apache2 (2.2.9-10+lenny12) lenny-security; urgency=high

  * Prevent unintended pattern expansion in some reverse proxy
    configurations by strictly validating the request-URI. Fixes
    CVE-2011-3368, CVE-2011-3639, CVE-2011-4317.
  * CVE-2011-3607: Fix integer overflow in ap_pregsub(), which allowed local
    privilege escalation.
  * CVE-2012-0031: Fix client process being able to crash parent process
    during shutdown.
  * CVE-2012-0053: Fix an issue in code 400 error responses that could expose
    "httpOnly" cookies.

 -- Stefan Fritsch <sf op debian.org>  Sun, 05 Feb 2012 21:56:02 +0100

cups (1.3.8-1+lenny10) oldstable-security; urgency=high

  * Non-maintainer upload by the Security Team.
  * debian/patches:
    - str3867 added, fix an infinite loop / heap-based buffer overflow in the
      gif_read_lzw() function (CVE-2011-2896)
    - str3914 added, complete the fix for the previous issue (CVE-2011-3170).

 -- Yves-Alexis Perez <yves-alexis.perez op ssi.gouv.fr>  Mon, 28 Nov 2011 15:07:53 +0100

krb5 (1.6.dfsg.4~beta1-5lenny7) lenny-security; urgency=high

  * Apply patch from FreeBSD to fix CVE-2011-4862

 -- Florian Weimer <fw op deneb.enyo.de>  Mon, 26 Dec 2011 11:35:59 +0100

libxml2 (2.6.32.dfsg-5+lenny5) oldstable-security; urgency=high

  * Security update.
  * parser.c: Fix an allocation error when copying entities.
    CVE-2011-3919. Closes: #656377.
  * parser.c: Make sure parser returns when getting a Stop order.
  * encoding.c: Fix off by one error. CVE-2011-0216. Closes: 652352.
  * xpath.c: Fix for undefined namespaces.
    CVE-2011-2834. Closes: 643648.

 -- Aron Xu <aron op debian.org>  Tue, 24 Jan 2012 06:04:56 +0800

openssl (0.9.8g-15+lenny16) lenny-security; urgency=low

  * Fix CVE-2012-0050.

 -- Kurt Roeckx <kurt op roeckx.be>  Wed, 18 Jan 2012 21:38:40 +0100

openssl (0.9.8g-15+lenny15) lenny-security; urgency=low

  * Fix CVE-2011-4354 (Closes: #650621)
  * Fix CVE-2011-4108, CVE-2011-4109, CVE-2011-4576, CVE-2011-4619
    and CVE-2011-4577
  * Send alert instead of assertion failure for incorrectly formatted DTLS
    fragments.  (Closes: #645805)

 -- Kurt Roeckx <kurt op roeckx.be>  Sat, 14 Jan 2012 16:53:11 +0100

openssl (0.9.8g-15+lenny14) lenny-security; urgency=high

  * Non-maintainer upload by the Security Team.
  * Block Malaysian's Digicert Sdn. Bhd. certificates by marking them
    as revoked.

 -- Raphael Geissert <geissert op debian.org>  Sun, 06 Nov 2011 12:16:21 -0600

openssl (0.9.8g-15+lenny13) lenny; urgency=low

  * Non-maintainer upload by the Security Team.
  * Fix CVE-2011-3210: SSL memory handling for (EC)DH ciphersuites

 -- Raphael Geissert <geissert op debian.org>  Fri, 23 Sep 2011 23:49:25 -0500

openssl (0.9.8g-15+lenny12) lenny-security; urgency=high

  * Non-maintainer upload by the Security Team.
  * debian/rules: prevent the build system from adding noise to the
    package's .diff file.
  * Block DigiNotar certificates
  * Fix CVE-2011-1945: timing attacks against ECDHE_ECDSA make it
    easier to determine private keys.

 -- Raphael Geissert <geissert op debian.org>  Mon, 12 Sep 2011 19:58:54 -0500

php5 (5.2.6.dfsg.1-1+lenny16) oldstable-security; urgency=low

  * Fix UMR in php_register_variable_ex (pull from upstream SVN)

 -- Ondřej Surý <ondrej op debian.org>  Fri, 03 Feb 2012 09:01:31 +0100

php5 (5.2.6.dfsg.1-1+lenny15) oldstable-security; urgency=low

  * CVE-2012-0057: Pull complete fix including setting the default
  * Include zend_ini.h in xsltprocessor.c (Closes: #658087)

 -- Ondřej Surý <ondrej op debian.org>  Tue, 31 Jan 2012 11:11:08 +0100

php5 (5.2.6.dfsg.1-1+lenny14) oldstable-security; urgency=high

  * Refresh quilt patches to apply cleanly on current sources
  * CVE-2011-4566: integer overflow in exif_process_IFD_TAG() may
    lead to DoS or arbitrary memory disclosure
  * CVE-2011-4885: hash table collisions CPU usage DoS (oCERT-2011-003)
  * CVE-2012-0057: XSLT file writing vulnerability (Closes: #656308)

 -- Ondřej Surý <ondrej op debian.org>  Mon, 23 Jan 2012 12:39:02 +0100

t1lib (5.1.2-3+lenny1) oldstable-security; urgency=high

  * Non-maintainer upload by the Security Team.
  * debian/patches:
    - CVE-2010-2642 added, fix heap-based buffer overflow first found in
      evince but applicable to the embedded afmparse library found in t1lib
      too. Fixes CVE-2011-0433 too on the same patch.
    - CVE-2011-0764 added, fix arbitrary code execution by only using ppoints
      when it is a valid pointer.                               closes: #652996
      This fixes CVE-2011-0764, CVE-2011-1552, CVE-2011-1553 and CVE-2011-1554
  * format-string added, fix a format string error IfTrace0 macro and another
    in T1_SubfsetFont().

 -- Yves-Alexis Perez <corsac op debian.org>  Sat, 14 Jan 2012 21:55:47 +0100

acpid (1.0.8-1lenny4) oldstable-security; urgency=low

  * Rebuild to work around expired buildd keys

 -- Moritz <jmm op debian.org>  Tue, 06 Dec 2011 19:23:10 +0000

acpid (1.0.8-1lenny3) oldstable-security; urgency=low

  * Applied upstream patch to set umask to 0077 for scripts run by acpid.

 -- Michael Meskes <meskes op debian.org>  Tue, 02 Aug 2011 19:09:07 +0200

apr (1.2.12-5+lenny5) oldstable; urgency=low

  * Disable robust pthread mutexes on alpha, arm, and armel. This fixes build
    problems on buildds running newer Linux kernels.

 -- Stefan Fritsch <sf op debian.org>  Mon, 16 Jan 2012 15:45:55 +0100

aptitude ( oldstable; urgency=low

  * Non-maintainer upload.
  * Backport of 0009-fix-symlink-attack:
    Fix a potential symlink attack that could occur if a user
    with no home directory edited and saved the package hierarchy
    definitions. (Closes: #612034)

 -- Jonathan Wiltshire <jmw op debian.org>  Wed, 10 Aug 2011 23:30:04 +0100

base-files (5lenny11) oldstable; urgency=low

  * Bump version in /etc/debian_version to "5.0.10".

 -- Santiago Vila <sanvila op debian.org>  Thu, 16 Feb 2012 20:49:38 +0100

base-files (5lenny10) oldstable; urgency=low

  * Bump version in /etc/debian_version to "5.0.9".
  * Target distribution changed to "oldstable", as stable is now squeeze.

 -- Santiago Vila <sanvila op debian.org>  Thu, 08 Sep 2011 12:22:38 +0200

freetype (2.3.7-2+lenny8) oldstable-security; urgency=low

  * Non-maintainer upload by the Security Team.
  * Fix CVE-2011-3439: vulnerability in CID-keyed Type 1 fonts.

 -- Michael Gilbert <michael.s.gilbert op gmail.com>  Fri, 18 Nov 2011 06:46:24 +0000

freetype (2.3.7-2+lenny7) oldstable-security; urgency=low

  * Non-maintainer upload by the Security Team.
  * CVE-2011-3256

 -- Moritz Muehlenhoff <jmm op debian.org>  Mon, 24 Oct 2011 16:53:23 +0000

klibc (1.5.12-2lenny1) oldstable; urgency=low

  * ipconfig: Escape DHCP options. (CVE-2011-1930)

 -- maximilian attems <maks op debian.org>  Wed, 01 Jun 2011 10:20:28 +0200

openldap (2.4.11-1+lenny2.1) oldstable; urgency=low

  * Non-maintainer upload.
  * Backport security fixes: (Closes: #617606)
    - CVE-2011-1024 Authentication bypass in back-ldap
    - CVE-2011-1081 DoS in modrdn operation

 -- Jonathan Wiltshire <jmw op debian.org>  Mon, 25 Jul 2011 13:40:32 +0100

postgresql-8.3 (8.3.17-0lenny1) oldstable; urgency=low

  * New upstream bug fix release:
    - Fix bugs in information_schema.referential_constraints view.
      This view was being insufficiently careful about matching the
      foreign-key constraint to the depended-on primary or unique key
      constraint. That could result in failure to show a foreign key
      constraint at all, or showing it multiple times, or claiming that
      it depends on a different constraint than the one it really does.
      Since the view definition is installed by initdb, merely upgrading
      will not fix the problem. If you need to fix this in an existing
      installation, you can (as a superuser) drop the information_schema
      schema then re-create it by sourcing
      "SHAREDIR/information_schema.sql". (Run pg_config --sharedir if
      you're uncertain where "SHAREDIR" is.) This must be repeated in
      each database to be fixed.
    - Fix TOAST-related data corruption during CREATE TABLE dest AS
      SELECT * FROM src or INSERT INTO dest SELECT * FROM src.
      If a table has been modified by "ALTER TABLE ADD COLUMN", attempts
      to copy its data verbatim to another table could produce corrupt
      results in certain corner cases. The problem can only manifest in
      this precise form in 8.4 and later, but we patched earlier versions
      as well in case there are other code paths that could trigger the
      same bug.
    - Fix race condition during toast table access from stale syscache
      entries. The typical symptom was transient errors like "missing chunk
      number 0 for toast value NNNNN in pg_toast_2619", where the cited toast
      table would always belong to a system catalog.
    - Make DatumGetInetP() unpack inet datums that have a 1-byte header,
      and add a new macro, DatumGetInetPP(), that does not.
    - Improve locale support in money type's input and output.
      Aside from not supporting all standard lc_monetary formatting
      options, the input and output functions were inconsistent, meaning
      there were locales in which dumped money values could not be
    - Don't let transform_null_equals affect CASE foo WHEN NULL ...
    - Change foreign-key trigger creation order to better support
      self-referential foreign keys.
    - Avoid floating-point underflow while tracking buffer allocation
    - Preserve blank lines within commands in psql's command history.
      The former behavior could cause problems if an empty line was
      removed from within a string literal, for example.
    - Fix pg_dump to dump user-defined casts between auto-generated
      types, such as table rowtypes.
    - Use the preferred version of xsubpp to build PL/Perl, not
      necessarily the operating system's main copy.
    - Fix incorrect coding in "contrib/dict_int" and "contrib/dict_xsyn".
    - Honor query cancel interrupts promptly in pgstatindex().
    - Ensure VPATH builds properly install all server header files.
    - Shorten file names reported in verbose error messages.
      Regular builds have always reported just the name of the C file
      containing the error message call, but VPATH builds formerly
      reported an absolute path name.

 -- Martin Pitt <mpitt op debian.org>  Sat, 03 Dec 2011 17:18:08 +0100

postgresql-8.3 (8.3.16-0lenny1) oldstable-security; urgency=low

  * New upstream bug fix release 8.3.15:
    - Disallow including a composite type in itself.
      This prevents scenarios wherein the server could recurse infinitely
      while processing the composite type. While there are some possible
      uses for such a structure, they don't seem compelling enough to
      justify the effort required to make sure it always works safely.
    - Avoid potential deadlock during catalog cache initialization.
      In some cases the cache loading code would acquire share lock on a
      system index before locking the index's catalog. This could
      deadlock against processes trying to acquire exclusive locks in the
      other, more standard order.
    - Fix dangling-pointer problem in BEFORE ROW UPDATE trigger handling
      when there was a concurrent update to the target tuple.
      This bug has been observed to result in intermittent "cannot
      extract system attribute from virtual tuple" failures while trying
      to do UPDATE RETURNING ctid. There is a very small probability of
      more serious errors, such as generating incorrect index entries for
      the updated tuple.
    - Disallow "DROP TABLE" when there are pending deferred trigger
      events for the table. Formerly the "DROP" would go through, leading to
      "could not open relation with OID nnn" errors when the triggers were
      eventually fired.
    - Fix PL/Python memory leak involving array slices.
    - Fix pg_restore to cope with long lines (over 1KB) in TOC files.
    - Put in more safeguards against crashing due to division-by-zero
      with overly enthusiastic compiler optimization.
  * New upstream bug fix release 8.3.16:
    - Fix bugs in indexing of in-doubt HOT-updated tuples.
      These bugs could result in index corruption after reindexing a
      system catalog. They are not believed to affect user indexes.
    - Fix multiple bugs in GiST index page split processing.
      The probability of occurrence was low, but these could lead to
      index corruption.
    - Fix possible buffer overrun in tsvector_concat().
      The function could underestimate the amount of memory needed for
      its result, leading to server crashes.
    - Fix crash in xml_recv when processing a "standalone" parameter.
    - Avoid possibly accessing off the end of memory in "ANALYZE" and in
      SJIS-2004 encoding conversion.
      This fixes some very-low-probability server crash scenarios.
    - Fix race condition in relcache init file invalidation.
      There was a window wherein a new backend process could read a stale
      init file but miss the inval messages that would tell it the data
      is stale. The result would be bizarre failures in catalog accesses,
      typically "could not read block 0 in file ..." later during
    - Fix memory leak at end of a GiST index scan.
      Commands that perform many separate GiST index scans, such as
      verification of a new GiST-based exclusion constraint on a table
      already containing many rows, could transiently require large
      amounts of memory due to this leak.
    - Fix performance problem when constructing a large, lossy bitmap.
    - Fix array- and path-creating functions to ensure padding bytes are
      zeroes. This avoids some situations where the planner will think that
      semantically-equal constants are not equal, resulting in poor
    - Fix dump bug for VALUES in a view.
    - Disallow SELECT FOR UPDATE/SHARE on sequences.
      This operation doesn't work as expected and can lead to failures.
    - Defend against integer overflow when computing size of a hash table.
    - Fix cases where "CLUSTER" might attempt to access already-removed
      TOAST data.
    - Fix portability bugs in use of credentials control messages for
      "peer" authentication.
    - Fix SSPI login when multiple roundtrips are required.
      The typical symptom of this problem was "The function requested is
      not supported" errors during SSPI login.
    - Fix typo in pg_srand48 seed initialization.
      This led to failure to use all bits of the provided seed. This
      function is not used on most platforms (only those without
      srandom), and the potential security exposure from a
      less-random-than-expected seed seems minimal in any case.
    - Avoid integer overflow when the sum of LIMIT and OFFSET values
      exceeds 2^63.
    - Add overflow checks to int4 and int8 versions of generate_series().
    - Fix trailing-zero removal in to_char(). In a format with FM and no digit
      positions after the decimal point, zeroes to the left of the decimal
      point could be removed incorrectly.
    - Fix pg_size_pretty() to avoid overflow for inputs close to 2^63.
    - Fix psql's counting of script file line numbers during COPY from a
      different file.
    - Fix pg_restore's direct-to-database mode for
      pg_restore could emit incorrect commands when restoring directly to
      a database server from an archive file that had been made with
      standard_conforming_strings set to on.
    - Fix write-past-buffer-end and memory leak in libpq's LDAP service
      lookup code.
    - In libpq, avoid failures when using nonblocking I/O and an SSL
    - Improve libpq's handling of failures during connection startup.
      In particular, the response to a server report of fork() failure
      during SSL connection startup is now saner.
    - Improve libpq's error reporting for SSL failures.
    - Make ecpglib write double values with 15 digits precision.
    - In ecpglib, be sure LC_NUMERIC setting is restored after an error.
    - Apply upstream fix for blowfish signed-character bug
      "contrib/pg_crypto"'s blowfish encryption code could give wrong
      results on platforms where char is signed (which is most), leading
      to encrypted passwords being weaker than they should be.
    - Fix memory leak in "contrib/seg".
    - Fix pgstatindex() to give consistent results for empty indexes.
    - Allow building with perl 5.14 (Alex Hunsaker)
  * Drop 00cvs-unregister-ssl-callbacks.patch, upstream now.

 -- Martin Pitt <mpitt op debian.org>  Sun, 25 Sep 2011 13:40:58 +0200

proftpd-dfsg (1.3.1-17lenny9) oldstable-security; urgency=low

  * Missed the second part of the #3624, now added to avoid segfaulting.
    (closes: #648922)

 -- Francesco Paolo Lovergine <frankie op debian.org>  Wed, 16 Nov 2011 10:50:20 +0100

proftpd-dfsg (1.3.1-17lenny8) oldstable-security; urgency=low

  * Changed libpam-dev virtual pkg build-dep in libpam0g-dev due to new
    package resolver used in old-stable.

 -- Francesco Paolo Lovergine <frankie op debian.org>  Tue, 15 Nov 2011 13:56:04 +0100

proftpd-dfsg (1.3.1-17lenny7) oldstable-security; urgency=low

  * Security fix: 3624.dpatch.
    This patch fixes the issue by causing mod_tls to clear the buffers of any
    data received from the client, once the SSL/TLS handshake has succeeded.

 -- Francesco Paolo Lovergine <frankie op debian.org>  Mon, 21 Mar 2011 23:09:43 +0100

tzdata (2011k-0lenny1) oldstable; urgency=low

  * New upstream release:
    - Update DST rules for Ukraine.  Closes: #642232.
    - Update DST rules for Belarus.  Closes: #641846.

 -- Aurelien Jarno <aurel32 op debian.org>  Mon, 26 Sep 2011 20:48:25 +0200

tzdata (2011j-0lenny1) oldstable; urgency=low

  * New upstream release.

 -- Aurelien Jarno <aurel32 op debian.org>  Fri, 23 Sep 2011 18:58:05 +0200

tzdata (2011h-0lenny1) oldstable; urgency=low

  * New upstream release.

 -- Aurelien Jarno <aurel32 op debian.org>  Sun, 21 Aug 2011 19:36:26 +0200

tzdata (2011d-0lenny1) oldstable; urgency=low

  * New upstream release.
    - Contains Turkish DST change.

 -- Aurelien Jarno <aurel32 op debian.org>  Wed, 23 Mar 2011 23:34:21 +0100

tzdata (2011c-0lenny1) oldstable; urgency=low

  * New upstream release.
    - Contains Chilean DST change.  closes: #617331.

 -- Clint Adams <clint op debian.org>  Fri, 11 Mar 2011 14:59:53 -0500

