the ddh-sys mailing list