[ddh-sys] apt-listchanges: changelogs for less
root
root op ddh.nl
Za mei 26 12:26:12 CEST 2012
apache2 (2.2.9-10+lenny12) lenny-security; urgency=high
* Prevent unintended pattern expansion in some reverse proxy
configurations by strictly validating the request-URI. Fixes
CVE-2011-3368, CVE-2011-3639, CVE-2011-4317.
* CVE-2011-3607: Fix integer overflow in ap_pregsub(), which allowed local
privilege escalation.
* CVE-2012-0031: Fix client process being able to crash parent process
during shutdown.
* CVE-2012-0053: Fix an issue in code 400 error responses that could expose
"httpOnly" cookies.
-- Stefan Fritsch <sf op debian.org> Sun, 05 Feb 2012 21:56:02 +0100
cups (1.3.8-1+lenny10) oldstable-security; urgency=high
* Non-maintainer upload by the Security Team.
* debian/patches:
- str3867 added, fix an infinite loop / heap-based buffer overflow in the
gif_read_lzw() function (CVE-2011-2896)
- str3914 added, complete the fix for the previous issue (CVE-2011-3170).
-- Yves-Alexis Perez <yves-alexis.perez op ssi.gouv.fr> Mon, 28 Nov 2011 15:07:53 +0100
krb5 (1.6.dfsg.4~beta1-5lenny7) lenny-security; urgency=high
* Apply patch from FreeBSD to fix CVE-2011-4862
-- Florian Weimer <fw op deneb.enyo.de> Mon, 26 Dec 2011 11:35:59 +0100
libxml2 (2.6.32.dfsg-5+lenny5) oldstable-security; urgency=high
* Security update.
* parser.c: Fix an allocation error when copying entities.
CVE-2011-3919. Closes: #656377.
* parser.c: Make sure parser returns when getting a Stop order.
CVE-2011-3905.
* encoding.c: Fix off by one error. CVE-2011-0216. Closes: 652352.
* xpath.c: Fix for undefined namespaces.
CVE-2011-2834. Closes: 643648.
-- Aron Xu <aron op debian.org> Tue, 24 Jan 2012 06:04:56 +0800
openssl (0.9.8g-15+lenny16) lenny-security; urgency=low
* Fix CVE-2012-0050.
-- Kurt Roeckx <kurt op roeckx.be> Wed, 18 Jan 2012 21:38:40 +0100
openssl (0.9.8g-15+lenny15) lenny-security; urgency=low
* Fix CVE-2011-4354 (Closes: #650621)
* Fix CVE-2011-4108, CVE-2011-4109, CVE-2011-4576, CVE-2011-4619
and CVE-2011-4577
* Send alert instead of assertion failure for incorrectly formatted DTLS
fragments. (Closes: #645805)
-- Kurt Roeckx <kurt op roeckx.be> Sat, 14 Jan 2012 16:53:11 +0100
openssl (0.9.8g-15+lenny14) lenny-security; urgency=high
* Non-maintainer upload by the Security Team.
* Block Malaysian's Digicert Sdn. Bhd. certificates by marking them
as revoked.
-- Raphael Geissert <geissert op debian.org> Sun, 06 Nov 2011 12:16:21 -0600
openssl (0.9.8g-15+lenny13) lenny; urgency=low
* Non-maintainer upload by the Security Team.
* Fix CVE-2011-3210: SSL memory handling for (EC)DH ciphersuites
-- Raphael Geissert <geissert op debian.org> Fri, 23 Sep 2011 23:49:25 -0500
openssl (0.9.8g-15+lenny12) lenny-security; urgency=high
* Non-maintainer upload by the Security Team.
* debian/rules: prevent the build system from adding noise to the
package's .diff file.
* Block DigiNotar certificates
* Fix CVE-2011-1945: timing attacks against ECDHE_ECDSA makes it
easier to determine private keys.
-- Raphael Geissert <geissert op debian.org> Mon, 12 Sep 2011 19:58:54 -0500
php5 (5.2.6.dfsg.1-1+lenny16) oldstable-security; urgency=low
* Fix UMR in php_register_variable_ex (pull from upstream SVN)
-- Ondřej Surý <ondrej op debian.org> Fri, 03 Feb 2012 09:01:31 +0100
php5 (5.2.6.dfsg.1-1+lenny15) oldstable-security; urgency=low
* CVE-2012-0057: Pull complete fix including setting the default
* Include zend_ini.h in xsltprocessor.c (Closes: #658087)
-- Ondřej Surý <ondrej op debian.org> Tue, 31 Jan 2012 11:11:08 +0100
php5 (5.2.6.dfsg.1-1+lenny14) oldstable-security; urgency=high
* Refresh quilt patches to apply cleanly on current sources
* CVE-2011-4566: integer overflow in exif_process_IFD_TAG() may
lead to DoS or arbitrary memory disclosure
* CVE-2011-4885: hash table collisions CPU usage DoS (oCERT-2011-003)
* CVE-2012-0057: XSLT file writing vulnerability (Closes: #656308)
-- Ondřej Surý <ondrej op debian.org> Mon, 23 Jan 2012 12:39:02 +0100
t1lib (5.1.2-3+lenny1) oldstable-security; urgency=high
* Non-maintainer upload by the Security Team.
* debian/patches:
- CVE-2010-2642 added, fix heap-based buffer overflow first found in
evince but applicable to the embedded afmparse library found in t1lib
too. Fixes CVE-2011-0433 too on the same patch.
- CVE-2011-0764 added, fix arbitrary code execution by only using ppoints
when it is a valid pointer. closes: #652996
This fixes CVE-2011-0764, CVE-2011-1552, CVE-2011-1553 and CVE-2011-1554
* format-string added, fix a format string error IfTrace0 macro and another
in T1_SubfsetFont().
-- Yves-Alexis Perez <corsac op debian.org> Sat, 14 Jan 2012 21:55:47 +0100
acpid (1.0.8-1lenny4) oldstable-security; urgency=low
* Rebuild to workaround expired buildd keys
-- Moritz <jmm op debian.org> Tue, 06 Dec 2011 19:23:10 +0000
acpid (1.0.8-1lenny3) oldstable-security; urgency=low
* Applied upstream patch to set umask to 0077 for scripts run by acpid.
-- Michael Meskes <meskes op debian.org> Tue, 02 Aug 2011 19:09:07 +0200
apr (1.2.12-5+lenny5) oldstable; urgency=low
* Disable robust pthread mutexes on alpha, arm, and armel. This fixes build
problems on buildds running newer Linux kernels.
-- Stefan Fritsch <sf op debian.org> Mon, 16 Jan 2012 15:45:55 +0100
aptitude (0.4.11.11-1~lenny2) oldstable; urgency=low
* Non-maintainer upload.
* Backport of 0009-fix-symlink-attack:
Fix a potential symlink attack that could occur if a user
with no home directory edited and saved the package hierarchy
definitions. (Closes: #612034)
-- Jonathan Wiltshire <jmw op debian.org> Wed, 10 Aug 2011 23:30:04 +0100
base-files (5lenny11) oldstable; urgency=low
* Bump version in /etc/debian_version to "5.0.10".
-- Santiago Vila <sanvila op debian.org> Thu, 16 Feb 2012 20:49:38 +0100
base-files (5lenny10) oldstable; urgency=low
* Bump version in /etc/debian_version to "5.0.9".
* Target distribution changed to "oldstable", as stable is now squeeze.
-- Santiago Vila <sanvila op debian.org> Thu, 08 Sep 2011 12:22:38 +0200
freetype (2.3.7-2+lenny8) oldstable-security; urgency=low
* Non-maintainer upload by the Security Team.
* Fix CVE-2011-3439: vulnerability in CID-keyed Type 1 fonts.
-- Michael Gilbert <michael.s.gilbert op gmail.com> Fri, 18 Nov 2011 06:46:24 +0000
freetype (2.3.7-2+lenny7) oldstable-security; urgency=low
* Non-maintainer upload by the Security Team.
* CVE-2011-3256
-- Moritz Muehlenhoff <jmm op debian.org> Mon, 24 Oct 2011 16:53:23 +0000
klibc (1.5.12-2lenny1) oldstable; urgency=low
* ipconfig: Escape DHCP options. (CVE-2011-1930)
-- maximilian attems <maks op debian.org> Wed, 01 Jun 2011 10:20:28 +0200
openldap (2.4.11-1+lenny2.1) oldstable; urgency=low
* Non-maintainer upload.
* Backport security fixes: (Closes: #617606)
- CVE-2011-1024 Authentication bypass in back-ldap
- CVE-2011-1081 DoS in modrdn operation
-- Jonathan Wiltshire <jmw op debian.org> Mon, 25 Jul 2011 13:40:32 +0100
postgresql-8.3 (8.3.17-0lenny1) oldstable; urgency=low
* New upstream bug fix release:
- Fix bugs in information_schema.referential_constraints view.
This view was being insufficiently careful about matching the
foreign-key constraint to the depended-on primary or unique key
constraint. That could result in failure to show a foreign key
constraint at all, or showing it multiple times, or claiming that
it depends on a different constraint than the one it really does.
Since the view definition is installed by initdb, merely upgrading
will not fix the problem. If you need to fix this in an existing
installation, you can (as a superuser) drop the information_schema
schema then re-create it by sourcing
"SHAREDIR/information_schema.sql". (Run pg_config --sharedir if
you're uncertain where "SHAREDIR" is.) This must be repeated in
each database to be fixed.
- Fix TOAST-related data corruption during CREATE TABLE dest AS
SELECT - FROM src or INSERT INTO dest SELECT * FROM src.
If a table has been modified by "ALTER TABLE ADD COLUMN", attempts
to copy its data verbatim to another table could produce corrupt
results in certain corner cases. The problem can only manifest in
this precise form in 8.4 and later, but we patched earlier versions
as well in case there are other code paths that could trigger the
same bug.
- Fix race condition during toast table access from stale syscache
entries. The typical symptom was transient errors like "missing chunk
number 0 for toast value NNNNN in pg_toast_2619", where the cited toast
table would always belong to a system catalog.
- Make DatumGetInetP() unpack inet datums that have a 1-byte header,
and add a new macro, DatumGetInetPP(), that does not.
- Improve locale support in money type's input and output.
Aside from not supporting all standard lc_monetary formatting
options, the input and output functions were inconsistent, meaning
there were locales in which dumped money values could not be
re-read.
- Don't let transform_null_equals affect CASE foo WHEN NULL ...
constructs.
- Change foreign-key trigger creation order to better support
self-referential foreign keys.
- Avoid floating-point underflow while tracking buffer allocation
rate.
- Preserve blank lines within commands in psql's command history.
The former behavior could cause problems if an empty line was
removed from within a string literal, for example.
- Fix pg_dump to dump user-defined casts between auto-generated
types, such as table rowtypes.
- Use the preferred version of xsubpp to build PL/Perl, not
necessarily the operating system's main copy.
- Fix incorrect coding in "contrib/dict_int" and "contrib/dict_xsyn".
- Honor query cancel interrupts promptly in pgstatindex().
- Ensure VPATH builds properly install all server header files.
- Shorten file names reported in verbose error messages.
Regular builds have always reported just the name of the C file
containing the error message call, but VPATH builds formerly
reported an absolute path name.
-- Martin Pitt <mpitt op debian.org> Sat, 03 Dec 2011 17:18:08 +0100
postgresql-8.3 (8.3.16-0lenny1) oldstable-security; urgency=low
* New upstream bug fix release 8.3.15:
- Disallow including a composite type in itself.
This prevents scenarios wherein the server could recurse infinitely
while processing the composite type. While there are some possible
uses for such a structure, they don't seem compelling enough to
justify the effort required to make sure it always works safely.
- Avoid potential deadlock during catalog cache initialization.
In some cases the cache loading code would acquire share lock on a
system index before locking the index's catalog. This could
deadlock against processes trying to acquire exclusive locks in the
other, more standard order.
- Fix dangling-pointer problem in BEFORE ROW UPDATE trigger handling
when there was a concurrent update to the target tuple.
This bug has been observed to result in intermittent "cannot
extract system attribute from virtual tuple" failures while trying
to do UPDATE RETURNING ctid. There is a very small probability of
more serious errors, such as generating incorrect index entries for
the updated tuple.
- Disallow "DROP TABLE" when there are pending deferred trigger
events for the table. Formerly the "DROP" would go through, leading to
"could not open relation with OID nnn" errors when the triggers were
eventually fired.
- Fix PL/Python memory leak involving array slices.
- Fix pg_restore to cope with long lines (over 1KB) in TOC files.
- Put in more safeguards against crashing due to division-by-zero
with overly enthusiastic compiler optimization.
* New upstream bug fix release 8.3.16:
- Fix bugs in indexing of in-doubt HOT-updated tuples.
These bugs could result in index corruption after reindexing a
system catalog. They are not believed to affect user indexes.
- Fix multiple bugs in GiST index page split processing.
The probability of occurrence was low, but these could lead to
index corruption.
- Fix possible buffer overrun in tsvector_concat().
The function could underestimate the amount of memory needed for
its result, leading to server crashes.
- Fix crash in xml_recv when processing a "standalone" parameter.
- Avoid possibly accessing off the end of memory in "ANALYZE" and in
SJIS-2004 encoding conversion.
This fixes some very-low-probability server crash scenarios.
- Fix race condition in relcache init file invalidation.
There was a window wherein a new backend process could read a stale
init file but miss the inval messages that would tell it the data
is stale. The result would be bizarre failures in catalog accesses,
typically "could not read block 0 in file ..." later during
startup.
- Fix memory leak at end of a GiST index scan.
Commands that perform many separate GiST index scans, such as
verification of a new GiST-based exclusion constraint on a table
already containing many rows, could transiently require large
amounts of memory due to this leak.
- Fix performance problem when constructing a large, lossy bitmap.
- Fix array- and path-creating functions to ensure padding bytes are
zeroes. This avoids some situations where the planner will think that
semantically-equal constants are not equal, resulting in poor
optimization.
- Fix dump bug for VALUES in a view.
- Disallow SELECT FOR UPDATE/SHARE on sequences.
This operation doesn't work as expected and can lead to failures.
- Defend against integer overflow when computing size of a hash table.
- Fix cases where "CLUSTER" might attempt to access already-removed
TOAST data.
- Fix portability bugs in use of credentials control messages for
"peer" authentication.
- Fix SSPI login when multiple roundtrips are required.
The typical symptom of this problem was "The function requested is
not supported" errors during SSPI login.
- Fix typo in pg_srand48 seed initialization.
This led to failure to use all bits of the provided seed. This
function is not used on most platforms (only those without
srandom), and the potential security exposure from a
less-random-than-expected seed seems minimal in any case.
- Avoid integer overflow when the sum of LIMIT and OFFSET values
exceeds 2^63.
- Add overflow checks to int4 and int8 versions of generate_series().
- Fix trailing-zero removal in to_char(). In a format with FM and no digit
positions after the decimal point, zeroes to the left of the decimal
point could be removed incorrectly.
- Fix pg_size_pretty() to avoid overflow for inputs close to 2^63.
- Fix psql's counting of script file line numbers during COPY from a
different file.
- Fix pg_restore's direct-to-database mode for
standard_conforming_strings.
pg_restore could emit incorrect commands when restoring directly to
a database server from an archive file that had been made with
standard_conforming_strings set to on.
- Fix write-past-buffer-end and memory leak in libpq's LDAP service
lookup code.
- In libpq, avoid failures when using nonblocking I/O and an SSL
connection.
- Improve libpq's handling of failures during connection startup.
In particular, the response to a server report of fork() failure
during SSL connection startup is now saner.
- Improve libpq's error reporting for SSL failures.
- Make ecpglib write double values with 15 digits precision.
- In ecpglib, be sure LC_NUMERIC setting is restored after an error.
- Apply upstream fix for blowfish signed-character bug
(CVE-2011-2483).
"contrib/pg_crypto"'s blowfish encryption code could give wrong
results on platforms where char is signed (which is most), leading
to encrypted passwords being weaker than they should be.
- Fix memory leak in "contrib/seg".
- Fix pgstatindex() to give consistent results for empty indexes.
- Allow building with perl 5.14 (Alex Hunsaker)
* Drop 00cvs-unregister-ssl-callbacks.patch, upstream now.
-- Martin Pitt <mpitt op debian.org> Sun, 25 Sep 2011 13:40:58 +0200
proftpd-dfsg (1.3.1-17lenny9) oldstable-security; urgency=low
* Missed the second part of the #3624, now added to avoid segfaulting.
(closes: #648922)
-- Francesco Paolo Lovergine <frankie op debian.org> Wed, 16 Nov 2011 10:50:20 +0100
proftpd-dfsg (1.3.1-17lenny8) oldstable-security; urgency=low
* Changed libpam-dev virtual pkg build-dep in libpam0g-dev due to new
package resolver used in old-stable.
-- Francesco Paolo Lovergine <frankie op debian.org> Tue, 15 Nov 2011 13:56:04 +0100
proftpd-dfsg (1.3.1-17lenny7) oldstable-security; urgency=low
* Security fix: 3624.dpatch.
This patch fixes the issue by causing mod_tls to clear the buffers of any
data received from the client, once the SSL/TLS handshake has succeeded.
-- Francesco Paolo Lovergine <frankie op debian.org> Mon, 21 Mar 2011 23:09:43 +0100
tzdata (2011k-0lenny1) oldstable; urgency=low
* New upstream release:
- Update DST rules for Ukraine. Closes: #642232.
- Update DST rules for Belarus. Closes: #641846.
-- Aurelien Jarno <aurel32 op debian.org> Mon, 26 Sep 2011 20:48:25 +0200
tzdata (2011j-0lenny1) oldstable; urgency=low
* New upstream release.
-- Aurelien Jarno <aurel32 op debian.org> Fri, 23 Sep 2011 18:58:05 +0200
tzdata (2011h-0lenny1) oldstable; urgency=low
* New upstream release.
-- Aurelien Jarno <aurel32 op debian.org> Sun, 21 Aug 2011 19:36:26 +0200
tzdata (2011d-0lenny1) oldstable; urgency=low
* New upstream release .
- Contains Turkish DST change.
-- Aurelien Jarno <aurel32 op debian.org> Wed, 23 Mar 2011 23:34:21 +0100
tzdata (2011c-0lenny1) oldstable; urgency=low
* New upstream release.
- Contains Chilean DST change. closes: #617331.
-- Clint Adams <clint op debian.org> Fri, 11 Mar 2011 14:59:53 -0500
Meer informatie over de ddh-sys
maillijst