======================================
Sat, 23 Jun 2018 - Debian 8.11 released
======================================

=========================================================================
[Date: Sat, 23 Jun 2018 08:47:20 +0000] [ftpmaster: Archive Administrator]
Removed the following packages from oldstable:

electrum | 1.9.8-4 | source, all
python-electrum | 1.9.8-4 | all
Closed bugs: 887415

------------------- Reason -------------------
RoM; unable to connect
----------------------------------------------

=========================================================================

=========================================================================
[Date: Sat, 23 Jun 2018 08:50:39 +0000] [ftpmaster: Archive Administrator]
Removed the following packages from oldstable:

jirc | 1.0-1 | source, all
Closed bugs: 891346

------------------- Reason -------------------
RoQA; broken with jessie libpoe-filter-xml-perl
----------------------------------------------

=========================================================================

=========================================================================
[Date: Sat, 23 Jun 2018 08:51:19 +0000] [ftpmaster: Archive Administrator]
Removed the following packages from oldstable:

dolibarr | 3.5.5+dfsg1-1+deb8u1 | source, all
Closed bugs: 892770

------------------- Reason -------------------
RoM; too much work to maintain it properly in Debian
----------------------------------------------

=========================================================================

=========================================================================
[Date: Sat, 23 Jun 2018 08:52:57 +0000] [ftpmaster: Archive Administrator]
Removed the following packages from oldstable:

nvidia-graphics-modules | 340.102+3.16.0+1 | source
nvidia-kernel-3.16.0-4-586 | 340.102+1+1+3.16.43-1 | i386
nvidia-kernel-3.16.0-4-686-pae | 340.102+1+1+3.16.43-1 | i386
nvidia-kernel-3.16.0-4-amd64 | 340.102+1+1+3.16.43-1 | amd64, i386
nvidia-kernel-486 | 340.102+3.16.0+1 | i386
nvidia-kernel-586 | 340.102+3.16.0+1 | i386
nvidia-kernel-686-pae | 340.102+3.16.0+1 | i386
nvidia-kernel-amd64 | 340.102+3.16.0+1 | amd64, i386
nvidia-kernel-dummy | 340.102+3.16.0+1 | amd64
Closed bugs: 894123

------------------- Reason -------------------
RoQA; license problem; incompatible with current kernel ABI
----------------------------------------------

=========================================================================

=========================================================================
[Date: Sat, 23 Jun 2018 08:54:12 +0000] [ftpmaster: Archive Administrator]
Removed the following packages from oldstable:

openstreetmap-client | 14.03.1~ds0-1 | source, all
Closed bugs: 835873

------------------- Reason -------------------
RoM; broken
----------------------------------------------

=========================================================================

=========================================================================
[Date: Sat, 23 Jun 2018 08:55:13 +0000] [ftpmaster: Archive Administrator]
Removed the following packages from oldstable:

redmine | 3.0~20140825-8~deb8u4 | source, all
redmine-mysql | 3.0~20140825-8~deb8u4 | all
redmine-pgsql | 3.0~20140825-8~deb8u4 | all
redmine-sqlite | 3.0~20140825-8~deb8u4 | all
Closed bugs: 897613

------------------- Reason -------------------
RoST; no longer security supported
----------------------------------------------

=========================================================================

=========================================================================
[Date: Sat, 23 Jun 2018 08:57:39 +0000] [ftpmaster: Archive Administrator]
Removed the following packages from oldstable:

redmine-plugin-pretend | 0.0.2+git20130821-3 | source, all
Closed bugs: 901478

------------------- Reason -------------------
RoST; depends on to-be-removed redmine
----------------------------------------------

=========================================================================

=========================================================================
[Date: Sat, 23 Jun 2018 08:59:04 +0000] [ftpmaster: Archive Administrator]
Removed the following packages from oldstable:

redmine-plugin-recaptcha | 0.1.0+git20121018-3 | all
redmine-recaptcha | 0.1.0+git20121018-3 | source
Closed bugs: 901479

------------------- Reason -------------------
RoST; depends on to-be-removed redmine
----------------------------------------------

=========================================================================

=========================================================================
[Date: Sat, 23 Jun 2018 09:04:25 +0000] [ftpmaster: Archive Administrator]
Removed the following packages from oldstable:

youtube-dl | 2014.08.05-1+deb8u1 | source, all
Closed bugs: 833865

------------------- Reason -------------------
RoQA; too difficult to keep current
----------------------------------------------

=========================================================================

=========================================================================
[Date: Sat, 23 Jun 2018 09:13:20 +0000] [ftpmaster: Archive Administrator]
Removed the following packages from oldstable:

acpi-modules-3.16.0-4-amd64-di | 3.16.51-3 | amd64
ata-modules-3.16.0-4-amd64-di | 3.16.51-3 | amd64
btrfs-modules-3.16.0-4-amd64-di | 3.16.51-3 | amd64
cdrom-core-modules-3.16.0-4-amd64-di | 3.16.51-3 | amd64
core-modules-3.16.0-4-amd64-di | 3.16.51-3 | amd64
crc-modules-3.16.0-4-amd64-di | 3.16.51-3 | amd64
crypto-dm-modules-3.16.0-4-amd64-di | 3.16.51-3 | amd64
crypto-modules-3.16.0-4-amd64-di | 3.16.51-3 | amd64
efi-modules-3.16.0-4-amd64-di | 3.16.51-3 | amd64
event-modules-3.16.0-4-amd64-di | 3.16.51-3 | amd64
ext4-modules-3.16.0-4-amd64-di | 3.16.51-3 | amd64
fat-modules-3.16.0-4-amd64-di | 3.16.51-3 | amd64
fb-modules-3.16.0-4-amd64-di | 3.16.51-3 | amd64
firewire-core-modules-3.16.0-4-amd64-di | 3.16.51-3 | amd64
fuse-modules-3.16.0-4-amd64-di | 3.16.51-3 | amd64
hyperv-modules-3.16.0-4-amd64-di | 3.16.51-3 | amd64
i2c-modules-3.16.0-4-amd64-di | 3.16.51-3 | amd64
input-modules-3.16.0-4-amd64-di | 3.16.51-3 | amd64
isofs-modules-3.16.0-4-amd64-di | 3.16.51-3 | amd64
jfs-modules-3.16.0-4-amd64-di | 3.16.51-3 | amd64
kernel-image-3.16.0-4-amd64-di | 3.16.51-3 | amd64
linux-headers-3.16.0-4-all-amd64 | 3.16.51-3 | amd64
linux-image-3.16.0-4-amd64-dbg | 3.16.51-3 | amd64
loop-modules-3.16.0-4-amd64-di | 3.16.51-3 | amd64
md-modules-3.16.0-4-amd64-di | 3.16.51-3 | amd64
mmc-core-modules-3.16.0-4-amd64-di | 3.16.51-3 | amd64
mmc-modules-3.16.0-4-amd64-di | 3.16.51-3 | amd64
mouse-modules-3.16.0-4-amd64-di | 3.16.51-3 | amd64
multipath-modules-3.16.0-4-amd64-di | 3.16.51-3 | amd64
nbd-modules-3.16.0-4-amd64-di | 3.16.51-3 | amd64
nic-modules-3.16.0-4-amd64-di | 3.16.51-3 | amd64
nic-pcmcia-modules-3.16.0-4-amd64-di | 3.16.51-3 | amd64
nic-shared-modules-3.16.0-4-amd64-di | 3.16.51-3 | amd64
nic-usb-modules-3.16.0-4-amd64-di | 3.16.51-3 | amd64
nic-wireless-modules-3.16.0-4-amd64-di | 3.16.51-3 | amd64
ntfs-modules-3.16.0-4-amd64-di | 3.16.51-3 | amd64
pata-modules-3.16.0-4-amd64-di | 3.16.51-3 | amd64
pcmcia-modules-3.16.0-4-amd64-di | 3.16.51-3 | amd64
pcmcia-storage-modules-3.16.0-4-amd64-di | 3.16.51-3 | amd64
ppp-modules-3.16.0-4-amd64-di | 3.16.51-3 | amd64
sata-modules-3.16.0-4-amd64-di | 3.16.51-3 | amd64
scsi-common-modules-3.16.0-4-amd64-di | 3.16.51-3 | amd64
scsi-core-modules-3.16.0-4-amd64-di | 3.16.51-3 | amd64
scsi-extra-modules-3.16.0-4-amd64-di | 3.16.51-3 | amd64
scsi-modules-3.16.0-4-amd64-di | 3.16.51-3 | amd64
serial-modules-3.16.0-4-amd64-di | 3.16.51-3 | amd64
sound-modules-3.16.0-4-amd64-di | 3.16.51-3 | amd64
speakup-modules-3.16.0-4-amd64-di | 3.16.51-3 | amd64
squashfs-modules-3.16.0-4-amd64-di | 3.16.51-3 | amd64
udf-modules-3.16.0-4-amd64-di | 3.16.51-3 | amd64
uinput-modules-3.16.0-4-amd64-di | 3.16.51-3 | amd64
usb-modules-3.16.0-4-amd64-di | 3.16.51-3 | amd64
usb-serial-modules-3.16.0-4-amd64-di | 3.16.51-3 | amd64
usb-storage-modules-3.16.0-4-amd64-di | 3.16.51-3 | amd64
xfs-modules-3.16.0-4-amd64-di | 3.16.51-3 | amd64

------------------- Reason -------------------
[auto-cruft] NBS (no longer built by linux)
----------------------------------------------

=========================================================================

=========================================================================
[Date: Sat, 23 Jun 2018 09:16:51 +0000] [ftpmaster: Archive Administrator]
Removed the following packages from oldstable:

virtio-modules-3.16.0-4-amd64-di | 3.16.51-3 | amd64
xen-linux-system-3.16.0-4-amd64 | 3.16.51-3 | amd64

------------------- Reason -------------------
[auto-cruft] NBS (no longer built by linux)
----------------------------------------------

=========================================================================

=========================================================================
[Date: Sat, 23 Jun 2018 09:17:07 +0000] [ftpmaster: Archive Administrator]
Removed the following packages from oldstable:

linux-headers-3.16.0-4-all | 3.16.51-3 | amd64, arm64, armel, armhf, i386, mips, mipsel, powerpc, ppc64el, s390x
linux-headers-3.16.0-4-common | 3.16.51-3 | amd64, arm64, armel, armhf, i386, mips, mipsel, powerpc, ppc64el, s390x

------------------- Reason -------------------
[auto-cruft] NBS (no longer built by linux)
----------------------------------------------

=========================================================================

=========================================================================
[Date: Sat, 23 Jun 2018 09:17:18 +0000] [ftpmaster: Archive Administrator]
Removed the following packages from oldstable:

linux-compiler-gcc-4.8-x86 | 3.16.51-3 | amd64, i386
linux-headers-3.16.0-4-amd64 | 3.16.51-3 | amd64, i386
linux-image-3.16.0-4-amd64 | 3.16.51-3 | amd64, i386

------------------- Reason -------------------
[auto-cruft] NBS (no longer built by linux)
----------------------------------------------

=========================================================================

=========================================================================
[Date: Sat, 23 Jun 2018 09:17:24 +0000] [ftpmaster: Archive Administrator]
Removed the following packages from oldstable:

ata-modules-3.16.0-4-arm64-di | 3.16.51-3 | arm64
btrfs-modules-3.16.0-4-arm64-di | 3.16.51-3 | arm64
cdrom-core-modules-3.16.0-4-arm64-di | 3.16.51-3 | arm64
core-modules-3.16.0-4-arm64-di | 3.16.51-3 | arm64
crc-modules-3.16.0-4-arm64-di | 3.16.51-3 | arm64
crypto-dm-modules-3.16.0-4-arm64-di | 3.16.51-3 | arm64
crypto-modules-3.16.0-4-arm64-di | 3.16.51-3 | arm64
efi-modules-3.16.0-4-arm64-di | 3.16.51-3 | arm64
event-modules-3.16.0-4-arm64-di | 3.16.51-3 | arm64
ext4-modules-3.16.0-4-arm64-di | 3.16.51-3 | arm64
fat-modules-3.16.0-4-arm64-di | 3.16.51-3 | arm64
fuse-modules-3.16.0-4-arm64-di | 3.16.51-3 | arm64
input-modules-3.16.0-4-arm64-di | 3.16.51-3 | arm64
isofs-modules-3.16.0-4-arm64-di | 3.16.51-3 | arm64
jfs-modules-3.16.0-4-arm64-di | 3.16.51-3 | arm64
kernel-image-3.16.0-4-arm64-di | 3.16.51-3 | arm64
linux-headers-3.16.0-4-all-arm64 | 3.16.51-3 | arm64
linux-headers-3.16.0-4-arm64 | 3.16.51-3 | arm64
linux-image-3.16.0-4-arm64 | 3.16.51-3 | arm64
linux-image-3.16.0-4-arm64-dbg | 3.16.51-3 | arm64
loop-modules-3.16.0-4-arm64-di | 3.16.51-3 | arm64
md-modules-3.16.0-4-arm64-di | 3.16.51-3 | arm64
mmc-modules-3.16.0-4-arm64-di | 3.16.51-3 | arm64
multipath-modules-3.16.0-4-arm64-di | 3.16.51-3 | arm64
nbd-modules-3.16.0-4-arm64-di | 3.16.51-3 | arm64
nic-modules-3.16.0-4-arm64-di | 3.16.51-3 | arm64
nic-shared-modules-3.16.0-4-arm64-di | 3.16.51-3 | arm64
nic-usb-modules-3.16.0-4-arm64-di | 3.16.51-3 | arm64
nic-wireless-modules-3.16.0-4-arm64-di | 3.16.51-3 | arm64
ppp-modules-3.16.0-4-arm64-di | 3.16.51-3 | arm64
sata-modules-3.16.0-4-arm64-di | 3.16.51-3 | arm64
scsi-core-modules-3.16.0-4-arm64-di | 3.16.51-3 | arm64
scsi-modules-3.16.0-4-arm64-di | 3.16.51-3 | arm64
squashfs-modules-3.16.0-4-arm64-di | 3.16.51-3 | arm64
udf-modules-3.16.0-4-arm64-di | 3.16.51-3 | arm64
uinput-modules-3.16.0-4-arm64-di | 3.16.51-3 | arm64
usb-modules-3.16.0-4-arm64-di | 3.16.51-3 | arm64
usb-storage-modules-3.16.0-4-arm64-di | 3.16.51-3 | arm64
virtio-modules-3.16.0-4-arm64-di | 3.16.51-3 | arm64
xfs-modules-3.16.0-4-arm64-di | 3.16.51-3 | arm64

------------------- Reason -------------------
[auto-cruft] NBS (no longer built by linux)
----------------------------------------------

=========================================================================

=========================================================================
[Date: Sat, 23 Jun 2018 09:17:32 +0000] [ftpmaster: Archive Administrator]
Removed the following packages from oldstable:

btrfs-modules-3.16.0-4-kirkwood-di | 3.16.51-3 | armel
btrfs-modules-3.16.0-4-orion5x-di | 3.16.51-3 | armel
btrfs-modules-3.16.0-4-versatile-di | 3.16.51-3 | armel
cdrom-core-modules-3.16.0-4-kirkwood-di | 3.16.51-3 | armel
cdrom-core-modules-3.16.0-4-orion5x-di | 3.16.51-3 | armel
cdrom-core-modules-3.16.0-4-versatile-di | 3.16.51-3 | armel
core-modules-3.16.0-4-kirkwood-di | 3.16.51-3 | armel
core-modules-3.16.0-4-orion5x-di | 3.16.51-3 | armel
core-modules-3.16.0-4-versatile-di | 3.16.51-3 | armel
crc-modules-3.16.0-4-kirkwood-di | 3.16.51-3 | armel
crc-modules-3.16.0-4-orion5x-di | 3.16.51-3 | armel
crc-modules-3.16.0-4-versatile-di | 3.16.51-3 | armel
crypto-dm-modules-3.16.0-4-kirkwood-di | 3.16.51-3 | armel
crypto-dm-modules-3.16.0-4-orion5x-di | 3.16.51-3 | armel
crypto-dm-modules-3.16.0-4-versatile-di | 3.16.51-3 | armel
crypto-modules-3.16.0-4-kirkwood-di | 3.16.51-3 | armel
crypto-modules-3.16.0-4-orion5x-di | 3.16.51-3 | armel
crypto-modules-3.16.0-4-versatile-di | 3.16.51-3 | armel
event-modules-3.16.0-4-kirkwood-di | 3.16.51-3 | armel
event-modules-3.16.0-4-orion5x-di | 3.16.51-3 | armel
ext4-modules-3.16.0-4-kirkwood-di | 3.16.51-3 | armel
ext4-modules-3.16.0-4-orion5x-di | 3.16.51-3 | armel
ext4-modules-3.16.0-4-versatile-di | 3.16.51-3 | armel
fat-modules-3.16.0-4-kirkwood-di | 3.16.51-3 | armel
fat-modules-3.16.0-4-orion5x-di | 3.16.51-3 | armel
fat-modules-3.16.0-4-versatile-di | 3.16.51-3 | armel
fb-modules-3.16.0-4-kirkwood-di | 3.16.51-3 | armel
fuse-modules-3.16.0-4-kirkwood-di | 3.16.51-3 | armel
fuse-modules-3.16.0-4-orion5x-di | 3.16.51-3 | armel
fuse-modules-3.16.0-4-versatile-di | 3.16.51-3 | armel
input-modules-3.16.0-4-kirkwood-di | 3.16.51-3 | armel
ipv6-modules-3.16.0-4-orion5x-di | 3.16.51-3 | armel
isofs-modules-3.16.0-4-kirkwood-di | 3.16.51-3 | armel
isofs-modules-3.16.0-4-orion5x-di | 3.16.51-3 | armel
isofs-modules-3.16.0-4-versatile-di | 3.16.51-3 | armel
jffs2-modules-3.16.0-4-orion5x-di | 3.16.51-3 | armel
jfs-modules-3.16.0-4-kirkwood-di | 3.16.51-3 | armel
jfs-modules-3.16.0-4-orion5x-di | 3.16.51-3 | armel
kernel-image-3.16.0-4-kirkwood-di | 3.16.51-3 | armel
kernel-image-3.16.0-4-orion5x-di | 3.16.51-3 | armel
kernel-image-3.16.0-4-versatile-di | 3.16.51-3 | armel
leds-modules-3.16.0-4-kirkwood-di | 3.16.51-3 | armel
linux-headers-3.16.0-4-all-armel | 3.16.51-3 | armel
linux-headers-3.16.0-4-ixp4xx | 3.16.51-3 | armel
linux-headers-3.16.0-4-kirkwood | 3.16.51-3 | armel
linux-headers-3.16.0-4-orion5x | 3.16.51-3 | armel
linux-headers-3.16.0-4-versatile | 3.16.51-3 | armel
linux-image-3.16.0-4-ixp4xx | 3.16.51-3 | armel
linux-image-3.16.0-4-kirkwood | 3.16.51-3 | armel
linux-image-3.16.0-4-orion5x | 3.16.51-3 | armel
linux-image-3.16.0-4-versatile | 3.16.51-3 | armel
loop-modules-3.16.0-4-kirkwood-di | 3.16.51-3 | armel
loop-modules-3.16.0-4-orion5x-di | 3.16.51-3 | armel
loop-modules-3.16.0-4-versatile-di | 3.16.51-3 | armel
md-modules-3.16.0-4-kirkwood-di | 3.16.51-3 | armel
md-modules-3.16.0-4-orion5x-di | 3.16.51-3 | armel
md-modules-3.16.0-4-versatile-di | 3.16.51-3 | armel
minix-modules-3.16.0-4-kirkwood-di | 3.16.51-3 | armel
minix-modules-3.16.0-4-orion5x-di | 3.16.51-3 | armel
mmc-modules-3.16.0-4-kirkwood-di | 3.16.51-3 | armel
mouse-modules-3.16.0-4-kirkwood-di | 3.16.51-3 | armel
multipath-modules-3.16.0-4-kirkwood-di | 3.16.51-3 | armel
multipath-modules-3.16.0-4-orion5x-di | 3.16.51-3 | armel
multipath-modules-3.16.0-4-versatile-di | 3.16.51-3 | armel
nbd-modules-3.16.0-4-kirkwood-di | 3.16.51-3 | armel
nbd-modules-3.16.0-4-orion5x-di | 3.16.51-3 | armel
nbd-modules-3.16.0-4-versatile-di | 3.16.51-3 | armel
nic-modules-3.16.0-4-kirkwood-di | 3.16.51-3 | armel
nic-modules-3.16.0-4-orion5x-di | 3.16.51-3 | armel
nic-modules-3.16.0-4-versatile-di | 3.16.51-3 | armel
nic-shared-modules-3.16.0-4-kirkwood-di | 3.16.51-3 | armel
nic-shared-modules-3.16.0-4-orion5x-di | 3.16.51-3 | armel
nic-shared-modules-3.16.0-4-versatile-di | 3.16.51-3 | armel
nic-usb-modules-3.16.0-4-kirkwood-di | 3.16.51-3 | armel
nic-usb-modules-3.16.0-4-orion5x-di | 3.16.51-3 | armel
nic-usb-modules-3.16.0-4-versatile-di | 3.16.51-3 | armel
ppp-modules-3.16.0-4-kirkwood-di | 3.16.51-3 | armel
ppp-modules-3.16.0-4-orion5x-di | 3.16.51-3 | armel
ppp-modules-3.16.0-4-versatile-di | 3.16.51-3 | armel
sata-modules-3.16.0-4-kirkwood-di | 3.16.51-3 | armel
sata-modules-3.16.0-4-orion5x-di | 3.16.51-3 | armel
sata-modules-3.16.0-4-versatile-di | 3.16.51-3 | armel
scsi-common-modules-3.16.0-4-versatile-di | 3.16.51-3 | armel
scsi-core-modules-3.16.0-4-kirkwood-di | 3.16.51-3 | armel
scsi-core-modules-3.16.0-4-orion5x-di | 3.16.51-3 | armel
scsi-core-modules-3.16.0-4-versatile-di | 3.16.51-3 | armel
squashfs-modules-3.16.0-4-kirkwood-di | 3.16.51-3 | armel
squashfs-modules-3.16.0-4-orion5x-di | 3.16.51-3 | armel
squashfs-modules-3.16.0-4-versatile-di | 3.16.51-3 | armel
udf-modules-3.16.0-4-kirkwood-di | 3.16.51-3 | armel
udf-modules-3.16.0-4-orion5x-di | 3.16.51-3 | armel
udf-modules-3.16.0-4-versatile-di | 3.16.51-3 | armel
uinput-modules-3.16.0-4-kirkwood-di | 3.16.51-3 | armel
usb-modules-3.16.0-4-kirkwood-di | 3.16.51-3 | armel
usb-modules-3.16.0-4-orion5x-di | 3.16.51-3 | armel
usb-modules-3.16.0-4-versatile-di | 3.16.51-3 | armel
usb-serial-modules-3.16.0-4-kirkwood-di | 3.16.51-3 | armel
usb-serial-modules-3.16.0-4-orion5x-di | 3.16.51-3 | armel
usb-serial-modules-3.16.0-4-versatile-di | 3.16.51-3 | armel
usb-storage-modules-3.16.0-4-kirkwood-di | 3.16.51-3 | armel
usb-storage-modules-3.16.0-4-orion5x-di | 3.16.51-3 | armel
usb-storage-modules-3.16.0-4-versatile-di | 3.16.51-3 | armel
virtio-modules-3.16.0-4-versatile-di | 3.16.51-3 | armel
zlib-modules-3.16.0-4-orion5x-di | 3.16.51-3 | armel
zlib-modules-3.16.0-4-versatile-di | 3.16.51-3 | armel

------------------- Reason -------------------
[auto-cruft] NBS (no longer built by linux)
----------------------------------------------

=========================================================================

=========================================================================
[Date: Sat, 23 Jun 2018 09:17:38 +0000] [ftpmaster: Archive Administrator]
Removed the following packages from oldstable:

ata-modules-3.16.0-4-armmp-di | 3.16.51-3 | armhf
btrfs-modules-3.16.0-4-armmp-di | 3.16.51-3 | armhf
core-modules-3.16.0-4-armmp-di | 3.16.51-3 | armhf
crc-modules-3.16.0-4-armmp-di | 3.16.51-3 | armhf
crypto-dm-modules-3.16.0-4-armmp-di | 3.16.51-3 | armhf
crypto-modules-3.16.0-4-armmp-di | 3.16.51-3 | armhf
event-modules-3.16.0-4-armmp-di | 3.16.51-3 | armhf
ext4-modules-3.16.0-4-armmp-di | 3.16.51-3 | armhf
fat-modules-3.16.0-4-armmp-di | 3.16.51-3 | armhf
fb-modules-3.16.0-4-armmp-di | 3.16.51-3 | armhf
fuse-modules-3.16.0-4-armmp-di | 3.16.51-3 | armhf
input-modules-3.16.0-4-armmp-di | 3.16.51-3 | armhf
isofs-modules-3.16.0-4-armmp-di | 3.16.51-3 | armhf
jfs-modules-3.16.0-4-armmp-di | 3.16.51-3 | armhf
kernel-image-3.16.0-4-armmp-di | 3.16.51-3 | armhf
linux-headers-3.16.0-4-all-armhf | 3.16.51-3 | armhf
linux-headers-3.16.0-4-armmp | 3.16.51-3 | armhf
linux-headers-3.16.0-4-armmp-lpae | 3.16.51-3 | armhf
linux-image-3.16.0-4-armmp | 3.16.51-3 | armhf
linux-image-3.16.0-4-armmp-lpae | 3.16.51-3 | armhf
loop-modules-3.16.0-4-armmp-di | 3.16.51-3 | armhf
md-modules-3.16.0-4-armmp-di | 3.16.51-3 | armhf
mmc-modules-3.16.0-4-armmp-di | 3.16.51-3 | armhf
mtd-modules-3.16.0-4-armmp-di | 3.16.51-3 | armhf
multipath-modules-3.16.0-4-armmp-di | 3.16.51-3 | armhf
nbd-modules-3.16.0-4-armmp-di | 3.16.51-3 | armhf
nic-modules-3.16.0-4-armmp-di | 3.16.51-3 | armhf
nic-shared-modules-3.16.0-4-armmp-di | 3.16.51-3 | armhf
nic-usb-modules-3.16.0-4-armmp-di | 3.16.51-3 | armhf
nic-wireless-modules-3.16.0-4-armmp-di | 3.16.51-3 | armhf
pata-modules-3.16.0-4-armmp-di | 3.16.51-3 | armhf
ppp-modules-3.16.0-4-armmp-di | 3.16.51-3 | armhf
sata-modules-3.16.0-4-armmp-di | 3.16.51-3 | armhf
scsi-core-modules-3.16.0-4-armmp-di | 3.16.51-3 | armhf
scsi-modules-3.16.0-4-armmp-di | 3.16.51-3 | armhf
squashfs-modules-3.16.0-4-armmp-di | 3.16.51-3 | armhf
udf-modules-3.16.0-4-armmp-di | 3.16.51-3 | armhf
uinput-modules-3.16.0-4-armmp-di | 3.16.51-3 | armhf
usb-modules-3.16.0-4-armmp-di | 3.16.51-3 | armhf
usb-storage-modules-3.16.0-4-armmp-di | 3.16.51-3 | armhf
virtio-modules-3.16.0-4-armmp-di | 3.16.51-3 | armhf
zlib-modules-3.16.0-4-armmp-di | 3.16.51-3 | armhf

------------------- Reason -------------------
[auto-cruft] NBS (no longer built by linux)
----------------------------------------------

=========================================================================

=========================================================================
[Date: Sat, 23 Jun 2018 09:17:45 +0000] [ftpmaster: Archive Administrator]
Removed the following packages from oldstable:

acpi-modules-3.16.0-4-586-di | 3.16.51-3 | i386
acpi-modules-3.16.0-4-686-pae-di | 3.16.51-3 | i386
ata-modules-3.16.0-4-586-di | 3.16.51-3 | i386
ata-modules-3.16.0-4-686-pae-di | 3.16.51-3 | i386
btrfs-modules-3.16.0-4-586-di | 3.16.51-3 | i386
btrfs-modules-3.16.0-4-686-pae-di | 3.16.51-3 | i386
cdrom-core-modules-3.16.0-4-586-di | 3.16.51-3 | i386
cdrom-core-modules-3.16.0-4-686-pae-di | 3.16.51-3 | i386
core-modules-3.16.0-4-586-di | 3.16.51-3 | i386
core-modules-3.16.0-4-686-pae-di | 3.16.51-3 | i386
crc-modules-3.16.0-4-586-di | 3.16.51-3 | i386
crc-modules-3.16.0-4-686-pae-di | 3.16.51-3 | i386
crypto-dm-modules-3.16.0-4-586-di | 3.16.51-3 | i386
crypto-dm-modules-3.16.0-4-686-pae-di | 3.16.51-3 | i386
crypto-modules-3.16.0-4-586-di | 3.16.51-3 | i386
crypto-modules-3.16.0-4-686-pae-di | 3.16.51-3 | i386
efi-modules-3.16.0-4-586-di | 3.16.51-3 | i386
efi-modules-3.16.0-4-686-pae-di | 3.16.51-3 | i386
event-modules-3.16.0-4-586-di | 3.16.51-3 | i386
event-modules-3.16.0-4-686-pae-di | 3.16.51-3 | i386
ext4-modules-3.16.0-4-586-di | 3.16.51-3 | i386
ext4-modules-3.16.0-4-686-pae-di | 3.16.51-3 | i386
fat-modules-3.16.0-4-586-di | 3.16.51-3 | i386
fat-modules-3.16.0-4-686-pae-di | 3.16.51-3 | i386
fb-modules-3.16.0-4-586-di | 3.16.51-3 | i386
fb-modules-3.16.0-4-686-pae-di | 3.16.51-3 | i386
firewire-core-modules-3.16.0-4-586-di | 3.16.51-3 | i386
firewire-core-modules-3.16.0-4-686-pae-di | 3.16.51-3 | i386
fuse-modules-3.16.0-4-586-di | 3.16.51-3 | i386
fuse-modules-3.16.0-4-686-pae-di | 3.16.51-3 | i386
hyperv-modules-3.16.0-4-586-di | 3.16.51-3 | i386
hyperv-modules-3.16.0-4-686-pae-di | 3.16.51-3 | i386
i2c-modules-3.16.0-4-586-di | 3.16.51-3 | i386
i2c-modules-3.16.0-4-686-pae-di | 3.16.51-3 | i386
input-modules-3.16.0-4-586-di | 3.16.51-3 | i386
input-modules-3.16.0-4-686-pae-di | 3.16.51-3 | i386
isofs-modules-3.16.0-4-586-di | 3.16.51-3 | i386
isofs-modules-3.16.0-4-686-pae-di | 3.16.51-3 | i386
jfs-modules-3.16.0-4-586-di | 3.16.51-3 | i386
jfs-modules-3.16.0-4-686-pae-di | 3.16.51-3 | i386
kernel-image-3.16.0-4-586-di | 3.16.51-3 | i386
kernel-image-3.16.0-4-686-pae-di | 3.16.51-3 | i386
linux-headers-3.16.0-4-586 | 3.16.51-3 | i386
linux-headers-3.16.0-4-686-pae | 3.16.51-3 | i386
linux-headers-3.16.0-4-all-i386 | 3.16.51-3 | i386
linux-image-3.16.0-4-586 | 3.16.51-3 | i386
linux-image-3.16.0-4-686-pae | 3.16.51-3 | i386
linux-image-3.16.0-4-686-pae-dbg | 3.16.51-3 | i386
loop-modules-3.16.0-4-586-di | 3.16.51-3 | i386
loop-modules-3.16.0-4-686-pae-di | 3.16.51-3 | i386
md-modules-3.16.0-4-586-di | 3.16.51-3 | i386
md-modules-3.16.0-4-686-pae-di | 3.16.51-3 | i386
mmc-core-modules-3.16.0-4-586-di | 3.16.51-3 | i386
mmc-core-modules-3.16.0-4-686-pae-di | 3.16.51-3 | i386
mmc-modules-3.16.0-4-586-di | 3.16.51-3 | i386
mmc-modules-3.16.0-4-686-pae-di | 3.16.51-3 | i386
mouse-modules-3.16.0-4-586-di | 3.16.51-3 | i386
mouse-modules-3.16.0-4-686-pae-di | 3.16.51-3 | i386
multipath-modules-3.16.0-4-586-di | 3.16.51-3 | i386
multipath-modules-3.16.0-4-686-pae-di | 3.16.51-3 | i386
nbd-modules-3.16.0-4-586-di | 3.16.51-3 | i386
nbd-modules-3.16.0-4-686-pae-di | 3.16.51-3 | i386
nic-modules-3.16.0-4-586-di | 3.16.51-3 | i386
nic-modules-3.16.0-4-686-pae-di | 3.16.51-3 | i386
nic-pcmcia-modules-3.16.0-4-586-di | 3.16.51-3 | i386
nic-pcmcia-modules-3.16.0-4-686-pae-di | 3.16.51-3 | i386
nic-shared-modules-3.16.0-4-586-di | 3.16.51-3 | i386
nic-shared-modules-3.16.0-4-686-pae-di | 3.16.51-3 | i386
nic-usb-modules-3.16.0-4-586-di | 3.16.51-3 | i386
nic-usb-modules-3.16.0-4-686-pae-di | 3.16.51-3 | i386
nic-wireless-modules-3.16.0-4-586-di | 3.16.51-3 | i386
nic-wireless-modules-3.16.0-4-686-pae-di | 3.16.51-3 | i386
ntfs-modules-3.16.0-4-586-di | 3.16.51-3 | i386
ntfs-modules-3.16.0-4-686-pae-di | 3.16.51-3 | i386
pata-modules-3.16.0-4-586-di | 3.16.51-3 | i386
pata-modules-3.16.0-4-686-pae-di | 3.16.51-3 | i386
pcmcia-modules-3.16.0-4-586-di | 3.16.51-3 | i386
pcmcia-modules-3.16.0-4-686-pae-di | 3.16.51-3 | i386
pcmcia-storage-modules-3.16.0-4-586-di | 3.16.51-3 | i386
pcmcia-storage-modules-3.16.0-4-686-pae-di | 3.16.51-3 | i386
ppp-modules-3.16.0-4-586-di | 3.16.51-3 | i386
ppp-modules-3.16.0-4-686-pae-di | 3.16.51-3 | i386
sata-modules-3.16.0-4-586-di | 3.16.51-3 | i386
sata-modules-3.16.0-4-686-pae-di | 3.16.51-3 | i386
scsi-common-modules-3.16.0-4-586-di | 3.16.51-3 | i386
scsi-common-modules-3.16.0-4-686-pae-di | 3.16.51-3 | i386
scsi-core-modules-3.16.0-4-586-di | 3.16.51-3 | i386
scsi-core-modules-3.16.0-4-686-pae-di | 3.16.51-3 | i386
scsi-extra-modules-3.16.0-4-586-di | 3.16.51-3 | i386
scsi-extra-modules-3.16.0-4-686-pae-di | 3.16.51-3 | i386
scsi-modules-3.16.0-4-586-di | 3.16.51-3 | i386
scsi-modules-3.16.0-4-686-pae-di | 3.16.51-3 | i386
serial-modules-3.16.0-4-586-di | 3.16.51-3 | i386
serial-modules-3.16.0-4-686-pae-di | 3.16.51-3 | i386
sound-modules-3.16.0-4-586-di | 3.16.51-3 | i386
sound-modules-3.16.0-4-686-pae-di | 3.16.51-3 | i386
speakup-modules-3.16.0-4-586-di | 3.16.51-3 | i386
speakup-modules-3.16.0-4-686-pae-di | 3.16.51-3 | i386
squashfs-modules-3.16.0-4-586-di | 3.16.51-3 | i386
squashfs-modules-3.16.0-4-686-pae-di | 3.16.51-3 | i386
udf-modules-3.16.0-4-586-di | 3.16.51-3 | i386
udf-modules-3.16.0-4-686-pae-di | 3.16.51-3 | i386
uinput-modules-3.16.0-4-586-di | 3.16.51-3 | i386
uinput-modules-3.16.0-4-686-pae-di | 3.16.51-3 | i386
usb-modules-3.16.0-4-586-di | 3.16.51-3 | i386
usb-modules-3.16.0-4-686-pae-di | 3.16.51-3 | i386
usb-serial-modules-3.16.0-4-586-di | 3.16.51-3 | i386
usb-serial-modules-3.16.0-4-686-pae-di | 3.16.51-3 | i386
usb-storage-modules-3.16.0-4-586-di | 3.16.51-3 | i386
usb-storage-modules-3.16.0-4-686-pae-di | 3.16.51-3 | i386
virtio-modules-3.16.0-4-586-di | 3.16.51-3 | i386
virtio-modules-3.16.0-4-686-pae-di | 3.16.51-3 | i386
xfs-modules-3.16.0-4-586-di | 3.16.51-3 | i386
xfs-modules-3.16.0-4-686-pae-di | 3.16.51-3 | i386

------------------- Reason -------------------
[auto-cruft] NBS (no longer built by linux)
----------------------------------------------

=========================================================================

=========================================================================
[Date: Sat, 23 Jun 2018 09:17:51 +0000] [ftpmaster: Archive Administrator]
Removed the following packages from oldstable:

affs-modules-3.16.0-4-octeon-di | 3.16.51-3 | mips
btrfs-modules-3.16.0-4-octeon-di | 3.16.51-3 | mips
btrfs-modules-3.16.0-4-r4k-ip22-di | 3.16.51-3 | mips
btrfs-modules-3.16.0-4-r5k-ip32-di | 3.16.51-3 | mips
cdrom-core-modules-3.16.0-4-octeon-di | 3.16.51-3 | mips
crc-modules-3.16.0-4-octeon-di | 3.16.51-3 | mips
crc-modules-3.16.0-4-r4k-ip22-di | 3.16.51-3 | mips
crc-modules-3.16.0-4-r5k-ip32-di | 3.16.51-3 | mips
crypto-dm-modules-3.16.0-4-octeon-di | 3.16.51-3 | mips
crypto-dm-modules-3.16.0-4-r4k-ip22-di | 3.16.51-3 | mips
crypto-dm-modules-3.16.0-4-r5k-ip32-di | 3.16.51-3 | mips
crypto-modules-3.16.0-4-octeon-di | 3.16.51-3 | mips
crypto-modules-3.16.0-4-r4k-ip22-di | 3.16.51-3 | mips
crypto-modules-3.16.0-4-r5k-ip32-di | 3.16.51-3 | mips
event-modules-3.16.0-4-octeon-di | 3.16.51-3 | mips
fat-modules-3.16.0-4-octeon-di | 3.16.51-3 | mips
fuse-modules-3.16.0-4-octeon-di | 3.16.51-3 | mips
fuse-modules-3.16.0-4-r4k-ip22-di | 3.16.51-3 | mips
fuse-modules-3.16.0-4-r5k-ip32-di | 3.16.51-3 | mips
hfs-modules-3.16.0-4-octeon-di | 3.16.51-3 | mips
input-modules-3.16.0-4-octeon-di | 3.16.51-3 | mips
isofs-modules-3.16.0-4-octeon-di | 3.16.51-3 | mips
isofs-modules-3.16.0-4-r4k-ip22-di | 3.16.51-3 | mips
isofs-modules-3.16.0-4-r5k-ip32-di | 3.16.51-3 | mips
jfs-modules-3.16.0-4-octeon-di | 3.16.51-3 | mips
jfs-modules-3.16.0-4-r4k-ip22-di | 3.16.51-3 | mips
jfs-modules-3.16.0-4-r5k-ip32-di | 3.16.51-3 | mips
kernel-image-3.16.0-4-octeon-di | 3.16.51-3 | mips
kernel-image-3.16.0-4-r4k-ip22-di | 3.16.51-3 | mips
kernel-image-3.16.0-4-r5k-ip32-di | 3.16.51-3 | mips
linux-headers-3.16.0-4-all-mips | 3.16.51-3 | mips
linux-headers-3.16.0-4-octeon | 3.16.51-3 | mips
linux-headers-3.16.0-4-r4k-ip22 | 3.16.51-3 | mips
linux-headers-3.16.0-4-r5k-ip32 | 3.16.51-3 | mips
linux-image-3.16.0-4-octeon | 3.16.51-3 | mips
linux-image-3.16.0-4-r4k-ip22 | 3.16.51-3 | mips
linux-image-3.16.0-4-r5k-ip32 | 3.16.51-3 | mips
loop-modules-3.16.0-4-octeon-di | 3.16.51-3 | mips
loop-modules-3.16.0-4-r4k-ip22-di | 3.16.51-3 | mips
loop-modules-3.16.0-4-r5k-ip32-di | 3.16.51-3 | mips
md-modules-3.16.0-4-octeon-di | 3.16.51-3 | mips
md-modules-3.16.0-4-r4k-ip22-di | 3.16.51-3 | mips
md-modules-3.16.0-4-r5k-ip32-di | 3.16.51-3 | mips
minix-modules-3.16.0-4-octeon-di | 3.16.51-3 | mips
multipath-modules-3.16.0-4-octeon-di | 3.16.51-3 | mips
multipath-modules-3.16.0-4-r4k-ip22-di | 3.16.51-3 | mips
multipath-modules-3.16.0-4-r5k-ip32-di | 3.16.51-3 | mips
nbd-modules-3.16.0-4-octeon-di | 3.16.51-3 | mips
nbd-modules-3.16.0-4-r4k-ip22-di | 3.16.51-3 | mips
nbd-modules-3.16.0-4-r5k-ip32-di | 3.16.51-3 | mips
nic-modules-3.16.0-4-octeon-di | 3.16.51-3 | mips
nic-shared-modules-3.16.0-4-octeon-di | 3.16.51-3 | mips
nic-shared-modules-3.16.0-4-r4k-ip22-di | 3.16.51-3 | mips
nic-shared-modules-3.16.0-4-r5k-ip32-di | 3.16.51-3 | mips
nic-usb-modules-3.16.0-4-octeon-di | 3.16.51-3 | mips
nic-wireless-modules-3.16.0-4-octeon-di | 3.16.51-3 | mips
ntfs-modules-3.16.0-4-octeon-di | 3.16.51-3 | mips
pata-modules-3.16.0-4-octeon-di | 3.16.51-3 | mips
ppp-modules-3.16.0-4-octeon-di | 3.16.51-3 | mips
rtc-modules-3.16.0-4-octeon-di | 3.16.51-3 | mips
sata-modules-3.16.0-4-octeon-di | 3.16.51-3 | mips
scsi-common-modules-3.16.0-4-octeon-di | 3.16.51-3 | mips
scsi-core-modules-3.16.0-4-octeon-di | 3.16.51-3 | mips
scsi-extra-modules-3.16.0-4-octeon-di | 3.16.51-3 | mips
scsi-modules-3.16.0-4-octeon-di | 3.16.51-3 | mips
sound-modules-3.16.0-4-octeon-di | 3.16.51-3 | mips
squashfs-modules-3.16.0-4-octeon-di | 3.16.51-3 | mips
squashfs-modules-3.16.0-4-r4k-ip22-di | 3.16.51-3 | mips
squashfs-modules-3.16.0-4-r5k-ip32-di | 3.16.51-3 | mips
udf-modules-3.16.0-4-octeon-di | 3.16.51-3 | mips
udf-modules-3.16.0-4-r4k-ip22-di | 3.16.51-3 | mips
udf-modules-3.16.0-4-r5k-ip32-di | 3.16.51-3 | mips
usb-modules-3.16.0-4-octeon-di | 3.16.51-3 | mips
usb-serial-modules-3.16.0-4-octeon-di | 3.16.51-3 | mips
usb-storage-modules-3.16.0-4-octeon-di | 3.16.51-3 | mips
virtio-modules-3.16.0-4-octeon-di | 3.16.51-3 | mips
xfs-modules-3.16.0-4-octeon-di | 3.16.51-3 | mips
xfs-modules-3.16.0-4-r4k-ip22-di | 3.16.51-3 | mips
xfs-modules-3.16.0-4-r5k-ip32-di | 3.16.51-3 | mips
zlib-modules-3.16.0-4-octeon-di | 3.16.51-3 | mips
zlib-modules-3.16.0-4-r4k-ip22-di | 3.16.51-3 | mips
zlib-modules-3.16.0-4-r5k-ip32-di | 3.16.51-3 | mips

------------------- Reason -------------------
[auto-cruft] NBS (no longer built by linux)
----------------------------------------------

=========================================================================

=========================================================================
[Date: Sat, 23 Jun 2018 09:18:03 +0000] [ftpmaster: Archive Administrator]
Removed the following packages from oldstable:

affs-modules-3.16.0-4-4kc-malta-di | 3.16.51-3 | mips, mipsel
affs-modules-3.16.0-4-sb1-bcm91250a-di | 3.16.51-3 | mips, mipsel
ata-modules-3.16.0-4-sb1-bcm91250a-di | 3.16.51-3 | mips, mipsel
btrfs-modules-3.16.0-4-4kc-malta-di | 3.16.51-3 | mips, mipsel
btrfs-modules-3.16.0-4-sb1-bcm91250a-di | 3.16.51-3 | mips, mipsel
cdrom-core-modules-3.16.0-4-4kc-malta-di | 3.16.51-3 | mips, mipsel
cdrom-core-modules-3.16.0-4-sb1-bcm91250a-di | 3.16.51-3 | mips, mipsel
crc-modules-3.16.0-4-4kc-malta-di | 3.16.51-3 | mips, mipsel
crc-modules-3.16.0-4-sb1-bcm91250a-di | 3.16.51-3 | mips, mipsel
crypto-dm-modules-3.16.0-4-4kc-malta-di | 3.16.51-3 | mips, mipsel
crypto-dm-modules-3.16.0-4-sb1-bcm91250a-di | 3.16.51-3 | mips, mipsel
crypto-modules-3.16.0-4-4kc-malta-di | 3.16.51-3 | mips, mipsel
crypto-modules-3.16.0-4-sb1-bcm91250a-di | 3.16.51-3 | mips, mipsel
event-modules-3.16.0-4-4kc-malta-di | 3.16.51-3 | mips, mipsel
event-modules-3.16.0-4-sb1-bcm91250a-di | 3.16.51-3 | mips, mipsel
fat-modules-3.16.0-4-4kc-malta-di | 3.16.51-3 | mips, mipsel
fat-modules-3.16.0-4-sb1-bcm91250a-di | 3.16.51-3 | mips, mipsel
fuse-modules-3.16.0-4-4kc-malta-di | 3.16.51-3 | mips, mipsel
fuse-modules-3.16.0-4-sb1-bcm91250a-di | 3.16.51-3 | mips, mipsel
hfs-modules-3.16.0-4-4kc-malta-di | 3.16.51-3 | mips, mipsel
hfs-modules-3.16.0-4-sb1-bcm91250a-di | 3.16.51-3 | mips, mipsel
i2c-modules-3.16.0-4-4kc-malta-di | 3.16.51-3 | mips, mipsel
i2c-modules-3.16.0-4-sb1-bcm91250a-di | 3.16.51-3 | mips, mipsel
input-modules-3.16.0-4-4kc-malta-di | 3.16.51-3 | mips, mipsel
input-modules-3.16.0-4-sb1-bcm91250a-di | 3.16.51-3 | mips, mipsel
isofs-modules-3.16.0-4-4kc-malta-di | 3.16.51-3 | mips, mipsel
isofs-modules-3.16.0-4-sb1-bcm91250a-di | 3.16.51-3 | mips, mipsel
jfs-modules-3.16.0-4-4kc-malta-di | 3.16.51-3 | mips, mipsel
jfs-modules-3.16.0-4-sb1-bcm91250a-di | 3.16.51-3 | mips, mipsel
kernel-image-3.16.0-4-4kc-malta-di | 3.16.51-3 | mips, mipsel
kernel-image-3.16.0-4-sb1-bcm91250a-di | 3.16.51-3 | mips, mipsel
linux-headers-3.16.0-4-4kc-malta | 3.16.51-3 | mips, mipsel
linux-headers-3.16.0-4-5kc-malta | 3.16.51-3 | mips, mipsel
linux-headers-3.16.0-4-sb1-bcm91250a | 3.16.51-3 | mips, mipsel
linux-image-3.16.0-4-4kc-malta | 3.16.51-3 | mips, mipsel
linux-image-3.16.0-4-5kc-malta | 3.16.51-3 | mips, mipsel
linux-image-3.16.0-4-sb1-bcm91250a | 3.16.51-3 | mips, mipsel
loop-modules-3.16.0-4-4kc-malta-di | 3.16.51-3 | mips, mipsel
loop-modules-3.16.0-4-sb1-bcm91250a-di | 3.16.51-3 | mips, mipsel
md-modules-3.16.0-4-4kc-malta-di | 3.16.51-3 | mips, mipsel
md-modules-3.16.0-4-sb1-bcm91250a-di | 3.16.51-3 | mips, mipsel
minix-modules-3.16.0-4-4kc-malta-di | 3.16.51-3 | mips, mipsel
minix-modules-3.16.0-4-sb1-bcm91250a-di | 3.16.51-3 | mips, mipsel
mmc-core-modules-3.16.0-4-4kc-malta-di | 3.16.51-3 | mips, mipsel
mmc-modules-3.16.0-4-4kc-malta-di | 3.16.51-3 | mips, mipsel
mouse-modules-3.16.0-4-4kc-malta-di | 3.16.51-3 | mips, mipsel
multipath-modules-3.16.0-4-4kc-malta-di | 3.16.51-3 | mips, mipsel
multipath-modules-3.16.0-4-sb1-bcm91250a-di | 3.16.51-3 | mips, mipsel
nbd-modules-3.16.0-4-4kc-malta-di | 3.16.51-3 | mips, mipsel
nbd-modules-3.16.0-4-sb1-bcm91250a-di | 3.16.51-3 | mips, mipsel
nic-modules-3.16.0-4-4kc-malta-di | 3.16.51-3 | mips, mipsel
nic-modules-3.16.0-4-sb1-bcm91250a-di | 3.16.51-3 | mips, mipsel
nic-shared-modules-3.16.0-4-4kc-malta-di | 3.16.51-3 | mips, mipsel
nic-shared-modules-3.16.0-4-sb1-bcm91250a-di | 3.16.51-3 | mips, mipsel
nic-usb-modules-3.16.0-4-4kc-malta-di | 3.16.51-3 | mips, mipsel
nic-usb-modules-3.16.0-4-sb1-bcm91250a-di | 3.16.51-3 | mips, mipsel
nic-wireless-modules-3.16.0-4-4kc-malta-di | 3.16.51-3 | mips, mipsel
nic-wireless-modules-3.16.0-4-sb1-bcm91250a-di | 3.16.51-3 | mips, mipsel
ntfs-modules-3.16.0-4-4kc-malta-di | 3.16.51-3 | mips, mipsel
ntfs-modules-3.16.0-4-sb1-bcm91250a-di | 3.16.51-3 | mips, mipsel
pata-modules-3.16.0-4-4kc-malta-di | 3.16.51-3 | mips, mipsel
pata-modules-3.16.0-4-sb1-bcm91250a-di | 3.16.51-3 | mips, mipsel
ppp-modules-3.16.0-4-4kc-malta-di | 3.16.51-3 | mips, mipsel
ppp-modules-3.16.0-4-sb1-bcm91250a-di | 3.16.51-3 | mips, mipsel
rtc-modules-3.16.0-4-sb1-bcm91250a-di | 3.16.51-3 | mips, mipsel
sata-modules-3.16.0-4-4kc-malta-di | 3.16.51-3 | mips, mipsel
sata-modules-3.16.0-4-sb1-bcm91250a-di | 3.16.51-3 | mips, mipsel
scsi-common-modules-3.16.0-4-4kc-malta-di | 3.16.51-3 | mips, mipsel
scsi-common-modules-3.16.0-4-sb1-bcm91250a-di | 3.16.51-3 | mips, mipsel
scsi-core-modules-3.16.0-4-4kc-malta-di | 3.16.51-3 | mips, mipsel
scsi-core-modules-3.16.0-4-sb1-bcm91250a-di | 3.16.51-3 | mips, mipsel
scsi-extra-modules-3.16.0-4-4kc-malta-di | 3.16.51-3 | mips, mipsel
scsi-extra-modules-3.16.0-4-sb1-bcm91250a-di | 3.16.51-3 | mips, mipsel
scsi-modules-3.16.0-4-4kc-malta-di | 3.16.51-3 | mips, mipsel
scsi-modules-3.16.0-4-sb1-bcm91250a-di | 3.16.51-3 | mips, mipsel
sound-modules-3.16.0-4-4kc-malta-di | 3.16.51-3 | mips, mipsel
sound-modules-3.16.0-4-sb1-bcm91250a-di | 3.16.51-3 | mips, mipsel
squashfs-modules-3.16.0-4-4kc-malta-di | 3.16.51-3 | mips, mipsel
squashfs-modules-3.16.0-4-sb1-bcm91250a-di | 3.16.51-3 | mips, mipsel
udf-modules-3.16.0-4-4kc-malta-di | 3.16.51-3 | mips, mipsel
udf-modules-3.16.0-4-sb1-bcm91250a-di | 3.16.51-3 | mips, mipsel
usb-modules-3.16.0-4-4kc-malta-di | 3.16.51-3 | mips, mipsel usb-modules-3.16.0-4-sb1-bcm91250a-di | 3.16.51-3 | mips, mipsel usb-serial-modules-3.16.0-4-4kc-malta-di | 3.16.51-3 | mips, mipsel usb-serial-modules-3.16.0-4-sb1-bcm91250a-di | 3.16.51-3 | mips, mipsel usb-storage-modules-3.16.0-4-4kc-malta-di | 3.16.51-3 | mips, mipsel usb-storage-modules-3.16.0-4-sb1-bcm91250a-di | 3.16.51-3 | mips, mipsel virtio-modules-3.16.0-4-4kc-malta-di | 3.16.51-3 | mips, mipsel virtio-modules-3.16.0-4-sb1-bcm91250a-di | 3.16.51-3 | mips, mipsel xfs-modules-3.16.0-4-4kc-malta-di | 3.16.51-3 | mips, mipsel xfs-modules-3.16.0-4-sb1-bcm91250a-di | 3.16.51-3 | mips, mipsel zlib-modules-3.16.0-4-4kc-malta-di | 3.16.51-3 | mips, mipsel zlib-modules-3.16.0-4-sb1-bcm91250a-di | 3.16.51-3 | mips, mipsel ------------------- Reason ------------------- [auto-cruft] NBS (no longer built by linux) ---------------------------------------------- ========================================================================= ========================================================================= [Date: Sat, 23 Jun 2018 09:18:11 +0000] [ftpmaster: Archive Administrator] Removed the following packages from oldstable: affs-modules-3.16.0-4-loongson-2e-di | 3.16.51-3 | mipsel affs-modules-3.16.0-4-loongson-2f-di | 3.16.51-3 | mipsel affs-modules-3.16.0-4-loongson-3-di | 3.16.51-3 | mipsel affs-modules-3.16.0-5-4kc-malta-di | 3.16.51-3+deb8u1 | mipsel affs-modules-3.16.0-5-loongson-2e-di | 3.16.51-3+deb8u1 | mipsel affs-modules-3.16.0-5-loongson-2f-di | 3.16.51-3+deb8u1 | mipsel affs-modules-3.16.0-5-loongson-3-di | 3.16.51-3+deb8u1 | mipsel affs-modules-3.16.0-5-sb1-bcm91250a-di | 3.16.51-3+deb8u1 | mipsel ata-modules-3.16.0-4-loongson-2e-di | 3.16.51-3 | mipsel ata-modules-3.16.0-4-loongson-2f-di | 3.16.51-3 | mipsel ata-modules-3.16.0-4-loongson-3-di | 3.16.51-3 | mipsel ata-modules-3.16.0-5-loongson-2e-di | 3.16.51-3+deb8u1 | mipsel ata-modules-3.16.0-5-loongson-2f-di | 3.16.51-3+deb8u1 | mipsel 
ata-modules-3.16.0-5-loongson-3-di | 3.16.51-3+deb8u1 | mipsel ata-modules-3.16.0-5-sb1-bcm91250a-di | 3.16.51-3+deb8u1 | mipsel btrfs-modules-3.16.0-4-loongson-2e-di | 3.16.51-3 | mipsel btrfs-modules-3.16.0-4-loongson-2f-di | 3.16.51-3 | mipsel btrfs-modules-3.16.0-4-loongson-3-di | 3.16.51-3 | mipsel btrfs-modules-3.16.0-5-4kc-malta-di | 3.16.51-3+deb8u1 | mipsel btrfs-modules-3.16.0-5-loongson-2e-di | 3.16.51-3+deb8u1 | mipsel btrfs-modules-3.16.0-5-loongson-2f-di | 3.16.51-3+deb8u1 | mipsel btrfs-modules-3.16.0-5-loongson-3-di | 3.16.51-3+deb8u1 | mipsel btrfs-modules-3.16.0-5-sb1-bcm91250a-di | 3.16.51-3+deb8u1 | mipsel cdrom-core-modules-3.16.0-4-loongson-2e-di | 3.16.51-3 | mipsel cdrom-core-modules-3.16.0-4-loongson-2f-di | 3.16.51-3 | mipsel cdrom-core-modules-3.16.0-4-loongson-3-di | 3.16.51-3 | mipsel cdrom-core-modules-3.16.0-5-4kc-malta-di | 3.16.51-3+deb8u1 | mipsel cdrom-core-modules-3.16.0-5-loongson-2e-di | 3.16.51-3+deb8u1 | mipsel cdrom-core-modules-3.16.0-5-loongson-2f-di | 3.16.51-3+deb8u1 | mipsel cdrom-core-modules-3.16.0-5-loongson-3-di | 3.16.51-3+deb8u1 | mipsel cdrom-core-modules-3.16.0-5-sb1-bcm91250a-di | 3.16.51-3+deb8u1 | mipsel crc-modules-3.16.0-4-loongson-2e-di | 3.16.51-3 | mipsel crc-modules-3.16.0-4-loongson-2f-di | 3.16.51-3 | mipsel crc-modules-3.16.0-4-loongson-3-di | 3.16.51-3 | mipsel crc-modules-3.16.0-5-4kc-malta-di | 3.16.51-3+deb8u1 | mipsel crc-modules-3.16.0-5-loongson-2e-di | 3.16.51-3+deb8u1 | mipsel crc-modules-3.16.0-5-loongson-2f-di | 3.16.51-3+deb8u1 | mipsel crc-modules-3.16.0-5-loongson-3-di | 3.16.51-3+deb8u1 | mipsel crc-modules-3.16.0-5-sb1-bcm91250a-di | 3.16.51-3+deb8u1 | mipsel crypto-dm-modules-3.16.0-4-loongson-2e-di | 3.16.51-3 | mipsel crypto-dm-modules-3.16.0-4-loongson-2f-di | 3.16.51-3 | mipsel crypto-dm-modules-3.16.0-4-loongson-3-di | 3.16.51-3 | mipsel crypto-dm-modules-3.16.0-5-4kc-malta-di | 3.16.51-3+deb8u1 | mipsel crypto-dm-modules-3.16.0-5-loongson-2e-di | 3.16.51-3+deb8u1 | mipsel 
crypto-dm-modules-3.16.0-5-loongson-2f-di | 3.16.51-3+deb8u1 | mipsel crypto-dm-modules-3.16.0-5-loongson-3-di | 3.16.51-3+deb8u1 | mipsel crypto-dm-modules-3.16.0-5-sb1-bcm91250a-di | 3.16.51-3+deb8u1 | mipsel crypto-modules-3.16.0-4-loongson-2e-di | 3.16.51-3 | mipsel crypto-modules-3.16.0-4-loongson-2f-di | 3.16.51-3 | mipsel crypto-modules-3.16.0-4-loongson-3-di | 3.16.51-3 | mipsel crypto-modules-3.16.0-5-4kc-malta-di | 3.16.51-3+deb8u1 | mipsel crypto-modules-3.16.0-5-loongson-2e-di | 3.16.51-3+deb8u1 | mipsel crypto-modules-3.16.0-5-loongson-2f-di | 3.16.51-3+deb8u1 | mipsel crypto-modules-3.16.0-5-loongson-3-di | 3.16.51-3+deb8u1 | mipsel crypto-modules-3.16.0-5-sb1-bcm91250a-di | 3.16.51-3+deb8u1 | mipsel event-modules-3.16.0-4-loongson-2e-di | 3.16.51-3 | mipsel event-modules-3.16.0-4-loongson-2f-di | 3.16.51-3 | mipsel event-modules-3.16.0-4-loongson-3-di | 3.16.51-3 | mipsel event-modules-3.16.0-5-4kc-malta-di | 3.16.51-3+deb8u1 | mipsel event-modules-3.16.0-5-loongson-2e-di | 3.16.51-3+deb8u1 | mipsel event-modules-3.16.0-5-loongson-2f-di | 3.16.51-3+deb8u1 | mipsel event-modules-3.16.0-5-loongson-3-di | 3.16.51-3+deb8u1 | mipsel event-modules-3.16.0-5-sb1-bcm91250a-di | 3.16.51-3+deb8u1 | mipsel fat-modules-3.16.0-4-loongson-2e-di | 3.16.51-3 | mipsel fat-modules-3.16.0-4-loongson-2f-di | 3.16.51-3 | mipsel fat-modules-3.16.0-4-loongson-3-di | 3.16.51-3 | mipsel fat-modules-3.16.0-5-4kc-malta-di | 3.16.51-3+deb8u1 | mipsel fat-modules-3.16.0-5-loongson-2e-di | 3.16.51-3+deb8u1 | mipsel fat-modules-3.16.0-5-loongson-2f-di | 3.16.51-3+deb8u1 | mipsel fat-modules-3.16.0-5-loongson-3-di | 3.16.51-3+deb8u1 | mipsel fat-modules-3.16.0-5-sb1-bcm91250a-di | 3.16.51-3+deb8u1 | mipsel firewire-core-modules-3.16.0-4-loongson-2e-di | 3.16.51-3 | mipsel firewire-core-modules-3.16.0-4-loongson-2f-di | 3.16.51-3 | mipsel firewire-core-modules-3.16.0-4-loongson-3-di | 3.16.51-3 | mipsel firewire-core-modules-3.16.0-5-loongson-2e-di | 3.16.51-3+deb8u1 | mipsel 
firewire-core-modules-3.16.0-5-loongson-2f-di | 3.16.51-3+deb8u1 | mipsel firewire-core-modules-3.16.0-5-loongson-3-di | 3.16.51-3+deb8u1 | mipsel fuse-modules-3.16.0-4-loongson-2e-di | 3.16.51-3 | mipsel fuse-modules-3.16.0-4-loongson-2f-di | 3.16.51-3 | mipsel fuse-modules-3.16.0-4-loongson-3-di | 3.16.51-3 | mipsel fuse-modules-3.16.0-5-4kc-malta-di | 3.16.51-3+deb8u1 | mipsel fuse-modules-3.16.0-5-loongson-2e-di | 3.16.51-3+deb8u1 | mipsel fuse-modules-3.16.0-5-loongson-2f-di | 3.16.51-3+deb8u1 | mipsel fuse-modules-3.16.0-5-loongson-3-di | 3.16.51-3+deb8u1 | mipsel fuse-modules-3.16.0-5-sb1-bcm91250a-di | 3.16.51-3+deb8u1 | mipsel hfs-modules-3.16.0-4-loongson-2e-di | 3.16.51-3 | mipsel hfs-modules-3.16.0-4-loongson-2f-di | 3.16.51-3 | mipsel hfs-modules-3.16.0-4-loongson-3-di | 3.16.51-3 | mipsel hfs-modules-3.16.0-5-4kc-malta-di | 3.16.51-3+deb8u1 | mipsel hfs-modules-3.16.0-5-loongson-2e-di | 3.16.51-3+deb8u1 | mipsel hfs-modules-3.16.0-5-loongson-2f-di | 3.16.51-3+deb8u1 | mipsel hfs-modules-3.16.0-5-loongson-3-di | 3.16.51-3+deb8u1 | mipsel hfs-modules-3.16.0-5-sb1-bcm91250a-di | 3.16.51-3+deb8u1 | mipsel i2c-modules-3.16.0-5-4kc-malta-di | 3.16.51-3+deb8u1 | mipsel i2c-modules-3.16.0-5-sb1-bcm91250a-di | 3.16.51-3+deb8u1 | mipsel input-modules-3.16.0-4-loongson-2e-di | 3.16.51-3 | mipsel input-modules-3.16.0-4-loongson-2f-di | 3.16.51-3 | mipsel input-modules-3.16.0-4-loongson-3-di | 3.16.51-3 | mipsel input-modules-3.16.0-5-4kc-malta-di | 3.16.51-3+deb8u1 | mipsel input-modules-3.16.0-5-loongson-2e-di | 3.16.51-3+deb8u1 | mipsel input-modules-3.16.0-5-loongson-2f-di | 3.16.51-3+deb8u1 | mipsel input-modules-3.16.0-5-loongson-3-di | 3.16.51-3+deb8u1 | mipsel input-modules-3.16.0-5-sb1-bcm91250a-di | 3.16.51-3+deb8u1 | mipsel isofs-modules-3.16.0-4-loongson-2e-di | 3.16.51-3 | mipsel isofs-modules-3.16.0-4-loongson-2f-di | 3.16.51-3 | mipsel isofs-modules-3.16.0-4-loongson-3-di | 3.16.51-3 | mipsel isofs-modules-3.16.0-5-4kc-malta-di | 3.16.51-3+deb8u1 | 
mipsel isofs-modules-3.16.0-5-loongson-2e-di | 3.16.51-3+deb8u1 | mipsel isofs-modules-3.16.0-5-loongson-2f-di | 3.16.51-3+deb8u1 | mipsel isofs-modules-3.16.0-5-loongson-3-di | 3.16.51-3+deb8u1 | mipsel isofs-modules-3.16.0-5-sb1-bcm91250a-di | 3.16.51-3+deb8u1 | mipsel jfs-modules-3.16.0-4-loongson-2e-di | 3.16.51-3 | mipsel jfs-modules-3.16.0-4-loongson-2f-di | 3.16.51-3 | mipsel jfs-modules-3.16.0-4-loongson-3-di | 3.16.51-3 | mipsel jfs-modules-3.16.0-5-4kc-malta-di | 3.16.51-3+deb8u1 | mipsel jfs-modules-3.16.0-5-loongson-2e-di | 3.16.51-3+deb8u1 | mipsel jfs-modules-3.16.0-5-loongson-2f-di | 3.16.51-3+deb8u1 | mipsel jfs-modules-3.16.0-5-loongson-3-di | 3.16.51-3+deb8u1 | mipsel jfs-modules-3.16.0-5-sb1-bcm91250a-di | 3.16.51-3+deb8u1 | mipsel kernel-image-3.16.0-4-loongson-2e-di | 3.16.51-3 | mipsel kernel-image-3.16.0-4-loongson-2f-di | 3.16.51-3 | mipsel kernel-image-3.16.0-4-loongson-3-di | 3.16.51-3 | mipsel kernel-image-3.16.0-5-4kc-malta-di | 3.16.51-3+deb8u1 | mipsel kernel-image-3.16.0-5-loongson-2e-di | 3.16.51-3+deb8u1 | mipsel kernel-image-3.16.0-5-loongson-2f-di | 3.16.51-3+deb8u1 | mipsel kernel-image-3.16.0-5-loongson-3-di | 3.16.51-3+deb8u1 | mipsel kernel-image-3.16.0-5-sb1-bcm91250a-di | 3.16.51-3+deb8u1 | mipsel linux-headers-3.16.0-4-all-mipsel | 3.16.51-3 | mipsel linux-headers-3.16.0-4-loongson-2e | 3.16.51-3 | mipsel linux-headers-3.16.0-4-loongson-2f | 3.16.51-3 | mipsel linux-headers-3.16.0-4-loongson-3 | 3.16.51-3 | mipsel linux-headers-3.16.0-5-4kc-malta | 3.16.51-3+deb8u1 | mipsel linux-headers-3.16.0-5-5kc-malta | 3.16.51-3+deb8u1 | mipsel linux-headers-3.16.0-5-all-mipsel | 3.16.51-3+deb8u1 | mipsel linux-headers-3.16.0-5-loongson-2e | 3.16.51-3+deb8u1 | mipsel linux-headers-3.16.0-5-loongson-2f | 3.16.51-3+deb8u1 | mipsel linux-headers-3.16.0-5-loongson-3 | 3.16.51-3+deb8u1 | mipsel linux-headers-3.16.0-5-sb1-bcm91250a | 3.16.51-3+deb8u1 | mipsel linux-image-3.16.0-4-loongson-2e | 3.16.51-3 | mipsel 
linux-image-3.16.0-4-loongson-2f | 3.16.51-3 | mipsel linux-image-3.16.0-4-loongson-3 | 3.16.51-3 | mipsel linux-image-3.16.0-5-4kc-malta | 3.16.51-3+deb8u1 | mipsel linux-image-3.16.0-5-5kc-malta | 3.16.51-3+deb8u1 | mipsel linux-image-3.16.0-5-loongson-2e | 3.16.51-3+deb8u1 | mipsel linux-image-3.16.0-5-loongson-2f | 3.16.51-3+deb8u1 | mipsel linux-image-3.16.0-5-loongson-3 | 3.16.51-3+deb8u1 | mipsel linux-image-3.16.0-5-sb1-bcm91250a | 3.16.51-3+deb8u1 | mipsel loop-modules-3.16.0-4-loongson-2e-di | 3.16.51-3 | mipsel loop-modules-3.16.0-4-loongson-2f-di | 3.16.51-3 | mipsel loop-modules-3.16.0-4-loongson-3-di | 3.16.51-3 | mipsel loop-modules-3.16.0-5-4kc-malta-di | 3.16.51-3+deb8u1 | mipsel loop-modules-3.16.0-5-loongson-2e-di | 3.16.51-3+deb8u1 | mipsel loop-modules-3.16.0-5-loongson-2f-di | 3.16.51-3+deb8u1 | mipsel loop-modules-3.16.0-5-loongson-3-di | 3.16.51-3+deb8u1 | mipsel loop-modules-3.16.0-5-sb1-bcm91250a-di | 3.16.51-3+deb8u1 | mipsel md-modules-3.16.0-4-loongson-2e-di | 3.16.51-3 | mipsel md-modules-3.16.0-4-loongson-2f-di | 3.16.51-3 | mipsel md-modules-3.16.0-4-loongson-3-di | 3.16.51-3 | mipsel md-modules-3.16.0-5-4kc-malta-di | 3.16.51-3+deb8u1 | mipsel md-modules-3.16.0-5-loongson-2e-di | 3.16.51-3+deb8u1 | mipsel md-modules-3.16.0-5-loongson-2f-di | 3.16.51-3+deb8u1 | mipsel md-modules-3.16.0-5-loongson-3-di | 3.16.51-3+deb8u1 | mipsel md-modules-3.16.0-5-sb1-bcm91250a-di | 3.16.51-3+deb8u1 | mipsel minix-modules-3.16.0-4-loongson-2e-di | 3.16.51-3 | mipsel minix-modules-3.16.0-4-loongson-2f-di | 3.16.51-3 | mipsel minix-modules-3.16.0-4-loongson-3-di | 3.16.51-3 | mipsel minix-modules-3.16.0-5-4kc-malta-di | 3.16.51-3+deb8u1 | mipsel minix-modules-3.16.0-5-loongson-2e-di | 3.16.51-3+deb8u1 | mipsel minix-modules-3.16.0-5-loongson-2f-di | 3.16.51-3+deb8u1 | mipsel minix-modules-3.16.0-5-loongson-3-di | 3.16.51-3+deb8u1 | mipsel minix-modules-3.16.0-5-sb1-bcm91250a-di | 3.16.51-3+deb8u1 | mipsel mmc-core-modules-3.16.0-5-4kc-malta-di | 
3.16.51-3+deb8u1 | mipsel mmc-modules-3.16.0-5-4kc-malta-di | 3.16.51-3+deb8u1 | mipsel mouse-modules-3.16.0-5-4kc-malta-di | 3.16.51-3+deb8u1 | mipsel multipath-modules-3.16.0-4-loongson-2e-di | 3.16.51-3 | mipsel multipath-modules-3.16.0-4-loongson-2f-di | 3.16.51-3 | mipsel multipath-modules-3.16.0-4-loongson-3-di | 3.16.51-3 | mipsel multipath-modules-3.16.0-5-4kc-malta-di | 3.16.51-3+deb8u1 | mipsel multipath-modules-3.16.0-5-loongson-2e-di | 3.16.51-3+deb8u1 | mipsel multipath-modules-3.16.0-5-loongson-2f-di | 3.16.51-3+deb8u1 | mipsel multipath-modules-3.16.0-5-loongson-3-di | 3.16.51-3+deb8u1 | mipsel multipath-modules-3.16.0-5-sb1-bcm91250a-di | 3.16.51-3+deb8u1 | mipsel nbd-modules-3.16.0-4-loongson-2e-di | 3.16.51-3 | mipsel nbd-modules-3.16.0-4-loongson-2f-di | 3.16.51-3 | mipsel nbd-modules-3.16.0-4-loongson-3-di | 3.16.51-3 | mipsel nbd-modules-3.16.0-5-4kc-malta-di | 3.16.51-3+deb8u1 | mipsel nbd-modules-3.16.0-5-loongson-2e-di | 3.16.51-3+deb8u1 | mipsel nbd-modules-3.16.0-5-loongson-2f-di | 3.16.51-3+deb8u1 | mipsel nbd-modules-3.16.0-5-loongson-3-di | 3.16.51-3+deb8u1 | mipsel nbd-modules-3.16.0-5-sb1-bcm91250a-di | 3.16.51-3+deb8u1 | mipsel nfs-modules-3.16.0-4-loongson-2e-di | 3.16.51-3 | mipsel nfs-modules-3.16.0-4-loongson-2f-di | 3.16.51-3 | mipsel nfs-modules-3.16.0-4-loongson-3-di | 3.16.51-3 | mipsel nfs-modules-3.16.0-5-loongson-2e-di | 3.16.51-3+deb8u1 | mipsel nfs-modules-3.16.0-5-loongson-2f-di | 3.16.51-3+deb8u1 | mipsel nfs-modules-3.16.0-5-loongson-3-di | 3.16.51-3+deb8u1 | mipsel nic-modules-3.16.0-4-loongson-2e-di | 3.16.51-3 | mipsel nic-modules-3.16.0-4-loongson-2f-di | 3.16.51-3 | mipsel nic-modules-3.16.0-4-loongson-3-di | 3.16.51-3 | mipsel nic-modules-3.16.0-5-4kc-malta-di | 3.16.51-3+deb8u1 | mipsel nic-modules-3.16.0-5-loongson-2e-di | 3.16.51-3+deb8u1 | mipsel nic-modules-3.16.0-5-loongson-2f-di | 3.16.51-3+deb8u1 | mipsel nic-modules-3.16.0-5-loongson-3-di | 3.16.51-3+deb8u1 | mipsel nic-modules-3.16.0-5-sb1-bcm91250a-di 
| 3.16.51-3+deb8u1 | mipsel nic-shared-modules-3.16.0-4-loongson-2e-di | 3.16.51-3 | mipsel nic-shared-modules-3.16.0-4-loongson-2f-di | 3.16.51-3 | mipsel nic-shared-modules-3.16.0-4-loongson-3-di | 3.16.51-3 | mipsel nic-shared-modules-3.16.0-5-4kc-malta-di | 3.16.51-3+deb8u1 | mipsel nic-shared-modules-3.16.0-5-loongson-2e-di | 3.16.51-3+deb8u1 | mipsel nic-shared-modules-3.16.0-5-loongson-2f-di | 3.16.51-3+deb8u1 | mipsel nic-shared-modules-3.16.0-5-loongson-3-di | 3.16.51-3+deb8u1 | mipsel nic-shared-modules-3.16.0-5-sb1-bcm91250a-di | 3.16.51-3+deb8u1 | mipsel nic-usb-modules-3.16.0-4-loongson-2e-di | 3.16.51-3 | mipsel nic-usb-modules-3.16.0-4-loongson-2f-di | 3.16.51-3 | mipsel nic-usb-modules-3.16.0-4-loongson-3-di | 3.16.51-3 | mipsel nic-usb-modules-3.16.0-5-4kc-malta-di | 3.16.51-3+deb8u1 | mipsel nic-usb-modules-3.16.0-5-loongson-2e-di | 3.16.51-3+deb8u1 | mipsel nic-usb-modules-3.16.0-5-loongson-2f-di | 3.16.51-3+deb8u1 | mipsel nic-usb-modules-3.16.0-5-loongson-3-di | 3.16.51-3+deb8u1 | mipsel nic-usb-modules-3.16.0-5-sb1-bcm91250a-di | 3.16.51-3+deb8u1 | mipsel nic-wireless-modules-3.16.0-4-loongson-2e-di | 3.16.51-3 | mipsel nic-wireless-modules-3.16.0-4-loongson-2f-di | 3.16.51-3 | mipsel nic-wireless-modules-3.16.0-4-loongson-3-di | 3.16.51-3 | mipsel nic-wireless-modules-3.16.0-5-4kc-malta-di | 3.16.51-3+deb8u1 | mipsel nic-wireless-modules-3.16.0-5-loongson-2e-di | 3.16.51-3+deb8u1 | mipsel nic-wireless-modules-3.16.0-5-loongson-2f-di | 3.16.51-3+deb8u1 | mipsel nic-wireless-modules-3.16.0-5-loongson-3-di | 3.16.51-3+deb8u1 | mipsel nic-wireless-modules-3.16.0-5-sb1-bcm91250a-di | 3.16.51-3+deb8u1 | mipsel ntfs-modules-3.16.0-4-loongson-2e-di | 3.16.51-3 | mipsel ntfs-modules-3.16.0-4-loongson-2f-di | 3.16.51-3 | mipsel ntfs-modules-3.16.0-4-loongson-3-di | 3.16.51-3 | mipsel ntfs-modules-3.16.0-5-4kc-malta-di | 3.16.51-3+deb8u1 | mipsel ntfs-modules-3.16.0-5-loongson-2e-di | 3.16.51-3+deb8u1 | mipsel ntfs-modules-3.16.0-5-loongson-2f-di | 
3.16.51-3+deb8u1 | mipsel ntfs-modules-3.16.0-5-loongson-3-di | 3.16.51-3+deb8u1 | mipsel ntfs-modules-3.16.0-5-sb1-bcm91250a-di | 3.16.51-3+deb8u1 | mipsel pata-modules-3.16.0-4-loongson-2e-di | 3.16.51-3 | mipsel pata-modules-3.16.0-4-loongson-2f-di | 3.16.51-3 | mipsel pata-modules-3.16.0-4-loongson-3-di | 3.16.51-3 | mipsel pata-modules-3.16.0-5-4kc-malta-di | 3.16.51-3+deb8u1 | mipsel pata-modules-3.16.0-5-loongson-2e-di | 3.16.51-3+deb8u1 | mipsel pata-modules-3.16.0-5-loongson-2f-di | 3.16.51-3+deb8u1 | mipsel pata-modules-3.16.0-5-loongson-3-di | 3.16.51-3+deb8u1 | mipsel pata-modules-3.16.0-5-sb1-bcm91250a-di | 3.16.51-3+deb8u1 | mipsel ppp-modules-3.16.0-4-loongson-2e-di | 3.16.51-3 | mipsel ppp-modules-3.16.0-4-loongson-2f-di | 3.16.51-3 | mipsel ppp-modules-3.16.0-4-loongson-3-di | 3.16.51-3 | mipsel ppp-modules-3.16.0-5-4kc-malta-di | 3.16.51-3+deb8u1 | mipsel ppp-modules-3.16.0-5-loongson-2e-di | 3.16.51-3+deb8u1 | mipsel ppp-modules-3.16.0-5-loongson-2f-di | 3.16.51-3+deb8u1 | mipsel ppp-modules-3.16.0-5-loongson-3-di | 3.16.51-3+deb8u1 | mipsel ppp-modules-3.16.0-5-sb1-bcm91250a-di | 3.16.51-3+deb8u1 | mipsel rtc-modules-3.16.0-5-sb1-bcm91250a-di | 3.16.51-3+deb8u1 | mipsel sata-modules-3.16.0-4-loongson-2e-di | 3.16.51-3 | mipsel sata-modules-3.16.0-4-loongson-2f-di | 3.16.51-3 | mipsel sata-modules-3.16.0-4-loongson-3-di | 3.16.51-3 | mipsel sata-modules-3.16.0-5-4kc-malta-di | 3.16.51-3+deb8u1 | mipsel sata-modules-3.16.0-5-loongson-2e-di | 3.16.51-3+deb8u1 | mipsel sata-modules-3.16.0-5-loongson-2f-di | 3.16.51-3+deb8u1 | mipsel sata-modules-3.16.0-5-loongson-3-di | 3.16.51-3+deb8u1 | mipsel sata-modules-3.16.0-5-sb1-bcm91250a-di | 3.16.51-3+deb8u1 | mipsel scsi-common-modules-3.16.0-4-loongson-2e-di | 3.16.51-3 | mipsel scsi-common-modules-3.16.0-4-loongson-2f-di | 3.16.51-3 | mipsel scsi-common-modules-3.16.0-4-loongson-3-di | 3.16.51-3 | mipsel scsi-common-modules-3.16.0-5-4kc-malta-di | 3.16.51-3+deb8u1 | mipsel 
scsi-common-modules-3.16.0-5-loongson-2e-di | 3.16.51-3+deb8u1 | mipsel scsi-common-modules-3.16.0-5-loongson-2f-di | 3.16.51-3+deb8u1 | mipsel scsi-common-modules-3.16.0-5-loongson-3-di | 3.16.51-3+deb8u1 | mipsel scsi-common-modules-3.16.0-5-sb1-bcm91250a-di | 3.16.51-3+deb8u1 | mipsel scsi-core-modules-3.16.0-4-loongson-2e-di | 3.16.51-3 | mipsel scsi-core-modules-3.16.0-4-loongson-2f-di | 3.16.51-3 | mipsel scsi-core-modules-3.16.0-4-loongson-3-di | 3.16.51-3 | mipsel scsi-core-modules-3.16.0-5-4kc-malta-di | 3.16.51-3+deb8u1 | mipsel scsi-core-modules-3.16.0-5-loongson-2e-di | 3.16.51-3+deb8u1 | mipsel scsi-core-modules-3.16.0-5-loongson-2f-di | 3.16.51-3+deb8u1 | mipsel scsi-core-modules-3.16.0-5-loongson-3-di | 3.16.51-3+deb8u1 | mipsel scsi-core-modules-3.16.0-5-sb1-bcm91250a-di | 3.16.51-3+deb8u1 | mipsel scsi-extra-modules-3.16.0-4-loongson-2e-di | 3.16.51-3 | mipsel scsi-extra-modules-3.16.0-4-loongson-2f-di | 3.16.51-3 | mipsel scsi-extra-modules-3.16.0-4-loongson-3-di | 3.16.51-3 | mipsel scsi-extra-modules-3.16.0-5-4kc-malta-di | 3.16.51-3+deb8u1 | mipsel scsi-extra-modules-3.16.0-5-loongson-2e-di | 3.16.51-3+deb8u1 | mipsel scsi-extra-modules-3.16.0-5-loongson-2f-di | 3.16.51-3+deb8u1 | mipsel scsi-extra-modules-3.16.0-5-loongson-3-di | 3.16.51-3+deb8u1 | mipsel scsi-extra-modules-3.16.0-5-sb1-bcm91250a-di | 3.16.51-3+deb8u1 | mipsel scsi-modules-3.16.0-4-loongson-2e-di | 3.16.51-3 | mipsel scsi-modules-3.16.0-4-loongson-2f-di | 3.16.51-3 | mipsel scsi-modules-3.16.0-4-loongson-3-di | 3.16.51-3 | mipsel scsi-modules-3.16.0-5-4kc-malta-di | 3.16.51-3+deb8u1 | mipsel scsi-modules-3.16.0-5-loongson-2e-di | 3.16.51-3+deb8u1 | mipsel scsi-modules-3.16.0-5-loongson-2f-di | 3.16.51-3+deb8u1 | mipsel scsi-modules-3.16.0-5-loongson-3-di | 3.16.51-3+deb8u1 | mipsel scsi-modules-3.16.0-5-sb1-bcm91250a-di | 3.16.51-3+deb8u1 | mipsel sound-modules-3.16.0-4-loongson-2e-di | 3.16.51-3 | mipsel sound-modules-3.16.0-4-loongson-2f-di | 3.16.51-3 | mipsel 
sound-modules-3.16.0-4-loongson-3-di | 3.16.51-3 | mipsel sound-modules-3.16.0-5-4kc-malta-di | 3.16.51-3+deb8u1 | mipsel sound-modules-3.16.0-5-loongson-2e-di | 3.16.51-3+deb8u1 | mipsel sound-modules-3.16.0-5-loongson-2f-di | 3.16.51-3+deb8u1 | mipsel sound-modules-3.16.0-5-loongson-3-di | 3.16.51-3+deb8u1 | mipsel sound-modules-3.16.0-5-sb1-bcm91250a-di | 3.16.51-3+deb8u1 | mipsel speakup-modules-3.16.0-4-loongson-2e-di | 3.16.51-3 | mipsel speakup-modules-3.16.0-4-loongson-2f-di | 3.16.51-3 | mipsel speakup-modules-3.16.0-4-loongson-3-di | 3.16.51-3 | mipsel speakup-modules-3.16.0-5-loongson-2e-di | 3.16.51-3+deb8u1 | mipsel speakup-modules-3.16.0-5-loongson-2f-di | 3.16.51-3+deb8u1 | mipsel speakup-modules-3.16.0-5-loongson-3-di | 3.16.51-3+deb8u1 | mipsel squashfs-modules-3.16.0-4-loongson-2e-di | 3.16.51-3 | mipsel squashfs-modules-3.16.0-4-loongson-2f-di | 3.16.51-3 | mipsel squashfs-modules-3.16.0-4-loongson-3-di | 3.16.51-3 | mipsel squashfs-modules-3.16.0-5-4kc-malta-di | 3.16.51-3+deb8u1 | mipsel squashfs-modules-3.16.0-5-loongson-2e-di | 3.16.51-3+deb8u1 | mipsel squashfs-modules-3.16.0-5-loongson-2f-di | 3.16.51-3+deb8u1 | mipsel squashfs-modules-3.16.0-5-loongson-3-di | 3.16.51-3+deb8u1 | mipsel squashfs-modules-3.16.0-5-sb1-bcm91250a-di | 3.16.51-3+deb8u1 | mipsel udf-modules-3.16.0-4-loongson-2e-di | 3.16.51-3 | mipsel udf-modules-3.16.0-4-loongson-2f-di | 3.16.51-3 | mipsel udf-modules-3.16.0-4-loongson-3-di | 3.16.51-3 | mipsel udf-modules-3.16.0-5-4kc-malta-di | 3.16.51-3+deb8u1 | mipsel udf-modules-3.16.0-5-loongson-2e-di | 3.16.51-3+deb8u1 | mipsel udf-modules-3.16.0-5-loongson-2f-di | 3.16.51-3+deb8u1 | mipsel udf-modules-3.16.0-5-loongson-3-di | 3.16.51-3+deb8u1 | mipsel udf-modules-3.16.0-5-sb1-bcm91250a-di | 3.16.51-3+deb8u1 | mipsel usb-modules-3.16.0-4-loongson-2e-di | 3.16.51-3 | mipsel usb-modules-3.16.0-4-loongson-2f-di | 3.16.51-3 | mipsel usb-modules-3.16.0-4-loongson-3-di | 3.16.51-3 | mipsel usb-modules-3.16.0-5-4kc-malta-di | 
3.16.51-3+deb8u1 | mipsel usb-modules-3.16.0-5-loongson-2e-di | 3.16.51-3+deb8u1 | mipsel usb-modules-3.16.0-5-loongson-2f-di | 3.16.51-3+deb8u1 | mipsel usb-modules-3.16.0-5-loongson-3-di | 3.16.51-3+deb8u1 | mipsel usb-modules-3.16.0-5-sb1-bcm91250a-di | 3.16.51-3+deb8u1 | mipsel usb-serial-modules-3.16.0-4-loongson-2e-di | 3.16.51-3 | mipsel usb-serial-modules-3.16.0-4-loongson-2f-di | 3.16.51-3 | mipsel usb-serial-modules-3.16.0-4-loongson-3-di | 3.16.51-3 | mipsel usb-serial-modules-3.16.0-5-4kc-malta-di | 3.16.51-3+deb8u1 | mipsel usb-serial-modules-3.16.0-5-loongson-2e-di | 3.16.51-3+deb8u1 | mipsel usb-serial-modules-3.16.0-5-loongson-2f-di | 3.16.51-3+deb8u1 | mipsel usb-serial-modules-3.16.0-5-loongson-3-di | 3.16.51-3+deb8u1 | mipsel usb-serial-modules-3.16.0-5-sb1-bcm91250a-di | 3.16.51-3+deb8u1 | mipsel usb-storage-modules-3.16.0-4-loongson-2e-di | 3.16.51-3 | mipsel usb-storage-modules-3.16.0-4-loongson-2f-di | 3.16.51-3 | mipsel usb-storage-modules-3.16.0-4-loongson-3-di | 3.16.51-3 | mipsel usb-storage-modules-3.16.0-5-4kc-malta-di | 3.16.51-3+deb8u1 | mipsel usb-storage-modules-3.16.0-5-loongson-2e-di | 3.16.51-3+deb8u1 | mipsel usb-storage-modules-3.16.0-5-loongson-2f-di | 3.16.51-3+deb8u1 | mipsel usb-storage-modules-3.16.0-5-loongson-3-di | 3.16.51-3+deb8u1 | mipsel usb-storage-modules-3.16.0-5-sb1-bcm91250a-di | 3.16.51-3+deb8u1 | mipsel virtio-modules-3.16.0-4-loongson-2e-di | 3.16.51-3 | mipsel virtio-modules-3.16.0-4-loongson-2f-di | 3.16.51-3 | mipsel virtio-modules-3.16.0-4-loongson-3-di | 3.16.51-3 | mipsel virtio-modules-3.16.0-5-4kc-malta-di | 3.16.51-3+deb8u1 | mipsel virtio-modules-3.16.0-5-loongson-2e-di | 3.16.51-3+deb8u1 | mipsel virtio-modules-3.16.0-5-loongson-2f-di | 3.16.51-3+deb8u1 | mipsel virtio-modules-3.16.0-5-loongson-3-di | 3.16.51-3+deb8u1 | mipsel virtio-modules-3.16.0-5-sb1-bcm91250a-di | 3.16.51-3+deb8u1 | mipsel xfs-modules-3.16.0-4-loongson-2e-di | 3.16.51-3 | mipsel xfs-modules-3.16.0-4-loongson-2f-di | 3.16.51-3 
| mipsel xfs-modules-3.16.0-4-loongson-3-di | 3.16.51-3 | mipsel xfs-modules-3.16.0-5-4kc-malta-di | 3.16.51-3+deb8u1 | mipsel xfs-modules-3.16.0-5-loongson-2e-di | 3.16.51-3+deb8u1 | mipsel xfs-modules-3.16.0-5-loongson-2f-di | 3.16.51-3+deb8u1 | mipsel xfs-modules-3.16.0-5-loongson-3-di | 3.16.51-3+deb8u1 | mipsel xfs-modules-3.16.0-5-sb1-bcm91250a-di | 3.16.51-3+deb8u1 | mipsel zlib-modules-3.16.0-4-loongson-2e-di | 3.16.51-3 | mipsel zlib-modules-3.16.0-4-loongson-2f-di | 3.16.51-3 | mipsel zlib-modules-3.16.0-4-loongson-3-di | 3.16.51-3 | mipsel zlib-modules-3.16.0-5-4kc-malta-di | 3.16.51-3+deb8u1 | mipsel zlib-modules-3.16.0-5-loongson-2e-di | 3.16.51-3+deb8u1 | mipsel zlib-modules-3.16.0-5-loongson-2f-di | 3.16.51-3+deb8u1 | mipsel zlib-modules-3.16.0-5-loongson-3-di | 3.16.51-3+deb8u1 | mipsel zlib-modules-3.16.0-5-sb1-bcm91250a-di | 3.16.51-3+deb8u1 | mipsel ------------------- Reason ------------------- [auto-cruft] NBS (no longer built by linux) ---------------------------------------------- ========================================================================= ========================================================================= [Date: Sat, 23 Jun 2018 09:18:25 +0000] [ftpmaster: Archive Administrator] Removed the following packages from oldstable: linux-headers-3.16.0-5-all | 3.16.51-3+deb8u1 | mipsel, ppc64el, s390x linux-headers-3.16.0-5-common | 3.16.51-3+deb8u1 | mipsel, ppc64el, s390x ------------------- Reason ------------------- [auto-cruft] NBS (no longer built by linux) ---------------------------------------------- ========================================================================= ========================================================================= [Date: Sat, 23 Jun 2018 09:18:32 +0000] [ftpmaster: Archive Administrator] Removed the following packages from oldstable: affs-modules-3.16.0-4-powerpc-di | 3.16.51-3 | powerpc affs-modules-3.16.0-4-powerpc64-di | 3.16.51-3 | powerpc ata-modules-3.16.0-4-powerpc-di | 3.16.51-3 | 
powerpc
ata-modules-3.16.0-4-powerpc64-di | 3.16.51-3 | powerpc
btrfs-modules-3.16.0-4-powerpc-di | 3.16.51-3 | powerpc
btrfs-modules-3.16.0-4-powerpc64-di | 3.16.51-3 | powerpc
cdrom-core-modules-3.16.0-4-powerpc-di | 3.16.51-3 | powerpc
cdrom-core-modules-3.16.0-4-powerpc64-di | 3.16.51-3 | powerpc
core-modules-3.16.0-4-powerpc-di | 3.16.51-3 | powerpc
core-modules-3.16.0-4-powerpc64-di | 3.16.51-3 | powerpc
crc-modules-3.16.0-4-powerpc-di | 3.16.51-3 | powerpc
crc-modules-3.16.0-4-powerpc64-di | 3.16.51-3 | powerpc
crypto-dm-modules-3.16.0-4-powerpc-di | 3.16.51-3 | powerpc
crypto-dm-modules-3.16.0-4-powerpc64-di | 3.16.51-3 | powerpc
crypto-modules-3.16.0-4-powerpc-di | 3.16.51-3 | powerpc
crypto-modules-3.16.0-4-powerpc64-di | 3.16.51-3 | powerpc
event-modules-3.16.0-4-powerpc-di | 3.16.51-3 | powerpc
event-modules-3.16.0-4-powerpc64-di | 3.16.51-3 | powerpc
ext4-modules-3.16.0-4-powerpc-di | 3.16.51-3 | powerpc
ext4-modules-3.16.0-4-powerpc64-di | 3.16.51-3 | powerpc
fancontrol-modules-3.16.0-4-powerpc64-di | 3.16.51-3 | powerpc
fat-modules-3.16.0-4-powerpc-di | 3.16.51-3 | powerpc
fat-modules-3.16.0-4-powerpc64-di | 3.16.51-3 | powerpc
fb-modules-3.16.0-4-powerpc-di | 3.16.51-3 | powerpc
firewire-core-modules-3.16.0-4-powerpc-di | 3.16.51-3 | powerpc
firewire-core-modules-3.16.0-4-powerpc64-di | 3.16.51-3 | powerpc
fuse-modules-3.16.0-4-powerpc-di | 3.16.51-3 | powerpc
fuse-modules-3.16.0-4-powerpc64-di | 3.16.51-3 | powerpc
hfs-modules-3.16.0-4-powerpc-di | 3.16.51-3 | powerpc
hfs-modules-3.16.0-4-powerpc64-di | 3.16.51-3 | powerpc
hypervisor-modules-3.16.0-4-powerpc64-di | 3.16.51-3 | powerpc
input-modules-3.16.0-4-powerpc-di | 3.16.51-3 | powerpc
input-modules-3.16.0-4-powerpc64-di | 3.16.51-3 | powerpc
isofs-modules-3.16.0-4-powerpc-di | 3.16.51-3 | powerpc
isofs-modules-3.16.0-4-powerpc64-di | 3.16.51-3 | powerpc
jfs-modules-3.16.0-4-powerpc-di | 3.16.51-3 | powerpc
jfs-modules-3.16.0-4-powerpc64-di | 3.16.51-3 | powerpc
kernel-image-3.16.0-4-powerpc-di | 3.16.51-3 | powerpc
kernel-image-3.16.0-4-powerpc64-di | 3.16.51-3 | powerpc
linux-headers-3.16.0-4-all-powerpc | 3.16.51-3 | powerpc
linux-headers-3.16.0-4-powerpc | 3.16.51-3 | powerpc
linux-headers-3.16.0-4-powerpc-smp | 3.16.51-3 | powerpc
linux-headers-3.16.0-4-powerpc64 | 3.16.51-3 | powerpc
linux-image-3.16.0-4-powerpc | 3.16.51-3 | powerpc
linux-image-3.16.0-4-powerpc-smp | 3.16.51-3 | powerpc
linux-image-3.16.0-4-powerpc64 | 3.16.51-3 | powerpc
loop-modules-3.16.0-4-powerpc-di | 3.16.51-3 | powerpc
loop-modules-3.16.0-4-powerpc64-di | 3.16.51-3 | powerpc
md-modules-3.16.0-4-powerpc-di | 3.16.51-3 | powerpc
md-modules-3.16.0-4-powerpc64-di | 3.16.51-3 | powerpc
mouse-modules-3.16.0-4-powerpc-di | 3.16.51-3 | powerpc
mouse-modules-3.16.0-4-powerpc64-di | 3.16.51-3 | powerpc
multipath-modules-3.16.0-4-powerpc-di | 3.16.51-3 | powerpc
multipath-modules-3.16.0-4-powerpc64-di | 3.16.51-3 | powerpc
nbd-modules-3.16.0-4-powerpc-di | 3.16.51-3 | powerpc
nbd-modules-3.16.0-4-powerpc64-di | 3.16.51-3 | powerpc
nic-modules-3.16.0-4-powerpc-di | 3.16.51-3 | powerpc
nic-modules-3.16.0-4-powerpc64-di | 3.16.51-3 | powerpc
nic-pcmcia-modules-3.16.0-4-powerpc-di | 3.16.51-3 | powerpc
nic-pcmcia-modules-3.16.0-4-powerpc64-di | 3.16.51-3 | powerpc
nic-shared-modules-3.16.0-4-powerpc-di | 3.16.51-3 | powerpc
nic-shared-modules-3.16.0-4-powerpc64-di | 3.16.51-3 | powerpc
pata-modules-3.16.0-4-powerpc-di | 3.16.51-3 | powerpc
pata-modules-3.16.0-4-powerpc64-di | 3.16.51-3 | powerpc
pcmcia-modules-3.16.0-4-powerpc-di | 3.16.51-3 | powerpc
pcmcia-modules-3.16.0-4-powerpc64-di | 3.16.51-3 | powerpc
pcmcia-storage-modules-3.16.0-4-powerpc-di | 3.16.51-3 | powerpc
pcmcia-storage-modules-3.16.0-4-powerpc64-di | 3.16.51-3 | powerpc
ppp-modules-3.16.0-4-powerpc-di | 3.16.51-3 | powerpc
ppp-modules-3.16.0-4-powerpc64-di | 3.16.51-3 | powerpc
sata-modules-3.16.0-4-powerpc-di | 3.16.51-3 | powerpc
sata-modules-3.16.0-4-powerpc64-di | 3.16.51-3 | powerpc
scsi-common-modules-3.16.0-4-powerpc-di | 3.16.51-3 | powerpc
scsi-common-modules-3.16.0-4-powerpc64-di | 3.16.51-3 | powerpc
scsi-core-modules-3.16.0-4-powerpc-di | 3.16.51-3 | powerpc
scsi-core-modules-3.16.0-4-powerpc64-di | 3.16.51-3 | powerpc
scsi-extra-modules-3.16.0-4-powerpc-di | 3.16.51-3 | powerpc
scsi-extra-modules-3.16.0-4-powerpc64-di | 3.16.51-3 | powerpc
scsi-modules-3.16.0-4-powerpc-di | 3.16.51-3 | powerpc
scsi-modules-3.16.0-4-powerpc64-di | 3.16.51-3 | powerpc
serial-modules-3.16.0-4-powerpc-di | 3.16.51-3 | powerpc
serial-modules-3.16.0-4-powerpc64-di | 3.16.51-3 | powerpc
squashfs-modules-3.16.0-4-powerpc-di | 3.16.51-3 | powerpc
squashfs-modules-3.16.0-4-powerpc64-di | 3.16.51-3 | powerpc
udf-modules-3.16.0-4-powerpc-di | 3.16.51-3 | powerpc
udf-modules-3.16.0-4-powerpc64-di | 3.16.51-3 | powerpc
uinput-modules-3.16.0-4-powerpc-di | 3.16.51-3 | powerpc
uinput-modules-3.16.0-4-powerpc64-di | 3.16.51-3 | powerpc
usb-modules-3.16.0-4-powerpc-di | 3.16.51-3 | powerpc
usb-modules-3.16.0-4-powerpc64-di | 3.16.51-3 | powerpc
usb-serial-modules-3.16.0-4-powerpc-di | 3.16.51-3 | powerpc
usb-serial-modules-3.16.0-4-powerpc64-di | 3.16.51-3 | powerpc
usb-storage-modules-3.16.0-4-powerpc-di | 3.16.51-3 | powerpc
usb-storage-modules-3.16.0-4-powerpc64-di | 3.16.51-3 | powerpc
virtio-modules-3.16.0-4-powerpc-di | 3.16.51-3 | powerpc
virtio-modules-3.16.0-4-powerpc64-di | 3.16.51-3 | powerpc
xfs-modules-3.16.0-4-powerpc-di | 3.16.51-3 | powerpc
xfs-modules-3.16.0-4-powerpc64-di | 3.16.51-3 | powerpc
zlib-modules-3.16.0-4-powerpc-di | 3.16.51-3 | powerpc
------------------- Reason -------------------
[auto-cruft] NBS (no longer built by linux)
----------------------------------------------
=========================================================================
=========================================================================
[Date: Sat, 23 Jun 2018 09:18:38 +0000] [ftpmaster: Archive Administrator]
Removed the following packages from oldstable:
ata-modules-3.16.0-4-powerpc64le-di | 3.16.51-3 | ppc64el
ata-modules-3.16.0-5-powerpc64le-di | 3.16.51-3+deb8u1 | ppc64el
btrfs-modules-3.16.0-4-powerpc64le-di | 3.16.51-3 | ppc64el
btrfs-modules-3.16.0-5-powerpc64le-di | 3.16.51-3+deb8u1 | ppc64el
cdrom-core-modules-3.16.0-4-powerpc64le-di | 3.16.51-3 | ppc64el
cdrom-core-modules-3.16.0-5-powerpc64le-di | 3.16.51-3+deb8u1 | ppc64el
core-modules-3.16.0-4-powerpc64le-di | 3.16.51-3 | ppc64el
core-modules-3.16.0-5-powerpc64le-di | 3.16.51-3+deb8u1 | ppc64el
crc-modules-3.16.0-4-powerpc64le-di | 3.16.51-3 | ppc64el
crc-modules-3.16.0-5-powerpc64le-di | 3.16.51-3+deb8u1 | ppc64el
crypto-dm-modules-3.16.0-4-powerpc64le-di | 3.16.51-3 | ppc64el
crypto-dm-modules-3.16.0-5-powerpc64le-di | 3.16.51-3+deb8u1 | ppc64el
crypto-modules-3.16.0-4-powerpc64le-di | 3.16.51-3 | ppc64el
crypto-modules-3.16.0-5-powerpc64le-di | 3.16.51-3+deb8u1 | ppc64el
event-modules-3.16.0-4-powerpc64le-di | 3.16.51-3 | ppc64el
event-modules-3.16.0-5-powerpc64le-di | 3.16.51-3+deb8u1 | ppc64el
ext4-modules-3.16.0-4-powerpc64le-di | 3.16.51-3 | ppc64el
ext4-modules-3.16.0-5-powerpc64le-di | 3.16.51-3+deb8u1 | ppc64el
fancontrol-modules-3.16.0-4-powerpc64le-di | 3.16.51-3 | ppc64el
fancontrol-modules-3.16.0-5-powerpc64le-di | 3.16.51-3+deb8u1 | ppc64el
fat-modules-3.16.0-4-powerpc64le-di | 3.16.51-3 | ppc64el
fat-modules-3.16.0-5-powerpc64le-di | 3.16.51-3+deb8u1 | ppc64el
firewire-core-modules-3.16.0-4-powerpc64le-di | 3.16.51-3 | ppc64el
firewire-core-modules-3.16.0-5-powerpc64le-di | 3.16.51-3+deb8u1 | ppc64el
fuse-modules-3.16.0-4-powerpc64le-di | 3.16.51-3 | ppc64el
fuse-modules-3.16.0-5-powerpc64le-di | 3.16.51-3+deb8u1 | ppc64el
hypervisor-modules-3.16.0-4-powerpc64le-di | 3.16.51-3 | ppc64el
hypervisor-modules-3.16.0-5-powerpc64le-di | 3.16.51-3+deb8u1 | ppc64el
input-modules-3.16.0-4-powerpc64le-di | 3.16.51-3 | ppc64el
input-modules-3.16.0-5-powerpc64le-di | 3.16.51-3+deb8u1 | ppc64el
isofs-modules-3.16.0-4-powerpc64le-di | 3.16.51-3 | ppc64el
isofs-modules-3.16.0-5-powerpc64le-di | 3.16.51-3+deb8u1 | ppc64el
jfs-modules-3.16.0-4-powerpc64le-di | 3.16.51-3 | ppc64el
jfs-modules-3.16.0-5-powerpc64le-di | 3.16.51-3+deb8u1 | ppc64el
kernel-image-3.16.0-4-powerpc64le-di | 3.16.51-3 | ppc64el
kernel-image-3.16.0-5-powerpc64le-di | 3.16.51-3+deb8u1 | ppc64el
linux-headers-3.16.0-4-all-ppc64el | 3.16.51-3 | ppc64el
linux-headers-3.16.0-4-powerpc64le | 3.16.51-3 | ppc64el
linux-headers-3.16.0-5-all-ppc64el | 3.16.51-3+deb8u1 | ppc64el
linux-headers-3.16.0-5-powerpc64le | 3.16.51-3+deb8u1 | ppc64el
linux-image-3.16.0-4-powerpc64le | 3.16.51-3 | ppc64el
linux-image-3.16.0-5-powerpc64le | 3.16.51-3+deb8u1 | ppc64el
loop-modules-3.16.0-4-powerpc64le-di | 3.16.51-3 | ppc64el
loop-modules-3.16.0-5-powerpc64le-di | 3.16.51-3+deb8u1 | ppc64el
md-modules-3.16.0-4-powerpc64le-di | 3.16.51-3 | ppc64el
md-modules-3.16.0-5-powerpc64le-di | 3.16.51-3+deb8u1 | ppc64el
mouse-modules-3.16.0-4-powerpc64le-di | 3.16.51-3 | ppc64el
mouse-modules-3.16.0-5-powerpc64le-di | 3.16.51-3+deb8u1 | ppc64el
multipath-modules-3.16.0-4-powerpc64le-di | 3.16.51-3 | ppc64el
multipath-modules-3.16.0-5-powerpc64le-di | 3.16.51-3+deb8u1 | ppc64el
nbd-modules-3.16.0-4-powerpc64le-di | 3.16.51-3 | ppc64el
nbd-modules-3.16.0-5-powerpc64le-di | 3.16.51-3+deb8u1 | ppc64el
nic-modules-3.16.0-4-powerpc64le-di | 3.16.51-3 | ppc64el
nic-modules-3.16.0-5-powerpc64le-di | 3.16.51-3+deb8u1 | ppc64el
nic-shared-modules-3.16.0-4-powerpc64le-di | 3.16.51-3 | ppc64el
nic-shared-modules-3.16.0-5-powerpc64le-di | 3.16.51-3+deb8u1 | ppc64el
ppp-modules-3.16.0-4-powerpc64le-di | 3.16.51-3 | ppc64el
ppp-modules-3.16.0-5-powerpc64le-di | 3.16.51-3+deb8u1 | ppc64el
sata-modules-3.16.0-4-powerpc64le-di | 3.16.51-3 | ppc64el
sata-modules-3.16.0-5-powerpc64le-di | 3.16.51-3+deb8u1 | ppc64el
scsi-common-modules-3.16.0-4-powerpc64le-di | 3.16.51-3 | ppc64el
scsi-common-modules-3.16.0-5-powerpc64le-di | 3.16.51-3+deb8u1 | ppc64el
scsi-core-modules-3.16.0-4-powerpc64le-di | 3.16.51-3 | ppc64el
scsi-core-modules-3.16.0-5-powerpc64le-di | 3.16.51-3+deb8u1 | ppc64el
scsi-extra-modules-3.16.0-4-powerpc64le-di | 3.16.51-3 | ppc64el
scsi-extra-modules-3.16.0-5-powerpc64le-di | 3.16.51-3+deb8u1 | ppc64el
scsi-modules-3.16.0-4-powerpc64le-di | 3.16.51-3 | ppc64el
scsi-modules-3.16.0-5-powerpc64le-di | 3.16.51-3+deb8u1 | ppc64el
serial-modules-3.16.0-4-powerpc64le-di | 3.16.51-3 | ppc64el
serial-modules-3.16.0-5-powerpc64le-di | 3.16.51-3+deb8u1 | ppc64el
squashfs-modules-3.16.0-4-powerpc64le-di | 3.16.51-3 | ppc64el
squashfs-modules-3.16.0-5-powerpc64le-di | 3.16.51-3+deb8u1 | ppc64el
udf-modules-3.16.0-4-powerpc64le-di | 3.16.51-3 | ppc64el
udf-modules-3.16.0-5-powerpc64le-di | 3.16.51-3+deb8u1 | ppc64el
uinput-modules-3.16.0-4-powerpc64le-di | 3.16.51-3 | ppc64el
uinput-modules-3.16.0-5-powerpc64le-di | 3.16.51-3+deb8u1 | ppc64el
usb-modules-3.16.0-4-powerpc64le-di | 3.16.51-3 | ppc64el
usb-modules-3.16.0-5-powerpc64le-di | 3.16.51-3+deb8u1 | ppc64el
usb-serial-modules-3.16.0-4-powerpc64le-di | 3.16.51-3 | ppc64el
usb-serial-modules-3.16.0-5-powerpc64le-di | 3.16.51-3+deb8u1 | ppc64el
usb-storage-modules-3.16.0-4-powerpc64le-di | 3.16.51-3 | ppc64el
usb-storage-modules-3.16.0-5-powerpc64le-di | 3.16.51-3+deb8u1 | ppc64el
virtio-modules-3.16.0-4-powerpc64le-di | 3.16.51-3 | ppc64el
virtio-modules-3.16.0-5-powerpc64le-di | 3.16.51-3+deb8u1 | ppc64el
xfs-modules-3.16.0-4-powerpc64le-di | 3.16.51-3 | ppc64el
xfs-modules-3.16.0-5-powerpc64le-di | 3.16.51-3+deb8u1 | ppc64el
------------------- Reason -------------------
[auto-cruft] NBS (no longer built by linux)
----------------------------------------------
=========================================================================
=========================================================================
[Date: Sat, 23 Jun 2018 09:18:44 +0000] [ftpmaster: Archive Administrator]
Removed the following packages from oldstable:
core-modules-3.16.0-4-s390x-di | 3.16.51-3 | s390x
core-modules-3.16.0-5-s390x-di | 3.16.51-3+deb8u1 | s390x
crypto-dm-modules-3.16.0-4-s390x-di | 3.16.51-3 | s390x
crypto-dm-modules-3.16.0-5-s390x-di | 3.16.51-3+deb8u1 | s390x
crypto-modules-3.16.0-4-s390x-di | 3.16.51-3 | s390x
crypto-modules-3.16.0-5-s390x-di | 3.16.51-3+deb8u1 | s390x
dasd-extra-modules-3.16.0-4-s390x-di | 3.16.51-3 | s390x
dasd-extra-modules-3.16.0-5-s390x-di | 3.16.51-3+deb8u1 | s390x
dasd-modules-3.16.0-4-s390x-di | 3.16.51-3 | s390x
dasd-modules-3.16.0-5-s390x-di | 3.16.51-3+deb8u1 | s390x
ext4-modules-3.16.0-4-s390x-di | 3.16.51-3 | s390x
ext4-modules-3.16.0-5-s390x-di | 3.16.51-3+deb8u1 | s390x
fat-modules-3.16.0-4-s390x-di | 3.16.51-3 | s390x
fat-modules-3.16.0-5-s390x-di | 3.16.51-3+deb8u1 | s390x
fuse-modules-3.16.0-4-s390x-di | 3.16.51-3 | s390x
fuse-modules-3.16.0-5-s390x-di | 3.16.51-3+deb8u1 | s390x
kernel-image-3.16.0-4-s390x-di | 3.16.51-3 | s390x
kernel-image-3.16.0-5-s390x-di | 3.16.51-3+deb8u1 | s390x
linux-headers-3.16.0-4-all-s390x | 3.16.51-3 | s390x
linux-headers-3.16.0-4-s390x | 3.16.51-3 | s390x
linux-headers-3.16.0-5-all-s390x | 3.16.51-3+deb8u1 | s390x
linux-headers-3.16.0-5-s390x | 3.16.51-3+deb8u1 | s390x
linux-image-3.16.0-4-s390x | 3.16.51-3 | s390x
linux-image-3.16.0-4-s390x-dbg | 3.16.51-3 | s390x
linux-image-3.16.0-5-s390x | 3.16.51-3+deb8u1 | s390x
linux-image-3.16.0-5-s390x-dbg | 3.16.51-3+deb8u1 | s390x
md-modules-3.16.0-4-s390x-di | 3.16.51-3 | s390x
md-modules-3.16.0-5-s390x-di | 3.16.51-3+deb8u1 | s390x
multipath-modules-3.16.0-4-s390x-di | 3.16.51-3 | s390x
multipath-modules-3.16.0-5-s390x-di | 3.16.51-3+deb8u1 | s390x
nbd-modules-3.16.0-4-s390x-di | 3.16.51-3 | s390x
nbd-modules-3.16.0-5-s390x-di | 3.16.51-3+deb8u1 | s390x
nic-modules-3.16.0-4-s390x-di | 3.16.51-3 | s390x
nic-modules-3.16.0-5-s390x-di | 3.16.51-3+deb8u1 | s390x
scsi-core-modules-3.16.0-4-s390x-di | 3.16.51-3 | s390x
scsi-core-modules-3.16.0-5-s390x-di | 3.16.51-3+deb8u1 | s390x
scsi-modules-3.16.0-4-s390x-di | 3.16.51-3 | s390x
scsi-modules-3.16.0-5-s390x-di | 3.16.51-3+deb8u1 | s390x
virtio-modules-3.16.0-4-s390x-di | 3.16.51-3 | s390x
virtio-modules-3.16.0-5-s390x-di | 3.16.51-3+deb8u1 | s390x
xfs-modules-3.16.0-4-s390x-di | 3.16.51-3 | s390x
xfs-modules-3.16.0-5-s390x-di | 3.16.51-3+deb8u1 | s390x
------------------- Reason -------------------
[auto-cruft] NBS (no longer built by linux)
----------------------------------------------
=========================================================================

adminer (3.3.3-1+deb8u1) jessie; urgency=high
  .
  * CVE-2018-7667: Adminer allowed unauthenticated connections to be initiated to arbitrary systems and ports which could bypass external firewalls to identify internal hosts and/or perform port scanning of other servers. (Closes: #893668)

apache2 (2.4.10-10+deb8u12) jessie-security; urgency=medium
  .
  * CVE-2017-15710: mod_authnz_ldap: Out of bound write in mod_authnz_ldap when using too small Accept-Language values.
  * CVE-2017-15715: bypass with a trailing newline in the file name. Configure the regular expression engine to match '$' to the end of the input string only, excluding matching the end of any embedded newline characters. Behavior can be changed with new directive 'RegexDefaultOptions'.
  * CVE-2018-1283: Tampering of mod_session data for CGI applications.
  * CVE-2018-1301: Possible out of bound access after failure in reading the HTTP request
  * CVE-2018-1303: Possible out of bound read in mod_cache_socache
  * CVE-2018-1312: mod_auth_digest: Weak Digest auth nonce generation

asterisk (1:11.13.1~dfsg-2+deb8u5) jessie-security; urgency=medium
  .
  * CVE-2017-17090 / AST-2017-013: memory leak from chan_skinny (Closes: #883342).
  * Note: advisories AST-2017-009 - AST-2017-012 do not apply to asterisk 11 (Closes: #881257, #881256).

awstats (7.2+dfsg-1+deb8u1) jessie-security; urgency=high
  .
  * Non-maintainer upload by the Security Team.
  * Fix traversal flaw in the handling of the "config" and "migrate" parameters (CVE-2017-1000501) (Closes: #885835)

base-files (8+deb8u11) oldstable; urgency=medium
  .
  * Changed /etc/debian_version to 8.11, for Debian 8.11 point release.

batik (1.7+dfsg-5+deb8u1) jessie-security; urgency=high
  .
  * Non-maintainer upload by the LTS team.
  * Fix CVE-2017-5662: XXE information disclosure. (Closes: #860566)
  * Fix CVE-2018-8013: information disclosure when deserializing a subclass of AbstractDocument. (Closes: #899374)

beep (1.3-3+deb8u1) jessie-security; urgency=medium
  .
  * CVE-2018-0492

bind9 (1:9.9.5.dfsg-9+deb8u15) jessie-security; urgency=high
  .
  * Non-maintainer upload by the Security Team.
  * Addresses could be referenced after being freed in resolver.c, causing an assertion failure. (CVE-2017-3145)

blktrace (1.0.5-1+deb8u1) jessie; urgency=high
  .
  * Fix buffer overflow in btt (CVE-2018-10689) (Closes: #897695)

bwm-ng (0.6-3.1+deb8u1) jessie; urgency=medium
  .
  * d/rules: pass --without-libstatgrab, thanks to Mr Parked and Tiago Rocha for the help (closes: #855215, LP: #1502593).

clamav (0.100.0+dfsg-0+deb8u1) jessie; urgency=medium
  .
  [ Sebastian Andrzej Siewior ]
  * New upstream release.
    - remove various documentation files including Changelog from the file list because they are no longer included in upstream archive.
    - update symbol file
  * Don't replace config file with sample config after debconf gets disabled (in milter and daemon) (Closes: #870253).
  * Add bytecode.c(l|v)d to log clamav-freshclam.logcheck.ignore.server. Patch by Václav Ovsík (Closes: #868766).
  * Disable the freshclam service if changed to `manual' mode so it does not start again after system reboot with systemd (Closes: #881780).
  * Drop "demime = *" from Debian.README for clamav, this option is deprecated and will be removed from exim (Closes: #881634).
  * Point Vcs-* tags to salsa.
  .
  [ Scott Kitterman ]
  * Update README.Debian to describe how to disable apparmor for clamav-daemon and clamav-freshclam (Closes: #884707)

clamav (0.100.0~beta+dfsg-2) unstable; urgency=medium
  .
  * Switch to pcre2 which is newer (Closes: #891195).
  * Cherry pick patches referenced in bb#11973 and bb#11980 to fix CVE-2018-0202.
  * Use compat level 11.

clamav (0.100.0~beta+dfsg-1) unstable; urgency=medium
  .
  [ Scott Kitterman ]
  * Only create clamav user during clamav-base install if it does not exist (LP: #121872) - Thanks to Shane Williams for the patch
  * Add lintian override for clamav-freshclam: duplicate-updaterc.d-calls-in-postinst clamav-freshclam
  * New upstream beta release
  * Bump standards-version to 4.1.3 without further change
  * Update README.Debian to describe how to disable apparmor for clamav-daemon and clamav-freshclam (Closes: #884707)
  .
  [ Sebastian Andrzej Siewior ]
  * Point Vcs-* tags to salsa.

clamav (0.99.4+dfsg-1+deb9u1) stretch; urgency=medium
  .
  * Update to upstream 0.99.4: Fixes for CVE: CVE-2018-1000085, CVE-2018-0202.
  * Update the gpg signing key (the old DSA expired).
  * Update version of private symbols due to version change.
  * Bump symbol version of cl_retflevel because CL_FLEVEL changed.

clamav (0.99.4+dfsg-1+deb8u1) jessie; urgency=medium
  .
  * Update to upstream 0.99.4: Fixes for CVE: CVE-2018-1000085, CVE-2018-0202.
  * Update the gpg signing key (the old DSA expired).
  * Update version of private symbols due to version change.
  * Bump symbol version of cl_retflevel because CL_FLEVEL changed.

clamav (0.99.3~snapshot20170704+dfsg-1) experimental; urgency=medium
  .
  * Update to upstream snapshot (commit 144ef69462427b63a650294257c892b047601aac):
    - add config options
    - boost symbol file
    - drop applied patches:
      - Allow-M-suffix-for-PCREMaxFileSize.patch
      - bb11549-fix-temp-file-cleanup-issue.patch
      - clamav_add_private_fts_implementation.patch
      - drop-AllowSupplementaryGroups-option-and-make-it-def.patch
      - fix-ssize_t-size_t-off_t-printf-modifier.patch
      - libclamav-use-libmspack.patch
      - make_it_compile_against_openssl_1_1_0.patch
    - add new ones:
      - fts-no-use-AC_TRY_RUN.patch
      - clamsubmit-add-JSON-libs-to-clamsubmit.patch

clamav (0.99.3~beta2+dfsg-1) unstable; urgency=medium
  .
  * Update upstream's signing gpg key
  * Update to beta2:
    - freshclam does not complain that clamav is outdated (Closes: #873401).

clamav (0.99.3~beta1+dfsg-4) unstable; urgency=medium
  .
  * Ignore errors from update-rc.d in freshclam postinst (Closes: #882323).
  * Drop dh-systemd & autoreconf from B-D.

clamav (0.99.3~beta1+dfsg-3) unstable; urgency=medium
  .
  * Drop "demime = *" from Debian.README for clamav, this option is gone from exim (Closes: #881634).
  * Use "ucf" instead of "ucp" in clamav-milter's postinst.
  * Disable LLVM support due to 3.8 removal (Closes: #873401).
  * Disable the freshclam service if changed to `manual' mode so it does start again after system reboot with systemd (Closes: #881780).
  * Bump standards version to 4.1.1 without further change.
  * Allow to build as non root user.
  * Update dh compat level 10

clamav (0.99.3~beta1+dfsg-2) unstable; urgency=medium
  .
  * Build again against system's libmspack (dropped by accident) (Closes: #872594).
  * Don't replace config file with sample config after debconf gets disabled (in milter and daemon) (Closes: #870253).
  * Update standards to 4.0.1
    - use invoke-rc.d instead of /etc/init.d.
    - drop priority extra from clamav-milter.
  * Add bytecode.c(l|v)d to log clamav-freshclam.logcheck.ignore.server. Patch by Václav Ovsík (Closes: #868766).

clamav (0.99.3~beta1+dfsg-1) unstable; urgency=medium
  .
  * Upload to unstable
  * update to official beta1 release:
    - drop fts-no-use-AC_TRY_RUN.patch, applied upstream.

clamav (0.99.2+dfsg-6+deb9u1) stretch; urgency=medium
  .
  * Apply security patches from 0.99.3 (Closes: #888484):
    - fixes for the following CVEs: CVE-2017-6418, CVE-2017-6420, CVE-2017-12374, CVE-2017-12375, CVE-2017-12376, CVE-2017-12377, CVE-2017-12378, CVE-2017-12379, CVE-2017-12380.
  * Bump symbol version of cl_retflevel because CL_FLEVEL changed.

clamav (0.99.2+dfsg-6) unstable; urgency=medium
  .
  * Fix detection of curl. Patch by Reiner Herrmann (Closes: #852894).

clamav (0.99.2+dfsg-5) unstable; urgency=medium
  .
  [ Andreas Cadhalpun ]
  * Add patches to support LLVM 3.7-3.9.
  * Re-enable llvm support.
  * Update embedded-library lintian override for multiarch locations.
  * Update standards version to 3.9.8. (no changes needed)
  * Mark clamav-docs and clamav-testfiles as Multi-Arch foreign and libclamav7 as same.
  * Fix spelling errors in the debian files. (Closes: #825055)
  * Remove unused package-contains-timestamped-gzip lintian-override.
  * Fix wildcard-matches-nothing-in-dep5-copyright lintian warning.
  .
  [ Sebastian Andrzej Siewior ]
  * Remove clamav-daemon.service.d on purge (Closes: #842074).
  * Fix FTCBFS: Annotate interpreter dependencies with :native. Patch by Helmut Grohne (Closes: #844066).
  * Drop bc from B-D, it seems we no longer need it.
  * Cherry-pick patch from bb11549 to fix a temp file cleanup issue (Closes: #824196).

clamav (0.99.2+dfsg-4) unstable; urgency=medium
  .
  * Remove Stephen Gran as Uploader and thank you for your work (Closes: #838405).
  * Drop llvm support for now. The bytecode will be interpreted by clamav instead of llvm's JIT - there is loss in functionality. It will come back once we llvm support again (Closes: #839850).

clamav (0.99.2+dfsg-3) unstable; urgency=medium
  .
  * BD on dh-strip-nondeterminism.
  * get it compiled against openssl 1.1.0 (Closes: #828083).
  * Drop support for clamav-daemon.socket. Should avoid restart loops if clamd crashes on start (via OOM for instance). (Closes: #824042).

clamav (0.99.2+dfsg-2) unstable; urgency=medium
  .
  * Ensure the users of PRIVATE symbols (clamd + freshclam) do not fall behind an upstream version (Closes: #824485).

clamav (0.99.2+dfsg-1) unstable; urgency=medium
  .
  [ Sebastian Andrzej Siewior ]
  * also remove bytecode.cld on purge
  * Update to new upstream release 0.99.2
  * Drop AllowSupplementaryGroups option which is default now (Closes: #822445).
  * Let the LSB init script have more consistent output. Patch by Guillem Jover (Closes: #823074).

clamav (0.99.2+dfsg-0+deb8u3) jessie; urgency=medium
  .
  * Apply security patches from 0.99.3 (Closes: #888484):
    - fixes for the following CVEs: CVE-2017-6418, CVE-2017-6420, CVE-2017-12374, CVE-2017-12375, CVE-2017-12376, CVE-2017-12377, CVE-2017-12378, CVE-2017-12379, CVE-2017-12380.
  * Bump symbol version of cl_retflevel because CL_FLEVEL changed.
  * Cherry-pick patch from bb11549 to fix a temp file cleanup issue (Closes: #824196).

curl (7.38.0-4+deb8u11) jessie-security; urgency=high
  .
  * Fix heap buffer over-read when parsing bad RTSP headers as per CVE-2018-1000301 https://curl.haxx.se/docs/adv_2018-b138.html

curl (7.38.0-4+deb8u10) jessie-security; urgency=high
  .
  * Fix NIL byte out of bounds write due to FTP path trickery as per CVE-2018-1000120 https://curl.haxx.se/docs/adv_2018-9cd6.html
  * Fix LDAP NULL pointer dereference as per CVE-2018-1000121 https://curl.haxx.se/docs/adv_2018-97a2.html
  * Fix RTSP RTP buffer over-read as per CVE-2018-1000122 https://curl.haxx.se/docs/adv_2018-b047.html

curl (7.38.0-4+deb8u9) jessie-security; urgency=high
  .
  * Fix HTTP authentication leak in redirects as per CVE-2018-1000007 https://curl.haxx.se/docs/adv_2018-b3bf.html

debian-installer (20150422+deb8u5) jessie; urgency=medium
  .
  * Bump Linux kernel ABI from 3.16.0-4 to 3.16.0-6

debian-installer-netboot-images (20150422+deb8u5) jessie; urgency=medium
  .
  * 20150422+deb8u5 images, from jessie-proposed-updates

debian-security-support (2018.01.29~deb8u1) oldstable-proposed-updates; urgency=medium
  .
  * Rebuild for jessie

debian-security-support (2017.06.02) unstable; urgency=medium
  .
  [ Moritz Muehlenhoff ]
  * Remove acidbase entry from security-support-limited, it's been removed and is no longer present in any currently supported suite
  * Mark trn as unsupported in jessie, it got removed in 8.6
  * Mark sogo as unsupported in jessie, it got removed in 8.7
  * Mark dotclear as unsupported in jessie, it got removed in 8.7
  .
  [ Raphaël Hertzog ]
  * Mark autotrace as unsupported in wheezy.
  .
  [ Chris Lamb ]
  * Mark ioquake3 as unsupported in wheezy.
  .
  [ Guido Günther ]
  * Mark freebsd-* as unsupported in wheezy.
  * Mark cgiemail as unsupported in jessie, it got removed in 8.8.
  * Mark owncloud as unsupported in jessie, it got removed in 8.8.
  * Mark owncloud-app as unsupported in jessie, it got removed in 8.8.
  * d/control: Use https Git URL

dh-make-perl (0.84-2+deb8u1) jessie; urgency=medium
  .
  [ Manfred Stock ]
  * Support Contents files without header. Current versions of the Contents files in the Debian archive don't seem to contain a header anymore, which kind-of breaks the parser, as it only processed lines after the line matched by the regular expression ^FILE\s+LOCATION. Since the regular expression which is used to parse the file column of the Contents files looks robust enough, it seems like this check can be dropped.
  .
    Closes: #851848

dns-root-data (2017072601~deb8u2) jessie; urgency=medium
  .
  [ Ondřej Surý ]
  * Update IANA DNSSEC files to 2017-02-02 versions
  * Strip the GPG verification (IANA doesn't provide it anymore)
  * Rewrite DS creation check (Closes: #877683)
  .
  [ Daniel Kahn Gillmor ]
  * added myself to uploaders

dovecot (1:2.2.13-12~deb8u4) jessie-security; urgency=high
  .
  * [eb6eab8] Fix CVE-2017-14461: rfc822_parse_domain information leak (Closes: #891819)
  * [df2ccf9] Fix CVE-2017-15130: TLS SNI config lookups are inefficient and can be used for DoS (Closes: #891820)
    + Use dh-autoreconf, as src/Makefile.in needs to be regenerated. Also disable dovecot_name.patch, since it changes dovecot's banner in conjunction with dh_autoreconf.
  * [292742f] Fix CVE-2017-15132: memory leak on aborted SASL auth (Closes: #888432)
  * [3e2ccd1] Add myself to Uploaders

drupal7 (7.32-1+deb8u12) jessie-security; urgency=high
  .
  * Move repository from Alioth to Salsa; update Vcs-Git and Vcs-Browser accordingly
  * SA-CORE-2018-004: Fix remote code execution vulnerability (CVE-2018-7602) (Closes: #896701)

drupal7 (7.32-1+deb8u11) jessie-security; urgency=high
  .
  * Non-maintainer upload by the Security Team.
  * SA-CORE-2018-002: Fix remote code execution vulnerability (CVE-2018-7600) (Closes: #894259)

drupal7 (7.32-1+deb8u10) jessie-security; urgency=high
  .
  * Fixes multiple security vulnerabilities, grouped under Drupal's SA-CORE-2018-001 (CVEs yet unassigned):
    - External link injection on 404 pages when linking to the current page (Closes: #891154)
    - jQuery vulnerability with untrusted domains (Closes: #891153)
    - Private file access bypass (Closes: #891152)
    - JavaScript cross-site scripting prevention is incomplete (Closes: #891150)

enigmail (2:1.9.9-1~deb8u1) jessie-security; urgency=high
  .
  * Rebuild for jessie-security
  .
enigmail (2:1.9.9-1) unstable; urgency=medium
  .
  * new upstream release
  * Standards-Version: bump to 4.1.2 (no changes needed)
  * drop patch already upstreamed
  * debian/changelog: drop trailing whitespace
  .
enigmail (2:1.9.8.3-1) unstable; urgency=medium
  .
  * New upstream release
  * Standards-Version: bump to 4.1.1 (no changes needed)
  .
enigmail (2:1.9.8.2-2) unstable; urgency=medium
  .
  * fix memoryhole protected header force-display part
  .
enigmail (2:1.9.8.2-1) unstable; urgency=medium
  .
  * New upstream bugfix release
  * refresh patches
  * clean up debian/copyright
  * clean up licensing in About dialog box (from upstream)
  * Standards-Version: bump to 4.1.0 (no changes needed)

enigmail (2:1.9.8.3-1) unstable; urgency=medium
  .
  * New upstream release
  * Standards-Version: bump to 4.1.1 (no changes needed)

enigmail (2:1.9.8.2-2) unstable; urgency=medium
  .
  * fix memoryhole protected header force-display part

enigmail (2:1.9.8.2-1) unstable; urgency=medium
  .
  * New upstream bugfix release
  * refresh patches
  * clean up debian/copyright
  * clean up licensing in About dialog box (from upstream)
  * Standards-Version: bump to 4.1.0 (no changes needed)

enigmail (2:1.9.8.1-1) unstable; urgency=medium
  .
  * new upstream release

enigmail (2:1.9.8.1-1~deb9u1) stretch-security; urgency=medium
  .
  * Rebuild for stretch-security (Closes: #869774)
  .
enigmail (2:1.9.8.1-1) unstable; urgency=medium
  .
  * new upstream release
  .
enigmail (2:1.9.8-1) unstable; urgency=medium
  .
  * New upstream release.
  * Standards-Version to 4.0.0 (no changes needed)
  * use dpkg/pkg-info.mk instead of dpkg-parsechangelog
  * use wrap-and-sort -ast

erlang (1:17.3-dfsg-4+deb8u2) jessie-security; urgency=high
  .
  * Applied a patch from the upstream which fixes CVE-2017-1000385 vulnerability (TLS server vulnerable to Adaptive Chosen Ciphertext attack allowing plaintext recovery or MITM attack).

exim4 (4.84.2-2+deb8u5) jessie-security; urgency=high
  .
  * Non-maintainer upload by the Security Team.
  * Fix base64d() buffer size (CVE-2018-6789) (Closes: #890000)

faad2 (2.7-8+deb8u1) jessie; urgency=high
  .
  * Non-maintainer upload.
  * Fix CVE-2017-9218, CVE-2017-9219, CVE-2017-9220, CVE-2017-9221, CVE-2017-9222, CVE-2017-9223, CVE-2017-9253, CVE-2017-9254, CVE-2017-9255, CVE-2017-9256, CVE-2017-9257. Various issues were discovered in faad2, a fast audio decoder, that could cause a denial of service (large loop and CPU consumption) via a crafted mp4 file. (Closes: #889915)

file (1:5.22+15-2+deb8u4) oldstable; urgency=high
  .
  * Avoid reading past the end of buffer. Closes: #901351 [CVE-2018-10360]

firefox-esr (52.8.1esr-1~deb8u1) jessie-security; urgency=medium
  .
  * New upstream release.
  * Fixes for mfsa2018-14, also known as CVE-2018-6126.
  .
  * debian/control*: Update Maintainer and Vcs fields, moving off alioth. Closes: #899509
  .
firefox-esr (52.8.0esr-1~deb8u1) jessie-security; urgency=medium
  .
  * New upstream release.
  * Fixes for mfsa2018-12, also known as CVE-2018-5183, CVE-2018-5154, CVE-2018-5155, CVE-2018-5157, CVE-2018-5158, CVE-2018-5159, CVE-2018-5168, CVE-2018-5178, CVE-2018-5150.
  .
firefox-esr (52.7.3esr-1~deb8u1) jessie-security; urgency=medium
  .
  * New upstream release.
  * Fixes for mfsa2018-10, also known as CVE-2018-5148.
  .
firefox-esr (52.7.2esr-1~deb8u1) jessie-security; urgency=medium
  .
  * New upstream release.
  * Fixes for mfsa2018-08, also known as CVE-2018-5146, CVE-2018-5147.
  .
firefox-esr (52.7.1esr-1~deb8u1) jessie-security; urgency=medium
  .
  * New upstream release.
  * Fixes for mfsa2018-07, also known as CVE-2018-5127, CVE-2018-5129, CVE-2018-5130, CVE-2018-5131, CVE-2018-5144, CVE-2018-5125, CVE-2018-5145.
  .
  * intl/icu/source/i18n/digitlst.cpp: Apply part of http://bugs.icu-project.org/trac/changeset/40603 to fix FTBFS with glibc 2.26 on big endian platforms.
  .
firefox-esr (52.6.0esr-1~deb8u1) jessie-security; urgency=medium
  .
  * New upstream release.
  * Fixes for mfsa2018-03, also known as CVE-2018-5091, CVE-2018-5095, CVE-2018-5096, CVE-2018-5097, CVE-2018-5098, CVE-2018-5099, CVE-2018-5102, CVE-2018-5103, CVE-2018-5104, CVE-2018-5117, CVE-2018-5089.
  .
firefox-esr (52.5.2esr-1~deb8u1) jessie-security; urgency=medium
  .
  * New upstream release.
  * Fixes for mfsa2017-28, also known as CVE-2017-7843.

firefox-esr (52.8.0esr-1) unstable; urgency=medium
  .
  * New upstream release.
  * Fixes for mfsa2018-12, also known as CVE-2018-5183, CVE-2018-5154, CVE-2018-5155, CVE-2018-5157, CVE-2018-5158, CVE-2018-5159, CVE-2018-5168, CVE-2018-5178, CVE-2018-5150.

firefox-esr (52.8.0esr-1~deb9u1) stretch-security; urgency=medium
  .
  * New upstream release.
  * Fixes for mfsa2018-12, also known as CVE-2018-5183, CVE-2018-5154, CVE-2018-5155, CVE-2018-5157, CVE-2018-5158, CVE-2018-5159, CVE-2018-5168, CVE-2018-5178, CVE-2018-5150.
  .
firefox-esr (52.7.3esr-1~deb9u1) stretch-security; urgency=medium
  .
  * New upstream release.
  * Fixes for mfsa2018-10, also known as CVE-2018-5148.
  .
firefox-esr (52.7.2esr-1~deb9u1) stretch-security; urgency=medium
  .
  * New upstream release.
  * Fixes for mfsa2018-08, also known as CVE-2018-5146, CVE-2018-5147.
  .
firefox-esr (52.7.1esr-1~deb9u1) stretch-security; urgency=medium
  .
  * New upstream release.
  * Fixes for mfsa2018-07, also known as CVE-2018-5127, CVE-2018-5129, CVE-2018-5130, CVE-2018-5131, CVE-2018-5144, CVE-2018-5125, CVE-2018-5145.
  .
  * intl/icu/source/i18n/digitlst.cpp: Apply part of http://bugs.icu-project.org/trac/changeset/40603 to fix FTBFS with glibc 2.26 on big endian platforms.

firefox-esr (52.8.0esr-1~deb8u1) jessie-security; urgency=medium
  .
  * New upstream release.
  * Fixes for mfsa2018-12, also known as CVE-2018-5183, CVE-2018-5154, CVE-2018-5155, CVE-2018-5157, CVE-2018-5158, CVE-2018-5159, CVE-2018-5168, CVE-2018-5178, CVE-2018-5150.
  .
firefox-esr (52.7.3esr-1~deb8u1) jessie-security; urgency=medium
  .
  * New upstream release.
  * Fixes for mfsa2018-10, also known as CVE-2018-5148.
  .
firefox-esr (52.7.2esr-1~deb8u1) jessie-security; urgency=medium
  .
  * New upstream release.
  * Fixes for mfsa2018-08, also known as CVE-2018-5146, CVE-2018-5147.
  .
firefox-esr (52.7.1esr-1~deb8u1) jessie-security; urgency=medium
  .
  * New upstream release.
  * Fixes for mfsa2018-07, also known as CVE-2018-5127, CVE-2018-5129, CVE-2018-5130, CVE-2018-5131, CVE-2018-5144, CVE-2018-5125, CVE-2018-5145.
  .
  * intl/icu/source/i18n/digitlst.cpp: Apply part of http://bugs.icu-project.org/trac/changeset/40603 to fix FTBFS with glibc 2.26 on big endian platforms.
  .
firefox-esr (52.6.0esr-1~deb8u1) jessie-security; urgency=medium
  .
  * New upstream release.
  * Fixes for mfsa2018-03, also known as CVE-2018-5091, CVE-2018-5095, CVE-2018-5096, CVE-2018-5097, CVE-2018-5098, CVE-2018-5099, CVE-2018-5102, CVE-2018-5103, CVE-2018-5104, CVE-2018-5117, CVE-2018-5089.
  .
firefox-esr (52.5.2esr-1~deb8u1) jessie-security; urgency=medium
  .
  * New upstream release.
  * Fixes for mfsa2017-28, also known as CVE-2017-7843.

firefox-esr (52.7.3esr-1) unstable; urgency=medium
  .
  * New upstream release.
  * Fixes for mfsa2018-10, also known as CVE-2018-5148.

firefox-esr (52.7.3esr-1~deb9u1) stretch-security; urgency=medium
  .
  * New upstream release.
  * Fixes for mfsa2018-10, also known as CVE-2018-5148.
  .
firefox-esr (52.7.2esr-1~deb9u1) stretch-security; urgency=medium
  .
  * New upstream release.
  * Fixes for mfsa2018-08, also known as CVE-2018-5146, CVE-2018-5147.
  .
firefox-esr (52.7.1esr-1~deb9u1) stretch-security; urgency=medium
  .
  * New upstream release.
  * Fixes for mfsa2018-07, also known as CVE-2018-5127, CVE-2018-5129, CVE-2018-5130, CVE-2018-5131, CVE-2018-5144, CVE-2018-5125, CVE-2018-5145.
  .
  * intl/icu/source/i18n/digitlst.cpp: Apply part of http://bugs.icu-project.org/trac/changeset/40603 to fix FTBFS with glibc 2.26 on big endian platforms.

firefox-esr (52.7.3esr-1~deb8u1) jessie-security; urgency=medium
  .
  * New upstream release.
  * Fixes for mfsa2018-10, also known as CVE-2018-5148.
  .
firefox-esr (52.7.2esr-1~deb8u1) jessie-security; urgency=medium
  .
  * New upstream release.
  * Fixes for mfsa2018-08, also known as CVE-2018-5146, CVE-2018-5147.
  .
firefox-esr (52.7.1esr-1~deb8u1) jessie-security; urgency=medium
  .
  * New upstream release.
  * Fixes for mfsa2018-07, also known as CVE-2018-5127, CVE-2018-5129, CVE-2018-5130, CVE-2018-5131, CVE-2018-5144, CVE-2018-5125, CVE-2018-5145.
  .
  * intl/icu/source/i18n/digitlst.cpp: Apply part of http://bugs.icu-project.org/trac/changeset/40603 to fix FTBFS with glibc 2.26 on big endian platforms.
  .
firefox-esr (52.6.0esr-1~deb8u1) jessie-security; urgency=medium
  .
  * New upstream release.
  * Fixes for mfsa2018-03, also known as CVE-2018-5091, CVE-2018-5095, CVE-2018-5096, CVE-2018-5097, CVE-2018-5098, CVE-2018-5099, CVE-2018-5102, CVE-2018-5103, CVE-2018-5104, CVE-2018-5117, CVE-2018-5089.
  .
firefox-esr (52.5.2esr-1~deb8u1) jessie-security; urgency=medium
  .
  * New upstream release.
  * Fixes for mfsa2017-28, also known as CVE-2017-7843.

firefox-esr (52.7.2esr-1) unstable; urgency=medium
  .
  * New upstream release.
  * Fixes for mfsa2018-08, also known as CVE-2018-5146, CVE-2018-5147.

firefox-esr (52.7.2esr-1~deb9u1) stretch-security; urgency=medium
  .
  * New upstream release.
  * Fixes for mfsa2018-08, also known as CVE-2018-5146, CVE-2018-5147.
  .
firefox-esr (52.7.1esr-1~deb9u1) stretch-security; urgency=medium
  .
  * New upstream release.
  * Fixes for mfsa2018-07, also known as CVE-2018-5127, CVE-2018-5129, CVE-2018-5130, CVE-2018-5131, CVE-2018-5144, CVE-2018-5125, CVE-2018-5145.
  .
  * intl/icu/source/i18n/digitlst.cpp: Apply part of http://bugs.icu-project.org/trac/changeset/40603 to fix FTBFS with glibc 2.26 on big endian platforms.

firefox-esr (52.7.2esr-1~deb8u1) jessie-security; urgency=medium
  .
  * New upstream release.
  * Fixes for mfsa2018-08, also known as CVE-2018-5146, CVE-2018-5147.
  .
firefox-esr (52.7.1esr-1~deb8u1) jessie-security; urgency=medium
  .
  * New upstream release.
  * Fixes for mfsa2018-07, also known as CVE-2018-5127, CVE-2018-5129, CVE-2018-5130, CVE-2018-5131, CVE-2018-5144, CVE-2018-5125, CVE-2018-5145.
  .
  * intl/icu/source/i18n/digitlst.cpp: Apply part of http://bugs.icu-project.org/trac/changeset/40603 to fix FTBFS with glibc 2.26 on big endian platforms.
  .
firefox-esr (52.6.0esr-1~deb8u1) jessie-security; urgency=medium
  .
  * New upstream release.
  * Fixes for mfsa2018-03, also known as CVE-2018-5091, CVE-2018-5095, CVE-2018-5096, CVE-2018-5097, CVE-2018-5098, CVE-2018-5099, CVE-2018-5102, CVE-2018-5103, CVE-2018-5104, CVE-2018-5117, CVE-2018-5089.
  .
firefox-esr (52.5.2esr-1~deb8u1) jessie-security; urgency=medium
  .
  * New upstream release.
  * Fixes for mfsa2017-28, also known as CVE-2017-7843.

firefox-esr (52.7.1esr-1) unstable; urgency=medium
  .
  * New upstream release.
    - Fixes search engines in Italian locale.

firefox-esr (52.7.1esr-1~deb9u1) stretch-security; urgency=medium
  .
  * New upstream release.
  * Fixes for mfsa2018-07, also known as CVE-2018-5127, CVE-2018-5129, CVE-2018-5130, CVE-2018-5131, CVE-2018-5144, CVE-2018-5125, CVE-2018-5145.
  .
  * intl/icu/source/i18n/digitlst.cpp: Apply part of http://bugs.icu-project.org/trac/changeset/40603 to fix FTBFS with glibc 2.26 on big endian platforms.

firefox-esr (52.7.1esr-1~deb8u1) jessie-security; urgency=medium
  .
  * New upstream release.
  * Fixes for mfsa2018-07, also known as CVE-2018-5127, CVE-2018-5129, CVE-2018-5130, CVE-2018-5131, CVE-2018-5144, CVE-2018-5125, CVE-2018-5145.
  .
  * intl/icu/source/i18n/digitlst.cpp: Apply part of http://bugs.icu-project.org/trac/changeset/40603 to fix FTBFS with glibc 2.26 on big endian platforms.
  .
firefox-esr (52.6.0esr-1~deb8u1) jessie-security; urgency=medium
  .
  * New upstream release.
  * Fixes for mfsa2018-03, also known as CVE-2018-5091, CVE-2018-5095, CVE-2018-5096, CVE-2018-5097, CVE-2018-5098, CVE-2018-5099, CVE-2018-5102, CVE-2018-5103, CVE-2018-5104, CVE-2018-5117, CVE-2018-5089.
  .
firefox-esr (52.5.2esr-1~deb8u1) jessie-security; urgency=medium
  .
  * New upstream release.
  * Fixes for mfsa2017-28, also known as CVE-2017-7843.

firefox-esr (52.7.0esr-1) unstable; urgency=medium
  .
  * New upstream release.
  * Fixes for mfsa2018-07, also known as CVE-2018-5127, CVE-2018-5129, CVE-2018-5130, CVE-2018-5131, CVE-2018-5144, CVE-2018-5125, CVE-2018-5145.

firefox-esr (52.7.0esr-1~deb9u1) stretch-security; urgency=medium
  .
  * New upstream release.
  * Fixes for mfsa2018-07, also known as CVE-2018-5127, CVE-2018-5129, CVE-2018-5130, CVE-2018-5131, CVE-2018-5144, CVE-2018-5125, CVE-2018-5145.
  .
* intl/icu/source/i18n/digitlst.cpp: Apply part of http://bugs.icu-project.org/trac/changeset/40603 to fix FTBFS with glibc 2.26 on big endian platforms. firefox-esr (52.7.0esr-1~deb8u1) jessie-security; urgency=medium . * New upstream release. * Fixes for mfsa2018-07, also known as CVE-2018-5127, CVE-2018-5129, CVE-2018-5130, CVE-2018-5131, CVE-2018-5144, CVE-2018-5125, CVE-2018-5145. . * intl/icu/source/i18n/digitlst.cpp: Apply part of http://bugs.icu-project.org/trac/changeset/40603 to fix FTBFS with glibc 2.26 on big endian platforms. . firefox-esr (52.6.0esr-1~deb8u1) jessie-security; urgency=medium . * New upstream release. * Fixes for mfsa2018-03, also known as CVE-2018-5091, CVE-2018-5095, CVE-2018-5096, CVE-2018-5097, CVE-2018-5098, CVE-2018-5099, CVE-2018-5102, CVE-2018-5103, CVE-2018-5104, CVE-2018-5117, CVE-2018-5089. . firefox-esr (52.5.2esr-1~deb8u1) jessie-security; urgency=medium . * New upstream release. * Fixes for mfsa2017-28, also known as CVE-2017-7843. firefox-esr (52.6.0esr-2) unstable; urgency=medium . * intl/icu/source/i18n/digitlst.cpp: Apply part of http://bugs.icu-project.org/trac/changeset/40603 to fix FTBFS with glibc 2.26 on big endian platforms. firefox-esr (52.6.0esr-1) unstable; urgency=medium . * New upstream release. * Fixes for mfsa2018-03, also known as CVE-2018-5091, CVE-2018-5095, CVE-2018-5096, CVE-2018-5097, CVE-2018-5098, CVE-2018-5099, CVE-2018-5102, CVE-2018-5103, CVE-2018-5104, CVE-2018-5117, CVE-2018-5089. * Fixes FTBFS with glibc >= 2.26. Closes: #887778. firefox-esr (52.6.0esr-1~deb9u1) stretch-security; urgency=medium . * New upstream release. * Fixes for mfsa2018-03, also known as CVE-2018-5091, CVE-2018-5095, CVE-2018-5096, CVE-2018-5097, CVE-2018-5098, CVE-2018-5099, CVE-2018-5102, CVE-2018-5103, CVE-2018-5104, CVE-2018-5117, CVE-2018-5089. . firefox-esr (52.5.2esr-1~deb9u1) stretch-security; urgency=medium . * New upstream release. * Fixes for mfsa2017-28, also known as CVE-2017-7843. 
firefox-esr (52.6.0esr-1~deb8u1) jessie-security; urgency=medium . * New upstream release. * Fixes for mfsa2018-03, also known as CVE-2018-5091, CVE-2018-5095, CVE-2018-5096, CVE-2018-5097, CVE-2018-5098, CVE-2018-5099, CVE-2018-5102, CVE-2018-5103, CVE-2018-5104, CVE-2018-5117, CVE-2018-5089. . firefox-esr (52.5.2esr-1~deb8u1) jessie-security; urgency=medium . * New upstream release. * Fixes for mfsa2017-28, also known as CVE-2017-7843. firefox-esr (52.5.3esr-1) unstable; urgency=medium . * New upstream release. firefox-esr (52.5.2esr-1) unstable; urgency=medium . * New upstream release. * Fixes for mfsa2017-28, also known as CVE-2017-7843. firefox-esr (52.5.2esr-1~deb9u1) stretch-security; urgency=medium . * New upstream release. * Fixes for mfsa2017-28, also known as CVE-2017-7843. . firefox-esr (52.5.0esr-1~deb9u1) stretch-security; urgency=medium . * New upstream release. * Fixes for mfsa2017-25, also known as: CVE-2017-7828, CVE-2017-7830, CVE-2017-7826. . * debian/source/lintian-overrides: Add a lintian override for dotzlib.chm. * debian/import-tar.py: Make python 3.6 happy. firefox-esr (52.5.2esr-1~deb8u1) jessie-security; urgency=medium . * New upstream release. * Fixes for mfsa2017-28, also known as CVE-2017-7843. . firefox-esr (52.5.0esr-1~deb8u1) jessie-security; urgency=medium . * New upstream release. * Fixes for mfsa2017-25, also known as: CVE-2017-7828, CVE-2017-7830, CVE-2017-7826. . * debian/source/lintian-overrides: Add a lintian override for dotzlib.chm. * debian/import-tar.py: Make python 3.6 happy. firefox-esr (52.5.0esr-1) unstable; urgency=medium . * New upstream release. * Fixes for mfsa2017-25, also known as: CVE-2017-7828, CVE-2017-7830, CVE-2017-7826. . * debian/import-tar.py: Make python 3.6 happy. firefox-esr (52.5.0esr-1~deb9u1) stretch-security; urgency=medium . * New upstream release. * Fixes for mfsa2017-25, also known as: CVE-2017-7828, CVE-2017-7830, CVE-2017-7826. . 
* debian/source/lintian-overrides: Add a lintian override for dotzlib.chm. * debian/import-tar.py: Make python 3.6 happy. freeplane (1.3.12-1+deb8u1) jessie-security; urgency=high . * Fix CVE-2018-1000069: Wojciech Reguła discovered that FreePlane was affected by a XML External Entity (XXE) vulnerability in its mindmap loader that could compromise a user's machine by opening a specially crafted mind map file. (Closes: #893663) freerdp (1.1.0~git20140921.1.440916e+dfsg1-4+deb8u1) jessie-security; urgency=high . [ Bernhard Miklautz ] * debian/patches: + Add fix for CVE-2017-2834, CVE-2017-2835, CVE-2017-2836, CVE-2017-2837, CVE-2017-2838, CVE-2017-2839 (Closes: #869880) freexl (1.0.0g-1+deb8u5) jessie-security; urgency=high . * Add upstream patch to fix various heap-buffer-overflows. - heap-buffer-overflow in freexl::destroy_cell of FreeXL 1.0.4 https://bugzilla.redhat.com/show_bug.cgi?id=1547879 - heap-buffer-overflow in freexl.c:1805 parse_SST parse_SST https://bugzilla.redhat.com/show_bug.cgi?id=1547883 - heap-buffer-overflow in freexl.c:1866 parse_SST of FreeXL 1.0.4 https://bugzilla.redhat.com/show_bug.cgi?id=1547885 - heap-buffer-overflow in freexl.c:383 parse_unicode_string of FreeXL 1.0.4 https://bugzilla.redhat.com/show_bug.cgi?id=1547889 - heap-buffer-overflow in freexl.c:3912 read_mini_biff_next_record of FreeXL 1.0.4 https://bugzilla.redhat.com/show_bug.cgi?id=1547892 gcc-4.9 (4.9.2-10+deb8u1) jessie-security; urgency=medium . * Backport of retpoline support by HJ Lu gdk-pixbuf (2.31.1-2+deb8u7) jessie-security; urgency=medium . * CVE-2017-1000422 ghostscript (9.06~dfsg-2+deb8u7) jessie; urgency=medium . * Non-maintainer upload. * Segfault with fuzzing file in gxht_thresh_image_init * Buffer overflow in fill_threshold_buffer (CVE-2016-10317) (Closes: #860869) * pdfwrite - Guard against trying to output an infinite number (CVE-2018-10194) (Closes: #896069) gifsicle (1.86-1+deb8u1) jessie-security; urgency=high . * Non-maintainer upload. 
  * Closes: CVE-2017-1000421

gimp (2.8.14-1+deb8u2) jessie-security; urgency=high

  * Non-maintainer upload by the Security Team.
  * Out of bounds read / heap overflow in TGA importer (CVE-2017-17786)
    (Closes: #884862)
  * plug-ins: TGA 16-bit RGB (without alpha bit) is also valid
  * Heap buffer overflow in PSP importer (CVE-2017-17789) (Closes: #884837)
  * heap overread in gbr parser / load_image (CVE-2017-17784) (Closes: #884925)
  * heap overread in psp importer (CVE-2017-17787) (Closes: #884927)
  * Heap overflow while parsing FLI files (CVE-2017-17785) (Closes: #884836)
  * buffer overread in XCF parser if version field has no null terminator
    (CVE-2017-17788) (Closes: #885347)

git (1:2.1.4-2.1+deb8u6) jessie-security; urgency=high

  * Fix CVE-2018-11235, arbitrary code execution via submodule names in
    .gitmodules file:
    - submodule: verify submodule names as paths
    - fsck: drop inode-sorting code
    - fsck: simplify ".git" check
    - fsck: fsck blob data
    - fsck: detect gitmodules files
    - fsck: check .gitmodules content
    - fsck: call fsck_finish after fscking objects
    - unpack-objects: call fsck_finish after fscking objects
    - index-pack: check .gitmodules files with --strict
  * Fix CVE-2018-11233, out-of-bounds read when validating NTFS paths:
    - is_ntfs_dotgit: use a size_t for traversing string
  * Do not allow .gitmodules to be a symlink:
    - is_hfs_dotgit: loosen over-eager match of \u{..47}
    - is_hfs_dotgit: match other .git* files
    - is_ntfs_dotgit: match other .git* files
    - is_{hfs,ntfs}_dotgitmodules: add tests
    - skip_prefix: add case-insensitive variant
    - verify_path: drop clever fallthrough
    - verify_dotfile: mention case-insensitivity in comment
    - update-index: stat updated files earlier
    - verify_path: disallow .gitmodules symlinks
    - fsck: complain when .gitmodules is a symlink

    Thanks to Brandon Williams, Etienne Stalmans, and Jeff King for
    discovering and reporting these vulnerabilities and to Jeff King and
    Johannes Schindelin for fixing them.

  * Prevent "git apply" without --index from escaping the current directory
    (compare GNU patch's CVE-2015-1196):
    - apply: reject input that touches outside the working area
    - apply: do not read from the filesystem under --index
    - apply: do not read from beyond a symbolic link
    - apply: do not touch a file beyond a symbolic link

    Thanks to Josh Boyer for reporting this vulnerability and Junio C Hamano
    for fixing it.

git-annex (5.20141125+deb8u1) jessie-security; urgency=high

  * Non-maintainer upload by the Security Team.
  * CVE-2017-12976: git-annex before 6.20170818 allows remote attackers to
    execute arbitrary commands via an ssh URL with an initial dash character
    in the hostname, as demonstrated by an ssh://-eProxyCommand= URL
    (Closes: #873088)

gnupg (1.4.18-7+deb8u5) jessie-security; urgency=high

  * Non-maintainer upload by the Security Team.
  * gpg: Sanitize diagnostic with the original file name (CVE-2018-12020)

gnupg2 (2.0.26-6+deb8u2) jessie-security; urgency=high

  * Non-maintainer upload by the Security Team.
  * gpg: Sanitize diagnostic with the original file name (CVE-2018-12020)

graphicsmagick (1.3.20-3+deb8u2) jessie-security; urgency=high

  * Fix CVE-2015-8808: denial of service (uninitialized memory access) via a
    crafted GIF file.
  * Fix CVE-2016-2317: segmentation violation when reading SVG files
    (closes: #814732).
  * Fix CVE-2016-2318: make SVG path and other primitive parsing more robust.
  * Fix CVE-2016-5240: endless loop problem caused by negative
    stroke-dasharray arguments.
  * Fix CVE-2016-3714: remove delegates support for Gnuplot files.
  * Fix CVE-2016-3715: remove undocumented "TMP" magick prefix.
  * Fix CVE-2016-5118: remove support for reading input from a shell command,
    or writing output to a shell command (closes: #825800).
  * Fix CVE-2016-7996: possible heap overflow of colormap in Q8 build.
  * Fix CVE-2016-7997: correctly flip image->blob and rotated_image->blob.
  * Fix CVE-2016-8682: stack-based buffer overflow in ReadSCTImage (sct.c).
  * Fix CVE-2016-8684: memory allocation failure in MagickMalloc (memory.c).
  * Fix CVE-2016-8683: memory allocation failure in ReadPCXImage (pcx.c).
  * Fix CVE-2016-7800: unsigned underflow leading to heap overflow when
    parsing 8BIM chunk.
  * Fix CVE-2016-9830: memory allocation failure in MagickRealloc
    (closes: #847055).
  * Add new MagickGetToken@Base symbol to libgraphicsmagick3.

gunicorn (19.0-1+deb8u1) jessie-security; urgency=high

  * CVE-2018-1000164: Fix an issue where CRLF sequences in HTTP headers could
    result in an attacker tricking the server into returning arbitrary HTTP
    headers. (Closes: #896548)

icedove (1:52.3.0-4~deb8u2) jessie-security; urgency=medium

  [ Guido Günther ]
  * [6214253] Simplify endianness selection for ICU

icedove (1:52.3.0-4~deb8u1) jessie-security; urgency=medium

  [ Carsten Schoenert ]
  * Rebuild for jessie-security
  * [7f05741] debian/control: be more relaxed on Breaks for enigmail
  * [72e63f8] debian/mozconfig.default: stay on GTK2 toolkit for Jessie
    (Closes: #871438, #870719)

icedove (1:52.3.0-3) unstable; urgency=medium

  [ Carsten Schoenert ]
  * [c08f005] rebuild patch queue from patch-queue branch
  * [f658cab] debian/rules: enable verbose build for ICU

icedove (1:52.3.0-2) unstable; urgency=medium

  [ Carsten Schoenert ]
  * [d544a01] debian/rules: correct icu build sequence

icedove (1:52.3.0-1) unstable; urgency=medium
  [ Carsten Schoenert ]
  * [8e852be] New upstream version 52.3.0
    Fixed CVE issues in upstream version 52.0 (MFSA 2017-20)
    CVE-2017-7800: Use-after-free in WebSockets during disconnection
    CVE-2017-7801: Use-after-free with marquee during window resizing
    CVE-2017-7809: Use-after-free while deleting attached editor DOM node
    CVE-2017-7784: Use-after-free with image observers
    CVE-2017-7802: Use-after-free resizing image elements
    CVE-2017-7785: Buffer overflow manipulating ARIA attributes in DOM
    CVE-2017-7786: Buffer overflow while painting non-displayable SVG
    CVE-2017-7753: Out-of-bounds read with cached style data and
                   pseudo-elements
    CVE-2017-7787: Same-origin policy bypass with iframes through page reloads
    CVE-2017-7807: Domain hijacking through AppCache fallback
    CVE-2017-7792: Buffer overflow viewing certificates with an extremely
                   long OID
    CVE-2017-7804: Memory protection bypass through WindowsDllDetourPatcher
    CVE-2017-7791: Spoofing following page navigation with data: protocol and
                   modal alerts
    CVE-2017-7782: WindowsDllDetourPatcher allocates memory without DEP
                   protections
    CVE-2017-7803: CSP containing 'sandbox' improperly applied
    CVE-2017-7779: Memory safety bugs fixed in Firefox 55, Firefox ESR 52.3,
                   and Thunderbird 52.3
  * [0b7243b] debian/rules: build icudt5*.dat on our own if needed
    If we need to use the internal sources of ICU (triggered by using
    --with-system-icu) we need to build the platform dependent file
    icudt*[b,l].dat before we can call the configure run. This is needed as
    Mozilla only ships a precompiled little endian version of the file
    icudt*.dat and all platforms with big endianness are failing later due
    to issues related to the wrong endianness.
  * [1964469] debian/mozconfig.default: enable i18n on big endian
  * [6b58ac5] debian/control: increase Standards-Version to 4.0.1
  * [e59cf81] rebuild patch queue from patch-queue branch
    removed patch(es) (applied upstream):
    - fixes/Bug-1308908-Compare-the-whole-accessible-name-when-checki.patch
    updated/refreshed patches (no changes):
    - porting-kfreebsd-hurd/adding-missed-HURD-adoptions.patch

  [ Simon Deziel ]
  * [a574010] apparmor/usr.bin.thunderbird: small update to avoid noise

icedove (1:52.2.1-5) unstable; urgency=high

  [ Carsten Schoenert ]
  * [133a574] Use gcc-6 and g++-6 due to broken GUI with GCC-7
    The usage of the GCC-7 suite currently introduces a broken GUI that
    makes using thunderbird mostly impossible. (Closes: #871629)
  * [3ebacd1] d/rules: use DEB_* variables for entries from changelog
    By using variables that are prepared by dpkg we don't need to manually
    search for dates and versions, etc.
  * [52c2b83] d/copyright: MPL-1.1 and MPL-2.0 now provided by common-licenses
    Since policy 4.0.0 the two Mozilla related licenses are included and
    don't need to be added extra.
  * [3f37967] adjust X-Debian-Homepage to existing Thunderbird page
  * [41b5c03] debian/control: increase Standards-Version to 4.0.0
  * [e3c3994] mozconfig.default: use proper disabled options
  * [2d4b846] debian/control: increase Breaks for enigmail version
    (Closes: #869789)

  [ John Paul Adrian Glaubitz ]
  * [4879401] sh4: disable option --disable-pie (Closes: #867553)

  [ Carsten Schoenert ]
  * [2646f3f] autopkgtests: disable the idlTest.sh test case

icedove (1:52.2.1-4) unstable; urgency=medium

  [ Guido Günther ]
  * [04de899] Don't use different profile folder for jessie and wheezy

  [ Carsten Schoenert ]
  * [692d3ce] rebuild patch queue from patch-queue branch (Closes: #867013)
    added patch (provided by Adrian):
    - porting-alpha/FTBFS-alpha-adjust-some-source-to-prevent-build-issues.patch
    removed patch:
    - porting-hurd/FTBFS-hurd-adding-GNU-to-the-configure-platform-detection.patch
      (wrong approach, the Python wrapper around configure isn't yet smart
      enough)

  [ John Paul Adrian Glaubitz ]
  * [5153ce2] mips: final fixups to prevent FTBFS

icedove (1:52.2.1-3) unstable; urgency=medium

  [ John Paul Adrian Glaubitz ]
  * [99b323a] d/mozconfig.default: fixups for --without-intl-api

icedove (1:52.2.1-2) unstable; urgency=medium

  [ Carsten Schoenert ]
  * [e8ce299] disabling ICU support on some big endian systems
    This hack should enable at least successful building of all RC platforms
    and needs to be solved in a less aggressive way without losing ICU
    support on the problematic platforms. Thanks John Paul Adrian Glaubitz
    for catching the root of the issue.
  * [a66e812] rebuild patch queue from patch-queue branch
    Adding a small needed fix for getting mips* out of FTBFS. Also GNU/Hurd
    should pass the configure script now.

icedove (1:52.2.1-1) unstable; urgency=medium

  [ Guido Günther ]
  * [4e87d6b] d/rules: Make sure DIST is not passed on to configure

  [ Carsten Schoenert ]
  * [35b84ef] rebuild patch queue from patch-queue branch
    added patches:
    - porting-mips/Fix-CPU_ARCH-test-for-libjpeg-on-mips.patch
    - porting-s390x/FTBFS-s390x-Use-jit-none-AtomicOperations-sparc.h-on-s390.patch
      (Closes: #864974)
  * [c818874] New upstream version 52.2.1 (Closes: #861840)
  * [8c776c9] Icedove2Thunderbird: add opt out for dialogue pop-up
    (Closes: #860381)

icedove (1:52.2.0-1) unstable; urgency=medium

  [ Christoph Goehre ]
  * [9ebc11d] mozconfig.default: remove configure option '--disable-methodjit'
    on armel
    This option isn't alive any more and was forgotten to be removed on the
    previous upload.

  [ Simon Deziel ]
  * [d8e5d42] usr.bin.thunderbird: merge gpg(1) and gpg2 subprofiles
    (Closes: #859179)
  * [f18884e] usr.bin.thunderbird: allow accessing gpgconf in gpg subprofile
  * [e73afbb] usr.bin.thunderbird: allow accessing any gpg2keys providers

  [ Carsten Schoenert ]
  * [066ddb9] mozconfig.default: switch back to internal libjpeg
    Going back and using the libjpeg library that's shipped by Mozilla, the
    system library is probably provoking broken builds on various platforms.
    As we prepare the uploads for (old-)stable-security we need to use the
    internal libjpeg library at all.
  * [ff92bfa] rebuild patch queue from patch-queue branch
    modified patches:
    - porting-m68k/Add-m68k-support-to-Thunderbird.patch
    - porting-sh4/Add-sh4-support-to-Thunderbird.patch
      (Closes: #859271, #859508)
  * [0a89f76] New upstream version 52.2.0
    Fixed CVE issues in upstream version 52.0 (MFSA 2017-17)
    CVE-2017-5472: Use-after-free using destroyed node when regenerating trees
    CVE-2017-7749: Use-after-free during docshell reloading
    CVE-2017-7750: Use-after-free with track elements
    CVE-2017-7751: Use-after-free with content viewer listeners
    CVE-2017-7752: Use-after-free with IME input
    CVE-2017-7754: Out-of-bounds read in WebGL with ImageInfo object
    CVE-2017-7756: Use-after-free and use-after-scope logging XHR header
                   errors
    CVE-2017-7757: Use-after-free in IndexedDB
    CVE-2017-7778: Vulnerabilities in the Graphite 2 library
    CVE-2017-7758: Out-of-bounds read in Opus encoder
    CVE-2017-7764: Domain spoofing with combination of Canadian Syllabics and
                   other unicode blocks
    CVE-2017-5470: Memory safety bugs fixed in Firefox 54 and Firefox ESR
                   52.2, and Thunderbird 52
  * [e03380e] rebuild patch queue from patch-queue branch
    modified patch:
    - porting-kfreebsd-hurd/FTBFS-hurd-fixing-unsupported-platform-Hurd.patch

icedove (1:52.1.1-1) experimental; urgency=medium

  [ Guido Günther ]
  * [db8d0db] Tighten meta package dependencies
    Be more strict on depends and add a version to all related Thunderbird
    specific packages.
  * [defb689] Copy-edit thunderbird-wrapper-helper.sh
  * [54b35d4] Allow one to override the location of the wrapper-helper
    Make $TB_HELPER more flexible and give the variable a default value, so
    a user can override it with its own.
  * [a187364] dh-exec: avoid multiple spaces around filenames
  * [a85bc7a] thunderbird-wrapper: robustness when sourcing helper
  * [eee56ab] Drop replaces on packages no longer in any release

  [ Carsten Schoenert ]
  * [1d85980] rebuild patch queue from patch-queue branch
    added patches:
    - porting-mk68/Add-m68k-support-to-Thunderbird.patch
    - porting-sparc64/Add-sparc64-support-to-Thunderbird.patch
      (Closes: #859151, #859271)
  * [2717849] tb-wrapper: call thunderbird starting with exec
    (Closes: #858100)
  * [8afa31b] d/gbp.conf: adjust upstream branch to new ESR version
  * [43d2e70] New upstream version 52.1.1
    Fixed CVE issues in upstream version 52.0 (MFSA 2017-09)
    CVE-2017-5413: Segmentation fault during bidirectional operations
    CVE-2017-5414: File picker can choose incorrect default directory
    CVE-2017-5416: Null dereference crash in HttpChannel
    CVE-2017-5426: Gecko Media Plugin sandbox is not started if seccomp-bpf
                   filter is running
    CVE-2017-5418: Out of bounds read when parsing HTTP digest authorization
                   responses
    CVE-2017-5419: Repeated authentication prompts lead to DOS attack
    CVE-2017-5405: FTP response codes can cause use of uninitialized values
                   for ports
    CVE-2017-5421: Print preview spoofing
    CVE-2017-5422: DOS attack by using view-source: protocol repeatedly in
                   one hyperlink
    CVE-2017-5399: Memory safety bugs fixed in Thunderbird 52
    Fixed CVE issues in upstream version 52.1.0 (MFSA 2017-13)
    CVE-2017-5433: Use-after-free in SMIL animation functions
    CVE-2017-5435: Use-after-free during transaction processing in the editor
    CVE-2017-5436: Out-of-bounds write with malicious font in Graphite 2
    CVE-2017-5461: Out-of-bounds write in Base64 encoding in NSS
    CVE-2017-5459: Buffer overflow in WebGL
    CVE-2017-5466: Origin confusion when reloading isolated data:text/html
                   URLs
    CVE-2017-5434: Use-after-free during focus handling
    CVE-2017-5432: Use-after-free in text input selection
    CVE-2017-5460: Use-after-free in frame selection
    CVE-2017-5438: Use-after-free in nsAutoPtr during XSLT processing
    CVE-2017-5439: Use-after-free in nsTArray Length() during XSLT processing
    CVE-2017-5440: Use-after-free in txExecutionState destructor during XSLT
                   processing
    CVE-2017-5441: Use-after-free with selection during scroll events
    CVE-2017-5442: Use-after-free during style changes
    CVE-2017-5464: Memory corruption with accessibility and DOM manipulation
    CVE-2017-5443: Out-of-bounds write during BinHex decoding
    CVE-2017-5444: Buffer overflow while parsing application/http-index-format
                   contents
    CVE-2017-5446: Out-of-bounds read when HTTP/2 DATA frames are sent with
                   incorrect data
    CVE-2017-5447: Out-of-bounds read during glyph processing
    CVE-2017-5465: Out-of-bounds read in ConvolvePixel
    CVE-2016-10196: Vulnerabilities in Libevent library
    CVE-2017-5454: Sandbox escape allowing file system read access through
                   file picker
    CVE-2017-5469: Potential Buffer overflow in flex-generated code
    CVE-2017-5445: Uninitialized values used while parsing
                   application/http-index-format content
    CVE-2017-5449: Crash during bidirectional unicode manipulation with
                   animation
    CVE-2017-5451: Addressbar spoofing with onblur event
    CVE-2017-5462: DRBG flaw in NSS
    CVE-2017-5467: Memory corruption when drawing Skia content
    CVE-2017-5430: Memory safety bugs fixed in Firefox 53, Firefox ESR 52.1,
                   Thunderbird 52.1
    CVE-2017-5429: Memory safety bugs fixed in Firefox 53, Firefox ESR 45.9,
                   Firefox ESR 52.1, and Thunderbird 52.1
    (Closes: #855344, #495372, #861480, #682208, #698244, #859909, #857593,
    #837771)
  * [de561ef] rebuild patch queue from patch-queue branch
    added patches:
    - debian-hacks/Allow-to-override-ICU_DATA_FILE-from-the-environment.patch
    - debian-hacks/Build-against-system-libjsoncpp.patch
    - debian-hacks/Don-t-build-testing-suites-and-stuff.patch
    - debian-hacks/Force-use-the-i686-rust-target.patch
    - fixes/Bug-1308908-Compare-the-whole-accessible-name-when-checki.patch
      (Closes: #826325)
    - porting-sh4/Add-sh4-support-to-Thunderbird.patch (Closes: #859508)
    removed patches (obsoleted by upstream changes):
    - debian-hacks/Don-t-build-example-component.patch
    - debian-hacks/fix-identification-of-ObjdirMismatchException.patch
    - fixes/Bug-1245076-Don-t-include-mozalloc.h-from-the-cstdlib-wra.patch
    - fixes/Bug-1273020-Add-missing-null-checks-in-ApplicationAccessi.patch
    - fixes/Bug-1277295-Remove-obsolete-reference-to-storage-service-.patch
    - fixes/Bug-1340724-fix-SMTP-server-name-output-in-SMTP-logging.-.patch
    - fixes/Bug-497488-Implement-verify-mode-in-the-subscribe-dialog-.patch
    - fixes/Bug-497488-RSS-feeds-with-an-invalid-certificate-fail-wit-1.patch
    - fixes/Bug-497488-RSS-feeds-with-an-invalid-certificate-fail-wit.patch
    - porting-arm64/Bug-1091515-Don-t-set-64KB-page-size-on-aarch64.-r-glandi.patch
    - porting-kfreebsd-hurd/CrossProcessMutex.h-fix-build-on-kfreebsd-and-GNU-hurd.patch
    - porting-kfreebsd-hurd/FTBFS-hurd-adding-the-HURD-platform-to-the-configure.patch
    - porting-kfreebsd-hurd/correcting-file-inclusion-for-kfreebsd-and-hurd.patch
    - porting-mips/Fix-build-error-in-MIPS-SIMD-when-compiling-with-mfp.patch
    - porting-mips/libyuv_disable-mips-assembly-for-MIPS64.patch
    - porting-powerpcspe/FTBFS-powerpcspe-disable-AltiVec-instructions.patch
    - porting-sparc64/Add-sparc64-support-to-Thunderbird.patch
      (unclear state, will be added later again)
    - porting/Add-xptcall-support-for-SH4-processors.patch (Closes: #859362)
    - debian-hacks/Move-profile.patch
    modified or adjusted patches:
    - debian-hacks/changing-the-default-search-engine.patch
    - debian-hacks/stop-configure-if-with-system-bz2-was-passed-but-no-.patch
    - icedove-l10n/disable-extension-update-extension-is-managed-by-apt.patch
      --> icedove-l10n/thunderbird-l10n-disable-external-extension-update.patch
      (renamed to and modified due to new languages)
    - icedove/fix-installdir.patch
      --> debian-hacks/Thunderbird-fix-installdir-for-icons.patch
  * [684ad58] d/source.filter: update due to upstream changes
  * [d005649] debian/control: modify various B-D
  * [7a8a98d] debian/rules: add some extra C*FLAGS
    Adding '-fno-lifetime-dse' to not enable dead store elimination of
    objects within their lifetime; some parts of the source are relying on
    the persistent values of such objects. Some other distributions, such as
    Ubuntu, Fedora and Arch, use this flag too (at least with ESR52) to
    prevent possible segfaults.
  * [56f8f4b] debian/rules: adding hack to preserve correct config.status
  * [fb500a6] mozconfig.default: remove no longer existing options
  * [c9a3e60] mozconfig.default: some minor adjustments to configure options
  * [f584857] mozconfig.default: enable GTK3 theme explicitly
    (Closes: #857593)
  * [3cbe1fb] debian/control: add packages for *-dsb language
  * [8317735] debian/control: add packages for *-hsb language
  * [39d90c1] debian/control: add packages for *-kab language
  * [82b4f50] debian/control: add missing packages for *-ast language
  * [0edde96] debian/rules: include also l10n folder with 3 characters
  * [47f17a4] lintian-overrides: modify the list for the js files to ignore
  * [8872d34] debian/copyright: update after upstream changes
  * [6755547] mozconfig.default: use some internal libraries
    Use libicu-dev, libnspr4-dev, libnss3-dev, libsqlite3-dev from shipped
    source as Stretch versions are not recent enough.
  * [5b04b32] thunderbird.install: pick up icu*.dat if around
  * [edf24d7] debian/control: mark thunderbird-dbg as Multi-Arch: same
  * [5d5392b] apparmor/usr.bin.thunderbird: update for version 52
    (cherry-picked from upstream) (Closes: #859179)
  * [f49ad79] apparmor/usr.bin.thunderbird: grant access to commonly used
    locations (cherry-picked from upstream)
  * [510fd6f] debian/rules: install lightning-l10n files into correct place
  * [d70ade4] lightning-l10n: adjust min/max version for ESR 52 cycle
    With the new ESR version tweaking the extension version of l10n packages
    for lightning > 52.0 and < 52.*.
  * [c0dd18f] debian/rules: install icudt5*.dat file more flexibly
  * [b5136f7] autopkg: improve the output of idlTest.sh
  * [7ac04f6] autopkg: add extra test icudatfileTest.sh

  [ Christoph Goehre ]
  * [13f5178] lintian-overrides: we build against internal nspr and nss
  * [56bbf23] rebuild patch queue from patch-queue branch
    added patches:
    - porting-sparc64/Add-sparc64-support-to-Thunderbird.patch
      (Closes: #859151)
    modified patches:
    - porting-mk68/Add-m68k-support-to-Thunderbird.patch
      -> porting-m68k/Add-m68k-support-to-Thunderbird.patch (renamed)
  * [6a7ef60] tests/idlTest.sh: remove duplicated 'done' output
  * [42bf8e1] debian/rules: remove duplicate .so files in thunderbird-dev
  * [5dc08bc] tests/soSymlinkTest.sh: check for symlinked .so files

icedove (1:45.8.0-3) unstable; urgency=medium

  [ Carsten Schoenert ]
  * [d923505] AppArmor: be more flexible on profile folders
    (Closes: #858735, #858737)
  * [1e04099] tb-wrapper: use readlink also on ${ID_PROFILE_FOLDER}
    (Closes: #858771)
  * [9f6b771] tb-wrapper: correct check for -dbg package (Closes: #858804)
  * [8b5271a] rebuild patch queue from patch-queue branch
    added patches:
    - fixes/Bug-1273020-Add-missing-null-checks-in-ApplicationAccessi.patch

icu (52.1-8+deb8u7) jessie-security; urgency=high

  * Backport upstream security fix for CVE-2017-15422: Persian calendar
    integer overflow (closes: #892766).
imagemagick (8:6.8.9.9-5+deb8u12) jessie-security; urgency=high . * Non-maintainer upload. * Fix the following security vulnerabilities: - CVE-2017-10995: heap-based buffer over-read and application crash via a crafted MNG image. (Closes: #867748) - CVE-2017-11533: heap-based buffer over-read in the WriteUILImage() function in coders/uil.c. (Closes: #869834) - CVE-2017-11535: heap-based buffer over-read in the WritePSImage() function in coders/ps.c. (Closes: #869827) - CVE-2017-11639: heap-based buffer over-read in the WriteCIPImage() function in coders/cip.c. (Closes: #870065) - CVE-2017-13143: ReadMATImage function in coders/mat.c uses uninitialized data, which might allow remote attackers to obtain sensitive information from process memory. (Closes: #870012) - CVE-2017-17504: heap-based buffer over-read. (Closes: #885340) - CVE-2017-17879: heap-based buffer over-read in ReadOneMNGImage in coders/png.c. (Closes: #885125) - CVE-2018-5248: heap-based buffer over-read in coders/sixel.c in the ReadSIXELImage function. (Closes: #886588) intel-microcode (3.20180425.1~deb8u1) jessie; urgency=medium . * Upload to Debian jessie (no changes) * RELEASE MANAGER INFORMATION: This update deploys the microcode side fix for CVE-2017-5715 (Spectre v2). On the more recent processors, it also fixes other unspecified errata. This microcode update pack has been extensively tested in Debian unstable, testing, strech-backports and jessie-backports. It has been extensively deployed by other distributions to their stable branches without causing any issues, with one notable exception (a distro-specific kernel bug, already fixed by that distro). . intel-microcode (3.20180425.1) unstable; urgency=medium . 
  * New upstream microcode data file 20180425 (closes: #897443, #895878)
    + Updated Microcodes:
      sig 0x000406f1, pf_mask 0xef, 2018-03-21, rev 0xb00002c, size 27648
      sig 0x000706a1, pf_mask 0x01, 2017-12-26, rev 0x0022, size 73728
    + Implements IBRS/IBPB/STIBP support, Spectre-v2 mitigation
    + Note that sig 0x000604f1 has been blacklisted from late-loading since
      Debian release 3.20171117.1.
  * source: remove undesired list files from microcode directories
  * source: switch to microcode-.d/ since Intel dropped .dat support.

intel-microcode (3.20180312.1) unstable; urgency=medium

  * New upstream microcode data file 20180312 (closes: #886367)
    + New Microcodes:
      sig 0x00050653, pf_mask 0x97, 2018-01-29, rev 0x1000140, size 30720
      sig 0x00050665, pf_mask 0x10, 2018-01-22, rev 0xe000009, size 18432
    + Updated Microcodes:
      sig 0x000206a7, pf_mask 0x12, 2018-02-07, rev 0x002d, size 12288
      sig 0x000206d6, pf_mask 0x6d, 2018-01-30, rev 0x061c, size 18432
      sig 0x000206d7, pf_mask 0x6d, 2018-01-26, rev 0x0713, size 19456
      sig 0x000306a9, pf_mask 0x12, 2018-02-07, rev 0x001f, size 13312
      sig 0x000306c3, pf_mask 0x32, 2018-01-21, rev 0x0024, size 23552
      sig 0x000306d4, pf_mask 0xc0, 2018-01-18, rev 0x002a, size 18432
      sig 0x000306e4, pf_mask 0xed, 2018-01-25, rev 0x042c, size 15360
      sig 0x000306e7, pf_mask 0xed, 2018-02-16, rev 0x0713, size 16384
      sig 0x000306f2, pf_mask 0x6f, 2018-01-19, rev 0x003c, size 33792
      sig 0x000306f4, pf_mask 0x80, 2018-01-22, rev 0x0011, size 17408
      sig 0x00040651, pf_mask 0x72, 2018-01-18, rev 0x0023, size 21504
      sig 0x00040661, pf_mask 0x32, 2018-01-21, rev 0x0019, size 25600
      sig 0x00040671, pf_mask 0x22, 2018-01-21, rev 0x001d, size 12288
      sig 0x000406e3, pf_mask 0xc0, 2017-11-16, rev 0x00c2, size 99328
      sig 0x00050654, pf_mask 0xb7, 2018-01-26, rev 0x2000043, size 28672
      sig 0x00050662, pf_mask 0x10, 2018-01-22, rev 0x0015, size 31744
      sig 0x00050663, pf_mask 0x10, 2018-01-22, rev 0x7000012, size 22528
      sig 0x00050664, pf_mask 0x10, 2018-01-22, rev 0xf000011, size 22528
      sig 0x000506e3, pf_mask 0x36, 2017-11-16, rev 0x00c2, size 99328
      sig 0x000806e9, pf_mask 0xc0, 2018-01-21, rev 0x0084, size 98304
      sig 0x000806ea, pf_mask 0xc0, 2018-01-21, rev 0x0084, size 97280
      sig 0x000906e9, pf_mask 0x2a, 2018-01-21, rev 0x0084, size 98304
      sig 0x000906ea, pf_mask 0x22, 2018-01-21, rev 0x0084, size 96256
      sig 0x000906eb, pf_mask 0x02, 2018-01-21, rev 0x0084, size 98304
    + Implements IBRS/IBPB/STIBP support, Spectre-v2 mitigation for:
      Sandybridge, Ivy Bridge, Haswell, Broadwell, Skylake, Kaby Lake,
      Coffee Lake
    + Missing production updates:
      + Broadwell-E/EX Xeons (sig 0x406f1)
      + Anniedale/Morefield, Apollo Lake, Avoton, Cherry Trail, Braswell,
        Gemini Lake, Denverton
  * Update past changelog entries with new information: Intel already had
    all necessary semantics in LFENCE, so the Spectre-related Intel
    microcode changes did not need to enhance LFENCE.
  * debian/control: update Vcs-* fields for the move to salsa.debian.org

intel-microcode (3.20180108.1+really20171117.1) unstable; urgency=critical

  * Revert to release 20171117, as per Intel instructions issued to the
    public in 2018-01-22 (closes: #886998)
  * This effectively removes IBRS/IBPB/STIBP microcode support for Spectre
    variant 2 mitigation.

intel-microcode (3.20180108.1) unstable; urgency=high
  * New upstream microcode data file 20180108 (closes: #886367)
    + Updated Microcodes:
      sig 0x000306c3, pf_mask 0x32, 2017-11-20, rev 0x0023, size 23552
      sig 0x000306d4, pf_mask 0xc0, 2017-11-17, rev 0x0028, size 18432
      sig 0x000306e4, pf_mask 0xed, 2017-12-01, rev 0x042a, size 15360
      sig 0x000306f2, pf_mask 0x6f, 2017-11-17, rev 0x003b, size 33792
      sig 0x000306f4, pf_mask 0x80, 2017-11-17, rev 0x0010, size 17408
      sig 0x00040651, pf_mask 0x72, 2017-11-20, rev 0x0021, size 22528
      sig 0x00040661, pf_mask 0x32, 2017-11-20, rev 0x0018, size 25600
      sig 0x00040671, pf_mask 0x22, 2017-11-17, rev 0x001b, size 13312
      sig 0x000406e3, pf_mask 0xc0, 2017-11-16, rev 0x00c2, size 99328
      sig 0x00050654, pf_mask 0xb7, 2017-12-08, rev 0x200003c, size 27648
      sig 0x00050662, pf_mask 0x10, 2017-12-16, rev 0x0014, size 31744
      sig 0x00050663, pf_mask 0x10, 2017-12-16, rev 0x7000011, size 22528
      sig 0x000506e3, pf_mask 0x36, 2017-11-16, rev 0x00c2, size 99328
      sig 0x000706a1, pf_mask 0x01, 2017-12-26, rev 0x0022, size 73728
      sig 0x000806e9, pf_mask 0xc0, 2018-01-04, rev 0x0080, size 98304
      sig 0x000806ea, pf_mask 0xc0, 2018-01-04, rev 0x0080, size 98304
      sig 0x000906e9, pf_mask 0x2a, 2018-01-04, rev 0x0080, size 98304
      sig 0x000906ea, pf_mask 0x22, 2018-01-04, rev 0x0080, size 97280
      sig 0x000906eb, pf_mask 0x02, 2018-01-04, rev 0x0080, size 98304
    + Implements IBRS/IBPB support: mitigation against Spectre
      (CVE-2017-5715)
    + Very likely fixes several other errata on some of the processors
  * supplementary-ucode-CVE-2017-5715.d/: remove.
    + Downgraded microcodes:
      sig 0x000406f1, pf_mask 0xef, 2017-03-01, rev 0xb000021, size 26624
      sig 0x000506c9, pf_mask 0x03, 2017-03-25, rev 0x002c, size 16384
    + Recall related to bug #886998
  * source: remove superseded upstream data file: 20171117
  * README.Debian, copyright: update download URLs (closes: #886368)

intel-microcode (3.20171215.1) unstable; urgency=high
  * Add supplementary-ucode-CVE-2017-5715.d/: (closes: #886367)
    New upstream microcodes to partially address CVE-2017-5715
    + Updated Microcodes:
      sig 0x000306c3, pf_mask 0x32, 2017-11-20, rev 0x0023, size 23552
      sig 0x000306d4, pf_mask 0xc0, 2017-11-17, rev 0x0028, size 18432
      sig 0x000306f2, pf_mask 0x6f, 2017-11-17, rev 0x003b, size 33792
      sig 0x00040651, pf_mask 0x72, 2017-11-20, rev 0x0021, size 22528
      sig 0x000406e3, pf_mask 0xc0, 2017-11-16, rev 0x00c2, size 99328
      sig 0x000406f1, pf_mask 0xef, 2017-11-18, rev 0xb000025, size 27648
      sig 0x00050654, pf_mask 0xb7, 2017-11-21, rev 0x200003a, size 27648
      sig 0x000506c9, pf_mask 0x03, 2017-11-22, rev 0x002e, size 16384
      sig 0x000806e9, pf_mask 0xc0, 2017-12-03, rev 0x007c, size 98304
      sig 0x000906e9, pf_mask 0x2a, 2017-12-03, rev 0x007c, size 98304
  * Implements IBRS and IBPB support via new MSR (Spectre variant 2
    mitigation, indirect branches). Support is exposed through cpuid(7).EDX.

intel-microcode (3.20171117.1) unstable; urgency=medium

  * New upstream microcode data file 20171117
    + New Microcodes:
      sig 0x000506c9, pf_mask 0x03, 2017-03-25, rev 0x002c, size 16384
      sig 0x000706a1, pf_mask 0x01, 2017-10-31, rev 0x001e, size 72704
      sig 0x000906ea, pf_mask 0x22, 2017-08-23, rev 0x0070, size 95232
      sig 0x000906eb, pf_mask 0x02, 2017-09-20, rev 0x0072, size 97280
    + Updated Microcodes:
      sig 0x00050654, pf_mask 0xb7, 2017-10-17, rev 0x2000035, size 26624
      sig 0x000806ea, pf_mask 0xc0, 2017-08-03, rev 0x0070, size 96256
  * source: remove superseded upstream data file: 20170707.
  * source: remove unneeded intel-ucode/ directory for 20171117.
  * debian/control: bump standards version to 4.1.1 (no changes)
  * Makefile: rename microcode-extras.pbin to microcode-includes.pbin.
  * README.source: fix IUC_EXCLUDE example and minor issues.
  * Makefile, README.source: support loading ucode from directories.
  * debian/rules: switch to dh mode (debhelper v9)
  * ucode-blacklist: blacklist sig 0x406f1 (Skylake-X H0) from late loading.
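The 3.20171215.1 entry above states that the new IBRS/IBPB support is exposed through cpuid(7).EDX, and every entry lists its microcodes as "sig ..., pf_mask ..., date, rev ..., size ..." lines. The C program below is an added example for this release page, not code from the intel-microcode package or its maintainer. It decodes the two cpuid(7).EDX bits in question (bit 26: IBRS and IBPB, bit 27: STIBP), parses changelog microcode lines in that format (both the "pf_mask" and the older "pf mask" spelling), and reports the newest listed revision that applies to a given CPU signature and platform id. The sample lines are copied from this changelog; the platform id (IA32_PLATFORM_ID MSR 0x17, bits 52:50) is assumed to be known, since reading it needs root and the msr driver, and the live CPUID query compiles only on x86.

```c
/* Added example, not part of the Debian intel-microcode package. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* CPUID.(EAX=7,ECX=0):EDX bits Intel defined for the Spectre-v2 interface. */
#define CPUID7_EDX_IBRS_IBPB (1u << 26) /* IA32_SPEC_CTRL.IBRS, IA32_PRED_CMD.IBPB */
#define CPUID7_EDX_STIBP     (1u << 27) /* IA32_SPEC_CTRL.STIBP */

struct spec_ctrl_features {
    bool ibrs_ibpb;
    bool stibp;
};

/* Decode the two Spectre-v2 feature bits from a raw cpuid(7).EDX value. */
struct spec_ctrl_features decode_cpuid7_edx(unsigned edx)
{
    struct spec_ctrl_features f;
    f.ibrs_ibpb = (edx & CPUID7_EDX_IBRS_IBPB) != 0;
    f.stibp     = (edx & CPUID7_EDX_STIBP) != 0;
    return f;
}

/* One "sig ..., pf_mask ..., <date>, rev ..., size ..." changelog line. */
struct ucode_entry {
    unsigned sig;      /* CPUID.1:EAX signature (family/model/stepping) */
    unsigned pf_mask;  /* bit N set: the update targets platform id N */
    char     date[11]; /* YYYY-MM-DD */
    unsigned rev;      /* microcode revision */
    unsigned size;     /* bytes */
};

/* Parse one changelog microcode line; "pf%*[ _]mask" accepts both the
 * "pf_mask" spelling and the "pf mask" spelling used before 20161104. */
bool parse_ucode_line(const char *line, struct ucode_entry *e)
{
    int n = sscanf(line, " sig %x , pf%*[ _]mask %x , %10[0-9-] , rev %x , size %u",
                   &e->sig, &e->pf_mask, e->date, &e->rev, &e->size);
    return n == 5;
}

/* True when the entry covers a CPU with this signature and platform id.
 * The changelog's "pf=0x80" for Skylake-UY corresponds to platform id 7. */
bool ucode_applies(const struct ucode_entry *e, unsigned sig, unsigned platform_id)
{
    return e->sig == sig && (e->pf_mask & (1u << platform_id)) != 0;
}

/* Newest revision among the lines that applies to the CPU, 0 if none. */
unsigned newest_rev_for_cpu(const char *const *lines, size_t nlines,
                            unsigned sig, unsigned platform_id)
{
    unsigned best = 0;
    for (size_t i = 0; i < nlines; i++) {
        struct ucode_entry e;
        if (parse_ucode_line(lines[i], &e) &&
            ucode_applies(&e, sig, platform_id) && e.rev > best)
            best = e.rev;
    }
    return best;
}

/* Constructed sample: lines copied from the 20171215.1 and 20160714.1
 * entries of this changelog. */
static const char *const SAMPLE_LINES[] = {
    "sig 0x000306c3, pf_mask 0x32, 2017-11-20, rev 0x0023, size 23552",
    "sig 0x000406e3, pf_mask 0xc0, 2017-11-16, rev 0x00c2, size 99328",
    "sig 0x000806e9, pf_mask 0xc0, 2017-12-03, rev 0x007c, size 98304",
    "sig 0x000406e3, pf mask 0xc0, 2016-06-22, rev 0x009e, size 97280",
};
#define SAMPLE_NLINES (sizeof SAMPLE_LINES / sizeof SAMPLE_LINES[0])

#if defined(__x86_64__) || defined(__i386__)
#include <cpuid.h>
/* Query the running x86 CPU: signature from CPUID.1:EAX, feature bits from
 * CPUID.(7,0):EDX.  Returns false if either leaf is unavailable. */
bool query_running_cpu(unsigned *sig, struct spec_ctrl_features *f)
{
    unsigned a, b, c, d;
    if (!__get_cpuid(1, &a, &b, &c, &d))
        return false;
    *sig = a;
    if (!__get_cpuid_count(7, 0, &a, &b, &c, &d))
        return false;
    *f = decode_cpuid7_edx(d);
    return true;
}
#endif

int main(void)
{
    /* Worked check for the Skylake-UY case named in the 20160607.2 entry
     * (sig 0x406e3, pf 0x80 -> platform id 7, an assumed value here). */
    unsigned rev = newest_rev_for_cpu(SAMPLE_LINES, SAMPLE_NLINES, 0x406e3, 7);
    printf("newest listed revision for sig 0x406e3 / pf 0x80: 0x%x\n", rev);
#if defined(__x86_64__) || defined(__i386__)
    unsigned sig;
    struct spec_ctrl_features f;
    if (query_running_cpu(&sig, &f))
        printf("this CPU: sig 0x%x, IBRS/IBPB %s, STIBP %s\n", sig,
               f.ibrs_ibpb ? "yes" : "no", f.stibp ? "yes" : "no");
#endif
    return 0;
}
```

Build with `cc -std=c99 -Wall spec_ctrl_check.c` (file name assumed). On a processor whose microcode predates these releases, or where a late load was blacklisted, the IBRS/IBPB and STIBP bits read as "no"; comparing the running revision reported by the kernel against the newest applicable revision from the changelog is the quickest way to confirm that an update actually took effect.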
intel-microcode (3.20180425.1~bpo9+1) stretch-backports; urgency=medium

  * Rebuild for stretch-backports (no changes)

intel-microcode (3.20180425.1) unstable; urgency=medium

  * New upstream microcode data file 20180425 (closes: #897443, #895878)
    + Updated Microcodes:
      sig 0x000406f1, pf_mask 0xef, 2018-03-21, rev 0xb00002c, size 27648
      sig 0x000706a1, pf_mask 0x01, 2017-12-26, rev 0x0022, size 73728
    + Implements IBRS/IBPB/STIBP support, Spectre-v2 mitigation
    + Note that sig 0x000604f1 has been blacklisted from late-loading since
      Debian release 3.20171117.1.
  * source: remove undesired list files from microcode directories
  * source: switch to microcode-.d/ since Intel dropped .dat support.

intel-microcode (3.20180425.1~bpo8+1) jessie-backports-sloppy; urgency=medium

  * Rebuild for jessie-backports-sloppy (no changes)

intel-microcode (3.20180425.1) unstable; urgency=medium

  * New upstream microcode data file 20180425 (closes: #897443, #895878)
    + Updated Microcodes:
      sig 0x000406f1, pf_mask 0xef, 2018-03-21, rev 0xb00002c, size 27648
      sig 0x000706a1, pf_mask 0x01, 2017-12-26, rev 0x0022, size 73728
    + Implements IBRS/IBPB/STIBP support, Spectre-v2 mitigation
    + Note that sig 0x000604f1 has been blacklisted from late-loading since
      Debian release 3.20171117.1.
  * source: remove undesired list files from microcode directories
  * source: switch to microcode-.d/ since Intel dropped .dat support.

intel-microcode (3.20180312.1) unstable; urgency=medium
  * New upstream microcode data file 20180312 (closes: #886367)
    + New Microcodes:
      sig 0x00050653, pf_mask 0x97, 2018-01-29, rev 0x1000140, size 30720
      sig 0x00050665, pf_mask 0x10, 2018-01-22, rev 0xe000009, size 18432
    + Updated Microcodes:
      sig 0x000206a7, pf_mask 0x12, 2018-02-07, rev 0x002d, size 12288
      sig 0x000206d6, pf_mask 0x6d, 2018-01-30, rev 0x061c, size 18432
      sig 0x000206d7, pf_mask 0x6d, 2018-01-26, rev 0x0713, size 19456
      sig 0x000306a9, pf_mask 0x12, 2018-02-07, rev 0x001f, size 13312
      sig 0x000306c3, pf_mask 0x32, 2018-01-21, rev 0x0024, size 23552
      sig 0x000306d4, pf_mask 0xc0, 2018-01-18, rev 0x002a, size 18432
      sig 0x000306e4, pf_mask 0xed, 2018-01-25, rev 0x042c, size 15360
      sig 0x000306e7, pf_mask 0xed, 2018-02-16, rev 0x0713, size 16384
      sig 0x000306f2, pf_mask 0x6f, 2018-01-19, rev 0x003c, size 33792
      sig 0x000306f4, pf_mask 0x80, 2018-01-22, rev 0x0011, size 17408
      sig 0x00040651, pf_mask 0x72, 2018-01-18, rev 0x0023, size 21504
      sig 0x00040661, pf_mask 0x32, 2018-01-21, rev 0x0019, size 25600
      sig 0x00040671, pf_mask 0x22, 2018-01-21, rev 0x001d, size 12288
      sig 0x000406e3, pf_mask 0xc0, 2017-11-16, rev 0x00c2, size 99328
      sig 0x00050654, pf_mask 0xb7, 2018-01-26, rev 0x2000043, size 28672
      sig 0x00050662, pf_mask 0x10, 2018-01-22, rev 0x0015, size 31744
      sig 0x00050663, pf_mask 0x10, 2018-01-22, rev 0x7000012, size 22528
      sig 0x00050664, pf_mask 0x10, 2018-01-22, rev 0xf000011, size 22528
      sig 0x000506e3, pf_mask 0x36, 2017-11-16, rev 0x00c2, size 99328
      sig 0x000806e9, pf_mask 0xc0, 2018-01-21, rev 0x0084, size 98304
      sig 0x000806ea, pf_mask 0xc0, 2018-01-21, rev 0x0084, size 97280
      sig 0x000906e9, pf_mask 0x2a, 2018-01-21, rev 0x0084, size 98304
      sig 0x000906ea, pf_mask 0x22, 2018-01-21, rev 0x0084, size 96256
      sig 0x000906eb, pf_mask 0x02, 2018-01-21, rev 0x0084, size 98304
    + Implements IBRS/IBPB/STIBP support, Spectre-v2 mitigation for:
      Sandybridge, Ivy Bridge, Haswell, Broadwell, Skylake, Kaby Lake,
      Coffee Lake
    + Missing production updates:
      + Broadwell-E/EX
        Xeons (sig 0x406f1)
      + Anniedale/Morefield, Apollo Lake, Avoton, Cherry Trail, Braswell,
        Gemini Lake, Denverton
  * Update past changelog entries with new information: Intel already had
    all necessary semantics in LFENCE, so the Spectre-related Intel
    microcode changes did not need to enhance LFENCE.
  * debian/control: update Vcs-* fields for the move to salsa.debian.org

intel-microcode (3.20180312.1~bpo9+1) stretch-backports; urgency=medium

  * Rebuild for stretch-backports (no changes)

intel-microcode (3.20180312.1) unstable; urgency=medium

  * New upstream microcode data file 20180312 (closes: #886367)
    + New Microcodes:
      sig 0x00050653, pf_mask 0x97, 2018-01-29, rev 0x1000140, size 30720
      sig 0x00050665, pf_mask 0x10, 2018-01-22, rev 0xe000009, size 18432
    + Updated Microcodes:
      sig 0x000206a7, pf_mask 0x12, 2018-02-07, rev 0x002d, size 12288
      sig 0x000206d6, pf_mask 0x6d, 2018-01-30, rev 0x061c, size 18432
      sig 0x000206d7, pf_mask 0x6d, 2018-01-26, rev 0x0713, size 19456
      sig 0x000306a9, pf_mask 0x12, 2018-02-07, rev 0x001f, size 13312
      sig 0x000306c3, pf_mask 0x32, 2018-01-21, rev 0x0024, size 23552
      sig 0x000306d4, pf_mask 0xc0, 2018-01-18, rev 0x002a, size 18432
      sig 0x000306e4, pf_mask 0xed, 2018-01-25, rev 0x042c, size 15360
      sig 0x000306e7, pf_mask 0xed, 2018-02-16, rev 0x0713, size 16384
      sig 0x000306f2, pf_mask 0x6f, 2018-01-19, rev 0x003c, size 33792
      sig 0x000306f4, pf_mask 0x80, 2018-01-22, rev 0x0011, size 17408
      sig 0x00040651, pf_mask 0x72, 2018-01-18, rev 0x0023, size 21504
      sig 0x00040661, pf_mask 0x32, 2018-01-21, rev 0x0019, size 25600
      sig 0x00040671, pf_mask 0x22, 2018-01-21, rev 0x001d, size 12288
      sig 0x000406e3, pf_mask 0xc0, 2017-11-16, rev 0x00c2, size 99328
      sig 0x00050654, pf_mask 0xb7, 2018-01-26, rev 0x2000043, size 28672
      sig 0x00050662, pf_mask 0x10, 2018-01-22, rev 0x0015, size 31744
      sig 0x00050663, pf_mask 0x10, 2018-01-22, rev 0x7000012, size 22528
      sig 0x00050664, pf_mask 0x10, 2018-01-22, rev 0xf000011, size 22528
      sig 0x000506e3, pf_mask 0x36, 2017-11-16, rev 0x00c2, size 99328
      sig 0x000806e9, pf_mask 0xc0, 2018-01-21, rev 0x0084, size 98304
      sig 0x000806ea, pf_mask 0xc0, 2018-01-21, rev 0x0084, size 97280
      sig 0x000906e9, pf_mask 0x2a, 2018-01-21, rev 0x0084, size 98304
      sig 0x000906ea, pf_mask 0x22, 2018-01-21, rev 0x0084, size 96256
      sig 0x000906eb, pf_mask 0x02, 2018-01-21, rev 0x0084, size 98304
    + Implements IBRS/IBPB/STIBP support, Spectre-v2 mitigation for:
      Sandybridge, Ivy Bridge, Haswell, Broadwell, Skylake, Kaby Lake,
      Coffee Lake
    + Missing production updates:
      + Broadwell-E/EX Xeons (sig 0x406f1)
      + Anniedale/Morefield, Apollo Lake, Avoton, Cherry Trail, Braswell,
        Gemini Lake, Denverton
  * Update past changelog entries with new information: Intel already had
    all necessary semantics in LFENCE, so the Spectre-related Intel
    microcode changes did not need to enhance LFENCE.
  * debian/control: update Vcs-* fields for the move to salsa.debian.org

intel-microcode (3.20180108.1+really20171117.1) unstable; urgency=critical

  * Revert to release 20171117, as per Intel instructions issued to the
    public in 2018-01-22 (closes: #886998)
  * This effectively removes IBRS/IBPB/STIBP microcode support for Spectre
    variant 2 mitigation.

intel-microcode (3.20180108.1) unstable; urgency=high
  * New upstream microcode data file 20180108 (closes: #886367)
    + Updated Microcodes:
      sig 0x000306c3, pf_mask 0x32, 2017-11-20, rev 0x0023, size 23552
      sig 0x000306d4, pf_mask 0xc0, 2017-11-17, rev 0x0028, size 18432
      sig 0x000306e4, pf_mask 0xed, 2017-12-01, rev 0x042a, size 15360
      sig 0x000306f2, pf_mask 0x6f, 2017-11-17, rev 0x003b, size 33792
      sig 0x000306f4, pf_mask 0x80, 2017-11-17, rev 0x0010, size 17408
      sig 0x00040651, pf_mask 0x72, 2017-11-20, rev 0x0021, size 22528
      sig 0x00040661, pf_mask 0x32, 2017-11-20, rev 0x0018, size 25600
      sig 0x00040671, pf_mask 0x22, 2017-11-17, rev 0x001b, size 13312
      sig 0x000406e3, pf_mask 0xc0, 2017-11-16, rev 0x00c2, size 99328
      sig 0x00050654, pf_mask 0xb7, 2017-12-08, rev 0x200003c, size 27648
      sig 0x00050662, pf_mask 0x10, 2017-12-16, rev 0x0014, size 31744
      sig 0x00050663, pf_mask 0x10, 2017-12-16, rev 0x7000011, size 22528
      sig 0x000506e3, pf_mask 0x36, 2017-11-16, rev 0x00c2, size 99328
      sig 0x000706a1, pf_mask 0x01, 2017-12-26, rev 0x0022, size 73728
      sig 0x000806e9, pf_mask 0xc0, 2018-01-04, rev 0x0080, size 98304
      sig 0x000806ea, pf_mask 0xc0, 2018-01-04, rev 0x0080, size 98304
      sig 0x000906e9, pf_mask 0x2a, 2018-01-04, rev 0x0080, size 98304
      sig 0x000906ea, pf_mask 0x22, 2018-01-04, rev 0x0080, size 97280
      sig 0x000906eb, pf_mask 0x02, 2018-01-04, rev 0x0080, size 98304
    + Implements IBRS/IBPB support: mitigation against Spectre
      (CVE-2017-5715)
    + Very likely fixes several other errata on some of the processors
  * supplementary-ucode-CVE-2017-5715.d/: remove.
    + Downgraded microcodes:
      sig 0x000406f1, pf_mask 0xef, 2017-03-01, rev 0xb000021, size 26624
      sig 0x000506c9, pf_mask 0x03, 2017-03-25, rev 0x002c, size 16384
    + Recall related to bug #886998
  * source: remove superseded upstream data file: 20171117
  * README.Debian, copyright: update download URLs (closes: #886368)

intel-microcode (3.20171215.1) unstable; urgency=high
  * Add supplementary-ucode-CVE-2017-5715.d/: (closes: #886367)
    New upstream microcodes to partially address CVE-2017-5715
    + Updated Microcodes:
      sig 0x000306c3, pf_mask 0x32, 2017-11-20, rev 0x0023, size 23552
      sig 0x000306d4, pf_mask 0xc0, 2017-11-17, rev 0x0028, size 18432
      sig 0x000306f2, pf_mask 0x6f, 2017-11-17, rev 0x003b, size 33792
      sig 0x00040651, pf_mask 0x72, 2017-11-20, rev 0x0021, size 22528
      sig 0x000406e3, pf_mask 0xc0, 2017-11-16, rev 0x00c2, size 99328
      sig 0x000406f1, pf_mask 0xef, 2017-11-18, rev 0xb000025, size 27648
      sig 0x00050654, pf_mask 0xb7, 2017-11-21, rev 0x200003a, size 27648
      sig 0x000506c9, pf_mask 0x03, 2017-11-22, rev 0x002e, size 16384
      sig 0x000806e9, pf_mask 0xc0, 2017-12-03, rev 0x007c, size 98304
      sig 0x000906e9, pf_mask 0x2a, 2017-12-03, rev 0x007c, size 98304
  * Implements IBRS and IBPB support via new MSR (Spectre variant 2
    mitigation, indirect branches). Support is exposed through cpuid(7).EDX.

intel-microcode (3.20180312.1~bpo8+1) jessie-backports-sloppy; urgency=medium

  * Rebuild for jessie-backports-sloppy (no changes)

intel-microcode (3.20180312.1) unstable; urgency=medium
  * New upstream microcode data file 20180312 (closes: #886367)
    + New Microcodes:
      sig 0x00050653, pf_mask 0x97, 2018-01-29, rev 0x1000140, size 30720
      sig 0x00050665, pf_mask 0x10, 2018-01-22, rev 0xe000009, size 18432
    + Updated Microcodes:
      sig 0x000206a7, pf_mask 0x12, 2018-02-07, rev 0x002d, size 12288
      sig 0x000206d6, pf_mask 0x6d, 2018-01-30, rev 0x061c, size 18432
      sig 0x000206d7, pf_mask 0x6d, 2018-01-26, rev 0x0713, size 19456
      sig 0x000306a9, pf_mask 0x12, 2018-02-07, rev 0x001f, size 13312
      sig 0x000306c3, pf_mask 0x32, 2018-01-21, rev 0x0024, size 23552
      sig 0x000306d4, pf_mask 0xc0, 2018-01-18, rev 0x002a, size 18432
      sig 0x000306e4, pf_mask 0xed, 2018-01-25, rev 0x042c, size 15360
      sig 0x000306e7, pf_mask 0xed, 2018-02-16, rev 0x0713, size 16384
      sig 0x000306f2, pf_mask 0x6f, 2018-01-19, rev 0x003c, size 33792
      sig 0x000306f4, pf_mask 0x80, 2018-01-22, rev 0x0011, size 17408
      sig 0x00040651, pf_mask 0x72, 2018-01-18, rev 0x0023, size 21504
      sig 0x00040661, pf_mask 0x32, 2018-01-21, rev 0x0019, size 25600
      sig 0x00040671, pf_mask 0x22, 2018-01-21, rev 0x001d, size 12288
      sig 0x000406e3, pf_mask 0xc0, 2017-11-16, rev 0x00c2, size 99328
      sig 0x00050654, pf_mask 0xb7, 2018-01-26, rev 0x2000043, size 28672
      sig 0x00050662, pf_mask 0x10, 2018-01-22, rev 0x0015, size 31744
      sig 0x00050663, pf_mask 0x10, 2018-01-22, rev 0x7000012, size 22528
      sig 0x00050664, pf_mask 0x10, 2018-01-22, rev 0xf000011, size 22528
      sig 0x000506e3, pf_mask 0x36, 2017-11-16, rev 0x00c2, size 99328
      sig 0x000806e9, pf_mask 0xc0, 2018-01-21, rev 0x0084, size 98304
      sig 0x000806ea, pf_mask 0xc0, 2018-01-21, rev 0x0084, size 97280
      sig 0x000906e9, pf_mask 0x2a, 2018-01-21, rev 0x0084, size 98304
      sig 0x000906ea, pf_mask 0x22, 2018-01-21, rev 0x0084, size 96256
      sig 0x000906eb, pf_mask 0x02, 2018-01-21, rev 0x0084, size 98304
    + Implements IBRS/IBPB/STIBP support, Spectre-v2 mitigation for:
      Sandybridge, Ivy Bridge, Haswell, Broadwell, Skylake, Kaby Lake,
      Coffee Lake
    + Missing production updates:
      + Broadwell-E/EX
        Xeons (sig 0x406f1)
      + Anniedale/Morefield, Apollo Lake, Avoton, Cherry Trail, Braswell,
        Gemini Lake, Denverton
  * Update past changelog entries with new information: Intel already had
    all necessary semantics in LFENCE, so the Spectre-related Intel
    microcode changes did not need to enhance LFENCE.
  * debian/control: update Vcs-* fields for the move to salsa.debian.org

intel-microcode (3.20180108.1+really20171117.1) unstable; urgency=critical

  * Revert to release 20171117, as per Intel instructions issued to the
    public in 2018-01-22 (closes: #886998)
  * This effectively removes IBRS/IBPB/STIBP microcode support for Spectre
    variant 2 mitigation.

intel-microcode (3.20180108.1) unstable; urgency=high

  * New upstream microcode data file 20180108 (closes: #886367)
    + Updated Microcodes:
      sig 0x000306c3, pf_mask 0x32, 2017-11-20, rev 0x0023, size 23552
      sig 0x000306d4, pf_mask 0xc0, 2017-11-17, rev 0x0028, size 18432
      sig 0x000306e4, pf_mask 0xed, 2017-12-01, rev 0x042a, size 15360
      sig 0x000306f2, pf_mask 0x6f, 2017-11-17, rev 0x003b, size 33792
      sig 0x000306f4, pf_mask 0x80, 2017-11-17, rev 0x0010, size 17408
      sig 0x00040651, pf_mask 0x72, 2017-11-20, rev 0x0021, size 22528
      sig 0x00040661, pf_mask 0x32, 2017-11-20, rev 0x0018, size 25600
      sig 0x00040671, pf_mask 0x22, 2017-11-17, rev 0x001b, size 13312
      sig 0x000406e3, pf_mask 0xc0, 2017-11-16, rev 0x00c2, size 99328
      sig 0x00050654, pf_mask 0xb7, 2017-12-08, rev 0x200003c, size 27648
      sig 0x00050662, pf_mask 0x10, 2017-12-16, rev 0x0014, size 31744
      sig 0x00050663, pf_mask 0x10, 2017-12-16, rev 0x7000011, size 22528
      sig 0x000506e3, pf_mask 0x36, 2017-11-16, rev 0x00c2, size 99328
      sig 0x000706a1, pf_mask 0x01, 2017-12-26, rev 0x0022, size 73728
      sig 0x000806e9, pf_mask 0xc0, 2018-01-04, rev 0x0080, size 98304
      sig 0x000806ea, pf_mask 0xc0, 2018-01-04, rev 0x0080, size 98304
      sig 0x000906e9, pf_mask 0x2a, 2018-01-04, rev 0x0080, size 98304
      sig 0x000906ea, pf_mask 0x22, 2018-01-04, rev 0x0080, size 97280
      sig 0x000906eb, pf_mask 0x02, 2018-01-04, rev 0x0080, size 98304
    + Implements IBRS/IBPB support: mitigation against Spectre
      (CVE-2017-5715)
    + Very likely fixes several other errata on some of the processors
  * supplementary-ucode-CVE-2017-5715.d/: remove.
    + Downgraded microcodes:
      sig 0x000406f1, pf_mask 0xef, 2017-03-01, rev 0xb000021, size 26624
      sig 0x000506c9, pf_mask 0x03, 2017-03-25, rev 0x002c, size 16384
    + Recall related to bug #886998
  * source: remove superseded upstream data file: 20171117
  * README.Debian, copyright: update download URLs (closes: #886368)

intel-microcode (3.20171215.1) unstable; urgency=high

  * Add supplementary-ucode-CVE-2017-5715.d/: (closes: #886367)
    New upstream microcodes to partially address CVE-2017-5715
    + Updated Microcodes:
      sig 0x000306c3, pf_mask 0x32, 2017-11-20, rev 0x0023, size 23552
      sig 0x000306d4, pf_mask 0xc0, 2017-11-17, rev 0x0028, size 18432
      sig 0x000306f2, pf_mask 0x6f, 2017-11-17, rev 0x003b, size 33792
      sig 0x00040651, pf_mask 0x72, 2017-11-20, rev 0x0021, size 22528
      sig 0x000406e3, pf_mask 0xc0, 2017-11-16, rev 0x00c2, size 99328
      sig 0x000406f1, pf_mask 0xef, 2017-11-18, rev 0xb000025, size 27648
      sig 0x00050654, pf_mask 0xb7, 2017-11-21, rev 0x200003a, size 27648
      sig 0x000506c9, pf_mask 0x03, 2017-11-22, rev 0x002e, size 16384
      sig 0x000806e9, pf_mask 0xc0, 2017-12-03, rev 0x007c, size 98304
      sig 0x000906e9, pf_mask 0x2a, 2017-12-03, rev 0x007c, size 98304
  * Implements IBRS and IBPB support via new MSR (Spectre variant 2
    mitigation, indirect branches). Support is exposed through cpuid(7).EDX.

intel-microcode (3.20180108.1+really20171117.1) unstable; urgency=critical

  * Revert to release 20171117, as per Intel instructions issued to the
    public in 2018-01-22 (closes: #886998)
  * This effectively removes IBRS/IBPB/STIBP microcode support for Spectre
    variant 2 mitigation.

intel-microcode (3.20180108.1) unstable; urgency=high
  * New upstream microcode data file 20180108 (closes: #886367)
    + Updated Microcodes:
      sig 0x000306c3, pf_mask 0x32, 2017-11-20, rev 0x0023, size 23552
      sig 0x000306d4, pf_mask 0xc0, 2017-11-17, rev 0x0028, size 18432
      sig 0x000306e4, pf_mask 0xed, 2017-12-01, rev 0x042a, size 15360
      sig 0x000306f2, pf_mask 0x6f, 2017-11-17, rev 0x003b, size 33792
      sig 0x000306f4, pf_mask 0x80, 2017-11-17, rev 0x0010, size 17408
      sig 0x00040651, pf_mask 0x72, 2017-11-20, rev 0x0021, size 22528
      sig 0x00040661, pf_mask 0x32, 2017-11-20, rev 0x0018, size 25600
      sig 0x00040671, pf_mask 0x22, 2017-11-17, rev 0x001b, size 13312
      sig 0x000406e3, pf_mask 0xc0, 2017-11-16, rev 0x00c2, size 99328
      sig 0x00050654, pf_mask 0xb7, 2017-12-08, rev 0x200003c, size 27648
      sig 0x00050662, pf_mask 0x10, 2017-12-16, rev 0x0014, size 31744
      sig 0x00050663, pf_mask 0x10, 2017-12-16, rev 0x7000011, size 22528
      sig 0x000506e3, pf_mask 0x36, 2017-11-16, rev 0x00c2, size 99328
      sig 0x000706a1, pf_mask 0x01, 2017-12-26, rev 0x0022, size 73728
      sig 0x000806e9, pf_mask 0xc0, 2018-01-04, rev 0x0080, size 98304
      sig 0x000806ea, pf_mask 0xc0, 2018-01-04, rev 0x0080, size 98304
      sig 0x000906e9, pf_mask 0x2a, 2018-01-04, rev 0x0080, size 98304
      sig 0x000906ea, pf_mask 0x22, 2018-01-04, rev 0x0080, size 97280
      sig 0x000906eb, pf_mask 0x02, 2018-01-04, rev 0x0080, size 98304
    + Implements IBRS/IBPB support and enhances LFENCE: mitigation against
      Spectre (CVE-2017-5715)
    + Very likely fixes several other errata on some of the processors
  * supplementary-ucode-CVE-2017-5715.d/: remove.
    + Downgraded microcodes:
      sig 0x000406f1, pf_mask 0xef, 2017-03-01, rev 0xb000021, size 26624
      sig 0x000506c9, pf_mask 0x03, 2017-03-25, rev 0x002c, size 16384
    + This removes IBRS/IBPB support for these two platforms when compared
      with the previous (and unofficial) release, 20171215. We don't know
      why Intel declined to include these microcode updates (as well as
      several others) in the release.
  * source: remove superseded upstream data file: 20171117
  * README.Debian, copyright: update download URLs (closes: #886368)

intel-microcode (3.20171215.1) unstable; urgency=high

  * Add supplementary-ucode-CVE-2017-5715.d/: (closes: #886367)
    New upstream microcodes to partially address CVE-2017-5715
    + Updated Microcodes:
      sig 0x000306c3, pf_mask 0x32, 2017-11-20, rev 0x0023, size 23552
      sig 0x000306d4, pf_mask 0xc0, 2017-11-17, rev 0x0028, size 18432
      sig 0x000306f2, pf_mask 0x6f, 2017-11-17, rev 0x003b, size 33792
      sig 0x00040651, pf_mask 0x72, 2017-11-20, rev 0x0021, size 22528
      sig 0x000406e3, pf_mask 0xc0, 2017-11-16, rev 0x00c2, size 99328
      sig 0x000406f1, pf_mask 0xef, 2017-11-18, rev 0xb000025, size 27648
      sig 0x00050654, pf_mask 0xb7, 2017-11-21, rev 0x200003a, size 27648
      sig 0x000506c9, pf_mask 0x03, 2017-11-22, rev 0x002e, size 16384
      sig 0x000806e9, pf_mask 0xc0, 2017-12-03, rev 0x007c, size 98304
      sig 0x000906e9, pf_mask 0x2a, 2017-12-03, rev 0x007c, size 98304
  * Implements IBRS and IBPB support via new MSR (Spectre variant 2
    mitigation, indirect branches). Support is exposed through cpuid(7).EDX.
  * LFENCE terminates all previous instructions (Spectre variant 2
    mitigation, conditional branches).

intel-microcode (3.20171117.1) unstable; urgency=medium

  * New upstream microcode data file 20171117
    + New Microcodes:
      sig 0x000506c9, pf_mask 0x03, 2017-03-25, rev 0x002c, size 16384
      sig 0x000706a1, pf_mask 0x01, 2017-10-31, rev 0x001e, size 72704
      sig 0x000906ea, pf_mask 0x22, 2017-08-23, rev 0x0070, size 95232
      sig 0x000906eb, pf_mask 0x02, 2017-09-20, rev 0x0072, size 97280
    + Updated Microcodes:
      sig 0x00050654, pf_mask 0xb7, 2017-10-17, rev 0x2000035, size 26624
      sig 0x000806ea, pf_mask 0xc0, 2017-08-03, rev 0x0070, size 96256
  * source: remove superseded upstream data file: 20170707.
  * source: remove unneeded intel-ucode/ directory for 20171117.
  * debian/control: bump standards version to 4.1.1 (no changes)
  * Makefile: rename microcode-extras.pbin to microcode-includes.pbin.
  * README.source: fix IUC_EXCLUDE example and minor issues.
  * Makefile, README.source: support loading ucode from directories.
  * debian/rules: switch to dh mode (debhelper v9)
  * ucode-blacklist: blacklist sig 0x406f1 (Skylake-X H0) from late loading.

intel-microcode (3.20171117.1~bpo9+1) stretch-backports; urgency=medium

  * Rebuild for stretch-backports (no changes)

intel-microcode (3.20171117.1) unstable; urgency=medium

  * New upstream microcode data file 20171117
    + New Microcodes:
      sig 0x000506c9, pf_mask 0x03, 2017-03-25, rev 0x002c, size 16384
      sig 0x000706a1, pf_mask 0x01, 2017-10-31, rev 0x001e, size 72704
      sig 0x000906ea, pf_mask 0x22, 2017-08-23, rev 0x0070, size 95232
      sig 0x000906eb, pf_mask 0x02, 2017-09-20, rev 0x0072, size 97280
    + Updated Microcodes:
      sig 0x00050654, pf_mask 0xb7, 2017-10-17, rev 0x2000035, size 26624
      sig 0x000806ea, pf_mask 0xc0, 2017-08-03, rev 0x0070, size 96256
  * source: remove superseded upstream data file: 20170707.
  * source: remove unneeded intel-ucode/ directory for 20171117.
  * debian/control: bump standards version to 4.1.1 (no changes)
  * Makefile: rename microcode-extras.pbin to microcode-includes.pbin.
  * README.source: fix IUC_EXCLUDE example and minor issues.
  * Makefile, README.source: support loading ucode from directories.
  * debian/rules: switch to dh mode (debhelper v9)
  * ucode-blacklist: blacklist sig 0x406f1 (Skylake-X H0) from late loading.

intel-microcode (3.20170707.1~bpo9+1) stretch-backports; urgency=high

  * Rebuild for stretch-backports (no changes)

intel-microcode (3.20170707.1) unstable; urgency=high
  * New upstream microcode datafile 20170707
    + New Microcodes:
      sig 0x00050654, pf_mask 0x97, 2017-06-01, rev 0x2000022, size 25600
      sig 0x000806e9, pf_mask 0xc0, 2017-04-27, rev 0x0062, size 97280
      sig 0x000806ea, pf_mask 0xc0, 2017-05-23, rev 0x0066, size 95232
      sig 0x000906e9, pf_mask 0x2a, 2017-04-06, rev 0x005e, size 97280
    + This release fixes the nightmare-level errata SKZ7/SKW144/SKL150/
      SKX150 (Skylake) KBL095/KBW095 (Kaby Lake) for all affected Kaby Lake
      and Skylake processors: Skylake D0/R0 were fixed since the previous
      upstream release (20170511). This new release adds the fixes for
      Kaby Lake Y0/B0/H0 and Skylake H0 (Skylake-E/X).
    + Fix undisclosed errata in Skylake H0 (0x50654), Kaby Lake Y0
      (0x806ea), Kaby Lake H0 (0x806e9), Kaby Lake B0 (0x906e9)
  * source: remove unneeded intel-ucode/ directory
  * source: remove superseded upstream data file: 20170511

intel-microcode (3.20170511.1) unstable; urgency=medium

  * New upstream microcode datafile 20170511
    + Updated Microcodes:
      sig 0x000306c3, pf_mask 0x32, 2017-01-27, rev 0x0022, size 22528
      sig 0x000306d4, pf_mask 0xc0, 2017-01-27, rev 0x0025, size 17408
      sig 0x000306f2, pf_mask 0x6f, 2017-01-30, rev 0x003a, size 32768
      sig 0x000306f4, pf_mask 0x80, 2017-01-30, rev 0x000f, size 16384
      sig 0x00040651, pf_mask 0x72, 2017-01-27, rev 0x0020, size 20480
      sig 0x00040661, pf_mask 0x32, 2017-01-27, rev 0x0017, size 24576
      sig 0x00040671, pf_mask 0x22, 2017-01-27, rev 0x0017, size 11264
      sig 0x000406e3, pf_mask 0xc0, 2017-04-09, rev 0x00ba, size 98304
      sig 0x000406f1, pf_mask 0xef, 2017-03-01, rev 0xb000021, size 26624
      sig 0x000506e3, pf_mask 0x36, 2017-04-09, rev 0x00ba, size 98304
    + This release fixes undisclosed errata on the desktop, mobile and
      server processor models from the Haswell, Broadwell, and Skylake
      families, including even the high-end multi-socket server Xeons
    + Likely fix the TSC-Deadline LAPIC errata (BDF89, SKL142 and similar)
      on several processor families
    + Fix erratum BDF90 on Xeon E7v4, E5v4(?)
      (closes: #862606)
    + Likely fix serious or critical Skylake errata: SKL138/144,
      SKL137/145, SKL149
  * Likely fix nightmare-level Skylake erratum SKL150. Fortunately, either
    this erratum is very-low-hitting, or gcc/clang/icc/msvc won't usually
    issue the affected opcode pattern and it ends up being rare.
    SKL150 - Short loops using both the AH/BH/CH/DH registers and the
    corresponding wide register *may* result in unpredictable system
    behavior. Requires both logical processors of the same core (i.e.
    sibling hyperthreads) to be active to trigger, as well as a "complex
    set of micro-architectural conditions"
  * source: remove unneeded intel-ucode/ directory
    Since release 20170511, upstream ships the microcodes both in .dat
    format, and as Linux-style split /lib/firmware/intel-ucode files. It
    is simpler to just use the .dat format file for now, so remove the
    intel-ucode/ directory. Note: before removal, it was verified that
    there were no discrepancies between the two microcode sets (.dat and
    intel-ucode/)
  * source: remove superseded upstream data file: 20161104

intel-microcode (3.20161104.1) unstable; urgency=medium

  * New upstream microcode datafile 20161104
    + New Microcodes:
      sig 0x00050663, pf_mask 0x10, 2016-10-12, rev 0x700000d, size 20480
      sig 0x00050664, pf_mask 0x10, 2016-06-02, rev 0xf00000a, size 21504
    + Updated Microcodes:
      sig 0x000306f2, pf_mask 0x6f, 2016-10-07, rev 0x0039, size 32768
      sig 0x000406f1, pf_mask 0xef, 2016-10-07, rev 0xb00001f, size 25600
    + Removed Microcodes:
      sig 0x000106e4, pf_mask 0x09, 2013-07-01, rev 0x0003, size 6144
    + This update fixes critical errata on Broadwell-DE V2/Y0 (Xeon D-1500
      family), including one that can crash VMWare ESXi 6 with #PF (VMWare
      KB2146388), and could affect Linux as well.
      This same issue was fixed for the E5v4 Xeons in release 20160607
    + This update fixes undisclosed (and likely critical) errata on Broadwell-E Core i7-68xxK/69xxK/6950X, Broadwell-EP/EX B0/R0/M0 Xeon E5v4 and Xeon E7v4, and Haswell-EP Xeon E5v3
    + This release deletes the microcode update for the Jasper Forest embedded Xeons (Xeon EC35xx/LC35xx/EC35xx/LC55xx), for undisclosed reasons. The deleted microcode is outdated when compared with the updates for the other Nehalem Xeons
  * Makefile: always exclude microcode sig 0x206c2 just in case
    Intel is quite clear in the Intel SA-00030 advisory text that recent revisions (0x14 and later?) of the 0x206c2 microcode updates must be installed along with updated SINIT ACM on vPro systems (i.e. through an UEFI/BIOS firmware update). This is a defensive change so that we don't ship such a microcode update in the future by mistake
  * source: remove partially superseded upstream data file: 20160714
  * source: remove superseded upstream data file: 20101123
  * changelog: replace "pf mask" with "pf_mask"
  * control, compat: switch debhelper compatibility level to 9
  * control: bump standards-version, no changes required
  .
intel-microcode (3.20160714.1) unstable; urgency=medium
  .
  * New upstream microcode datafile 20160714
    + Updated Microcodes:
      sig 0x000306f4, pf mask 0x80, 2016-06-07, rev 0x000d, size 15360
      sig 0x000406e3, pf mask 0xc0, 2016-06-22, rev 0x009e, size 97280
      sig 0x000406f1, pf mask 0xef, 2016-06-06, rev 0xb00001d, size 25600
      sig 0x000506e3, pf mask 0x36, 2016-06-22, rev 0x009e, size 97280
    + This release hopefully fixes a hang when updating the microcode on some Skylake-U D-1/Skylake-Y D-1 (sig 0x406e3, pf 0x80) systems
  * source: remove superseded upstream data file: 20160607
  .
intel-microcode (3.20160607.2) unstable; urgency=low
  .
  * REMOVE microcode:
    sig 0x000406e3, pf mask 0xc0, 2016-04-06, rev 0x008a, size 96256
    (closes: #828819)
  * The Core i7-6500U and m3-6Y30 processors (Skylake-UY D-1, sig=0x406e3, pf=0x80) may hang while attempting an early microcode update to revision 0x8a, apparently due to some sort of firmware dependency. On affected systems, the only way to avoid the issue is to get a firmware update that includes microcode revision 0x8a or later. At this time, there are reports of both successful and failed updates on the m3-6Y30, and only of failed updates on the i7-6500U. There are no reports about Skylake-U K-1 (pf=0x40).
    + WARNING: it is unsafe to use a system based on an Intel Skylake-U/Y processor with microcode earlier than revision 0x8a, due to several critical errata that cause unpredictable behavior, data corruption, and other problems. Users *must* update their firmware to get microcode 0x8a or newer, and keep it up-to-date.
  .
intel-microcode (3.20160607.1) unstable; urgency=medium
  .
  * New upstream microcode data file 20160607
    + New Microcodes:
      sig 0x000406e3, pf mask 0xc0, 2016-04-06, rev 0x008a, size 96256
      sig 0x000406f1, pf mask 0xef, 2016-05-20, rev 0xb00001c, size 25600
      sig 0x00050662, pf mask 0x10, 2015-12-12, rev 0x000f, size 28672
      sig 0x000506e3, pf mask 0x36, 2016-04-06, rev 0x008a, size 96256
    + Updated Microcodes:
      sig 0x000306c3, pf mask 0x32, 2016-03-16, rev 0x0020, size 22528
      sig 0x000306d4, pf mask 0xc0, 2016-04-29, rev 0x0024, size 17408
      sig 0x000306f2, pf mask 0x6f, 2016-03-28, rev 0x0038, size 32768
      sig 0x000306f4, pf mask 0x80, 2016-02-11, rev 0x000a, size 15360
      sig 0x00040651, pf mask 0x72, 2016-04-01, rev 0x001f, size 20480
      sig 0x00040661, pf mask 0x32, 2016-04-01, rev 0x0016, size 24576
      sig 0x00040671, pf mask 0x22, 2016-04-29, rev 0x0016, size 11264
  * source: remove superseded upstream data file: 20151106.
  * control: change upstream URL to a search for "linux microcode"
    Unfortunately, many of the per-processor-model feeds have not been updated for microcode release 20160607. Switch to the general search page as the upstream URL.
  * README.Debian: fix duplicated word 'to'

intel-microcode (3.20171117.1~bpo8+1) jessie-backports-sloppy; urgency=medium
  .
  * Rebuild for jessie-backports-sloppy (no changes)
  .
intel-microcode (3.20171117.1) unstable; urgency=medium
  .
  * New upstream microcode data file 20171117
    + New Microcodes:
      sig 0x000506c9, pf_mask 0x03, 2017-03-25, rev 0x002c, size 16384
      sig 0x000706a1, pf_mask 0x01, 2017-10-31, rev 0x001e, size 72704
      sig 0x000906ea, pf_mask 0x22, 2017-08-23, rev 0x0070, size 95232
      sig 0x000906eb, pf_mask 0x02, 2017-09-20, rev 0x0072, size 97280
    + Updated Microcodes:
      sig 0x00050654, pf_mask 0xb7, 2017-10-17, rev 0x2000035, size 26624
      sig 0x000806ea, pf_mask 0xc0, 2017-08-03, rev 0x0070, size 96256
  * source: remove superseded upstream data file: 20170707.
  * source: remove unneeded intel-ucode/ directory for 20171117.
  * debian/control: bump standards version to 4.1.1 (no changes)
  * Makefile: rename microcode-extras.pbin to microcode-includes.pbin.
  * README.source: fix IUC_EXCLUDE example and minor issues.
  * Makefile, README.source: support loading ucode from directories.
  * debian/rules: switch to dh mode (debhelper v9)
  * ucode-blacklist: blacklist sig 0x406f1 (Skylake-X H0) from late loading.

intel-microcode (3.20170707.1) unstable; urgency=high
  .
  * New upstream microcode datafile 20170707
    + New Microcodes:
      sig 0x00050654, pf_mask 0x97, 2017-06-01, rev 0x2000022, size 25600
      sig 0x000806e9, pf_mask 0xc0, 2017-04-27, rev 0x0062, size 97280
      sig 0x000806ea, pf_mask 0xc0, 2017-05-23, rev 0x0066, size 95232
      sig 0x000906e9, pf_mask 0x2a, 2017-04-06, rev 0x005e, size 97280
    + This release fixes the nightmare-level errata SKZ7/SKW144/SKL150/SKX150 (Skylake) KBL095/KBW095 (Kaby Lake) for all affected Kaby Lake and Skylake processors: Skylake D0/R0 were fixed since the previous upstream release (20170511). This new release adds the fixes for Kaby Lake Y0/B0/H0 and Skylake H0 (Skylake-E/X).
    + Fix undisclosed errata in Skylake H0 (0x50654), Kaby Lake Y0 (0x806ea), Kaby Lake H0 (0x806e9), Kaby Lake B0 (0x906e9)
  * source: remove unneeded intel-ucode/ directory
  * source: remove superseded upstream data file: 20170511

intel-microcode (3.20170707.1~deb9u1) stretch; urgency=medium
  .
  * Rebuild for stretch (no changes)
  .
intel-microcode (3.20170707.1) unstable; urgency=high
  .
  * New upstream microcode datafile 20170707
    + New Microcodes:
      sig 0x00050654, pf_mask 0x97, 2017-06-01, rev 0x2000022, size 25600
      sig 0x000806e9, pf_mask 0xc0, 2017-04-27, rev 0x0062, size 97280
      sig 0x000806ea, pf_mask 0xc0, 2017-05-23, rev 0x0066, size 95232
      sig 0x000906e9, pf_mask 0x2a, 2017-04-06, rev 0x005e, size 97280
    + This release fixes the nightmare-level errata SKZ7/SKW144/SKL150/SKX150 (Skylake) KBL095/KBW095 (Kaby Lake) for all affected Kaby Lake and Skylake processors: Skylake D0/R0 were fixed since the previous upstream release (20170511). This new release adds the fixes for Kaby Lake Y0/B0/H0 and Skylake H0 (Skylake-E/X).
    + Fix undisclosed errata in Skylake H0 (0x50654), Kaby Lake Y0 (0x806ea), Kaby Lake H0 (0x806e9), Kaby Lake B0 (0x906e9)
  * source: remove unneeded intel-ucode/ directory
  * source: remove superseded upstream data file: 20170511

isc-dhcp (4.3.1-6+deb8u3) jessie-security; urgency=high
  .
  * Non-maintainer upload by the Security Team.
  * Plugs a socket descriptor leak in OMAPI (CVE-2017-3144) (Closes: #887413)
  * Corrected refcnt loss in option parsing (CVE-2018-5733) (Closes: #891785)
  * Correct buffer overrun in pretty_print_option (CVE-2018-5732) (Closes: #891786)

isc-dhcp (4.3.1-6+deb8u2+kbsd8u1) jessie-kfreebsd; urgency=medium
  .
  * Upload to jessie-kfreebsd

jackson-databind (2.4.2-2+deb8u4) jessie-security; urgency=high
  .
  * Team upload.
  * Fix CVE-2018-7489: allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 deserialization flaw. This is exploitable by sending maliciously crafted JSON input to the readValue method of the ObjectMapper, bypassing a blacklist that is ineffective if the c3p0 libraries are available in the classpath. (Closes: #891614)

jackson-databind (2.4.2-2+deb8u3) jessie-security; urgency=high
  .
  * Team upload.
  * Fix CVE-2017-17485 and CVE-2018-5968: Bypass of deserialization blacklist to disallow unauthenticated remote code execution. These CVEs exist due to an incomplete fix for CVE-2017-7525. (Closes: #888316, #888318)

kamailio (4.2.0-2+deb8u3) jessie-security; urgency=medium
  .
  * fixes from upstream related to security issues CVE-2018-8828
    https://www.kamailio.org/w/2018/03/kamailio-security-announcement-tmx-lcr/

lame (3.99.5+repack1-7+deb8u2) jessie; urgency=high
  .
  [ Fabian Greffrath ]
  .
  * Build the frontend with the sndfile io routines, RAW PCM and WAV can be read from stdin since at least 3.99.0 (Closes: #867725).
    - Add Build-Depends: libsndfile1-dev.
  .
  Addressed CVEs: CVE-2017-9872, CVE-2017-9871, CVE-2017-9870, CVE-2017-9869, CVE-2017-15046, CVE-2017-15045, CVE-2017-15018.

ldap-account-manager (4.7.1-1+deb8u1) jessie-security; urgency=high
  .
  * XSS vulnerabilities CVE-2018-8763

libav (6:11.12-1~deb8u1) jessie-security; urgency=medium
  .
  * New upstream release.
    - smacker: add sanity check for length in smacker_decode_tree() (CVE-2017-16803)

libdatetime-timezone-perl (1:1.75-2+2018e) jessie; urgency=medium
  .
  * Update to Olson database version 2018e.
    This update contains contemporary changes for North Korea.

libdatetime-timezone-perl (1:1.75-2+2018d) jessie; urgency=medium
  .
  * Update to Olson database version 2018d.
    This update contains contemporary changes for Palestine and Casey Station.

libdatetime-timezone-perl (1:1.75-2+2018b) jessie; urgency=medium
  .
  * Update to Olson database version 2018b.
    This update contains contemporary changes for São Tomé and Príncipe, Brazil, and Ireland.

libextractor (1:1.3-2+deb8u1) jessie; urgency=medium
  .
  * Fix CVE-2017-15266, CVE-2017-15267, CVE-2017-15600, CVE-2017-15601, CVE-2017-15602, CVE-2017-15922 and CVE-2017-17440.
    Leon Zhao discovered several security vulnerabilities, NULL Pointer Dereferences, heap-based buffer overflows, integer signedness errors and out-of-bounds read that may lead to a denial-of-service (application crash) or have other unspecified impact.

libipc-run-perl (0.92-1+deb8u1) jessie; urgency=medium
  .
  * Backport upstream patch to fix memory leak

libmad (0.15.1b-8+deb8u1) jessie-security; urgency=high
  .
  * Properly check the size of the main data. The previous patch only checked that it could fit in the buffer, but didn't ensure there was actually enough room free in the buffer. This was assigned both CVE-2017-8372 and CVE-2017-8373, but they are really the same, just a different way to detect it. (Closes: #287519)
  * Rewrite patch to check the size of buffer. It now checks it before reading it instead of afterwards checking that we did read too much. This now also covers parsing the frame and layer3, not just layer 1 and 2. This was originally reported in #508133. CVE-2017-8374 mentions a case in layer 3.

librelp (1.2.7-2+deb8u1) jessie-security; urgency=high
  .
  * Non-maintainer upload by the Security Team.
  * Stack-based buffer overflow in relpTcpChkPeerName function (CVE-2018-1000140)

libreoffice (1:4.3.3-2+deb8u11) jessie-security; urgency=high
  .
  * debian/patches/CVE-2018-10119.diff, debian/patches/CVE-2018-10120.diff: as name says...

libreoffice (1:4.3.3-2+deb8u10) jessie-security; urgency=high
  .
  * debian/patches/WEBSERVICE-only-http-and-https.diff: backport; as name says. fix for "Remote arbitrary file disclosure vulnerability via WEBSERVICE formula" (CVE-2018-1055 / CVE-2018-6871)
  * debian/patches/layout-footnote-use-after-free.diff: add; as name says. possible patch for iDefense V-mct3ei5wml

libsdl2-image (2.0.0+dfsg-3+deb8u1) jessie-security; urgency=high
  .
  * Backport various security fixes:
    - CVE-2017-2887
    - CVE-2017-12122
    - CVE-2017-14440
    - CVE-2017-14441
    - CVE-2017-14442
    - CVE-2017-14448
    - CVE-2017-14449
    - CVE-2017-14450
    - CVE-2018-3837
    - CVE-2018-3838
    - CVE-2018-3839

libvirt (1.2.9-9+deb8u5) jessie-security; urgency=high
  .
  * Switch gbp.conf to jessie
  * Rediff patches to avoid diff noise when using gbp-pq.
  * CVE-2018-5748: qemu: avoid denial of service reading from QEMU monitor (Closes: #887700)
  * CVE-2018-1064: qemu: avoid denial of service reading from QEMU guest agent

libvncserver (0.9.9+dfsg2-6.1+deb8u3) jessie-security; urgency=high
  .
  * Non-maintainer upload.
  * Fix CVE-2018-7225: Uninitialized and potentially sensitive data could be accessed by remote attackers because the msg.cct.length in rfbserver.c was not sanitized. (Closes: #894045)

libvorbis (1.3.4-2+deb8u1) jessie-security; urgency=high
  .
  * Non-maintainer upload by the Security Team.
  * Prevent out-of-bounds write in codebook decoding (CVE-2018-5146)

libvorbisidec (1.0.2+svn18153-1~deb8u2) jessie-security; urgency=high
  .
  * Non-maintainer upload by the Security Team.
  * Prevent out-of-bounds write in codebook decoding (CVE-2018-5147) (Closes: #893132)

libvpx (1.3.0-3+deb8u1) jessie-security; urgency=high
  .
  * Fix OOB caused by odd frame width (CVE-2017-13194)

libxcursor (1:1.1.14-1+deb8u1) jessie-security; urgency=high
  .
  * Non-maintainer upload by the Security Team.
  * Fix heap overflows when parsing malicious files (CVE-2017-16612) (Closes: #883792)

libxml2 (2.9.1+dfsg1-5+deb8u6) jessie-security; urgency=high
  .
  * Non-maintainer upload by the Security Team.
  * Fix XPath stack frame logic (CVE-2017-15412) (Closes: #883790)

linux (3.16.56-1+deb8u1) jessie-security; urgency=high
  .
  [ Ben Hutchings ]
  * [mipsel] Apply the Loongson-3 part of "Respect the ISA level in FCSR handling" (fixes FTBFS)
  * tun: allow positive return values on dev_get_valid_name() call (Closes: #897427, regression in 3.16.56-1)
  * [x86] microcode: Fix accessing dis_ucode_ldr on 32-bit
  * [x86] microcode: Do not load when running on a hypervisor (Closes: #898067, regression in 3.16.56-1)
  * sctp: Fix mangled IPv4 addresses on a IPv6 listening socket (Closes: #898100, regression in 3.16.56-1)
  * [x86] traps: Enable DEBUG_STACK after cpu_init() for TRAP_DB/BP
  .
  [ Salvatore Bonaccorso ]
  * [x86] x86/entry/64: Don't use IST entry for #BP stack (CVE-2018-8897)
  * [x86] kvm: fix icebp instruction handling (CVE-2018-1087)

linux (3.16.56-1) jessie-security; urgency=high
  .
  * New upstream stable update:
    https://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.16.52
    - iwlwifi: mvm: use IWL_HCMD_NOCOPY for MCAST_FILTER_CMD
    - cifs: check rsp for NULL before dereferencing in SMB2_open
    - HID: i2c-hid: allocate hid buffers for real worst case
    - spi: uapi: spidev: add missing ioctl header
    - scsi: lpfc: Don't return internal MBXERR_ERROR code from probe function
    - uwb: ensure that endpoint is interrupt
    - uwb: properly check kthread_run return value (CVE-2017-16526)
    - usb: Increase quirk delay for USB devices
    - xhci: fix finding correct bus_state structure for USB 3.1 hosts
    - usb: pci-quirks.c: Corrected timeout values used in handshake
    - ip6_gre: skb_push ipv6hdr before packing the header in ip6gre_header
    - [s390*] mm: fix write access check in gup_huge_pmd()
    - gpio: acpi: work around false-positive -Wstring-overflow warning
    - tracing: Erase irqsoff trace with empty write
    - tracing: Fix trace_pipe behavior for instance traces
    - tcp: fastopen: fix on syn-data transmit failure
    - [powerpc*] sysrq: Fix oops whem ppmu is not registered
    - usb: gadget: dummy: fix nonsensical comparisons
    - cifs: release cifs root_cred after exit_cifs
    - cifs: release auth_key.response for reconnect.
    - SMB: Validate negotiate (to protect against downgrade) even if signing off
    - [powerpc*] pseries: Fix parent_dn reference leak in add_dt_node()
    - net_sched: always reset qdisc backlog in qdisc_reset()
    - Input: uinput - avoid FF flush when destroying device
    - Input: uinput - avoid crash when sending FF request to device going away
    - usb-storage: fix bogus hardware error messages for ATA pass-thru devices
    - usb-storage: unusual_devs entry to fix write-access regression for Seagate external drives
    - USB: gadgetfs: fix copy_to_user while holding spinlock
    - USB: gadgetfs: Fix crash caused by inadequate synchronization
    - USB: g_mass_storage: Fix deadlock when driver is unbound
    - IB/ocrdma: fix incorrect fall-through on switch statement
    - SMB3: Don't ignore O_SYNC/O_DSYNC and O_DIRECT flags
    - iio: core: Return error for failed read_reg
    - KEYS: fix cred refcount leak in request_key_auth_new()
    - KEYS: don't revoke uninstantiated key in request_key_auth_new()
    - KEYS: fix key refcount leak in keyctl_assume_authority()
    - KEYS: fix key refcount leak in keyctl_read_key()
    - KEYS: fix writing past end of user-supplied buffer in keyring_read()
    - KEYS: prevent creating a different user's keyrings
    - IB/mlx5: Fix the size parameter to find_first_bit
    - IB/mlx5: Simplify mlx5_ib_cont_pages
    - security/keys: properly zero out sensitive key material in big_key
    - PCI: Fix race condition with driver_override
    - Btrfs: fix incorrect {node,sector}size endianness from BTRFS_IOC_FS_INFO
    - btrfs: prevent to set invalid default subvolid
    - [x86] drm/i915/bios: ignore HDMI on port A
    - vti: fix use after free in vti_tunnel_xmit/vti6_tnl_xmit
    - l2tp: fix race condition in l2tp_tunnel_delete
    - netfilter: ipset: pernet ops must be unregistered last
    - vfs: Return -ENXIO for negative SEEK_HOLE / SEEK_DATA offsets
    - [arm64] Make sure SPsel is always set
    - Revert "IB/ipoib: Update broadcast object if PKey value was changed in index 0"
    - USB: dummy-hcd: fix connection failures (wrong speed)
    - USB: dummy-hcd: fix infinite-loop resubmission bug
    - USB: gadgetfs, dummy-hcd, net2280: fix locking for callbacks
    - USB: dummy-hcd: Fix erroneous synchronization change
    - packet: only test po->has_vnet_hdr once in packet_snd
    - sched/sysctl: Check user input value of sysctl_sched_time_avg
    - [arm64] fault: Route pte translation faults via do_translation_fault
    - staging: iio: ade7759: fix signed extension bug on shift of a u8
    - ipv4: fix broadcast packets reception
    - IPv4: early demux can return an error code
    - udp: perform source validation for mcast early demux
    - l2tp: fix l2tp_eth module loading
    - brcmfmac: Add length checks on firmware events
    - brcmfmac: Add check for short event packets
    - ALSA: usx2y: Suppress kernel warning at page allocation failures
    - scsi: sd: Implement blacklist option for WRITE SAME w/ UNMAP
    - mm/memory_hotplug: change pfn_to_section_nr/section_nr_to_pfn macro to inline function
    - mm/memory_hotplug: define find_{smallest|biggest}_section_pfn as unsigned long
    - lsm: fix smack_inode_removexattr and xattr_getsecurity memleak
    - nl80211: Define policy for packet pattern attributes
    - netfilter: x_tables: avoid stack-out-of-bounds read in xt_copy_counters_from_user
    - ALSA: seq: Fix copy_from_user() call inside lock
    - udp: fix bcast packet reception
    - workqueue: replace pool->manager_arb mutex with a flag
    - crypto: shash - Fix zero-length shash ahash digest crash
    - direct-io: Prevent NULL pointer access in submit_page_section
    - vfs: more bio_map_user_iov() leak fixes
    - USB: dummy-hcd: Fix deadlock caused by disconnect detection
    - usb: gadget: composite: Fix use-after-free in usb_composite_overwrite_options
    - ALSA: caiaq: Fix stray URB at probe error path
    - scsi: libiscsi: fix shifting of DID_REQUEUE host byte
    - [armhf] iommu/exynos: Remove initconst attribute to avoid potential kernel oops
    - [x86] KVM: nVMX: fix guest CR4 loading when emulating L2 to L1 exit
    - [armhf] bus: mbus: fix window size calculation for 4GB windows
    - KEYS: encrypted: fix dereference of NULL user_key_payload
    - FS-Cache: fix dereference of NULL user_key_payload
    - lib/digsig: fix dereference of NULL user_key_payload
    - ecryptfs: fix dereference of NULL user_key_payload
    - [x86] iommu/amd: Finish TLB flush in amd_iommu_unmap()
    - fs/mpage.c: fix mpage_writepage() for pages with buffers
    - l2tp: check ps->sock before running pppol2tp_session_ioctl()
    - net: enable interface alias removal via rtnl
    - tun: call dev_get_valid_name() before register_netdevice()
    - [s390*] scsi: zfcp: fix erp_action use-before-initialize in REC action trace
    - usb: xhci: Handle error condition in xhci_stop_device()
    - usb: cdc_acm: Add quirk for Elatec TWN3
    - usb: quirks: add quirk for WORLDE MINI MIDI keyboard
    - ALSA: hda: Remove superfluous '-' added by printk conversion
    - [x86] microcode/intel: Disable late loading on model 79
    - [armhf] Input: ti_am335x_tsc - fix incorrect step config for 5 wire touchscreen
    - usb: hub: Allow reset retry for USB2 devices on connect bounce
    - can: esd_usb2: Fix can_dlc value for received RTR, frames
    - can: gs_usb: fix busy loop if no more TX context is available
    - sctp: add the missing sock_owned_by_user check in sctp_icmp_redirect
    - [armhf,arm64] KVM: set right LR register value for 32 bit guest when inject abort
    - [x86] cpu/AMD: Apply the Erratum 688 fix when the BIOS doesn't
    - [armel,armhf] 8715/1: add a private asm/unaligned.h
    - can: kvaser_usb: Correct return value in printout
    - fuse: fix READDIRPLUS skipping an entry
    - SMB: fix leak of validate negotiate info response buffer
    - SMB: fix validate negotiate info uninitialised memory use
    - net/unix: don't show information about sockets from other namespaces
    - xfrm: Clear sk_dst_cache when applying per-socket policy.
    - SMB3: Validate negotiate request must always be signed
    - ip6_gre: Reduce log level in ip6gre_err() to debug
    - ip6_gre: only increase err_count for some certain type icmpv6 in ip6gre_err
    - sctp: fix a type cast warnings that causes a_rwnd gets the wrong value
    - [x86] uaccess, sched/preempt: Verify access_ok() context
    - workqueue: Fix NULL pointer dereference
    - l2tp: hold tunnel in pppol2tp_connect()
    - ALSA: timer: Add missing mutex lock for compat ioctls
    - ALSA: seq: Fix nested rwsem annotation for lockdep splat
    - [mips*] Fix CM region target definitions
    - macvtap: fix TUNSETSNDBUF values > 64k
    - tun/tap: sanitize TUNSETSNDBUF input
    - tcp: fix tcp_mtu_probe() vs highest_sack
    - KEYS: return full count in keyring_read() if buffer is too small
    - KEYS: trusted: sanitize all key material
    - KEYS: trusted: fix writing past end of buffer in trusted_read()
    - KEYS: fix out-of-bounds read during ASN.1 parsing
    - [arm64] fix dump_instr when PAN and UAO are in use
    - [arm64] ensure __dump_instr() checks addr_limit
    - ocfs2: fstrim: Fix start offset of first cluster group during fstrim
    - netfilter/ipvs: clear ipvs_property flag when SKB net namespace changed
    - l2tp: hold socket before dropping lock in l2tp_ip{, 6}_recv()
    - l2tp: hold tunnel socket when handling control frames in l2tp_ip and l2tp_ip6
    - l2tp: don't use l2tp_tunnel_find() in l2tp_ip and l2tp_ip6
    - ALSA: timer: Protect the whole snd_timer_close() with open race
    - ALSA: timer: Limit max instances per timer
    - [armel,armhf] 8720/1: ensure dump_instr() checks addr_limit
    - ALSA: seq: Avoid invalid lockdep class warning
    - ALSA: seq: Fix OSS sysex delivery in OSS emulation
    - [x86] oprofile/ppro: Do not use __this_cpu*() in preemptible context
    - KEYS: fix NULL pointer dereference during ASN.1 parsing [ver #2]
    - rbd: use GFP_NOIO for parent stat and data requests
    - can: c_can: don't indicate triple sampling support for D_CAN
    - vlan: fix a use-after-free in vlan_device_event()
    - security: let security modules use PTRACE_MODE_* with bitmasks
    - ptrace: change __ptrace_unlink() to clear ->ptrace under ->siglock
    - mm: Add a user_ns owner to mm_struct and fix ptrace permission checks (CVE-2015-8709)
    - ptrace: Capture the ptracer's creds not PT_PTRACE_CAP
    - exec: Ensure mm->user_ns contains the execed files
    - ptrace: Don't allow accessing an undumpable mm
    - ptrace: Properly initialize ptracer_cred on fork
    https://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.16.53
    https://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.16.54
    - [x86] drm: gma500: fix logic error
    - staging: lustre: ptlrpc: kfree used instead of kvfree
    - ipmi: fix unsigned long underflow
    - [s390*] runtime instrumention: fix possible memory corruption
    - rtc: interface: ignore expired timers when enqueuing new timers
    - rtc: set the alarm to the next expiring timer
    - usbip: tools: Install all headers needed for libusbip development
    - [x86] drm/i915/edp: Get the Panel Power Off timestamp after panel is off
    - PCI/AER: Report non-fatal errors only to the affected endpoint
    - [x86] iommu/vt-d: Don't register bus-notifier under dmar_global_lock
    - ext4: fix interaction between i_size, fallocate, and delalloc after a crash
    - [x86] drm/i915: Read timings from the correct transcoder in intel_crtc_mode_get()
    - [x86] drm/i915/bios: parse DDI ports also for CHV for HDMI DDC pin and DP AUX channel
    - p54: don't unregister leds when they are not initialized
    - USB: serial: garmin_gps: fix I/O after failed probe and remove
    - USB: serial: garmin_gps: fix memory leak on probe errors
    - media: rc: check for integer overflow
    - [x86] KVM: nVMX: set IDTR and GDTR limits when loading L1 host state
    - USB: serial: metro-usb: stop I/O after failed open
    - bcache: check ca->alloc_thread initialized before wake up it
    - scsi: bfa: integer overflow in debugfs
    - IB/srpt: Do not accept invalid initiator port names
    - IB/srp: Avoid that a cable pull can trigger a kernel crash
    - tpm-dev-common: Reject too short writes
    - fs/9p: Compare qid.path in v9fs_test_inode
    - net/9p: Switch to wait_event_killable()
    - net: bcmgenet: enable loopback during UniMAC sw_reset
    - f2fs: expose some sectors to user in inline data or dentry case
    - mtd: nand: omap2: Fix subpage write
    - l2tp: ensure sessions are freed after their PPPOL2TP socket
    - l2tp: don't register sessions in l2tp_session_create()
    - l2tp: initialise l2tp_eth sessions before registering them
    - l2tp: protect sock pointer of struct pppol2tp_session with RCU
    - l2tp: initialise PPP sessions before registering them
    - btrfs: avoid null pointer dereference on fs_info when calling btrfs_crit
    - bcache: only permit to recovery read error when cache device is clean
    - USB: serial: qcserial: add pid/vid for Sierra Wireless EM7355 fw update
    - [arm64] vdso: minor ABI fix for clock_getres
    - [arm64] vdso: fix clock_getres for 4GiB-aligned res
    - [armhf] media: omap_vout: Fix a possible null pointer dereference in omap_vout_open()
    - mtd: nand: Fix writing mtdoops to nand flash.
    - isofs: fix timestamps beyond 2027
    - drm/ttm: once more fix ttm_buffer_object_transfer
    - drm/radeon: fix atombios on big endian
    - [armhf] clk: tegra: Fix cclk_lp divisor register
    - staging: rtl8188eu: avoid a null dereference on pmlmepriv
    - [x86] platform: sony-laptop: Fix error handling in sony_nc_setup_rfkill()
    - coda: fix 'kernel memory exposure attempt' in fsync
    - NFC: fix device-allocation error return
    - f2fs: remove redundant lines in allocate_data_block
    - Revert "f2fs: handle dirty segments inside refresh_sit_entry"
    - [powerpc*] pseries/vio: Dispose of virq mapping on vdevice unregister
    - [powerpc*] opal: Fix EBUSY bug in acquiring tokens
    - eCryptfs: use after free in ecryptfs_release_messaging()
    - [powerpc*] powernv/cpufreq: Fix the frequency read by /proc/cpuinfo
    - ACPI / APEI: Replace ioremap_page_range() with fixmap
    - ACPI / APEI: Remove ghes_ioremap_area
    - kprobes, x86/alternatives: Use text_mutex to protect smp_alt_modules
    - target: Avoid early CMD_T_PRE_EXECUTE failures during ABORT_TASK
    - target/iscsi: Fix iSCSI task reassignment handling
    - iscsi-target: Make TASK_REASSIGN use proper se_cmd->cmd_kref
    - iscsi-target: Fix non-immediate TMR reference leak
    - ima: fix hash algorithm initialization
    - USB: usbfs: compute urb->actual_length for isochronous
    - [mips*] Fix an n32 core file generation regset support regression
    - video: udlfb: Fix read EDID timeout
    - rt2x00usb: mark device removed when get ENOENT usb error
    - [s390*] fix transactional execution control register handling
    - dm: fix race between dm_get_from_kobject() and __dm_destroy() (CVE-2017-18203)
    - blktrace: Fix potential deadlock between delete & sysfs ops
    - blktrace: fix unlocked access to init/start-stop/teardown
    - IB/mlx5: Assign send CQ and recv CQ of UMR QP
    - IB/mlx4: Increase maximal message size under UD QP
    - [s390*] disassembler: increase show_code buffer size
    - sctp: Fixup v4mapped behaviour to comply with Sock API
    - sctp: fully initialize the IPv6 address in sctp_v6_to_addr()
    - net/sctp: Always set scope_id in sctp_inet6_skb_msgname
    - dm: discard support requires all targets in a table support discards
    - dm bufio: fix integer overflow when limiting maximum cache size
    - [x86] KVM: vmx: Inject #GP on invalid PAT CR
    - [x86] KVM: SVM: obey guest PAT
    - NFS: Avoid RCU usage in tracepoints
    - nfs: Fix ugly referral attributes
    - NFS: Fix typo in nomigration mount option
    - lib/int_sqrt: optimize small argument
    - autofs: don't fail mount for transient error
    - autofs: fix careless error in recent commit
    - nilfs2: fix race condition that causes file system corruption
    - route: update fnhe_expires for redirect when the fnhe exists
    - route: also update fnhe_genid when updating a route cache
    - nl80211: don't expose wdev->ssid for most interfaces
    - apparmor: ensure that undecidable profile attachments fail
    - [armhf] 8721/1: mm: dump: check hardware RO bit for LPAE
    - ALSA: timer: Remove kernel warning at compat ioctl error paths
    - ALSA: usb-audio: Add sanity checks to FE parser
    - ALSA: usb-audio: Fix potential out-of-bound access at parsing SU
    - ALSA: usb-audio: Add sanity checks in v2 clock parsers
    - [powerpc*] ixgbe: Fix skb list corruption on Power systems
    - i40e,ixgbevf,igbvf,igb,i40evf: Use smp_rmb rather than read_barrier_depends
    - netfilter: xt_TCPMSS: add more sanity tests on tcph->doff (CVE-2017-18017)
    - RDS: Heap OOB write in rds_message_alloc_sgs() (CVE-2018-5332)
    - RDS: null pointer dereference in rds_atomic_free_op (CVE-2018-5333)
    - ALSA: seq: Make ioctls race-free (CVE-2018-1000004)
    - usbip: fix NULL pointer dereference on errors
    - usbip: fix stub_rx: get_pipe() to validate endpoint number (CVE-2017-16912)
    - usbip: fix stub_rx: harden CMD_SUBMIT path to handle malicious input (CVE-2017-16913)
    - usbip: prevent vhci_hcd driver from leaking a socket pointer address (CVE-2017-16911)
    - usbip: fix stub_send_ret_submit() vulnerability to null transfer_buffer (CVE-2017-16914)
    - cx231xx: Fix the max number of interfaces
    - [x86] vdso: Move the vvar area before the vdso text
    - [x86] pvclock: Really remove the sched notifier for cross-cpu migrations
    - [x86] vdso, pvclock: Simplify and speed up the vdso pvclock reader
    - [x86] vdso: Get pvclock data from the vvar VMA instead of the fixmap
    - [x86] Revert "x86: kvmclock: Disable use from vDSO if KPTI is enabled"
    - [x86] vdso: Remove pvclock fixmap machinery
    - kaiser: Set _PAGE_NX only if supported
    https://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.16.55
    - ALSA: seq: Fix regression by incorrect ioctl_mutex usages
    - [armhf] ASoC: twl4030: fix child-node lookup
    - [x86] KVM: Exit to user-mode on #UD intercept when emulator requires
    - [x86] KVM: emulator: Return to user-mode on L1 CPL=0 emulation failure
    - [x86] KVM: Don't re-execute instruction when not passing CR2 value
    - [x86] iommu/vt-d: Fix scatterlist offset handling
    - btrfs: clear space cache inode generation always
    - scsi: dma-mapping: always provide dma_get_cache_alignment
    - scsi: use dma_get_cache_alignment() as minimum DMA alignment
    - scsi: libsas: align sata_device's rps_resp on a cacheline
    - bcache: recover data from backing when data is clean
    - [armhf] ASoC: fsl_ssi: add AC'97 ops setting check and cleanup
    - [armhf] ASoC: fsl_ssi: AC'97 ops need regmap, clock and cleaning up on failure
    - blktrace: fix trace mutex deadlock
    - [x86] drm/i915: Don't try indexed reads to alternate slave addresses
    - [x86] drm/i915: Prevent zero length "index" write
    - usb: gadget: don't dereference g until after it has been null checked
    - USB: usbfs: Filter flags passed in from user space
    - usb: host: fix incorrect updating of offset
    - USB: core: Add type-specific length check of BOS descriptors
    - usb: hub: Cycle HUB power when initialization fails
    - isa: Prevent NULL dereference in isa_bus driver callbacks
    - sctp: force the params with right types for sctp csum apis
    - net/packet: fix a race in packet_bind() and packet_notifier()
    - eeprom: at24: check at24_read/write arguments
    - [arm64] KVM: fix VTTBR_BADDR_MASK BUG_ON off-by-one
    - [armhf] KVM: Fix VTTBR_BADDR_MASK BUG_ON off-by-one
    - quota: Check for register_shrinker() failure.
    - [armhf] mfd: twl4030-audio: Fix sibling-node lookup
    - [armhf] mfd: twl6040: Fix child-node lookup
    - ALSA: seq: Remove spurious WARN_ON() at timer check
    - media: dvb: i2c transfers over usb cannot be done from stack
    - can: kvaser_usb: free buf in error paths
    - can: kvaser_usb: Fix comparison bug in kvaser_usb_read_bulk_callback()
    - can: kvaser_usb: ratelimit errors if incomplete messages are received
    - virtio: release virtio index when fail to device_register
    - xhci: Don't show incorrect WARN message about events for empty rings
    - usb: xhci: fix panic in xhci_free_virt_devices_depth_first
    - ext4: fix fdatasync(2) after fallocate(2) operation
    - ALSA: usb-audio: Fix out-of-bound error
    - ALSA: usb-audio: Add check return value for usb_string()
    - netfilter: xt_bpf: add overflow checks
    - batman-adv: Fix lock for ogm cnt access in batadv_iv_ogm_calc_tq
    - dm mpath: simplify failure path of dm_multipath_init()
    - dm: fix various targets to dm_register_target after module __init resources created
    - [s390*] always save and restore all registers on context switch
    - net_sched: red: Avoid devision by zero
    - net_sched: red: Avoid illegal values
    - ALSA: pcm: prevent UAF in snd_pcm_info
    - [x86] PCI: Make broadcom_postcore_init() check acpi_disabled
    - [arm64] fpsimd: Prevent registers leaking from dead tasks
    - efi: Move some sysfs files to be read-only by root
    - btrfs: fix missing error return in btrfs_drop_snapshot
    - Btrfs: disable FUA if mounted with nobarrier
    - btrfs: Fix possible off-by-one in btrfs_search_path_in_tree
    - net: mvmdio: disable/unprepare clocks in EPROBE_DEFER case
    - can: ems_usb: cancel urb on -EPIPE and -EPROTO
    - can: esd_usb2: cancel urb on -EPIPE and -EPROTO
    - can: kvaser_usb: cancel urb on -EPIPE and -EPROTO
    - can: usb_8dev: cancel urb on -EPIPE and -EPROTO
    - ASN.1: fix out-of-bounds read when parsing indefinite length item
    - ASN.1: check for error from ASN1_OP_END__ACT actions
    - lib/oid_registry.c: X.509: fix the buffer overflow in the utility function for OID string
    - X.509: reject invalid BIT STRING for subjectPublicKey
    - X.509: fix buffer overflow detection in sprint_oid()
    - X.509: fix printing uninitialized stack memory when OID is empty
    - USB: uas and storage: Add US_FL_BROKEN_FUA for another JMicron JMS567 ID
    - xhci: Don't add a virt_dev to the devs array before it's fully allocated
    - nl80211: fix nl80211_send_iface() error paths
    - ipv4: Use standard iovec primitive in raw_probe_proto_opt
    - ipv4: Avoid reading user iov twice after raw_probe_proto_opt
    - net: ipv4: fix for a race condition in raw_sendmsg
    - ext4: fix crash when a directory's i_size is too small
    - tcp md5sig: Use skb's saddr when replying to an incoming segment
    - [mips*] CPS: Fix r1 .set mt assembler warning
    - [mips*] clear MSACSR cause bits when handling MSA FP exception
    - [mips*] Clear [MSA]FPE CSR.Cause after notify_die()
    - [mips*] prevent FP context set via ptrace being discarded
    - [mips*] lose_fpu(): Disable FPU when MSA enabled
    - [mips*] Respect the FCSR exception mask for `si_code'
    - [mips*] Always clear FCSR cause bits after emulation
    - [mips*] Set `si_code' for SIGFPE signals sent from emulation too
    - [mips*] math-emu: Define IEEE 754-2008 feature control bits
    - [mips*] Respect the ISA level in FCSR handling
    - [mips*] Fix a preemption issue with thread's FPU defaults
    - [mips*] ptrace: Fix FP context restoration FCSR regression
    - [mips*] ptrace: Prevent writes to read-only FCSR bits
    - [mips*] MSA: bugfix - disable MSA correctly for new threads/processes.
    - [mips*] Fix FCSR Cause bit handling for correct SIGFPE issue
    - [mips*] ptrace: Preserve previous registers for short regset write
    - [mips*] Factor out NT_PRFPREG regset access helpers
    - [mips*] Guard against any partial write attempt with PTRACE_SETREGSET
    - [mips*] Fix an FCSR access API regression with NT_PRFPREG and MSA
    - [mips*] Disallow outsized PTRACE_SETREGSET NT_PRFPREG regset accesses
    - [powerpc*] perf: Dereference BHRB entries safely
    - [x86] KVM: Fix load RFLAGS w/o the fixed bit
    - ALSA: rawmidi: Avoid racy info ioctl via ctl device
    - kernel: make groups_sort calling a responsibility group_info allocators
    - nfsd: auth: Fix gid sorting when rootsquash enabled
    - posix-timer: Properly check sigevent->sigev_notify
    - [armhf,arm64] KVM: Fix HYP unmapping going off limits
    - PCI / PM: Force devices to D0 in pci_pm_thaw_noirq()
    - ACPI: APEI / ERST: Fix missing error handling in erst_reader()
    - net: phy: marvell: Limit 88m1101 autoneg errata to 88E1145 as well.
    - net: bridge: fix early call to br_stp_change_bridge_id and plug newlink leaks
    - ALSA: usb-audio: Fix the missing ctl name suffix at parsing SU
    - xfrm: Reinject transport-mode packets through tasklet
    - usbip: vhci: stop printing kernel pointer addresses in messages
    - usbip: stub: stop printing kernel pointer addresses in messages
    - usbip: prevent leaking socket pointer address in messages
    - usbip: fix usbip bind writing random string after command in match_busid
    - net/mlx5: Fix misspelling in the error message and comment
    - net/mlx5: Cleanup IRQs in case of unload failure
    - net/mlx5: Stay in polling mode when command EQ destroy fails
    - [armhf] net: mvneta: clear interface link status on port disable
    - n_tty: fix EXTPROC vs ICANON interaction with TIOCINQ (aka FIONREAD)
    - iw_cxgb4: Only validate the MSN for successful completions
    - sctp: Replace use of sockets_allocated with specified macro.
    - ring-buffer: Mask out the info bits when returning buffer page length
    - tracing: Fix crash when it fails to alloc ring buffer
    - tracing: Fix possible double free on failure of allocating trace buffer
    - nohz: Prevent a timer interrupt storm in tick_nohz_stop_sched_tick()
    - af_key: fix buffer overread in verify_address_len()
    - af_key: fix buffer overread in parse_exthdrs()
    - fscache: Fix the default for fscache_maybe_release_page()
    - ALSA: pcm: Remove incorrect snd_BUG_ON() usages
    - IB/ipoib: Fix race condition in neigh creation
    - e1000e: Separate signaling for link check/link up
    - e1000e: Fix e1000_check_for_copper_link_ich8lan return value.
    - IB/srpt: Disable RDMA access by the initiator
    - can: gs_usb: fix return value of the "set_bittiming" callback
    - ALSA: pcm: Add missing error checks in OSS emulation plugin builder
    - usbip: remove kernel addresses from usb device and urb debug msgs
    - [armhf] net: stmmac: enable EEE in MII, GMII or RGMII only
    - kernel/acct.c: fix the acct->needcheck check in check_free_space()
    - mm/mprotect: add a cond_resched() inside change_pmd_range()
    - crypto: algapi - fix NULL dereference in crypto_remove_spawns()
    - xfrm: Use __skb_queue_tail in xfrm_trans_queue
    - [armhf] dts: kirkwood: fix pin-muxing of MPP7 on OpenBlocks A7
    - [x86] alternatives: Add missing ' ' at end of ALTERNATIVE inline asm
    - ALSA: aloop: Release cable upon open error path
    - ALSA: aloop: Fix inconsistent format due to incomplete rule
    - ALSA: aloop: Fix racy hw constraints adjustment
    - [x86] microcode/intel: Extend BDW late-loading with a revision check
    - xfrm: Return error on unknown encap_type in init_state
    - ALSA: pcm: Abort properly at pending signal in OSS read/write loops
    - ALSA: pcm: Allow aborting mutex lock at OSS read/write loops
    - [armhf] mdio-sun4i: Fix a memory leak
    - [armhf] Input: twl4030-vibra - fix ERROR: Bad of_node_put() warning
    - [armhf] Input: twl4030-vibra - fix sibling-node lookup
    - [armhf] Input: twl6040-vibra - fix DT node memory management
    - [armhf] Input: twl6040-vibra - fix child-node lookup
    - USB: fix usbmon BUG trigger
    - usb: udc: core: add device_del() call to error pathway
    - USB: Gadget core: fix inconsistency in the interface to usb_add_gadget_udc_release()
    - USB: UDC core: fix double-free in usb_add_gadget_udc_release
    - net: ipv4: emulate READ_ONCE() on ->hdrincl bit-field in raw_sendmsg()
    - [powerpc*] Don't preempt_disable() in show_cpuinfo()
    - 8021q: fix a memory leak for VLAN 0 device
    - ALSA: pcm: Remove yet superfluous WARN_ON()
    - [x86] KVM: Add memory barrier on vmcs field lookup
    - [armhf] usb: misc: usb3503: make sure reset is low for at least 100us
    - futex: Prevent overflow by strengthen input validation (CVE-2018-6927)
    - nl80211: take RCU read lock when calling ieee80211_bss_get_ie()
    - mac80211_hwsim: validate number of different channels
    - cfg80211: check dev_set_name() return value
    - [arm64] KVM: Fix SMCCC handling of unimplemented SMC/HVC calls
    - sctp: use the right sk after waking up from wait_buf sleep
    - sctp: return error if the asoc has been peeled off in sctp_wait_for_sndbuf
    - sctp: do not allow the v4 socket to bind a v4mapped v6 address
    - [x86] KVM: Check input paging mode when cs.l is set
    - [x86] KVM: Fix wrong macro references of X86_CR0_PG_BIT and X86_CR4_PAE_BIT in kvm_valid_sregs()
    - dm thin metadata: THIN_MAX_CONCURRENT_LOCKS should be 6
    - dm btree: fix serious bug in btree_split_beneath()
    - i2c: core: decrease reference count of device node in i2c_unregister_device
    - i2c: core-smbus: prevent stack corruption on read I2C_BLOCK_DATA
    - net: fs_enet: do not call phy_stop() in interrupts
    - can: af_can: can_rcv(): replace WARN_ONCE by pr_warn_once
    - can: af_can: canfd_rcv(): replace WARN_ONCE by pr_warn_once
    - cfg80211: fix station info handling bugs
    - [x86] mce: Make machine check speculation protected
    - net: igmp: Use correct source address on IGMPv3 reports
    - net: igmp: fix source address check for IGMPv3 reports
    - pppoe: take ->needed_headroom of lower device into account on xmit
    - [x86] microcode/intel: Extend BDW late-loading further with LLC size check
    - dccp: don't restart ccid2_hc_tx_rto_expire() if sk in closed state
    - hrtimer: Reset hrtimer cpu base proper on CPU hotplug
    - mac80211_hwsim: fix compiler warning on MIPS
    - blk-mq: fix race between timeout and freeing request (CVE-2015-9016)
    - v4l2-compat-ioctl32: fix sparse warnings
    - V4L2: fix VIDIOC_CREATE_BUFS 32-bit compatibility mode data copy-back
    - media: v4l2-compat-ioctl32: fix missing reserved field copy in put_v4l2_create32
    - media: v4l2-compat-ioctl32.c: add capabilities field to, v4l2_input32
    - media: v4l2-ioctl.c: don't copy back the result for -ENOTTY
    - vb2: V4L2_BUF_FLAG_DONE is set after DQBUF
    - media: v4l2-compat-ioctl32.c: add missing VIDIOC_PREPARE_BUF
    - media: v4l2-compat-ioctl32.c: copy m.userptr in put_v4l2_plane32
    - media: v4l2-compat-ioctl32.c: fix ctrl_is_pointer
    - media: v4l2-compat-ioctl32: Copy v4l2_window->global_alpha
    - media: v4l2-compat-ioctl32.c: copy clip list in put_v4l2_window32
    - media: v4l2-compat-ioctl32.c: drop pr_info for unknown buffer type
    - media: v4l2-compat-ioctl32.c: don't copy back the result for certain errors
    - media: v4l2-compat-ioctl32.c: refactor compat ioctl32 logic (CVE-2017-13166)
    - ACPI: sbshc: remove raw pointer from printk() message (CVE-2018-5750)
    - rds: Fix NULL pointer dereference in __rds_rdma_map (CVE-2018-7492)
    - [mips*] CPS: Fix MIPS_ISA_LEVEL_RAW fallout
    https://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.16.56
    - [x86] kvm: vmx: Scrub hardware GPRs at VM-exit
    - [x86] Documentation: Add PTI description
    - [x86] cpu: Factor out application of forced CPU caps
    - [x86] cpufeatures: Make CPU bugs sticky
    - [x86] cpufeatures: Add X86_BUG_CPU_INSECURE
    - [x86] pti: Rename BUG_CPU_INSECURE to BUG_CPU_MELTDOWN
    - [x86] cpufeatures: Add X86_BUG_SPECTRE_V[12]
    - [x86] cpu: Merge bugs.c and bugs_64.c
    - sysfs/cpu: Add vulnerability folder
    - [x86] cpu: Implement CPU vulnerabilites sysfs functions
    - [x86] alternatives: Guard NOPs optimization
    - [x86] alternatives: Fix ALTERNATIVE_2 padding generation properly
    - [x86] alternatives: Make optimize_nops() interrupt safe and synced
    - [x86] alternatives: Fix optimize_nops() checking
    - [x86] cpu/AMD: Make LFENCE a serializing instruction
    - [x86] cpu/AMD: Use LFENCE_RDTSC in preference to MFENCE_RDTSC
    - [x86] asm: Make asm/alternative.h safe from assembly
    - kconfig.h: use __is_defined() to check if MODULE is defined
    - [x86] Clean up current_stack_pointer
    - [x86] asm: Use register variable to get stack pointer value
    - [x86] retpoline: Add initial retpoline support (partial mitigation of CVE-2017-5715)
    - [x86] spectre: Add boot time option to select Spectre v2 mitigation
    - [x86] retpoline/crypto: Convert crypto assembler indirect jumps
    - [x86] retpoline/entry: Convert entry assembler indirect jumps
    - [x86] retpoline/ftrace: Convert ftrace assembler indirect jumps
    - [x86] retpoline/hyperv: Convert assembler indirect jumps
    - [x86] retpoline/xen: Convert Xen hypercall indirect jumps
    - [x86] retpoline/checksum32: Convert assembler indirect jumps
    - [x86] retpoline/irq32: Convert assembler indirect jumps
    - [x86] retpoline: Fill return stack buffer on vmexit
    - [x86] retpoline: Remove compile time warning
    - [x86] retpoline: Add LFENCE to the retpoline/RSB filling RSB macros
    - [x86] retpoline: Introduce start/end markers of indirect thunk
    - [x86] kprobes: Blacklist indirect thunk functions for kprobes
    - [x86] kprobes: Disable optimizing on the function jumps to indirect thunk
    - [x86] pti: Document fix wrong index
    - [x86] retpoline: Optimize inline assembler for vmexit_fill_RSB
    - [x86] cpu/intel: Introduce macros for Intel family numbers
    - [x86] retpoline: Fill RSB on context switch for affected CPUs
    - [x86] cpu: Change type of x86_cache_size variable to unsigned int
    - [x86] KVM: Make indirect calls in emulator speculation safe
    - [x86] KVM: VMX: Make indirect call speculation safe
    - [x86] module/retpoline: Warn about missing retpoline in module
    - [x86] bugs: Drop one "mitigation" from dmesg
    - [x86] cpu/bugs: Make retpoline module warning conditional
    - [x86] spectre: Check CONFIG_RETPOLINE in command line parser
    - Documentation: Document array_index_nospec
    - array_index_nospec: Sanitize speculative array de-references (partial mitigation of CVE-2017-5753)
    - [x86] Implement array_index_mask_nospec
    - [x86] Introduce barrier_nospec
    - [x86] get_user: Use pointer masking to limit speculation
    - [x86] syscall: Sanitize syscall table de-references under speculation
    - vfs, fdtable: Prevent bounds-check bypass via speculative execution
    - nl80211: Sanitize array index in parse_txq_params
    - [x86] spectre: Report get_user mitigation for spectre_v1
    - [x86] spectre: Fix spelling mistake: "vunerable"-> "vulnerable"
    - [x86] paravirt: Remove 'noreplace-paravirt' cmdline option
    - [x86] kvm: Update spectre-v1 mitigation
    - [x86] retpoline: Avoid retpolines for built-in __init functions
    - [x86] spectre: Simplify spectre_v2 command line parsing
    - [x86] cpufeatures: Clean up Spectre v2 related CPUID flags
    - [x86] spectre: Fix an error message
    - nospec: Move array_index_nospec() parameter checking into separate macro
    - nospec: Kill array_index_nospec_mask_check()
    - nospec: Include dependency
    - [x86] reorganize SMAP handling in user space accesses
    - [i386] fix SMAP in 32-bit environments
    - [x86] Introduce __uaccess_begin_nospec() and uaccess_try_nospec
    - [x86] usercopy: Replace open coded stac/clac with __uaccess_{begin, end}
    - [x86] uaccess: Use __uaccess_begin_nospec() and uaccess_try_nospec (partial mitigation of CVE-2017-5753)
  .
  [ Ben Hutchings ]
  * abiupdate.py: Use current config instead of downloading previous config
  * abiupdate.py: Add support for security mirrors
  * Revert "ptrace: being capable wrt a process requires mapped uids/gids", redundant with ptrace changes in 3.16.52
  * Bump ABI to 6
  * [x86] Compile with gcc-4.9
  * [x86] Add versioned build-dependency on gcc-4.9 for retpoline support
  * [x86] linux-compiler-gcc-4.9-x86: Add versioned dependency on gcc-4.9 for retpoline support
  * [x86] linux-headers: Depend on linux-compiler-gcc-4.9-x86 and linux-kbuild versions with retpoline support
  * Bluetooth: hidp_connection_add() unsafe use of l2cap_pi() (CVE-2017-13220)
  * ocfs2: subsystem.su_mutex is required while accessing the item->ci_parent (CVE-2017-18216)
  * scsi: libsas: direct call probe and destruct (CVE-2017-18232)
  * f2fs: fix a panic caused by NULL flush_cmd_control (CVE-2017-18241)
  * CIFS: Enable encryption during session setup phase (CVE-2018-1066)
  * netfilter: ebtables: CONFIG_COMPAT: don't trust userland offsets (CVE-2018-1068)
  * netfilter: ebtables: fix erroneous reject of last rule
  * ext4: fail ext4_iget for root directory if unallocated (CVE-2018-1092)
  * sctp: verify size of a new chunk in _sctp_make_chunk() (CVE-2018-5803)
  * ALSA: seq: Fix racy pool initializations (CVE-2018-7566)
  * ALSA: seq: Don't allow resizing pool in use
  * ALSA: seq: More protection for concurrent write and ioctl races
  * hugetlbfs: fix offset overflow in hugetlbfs mmap
  * hugetlbfs: check for pgoff value overflow (CVE-2018-7740)
  * scsi: libsas: fix memory leak in sas_smp_get_phy_events() (CVE-2018-7757)
  * [x86] MCE: Serialize sysfs changes (CVE-2018-7995)
  * drm: udl: Properly check framebuffer mmap offsets (CVE-2018-8781)
  * ncpfs: memory corruption in ncp_read_kernel() (CVE-2018-8822)
  * perf/hwbp: Simplify the perf-hwbp code, fix documentation (CVE-2018-1000199)
  * debian/lib/python/debian_linux/gencontrol.py: Allow uploads to *-security with a simple revision
  .
  [ Salvatore Bonaccorso ]
  * locks: remove i_have_this_lease check from __break_lease
  * locks: __break_lease cleanup in preparation of allowing direct removal of leases (Closes: #883217)

linux (3.16.51-3+deb8u1) jessie-security; urgency=high
  .
  * dccp: CVE-2017-8824: use-after-free in DCCP code
  * Bluetooth: cmtp: cmtp_add_connection() should verify that it's dealing with l2cap socket
  * Bluetooth: bnep: bnep_add_connection() should verify that it's dealing with l2cap socket (CVE-2017-15868)
  * media: dvb-usb-v2: lmedm04: Improve logic checking of warm start (CVE-2017-16538)
  * media: dvb-usb-v2: lmedm04: move ts2020 attach to dm04_lme2510_tuner (CVE-2017-16538)
  * ipsec: Fix aborted xfrm policy dump crash (CVE-2017-16939)
  * netfilter: nfnetlink_cthelper: Add missing permission checks (CVE-2017-17448)
  * netlink: Add netns check on taps (CVE-2017-17449)
  * netfilter: xt_osf: Add missing permission checks (CVE-2017-17450)
  * USB: core: prevent malicious bNumInterfaces overflow (CVE-2017-17558)
  * [armhf,arm64,x86] KVM: Fix stack-out-of-bounds read in write_mmio (CVE-2017-17741)
  * crypto: salsa20 - fix blkcipher_walk API usage (CVE-2017-17805)
  * crypto: hmac - require that the underlying hash algorithm is unkeyed (CVE-2017-17806)
  * KEYS: add missing permission check for request_key() destination (CVE-2017-17807)
  * [x86] KVM: VMX: remove I/O port 0x80 bypass on Intel hosts (CVE-2017-1000407)
  * bluetooth: Prevent stack info leak from the EFS element. (CVE-2017-1000410)
  * Bump ABI to 5 and apply deferred stable changes:
    - Input: i8042 - break load dependency between atkbd/psmouse and i8042
    - Input: i8042 - set up shared ps2_cmd_mutex for AUX ports
    - ACPICA: Utilities: split IO address types from data type models.
    - [arm64] Define AT_VECTOR_SIZE_ARCH for ARCH_DLINFO
    - block: fix bdi vs gendisk lifetime mismatch
    - cgroup: make sure a parent css isn't offlined before its children
    - libata: Align ata_device's id on a cacheline
    - libata: Ignore spurious PHY event on LPM policy change
    - net/ipv6: add sysctl option accept_ra_min_hop_limit
    - quota: Store maximum space limit in bytes
    - quota: Switch ->get_dqblk() and ->set_dqblk() to use bytes as space units
    - [s390*] Define AT_VECTOR_SIZE_ARCH for ARCH_DLINFO
    - scsi: scsi_error: count medium access timeout only once per EH run
    - [x86] panic: replace smp_send_stop() with kdump friendly version in panic path
  * [amd64] Implement Kernel Page Table Isolation (KPTI, aka KAISER) (CVE-2017-5754)

linux (3.16.51-3) jessie; urgency=medium
  .
  * sched/topology: Add missing pieces of the fixes included in 3.16.49 (Closes: #883938):
    - Remove FORCE_SD_OVERLAP
    - Simplify build_overlap_sched_groups()
    - Optimize build_group_mask()

linux-latest (63+deb8u2) jessie-security; urgency=medium
  .
  * Update to 3.16.0-6

linux-latest (63+deb8u1) jessie-security; urgency=medium
  .
  * Update to 3.16.0-5

linux-tools (3.16.56-1) jessie-security; urgency=high
  .
  * New upstream stable update:
    http://kernel.ubuntu.com/stable/ChangeLog-3.16.7-ckt21
    - recordmcount: Fix endianness handling bug for nop_mcount
    - perf trace: Fix documentation for -i
    http://kernel.ubuntu.com/stable/ChangeLog-3.16.7-ckt23
    - scripts: recordmcount: break hardlinks
    - ftrace/scripts: Have recordmcount copy the object file
    - ftrace/scripts: Fix incorrect use of sprintf in recordmcount
    http://kernel.ubuntu.com/stable/ChangeLog-3.16.7-ckt24
    - tools lib traceevent: Fix output of %llu for 64 bit values read on 32 bit machines
    - scripts/recordmcount.pl: support data in text section on powerpc
    http://kernel.ubuntu.com/stable/ChangeLog-3.16.7-ckt25
    - perf annotate browser: Fix behaviour of Shift-Tab with nothing focussed
    - perf hists: Fix HISTC_MEM_DCACHELINE width setting
    https://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.16.35
    - perf pmu: Fix misleadingly indented assignment (whitespace)
    - perf tools: handle spaces in file names obtained from /proc/pid/maps
    - perf tools: Dont stop PMU parsing on alias parse error
    - perf stat: Document --detailed option
    https://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.16.36
    - tools lib traceevent: Do not reassign parg after collapse_tree()
    https://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.16.37
    - kbuild: move -Wunused-const-variable to W=1 warning level
    - perf tools: Fix perf regs mask generation
    - of: fix autoloading due to broken modalias with no 'compatible'
    https://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.16.39
    - ftrace/recordmcount: Work around for addition of metag magic but not relocations
    https://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.16.40
    - perf symbols: Fixup symbol sizes before picking best ones
    - scripts/has-stack-protector: add -fno-PIE
    https://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.16.42
    - perf trace: Use the syscall raw_syscalls:sys_enter timestamp
    - perf scripting: Avoid leaking the scripting_context variable
    https://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.16.44
    - perf evlist: Fix typo in perf_evlist__start_workload()
    - perf script: Fix man page about --dump-raw-trace option
    - perf tests: Avoid possible truncation with dirent->d_name + snprintf
    https://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.16.46
    - perf symbols: Fix symbols__fixup_end heuristic for corner cases
    https://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.16.47
    - perf hists browser: Fix typo in function switch_data_file
    - perf inject: Don't proceed if perf_session__process_event() fails
    https://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.16.48
    - perf probe: Fix examples section of documentation
    - perf script: Fix outdated comment for perf-trace-python
    - perf script: Fix documentation errors
    - perf script python: Fix wrong code snippets in documentation
    - perf script python: Updated trace_unhandled() signature
    - perf script python: Remove dups in documentation examples
    https://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.16.50
    - perf annotate: Fix broken arrow at row 0 connecting jmp instruction to its target
    - modpost: expand pattern matching to support substring matches
    - modpost: don't emit section mismatch warnings for compiler optimizations
    https://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.16.51
    - perf tests attr: Fix no-delay test
    - perf events parse: Rename parsing state struct to clearer name
    - perf events parse: Use just one parse events state struct
    - perf tools: Really install manpages via 'make install-man'
    https://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.16.54
    - usbip: tools: Install all headers needed for libusbip development
    - usbip: prevent vhci_hcd driver from leaking a socket pointer address
    https://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.16.55
    - hv: kvp: Avoid reading past allocated blocks from KVP file
    - usbip: fix usbip bind writing random string after command in match_busid
    https://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.16.56
    - module/retpoline: Warn about missing retpoline in module

lucene-solr (3.6.2+dfsg-5+deb8u2) jessie-security; urgency=high
  .
  * Team upload.
  * Fix CVE-2018-1308: XML external entity expansion in Solr's DataImportHandler. It can be used as XXE using file/ftp/http protocols in order to read arbitrary local files from the Solr server or the internal network. (Closes: #896604)

lucene-solr (3.6.2+dfsg-5+deb8u1) jessie-security; urgency=high
  .
  * Team upload.
  * Fix CVE-2017-12629: possible remote code execution by exploiting XXE. For security reasons the RunExecutableListener class was permanently removed.
  * Update debian/conf/solrconfig.xml and remove example configuration for RunExecutableListener which had to be removed for security reasons.
  * CVE-2017-3163: fix ReplicationHandler path traversal vulnerability. (Closes: #867712)

mactelnet (0.4.0-1+deb8u1) jessie; urgency=low
  .
  * Backported bugfix of CVE-2016-7115 (closes: 836320)

mailman (1:2.1.18-2+deb8u2) jessie-security; urgency=high
  .
  * CVE-2018-5950: XSS and information leak in user options. (Closes: #888201).

mariadb-10.0 (10.0.32-0+deb8u1) jessie-security; urgency=medium
  .
  * New upstream version 10.0.32. Includes fixes for the following security vulnerabilities:
    - CVE-2017-3636
    - CVE-2017-3641
    - CVE-2017-3653
  * Refresh patches on top of MariaDB 10.0.32

mat (0.5.2-3+deb8u1) jessie-security; urgency=high
  .
  * New patch: disable PDF support. (Closes: #826101)
  * debian/NEWS: mention disabled PDF support.
  * gbp.conf: adjust for Jessie.

memcached (1.4.21-1.1+deb8u2) jessie-security; urgency=high
  .
  * Non-maintainer upload by the Security Team.
  * Heap-based buffer over-read in try_read_command function (CVE-2017-9951) (Closes: #868701)
  * disable UDP port by default (CVE-2018-1000115)
  * debian/NEWS: Add explanation and document how to re-enable UDP if necessary
  * Don't overflow item refcount on get (CVE-2018-1000127) (Closes: #894404)

mupdf (1.5-1+deb8u4) jessie-security; urgency=high
  .
  * Non-maintainer upload by the Security Team.
  * CVE-2018-6544, CVE-2018-1000051 add patches to fix use after free (Closes: #891245)

mysql-5.5 (5.5.60-0+deb8u1) jessie-security; urgency=high
  .
  * Non-maintainer upload by the Security Team.
  * Imported Upstream version 5.5.60 to fix security issues:
    - http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html
    - CVE-2018-2755 CVE-2018-2761 CVE-2018-2771 CVE-2018-2773 CVE-2018-2781 CVE-2018-2813 CVE-2018-2817 CVE-2018-2818 CVE-2018-2819
  * Don't install obsolete manpages. Do not try to install anymore obsolete manpages for mysql_client_test, mysql_client_test_embedded and mysqltest_embedded.

mysql-5.5 (5.5.59-0+deb8u1) jessie-security; urgency=high
  .
  * Non-maintainer upload by the Security Team.
  * Imported Upstream version 5.5.59 to fix security issues:
    - http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html
    - CVE-2018-2562 CVE-2018-2622 CVE-2018-2640 CVE-2018-2665 CVE-2018-2668

ncurses (5.9+20140913-1+deb8u3) jessie; urgency=medium
  .
  * Cherry-pick upstream fix from the 20171125 patchlevel to fix a buffer overflow in the _nc_write_entry function (CVE-2017-16879, Closes: #882620).

net-snmp (5.7.2.1+dfsg-1+deb8u1) jessie-security; urgency=high
  .
  * CVE-2018-1000116: Correct a heap corruption vulnerability prior to the authentication process. (Closes: #894110)

nvidia-graphics-drivers (340.106-1) jessie; urgency=medium
  .
  * New upstream legacy 340xx branch release 340.106 (2018-01-16).
  * Fixed CVE-2017-5753, CVE-2017-5715 (spectre), CVE-2017-5754 (meltdown).
    https://nvidia.custhelp.com/app/answers/detail/a_id/4611
    (Closes: #886852)
    - Fixed a compatibility problem between the nvidia.ko's Page Attribute Table (PAT) support and the kernel Page Table Isolation (PTI) patches. To optimize stores to memory, nvidia.ko contains support for configuring the CPU's PAT registers, as a fallback for Linux kernels that predate kernel native PAT support. On any recent kernel with CONFIG_X86_PAT enabled, the driver will detect that setup has already been done and skip its PAT setup. However, a static inline function called by nvidia.ko's PAT fallback support was updated in the PTI patches to use the EXPORT_SYMBOL_GPL symbol 'cpu_tlbstate'. nvidia.ko was updated to only contain its PAT fallback support, at build time, on kernels without CONFIG_X86_PAT.
  * Improved compatibility with recent Linux kernels.
  .
  [ Andreas Beckmann ]
  * Switch watch URL from ftp:// to https:// (375.82-1).
  * build-module-packages.sh: Order kernels by descending version (375.82-2).
  * bug-control: Add arch qualification to M-A:same packages in report-with list otherwise reportbug will ignore them if more than one is installed (375.82-5).
  * Use https:// URLs where possible (375.82-8).
  * Stop shipping the classic libnvidia-tls.so.* and ship the modern one (for Linux 2.6 onwards) in the regular libdir instead of the tls/ subdir (384.111-1). (Closes: #883615)
  * Add #tls# substitution for the tls/ source directory (384.111-1).
  * nvidia-kernel-{dkms,source}: Mention the supported architecture(s) in the long Description (384.111-4).
  * Update lintian overrides.
  * Upload to jessie.
  .
  [ Luca Boccassi ]
  * Switch to my debian.org email address in Uploaders.
  * Drop drm-driver-legacy.patch, deprecated-cpu-events.patch and vmf-address.patch, fixed upstream.
  * Add vm-fault.patch to fix kernel module build on Linux 4.11 and newer.
  .
  [ Russ Allbery ]
  * Remove myself from Uploaders.

nvidia-graphics-drivers-legacy-304xx (304.137-0~deb8u1) jessie; urgency=medium
  .
  * The 304.xx legacy driver series has been declared as End-of-Life by NVIDIA. No further updates fixing security issues, critical bugs, or adding support for new Xorg or Linux releases will be issued.
    https://nvidia.custhelp.com/app/answers/detail/a_id/3142
  .
  * New upstream legacy 304xx branch release 304.137 (2017-09-19).
    - Improved compatibility with recent Linux kernels.
  .
  [ Andreas Beckmann ]
  * Add NEWS entry for End-of-Life status.
  * Synchronize packaging with nvidia-graphics-drivers-legacy-304xx 304.137-5.
  * not-parallel.patch: New, prevent parallel module build (304.135-3).
  * Switch watch URL from ftp:// to https:// (375.82-1).
  * build-module-packages.sh: Order kernels by descending version (375.82-2).
  * bug-control: Add arch qualification to M-A:same packages in report-with list otherwise reportbug will ignore them if more than one is installed (375.82-5).
  * Use https:// URLs where possible (375.82-8).
  * Stop shipping the classic libnvidia-tls.so.* and ship the modern one (for Linux 2.6 onwards) in the regular libdir instead of the tls/ subdir (384.111-1). (Closes: #883615)
  * nvidia-kernel-{dkms,source}: Mention the supported architecture(s) in the long Description (384.111-4).
  * Convert packaging repository from SVN to GIT.
  * Update lintian overrides.
  * Upload to jessie.
  .
  [ Luca Boccassi ]
  * Switch to my debian.org email address in Uploaders.
  * Drop drm-driver-legacy.patch and deprecated-cpu-events.patch, fixed upstream (304.137-1).
  * Refresh disable-mtrr.patch to remove fuzz from upstream changes (304.137-1).
  * Add pud-offset.patch to fix runtime error on Linux 4.12 and newer. Original patch: https://bugzilla.rpmfusion.org/show_bug.cgi?id=4629#c11 (304.135-5)
  * Add nvidia-drm-pci-init.patch to fix kernel module build on Linux 4.14 and newer (304.137-1).
  * Add timer.patch to fix kernel module build on Linux 4.15 and newer (304.137-4).
  .
  [ Russ Allbery ]
  * Remove myself from Uploaders.

nvidia-graphics-drivers-legacy-304xx (304.135-5) unstable; urgency=medium
  .
  [ Andreas Beckmann ]
  * Bump Standards-Version to 4.1.0. No changes needed.
  .
  [ Luca Boccassi ]
  * Switch to my debian.org email address in Uploaders.
  * Update pud-offset.patch to fix runtime error on Linux 4.12 and newer. Original patch: https://bugzilla.rpmfusion.org/show_bug.cgi?id=4629#c11 (Closes: #875425)
  .
  [ Russ Allbery ]
  * Remove myself from Uploaders.
nvidia-graphics-drivers-legacy-304xx (304.135-4) unstable; urgency=medium
  .
  [ Andreas Beckmann ]
  * Bump Standards-Version to 4.0.1. No changes needed.
  * nvidia-alternative: Explicitly use interest-await triggers.
  * Switch from dh_install --list-missing to dh_missing.
  * Use dpkg makefile snippets instead of manual parsing.
  * build-module-packages.sh: Order kernels by descending version.
  * Switch watch URL from ftp:// to https:// (375.82-1).
  * Update lintian overrides.
  .
  [ Luca Boccassi ]
  * Add pud-offset.patch to fix kernel module build on Linux 4.12 and newer.

nvidia-graphics-drivers-legacy-304xx (304.135-3) unstable; urgency=medium
  .
  [ Andreas Beckmann ]
  * Merge changes from 304.135-1 (jessie).
  * Do not prevent ccache usage. The bug was fixed in ccache 3.0 (in squeeze).
  * not-parallel.patch: New, prevent parallel module build.
  .
  [ Luca Boccassi ]
  * Add drm-unload.patch to fix kernel module build on Linux 4.11 and newer. (Closes: #865964)

nvidia-graphics-drivers-legacy-304xx (304.135-2) unstable; urgency=medium
  .
  * New upstream legacy 304xx branch release 304.135 (2017-02-14).
  * Fixed CVE-2017-0309, CVE-2017-0310, CVE-2017-0311, CVE-2017-0318, CVE-2017-0321. (Closes: #855279)
  .
  [ Luca Boccassi ]
  * Add deprecated-cpu-events.patch and update disable-mtrr.patch to fix kernel module build on Linux 4.10 and newer.

nvidia-graphics-drivers-legacy-304xx (304.135-2~bpo8+1) jessie-backports; urgency=medium
  .
  * Rebuild for jessie-backports.
  .
nvidia-graphics-drivers-legacy-304xx (304.135-2) unstable; urgency=medium
  .
  * Upload to unstable. (Closes: #855279)
  .
nvidia-graphics-drivers-legacy-304xx (304.135-1) jessie; urgency=medium
  .
  * New upstream legacy 304xx branch release 304.135 (2017-02-14).
  * Fixed CVE-2017-0309, CVE-2017-0310, CVE-2017-0311, CVE-2017-0318, CVE-2017-0321. (Closes: #855279)
  .
[ Luca Boccassi ] * Synchronize packaging with nvidia-graphics-drivers-legacy-304xx 304.135-2: - Add deprecated-cpu-events.patch and update disable-mtrr.patch to fix kernel module build on Linux 4.10 and newer. * Synchronize packaging with nvidia-graphics-drivers-legacy-304xx 304.134-2: - Add drm-driver-legacy.patch to fix nvidia kernel module load issue on Linux 4.9 and newer. (Closes: #852152) * Upload to jessie. . nvidia-graphics-drivers-legacy-304xx (304.134-2) unstable; urgency=medium . [ Andreas Beckmann ] * Merge changes from 304.134-0~deb8u1 (jessie). * Add ${nvidia:Deb-Version-After:jessie} substvar to simplify adjusting Breaks/Replaces for new upstream releases in stable. * Switch to debhelper compat level 10. . [ Luca Boccassi ] * Add drm-driver-legacy.patch to fix nvidia kernel module load issue on Linux 4.9 and newer. (Closes: #852152) openafs (1.6.9-2+deb8u7) jessie; urgency=high . * Apply upstream patches needed to fix kernel module build against linux 3.16.51-3+deb8u1 kernels after security update-induced ABI changes. (Closes: #886719) openafs (1.6.9-2+deb8u6) jessie-security; urgency=high . * CVE-2017-17432: remote triggered Rx assertion failure (Closes: #883602) * CVE-2016-4536: information leakage from OpenAFS clients * CVE-2016-9772: information leakage from directory objects (Closes: #846922) openjdk-7 (7u181-2.6.14-1~deb8u1) jessie-security; urgency=medium . * Rebuild for jessie-security. openjdk-7 (7u171-2.6.13-1) experimental; urgency=high . [ Tiago Stürmer Daitx ] * IcedTea release 2.6.13 (based on 7u171). Closes: #891330. 
* Security fixes: - S8160104: CORBA communication improvements - S8172525, CVE-2018-2579: Improve key keying case - S8174756: Extra validation for public keys - S8175932: Improve host instance supports - S8176458: Revise default document styling - S8178449, CVE-2018-2588: Improve LDAP logins - S8178458: Better use of certificates in LDAP - S8178466: Better RSA parameters - S8179536: Cleaner print job handling - S8179990: Cleaner palette entry handling - S8180011: Cleaner native graphics device handling - S8180015: Cleaner AWT robot handling - S8180020: Improve SymbolHashMap entry handling - S8180433: Cleaner CLR invocation handling - S8180877: More deeply colored ICC spaces - S8181664: Improve JVM UTF String handling - S8181670: Improve implementation of keystores - S8182125, CVE-2018-2599: Improve reliability of DNS lookups - S8182387, CVE-2018-2603: Improve PKCS usage - S8182601, CVE-2018-2602: Improve usage messages - S8185292, CVE-2018-2618: Stricter key generation - S8185325, CVE-2018-2641: Improve GTK initialization - S8186080: Transform XML interfaces - S8186212, CVE-2018-2629: Improve GSS handling - S8186600, CVE-2018-2634: Improve property negotiations - S8186606, CVE-2018-2633: Improve LDAP lookup robustness - S8186867: Improve native glyph layouts - S8186998, CVE-2018-2637: Improve JMX supportive features - S8189284, CVE-2018-2663: More refactoring for deserialization cases - S8190289, CVE-2018-2677: More refactoring for client deserialization cases - S8191142, CVE-2018-2678: More refactoring for naming deserialization cases * Remove multiarch-support pre-dependency. Closes: #887858. . [ Matthias Klose ] * Bump standards version. * Disable bootstrap on sid/buster, gcj is removed. * Remove Damien Raude-Morvan as uploader. Closes: #889378. openjdk-7 (7u161-2.6.12-1) experimental; urgency=medium . * IcedTea release 2.6.12 (based on 7u161). * Disable Hotspot workaround for Exec Shield (Debian only). Addresses: #876051. * Build-depend on g++-4.7 on wheezy. 
This is the default on some architectures such as amd64 or i386, but not on armhf or armel, which default to 4.6. There the build was working before because the bootstrap build pulled gcj-jdk, which depends on gcj-4.7-jdk and that in turn depends on g++-4.7. However since we have disabled the bootstrap build now, g++-4.7 is no longer installed on arm* builds, causing the build failure which couldn't be seen on amd64 (Emilio Pozuelo Monfort). openjdk-7 (7u151-2.6.11-3) experimental; urgency=medium . [ Matthias Klose ] * Disable bootstrap on wheezy, it currently fails due to the last round of 8u151 security patches (Emilio Pozuelo Monfort). . [ Tiago Stürmer Daitx ] * debian/patches/hotspot-aarch64-S8145438-fix-field-too-big-for-insn.patch: the S8144028 fix was incomplete and followed up by S8145438; without it aarch64 JVM can fail with "Internal Error, failed: Field too big for insn". openjdk-7 (7u151-2.6.11-2) experimental; urgency=medium . [ Tiago Stürmer Daitx ] * Backport of 8u151 security fixes. Closes: #881764. * Security patches: - CVE-2017-10274, S8169026: Handle smartcard clean up better. If a CardImpl can be recovered via finalization, then separate instances pointing to the same device can be created. - CVE-2017-10281, S8174109: Better queuing priorities. PriorityQueue's readObject allocates an array based on data in the stream which could cause an OOM. - CVE-2017-10285, S8174966: Unreferenced references. RMI's Unreferenced thread can be used as the root of a Trusted Method Chain. - CVE-2017-10295, S8176751: Better URL connections. On Ubuntu (and possibly other Linux flavors) CR-NL in the host field are ignored and can be used to inject headers in an HTTP request stream. - CVE-2017-10388, S8178794: Correct Kerberos ticket grants. Kerberos implementations can incorrectly take information from the unencrypted portion of the ticket from the KDC. This can lead to an MITM attack impersonating Kerberos services. 
- CVE-2017-10346, S8180711: Better alignment of special invocations. A missing load constraint for some invokespecial cases can allow invoking a method from an unrelated class. - CVE-2017-10350, S8181100: Better Base Exceptions. An array is allocated based on data in the serial stream without a limit onthe size. - CVE-2017-10347, S8181323: Better timezone processing. An array is allocated based on data in the serial stream without a limit on the size. - CVE-2017-10349, S8181327: Better Node predications. An array is allocated based on data in the serial stream without a limit onthe size. - CVE-2017-10345, S8181370: Better keystore handling. A malicious serialized object in a keystore can cause a DoS when using keytool. - CVE-2017-10348, S8181432: Better processing of unresolved permissions. An array is allocated based on data in the serial stream without a limit onthe size. - CVE-2017-10357, S8181597: Process Proxy presentation. A malicious serialized stream could cause an OOM due to lack on checking on the number of interfaces read from the stream for a Proxy. - CVE-2017-10355, S8181612: More stable connection processing. If an attack can cause an application to open a connection to a malicious FTP server (e.g., via XML), then a thread can be tied up indefinitely in accept(2). - CVE-2017-10356, S8181692: Update storage implementations. JKS and JCEKS keystores should be retired from common use in favor of more modern keystore protections. - CVE-2016-10165, S8183028: Improve CMS header processing. Missing bounds check could lead to leaked memory contents. - CVE-2016-9841, S8184682: Upgrade compression library. There were four off by one errors found in the zlib library. Two of them are long typed which could lead to RCE. * debian/patches/hotspot-aarch64-S8150652-unused-template.diff: unused template breaks builds with gcc-6 due to macro conflict. 
* debian/rules: try /etc/os-release before lsb-release; allows one to check if patches still apply cleanly across distros from the command line by setting distrel. openjdk-7 (7u151-2.6.11-2~deb8u1) jessie-security; urgency=medium . * Rebuild for jessie-security openjdk-7 (7u151-2.6.11-1) experimental; urgency=medium . * IcedTea release 2.6.11 (based on 7u151). Closes: #869816. * Security fixes: - S8163958, CVE-2017-10102: Improved garbage collection. - S8167228: Update to libpng 1.6.28. - S8169209, CVE-2017-10053: Improved image post-processing steps. - S8169392, CVE-2017-10067: Additional jar validation steps. - S8170966, CVE-2017-10081: Right parenthesis issue. - S8172204, CVE-2017-10087: Better Thread Pool execution. - S8172461, CVE-2017-10089: Service Registration Lifecycle. - S8172465, CVE-2017-10090: Better handling of channel groups. - S8172469, CVE-2017-10096: Transform Transformer Exceptions. - S8173286, CVE-2017-10101: Better reading of text catalogs. - S8173697, CVE-2017-10107: Less Active Activations. - S8173770, CVE-2017-10074: Image conversion improvements. - S8174098, CVE-2017-10110: Better image fetching. - S8174105, CVE-2017-10108: Better naming attribution. - S8174113, CVE-2017-10109: Better sourcing of code. - S8174770: Check registry registration location. - S8174873: Improved certificate processing. - S8175106, CVE-2017-10115: Higher quality DSA operations. - S8175110, CVE-2017-10118: Higher quality ECDSA operations. - S8176055: JMX diagnostic improvements. - S8176067, CVE-2017-10116: Proper directory lookup processing. - S8176760, CVE-2017-10135: Better handling of PKCS8 material. - S8178135, CVE-2017-10176: Additional elliptic curve support. - S8181420, CVE-2017-10074: PPC: Image conversion improvements. - S8182054, CVE-2017-10243: Improve wsdl support. - S8183551, CVE-2017-10074, PR3423: AArch64: Image conversion improvements. - S8184119, CVE-2017-10111: Incorrect return processing for the LF editor of MethodHandles.permuteArguments. . 
[ Tiago Stürmer Daitx ] * d/control.in: - remove @bd_compress@ dependency. - replace @bd_autotools@ with fixed dependencies. * d/control.tests: package to hold all tests artifacts and logs. * d/repack: fixed and simplified download script. * d/rules: - include openjdk-7-tests package on Ubuntu derivatives only. - only save the full jtreg results when the openjdk-7-tests package is being built, otherwise stick to old behaviour (keep compressed test summaries + failed test results). Closes: #863007, #865533. - only run the long jdk testsuite when default vm is a hotspot. - only run the full testsuite for zero alternative vm on very fast systems, otherwise stick to the hotspot testsuite to avoid long build times. - remove with_nss as all supported releases have it now. - remove gcc/g++ configurations for EOL releases. - keep libjpeg8 dependency on wheezy, replace it with libjpeg62-turbo on other Debian releases and libjpeg-turbo8 on Ubuntu. Closes: #766601. - remove old logic to depend on libcupsys2. - always set rhino_source, all supported releases have dpkg > 1.16.2. - remove bd_compress and pkg_compress as they haven't been used for quite a while. - remove with_wgy_zenhai logic, lenny is EOL. - remove bd_autotools logic if/then, call dh_autoreconf and dh_autoreconf_clean. - simplify bootstrap dependency logic and remove EOL releases. - remove EOL releases from gcc/g++ dependency logic. - remove unused jamvm_defaults and simplify jamvm_archs logic. - use ttf-indic-fonts for trusty, otherwise stick to fonts-indic. - patch configure after dh_autoreconf call to include additional /usr/lib/jvm directories; setting DEB_HOST_ARCH=alpha to check if patches apply correctly fails because alpha requires a jdk for bootstrap and IcedTea does not look into our usual directories. * d/p/fontconfig-arphic-uming.diff: removed, not used since lenny. * d/p/jdk-getAccessibleValue.diff: libatk-wrapper-java: File selection dialog not refreshed when changing directory. 
Kindly provided by Samuel Thibault. Closes: #827741. * d/p/jdk-S8173783-fix-illegalargumentexception-regression.patch: deleted, included in IcedTea 2.6.10. * d/p/kfreebsd-support-jdk.diff: updated, was failing to apply due to jdk changes in NetworkInterface.c. * d/p/sec-webrev-8u131-*.patch: deleted, included in IcedTea 2.6.10. * d/p/zero-sparc.diff: commented out chaitin.hpp hunk #1 as that #ifdef has been removed by JDK-8011621 (backported by IcedTea 2.6.10); this was also backported to 7u131 through JDK-8160961 but then backed out, better keep the hunk in case IcedTea decides to back it out as well. . [ Matthias Klose ] * Build using gcc-6 on recent releases. * Fix libjvm.so's .debug file names. Closes: #865749. LP: #1548434. openjdk-7 (7u151-2.6.11-1~deb8u1) jessie-security; urgency=medium . * Rebuild for jessie-security openjdk-7 (7u131-2.6.9-3) experimental; urgency=medium . * Only include the failing tests in the packages, not the whole test world. * openjdk-7-jdk: Provide openjdk-7-jdk-headless. openjdk-7 (7u131-2.6.9-2) experimental; urgency=high . [ Tiago Stürmer Daitx ] * Fix JDK regression introduced by 7u131 upgrade: (LP: #1691126) - d/p/jdk-S8173783-fix-illegalargumentexception-regression.patch: fix "IllegalArgumentException: jdk.tls.namedGroups" backported from http://hg.openjdk.java.net/jdk8u/jdk8u/jdk/rev/f5d0aadb4d1c openjdk-7 (7u131-2.6.9-2~deb8u1) jessie-security; urgency=medium . * Rebuild for jessie-security openjdk-7 (7u131-2.6.9-1) experimental; urgency=high . [ Tiago Stürmer Daitx ] * IcedTea release 2.6.9 (based on 7u131): * Security fixes - S8167110, CVE-2017-3514: Windows peering issue. - S8163528, CVE-2017-3511: Better library loading. - S8169011, CVE-2017-3526: Resizing XML parse trees. - S8163520, CVE-2017-3509: Reuse cache entries. - S8171533, CVE-2017-3544: Better email transfer. - S8170222, CVE-2017-3533: Better transfers of files. - S8171121, CVE-2017-3539: Enhancing jar checking. - S8172299: Improve class processing. 
* debian/compat: updated from 5 to 9. * debian/watch: using watch version 4 to download both icedtea and icedtea-sound. LP: #1642420. * debian/repack: simplified tarball download. * debian/rules: - removed 8u121 patches as they have been applied to 7u131. - building icedtea-sound on build/ directory - replaced 'dh_strip -k' calls by dh_prep - have the 'build' rule depend on 'debian/control' rule to force failure if debian/control gets regenerated. - added file 'security/blacklisted.cert' to be copied to etc dir (introduced by S8011402). - simplified build dependencies. - removed jtreg's xvfb-run call since icedtea takes care of calling it. - removed window manager as there are no additional significant failures on the jdk tests when not running one. - re-enabled jdk jtreg tests. - removed lpia arch. - use fonts-wqy-microhei and fonts-wqy-zenhei instead of transitional package names. - drop Recommends on obsolete GNOME libraries so they are not in a default GNOME desktop installation (Simon McVittie). Closes: #850270. + sun.net.spi.DefaultProxySelector prefers libglib2.0-0 (>= 2.24) over obsolete libgconf2-4. + sun.nio.fs.GnomeFileTypeDetector prefers libglib2.0-0 (>= 2.24) over libgnomevfs-2-0. + sun.xawt.awt_Desktop prefers libgtk2.0-0 (>= 2.14) over libgnomevfs2-0. * debian/control.in: added static build dependencies as their previous selection logic in debian/rules is no longer required. * debian/control: regenerated. * debian/patches/icedtea-sound.diff: removed, now packing icedtea-sound 1.0.1 which includes those fixes. * debian/upstream/signing-key.asc: add new signing key. . [ Matthias Klose ] * Remove obsolete changelog entries from previous release. openjdk-7 (7u121-2.6.8-2) experimental; urgency=high . [ Tiago Stürmer Daitx ] * Security fixes from 8u121: - S8167104, CVE-2017-3289: Custom class constructor code can bypass the required call to super.init allowing for uninitialized objects to be created. 
- S8164143, CVE-2017-3260: It is possible to corrupt memory by calling dispose() on a CMenuComponentmultiple times. - S8168714, CVE-2016-5546: ECDSA will accept signatures that have various extraneous bytes added to them whereas the signature is supposed to be unique. - S8166988, CVE-2017-3253: The PNG specification allows the [iz}Txt sections to be 2^32-1 bytes long so these should not be uncompressed unless the user explicitly requests it. - S8168728, CVE-2016-5548: DSA signing exhibits a timing bias that may leak information about k. - S8161743, CVE-2017-3252: LdapLoginModule incorrectly tries to deserialize responses from an LDAP server when an LDAP context is expected. - S8167223, CVE-2016-5552: Parsing of URLs can be inconsistent with how users or external applications would interpret them leading to possible security issues. - S8168705, CVE-2016-5547: A value from an InputStream is read directly into the size argument of a new byte[] without validation. - S8164147, CVE-2017-3261: An integer overflow exists in SocketOutputStream which can lead to memorydisclosure. - S8151934, CVE-2017-3231: Under some circumstances URLClassLoader will dispatch HTTP GET requests where the invoker does not have permission. - S8165071, CVE-2016-2183: 3DES can be exploited for block collisions when long running sessions are allowed. * Missing - S8165344, CVE-2017-3272: A protected field can be leveraged into type confusion. - S8156802, CVE-2017-3241: RMI deserialization should limit the types deserialized to prevent attacks that could escape the sandbox. * Ignored - S8168724, CVE-2016-5549: ECDSA signing exhibits a timing bias that may leak information about k. openjdk-7 (7u121-2.6.8-2~deb8u1) jessie-security; urgency=medium . * Rebuild for jessie openjdk-7 (7u121-2.6.8-1) experimental; urgency=medium . * IcedTea release 2.6.8 (based on 7u121): openjdk-7 (7u111-2.6.7-3) experimental; urgency=medium . [ Tiago Stürmer Daitx ] * Don't use precompiled header files on arm64. 
* Update the sec-webrev-8u111-S8159503.hotspot patch. openjdk-7 (7u111-2.6.7-2) experimental; urgency=medium . [ Tiago Stürmer Daitx ] * Backported security fixes from 8u111: - CVE-2016-5568, S8158993: Service Menu services. - CVE-2016-5582, S8160591: Improve internal array handling. - CVE-2016-5573, S8159519: Reformat JDWP messages. - CVE-2016-5597, S8160838: Better HTTP service. - CVE-2016-5554, S8157739: Classloader Consistency Checking. - CVE-2016-5542, S8155973: Tighten jar checks. * debian/rules: - removed lcms version 1 option as no current release uses that, lcms2 is now default. - removed in-tree/system lcms selection to always use system's lcms. - removed all cacao references except for the transitional cacao package. - updated jtreg tests to use othervm. - simplified rhino and libcups dependency selection. * debian/buildwatch.sh: updated to stop it if no 'make' process is running, as it probably means that the build failed - otherwise buildwatch keeps the builder alive until it exits after the timer (3 hours by default) expires. * debian/control.in: removed cacao references. * debian/README.source: removed cacao references. * debian/patches/cacao-armv4.diff: deleted file. * Makefile.am: remove -samevm * debian/patches/it-jamvm-8158260-unsafe-methods.patch: fix JAMVM after the introduction of two new Unsafe methods in the OpenJDK hotspot. Closes: #833933. (LP: #1611598) . [ Matthias Klose ] * Fix building the -dbg package depending on the debhelper level. openjdk-7 (7u111-2.6.7-2~deb8u1) jessie-security; urgency=medium . * Rebuild for jessie-security openjdk-7 (7u111-2.6.7-1) experimental; urgency=medium . [ Matthias Klose ] * Fix handling of /usr/lib/jvm/*/jre/lib/zi if internal tzdata is used (Andreas Beckmann). Closes: #821858. * Add missing includes for aarch64 hotspot backport (building without pch). * Use in-tree lcms for backports. . 
[ Tiago Stürmer Daitx ] * IcedTea release 2.6.7 (based on 7u111): * Security fixes - S8079718, CVE-2016-3458: IIOP Input Stream Hooking - S8145446, CVE-2016-3485: Perfect pipe placement (Windows only) - S8147771: Construction of static protection domains under Javax custom policy - S8148872, CVE-2016-3500: Complete name checking - S8149962, CVE-2016-3508: Better delineation of XML processing - S8150752: Share Class Data - S8151925: Font reference improvements - S8152479, CVE-2016-3550: Coded byte streams - S8155981, CVE-2016-3606: Bolster bytecode verification - S8155985, CVE-2016-3598: Persistent Parameter Processing - S8158571, CVE-2016-3610: Additional method handle validation * debian/rules: - Create symbolic link in source package (thanks Avinash). Closes: #832720. * debian/JB-jre-headless.prerm.in: check for /var/lib/binfmts/jar instead of /var/lib/binfmts/@basename@ before removing jar entry from binfmts. Closes: #821146. openldap (2.4.40+dfsg-1+deb8u4) jessie; urgency=medium . * Fix upgrade failure when olcSuffix contains a backslash. (Closes: #864719) * Import upstream patches to fix memory corruption caused by calling sasl_client_init() multiple times and possibly concurrently. (ITS#8648) (Closes: #860947) openocd (0.8.0-4+deb7u1) jessie-security; urgency=high . * Pull "bindto" command from upstream * Bind to localhost by default * Prevent some forms of Cross Protocol Scripting attacks (CVE-2018-5704) (Closes: #887488) openoffice.org-dictionaries (1:3.3.0~rc10-4+deb8u1) jessie-security; urgency=high . * Non-maintainer upload. * Drop conflict on Thunderbird in preparaton for the next icedove/thunderbird security update openssl (1.0.1t-1+deb8u8) jessie-security; urgency=high . * CVE-2018-0739 (Constructed ASN.1 types with a recursive definition could exceed the stack) optipng (0.7.5-1+deb8u2) jessie-security; urgency=high . * Non-maintainer upload by the Security Team. 
* Prevent integer overflow in minitiff_read_info() (CVE-2017-1000229) (Closes: #882032) * gifread: Detect indirect circular dependencies in LZW tables (CVE-2017-16938) (Closes: #878839) otrs2 (3.3.18-1+deb8u4) jessie-security; urgency=high . * Add patch 20-OSA-2017-10: This fixes OSA-2017-10: An attacker can send a specially prepared email to an OTRS system. If this system has cookie support disabled, and a logged in agent clicks a link in this email, the session information could be leaked to external systems, allowing the attacker to take over the agent’s session. otrs2 (3.3.18-1+deb8u3) jessie-security; urgency=high . * Add patch 18-OSA-2017-08: This fixes OSA-2017-08, also known as CVE-2017-16854: An attacker who is logged into OTRS as a customer can use the ticket search form to disclose internal article information of their customer tickets. * Add patch 19-OSA-2017-09: This fixes OSA-2017-09, also known as CVE-2017-16921: An attacker who is logged into OTRS as an agent can manipulate form parameters and execute arbitrary shell commands with the permissions of the OTRS or web server user. Closes: #883774 p7zip (9.20.1~dfsg.1-4.1+deb8u3) jessie-security; urgency=high . * Non-maintainer upload by the Security Team. * Heap-based buffer overflow in 7zip/Compress/ShrinkDecoder.cpp (CVE-2017-17969) Thanks to Antoine Beaupré (Closes: #888297) patch (2.7.5-1+deb8u1) jessie; urgency=medium . * Fix CVE-2018-1000156: arbitrary command execution in ed-style patches (closes: #894993). perl (5.20.2-3+deb8u11) jessie-security; urgency=high . * [SECURITY] CVE-2018-12015: fix directory traversal vulnerability in Archive-Tar (Closes: #900834) perl (5.20.2-3+deb8u10) jessie-security; urgency=high . * [SECURITY] CVE-2018-6913: heap buffer overflow with large data blocks. php5 (5.6.33+dfsg-0+deb8u1) jessie-security; urgency=high . 
* Add support for signed upstream tarballs * Make d/copyright machine readable * Remove repack.sh script in favour of uscan repacking * Update Vcs-* links to salsa.d.o * New upstream version 5.6.33+dfsg * Rebase patches on top of new upstream releases. plexus-archiver (1.2-1+deb8u1) jessie-security; urgency=high . * Non-maintainer upload by the Security Team. * Fail when trying to extract outside of dest dir (CVE-2018-1002200) Fixes arbitrary file write vulnerability using a specially crafted zip file. (Closes: #900953) plexus-utils (1:1.5.15-4+deb8u1) jessie-security; urgency=medium . * CVE-2017-1000487 plexus-utils2 (3.0.15-1+deb8u1) jessie-security; urgency=medium . * CVE-2017-1000487 poco (1.3.6p1-5+deb8u1) jessie-security; urgency=high . * Add backported patch for CVE-2017-1000472 polarssl (1.3.9-2.1+deb8u3) jessie-security; urgency=medium . * Fix CVE-2017-18187: Unsafe bounds check in ssl_parse_client_psk_identity(). * Fix CVE-2018-0487: Buffer overflow when verifying RSASSA-PSS signatures. (Closes: #890288) * Fix CVE-2018-0488: Buffer overflow when truncated HMAC is enabled. (Closes: #890287) poppler (0.26.5-2+deb8u4) jessie-security; urgency=high . * Non-maintainer upload by the Security Team. * Correct patch for CVE-2017-9776. Fixes "[regression] Broken rendering of scan PDF from Xerox WorkCentre 5945". (Closes: #890826) poppler (0.26.5-2+deb8u3) jessie-security; urgency=medium . * Fix regression in fix for CVE-2017-14519 * CVE-2017-1000456 * CVE-2017-14929 poppler (0.26.5-2+deb8u2) jessie-security; urgency=medium . * Fix CVE-2017-9406: a memory leak vulnerability was found in the function gmalloc in gmem.cc, which allows attackers to cause a denial of service via a crafted file. * Fix CVE-2017-9408: memory leak in the function Object::initArray in Object.cc that allows attackers to cause a DoS via a crafted file. 
* Fix CVE-2017-9775: Stack buffer overflow in GfxState.cc in pdftocairo that allows remote attackers to cause a denial of service (application crash) via a crafted PDF document. * Fix CVE-2017-9776: Integer overflow leading to Heap buffer overflow in JBIG2Stream.cc in pdftocairo allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a crafted PDF document. * Fix CVE-2017-9865: The function GfxImageColorMap::getGray in GfxState.cc allows remote attackers to cause a denial of service (stack-based buffer over-read and application crash) via a crafted PDF document * Fix CVE-2017-14517: NULL pointer dereference vulnerability in the XRef::parseEntry() function in XRef.cc * Fix CVE-2017-14518: Floating point exception in the isImageInterpolationRequired() function in Splash.cc * Fix CVE-2017-14519: A memory corruption may occur in a call to Object::streamGetChar * Fix CVE-2017-14520: Floating point exception in Splash::scaleImageYuXd() * Fix CVE-2017-14617: Floating point exception in the ImageStream class in Stream.cc * Fix CVE-2017-14975: NULL pointer dereference vulnerability in the FoFiType1C::convertToType0 function in FoFiType1C.cc * Fix CVE-2017-14976: Heap-based buffer over-read vulnerability in the FoFiType1C::convertToType0 function in FoFiType1C.cc * Fix CVE-2017-14977: NULL pointer dereference vulnerability in the FoFiTrueType::getCFFBlock function in FoFiTrueType.cc * Fix CVE-2017-15565: NULL Pointer Dereference in the GfxImageColorMap::getGrayLine() function in GfxState.cc postgresql-9.4 (9.4.18-0+deb8u1) jessie; urgency=medium . * New upstream version. + Fix incorrect volatility markings on a few built-in functions. postgresql-9.4 (9.4.17-0+deb8u1) jessie; urgency=medium . * New upstream version. . 
If you run an installation in which not all users are mutually trusting, or if you maintain an application or extension that is intended for use in arbitrary situations, it is strongly recommended that you read the documentation changes described in the first changelog entry below, and take suitable steps to ensure that your installation or code is secure. . Also, the changes described in the second changelog entry below may cause functions used in index expressions or materialized views to fail during auto-analyze, or when reloading from a dump. After upgrading, monitor the server logs for such problems, and fix affected functions. . + Document how to configure installations and applications to guard against search-path-dependent trojan-horse attacks from other users . Using a search_path setting that includes any schemas writable by a hostile user enables that user to capture control of queries and then run arbitrary SQL code with the permissions of the attacked user. While it is possible to write queries that are proof against such hijacking, it is notationally tedious, and it's very easy to overlook holes. Therefore, we now recommend configurations in which no untrusted schemas appear in one's search path. (CVE-2018-1058) . + Avoid use of insecure search_path settings in pg_dump and other client programs . pg_dump, pg_upgrade, vacuumdb and other PostgreSQL-provided applications were themselves vulnerable to the type of hijacking described in the previous changelog entry; since these applications are commonly run by superusers, they present particularly attractive targets. To make them secure whether or not the installation as a whole has been secured, modify them to include only the pg_catalog schema in their search_path settings. Autovacuum worker processes now do the same, as well. . 
In cases where user-provided functions are indirectly executed by these programs -- for example, user-provided functions in index expressions -- the tighter search_path may result in errors, which will need to be corrected by adjusting those user-provided functions to not assume anything about what search path they are invoked under. That has always been good practice, but now it will be necessary for correct behavior. (CVE-2018-1058) postgresql-9.4 (9.4.16-0+deb8u1) jessie; urgency=medium . * New upstream version. + Ensure that all temporary files made by pg_upgrade are non-world-readable (CVE-2018-1053) procps (2:3.3.9-9+deb8u1) jessie-security; urgency=high . * Non-maintainer upload by the Security Team. * top: Do not default to the cwd in configs_read(). (CVE-2018-1122) * ps/output.c: Fix outbuf overflows in pr_args() etc. (CVE-2018-1123) * proc/readproc.c: Fix bugs and overflows in file2strvec(). (CVE-2018-1124) * pgrep: Prevent a potential stack-based buffer overflow (CVE-2018-1125) * proc/alloc.*: Use size_t, not unsigned int. (CVE-2018-1126) prosody (0.9.7-2+deb8u4) jessie-security; urgency=high . * Non-maintainer upload by the Security Team. * mod_c2s: Do not allow the stream 'to' to change across stream restarts (CVE-2018-10847) (Closes: #900524) psensor (1.1.3-2+deb8u1) jessie; urgency=high . * Non-maintainer upload by the LTS team. * Fix CVE-2014-10073: The create_response function in server/server.c in Psensor allows Directory Traversal because it lacks a check for whether a file is under the webserver directory. (Closes: #896195) python-django (1.7.11-1+deb8u3) jessie-security; urgency=high . * Non-maintainer upload by the LTS Team. * Fix CVE-2018-7536: Denial-of-service possibility in ``urlize`` and ``urlizetrunc`` template filters * Fix CVE-2018-7537: Denial-of-service possibility in ``truncatechars_html`` and ``truncatewords_html`` template filters python-mimeparse (0.1.4-1+deb8u1) jessie; urgency=medium . 
[ Andreas Beckmann ] * Non-maintainer upload. * Backport the fix from 0.1.4-3.1 to jessie. . [ Adrian Bunk ] * Fix the python3-mimeparse dependencies. (Closes: #867439) quagga (0.99.23.1-1+deb8u5) jessie-security; urgency=high . * Non-maintainer upload by the Security Team. * bgpd/security: Fix double free of unknown attribute (CVE-2018-5379) Security issue: Quagga-2018-1114 * bgpd/security: debug print of received NOTIFY data can over-read msg array (CVE-2018-5380) Security issue: Quagga-2018-1550 * bgpd/security: fix infinite loop on certain invalid OPEN messages (CVE-2018-5381) Security issue: Quagga-2018-1975 quassel (1:0.10.0-2.3+deb8u4) jessie-security; urgency=high . * Backport upstream commit to implement a custom deserializer. Fixes possible remote code execution. (Closes: #896914) * Backport upstream commit to reject client logins before the core is configured. Fixes a DoS vulnerability. (Closes: #896915) rar (2:4.2.0+dfsg.1-0.1) jessie; urgency=medium . * Non-maintainer upload * Repacked orig tarball excludes statically linked rar (Closes: #693396, #860952) * Install dynamically linked rar and remove the lintian override for it being static * Remove lintian override for default.sfx being static, which it hasn't been for a long time reportbug (6.6.3+deb8u1) jessie; urgency=medium . * Non-maintainer upload. * Don't CC secure-testing-team@lists.alioth.debian.org anymore. The testing security team didn't exist for a long time and the mailinglist will disappear when Alioth will be decomissioned. Thanks to Moritz Muehlenhoff (Closes: #888832) rsync (3.1.1-3+deb8u1) jessie-security; urgency=high . * Non-maintainer upload by the Security Team. 
  * Enforce trailing \0 when receiving xattr name values (CVE-2017-16548)
    (Closes: #880954)
  * Check fname in recv_files sooner (CVE-2017-17433) (Closes: #883667)
  * Sanitize xname in read_ndx_and_attrs (CVE-2017-17434) (Closes: #883665)
  * Check daemon filter against fnamecmp in recv_files() (CVE-2017-17434)
    (Closes: #883665)

ruby-omniauth (1.2.1-1+deb8u1) jessie-security; urgency=high

  * Fix security issue in returning post parameters from session in callback
    phase (CVE-2017-18076) (Closes: #888523)

sam2p (0.49.2-3+deb8u2) jessie; urgency=high

  * Non-maintainer upload.
  * Fix CVE-2018-7487, CVE-2018-7551, CVE-2018-7552, CVE-2018-7553 and
    CVE-2018-7554. Multiple invalid frees and buffer-overflow vulnerabilities
    were discovered in sam2p that may lead to a denial-of-service (application
    crash) or unspecified other impact.

sdl-image1.2 (1.2.12-5+deb8u1) jessie-security; urgency=high

  * Backport various security fixes:
    - CVE-2017-2887
    - CVE-2017-12122
    - CVE-2017-14440
    - CVE-2017-14441
    - CVE-2017-14442
    - CVE-2017-14448
    - CVE-2017-14450
    - CVE-2018-3837
    - CVE-2018-3838
    - CVE-2018-3839

sensible-utils (0.0.9+deb8u1) jessie-security; urgency=high

  * Non-maintainer upload by the Security Team.
  * Argument injection in sensible-browser (CVE-2017-17512)
    Thanks to Gabriel Corona (Closes: #881767)

sharutils (1:4.14-2+deb8u1) jessie-security; urgency=medium

  * Apply patch from Petr Pisar to fix heap buffer overflow in unshar.
    This is CVE-2018-1000097. Closes: #893525.

simplesamlphp (1.13.1-2+deb8u1) jessie-security; urgency=high

  * Update by the security team for jessie.
    CVE-2017-12867 CVE-2017-12869 CVE-2017-12873 CVE-2017-12874
    CVE-2017-18121 CVE-2017-18122 CVE-2018-6519 CVE-2018-6521
    SSPSA-201802-01 (closes: #889286).

slurm-llnl (14.03.9-5+deb8u2) jessie; urgency=medium

  * Team upload.
  * slurm-client: Add Breaks+Replaces: slurm-llnl-slurmdbd (<< 14.03.9-5) for
    clean upgrades from wheezy which shipped sacctmgr there.
    (Closes: #901513)

smarty3 (3.1.21-1+deb8u2) jessie-security; urgency=medium

  * debian/patches:
    + Fix object name in 0001_CVE-2017-1000480.patch. Thanks to Côme Chilliet
      from the FusionDirectory team for spotting this.

smarty3 (3.1.21-1+deb8u1) jessie-security; urgency=medium

  * debian/patches:
    + Add 0001_CVE-2017-1000480.patch. Fixes CVE-2017-1000480.
      (Closes: #886460).

soundtouch (1.8.0-1+deb8u1) jessie; urgency=medium

  [ Gabor Karsay ]
  * Add patch to fix
    - CVE-2017-9258 (Closes: #870854)
    - CVE-2017-9259 (Closes: #870856)
    - CVE-2017-9260 (Closes: #870857)

spip (3.0.17-2+deb8u4) jessie-security; urgency=medium

  * Update security screen to 1.3.6
  * Backport security fixes from 3.0.27
    - Secure inserted URL in anchors
    - Secure URLs sent by self()
    - Escape charset in error message
    - Allow filter mode to be passed in interdire_scripts()
    - No onclick nor JS popup in footer
    - [Privacy] add rel attribute (noopener noreferrer) in private footer
    - PHP injection via XML file

squid3 (3.4.8-6+deb8u5) jessie-security; urgency=high

  * Non-maintainer upload by the Security Team.
  * ESI: make sure endofName never exceeds tagEnd (CVE-2018-1000024)
    (Closes: #888719)
  * Fix indirect IP logging for transactions without a client connection
    (CVE-2018-1000027) (Closes: #888720)

squirrelmail (2:1.4.23~svn20120406-2+deb8u2) jessie-security; urgency=high

  * Non-maintainer upload by the Security Team.
  * Path traversal vulnerability (CVE-2018-8741)
    Directory traversal flaw in Deliver.class.php can allow a remote attacker
    to retrieve or delete arbitrary files. (Closes: #893202)

strongswan (5.2.1-6+deb8u6) jessie-security; urgency=medium

  * d/p/CVE-2018-10811.patch added, fix missing initialization of a variable
    in IKEv2 key derivation (CVE-2018-10811)
  * d/p/CVE-2018-5388 added, fix insufficient validation in the stroke plugin
    (CVE-2018-5388)

subversion (1.8.10-6+deb8u6) jessie; urgency=medium

  * Backport patches/perl-swig-crash from upstream to fix crashes with Perl
    bindings, commonly seen when using git-svn (Closes: #780246, #534763).

thunderbird (1:52.8.0-1~deb8u1) jessie-security; urgency=medium

  [ Carsten Schoenert ]
  * Rebuild for jessie-security

  [ intrigeri ]
  * [acc3a6b] Revert "apparmor: allow access to @{HOME}/.gnupg/tofu.db"
    (Cherry-picked from debian/sid to not differ the Apparmor settings between
    the Debian releases)

thunderbird (1:52.7.0-1) unstable; urgency=medium

  * [9eb2692] New upstream version 52.7.0
    Fixed CVE issues in upstream version 52.7 (MFSA 2018-09)
    CVE-2018-5127: Buffer overflow manipulating SVG animatedPathSegList
    CVE-2018-5129: Out-of-bounds write with malformed IPC messages
    CVE-2018-5144: Integer overflow during Unicode conversion
    CVE-2018-5146: Out of bounds memory write in libvorbis
    CVE-2018-5125: Memory safety bugs fixed in Firefox 59, Firefox ESR 52.7,
                   and Thunderbird 52.7
    CVE-2018-5145: Memory safety bugs fixed in Firefox ESR 52.7 and
                   Thunderbird 52.7
  * [a01cf4b] Revert "Use gcc-6 and g++-6 due broken GUI with GCC-7"
    Switching now back to GCC7 as we don't have any longer issues with broken
    visuals in the GUI. (Closes: #892404)

thunderbird (1:52.7.0-1~deb9u1) stretch-security; urgency=medium

  [ Carsten Schoenert ]
  * Rebuild for stretch-security

thunderbird (1:52.7.0-1~deb8u1) jessie-security; urgency=medium

  [ Carsten Schoenert ]
  * Rebuild for jessie-security

thunderbird (1:52.6.0-1) unstable; urgency=high

  * [97e1cd7] New upstream version 52.6.0
    Fixed CVE issues in upstream version 52.6 (MFSA 2018-04)
    CVE-2018-5095: Integer overflow in Skia library during edge builder
                   allocation
    CVE-2018-5096: Use-after-free while editing form elements
    CVE-2018-5097: Use-after-free when source document is manipulated during
                   XSLT
    CVE-2018-5098: Use-after-free while manipulating form input elements
    CVE-2018-5099: Use-after-free with widget listener
    CVE-2018-5102: Use-after-free in HTML media elements
    CVE-2018-5103: Use-after-free during mouse event handling
    CVE-2018-5104: Use-after-free during font face manipulation
    CVE-2018-5117: URL spoofing with right-to-left text aligned left-to-right
    CVE-2018-5089: Memory safety bugs fixed in Firefox 58, Firefox ESR 52.6,
                   and Thunderbird 52.6
  * [0300242] rebuild patch queue from patch-queue branch
    Added patch debian-hacks/icu-use-locale.h-instead-of-xlocale.h.patch that
    fixes the build of the included ICU source against glibc 2.26.
    (Closes: #887766)
  * [4bf22e0] debian/control: increase Standards-Version to 4.1.3
    No further changes needed.
  * [3616443] adjust Vcs fields to salsa.debian.org
    The Vcs for Thunderbird packaging now lives on Salsa as Alioth will be
    shut down in the future.
  * [c2f3e14] lintian: ignore non multiarch install folder for thunderbird.pc
    Ignore a lintian warning about unavailable pkg-config file thunderbird.pc
    as the ESR versions 52.x are the last series which will have a
    thunderbird-dev. The next ESR version will be 60.x which uses
    webextension and makes thunderbird-dev obsolete.

thunderbird (1:52.6.0-1~deb9u1) stretch-security; urgency=medium

  [ Carsten Schoenert ]
  * Rebuild for stretch-security

thunderbird (1:52.6.0-1~deb8u1) jessie-security; urgency=medium

  [ Vincas Dargis ]
  * [e418a50] AppArmor: Fix Jessie AppArmor syntax error (Closes: #884217)

  [ Carsten Schoenert ]
  * [edba169] debian/rules: override target dh_autoreconf
    Don't use dh_autoreconf, Mozilla uses a wrapper around the autotools and
    we have taken care of the needed files in debian/rules for a long time
    anyway.
  * Rebuild for jessie-security

thunderbird (1:52.5.2-2) unstable; urgency=medium

  [ Carsten Schoenert ]
  * [f597157] Revert "d/thunderbird.postinst: reload AA profile on updates"
    The trigger automatics for apparmor already handle the needed reload on
    profile updates for the applications. (Closes: #885158)
  * [8ebdb96] debian/control: increase Standards-Version to 4.1.2
    No further changes needed.
  * [81a8c00] use inverse logic on version for AA profile status check
    By this change we don't enforce the disabled profile from the previous
    version in some cases and can also handle possible version strings from
    -security and -backports. (Closes: #885157)

thunderbird (1:52.5.2-2~deb9u1) stretch-security; urgency=medium

  [ Carsten Schoenert ]
  * Rebuild for stretch-security

thunderbird (1:52.5.2-2~deb8u1) jessie-security; urgency=medium

  [ Carsten Schoenert ]
  * Rebuild for jessie-security

thunderbird (1:52.5.2-1) unstable; urgency=high

  [ intrigeri ]
  * [b791221] AppArmor: support new thunderbird executable path
    (Closes: #883561, #884217)

  [ Carsten Schoenert ]
  * [1f46308] New upstream version 52.5.2
    Fixed CVE issues in upstream version 52.5 (MFSA 2017-30)
    CVE-2017-7829: Mailsploit part 1: From address with encoded null character
                   is cut off in message header display
    CVE-2017-7846: JavaScript Execution via RSS in mailbox:// origin
    CVE-2017-7847: Local path string can be leaked from RSS feed
    CVE-2017-7848: RSS Feed vulnerable to new line Injection
  * [0dd21b9] d/thunderbird.postinst: reload AA profile on updates
  * [8c57218] don't disable AA profile on package updates
    As people want to re-enable the AA profile, an update of thunderbird
    doesn't have to disable this again. (Closes: #884191)

thunderbird (1:52.5.0-1) unstable; urgency=high

  [ intrigeri ]
  * [48e6b65] AppArmor: fix the Crash Reporter and avoid noisy denial logs
    (Closes: #880953)
  * [ad8b3b5] AppArmor: fix compatibility with NVIDIA hardware
    (Closes: #880532)
  * [d8ff6b6] Disable the AppArmor profile by default
    Due to the various side effects of the enabled AppArmor profile in
    Thunderbird it's currently better for the user experience to disable the
    AppArmor profile, so that people don't get mad about too many broken
    things. Users can always enable the profile by themselves again.
    (Closes: #882672)
  * [e50eac5] README.Debian: document how to opt-in for AppArmor confinement
  * [860d325] README.Debian: document how one can debug the AppArmor profile

  [ Guido Günther ]
  * [50a8f60] Drop myself from maintainers
    Thank you Guido for always helping out if we had some questions!

  [ Carsten Schoenert ]
  * [b64509b] New upstream version 52.5.0
    Fixed CVE issues in upstream version 52.5 (MFSA 2017-26)
    CVE-2017-7828: Use-after-free of PressShell while restyling layout
    CVE-2017-7830: Cross-origin URL information leak through Resource Timing
                   API
    CVE-2017-7826: Memory safety bugs fixed in Firefox 57, Firefox ESR 52.5,
                   and Thunderbird 52.5
  * [3166018] thunderbird.links: let thunderbird point to thunderbird-bin
    (Closes: #856492)
  * [6fff70c] [buster] tb-wrapper: searching the correct dbgsym package
  * [4763ca6] adding a NEWS file for thunderbird package
    Giving a note about the now disabled AppArmor profile.
  * [0b9d656] disabling crashreporter for now
    Also don't build and ship the Crashreporter any more, it's useless until
    we can collect all symbols correctly.
  * [a285647] move AppArmor specific things into own README file
    Put all AppArmor related information into one dedicated file.
  * [5d56439] d/thunderbird.js: prepare a line for extra X-Debbugs-Cc
    A really old bug report ... building a compromise and put the requested
    extra header config into the configuration file but keep it deactivated
    as default.
    (Closes: #379304)

thunderbird (1:52.5.0-1~deb9u1) stretch-security; urgency=medium

  [ Carsten Schoenert ]
  * Rebuild for stretch-security

  * [9fb0603] Revert "[buster] tb-wrapper: searching the correct dbgsym package"
  * [3ba70b8] Revert "[buster] move thunderbird-dbg into *-dbgsym package"
  * [b16725e] Revert "[buster] remove Replace and Breaks for icedove"
  * [9cf7315] Revert "[buster] remove transitional icedove package"
  * [a1b62c0] Revert "[buster] remove Replace, Breaks and Provides for icedove-dev"
  * [435f016] Revert "[buster] remove transitional icedove-dev package"
  * [43c5ec2] Revert "[buster] remove transitional icedove-dbg package"
  * [f014c58] Revert "[buster] remove Replace, Breaks and Provides for iceowl-extension"
  * [5db94a1] Revert "[buster] remove transitional iceowl-extension package"
  * [2860355] Revert "[buster] remove Replace, Breaks and Provides for icedove-l10n-*"
  * [f148d56] Revert "[buster] remove transitional icedove-l10n-* packages"
  * [b7debd2] Revert "[buster] remove Replace, Breaks and Provides for iceowl-l10n-*"
  * [e89d082] Revert "[buster] remove transitional iceowl-l10n-* packages"

thunderbird (1:52.5.0-1~deb8u1) jessie-security; urgency=medium

  [ Carsten Schoenert ]
  * Rebuild for jessie-security

  * [d07b29f] Revert "[buster] tb-wrapper: searching the correct dbgsym package"
  * [6bd3655] Revert "[buster] move thunderbird-dbg into *-dbgsym package"
  * [5f1fa71] Revert "[buster] remove Replace and Breaks for icedove"
  * [17d9c31] Revert "[buster] remove transitional icedove package"
  * [c194e27] Revert "[buster] remove Replace, Breaks and Provides for icedove-dev"
  * [1118358] Revert "[buster] remove transitional icedove-dev package"
  * [14fefb8] Revert "[buster] remove transitional icedove-dbg package"
  * [d1f914b] Revert "[buster] remove Replace, Breaks and Provides for iceowl-extension"
  * [6f70669] Revert "[buster] remove transitional iceowl-extension package"
  * [d3976d0] Revert "[buster] remove Replace, Breaks and Provides for icedove-l10n-*"
  * [cb2c710] Revert "[buster] remove transitional icedove-l10n-* packages"
  * [7df3bd7] Revert "[buster] remove Replace, Breaks and Provides for iceowl-l10n-*"
  * [62617ed] Revert "[buster] remove transitional iceowl-l10n-* packages"

thunderbird (1:52.4.0-2~exp1) experimental; urgency=medium

  [ Carsten Schoenert ]
  * [a3e73e9] disable usage of libgnomeui parts
    The libgnomeui stuff (only relevant for GTK+2) has been deprecated for a
    long time and will be removed in buster, and we don't need this at all.
    See https://lists.debian.org/debian-devel/2017/10/msg00299.html
  * [9efc5c9] debian/watch: switch to https
  * [bd5a635] rebuild patch queue from patch-queue branch
    Fixup for [da3c5cc], add ppc64 to the list of BE architectures.
    Thanks Adrian Glaubitz for pointing out the issue. (Closes: #879270)
  * [42f5ab5] apparmor: update profile from upstream (Closes: #876333, #855346)

  [ intrigeri ]
  * [d7febc8, b026d28] AppArmor: update profile from upstream
    (Closes: #880425, #877324)
  * [377e7b5] README.Debian: fixing small typo
  * [3b0a63a] AppArmor: fix importing public OpenPGP keys from file
    (Closes: #880715)

  [ Carsten Schoenert ]
  * [241690e] d/control: s/Icedove/Thunderbird in desc's for lightning-l10n-*
    The lightning-l10n packages were still using the name 'Icedove' instead
    of 'Thunderbird'.
  * [f17f735] debian/control: moving transitional packages at bottom
  * [91f9897] autopkg: adjust icedove to thunderbird depends
    Now move over to depend in favor of thunderbird for some of the autopkg
    tests.
  * [8ae2ad7] autopkg: adjust icedove-dev to thunderbird-dev depends
    Doing the same as before for thunderbird-dev as the native replacement
    for icedove-dev.
  * [fa0134c] bump debhelper >= 10.2.5
  * [8752789] debian/rules: try to build extensions reproducible
    The two extensions (lightning and calendar-google-provider) don't build
    reproducibly right now. Trying to fix this by using the timestamp from
    the changelog entry for the files. May not work correctly and we need to
    tune more.
  * [1496368] d/thunderbird.install: also install the fonts folder
    Recent versions of Thunderbird need the font EmojiOne which isn't
    provided by any other package. (Closes: #881299)

  The following changes take effect in removing all transitional packages
  related to the old icedove packaging only for buster. We still need all
  the transitional packages in wheezy, jessie and stretch!
  * [54c8a9b] [buster] remove transitional iceowl-l10n-* packages
  * [c338630] [buster] remove Replace, Breaks and Provides for iceowl-l10n-*
  * [4311683] [buster] remove transitional icedove-l10n-* packages
  * [f6e3a01] [buster] remove Replace, Breaks and Provides for icedove-l10n-*
  * [a9117e4] [buster] remove transitional iceowl-extension package
  * [5aed012] [buster] remove Replace, Breaks and Provides for iceowl-extension
  * [27fc04b] [buster] remove transitional icedove-dbg package
  * [53b4825] [buster] remove transitional icedove-dev package
  * [e2d808f] [buster] remove Replace, Breaks and Provides for icedove-dev
  * [97edfbe] [buster] remove transitional icedove package
  * [3748054] [buster] remove Replace and Breaks for icedove
  * [611a704] [buster] move thunderbird-dbg into *-dbgsym package

thunderbird (1:52.4.0-1) unstable; urgency=medium

  [ Guido Günther ]
  * [da3c5cc] Simplify endianness selection for ICU
    Since we need to build ICU on the various Debian releases we need to
    ensure the architecture detection isn't too strict.
    Thanks Guido for helping out here!

  [ Carsten Schoenert ]
  * [47748ca] debian/control: be more relaxed on Breaks for enigmail
  * [6a54666] thunderbird-wrapper: fix small typo in help output
    A small typo had crept into the example call with the JS console.
  * [6d5266e] README.Debian: update info around tls fallback-limit
    The default behavior on the TLS fallback changed some versions ago,
    document this accordingly.
  * [24ad883] debian/control: change maintainer
    Thanks Christoph for the work over the past years!
  * [c78200e] debian/control: move src pkg name to thunderbird
    By this version we move the source package name also back to thunderbird.
    This follows the changes that are already made to the binary package
    names and we can call the source package now also again thunderbird.
    (Closes: #857075)
  * [c26133d] debian/gbp.conf: rename components to real used names
    Due to the changes of the source package the names for the sub-folders
    within the additional tarballs can also be changed to be closer to the
    real upstream used names.
  * [a5ce4f7] New upstream version 52.4.0 (Closes: #878845, #878870)
    Fixed CVE issues in upstream version 52.0 (MFSA 2017-23)
    CVE-2017-7793: Use-after-free with Fetch API
    CVE-2017-7818: Use-after-free during ARIA array manipulation
    CVE-2017-7819: Use-after-free while resizing images in design mode
    CVE-2017-7824: Buffer overflow when drawing and validating elements with
                   ANGLE
    CVE-2017-7805: Use-after-free in TLS 1.2 generating handshake hashes
    CVE-2017-7814: Blob and data URLs bypass phishing and malware protection
                   warnings
    CVE-2017-7825: OS X fonts render some Tibetan and Arabic unicode
                   characters as spaces
    CVE-2017-7823: CSP sandbox directive did not create a unique origin
    CVE-2017-7810: Memory safety bugs fixed in Firefox 56 and Firefox ESR
                   52.4, and Thunderbird 52.4
  * [104b4e5] rebuild patch queue from patch-queue branch
  * [d63662a] lintian: move oldlibs/extra -> oldlibs/optional
    By moving all transitional packages to oldlibs/optional we can help
    deborphan to better detect not needed packages.
  * [fb56001] d/rules: reflect changes from renamed component tarballs
    The additional tarballs are stored in folders which reflect the upstream
    names of those components. This also needs to be respected for the build
    instructions of the package.
  * [61288fb] debian/control: change Vcs* fields due the src name change
    Addressing the changed source package name in the Git Vcs urls.
  * [ef95ab5] debian/control: increase Standards-Version to 4.1.1
    No further changes needed.
  * [45e8fe2] apparmor: update profile from upstream
    Thanks to Simon Deziel and intrigeri we can simply use the apparmor
    profile changes done for the Ubuntu releases.
  * [6b1649c] lintian: adding a override for thunderbird-l10n-all
  * [ceab93f] debian/README.source: reflect src package name change

thunderbird (1:52.4.0-1~deb9u1) stretch-security; urgency=medium

  [ Carsten Schoenert ]
  * Rebuild for stretch-security

  [ Guido Günther ]
  * [da3c5cc] Simplify endianness selection for ICU
    Since we need to build ICU on the various Debian releases we need to
    ensure the architecture detection isn't too strict.
    Thanks Guido for helping out here!

  [ Carsten Schoenert ]
  * [47748ca] debian/control: be more relaxed on Breaks for enigmail
  * [6a54666] thunderbird-wrapper: fix small typo in help output
    A small typo had crept into the example call with the JS console.
  * [6d5266e] README.Debian: update info around tls fallback-limit
    The default behavior on the TLS fallback changed some versions ago,
    document this accordingly.
  * [24ad883] debian/control: change maintainer
    Thanks Christoph for the work over the past years!
  * [c78200e] debian/control: move src pkg name to thunderbird
    By this version we move the source package name also back to thunderbird.
    This follows the changes that are already made to the binary package
    names and we can call the source package now also again thunderbird.
    (Closes: #857075)
  * [c26133d] debian/gbp.conf: rename components to real used names
    Due to the changes of the source package the names for the sub-folders
    within the additional tarballs can also be changed to be closer to the
    real upstream used names.
  * [a5ce4f7] New upstream version 52.4.0 (Closes: #878845, #878870)
    Fixed CVE issues in upstream version 52.0 (MFSA 2017-23)
    CVE-2017-7793: Use-after-free with Fetch API
    CVE-2017-7818: Use-after-free during ARIA array manipulation
    CVE-2017-7819: Use-after-free while resizing images in design mode
    CVE-2017-7824: Buffer overflow when drawing and validating elements with
                   ANGLE
    CVE-2017-7805: Use-after-free in TLS 1.2 generating handshake hashes
    CVE-2017-7814: Blob and data URLs bypass phishing and malware protection
                   warnings
    CVE-2017-7825: OS X fonts render some Tibetan and Arabic unicode
                   characters as spaces
    CVE-2017-7823: CSP sandbox directive did not create a unique origin
    CVE-2017-7810: Memory safety bugs fixed in Firefox 56 and Firefox ESR
                   52.4, and Thunderbird 52.4
  * [104b4e5] rebuild patch queue from patch-queue branch
  * [d63662a] lintian: move oldlibs/extra -> oldlibs/optional
    By moving all transitional packages to oldlibs/optional we can help
    deborphan to better detect not needed packages.
  * [fb56001] d/rules: reflect changes from renamed component tarballs
    The additional tarballs are stored in folders which reflect the upstream
    names of those components. This also needs to be respected for the build
    instructions of the package.
  * [61288fb] debian/control: change Vcs* fields due the src name change
    Addressing the changed source package name in the Git Vcs urls.
  * [ef95ab5] debian/control: increase Standards-Version to 4.1.1
    No further changes needed.
  * [45e8fe2] apparmor: update profile from upstream
    Thanks to Simon Deziel and intrigeri we can simply use the apparmor
    profile changes done for the Ubuntu releases.
  * [6b1649c] lintian: adding a override for thunderbird-l10n-all
  * [ceab93f] debian/README.source: reflect src package name change

thunderbird (1:52.4.0-1~deb8u1) jessie-security; urgency=medium

  [ Carsten Schoenert ]
  * Rebuild for jessie-security

  [ Guido Günther ]
  * [da3c5cc] Simplify endianness selection for ICU
    Since we need to build ICU on the various Debian releases we need to
    ensure the architecture detection isn't too strict.
    Thanks Guido for helping out here!

  [ Carsten Schoenert ]
  * [47748ca] debian/control: be more relaxed on Breaks for enigmail
  * [6a54666] thunderbird-wrapper: fix small typo in help output
    A small typo had crept into the example call with the JS console.
  * [6d5266e] README.Debian: update info around tls fallback-limit
    The default behavior on the TLS fallback changed some versions ago,
    document this accordingly.
  * [24ad883] debian/control: change maintainer
    Thanks Christoph for the work over the past years!
  * [c78200e] debian/control: move src pkg name to thunderbird
    By this version we move the source package name also back to thunderbird.
    This follows the changes that are already made to the binary package
    names and we can call the source package now also again thunderbird.
    (Closes: #857075)
  * [c26133d] debian/gbp.conf: rename components to real used names
    Due to the changes of the source package the names for the sub-folders
    within the additional tarballs can also be changed to be closer to the
    real upstream used names.
  * [a5ce4f7] New upstream version 52.4.0 (Closes: #878845, #878870)
    Fixed CVE issues in upstream version 52.0 (MFSA 2017-23)
    CVE-2017-7793: Use-after-free with Fetch API
    CVE-2017-7818: Use-after-free during ARIA array manipulation
    CVE-2017-7819: Use-after-free while resizing images in design mode
    CVE-2017-7824: Buffer overflow when drawing and validating elements with
                   ANGLE
    CVE-2017-7805: Use-after-free in TLS 1.2 generating handshake hashes
    CVE-2017-7814: Blob and data URLs bypass phishing and malware protection
                   warnings
    CVE-2017-7825: OS X fonts render some Tibetan and Arabic unicode
                   characters as spaces
    CVE-2017-7823: CSP sandbox directive did not create a unique origin
    CVE-2017-7810: Memory safety bugs fixed in Firefox 56 and Firefox ESR
                   52.4, and Thunderbird 52.4
  * [104b4e5] rebuild patch queue from patch-queue branch
  * [d63662a] lintian: move oldlibs/extra -> oldlibs/optional
    By moving all transitional packages to oldlibs/optional we can help
    deborphan to better detect not needed packages.
  * [fb56001] d/rules: reflect changes from renamed component tarballs
    The additional tarballs are stored in folders which reflect the upstream
    names of those components. This also needs to be respected for the build
    instructions of the package.
  * [61288fb] debian/control: change Vcs* fields due the src name change
    Addressing the changed source package name in the Git Vcs urls.
  * [ef95ab5] debian/control: increase Standards-Version to 4.1.1
    No further changes needed.
  * [45e8fe2] apparmor: update profile from upstream
    Thanks to Simon Deziel and intrigeri we can simply use the apparmor
    profile changes done for the Ubuntu releases.
  * [6b1649c] lintian: adding a override for thunderbird-l10n-all
  * [ceab93f] debian/README.source: reflect src package name change

thunderbird (1.5.0.7-2) unstable; urgency=low

  * go through new upload ...
    reenable thunderbird-dbg
  * increase reference count for fontconfig charset
    91_fontconfig_reference_increment_388739 (Closes: 388739)

thunderbird (1.5.0.7-1) unstable; urgency=high

  * disabled new package to avoid queue new: thunderbird-dbg
  * new upstream release fixes security issues:
    + MFSA 2006-64 - CVE-2006-4571
    + MFSA 2006-63 - CVE-2006-4570
    + MFSA 2006-62 - CVE-2006-4569
    + MFSA 2006-61 - CVE-2006-4568
    + MFSA 2006-60 - CVE-2006-4340 (related to CVE-2006-4339)
    + MFSA 2006-59 - CVE-2006-4253
    + MFSA 2006-58 - CVE-2006-4567
    + MFSA 2006-57 - CVE-2006-4565, CVE-2006-4566
  * disable patch 90_gcc-extern-fix, because it has been pulled in upstream
  * disable 91_271815.overthespot.v1.2, because applied upstream

thunderbird (1.5.0.5-1) unstable; urgency=high

  * new upstream release fixes various security flaws:
    + MFSA 2006-44, CVE-2006-3801
    + MFSA 2006-46, CVE-2006-3113
    + MFSA 2006-47, CVE-2006-3802
    + MFSA 2006-48, CVE-2006-3803
    + MFSA 2006-49, CVE-2006-3804
    + MFSA 2006-50, CVE-2006-3805, CVE-2006-3806
    + MFSA 2006-51, CVE-2006-3807
    + MFSA 2006-52, CVE-2006-3808
    + MFSA 2006-53, CVE-2006-3809
    + MFSA 2006-54, CVE-2006-3810
    + MFSA 2006-55, CVE-2006-3811
  * including patch 91_271815.overthespot.v1.2.dpatch (Closes: 379936, 363814)
  * improve manpage: Document -g, --debug options (Closes: 381096)
  * update for ja.po, contributed by Kenshi Muto (Closes: 379946)
  * update for pt.po, contributed by Rui Branco (Closes: 381444)
  * Provide virtual package news-reader (Closes: 363834)
  * Apply patch which introduces ReplyToList MessageType. This is the base to
    allow extensions that provide ReplyToList button to get installed.
    Thanks to Armin Berres for pointing out this unintrusive patch.
    (Closes: 381273)
  * fix README.Debian for firefox integration as well as example of global
    pref.js (firefox.js.tmpl) (Closes: 363723)
  * further improvements for README.Debian
  * fix gnome integration program path in a hard-coded fashion in
    91_gnome_path_fix.dpatch (Closes: 365610)

thunderbird (1.5.0.4-3) unstable; urgency=critical

  * fixing gcc-4.1 ftbfs (Closes: 377176)
  * improved manpage by Bastian Kleineidam documenting -safe-mode option
    (Closes: 370254)
  * include *no xgot* patch for mips/mipsel contributed by Thiemo Seufer
    (Closes: 374882)

thunderbird (1.5.0.4-2) unstable; urgency=critical

  * fix version in install.rdf for inspector and typeaheadfind
    (Closes: 374382)
  * (last one was a new upstream release fixing various security issues
    (Closes: 373878, 373553)
  * urgency=critical

thunderbird (1.5.0.4-1) unstable; urgency=low

  * new upstream release fixing various security issues:
    MFSA 2006-42, CVE-2006-2783: Web site XSS using BOM on UTF-8 pages
    MFSA 2006-40, CVE-2006-2781: Double-free on malformed VCard
    MFSA 2006-38, CVE-2006-2778: Buffer overflow in crypto.signText()
    MFSA 2006-37, CVE-2006-2776: Remote compromise via content-defined setter
                                 on object prototypes
    MFSA 2006-35, CVE-2006-2775: Privilege escalation through XUL persist
    MFSA 2006-33, CVE-2006-2786: HTTP response smuggling
    MFSA 2006-32, CVE-2006-2779, CVE-2006-2780: Fixes for crashes with
                                 potential memory corruption
    MFSA 2006-31, CVE-2006-2787: EvalInSandbox escape (Proxy Autoconfig,
                                 Greasemonkey)
  * build depends:
    + xorg-dev -> libx11-dev, libxt-dev, libxinerama-dev, libxft-dev,
      libfreetype6-dev, libxrender-dev
    + removed binutils, coreutils and po-debconf
  * enable xinerama in debian/rules
  * fixed lintian errors:
    + do not depend on xorg dev meta package
    + debhelper depend is now versioned
    + changed package description(s) to not start with 'thunderbird'

thunderbird (1.5.0.2-3) unstable; urgency=low

  * patch-robbery from firefox package:
    + removed old mips and arm patches
    + added 50_arch_arm_fix
    + added
      50_arch_alpha_fix
    + added 50_arch_m68k_fix
    + added 50_arch_mips_Makefile_fix
    + added 50_arch_mips_fix (Closes: 357755)
    + added 50_arch_parisc_Makefile_fix
    + added 50_arch_parisc_fix
  * included install.rdf for default theme in extensions dir (Closes: 363956)
  * removed chrome.d locales.d extensions.d from var/lib/thunderbird

thunderbird (1.5.0.2-2) unstable; urgency=critical

  * debian/thunderbird.sgml. Greatly improved manpage for thunderbird, thanks
    to Sam Morris for contributing this (Closes: 361069)
  * add missing build depend to sharutils to fix ftbfs (Closes: 365539)
  * fix gnome-support package removing gnome dependencies from pure
    thunderbird package.
  * set urgency to critical which I forgot to set properly for the last upload

thunderbird (1.5.0.2-1) unstable; urgency=low

  * removed enable xprint in order to build after X11R7 transition.
  * removed xprint recommends from control file.
  * 91_fontsfix_359763.dpatch: fix for 'thunderbird shows text illegibly' for
    some encodings. (Closes: 359763)
  * myspell is now depends (Closes: 357623)
  * (re-)including 10_mips_optimization_patch
  * debian/patches/90_ppc64-build-fix.dpatch: patch for 'FTBFS (ppc64)',
    thanks to Andreas Jochens for adding the final patch to the report.
    (Closes: 361036)
  * Thanks to Bastian Kleineidam for contributing:
  * Standards version 3.6.2.1
  * Use debhelper v5 with debian/compat
  * Remove unneeded thunderbird.conffiles now that debhelper v5 is used
  * Remove CVS directories in debian/
  * Fix debian/changelog syntax errors, and convert to UTF-8
  * Fix bashism in debian/thunderbird.postrm, using 2> instead of &>.
  * Add ${misc:Depends} to thunderbird* dependencies, fixing a missing
    dependency on debconf
  * Move db_input commands from postinst into a separate thunderbird.config
    file.
  * distinct gnome-support package added. adds a good bunch of gnome build
    depends to allow module linking against gnome libs.
  * added new fhunderbird-branding in debian/fhunderbird-branding.tmpl
    (Closes: 358198)
  * use only one profile directory in configure (Closes: 358378)
  * Various security issues are fixed in this release. Namely:
    CVE-2006-1741 CVE-2006-1742 CVE-2006-1737 CVE-2006-1738 CVE-2006-1739
    CVE-2006-1740 CVE-2006-1736 CVE-2006-1735 CVE-2006-1734 CVE-2006-1733
    CVE-2006-1732 CVE-2006-0749 CVE-2006-1731 CVE-2006-1724 CVE-2006-0884
    CVE-2006-1730 CVE-2006-1729 CVE-2006-1728 CVE-2006-1727 CVE-2006-1045
    CVE-2006-0748 CVE-2006-1726 CVE-2006-1725 CVE-2005-2353 CVE-2006-1529
    CVE-2006-1530 CVE-2006-1531 CVE-2006-1723
    CVE-2006-0292/CVE-2006-0293 (Closes: 349242)
    CVE-2006-0294 CVE-2006-0295 CVE-2006-0296 CVE-2006-0297 CVE-2006-0298
    CVE-2006-0299

tiff (4.0.3-12.3+deb8u5) jessie-security; urgency=high

  [ Laszlo Boszormenyi (GCS) ]
  * Fix CVE-2017-11335: heap based buffer write overflow in tiff2pdf
    (closes: #868513).
  * Fix CVE-2017-12944: OOM prevention in TIFFReadDirEntryArray()
    (closes: #872607).
  * Fix CVE-2017-13726: reachable assertion abort in TIFFWriteDirectorySec()
    (closes: #873880).
  * Fix CVE-2017-13727: reachable assertion abort in
    TIFFWriteDirectoryTagSubifd() (closes: #873879).
  * Fix CVE-2017-18013: NULL pointer dereference in TIFFPrintDirectory()
    (closes: #885985).
  * Fix CVE-2017-9935: heap-based buffer overflow in the t2p_write_pdf()
    function (closes: #866109).

  [ Moritz Muehlenhoff ]
  * CVE-2016-10371

tomcat-native (1.1.32~repack-2+deb8u1) jessie-security; urgency=high

  * Non-maintainer upload by the LTS.
  * Fix CVE-2017-15698: When parsing the AIA-Extension field of a client
    certificate, Apache Tomcat Native did not correctly handle fields longer
    than 127 bytes. The result of the parsing error was to skip the OCSP
    check. It was therefore possible for client certificates that should have
    been rejected (if the OCSP check had been made) to be accepted. Users not
    using OCSP checks are not affected by this vulnerability.

tor (0.2.5.16-1) jessie-security; urgency=medium


  * New upstream version, including among others:
    - Fix a denial of service bug where an attacker could use a malformed
      directory object to cause a Tor instance to pause while OpenSSL would
      try to read a passphrase from the terminal. (Tor instances run without
      a terminal, which is the case for most Tor packages, are not impacted.)
      Fixes bug 24246; bugfix on every version of Tor. Also tracked as
      TROVE-2017-011 and CVE-2017-8821. Found by OSS-Fuzz as testcase
      6360145429790720.
    - When checking for replays in the INTRODUCE1 cell data for a (legacy)
      onion service, correctly detect replays in the RSA-encrypted part of
      the cell. We were previously checking for replays on the entire cell,
      but those can be circumvented due to the malleability of Tor's legacy
      hybrid encryption. This fix helps prevent a traffic confirmation
      attack. Fixes bug 24244; bugfix on 0.2.4.1-alpha. This issue is also
      tracked as TROVE-2017-009 and CVE-2017-8819.
    - When running as a relay, make sure that we never build a path through
      ourselves, even in the case where we have somehow lost the version of
      our descriptor appearing in the consensus. Fixes part of bug 21534;
      bugfix on 0.2.0.1-alpha. This issue is also tracked as TROVE-2017-012
      and CVE-2017-8822.

transmission (2.84-0.2+deb8u1) jessie-security; urgency=medium

  * Fix RPC vulnerability discovered by Tavis Ormandy

tzdata (2018e-0+deb8u1) jessie; urgency=medium

  [ Aurelien Jarno ]
  * New upstream version, affecting the following future timestamp:
    - North Korea switches back to +09 on 2018-05-05.

tzdata (2018d-1) unstable; urgency=medium

  [ Aurelien Jarno ]
  * debian/control: Update Vcs-Git and Vcs-Browser fields following the move
    to Salsa.

  [ Clint Adams ]
  * New upstream version.
  * Remove Pacific-New as a choice. closes: #815200.

tzdata (2018d-0+deb9u1) stretch; urgency=medium

  * New upstream version.

tzdata (2018d-0+deb8u1) jessie; urgency=medium

  * New upstream version.

tzdata (2018c-1) unstable; urgency=medium

  [ Aurelien Jarno ]
  * New upstream version.
  * debian/control: Update Standards-Version to 4.1.3.
  * debian/patches/quiltrc: Remove.

tzdata (2018c-0+deb9u1) stretch; urgency=medium

  * New upstream version, affecting the following past and future
    timestamps:
    - São Tomé and Príncipe switched from +00 to +01 on 2018-01-01 at 01:00.
    - Southern Brazil will begin DST on 2018-11-04 instead of 2018-10-21.
  * debian/control: Update Vcs-Git and Vcs-Browser fields following the move
    to Salsa.

tzdata (2018c-0+deb8u1) jessie; urgency=medium

  * New upstream version, affecting the following past and future
    timestamps:
    - São Tomé and Príncipe switched from +00 to +01 on 2018-01-01 at 01:00.
    - Southern Brazil will begin DST on 2018-11-04 instead of 2018-10-21.

tzdata (2018b-1) unstable; urgency=medium

  [ Aurelien Jarno ]
  * Update Russian debconf translation, by Lev Lamberov. Closes: #883876.
  * Update German debconf translation, by Holger Wansing. Closes: #884811.

  [ Clint Adams ]
  * New upstream version.

tzdata (2017c-1) unstable; urgency=medium

  * New upstream version, affecting the following future timestamp:
    - Northern Cyprus resumed EU rules starting 2017-10-29.
    - Namibia will switch from +01 with DST to +02 all year, affecting UT
      offsets starting 2018-04-01.
    - Sudan will switch from +03 to +02 on 2017-11-01.
    - Tonga will not observe DST on 2017-11-05.
    - Turks & Caicos will switch from -04 all year to -05 with US DST,
      affecting UT offset starting 2018-11-04.
  * debian/control, debian/copyright: update upstream links to use https.
  * debian/upstream/signing-key.asc: new file.
  * debian/watch: update watch file to version 4, add check for the OpenPGP
    signatures.
  * debian/control: Update Standards-Version to 4.1.1.

tzdata (2017c-0+deb9u1) stretch; urgency=medium

  * New upstream version, affecting the following future timestamp:
    - Northern Cyprus resumed EU rules starting 2017-10-29.
    - Namibia will switch from +01 with DST to +02 all year, affecting UT
      offsets starting 2018-04-01.
    - Sudan will switch from +03 to +02 on 2017-11-01.
    - Tonga will not observe DST on 2017-11-05.
    - Turks & Caicos will switch from -04 all year to -05 with US DST,
      affecting UT offset starting 2018-11-04.

uwsgi (2.0.7-1+deb8u2) jessie-security; urgency=high

  * Non-maintainer upload by the Security Team.
  * Stack-based buffer overflow in uwsgi_expand_path function
    (CVE-2018-6758) (Closes: #889753)
  * enforce php default document_root behaviour, to not show external files
    (CVE-2018-7490) (Closes: #891639)

virtualbox-guest-additions-iso (4.3.36-1+deb8u1) jessie; urgency=medium

  * New upstream bugfix release.
    - Addressed CVE-2016-0592, CVE-2016-0495, CVE-2015-8104, CVE-2015-7183,
      CVE-2015-5307, CVE-2015-7183, CVE-2015-4813, CVE-2015-4896,
      CVE-2015-3456

virtualbox-guest-additions-iso (4.3.30-1) unstable; urgency=medium

  * New upstream release.
  * Conflict with upstream proprietary packages 5.0 series.

virtualbox-guest-additions-iso (4.3.28-1) unstable; urgency=medium

  * New upstream release (Closes: #786662).

virtualbox-guest-additions-iso (4.3.26-2) unstable; urgency=medium

  * Upload to Unstable

virtualbox-guest-additions-iso (4.3.26-1) experimental; urgency=medium

  * New upstream release.
  * Conflict with upstream proprietary packages 4.3 series.

virtualbox-guest-additions-iso (4.3.24-1) experimental; urgency=medium

  * New upstream release.

virtualbox-guest-additions-iso (4.3.22-1) experimental; urgency=medium

  * New upstream release.
  * Update copyright year.

virtualbox-guest-additions-iso (4.3.20-1) experimental; urgency=medium

  * New upstream release.

wget (1.16-1+deb8u5) jessie-security; urgency=high

  * Non-maintainer upload by the Security Team.
  * Fix cookie injection (CVE-2018-0494) (Closes: #898076)

wireshark (1.12.1+g01b65bf-4+deb8u14) jessie-security; urgency=medium

  * CVE-2018-11358 CVE-2018-11362 CVE-2018-7334 CVE-2018-7335
  * CVE-2018-7419 CVE-2018-9261

wireshark (1.12.1+g01b65bf-4+deb8u13) jessie-security; urgency=medium

  * Non-maintainer upload by the Wheezy LTS Team.
  * fix for CVE-2018-5334
  * fix for CVE-2018-5335
  * fix for CVE-2018-5336
    Several parsers of wireshark could be crashed by malformed packets.

wireshark (1.12.1+g01b65bf-4+deb8u12) jessie-security; urgency=medium

  * CVE-2017-11408 CVE-2017-17083 CVE-2017-17084 CVE-2017-17085

wordpress (4.1+dfsg-1+deb8u17) jessie-security; urgency=high

  * Non-maintainer upload.
  * Fix CVE-2018-10100: the redirection URL for the login page was not
    validated or sanitized if forced to use HTTPS.
  * Fix CVE-2018-10102: the version string was not escaped in the
    get_the_generator function, and could lead to XSS in a generator tag.
    (Closes: #895034)

wordpress (4.1+dfsg-1+deb8u16) jessie-security; urgency=high

  * Backport security patches from 4.9.1
    - CVE-2017-17091 Changeset: 42296
      Use a properly generated hash for the newbloguser key instead of a
      determinate substring.
    - CVE-2017-17092 Changeset: 42299
      Remove the ability to upload JavaScript files for users who do not
      have the unfiltered_html capability
    - CVE-2017-17093 Changeset: 42297
      Add escaping to the language attributes used on html elements
    - CVE-2017-17094 Changeset: 42298
      Ensure the attributes of enclosures are correctly escaped in RSS and
      Atom feeds
  * Additional two patches for security fixes
    - CVE-2017-9066 Redirect validation patch from backports
    - CVE-2017-16510 Changeset: 42064
      Restore numbered placeholders in $wpdb->prepare

xdg-utils (1.1.0~rc1+git20111210-7.4+deb8u1) jessie-security; urgency=high

  * Fix CVE-2017-18266, closes: #898317.
    - Avoid argument injection vulnerability in open_generic.

xerces-c (3.1.1-5.1+deb8u4) jessie; urgency=medium

  * Fix CVE-2017-12627: Alberto Garcia, Francisco Oca and Suleman Ali of
    Offensive Research discovered that the Xerces-C XML parser mishandles
    certain kinds of external DTD references, resulting in dereference of a
    NULL pointer while processing the path to the DTD.
    The bug allows for a denial of service attack in applications that allow
    DTD processing and do not prevent external DTD usage, and could
    conceivably result in remote code execution.

xmltooling (1.5.3-2+deb8u3) jessie-security; urgency=high

  * [2890d0c] New patches fixing CVE-2018-0489: additional data forgery
    flaws. These flaws allow for changes to an XML document that do not
    break a digital signature but alter the user data passed through to
    applications enabling impersonation attacks and exposure of protected
    information.
    https://shibboleth.net/community/advisories/secadv_20180227.txt
    https://issues.shibboleth.net/jira/browse/CPPXT-128
    The Add-disallowDoctype-to-parser-configuration.patch is not effective
    under Xerces 3.1 in jessie, but provides more generic protection under
    Xerces 3.2 against issues like CVE-2018-0486. It's included here for
    completeness and to avoid a conflict applying the CVE-2018-0489 patch.

xmltooling (1.5.3-2+deb8u2) jessie-security; urgency=high

  * [5c2845b] Add gbp.conf for jessie
  * [0ffc343] Convert our single patch into a proper patch queue
  * [91e7acb] New patch: CVE-2018-0486: vulnerability to forged user
    attribute data
    The Service Provider software relies on a generic XML parser to process
    SAML responses and there are limitations in older versions of the parser
    that make it impossible to fully disable Document Type Definition (DTD)
    processing. Through addition/manipulation of a DTD, it's possible to
    make changes to an XML document that do not break a digital signature
    but are mishandled by the SP and its libraries. These manipulations can
    alter the user data passed through to applications behind the SP and
    result in impersonation attacks and exposure of protected information.
    While the use of XML Encryption can serve as a mitigation for this bug,
    it may still be possible to construct attacks in such cases, and the SP
    does not provide a means to enforce its use.
    CPPXT-127 - Block entity reference nodes during unmarshalling.
    https://issues.shibboleth.net/jira/browse/CPPXT-127
    Thanks to Scott Cantor
  * [49b7352] Update Uploaders: add Etienne, remove Russ, update myself

zookeeper (3.4.9-3+deb8u1) jessie-security; urgency=high

  * Team upload.
  * Fix CVE-2018-8012: No authentication/authorization is enforced when a
    server attempts to join a quorum in Apache ZooKeeper. As a result an
    arbitrary end point could join the cluster and begin propagating
    counterfeit changes to the leader. (Closes: #899332)

zookeeper (3.4.9-3) unstable; urgency=medium

  * Team upload.
  * Apply patch for CVE-2017-5637 (Closes: #863811)
    "wchp" and "wchc" are now disabled by default.

zookeeper (3.4.9-2) unstable; urgency=medium

  * Team upload.
  * Apply patch to set JAVA in the environment (Closes: #839184)
    - Thank you to Felix Dreissig.
  * Add patch for spelling corrections in upstream source.

zookeeper (3.4.9-1) unstable; urgency=medium

  * Team upload.
  * New upstream release
    - Refreshed the patches
    - Updated debian/pom.xml
  * Updated the upstream signing keys

zookeeper (3.4.8-2) unstable; urgency=medium

  * Team upload.
  * Add systemd unit file. (Closes: #830222)
    - Thanks to Felix Dreissig for the patch series.
  * Add dh-python to Build-Depends. (Closes: #830216)
    - Thanks to Felix Dreissig for the patch.
  * Standards-Version updated to 3.9.8 (no changes)

zookeeper (3.4.8-1) unstable; urgency=medium

  * Team upload.
  * New upstream release
    - Refreshed the patches
    - Updated debian/pom.xml
  * Build with ivy-debian-helper
  * Standards-Version updated to 3.9.7 (no changes)
  * Use secure Vcs-* URLs

zookeeper (3.4.7-1) unstable; urgency=medium

  * Team upload.
  * New upstream release
    - Refreshed the patches
    - Updated debian/pom.xml
  * Updated the upstream signing keys

zookeeper (3.4.6-8) unstable; urgency=medium

  * Team upload.
  * Fixed the netty dependency for libzookeeper-java (Closes: #797229)

zookeeper (3.4.6-7) unstable; urgency=medium

  * Team upload.
  * Build-dep on liblogx4cxx-dev. See transition bug #792013.
    (Closes: #794418)

zookeeper (3.4.6-6) unstable; urgency=medium

  * Team upload.
  * Depend on libnetty-3.9-java instead of libnetty-java

zookeeper (3.4.6-5) unstable; urgency=medium

  * Team upload.
  * Fixed the packaging type of the Maven artifact (pom -> jar)
  * Improved the build reproducibility:
    - Set the locale to 'en' when generating the javadoc

zookeeper (3.4.6-4) unstable; urgency=medium

  * Team upload.
  * Upload to unstable
  * Improved the build reproducibility:
    - Removed the Built-At, Built-By and Built-On entries in the manifests
    - Use the changelog date as the build date in Info.java

zookeeper (3.4.6-3) experimental; urgency=medium

  * Team upload.
  * Fixed the Maven rule for netty to work with maven-repo-helper << 1.8.10

zookeeper (3.4.6-2) experimental; urgency=medium

  * Team upload.
  * Fixed the groupId of netty in the installed pom

zookeeper (3.4.6-1) experimental; urgency=medium

  * Team upload.

  [ James Page ]
  * d/control: Bump epoch on default-jdk BD to exclude architectures which
    don't have Java 6 or better (Closes: #742405).

  [ Tim Retout ]
  * New upstream version. (Closes: #756982)
  * debian/patches: Refresh patches.

  [ Emmanuel Bourg ]
  * Install the Maven artifacts (Closes: #775893)
  * Standards-Version updated to 3.9.6 (no changes)
  * Fixed some lintian warnings related to debian/copyright
  * libzookeeper-java suggests libzookeeper-java-doc but doesn't recommend
    it
  * Install the API documentation under /usr/share/doc/libzookeeper-java
    instead of usr/share/doc/libzookeeper-java-doc
  * debian/orig-tar.sh:
    - Removed src/contrib/loggraph from the upstream tarball since it isn't
      used and is missing the source of a minimized JavaScript file
      (yui-min.js)
    - Use XZ compression for the upstream tarball
    - Delete the non filtered upstream tarball after unpacking it
  * Added the .patch extension to the patches
  * Added the missing patch descriptions

adminer (3.3.3-1+deb8u1) jessie; urgency=high

  * CVE-2018-7667: Adminer allowed unauthenticated connections to be
    initiated to arbitrary systems and ports which could bypass external
    firewalls to identify internal hosts and/or perform port scanning of
    other servers. (Closes: #893668)

apache2 (2.4.10-10+deb8u12) jessie-security; urgency=medium

  * CVE-2017-15710: mod_authnz_ldap: Out of bound write in mod_authnz_ldap
    when using too small Accept-Language values.
  * CVE-2017-15715: bypass with a trailing newline in the file name.
    Configure the regular expression engine to match '$' to the end of the
    input string only, excluding matching the end of any embedded newline
    characters. Behavior can be changed with new directive
    'RegexDefaultOptions'.
  * CVE-2018-1283: Tampering of mod_session data for CGI applications.
  * CVE-2018-1301: Possible out of bound access after failure in reading the
    HTTP request
  * CVE-2018-1303: Possible out of bound read in mod_cache_socache
  * CVE-2018-1312: mod_auth_digest: Weak Digest auth nonce generation

asterisk (1:11.13.1~dfsg-2+deb8u5) jessie-security; urgency=medium

  * CVE-2017-17090 / AST-2017-013: memory leak from chan_skinny
    (Closes: #883342).
  * Note: advisories AST-2017-009 - AST-2017-012 do not apply to asterisk 11
    (Closes: #881257, #881256).

awstats (7.2+dfsg-1+deb8u1) jessie-security; urgency=high

  * Non-maintainer upload by the Security Team.
  * Fix traversal flaw in the handling of the "config" and "migrate"
    parameters (CVE-2017-1000501) (Closes: #885835)

base-files (8+deb8u11) oldstable; urgency=medium

  * Changed /etc/debian_version to 8.11, for Debian 8.11 point release.

batik (1.7+dfsg-5+deb8u1) jessie-security; urgency=high

  * Non-maintainer upload by the LTS team.
  * Fix CVE-2017-5662: XXE information disclosure. (Closes: #860566)
  * Fix CVE-2018-8013: information disclosure when deserializing a subclass
    of AbstractDocument. (Closes: #899374)

beep (1.3-3+deb8u1) jessie-security; urgency=medium

  * CVE-2018-0492

bind9 (1:9.9.5.dfsg-9+deb8u15) jessie-security; urgency=high

  * Non-maintainer upload by the Security Team.
  * Addresses could be referenced after being freed in resolver.c, causing
    an assertion failure. (CVE-2017-3145)

blktrace (1.0.5-1+deb8u1) jessie; urgency=high

  * Fix buffer overflow in btt (CVE-2018-10689) (Closes: #897695)

bwm-ng (0.6-3.1+deb8u1) jessie; urgency=medium

  * d/rules: pass --without-libstatgrab, thanks to Mr Parked and Tiago Rocha
    for the help (closes: #855215, LP: #1502593).

clamav (0.100.0+dfsg-0+deb8u1) jessie; urgency=medium

  [ Sebastian Andrzej Siewior ]
  * New upstream release.
    - remove various documentation files including Changelog from the file
      list because they are no longer included in upstream archive.
    - update symbol file
  * Don't replace config file with sample config after debconf gets disabled
    (in milter and daemon) (Closes: #870253).
  * Add bytecode.c(l|v)d to log clamav-freshclam.logcheck.ignore.server.
    Patch by Václav Ovsík (Closes: #868766).
  * Disable the freshclam service if changed to `manual' mode so it does not
    start again after system reboot with systemd (Closes: #881780).
  * Drop "demime = *" from Debian.README for clamav, this option is
    deprecated and will be removed from exim (Closes: #881634).
  * Point Vcs-* tags to salsa.

  [ Scott Kitterman ]
  * Update README.Debian to describe how to disable apparmor for
    clamav-daemon and clamav-freshclam (Closes: #884707)

clamav (0.100.0~beta+dfsg-2) unstable; urgency=medium

  * Switch to pcre2 which is newer (Closes: #891195).
  * Cherry pick patches referenced in bb#11973 and bb#11980 to fix
    CVE-2018-0202.
  * Use compat level 11.

clamav (0.100.0~beta+dfsg-1) unstable; urgency=medium

  [ Scott Kitterman ]
  * Only create clamav user during clamav-base install if it does not exist
    (LP: #121872)
    - Thanks to Shane Williams for the patch
  * Add lintian override for clamav-freshclam:
    duplicate-updaterc.d-calls-in-postinst clamav-freshclam
  * New upstream beta release
  * Bump standards-version to 4.1.3 without further change
  * Update README.Debian to describe how to disable apparmor for
    clamav-daemon and clamav-freshclam (Closes: #884707)

  [ Sebastian Andrzej Siewior ]
  * Point Vcs-* tags to salsa.

clamav (0.99.4+dfsg-1+deb9u1) stretch; urgency=medium

  * Update to upstream 0.99.4: Fixes for CVE: CVE-2018-1000085,
    CVE-2018-0202.
  * Update the gpg signing key (the old DSA expired).
  * Update version of private symbols due to version change.
  * Bump symbol version of cl_retflevel because CL_FLEVEL changed.

clamav (0.99.4+dfsg-1+deb8u1) jessie; urgency=medium

  * Update to upstream 0.99.4: Fixes for CVE: CVE-2018-1000085,
    CVE-2018-0202.
  * Update the gpg signing key (the old DSA expired).
  * Update version of private symbols due to version change.
  * Bump symbol version of cl_retflevel because CL_FLEVEL changed.

clamav (0.99.3~snapshot20170704+dfsg-1) experimental; urgency=medium

  * Update to upstream snapshot (commit
    144ef69462427b63a650294257c892b047601aac):
    - add config options
    - boost symbol file
    - drop applied patches:
      - Allow-M-suffix-for-PCREMaxFileSize.patch
      - bb11549-fix-temp-file-cleanup-issue.patch
      - clamav_add_private_fts_implementation.patch
      - drop-AllowSupplementaryGroups-option-and-make-it-def.patch
      - fix-ssize_t-size_t-off_t-printf-modifier.patch
      - libclamav-use-libmspack.patch
      - make_it_compile_against_openssl_1_1_0.patch
    - add new ones:
      - fts-no-use-AC_TRY_RUN.patch
      - clamsubmit-add-JSON-libs-to-clamsubmit.patch

clamav (0.99.3~beta2+dfsg-1) unstable; urgency=medium

  * Update upstream's signing gpg key
  * Update to beta2:
    - freshclam does not complain that clamav is outdated (Closes: #873401).
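The apache2 entry for CVE-2017-15715 above says that '$' in a file-name expression could match before a trailing newline and that the fix makes '$' match only the true end of the string. The Python example below is added here to make that behaviour visible; it is not httpd code, and the handler pattern, the toy upload filter and the file names are constructed for the example. Python's re module gives '$' the same end-or-before-final-newline semantics as PCRE's default, and '\Z' the end-only semantics that httpd's RegexDefaultOptions DollarEndOnly selects, so the rewrite from '$' to '\Z' stands in for that directive.

```python
import re

# Constructed handler rule in the spirit of a "<FilesMatch "\.php$">" block.
# Assumption for this example, not a copy of any shipped configuration.
HANDLER_PATTERN = r"\.php$"


def upload_filter_allows(filename: str) -> bool:
    """Toy upload gate that rejects names ending in '.php' by plain suffix
    comparison.  It treats 'evil.php' followed by a newline as harmless,
    which is exactly the mismatch the bypass relies on."""
    return not filename.endswith(".php")


def handler_matches(pattern: str, filename: str, dollar_end_only: bool = False) -> bool:
    """Emulate the FilesMatch decision for one file name.

    By default both PCRE and Python's re let '$' match just before a trailing
    newline as well as at the true end of the string.  With dollar_end_only
    every unescaped '$' is rewritten to '\\Z', which matches only at the true
    end; that mirrors httpd's RegexDefaultOptions DollarEndOnly
    (PCRE_DOLLAR_ENDONLY).  The rewrite is deliberately simple and does not
    special-case a '$' inside a character class.
    """
    if dollar_end_only:
        pattern = re.sub(r"(?<!\\)\$", r"\\Z", pattern)
    return re.search(pattern, filename) is not None


def would_execute(filename: str, dollar_end_only: bool = False) -> bool:
    """True when the upload gate lets the name through AND the handler rule
    would then hand the file to the PHP handler."""
    return upload_filter_allows(filename) and handler_matches(
        HANDLER_PATTERN, filename, dollar_end_only
    )


if __name__ == "__main__":
    for name in ("evil.php", "evil.php\n", "notes.txt"):
        print(repr(name),
              "default:", would_execute(name),
              "DollarEndOnly:", would_execute(name, dollar_end_only=True))
```

Running the block shows the name with the trailing newline passing the upload gate and still reaching the handler under the default '$' semantics, and being refused by the handler once '$' is end-only. The same check applies to any deny-list that relies on '$' in a different regex engine than the one that later dispatches the file.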
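The tomcat-native entry for CVE-2017-15698 above says the AIA extension parser mishandled fields longer than 127 bytes. 127 is the largest value DER can carry in its one-byte short-form length; longer fields use the long form, whose first byte is 0x80 | n and announces n following length bytes. The Python example below is added here to show that boundary with a correct decoder beside a short-form-only one; it is not tomcat-native's code, and reading the 127-byte limit as the DER short/long-form boundary is my interpretation of the entry, not something the changelog states. The OCTET STRING payloads are constructed for the example.

```python
def encode_der_length(length: int) -> bytes:
    """Encode a DER length: one byte for 0..127, long form above that."""
    if length < 0:
        raise ValueError("negative length")
    if length < 0x80:
        return bytes([length])
    body = length.to_bytes((length.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def decode_der_length(buf: bytes, offset: int = 0) -> tuple:
    """Return (length, bytes_consumed) for the DER length at buf[offset].

    Handles both forms and rejects the indefinite form (0x80), oversized
    length-of-length values and non-minimal encodings, all forbidden in DER."""
    first = buf[offset]
    if first < 0x80:
        return first, 1
    n = first & 0x7F
    if n == 0 or n > 4:
        raise ValueError("indefinite or oversized length")
    end = offset + 1 + n
    if end > len(buf):
        raise ValueError("truncated length")
    body = buf[offset + 1:end]
    if body[0] == 0 or (n == 1 and body[0] < 0x80):
        raise ValueError("non-minimal length encoding")
    return int.from_bytes(body, "big"), 1 + n


def decode_der_length_short_only(buf: bytes, offset: int = 0) -> tuple:
    """Deliberately incomplete decoder that assumes every length fits in one
    byte.  Above 127 it takes the long-form header byte (0x80 | n) as the
    length itself, so every following offset is wrong."""
    return buf[offset], 1


def parse_octet_string(tlv: bytes, decoder=decode_der_length) -> bytes:
    """Parse one DER OCTET STRING (tag 0x04) and return its payload, insisting
    that the declared length covers exactly the rest of the TLV."""
    if tlv[0] != 0x04:
        raise ValueError("not an OCTET STRING")
    length, consumed = decoder(tlv, 1)
    start = 1 + consumed
    if start + length != len(tlv):
        raise ValueError("declared length does not match payload")
    return tlv[start:start + length]


def octet_string(payload: bytes) -> bytes:
    """Build a DER OCTET STRING around a payload (used to construct samples)."""
    return b"\x04" + encode_der_length(len(payload)) + payload


if __name__ == "__main__":
    for size in (127, 128, 300):
        tlv = octet_string(b"A" * size)  # constructed sample payloads
        strict = parse_octet_string(tlv)
        try:
            naive = parse_octet_string(tlv, decode_der_length_short_only)
            verdict = "same" if naive == strict else f"wrong ({len(naive)} bytes)"
        except ValueError as exc:
            verdict = f"rejected: {exc}"
        print(f"{size:>3}-byte field: strict ok, short-form-only {verdict}")
```

The 127-byte field decodes identically under both decoders; at 128 bytes the short-form-only decoder silently returns a 129-byte payload that starts with the stray 0x80 length byte, and at 300 bytes its offsets no longer line up and the parse fails. Either outcome is what a caller has to treat as a hard error rather than a reason to skip the check that depends on the field.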

clamav (0.99.3~beta1+dfsg-4) unstable; urgency=medium

  * Ignore errors from update-rc.d in freshclam postinst (Closes: #882323).
  * Drop dh-systemd & autoreconf from B-D.

clamav (0.99.3~beta1+dfsg-3) unstable; urgency=medium

  * Drop "demime = *" from Debian.README for clamav, this option is gone
    from exim (Closes: #881634).
  * Use "ucf" instead of "ucp" in clamav-milter's postinst.
  * Disable LLVM support due to 3.8 removal (Closes: #873401).
  * Disable the freshclam service if changed to `manual' mode so it does
    start again after system reboot with systemd (Closes: #881780).
  * Bump standards version to 4.1.1 without further change.
  * Allow to build as non root user.
  * Update dh compat level 10

clamav (0.99.3~beta1+dfsg-2) unstable; urgency=medium

  * Build again against system's libmspack (dropped by accident)
    (Closes: #872594).
  * Don't replace config file with sample config after debconf gets disabled
    (in milter and daemon) (Closes: #870253).
  * Update standards to 4.0.1
    - use invoke-rc.d instead of /etc/init.d.
    - drop priority extra from clamav-milter.
  * Add bytecode.c(l|v)d to log clamav-freshclam.logcheck.ignore.server.
    Patch by Václav Ovsík (Closes: #868766).

clamav (0.99.3~beta1+dfsg-1) unstable; urgency=medium

  * Upload to unstable
  * update to official beta1 release:
    - drop fts-no-use-AC_TRY_RUN.patch, applied upstream.

clamav (0.99.2+dfsg-6+deb9u1) stretch; urgency=medium

  * Apply security patches from 0.99.3 (Closes: #888484):
    - fixes for the following CVEs: CVE-2017-6418, CVE-2017-6420,
      CVE-2017-12374, CVE-2017-12375, CVE-2017-12376, CVE-2017-12377,
      CVE-2017-12378, CVE-2017-12379, CVE-2017-12380.
  * Bump symbol version of cl_retflevel because CL_FLEVEL changed.

clamav (0.99.2+dfsg-6) unstable; urgency=medium

  * Fix detection of curl. Patch by Reiner Herrmann (Closes: #852894).

clamav (0.99.2+dfsg-5) unstable; urgency=medium

  [ Andreas Cadhalpun ]
  * Add patches to support LLVM 3.7-3.9.
  * Re-enable llvm support.
  * Update embedded-library lintian override for multiarch locations.
  * Update standards version to 3.9.8. (no changes needed)
  * Mark clamav-docs and clamav-testfiles as Multi-Arch foreign and
    libclamav7 as same.
  * Fix spelling errors in the debian files. (Closes: #825055)
  * Remove unused package-contains-timestamped-gzip lintian-override.
  * Fix wildcard-matches-nothing-in-dep5-copyright lintian warning.

  [ Sebastian Andrzej Siewior ]
  * Remove clamav-daemon.service.d on purge (Closes: #842074).
  * Fix FTCBFS: Annotate interpreter dependencies with :native. Patch by
    Helmut Grohne (Closes: #844066).
  * Drop bc from B-D, it seems we no longer need it.
  * Cherry-pick patch from bb11549 to fix a temp file cleanup issue
    (Closes: #824196).

clamav (0.99.2+dfsg-4) unstable; urgency=medium

  * Remove Stephen Gran as Uploader and thank you for your work
    (Closes: #838405).
  * Drop llvm support for now. The bytecode will be interpreted by clamav
    instead of llvm's JIT - there is loss in functionality. It will come
    back once we have llvm support again (Closes: #839850).

clamav (0.99.2+dfsg-3) unstable; urgency=medium

  * BD on dh-strip-nondeterminism.
  * get it compiled against openssl 1.1.0 (Closes: #828083).
  * Drop support for clamav-daemon.socket. Should avoid restart loops if
    clamd crashes on start (via OOM for instance). (Closes: #824042).

clamav (0.99.2+dfsg-2) unstable; urgency=medium

  * Ensure the users of PRIVATE symbols (clamd + freshclam) do not fall
    behind an upstream version (Closes: #824485).

clamav (0.99.2+dfsg-1) unstable; urgency=medium

  [ Sebastian Andrzej Siewior ]
  * also remove bytecode.cld on purge
  * Update to new upstream release 0.99.2
  * Drop AllowSupplementaryGroups option which is default now
    (Closes: #822445).
  * Let the LSB init script have more consistent output. Patch by Guillem
    Jover (Closes: #823074).

clamav (0.99.2+dfsg-0+deb8u3) jessie; urgency=medium

  * Apply security patches from 0.99.3 (Closes: #888484):
    - fixes for the following CVEs: CVE-2017-6418, CVE-2017-6420,
      CVE-2017-12374, CVE-2017-12375, CVE-2017-12376, CVE-2017-12377,
      CVE-2017-12378, CVE-2017-12379, CVE-2017-12380.
  * Bump symbol version of cl_retflevel because CL_FLEVEL changed.
  * Cherry-pick patch from bb11549 to fix a temp file cleanup issue
    (Closes: #824196).

curl (7.38.0-4+deb8u11) jessie-security; urgency=high

  * Fix heap buffer over-read when parsing bad RTSP headers as per
    CVE-2018-1000301 https://curl.haxx.se/docs/adv_2018-b138.html

curl (7.38.0-4+deb8u10) jessie-security; urgency=high

  * Fix NIL byte out of bounds write due to FTP path trickery as per
    CVE-2018-1000120 https://curl.haxx.se/docs/adv_2018-9cd6.html
  * Fix LDAP NULL pointer dereference as per CVE-2018-1000121
    https://curl.haxx.se/docs/adv_2018-97a2.html
  * Fix RTSP RTP buffer over-read as per CVE-2018-1000122
    https://curl.haxx.se/docs/adv_2018-b047.html

curl (7.38.0-4+deb8u9) jessie-security; urgency=high

  * Fix HTTP authentication leak in redirects as per CVE-2018-1000007
    https://curl.haxx.se/docs/adv_2018-b3bf.html

debian-installer (20150422+deb8u5) jessie; urgency=medium

  * Bump Linux kernel ABI from 3.16.0-4 to 3.16.0-6

debian-installer-netboot-images (20150422+deb8u5) jessie; urgency=medium

  * 20150422+deb8u5 images, from jessie-proposed-updates

debian-security-support (2018.01.29~deb8u1) oldstable-proposed-updates; urgency=medium

  * Rebuild for jessie

debian-security-support (2017.06.02) unstable; urgency=medium

  [ Moritz Muehlenhoff ]
  * Remove acidbase entry from security-support-limited, it's been removed
    and is no longer present in any currently supported suite
  * Mark trn as unsupported in jessie, it got removed in 8.6
  * Mark sogo as unsupported in jessie, it got removed in 8.7
  * Mark dotclear as unsupported in jessie, it got removed in 8.7

  [ Raphaël Hertzog ]
  * Mark autotrace as unsupported in wheezy.

  [ Chris Lamb ]
  * Mark ioquake3 as unsupported in wheezy.

  [ Guido Günther ]
  * Mark freebsd-* as unsupported in wheezy.
  * Mark cgiemail as unsupported in jessie, it got removed in 8.8.
  * Mark owncloud as unsupported in jessie, it got removed in 8.8.
  * Mark owncloud-app as unsupported in jessie, it got removed in 8.8.
  * d/control: Use https Git URL

dh-make-perl (0.84-2+deb8u1) jessie; urgency=medium

  [ Manfred Stock ]
  * Support Contents files without header. Current versions of the Contents
    files in the Debian archive don't seem to contain a header anymore,
    which kind-of breaks the parser, as it only processed lines after the
    line matched by the regular expression ^FILE\s+LOCATION. Since the
    regular expression which is used to parse the file column of the
    Contents files looks robust enough, it seems like this check can be
    dropped.

    Closes: #851848

dns-root-data (2017072601~deb8u2) jessie; urgency=medium

  [ Ondřej Surý ]
  * Update IANA DNSSEC files to 2017-02-02 versions
  * Strip the GPG verification (IANA doesn't provide it anymore)
  * Rewrite DS creation check (Closes: #877683)

  [ Daniel Kahn Gillmor ]
  * added myself to uploaders

dovecot (1:2.2.13-12~deb8u4) jessie-security; urgency=high

  * [eb6eab8] Fix CVE-2017-14461: rfc822_parse_domain information leak
    (Closes: #891819)
  * [df2ccf9] Fix CVE-2017-15130: TLS SNI config lookups are inefficient
    and can be used for DoS (Closes: #891820)
    + Use dh-autoreconf, as src/Makefile.in needs to be regenerated. Also
      disable dovecot_name.patch, since it changes dovecot's banner in
      conjunction with dh_autoreconf.
  * [292742f] Fix CVE-2017-15132: memory leak on aborted SASL auth
    (Closes: #888432)
  * [3e2ccd1] Add myself to Uploaders

drupal7 (7.32-1+deb8u12) jessie-security; urgency=high

  * Move repository from Alioth to Salsa; update Vcs-Git and Vcs-Browser
    accordingly
  * SA-CORE-2018-004: Fix remote code execution vulnerability
    (CVE-2018-7602) (Closes: #896701)

drupal7 (7.32-1+deb8u11) jessie-security; urgency=high

  * Non-maintainer upload by the Security Team.
  * SA-CORE-2018-002: Fix remote code execution vulnerability
    (CVE-2018-7600) (Closes: #894259)

drupal7 (7.32-1+deb8u10) jessie-security; urgency=high

  * Fixes multiple security vulnerabilities, grouped under Drupal's
    SA-CORE-2018-001 (CVEs yet unassigned):
    - External link injection on 404 pages when linking to the current page
      (Closes: #891154)
    - jQuery vulnerability with untrusted domains (Closes: #891153)
    - Private file access bypass (Closes: #891152)
    - JavaScript cross-site scripting prevention is incomplete
      (Closes: #891150)

enigmail (2:1.9.9-1~deb8u1) jessie-security; urgency=high

  * Rebuild for jessie-security

enigmail (2:1.9.9-1) unstable; urgency=medium

  * new upstream release
  * Standards-Version: bump to 4.1.2 (no changes needed)
  * drop patch already upstreamed
  * debian/changelog: drop trailing whitespace

enigmail (2:1.9.8.3-1) unstable; urgency=medium

  * New upstream release
  * Standards-Version: bump to 4.1.1 (no changes needed)

enigmail (2:1.9.8.2-2) unstable; urgency=medium

  * fix memoryhole protected header force-display part

enigmail (2:1.9.8.2-1) unstable; urgency=medium

  * New upstream bugfix release
  * refresh patches
  * clean up debian/copyright
  * clean up licensing in About dialog box (from upstream)
  * Standards-Version: bump to 4.1.0 (no changes needed)

enigmail (2:1.9.8.1-1) unstable; urgency=medium

  * new upstream release

enigmail (2:1.9.8.1-1~deb9u1) stretch-security; urgency=medium

  * Rebuild for stretch-security (Closes: #869774)

enigmail (2:1.9.8-1) unstable; urgency=medium

  * New upstream release.
  * Standards-Version to 4.0.0 (no changes needed)
  * use dpkg/pkg-info.mk instead of dpkg-parsechangelog
  * use wrap-and-sort -ast

erlang (1:17.3-dfsg-4+deb8u2) jessie-security; urgency=high

  * Applied a patch from the upstream which fixes CVE-2017-1000385
    vulnerability (TLS server vulnerable to Adaptive Chosen Ciphertext
    attack allowing plaintext recovery or MITM attack).

exim4 (4.84.2-2+deb8u5) jessie-security; urgency=high

  * Non-maintainer upload by the Security Team.
  * Fix base64d() buffer size (CVE-2018-6789) (Closes: #890000)

faad2 (2.7-8+deb8u1) jessie; urgency=high

  * Non-maintainer upload.
  * Fix CVE-2017-9218, CVE-2017-9219, CVE-2017-9220, CVE-2017-9221,
    CVE-2017-9222, CVE-2017-9223, CVE-2017-9253, CVE-2017-9254,
    CVE-2017-9255, CVE-2017-9256, CVE-2017-9257.
    Various issues were discovered in faad2, a fast audio decoder, that
    could cause a denial of service (large loop and CPU consumption) via a
    crafted mp4 file. (Closes: #889915)

file (1:5.22+15-2+deb8u4) oldstable; urgency=high

  * Avoid reading past the end of buffer. Closes: #901351 [CVE-2018-10360]

firefox-esr (52.8.1esr-1~deb8u1) jessie-security; urgency=medium

  * New upstream release.
  * Fixes for mfsa2018-14, also known as CVE-2018-6126.

  * debian/control*: Update Maintainer and Vcs fields, moving off alioth.
    Closes: #899509

firefox-esr (52.8.0esr-1~deb8u1) jessie-security; urgency=medium

  * New upstream release.
  * Fixes for mfsa2018-12, also known as CVE-2018-5183, CVE-2018-5154,
    CVE-2018-5155, CVE-2018-5157, CVE-2018-5158, CVE-2018-5159,
    CVE-2018-5168, CVE-2018-5178, CVE-2018-5150.

firefox-esr (52.7.3esr-1~deb8u1) jessie-security; urgency=medium

  * New upstream release.
  * Fixes for mfsa2018-10, also known as CVE-2018-5148.

firefox-esr (52.7.2esr-1~deb8u1) jessie-security; urgency=medium

  * New upstream release.
  * Fixes for mfsa2018-08, also known as CVE-2018-5146, CVE-2018-5147.

firefox-esr (52.7.1esr-1~deb8u1) jessie-security; urgency=medium

  * New upstream release.
  * Fixes for mfsa2018-07, also known as CVE-2018-5127, CVE-2018-5129,
    CVE-2018-5130, CVE-2018-5131, CVE-2018-5144, CVE-2018-5125,
    CVE-2018-5145.

  * intl/icu/source/i18n/digitlst.cpp: Apply part of
    http://bugs.icu-project.org/trac/changeset/40603 to fix FTBFS with
    glibc 2.26 on big endian platforms.

firefox-esr (52.6.0esr-1~deb8u1) jessie-security; urgency=medium

  * New upstream release.
  * Fixes for mfsa2018-03, also known as CVE-2018-5091, CVE-2018-5095,
    CVE-2018-5096, CVE-2018-5097, CVE-2018-5098, CVE-2018-5099,
    CVE-2018-5102, CVE-2018-5103, CVE-2018-5104, CVE-2018-5117,
    CVE-2018-5089.

firefox-esr (52.5.2esr-1~deb8u1) jessie-security; urgency=medium

  * New upstream release.
  * Fixes for mfsa2017-28, also known as CVE-2017-7843.

firefox-esr (52.8.0esr-1) unstable; urgency=medium

  * New upstream release.
  * Fixes for mfsa2018-12, also known as CVE-2018-5183, CVE-2018-5154,
    CVE-2018-5155, CVE-2018-5157, CVE-2018-5158, CVE-2018-5159,
    CVE-2018-5168, CVE-2018-5178, CVE-2018-5150.

firefox-esr (52.8.0esr-1~deb9u1) stretch-security; urgency=medium

  * New upstream release.
  * Fixes for mfsa2018-12, also known as CVE-2018-5183, CVE-2018-5154,
    CVE-2018-5155, CVE-2018-5157, CVE-2018-5158, CVE-2018-5159,
    CVE-2018-5168, CVE-2018-5178, CVE-2018-5150.

firefox-esr (52.7.3esr-1~deb9u1) stretch-security; urgency=medium

  * New upstream release.
  * Fixes for mfsa2018-10, also known as CVE-2018-5148.

firefox-esr (52.7.2esr-1~deb9u1) stretch-security; urgency=medium

  * New upstream release.
  * Fixes for mfsa2018-08, also known as CVE-2018-5146, CVE-2018-5147.

firefox-esr (52.7.1esr-1~deb9u1) stretch-security; urgency=medium

  * New upstream release.
  * Fixes for mfsa2018-07, also known as CVE-2018-5127, CVE-2018-5129,
    CVE-2018-5130, CVE-2018-5131, CVE-2018-5144, CVE-2018-5125,
    CVE-2018-5145.

  * intl/icu/source/i18n/digitlst.cpp: Apply part of
    http://bugs.icu-project.org/trac/changeset/40603 to fix FTBFS with
    glibc 2.26 on big endian platforms.

firefox-esr (52.8.0esr-1~deb8u1) jessie-security; urgency=medium

  * New upstream release.
  * Fixes for mfsa2018-12, also known as CVE-2018-5183, CVE-2018-5154,
    CVE-2018-5155, CVE-2018-5157, CVE-2018-5158, CVE-2018-5159, CVE-2018-5168,
    CVE-2018-5178, CVE-2018-5150.

firefox-esr (52.7.3esr-1~deb8u1) jessie-security; urgency=medium

  * New upstream release.
  * Fixes for mfsa2018-10, also known as CVE-2018-5148.

firefox-esr (52.7.2esr-1~deb8u1) jessie-security; urgency=medium

  * New upstream release.
  * Fixes for mfsa2018-08, also known as CVE-2018-5146, CVE-2018-5147.

firefox-esr (52.7.1esr-1~deb8u1) jessie-security; urgency=medium

  * New upstream release.
  * Fixes for mfsa2018-07, also known as CVE-2018-5127, CVE-2018-5129,
    CVE-2018-5130, CVE-2018-5131, CVE-2018-5144, CVE-2018-5125, CVE-2018-5145.

  * intl/icu/source/i18n/digitlst.cpp: Apply part of
    http://bugs.icu-project.org/trac/changeset/40603 to fix FTBFS with
    glibc 2.26 on big endian platforms.

firefox-esr (52.6.0esr-1~deb8u1) jessie-security; urgency=medium

  * New upstream release.
  * Fixes for mfsa2018-03, also known as CVE-2018-5091, CVE-2018-5095,
    CVE-2018-5096, CVE-2018-5097, CVE-2018-5098, CVE-2018-5099, CVE-2018-5102,
    CVE-2018-5103, CVE-2018-5104, CVE-2018-5117, CVE-2018-5089.

firefox-esr (52.5.2esr-1~deb8u1) jessie-security; urgency=medium

  * New upstream release.
  * Fixes for mfsa2017-28, also known as CVE-2017-7843.

firefox-esr (52.7.3esr-1) unstable; urgency=medium

  * New upstream release.
  * Fixes for mfsa2018-10, also known as CVE-2018-5148.

firefox-esr (52.7.3esr-1~deb9u1) stretch-security; urgency=medium

  * New upstream release.
  * Fixes for mfsa2018-10, also known as CVE-2018-5148.

firefox-esr (52.7.2esr-1~deb9u1) stretch-security; urgency=medium

  * New upstream release.
  * Fixes for mfsa2018-08, also known as CVE-2018-5146, CVE-2018-5147.

firefox-esr (52.7.1esr-1~deb9u1) stretch-security; urgency=medium

  * New upstream release.
  * Fixes for mfsa2018-07, also known as CVE-2018-5127, CVE-2018-5129,
    CVE-2018-5130, CVE-2018-5131, CVE-2018-5144, CVE-2018-5125, CVE-2018-5145.

  * intl/icu/source/i18n/digitlst.cpp: Apply part of
    http://bugs.icu-project.org/trac/changeset/40603 to fix FTBFS with
    glibc 2.26 on big endian platforms.

firefox-esr (52.7.3esr-1~deb8u1) jessie-security; urgency=medium

  * New upstream release.
  * Fixes for mfsa2018-10, also known as CVE-2018-5148.

firefox-esr (52.7.2esr-1~deb8u1) jessie-security; urgency=medium

  * New upstream release.
  * Fixes for mfsa2018-08, also known as CVE-2018-5146, CVE-2018-5147.

firefox-esr (52.7.1esr-1~deb8u1) jessie-security; urgency=medium

  * New upstream release.
  * Fixes for mfsa2018-07, also known as CVE-2018-5127, CVE-2018-5129,
    CVE-2018-5130, CVE-2018-5131, CVE-2018-5144, CVE-2018-5125, CVE-2018-5145.

  * intl/icu/source/i18n/digitlst.cpp: Apply part of
    http://bugs.icu-project.org/trac/changeset/40603 to fix FTBFS with
    glibc 2.26 on big endian platforms.

firefox-esr (52.6.0esr-1~deb8u1) jessie-security; urgency=medium

  * New upstream release.
  * Fixes for mfsa2018-03, also known as CVE-2018-5091, CVE-2018-5095,
    CVE-2018-5096, CVE-2018-5097, CVE-2018-5098, CVE-2018-5099, CVE-2018-5102,
    CVE-2018-5103, CVE-2018-5104, CVE-2018-5117, CVE-2018-5089.

firefox-esr (52.5.2esr-1~deb8u1) jessie-security; urgency=medium

  * New upstream release.
  * Fixes for mfsa2017-28, also known as CVE-2017-7843.

firefox-esr (52.7.2esr-1) unstable; urgency=medium

  * New upstream release.
  * Fixes for mfsa2018-08, also known as CVE-2018-5146, CVE-2018-5147.

firefox-esr (52.7.2esr-1~deb9u1) stretch-security; urgency=medium

  * New upstream release.
  * Fixes for mfsa2018-08, also known as CVE-2018-5146, CVE-2018-5147.

firefox-esr (52.7.1esr-1~deb9u1) stretch-security; urgency=medium

  * New upstream release.
  * Fixes for mfsa2018-07, also known as CVE-2018-5127, CVE-2018-5129,
    CVE-2018-5130, CVE-2018-5131, CVE-2018-5144, CVE-2018-5125, CVE-2018-5145.

  * intl/icu/source/i18n/digitlst.cpp: Apply part of
    http://bugs.icu-project.org/trac/changeset/40603 to fix FTBFS with
    glibc 2.26 on big endian platforms.

firefox-esr (52.7.2esr-1~deb8u1) jessie-security; urgency=medium

  * New upstream release.
  * Fixes for mfsa2018-08, also known as CVE-2018-5146, CVE-2018-5147.

firefox-esr (52.7.1esr-1~deb8u1) jessie-security; urgency=medium

  * New upstream release.
  * Fixes for mfsa2018-07, also known as CVE-2018-5127, CVE-2018-5129,
    CVE-2018-5130, CVE-2018-5131, CVE-2018-5144, CVE-2018-5125, CVE-2018-5145.

  * intl/icu/source/i18n/digitlst.cpp: Apply part of
    http://bugs.icu-project.org/trac/changeset/40603 to fix FTBFS with
    glibc 2.26 on big endian platforms.

firefox-esr (52.6.0esr-1~deb8u1) jessie-security; urgency=medium

  * New upstream release.
  * Fixes for mfsa2018-03, also known as CVE-2018-5091, CVE-2018-5095,
    CVE-2018-5096, CVE-2018-5097, CVE-2018-5098, CVE-2018-5099, CVE-2018-5102,
    CVE-2018-5103, CVE-2018-5104, CVE-2018-5117, CVE-2018-5089.

firefox-esr (52.5.2esr-1~deb8u1) jessie-security; urgency=medium

  * New upstream release.
  * Fixes for mfsa2017-28, also known as CVE-2017-7843.

firefox-esr (52.7.1esr-1) unstable; urgency=medium

  * New upstream release.
    - Fixes search engines in Italian locale.

firefox-esr (52.7.1esr-1~deb9u1) stretch-security; urgency=medium

  * New upstream release.
  * Fixes for mfsa2018-07, also known as CVE-2018-5127, CVE-2018-5129,
    CVE-2018-5130, CVE-2018-5131, CVE-2018-5144, CVE-2018-5125, CVE-2018-5145.

  * intl/icu/source/i18n/digitlst.cpp: Apply part of
    http://bugs.icu-project.org/trac/changeset/40603 to fix FTBFS with
    glibc 2.26 on big endian platforms.

firefox-esr (52.7.1esr-1~deb8u1) jessie-security; urgency=medium

  * New upstream release.
  * Fixes for mfsa2018-07, also known as CVE-2018-5127, CVE-2018-5129,
    CVE-2018-5130, CVE-2018-5131, CVE-2018-5144, CVE-2018-5125, CVE-2018-5145.

  * intl/icu/source/i18n/digitlst.cpp: Apply part of
    http://bugs.icu-project.org/trac/changeset/40603 to fix FTBFS with
    glibc 2.26 on big endian platforms.

firefox-esr (52.6.0esr-1~deb8u1) jessie-security; urgency=medium

  * New upstream release.
  * Fixes for mfsa2018-03, also known as CVE-2018-5091, CVE-2018-5095,
    CVE-2018-5096, CVE-2018-5097, CVE-2018-5098, CVE-2018-5099, CVE-2018-5102,
    CVE-2018-5103, CVE-2018-5104, CVE-2018-5117, CVE-2018-5089.

firefox-esr (52.5.2esr-1~deb8u1) jessie-security; urgency=medium

  * New upstream release.
  * Fixes for mfsa2017-28, also known as CVE-2017-7843.

firefox-esr (52.7.0esr-1) unstable; urgency=medium

  * New upstream release.
  * Fixes for mfsa2018-07, also known as CVE-2018-5127, CVE-2018-5129,
    CVE-2018-5130, CVE-2018-5131, CVE-2018-5144, CVE-2018-5125, CVE-2018-5145.

firefox-esr (52.7.0esr-1~deb9u1) stretch-security; urgency=medium

  * New upstream release.
  * Fixes for mfsa2018-07, also known as CVE-2018-5127, CVE-2018-5129,
    CVE-2018-5130, CVE-2018-5131, CVE-2018-5144, CVE-2018-5125, CVE-2018-5145.

  * intl/icu/source/i18n/digitlst.cpp: Apply part of
    http://bugs.icu-project.org/trac/changeset/40603 to fix FTBFS with
    glibc 2.26 on big endian platforms.

firefox-esr (52.7.0esr-1~deb8u1) jessie-security; urgency=medium

  * New upstream release.
  * Fixes for mfsa2018-07, also known as CVE-2018-5127, CVE-2018-5129,
    CVE-2018-5130, CVE-2018-5131, CVE-2018-5144, CVE-2018-5125, CVE-2018-5145.

  * intl/icu/source/i18n/digitlst.cpp: Apply part of
    http://bugs.icu-project.org/trac/changeset/40603 to fix FTBFS with
    glibc 2.26 on big endian platforms.

firefox-esr (52.6.0esr-1~deb8u1) jessie-security; urgency=medium

  * New upstream release.
  * Fixes for mfsa2018-03, also known as CVE-2018-5091, CVE-2018-5095,
    CVE-2018-5096, CVE-2018-5097, CVE-2018-5098, CVE-2018-5099, CVE-2018-5102,
    CVE-2018-5103, CVE-2018-5104, CVE-2018-5117, CVE-2018-5089.

firefox-esr (52.5.2esr-1~deb8u1) jessie-security; urgency=medium

  * New upstream release.
  * Fixes for mfsa2017-28, also known as CVE-2017-7843.

firefox-esr (52.6.0esr-2) unstable; urgency=medium

  * intl/icu/source/i18n/digitlst.cpp: Apply part of
    http://bugs.icu-project.org/trac/changeset/40603 to fix FTBFS with
    glibc 2.26 on big endian platforms.

firefox-esr (52.6.0esr-1) unstable; urgency=medium

  * New upstream release.
  * Fixes for mfsa2018-03, also known as CVE-2018-5091, CVE-2018-5095,
    CVE-2018-5096, CVE-2018-5097, CVE-2018-5098, CVE-2018-5099, CVE-2018-5102,
    CVE-2018-5103, CVE-2018-5104, CVE-2018-5117, CVE-2018-5089.
  * Fixes FTBFS with glibc >= 2.26. Closes: #887778.

firefox-esr (52.6.0esr-1~deb9u1) stretch-security; urgency=medium

  * New upstream release.
  * Fixes for mfsa2018-03, also known as CVE-2018-5091, CVE-2018-5095,
    CVE-2018-5096, CVE-2018-5097, CVE-2018-5098, CVE-2018-5099, CVE-2018-5102,
    CVE-2018-5103, CVE-2018-5104, CVE-2018-5117, CVE-2018-5089.

firefox-esr (52.5.2esr-1~deb9u1) stretch-security; urgency=medium

  * New upstream release.
  * Fixes for mfsa2017-28, also known as CVE-2017-7843.

firefox-esr (52.6.0esr-1~deb8u1) jessie-security; urgency=medium

  * New upstream release.
  * Fixes for mfsa2018-03, also known as CVE-2018-5091, CVE-2018-5095,
    CVE-2018-5096, CVE-2018-5097, CVE-2018-5098, CVE-2018-5099, CVE-2018-5102,
    CVE-2018-5103, CVE-2018-5104, CVE-2018-5117, CVE-2018-5089.

firefox-esr (52.5.2esr-1~deb8u1) jessie-security; urgency=medium

  * New upstream release.
  * Fixes for mfsa2017-28, also known as CVE-2017-7843.

firefox-esr (52.5.3esr-1) unstable; urgency=medium

  * New upstream release.

firefox-esr (52.5.2esr-1) unstable; urgency=medium

  * New upstream release.
  * Fixes for mfsa2017-28, also known as CVE-2017-7843.
firefox-esr (52.5.2esr-1~deb9u1) stretch-security; urgency=medium

  * New upstream release.
  * Fixes for mfsa2017-28, also known as CVE-2017-7843.

firefox-esr (52.5.0esr-1~deb9u1) stretch-security; urgency=medium

  * New upstream release.
  * Fixes for mfsa2017-25, also known as: CVE-2017-7828, CVE-2017-7830,
    CVE-2017-7826.

  * debian/source/lintian-overrides: Add a lintian override for dotzlib.chm.
  * debian/import-tar.py: Make python 3.6 happy.

firefox-esr (52.5.2esr-1~deb8u1) jessie-security; urgency=medium

  * New upstream release.
  * Fixes for mfsa2017-28, also known as CVE-2017-7843.

firefox-esr (52.5.0esr-1~deb8u1) jessie-security; urgency=medium

  * New upstream release.
  * Fixes for mfsa2017-25, also known as: CVE-2017-7828, CVE-2017-7830,
    CVE-2017-7826.

  * debian/source/lintian-overrides: Add a lintian override for dotzlib.chm.
  * debian/import-tar.py: Make python 3.6 happy.

firefox-esr (52.5.0esr-1) unstable; urgency=medium

  * New upstream release.
  * Fixes for mfsa2017-25, also known as: CVE-2017-7828, CVE-2017-7830,
    CVE-2017-7826.

  * debian/import-tar.py: Make python 3.6 happy.

firefox-esr (52.5.0esr-1~deb9u1) stretch-security; urgency=medium

  * New upstream release.
  * Fixes for mfsa2017-25, also known as: CVE-2017-7828, CVE-2017-7830,
    CVE-2017-7826.

  * debian/source/lintian-overrides: Add a lintian override for dotzlib.chm.
  * debian/import-tar.py: Make python 3.6 happy.

freeplane (1.3.12-1+deb8u1) jessie-security; urgency=high

  * Fix CVE-2018-1000069: Wojciech Reguła discovered that FreePlane was
    affected by an XML External Entity (XXE) vulnerability in its mindmap
    loader that could compromise a user's machine by opening a specially
    crafted mind map file. (Closes: #893663)

freerdp (1.1.0~git20140921.1.440916e+dfsg1-4+deb8u1) jessie-security; urgency=high

  [ Bernhard Miklautz ]
  * debian/patches:
    + Add fix for CVE-2017-2834, CVE-2017-2835, CVE-2017-2836, CVE-2017-2837,
      CVE-2017-2838, CVE-2017-2839 (Closes: #869880)

freexl (1.0.0g-1+deb8u5) jessie-security; urgency=high

  * Add upstream patch to fix various heap-buffer-overflows.
    - heap-buffer-overflow in freexl::destroy_cell of FreeXL 1.0.4
      https://bugzilla.redhat.com/show_bug.cgi?id=1547879
    - heap-buffer-overflow in freexl.c:1805 parse_SST parse_SST
      https://bugzilla.redhat.com/show_bug.cgi?id=1547883
    - heap-buffer-overflow in freexl.c:1866 parse_SST of FreeXL 1.0.4
      https://bugzilla.redhat.com/show_bug.cgi?id=1547885
    - heap-buffer-overflow in freexl.c:383 parse_unicode_string of FreeXL 1.0.4
      https://bugzilla.redhat.com/show_bug.cgi?id=1547889
    - heap-buffer-overflow in freexl.c:3912 read_mini_biff_next_record of
      FreeXL 1.0.4
      https://bugzilla.redhat.com/show_bug.cgi?id=1547892

gcc-4.9 (4.9.2-10+deb8u1) jessie-security; urgency=medium

  * Backport of retpoline support by HJ Lu

gdk-pixbuf (2.31.1-2+deb8u7) jessie-security; urgency=medium

  * CVE-2017-1000422

ghostscript (9.06~dfsg-2+deb8u7) jessie; urgency=medium

  * Non-maintainer upload.
  * Segfault with fuzzing file in gxht_thresh_image_init
  * Buffer overflow in fill_threshold_buffer (CVE-2016-10317) (Closes: #860869)
  * pdfwrite - Guard against trying to output an infinite number
    (CVE-2018-10194) (Closes: #896069)

gifsicle (1.86-1+deb8u1) jessie-security; urgency=high

  * Non-maintainer upload.
  * Closes: CVE-2017-1000421

gimp (2.8.14-1+deb8u2) jessie-security; urgency=high

  * Non-maintainer upload by the Security Team.
  * Out of bounds read / heap overflow in TGA importer (CVE-2017-17786)
    (Closes: #884862)
  * plug-ins: TGA 16-bit RGB (without alpha bit) is also valid
  * Heap buffer overflow in PSP importer (CVE-2017-17789) (Closes: #884837)
  * heap overread in gbr parser / load_image (CVE-2017-17784) (Closes: #884925)
  * heap overread in psp importer (CVE-2017-17787) (Closes: #884927)
  * Heap overflow while parsing FLI files (CVE-2017-17785) (Closes: #884836)
  * buffer overread in XCF parser if version field has no null terminator
    (CVE-2017-17788) (Closes: #885347)

git (1:2.1.4-2.1+deb8u6) jessie-security; urgency=high

  * Fix CVE-2018-11235, arbitrary code execution via submodule names in
    .gitmodules file:
    - submodule: verify submodule names as paths
    - fsck: drop inode-sorting code
    - fsck: simplify ".git" check
    - fsck: fsck blob data
    - fsck: detect gitmodules files
    - fsck: check .gitmodules content
    - fsck: call fsck_finish after fscking objects
    - unpack-objects: call fsck_finish after fscking objects
    - index-pack: check .gitmodules files with --strict
  * Fix CVE-2018-11233, out-of-bounds read when validating NTFS paths:
    - is_ntfs_dotgit: use a size_t for traversing string
  * Do not allow .gitmodules to be a symlink:
    - is_hfs_dotgit: loosen over-eager match of \u{..47}
    - is_hfs_dotgit: match other .git* files
    - is_ntfs_dotgit: match other .git* files
    - is_{hfs,ntfs}_dotgitmodules: add tests
    - skip_prefix: add case-insensitive variant
    - verify_path: drop clever fallthrough
    - verify_dotfile: mention case-insensitivity in comment
    - update-index: stat updated files earlier
    - verify_path: disallow .gitmodules symlinks
    - fsck: complain when .gitmodules is a symlink

    Thanks to Brandon Williams, Etienne Stalmans, and Jeff King for
    discovering and reporting these vulnerabilities and to Jeff King and
    Johannes Schindelin for fixing them.

  * Prevent "git apply" without --index from escaping the current directory
    (compare GNU patch's CVE-2015-1196):
    - apply: reject input that touches outside the working area
    - apply: do not read from the filesystem under --index
    - apply: do not read from beyond a symbolic link
    - apply: do not touch a file beyond a symbolic link

    Thanks to Josh Boyer for reporting this vulnerability and Junio C Hamano
    for fixing it.

git-annex (5.20141125+deb8u1) jessie-security; urgency=high

  * Non-maintainer upload by the Security Team.
  * CVE-2017-12976: git-annex before 6.20170818 allows remote attackers to
    execute arbitrary commands via an ssh URL with an initial dash character
    in the hostname, as demonstrated by an ssh://-eProxyCommand= URL
    (Closes: #873088)

gnupg (1.4.18-7+deb8u5) jessie-security; urgency=high

  * Non-maintainer upload by the Security Team.
  * gpg: Sanitize diagnostic with the original file name (CVE-2018-12020)

gnupg2 (2.0.26-6+deb8u2) jessie-security; urgency=high

  * Non-maintainer upload by the Security Team.
  * gpg: Sanitize diagnostic with the original file name (CVE-2018-12020)

graphicsmagick (1.3.20-3+deb8u2) jessie-security; urgency=high

  * Fix CVE-2015-8808: denial of service (uninitialized memory access) via a
    crafted GIF file.
  * Fix CVE-2016-2317: segmentation violation when reading SVG files
    (closes: #814732).
  * Fix CVE-2016-2318: make SVG path and other primitive parsing more robust.
  * Fix CVE-2016-5240: endless loop problem caused by negative
    stroke-dasharray arguments.
  * Fix CVE-2016-3714: remove delegates support for Gnuplot files.
  * Fix CVE-2016-3715: remove undocumented "TMP" magick prefix.
  * Fix CVE-2016-5118: remove support for reading input from a shell command,
    or writing output to a shell command (closes: #825800).
  * Fix CVE-2016-7996: possible heap overflow of colormap in Q8 build.
  * Fix CVE-2016-7997: correctly flip image->blob and rotated_image->blob.
  * Fix CVE-2016-8682: stack-based buffer overflow in ReadSCTImage (sct.c).
  * Fix CVE-2016-8684: memory allocation failure in MagickMalloc (memory.c).
  * Fix CVE-2016-8683: memory allocation failure in ReadPCXImage (pcx.c).
  * Fix CVE-2016-7800: unsigned underflow leading to heap overflow when
    parsing 8BIM chunk.
  * Fix CVE-2016-9830: memory allocation failure in MagickRealloc
    (closes: #847055).
  * Add new MagickGetToken@Base symbol to libgraphicsmagick3.

gunicorn (19.0-1+deb8u1) jessie-security; urgency=high

  * CVE-2018-1000164: Fix an issue where CRLF sequences in HTTP headers could
    result in an attacker tricking the server into returning arbitrary HTTP
    headers. (Closes: #896548)

icedove (1:52.3.0-4~deb8u2) jessie-security; urgency=medium

  [ Guido Günther ]
  * [6214253] Simplify endianness selection for ICU

icedove (1:52.3.0-4~deb8u1) jessie-security; urgency=medium

  [ Carsten Schoenert ]
  * Rebuild for jessie-security
  * [7f05741] debian/control: be more relaxed on Breaks for enigmail
  * [72e63f8] debian/mozconfig.default: stay on GTK2 toolkit for Jessie
    (Closes: #871438, #870719)

icedove (1:52.3.0-3) unstable; urgency=medium

  [ Carsten Schoenert ]
  * [c08f005] rebuild patch queue from patch-queue branch
  * [f658cab] debian/rules: enable verbose build for ICU

icedove (1:52.3.0-2) unstable; urgency=medium

  [ Carsten Schoenert ]
  * [d544a01] debian/rules: correct icu build sequence

icedove (1:52.3.0-1) unstable; urgency=medium

  [ Carsten Schoenert ]
  * [8e852be] New upstream version 52.3.0
    Fixed CVE issues in upstream version 52.0 (MFSA 2017-20)
    CVE-2017-7800: Use-after-free in WebSockets during disconnection
    CVE-2017-7801: Use-after-free with marquee during window resizing
    CVE-2017-7809: Use-after-free while deleting attached editor DOM node
    CVE-2017-7784: Use-after-free with image observers
    CVE-2017-7802: Use-after-free resizing image elements
    CVE-2017-7785: Buffer overflow manipulating ARIA attributes in DOM
    CVE-2017-7786: Buffer overflow while painting non-displayable SVG
    CVE-2017-7753: Out-of-bounds read with cached style data and
      pseudo-elements
    CVE-2017-7787: Same-origin policy bypass with iframes through page reloads
    CVE-2017-7807: Domain hijacking through AppCache fallback
    CVE-2017-7792: Buffer overflow viewing certificates with an extremely
      long OID
    CVE-2017-7804: Memory protection bypass through WindowsDllDetourPatcher
    CVE-2017-7791: Spoofing following page navigation with data: protocol and
      modal alerts
    CVE-2017-7782: WindowsDllDetourPatcher allocates memory without DEP
      protections
    CVE-2017-7803: CSP containing 'sandbox' improperly applied
    CVE-2017-7779: Memory safety bugs fixed in Firefox 55, Firefox ESR 52.3,
      and Thunderbird 52.3
  * [0b7243b] debian/rules: build icudt5*.dat on our own if needed
    If we need to use the internal sources of ICU (triggered by using
    --with-system-icu) we need to build the platform dependent file
    icudt*[b,l].dat before we can call the configure run. This is needed as
    Mozilla only ships a precompiled little endian version of the file
    icudt*.dat and all platforms with big endianness are failing later due to
    issues related to the wrong endianness.
  * [1964469] debian/mozconfig.default: enable i18n on big endian
  * [6b58ac5] debian/control: increase Standards-Version to 4.0.1
  * [e59cf81] rebuild patch queue from patch-queue branch
    removed patch(es) (applied upstream):
    - fixes/Bug-1308908-Compare-the-whole-accessible-name-when-checki.patch
    updated/refreshed patches (no changes):
    - porting-kfreebsd-hurd/adding-missed-HURD-adoptions.patch

  [ Simon Deziel ]
  * [a574010] apparmor/usr.bin.thunderbird: small update to avoid noise

icedove (1:52.2.1-5) unstable; urgency=high

  [ Carsten Schoenert ]
  * [133a574] Use gcc-6 and g++-6 due to broken GUI with GCC-7
    The usage of the GCC-7 suite currently introduces a broken GUI that makes
    using thunderbird mostly impossible. (Closes: #871629)
  * [3ebacd1] d/rules: use DEB_* variables for entries from changelog
    By using variables that are prepared by dpkg we don't need to manually
    search for dates and versions etc.
  * [52c2b83] d/copyright: MPL-1.1 and MPL-2.0 now provided by common-licenses
    Since policy 4.0.0 the two Mozilla related licenses are included and don't
    need to be added extra.
  * [3f37967] adjust X-Debian-Homepage to existing Thunderbird page
  * [41b5c03] debian/control: increase Standards-Version to 4.0.0
  * [e3c3994] mozconfig.default: use proper disabled options
  * [2d4b846] debian/control: increase Breaks for enigmail version
    (Closes: #869789)

  [ John Paul Adrian Glaubitz ]
  * [4879401] sh4: disable option --disable-pie (Closes: #867553)

  [ Carsten Schoenert ]
  * [2646f3f] autopkgtests: disable the idlTest.sh test case

icedove (1:52.2.1-4) unstable; urgency=medium

  [ Guido Günther ]
  * [04de899] Don't use different profile folder for jessie and wheezy

  [ Carsten Schoenert ]
  * [692d3ce] rebuild patch queue from patch-queue branch (Closes: #867013)
    added patch (provided by Adrian):
    - porting-alpha/FTBFS-alpha-adjust-some-source-to-prevent-build-issues.patch
    removed patch:
    - porting-hurd/FTBFS-hurd-adding-GNU-to-the-configure-platform-detection.patch
      (wrong approach, the Python wrapper around configure isn't yet smart
      enough)

  [ John Paul Adrian Glaubitz ]
  * [5153ce2] mips: final fixups to prevent FTBFS

icedove (1:52.2.1-3) unstable; urgency=medium

  [ John Paul Adrian Glaubitz ]
  * [99b323a] d/mozconfig.default: fixups for --without-intl-api

icedove (1:52.2.1-2) unstable; urgency=medium

  [ Carsten Schoenert ]
  * [e8ce299] disabling ICU support on some big endian systems
    This hack should enable at least successful building of all RC platforms
    and needs to be solved in a not so aggressive way without losing ICU
    support on the problematic platforms. Thanks John Paul Adrian Glaubitz
    for catching the root of the issue.
  * [a66e812] rebuild patch queue from patch-queue branch
    Adding a small needed fix for getting mips* out of FTBFS. Also GNU/Hurd
    should pass the configure script now.

icedove (1:52.2.1-1) unstable; urgency=medium

  [ Guido Günther ]
  * [4e87d6b] d/rules: Make sure DIST is not passed on to configure

  [ Carsten Schoenert ]
  * [35b84ef] rebuild patch queue from patch-queue branch
    added patches:
    - porting-mips/Fix-CPU_ARCH-test-for-libjpeg-on-mips.patch
    - porting-s390x/FTBFS-s390x-Use-jit-none-AtomicOperations-sparc.h-on-s390.patch
      (Closes: #864974)
  * [c818874] New upstream version 52.2.1 (Closes: #861840)
  * [8c776c9] Icedove2Thunderbird: add opt out for dialogue pop-up
    (Closes: #860381)

icedove (1:52.2.0-1) unstable; urgency=medium

  [ Christoph Goehre ]
  * [9ebc11d] mozconfig.default: remove configure option '--disable-methodjit'
    on armel
    This option isn't alive any more and was forgotten to be removed on the
    previous upload.
  [ Simon Deziel ]
  * [d8e5d42] usr.bin.thunderbird: merge gpg(1) and gpg2 subprofiles
    (Closes: #859179)
  * [f18884e] usr.bin.thunderbird: allow accessing gpgconf in gpg subprofile
  * [e73afbb] usr.bin.thunderbird: allow accessing any gpg2keys providers

  [ Carsten Schoenert ]
  * [066ddb9] mozconfig.default: switch back to internal libjpeg
    Going back and using the libjpeg library that's shipped by Mozilla, as
    the system library is probably provoking broken builds on various
    platforms. As we prepare the uploads for (old-)stable-security we need to
    use the internal libjpeg library at all.
  * [ff92bfa] rebuild patch queue from patch-queue branch
    modified patches:
    - porting-m68k/Add-m68k-support-to-Thunderbird.patch
    - porting-sh4/Add-sh4-support-to-Thunderbird.patch
      (Closes: #859271, #859508)
  * [0a89f76] New upstream version 52.2.0
    Fixed CVE issues in upstream version 52.0 (MFSA 2017-17)
    CVE-2017-5472: Use-after-free using destroyed node when regenerating trees
    CVE-2017-7749: Use-after-free during docshell reloading
    CVE-2017-7750: Use-after-free with track elements
    CVE-2017-7751: Use-after-free with content viewer listeners
    CVE-2017-7752: Use-after-free with IME input
    CVE-2017-7754: Out-of-bounds read in WebGL with ImageInfo object
    CVE-2017-7756: Use-after-free and use-after-scope logging XHR header
      errors
    CVE-2017-7757: Use-after-free in IndexedDB
    CVE-2017-7778: Vulnerabilities in the Graphite 2 library
    CVE-2017-7758: Out-of-bounds read in Opus encoder
    CVE-2017-7764: Domain spoofing with combination of Canadian Syllabics and
      other unicode blocks
    CVE-2017-5470: Memory safety bugs fixed in Firefox 54 and Firefox ESR 52.2,
      and Thunderbird 52
  * [e03380e] rebuild patch queue from patch-queue branch
    modified patch:
    - porting-kfreebsd-hurd/FTBFS-hurd-fixing-unsupported-platform-Hurd.patch

icedove (1:52.1.1-1) experimental; urgency=medium

  [ Guido Günther ]
  * [db8d0db] Tighten meta package dependencies
    Be more strict on depends and add a version to all related Thunderbird
    specific packages.
  * [defb689] Copy-edit thunderbird-wrapper-helper.sh
  * [54b35d4] Allow one to override the location of the wrapper-helper
    Make $TB_HELPER more flexible and give the variable a default value, so a
    user can override it with its own.
  * [a187364] dh-exec: avoid multiple spaces around filenames
  * [a85bc7a] thunderbird-wrapper: robustness when sourcing helper
  * [eee56ab] Drop replaces on packages no longer in any release

  [ Carsten Schoenert ]
  * [1d85980] rebuild patch queue from patch-queue branch
    added patches:
    - porting-mk68/Add-m68k-support-to-Thunderbird.patch
    - porting-sparc64/Add-sparc64-support-to-Thunderbird.patch
      (Closes: #859151, #859271)
  * [2717849] tb-wrapper: call thunderbird starting with exec (Closes: #858100)
  * [8afa31b] d/gbp.conf: adjust upstream branch to new ESR version
  * [43d2e70] New upstream version 52.1.1
    Fixed CVE issues in upstream version 52.0 (MFSA 2017-09)
    CVE-2017-5413: Segmentation fault during bidirectional operations
    CVE-2017-5414: File picker can choose incorrect default directory
    CVE-2017-5416: Null dereference crash in HttpChannel
    CVE-2017-5426: Gecko Media Plugin sandbox is not started if seccomp-bpf
      filter is running
    CVE-2017-5418: Out of bounds read when parsing HTTP digest authorization
      responses
    CVE-2017-5419: Repeated authentication prompts lead to DOS attack
    CVE-2017-5405: FTP response codes can cause use of uninitialized values
      for ports
    CVE-2017-5421: Print preview spoofing
    CVE-2017-5422: DOS attack by using view-source: protocol repeatedly in one
      hyperlink
    CVE-2017-5399: Memory safety bugs fixed in Thunderbird 52
    Fixed CVE issues in upstream version 52.1.0 (MFSA 2017-13)
    CVE-2017-5433: Use-after-free in SMIL animation functions
    CVE-2017-5435: Use-after-free during transaction processing in the editor
    CVE-2017-5436: Out-of-bounds write with malicious font in Graphite 2
    CVE-2017-5461: Out-of-bounds write in Base64 encoding in NSS
    CVE-2017-5459: Buffer overflow in WebGL
    CVE-2017-5466: Origin confusion when reloading isolated data:text/html URLs
    CVE-2017-5434: Use-after-free during focus handling
    CVE-2017-5432: Use-after-free in text input selection
    CVE-2017-5460: Use-after-free in frame selection
    CVE-2017-5438: Use-after-free in nsAutoPtr during XSLT processing
    CVE-2017-5439: Use-after-free in nsTArray Length() during XSLT processing
    CVE-2017-5440: Use-after-free in txExecutionState destructor during XSLT
      processing
    CVE-2017-5441: Use-after-free with selection during scroll events
    CVE-2017-5442: Use-after-free during style changes
    CVE-2017-5464: Memory corruption with accessibility and DOM manipulation
    CVE-2017-5443: Out-of-bounds write during BinHex decoding
    CVE-2017-5444: Buffer overflow while parsing application/http-index-format
      contents
    CVE-2017-5446: Out-of-bounds read when HTTP/2 DATA frames are sent with
      incorrect data
    CVE-2017-5447: Out-of-bounds read during glyph processing
    CVE-2017-5465: Out-of-bounds read in ConvolvePixel
    CVE-2016-10196: Vulnerabilities in Libevent library
    CVE-2017-5454: Sandbox escape allowing file system read access through
      file picker
    CVE-2017-5469: Potential Buffer overflow in flex-generated code
    CVE-2017-5445: Uninitialized values used while parsing
      application/http-index-format content
    CVE-2017-5449: Crash during bidirectional unicode manipulation with
      animation
    CVE-2017-5451: Addressbar spoofing with onblur event
    CVE-2017-5462: DRBG flaw in NSS
    CVE-2017-5467: Memory corruption when drawing Skia content
    CVE-2017-5430: Memory safety bugs fixed in Firefox 53, Firefox ESR 52.1,
      Thunderbird 52.1
    CVE-2017-5429: Memory safety bugs fixed in Firefox 53, Firefox ESR 45.9,
      Firefox ESR 52.1, and Thunderbird 52.1
    (Closes: #855344, #495372, #861480, #682208, #698244, #859909, #857593,
    #837771)
  * [de561ef] rebuild patch queue from patch-queue branch
    added patches:
    - debian-hacks/Allow-to-override-ICU_DATA_FILE-from-the-environment.patch
    - debian-hacks/Build-against-system-libjsoncpp.patch
    - debian-hacks/Don-t-build-testing-suites-and-stuff.patch
    - debian-hacks/Force-use-the-i686-rust-target.patch
    - fixes/Bug-1308908-Compare-the-whole-accessible-name-when-checki.patch
      (Closes: #826325)
    - porting-sh4/Add-sh4-support-to-Thunderbird.patch (Closes: #859508)
    removed patches (obsoleted by upstream changes):
    - debian-hacks/Don-t-build-example-component.patch
    - debian-hacks/fix-identification-of-ObjdirMismatchException.patch
    - fixes/Bug-1245076-Don-t-include-mozalloc.h-from-the-cstdlib-wra.patch
    - fixes/Bug-1273020-Add-missing-null-checks-in-ApplicationAccessi.patch
    - fixes/Bug-1277295-Remove-obsolete-reference-to-storage-service-.patch
    - fixes/Bug-1340724-fix-SMTP-server-name-output-in-SMTP-logging.-.patch
    - fixes/Bug-497488-Implement-verify-mode-in-the-subscribe-dialog-.patch
    - fixes/Bug-497488-RSS-feeds-with-an-invalid-certificate-fail-wit-1.patch
    - fixes/Bug-497488-RSS-feeds-with-an-invalid-certificate-fail-wit.patch
    - porting-arm64/Bug-1091515-Don-t-set-64KB-page-size-on-aarch64.-r-glandi.patch
    - porting-kfreebsd-hurd/CrossProcessMutex.h-fix-build-on-kfreebsd-and-GNU-hurd.patch
    - porting-kfreebsd-hurd/FTBFS-hurd-adding-the-HURD-platform-to-the-configure.patch
    - porting-kfreebsd-hurd/correcting-file-inclusion-for-kfreebsd-and-hurd.patch
    - porting-mips/Fix-build-error-in-MIPS-SIMD-when-compiling-with-mfp.patch
    - porting-mips/libyuv_disable-mips-assembly-for-MIPS64.patch
    - porting-powerpcspe/FTBFS-powerpcspe-disable-AltiVec-instructions.patch
    - porting-sparc64/Add-sparc64-support-to-Thunderbird.patch
      (unclear state, will be added later again)
    - porting/Add-xptcall-support-for-SH4-processors.patch (Closes: #859362)
    - debian-hacks/Move-profile.patch
    modified or adjusted patches:
    - debian-hacks/changing-the-default-search-engine.patch
    - debian-hacks/stop-configure-if-with-system-bz2-was-passed-but-no-.patch
    - icedove-l10n/disable-extension-update-extension-is-managed-by-apt.patch
      --> icedove-l10n/thunderbird-l10n-disable-external-extension-update.patch
      (renamed to and modified due to new languages)
    - icedove/fix-installdir.patch
      --> debian-hacks/Thunderbird-fix-installdir-for-icons.patch
  * [684ad58] d/source.filter: update due to upstream changes
  * [d005649] debian/control: modify various B-D
  * [7a8a98d] debian/rules: add some extra C*FLAGS
    Adding '-fno-lifetime-dse' to not enable dead store elimination of objects
    within their lifetime, as some parts of the source rely on the persistent
    values of such objects. Some other distributions, e.g. Ubuntu, Fedora and
    Arch, use this flag too (at least with ESR52) to prevent possible
    segfaults.
  * [56f8f4b] debian/rules: adding hack to preserve correct config.status
  * [fb500a6] mozconfig.default: remove no longer existing options
  * [c9a3e60] mozconfig.default: some minor adjustments to configure options
  * [f584857] mozconfig.default: enable GTK3 theme explicitly (Closes: #857593)
  * [3cbe1fb] debian/control: add packages for *-dsb language
  * [8317735] debian/control: add packages for *-hsb language
  * [39d90c1] debian/control: add packages for *-kab language
  * [82b4f50] debian/control: add missing packages for *-ast language
  * [0edde96] debian/rules: include also l10n folder with 3 characters
  * [47f17a4] lintian-overrides: modify the list for the js files to ignore
  * [8872d34] debian/copyright: update after upstream changes
  * [6755547] mozconfig.default: use some internal libraries
    Use libicu-dev, libnspr4-dev, libnss3-dev, libsqlite3-dev from shipped
    source as the Stretch versions are not recent enough.
* [5b04b32] thunderbird.install: pick up icu*.dat if around * [edf24d7] debian/control: mark thunderbird-dbg as Multi-Arch: same * [5d5392b] apparmor/usr.bin.thunderbird: update for version 52 (cherry-picked from upstream) (Closes: #859179) * [f49ad79] apparmor/usr.bin.thunderbird: grant access to commonly used locations (cherry-picked from upstream) * [510fd6f] debian/rules: install lightning-l10n files into correct place * [d70ade4] lightning-l10n: adjust min/max version for ESR 52 cycle With the new ESR version tweaking the extension version of l10n packages for lightning > 52.0 and < 52.*. * [c0dd18f] debian/rules: install icudt5*.dat file more flexible * [b5136f7] autopkg: improve the output of idlTest.sh * [7ac04f6] autopkg: add extra test icudatfileTest.sh . [ Christoph Goehre ] * [13f5178] lintian-overrides: we build against internal nspr and nss * [56bbf23] rebuild patch queue from patch-queue branch added patches: - porting-sparc64/Add-sparc64-support-to-Thunderbird.patch (Closes: #859151) modified patches: - porting-mk68/Add-m68k-support-to-Thunderbird.patch -> porting-m68k/Add-m68k-support-to-Thunderbird.patch (renamed) * [6a7ef60] tests/idlTest.sh: remove duplicated 'done' output * [42bf8e1] debian/rules: remove duplicate .so files in thunderbird-dev * [5dc08bc] tests/soSymlinkTest.sh: check for symlinked .so files icedove (1:45.8.0-3) unstable; urgency=medium . [ Carsten Schoenert ] * [d923505] AppArmor: be more flexible on profile folders (Closes: #858735, #858737) * [1e04099] tb-wrapper: use readlink also on ${ID_PROFILE_FOLDER} (Closes: #858771) * [9f6b771] tb-wrapper: correct check for -dbg package (Closes: #858804) * [8b5271a] rebuild patch queue from patch-queue branch added patches: - fixes/Bug-1273020-Add-missing-null-checks-in-ApplicationAccessi.patch icu (52.1-8+deb8u7) jessie-security; urgency=high . * Backport upstream security fix for CVE-2017-15422: Persian calendar integer overflow (closes: #892766). 
imagemagick (8:6.8.9.9-5+deb8u12) jessie-security; urgency=high
 .
  * Non-maintainer upload.
  * Fix the following security vulnerabilities:
    - CVE-2017-10995: heap-based buffer over-read and application crash via a
      crafted MNG image. (Closes: #867748)
    - CVE-2017-11533: heap-based buffer over-read in the WriteUILImage()
      function in coders/uil.c. (Closes: #869834)
    - CVE-2017-11535: heap-based buffer over-read in the WritePSImage()
      function in coders/ps.c. (Closes: #869827)
    - CVE-2017-11639: heap-based buffer over-read in the WriteCIPImage()
      function in coders/cip.c. (Closes: #870065)
    - CVE-2017-13143: ReadMATImage function in coders/mat.c uses uninitialized
      data, which might allow remote attackers to obtain sensitive information
      from process memory. (Closes: #870012)
    - CVE-2017-17504: heap-based buffer over-read. (Closes: #885340)
    - CVE-2017-17879: heap-based buffer over-read in ReadOneMNGImage in
      coders/png.c. (Closes: #885125)
    - CVE-2018-5248: heap-based buffer over-read in coders/sixel.c in the
      ReadSIXELImage function. (Closes: #886588)
intel-microcode (3.20180425.1~deb8u1) jessie; urgency=medium
 .
  * Upload to Debian jessie (no changes)
  * RELEASE MANAGER INFORMATION: This update deploys the microcode side fix
    for CVE-2017-5715 (Spectre v2). On the more recent processors, it also
    fixes other unspecified errata. This microcode update pack has been
    extensively tested in Debian unstable, testing, stretch-backports and
    jessie-backports. It has been extensively deployed by other
    distributions to their stable branches without causing any issues, with
    one notable exception (a distro-specific kernel bug, already fixed by
    that distro).
 .
intel-microcode (3.20180425.1) unstable; urgency=medium
 .
  * New upstream microcode data file 20180425 (closes: #897443, #895878)
    + Updated Microcodes:
      sig 0x000406f1, pf_mask 0xef, 2018-03-21, rev 0xb00002c, size 27648
      sig 0x000706a1, pf_mask 0x01, 2017-12-26, rev 0x0022, size 73728
    + Implements IBRS/IBPB/STIPB support, Spectre-v2 mitigation
    + Note that sig 0x000604f1 has been blacklisted from late-loading since
      Debian release 3.20171117.1.
  * source: remove undesired list files from microcode directories
  * source: switch to microcode-.d/ since Intel dropped .dat support.
 .
intel-microcode (3.20180312.1) unstable; urgency=medium
 .
  * New upstream microcode data file 20180312 (closes: #886367)
    + New Microcodes:
      sig 0x00050653, pf_mask 0x97, 2018-01-29, rev 0x1000140, size 30720
      sig 0x00050665, pf_mask 0x10, 2018-01-22, rev 0xe000009, size 18432
    + Updated Microcodes:
      sig 0x000206a7, pf_mask 0x12, 2018-02-07, rev 0x002d, size 12288
      sig 0x000206d6, pf_mask 0x6d, 2018-01-30, rev 0x061c, size 18432
      sig 0x000206d7, pf_mask 0x6d, 2018-01-26, rev 0x0713, size 19456
      sig 0x000306a9, pf_mask 0x12, 2018-02-07, rev 0x001f, size 13312
      sig 0x000306c3, pf_mask 0x32, 2018-01-21, rev 0x0024, size 23552
      sig 0x000306d4, pf_mask 0xc0, 2018-01-18, rev 0x002a, size 18432
      sig 0x000306e4, pf_mask 0xed, 2018-01-25, rev 0x042c, size 15360
      sig 0x000306e7, pf_mask 0xed, 2018-02-16, rev 0x0713, size 16384
      sig 0x000306f2, pf_mask 0x6f, 2018-01-19, rev 0x003c, size 33792
      sig 0x000306f4, pf_mask 0x80, 2018-01-22, rev 0x0011, size 17408
      sig 0x00040651, pf_mask 0x72, 2018-01-18, rev 0x0023, size 21504
      sig 0x00040661, pf_mask 0x32, 2018-01-21, rev 0x0019, size 25600
      sig 0x00040671, pf_mask 0x22, 2018-01-21, rev 0x001d, size 12288
      sig 0x000406e3, pf_mask 0xc0, 2017-11-16, rev 0x00c2, size 99328
      sig 0x00050654, pf_mask 0xb7, 2018-01-26, rev 0x2000043, size 28672
      sig 0x00050662, pf_mask 0x10, 2018-01-22, rev 0x0015, size 31744
      sig 0x00050663, pf_mask 0x10, 2018-01-22, rev 0x7000012, size 22528
      sig 0x00050664, pf_mask 0x10, 2018-01-22, rev 0xf000011, size 22528
      sig 0x000506e3, pf_mask 0x36, 2017-11-16, rev 0x00c2, size 99328
      sig 0x000806e9, pf_mask 0xc0, 2018-01-21, rev 0x0084, size 98304
      sig 0x000806ea, pf_mask 0xc0, 2018-01-21, rev 0x0084, size 97280
      sig 0x000906e9, pf_mask 0x2a, 2018-01-21, rev 0x0084, size 98304
      sig 0x000906ea, pf_mask 0x22, 2018-01-21, rev 0x0084, size 96256
      sig 0x000906eb, pf_mask 0x02, 2018-01-21, rev 0x0084, size 98304
    + Implements IBRS/IBPB/STIPB support, Spectre-v2 mitigation for:
      Sandybridge, Ivy Bridge, Haswell, Broadwell, Skylake, Kaby Lake,
      Coffee Lake
    + Missing production updates:
      + Broadwell-E/EX Xeons (sig 0x406f1)
      + Anniedale/Morefield, Apollo Lake, Avoton, Cherry Trail, Braswell,
        Gemini Lake, Denverton
  * Update past changelog entries with new information: Intel already had
    all necessary semantics in LFENCE, so the Spectre-related Intel
    microcode changes did not need to enhance LFENCE.
  * debian/control: update Vcs-* fields for the move to salsa.debian.org
 .
intel-microcode (3.20180108.1+really20171117.1) unstable; urgency=critical
 .
  * Revert to release 20171117, as per Intel instructions issued to the
    public in 2018-01-22 (closes: #886998)
  * This effectively removes IBRS/IBPB/STIPB microcode support for Spectre
    variant 2 mitigation.
 .
intel-microcode (3.20180108.1) unstable; urgency=high
 .
  * New upstream microcode data file 20180108 (closes: #886367)
    + Updated Microcodes:
      sig 0x000306c3, pf_mask 0x32, 2017-11-20, rev 0x0023, size 23552
      sig 0x000306d4, pf_mask 0xc0, 2017-11-17, rev 0x0028, size 18432
      sig 0x000306e4, pf_mask 0xed, 2017-12-01, rev 0x042a, size 15360
      sig 0x000306f2, pf_mask 0x6f, 2017-11-17, rev 0x003b, size 33792
      sig 0x000306f4, pf_mask 0x80, 2017-11-17, rev 0x0010, size 17408
      sig 0x00040651, pf_mask 0x72, 2017-11-20, rev 0x0021, size 22528
      sig 0x00040661, pf_mask 0x32, 2017-11-20, rev 0x0018, size 25600
      sig 0x00040671, pf_mask 0x22, 2017-11-17, rev 0x001b, size 13312
      sig 0x000406e3, pf_mask 0xc0, 2017-11-16, rev 0x00c2, size 99328
      sig 0x00050654, pf_mask 0xb7, 2017-12-08, rev 0x200003c, size 27648
      sig 0x00050662, pf_mask 0x10, 2017-12-16, rev 0x0014, size 31744
      sig 0x00050663, pf_mask 0x10, 2017-12-16, rev 0x7000011, size 22528
      sig 0x000506e3, pf_mask 0x36, 2017-11-16, rev 0x00c2, size 99328
      sig 0x000706a1, pf_mask 0x01, 2017-12-26, rev 0x0022, size 73728
      sig 0x000806e9, pf_mask 0xc0, 2018-01-04, rev 0x0080, size 98304
      sig 0x000806ea, pf_mask 0xc0, 2018-01-04, rev 0x0080, size 98304
      sig 0x000906e9, pf_mask 0x2a, 2018-01-04, rev 0x0080, size 98304
      sig 0x000906ea, pf_mask 0x22, 2018-01-04, rev 0x0080, size 97280
      sig 0x000906eb, pf_mask 0x02, 2018-01-04, rev 0x0080, size 98304
    + Implements IBRS/IBPB support: mitigation against Spectre (CVE-2017-5715)
    + Very likely fixes several other errata on some of the processors
  * supplementary-ucode-CVE-2017-5715.d/: remove.
    + Downgraded microcodes:
      sig 0x000406f1, pf_mask 0xef, 2017-03-01, rev 0xb000021, size 26624
      sig 0x000506c9, pf_mask 0x03, 2017-03-25, rev 0x002c, size 16384
    + Recall related to bug #886998
  * source: remove superseded upstream data file: 20171117
  * README.Debian, copyright: update download URLs (closes: #886368)
 .
intel-microcode (3.20171215.1) unstable; urgency=high
 .
  * Add supplementary-ucode-CVE-2017-5715.d/: (closes: #886367)
    New upstream microcodes to partially address CVE-2017-5715
    + Updated Microcodes:
      sig 0x000306c3, pf_mask 0x32, 2017-11-20, rev 0x0023, size 23552
      sig 0x000306d4, pf_mask 0xc0, 2017-11-17, rev 0x0028, size 18432
      sig 0x000306f2, pf_mask 0x6f, 2017-11-17, rev 0x003b, size 33792
      sig 0x00040651, pf_mask 0x72, 2017-11-20, rev 0x0021, size 22528
      sig 0x000406e3, pf_mask 0xc0, 2017-11-16, rev 0x00c2, size 99328
      sig 0x000406f1, pf_mask 0xef, 2017-11-18, rev 0xb000025, size 27648
      sig 0x00050654, pf_mask 0xb7, 2017-11-21, rev 0x200003a, size 27648
      sig 0x000506c9, pf_mask 0x03, 2017-11-22, rev 0x002e, size 16384
      sig 0x000806e9, pf_mask 0xc0, 2017-12-03, rev 0x007c, size 98304
      sig 0x000906e9, pf_mask 0x2a, 2017-12-03, rev 0x007c, size 98304
  * Implements IBRS and IBPB support via new MSR (Spectre variant 2
    mitigation, indirect branches). Support is exposed through cpuid(7).EDX.
 .
intel-microcode (3.20171117.1) unstable; urgency=medium
 .
  * New upstream microcode data file 20171117
    + New Microcodes:
      sig 0x000506c9, pf_mask 0x03, 2017-03-25, rev 0x002c, size 16384
      sig 0x000706a1, pf_mask 0x01, 2017-10-31, rev 0x001e, size 72704
      sig 0x000906ea, pf_mask 0x22, 2017-08-23, rev 0x0070, size 95232
      sig 0x000906eb, pf_mask 0x02, 2017-09-20, rev 0x0072, size 97280
    + Updated Microcodes:
      sig 0x00050654, pf_mask 0xb7, 2017-10-17, rev 0x2000035, size 26624
      sig 0x000806ea, pf_mask 0xc0, 2017-08-03, rev 0x0070, size 96256
  * source: remove superseded upstream data file: 20170707.
  * source: remove unneeded intel-ucode/ directory for 20171117.
  * debian/control: bump standards version to 4.1.1 (no changes)
  * Makefile: rename microcode-extras.pbin to microcode-includes.pbin.
  * README.source: fix IUC_EXCLUDE example and minor issues.
  * Makefile, README.souce: support loading ucode from directories.
  * debian/rules: switch to dh mode (debhelper v9)
  * ucode-blacklist: blacklist sig 0x406f1 (Skylake-X H0) from late loading.
intel-microcode (3.20180425.1~bpo9+1) stretch-backports; urgency=medium
 .
  * Rebuild for stretch-backports (no changes)
 .
intel-microcode (3.20180425.1) unstable; urgency=medium
 .
  * New upstream microcode data file 20180425 (closes: #897443, #895878)
    + Updated Microcodes:
      sig 0x000406f1, pf_mask 0xef, 2018-03-21, rev 0xb00002c, size 27648
      sig 0x000706a1, pf_mask 0x01, 2017-12-26, rev 0x0022, size 73728
    + Implements IBRS/IBPB/STIPB support, Spectre-v2 mitigation
    + Note that sig 0x000604f1 has been blacklisted from late-loading since
      Debian release 3.20171117.1.
  * source: remove undesired list files from microcode directories
  * source: switch to microcode-.d/ since Intel dropped .dat support.
intel-microcode (3.20180425.1~bpo8+1) jessie-backports-sloppy; urgency=medium
 .
  * Rebuild for jessie-backports-sloppy (no changes)
 .
intel-microcode (3.20180425.1) unstable; urgency=medium
 .
  * New upstream microcode data file 20180425 (closes: #897443, #895878)
    + Updated Microcodes:
      sig 0x000406f1, pf_mask 0xef, 2018-03-21, rev 0xb00002c, size 27648
      sig 0x000706a1, pf_mask 0x01, 2017-12-26, rev 0x0022, size 73728
    + Implements IBRS/IBPB/STIPB support, Spectre-v2 mitigation
    + Note that sig 0x000604f1 has been blacklisted from late-loading since
      Debian release 3.20171117.1.
  * source: remove undesired list files from microcode directories
  * source: switch to microcode-.d/ since Intel dropped .dat support.
intel-microcode (3.20180312.1) unstable; urgency=medium
 .
  * New upstream microcode data file 20180312 (closes: #886367)
    + New Microcodes:
      sig 0x00050653, pf_mask 0x97, 2018-01-29, rev 0x1000140, size 30720
      sig 0x00050665, pf_mask 0x10, 2018-01-22, rev 0xe000009, size 18432
    + Updated Microcodes:
      sig 0x000206a7, pf_mask 0x12, 2018-02-07, rev 0x002d, size 12288
      sig 0x000206d6, pf_mask 0x6d, 2018-01-30, rev 0x061c, size 18432
      sig 0x000206d7, pf_mask 0x6d, 2018-01-26, rev 0x0713, size 19456
      sig 0x000306a9, pf_mask 0x12, 2018-02-07, rev 0x001f, size 13312
      sig 0x000306c3, pf_mask 0x32, 2018-01-21, rev 0x0024, size 23552
      sig 0x000306d4, pf_mask 0xc0, 2018-01-18, rev 0x002a, size 18432
      sig 0x000306e4, pf_mask 0xed, 2018-01-25, rev 0x042c, size 15360
      sig 0x000306e7, pf_mask 0xed, 2018-02-16, rev 0x0713, size 16384
      sig 0x000306f2, pf_mask 0x6f, 2018-01-19, rev 0x003c, size 33792
      sig 0x000306f4, pf_mask 0x80, 2018-01-22, rev 0x0011, size 17408
      sig 0x00040651, pf_mask 0x72, 2018-01-18, rev 0x0023, size 21504
      sig 0x00040661, pf_mask 0x32, 2018-01-21, rev 0x0019, size 25600
      sig 0x00040671, pf_mask 0x22, 2018-01-21, rev 0x001d, size 12288
      sig 0x000406e3, pf_mask 0xc0, 2017-11-16, rev 0x00c2, size 99328
      sig 0x00050654, pf_mask 0xb7, 2018-01-26, rev 0x2000043, size 28672
      sig 0x00050662, pf_mask 0x10, 2018-01-22, rev 0x0015, size 31744
      sig 0x00050663, pf_mask 0x10, 2018-01-22, rev 0x7000012, size 22528
      sig 0x00050664, pf_mask 0x10, 2018-01-22, rev 0xf000011, size 22528
      sig 0x000506e3, pf_mask 0x36, 2017-11-16, rev 0x00c2, size 99328
      sig 0x000806e9, pf_mask 0xc0, 2018-01-21, rev 0x0084, size 98304
      sig 0x000806ea, pf_mask 0xc0, 2018-01-21, rev 0x0084, size 97280
      sig 0x000906e9, pf_mask 0x2a, 2018-01-21, rev 0x0084, size 98304
      sig 0x000906ea, pf_mask 0x22, 2018-01-21, rev 0x0084, size 96256
      sig 0x000906eb, pf_mask 0x02, 2018-01-21, rev 0x0084, size 98304
    + Implements IBRS/IBPB/STIPB support, Spectre-v2 mitigation for:
      Sandybridge, Ivy Bridge, Haswell, Broadwell, Skylake, Kaby Lake,
      Coffee Lake
    + Missing production updates:
      + Broadwell-E/EX Xeons (sig 0x406f1)
      + Anniedale/Morefield, Apollo Lake, Avoton, Cherry Trail, Braswell,
        Gemini Lake, Denverton
  * Update past changelog entries with new information: Intel already had
    all necessary semantics in LFENCE, so the Spectre-related Intel
    microcode changes did not need to enhance LFENCE.
  * debian/control: update Vcs-* fields for the move to salsa.debian.org
intel-microcode (3.20180312.1~bpo9+1) stretch-backports; urgency=medium
 .
  * Rebuild for stretch-backports (no changes)
 .
intel-microcode (3.20180312.1) unstable; urgency=medium
 .
  * New upstream microcode data file 20180312 (closes: #886367)
    + New Microcodes:
      sig 0x00050653, pf_mask 0x97, 2018-01-29, rev 0x1000140, size 30720
      sig 0x00050665, pf_mask 0x10, 2018-01-22, rev 0xe000009, size 18432
    + Updated Microcodes:
      sig 0x000206a7, pf_mask 0x12, 2018-02-07, rev 0x002d, size 12288
      sig 0x000206d6, pf_mask 0x6d, 2018-01-30, rev 0x061c, size 18432
      sig 0x000206d7, pf_mask 0x6d, 2018-01-26, rev 0x0713, size 19456
      sig 0x000306a9, pf_mask 0x12, 2018-02-07, rev 0x001f, size 13312
      sig 0x000306c3, pf_mask 0x32, 2018-01-21, rev 0x0024, size 23552
      sig 0x000306d4, pf_mask 0xc0, 2018-01-18, rev 0x002a, size 18432
      sig 0x000306e4, pf_mask 0xed, 2018-01-25, rev 0x042c, size 15360
      sig 0x000306e7, pf_mask 0xed, 2018-02-16, rev 0x0713, size 16384
      sig 0x000306f2, pf_mask 0x6f, 2018-01-19, rev 0x003c, size 33792
      sig 0x000306f4, pf_mask 0x80, 2018-01-22, rev 0x0011, size 17408
      sig 0x00040651, pf_mask 0x72, 2018-01-18, rev 0x0023, size 21504
      sig 0x00040661, pf_mask 0x32, 2018-01-21, rev 0x0019, size 25600
      sig 0x00040671, pf_mask 0x22, 2018-01-21, rev 0x001d, size 12288
      sig 0x000406e3, pf_mask 0xc0, 2017-11-16, rev 0x00c2, size 99328
      sig 0x00050654, pf_mask 0xb7, 2018-01-26, rev 0x2000043, size 28672
      sig 0x00050662, pf_mask 0x10, 2018-01-22, rev 0x0015, size 31744
      sig 0x00050663, pf_mask 0x10, 2018-01-22, rev 0x7000012, size 22528
      sig 0x00050664, pf_mask 0x10, 2018-01-22, rev 0xf000011, size 22528
      sig 0x000506e3, pf_mask 0x36, 2017-11-16, rev 0x00c2, size 99328
      sig 0x000806e9, pf_mask 0xc0, 2018-01-21, rev 0x0084, size 98304
      sig 0x000806ea, pf_mask 0xc0, 2018-01-21, rev 0x0084, size 97280
      sig 0x000906e9, pf_mask 0x2a, 2018-01-21, rev 0x0084, size 98304
      sig 0x000906ea, pf_mask 0x22, 2018-01-21, rev 0x0084, size 96256
      sig 0x000906eb, pf_mask 0x02, 2018-01-21, rev 0x0084, size 98304
    + Implements IBRS/IBPB/STIPB support, Spectre-v2 mitigation for:
      Sandybridge, Ivy Bridge, Haswell, Broadwell, Skylake, Kaby Lake,
      Coffee Lake
    + Missing production updates:
      + Broadwell-E/EX Xeons (sig 0x406f1)
      + Anniedale/Morefield, Apollo Lake, Avoton, Cherry Trail, Braswell,
        Gemini Lake, Denverton
  * Update past changelog entries with new information: Intel already had
    all necessary semantics in LFENCE, so the Spectre-related Intel
    microcode changes did not need to enhance LFENCE.
  * debian/control: update Vcs-* fields for the move to salsa.debian.org
 .
intel-microcode (3.20180108.1+really20171117.1) unstable; urgency=critical
 .
  * Revert to release 20171117, as per Intel instructions issued to the
    public in 2018-01-22 (closes: #886998)
  * This effectively removes IBRS/IBPB/STIPB microcode support for Spectre
    variant 2 mitigation.
 .
intel-microcode (3.20180108.1) unstable; urgency=high
 .
  * New upstream microcode data file 20180108 (closes: #886367)
    + Updated Microcodes:
      sig 0x000306c3, pf_mask 0x32, 2017-11-20, rev 0x0023, size 23552
      sig 0x000306d4, pf_mask 0xc0, 2017-11-17, rev 0x0028, size 18432
      sig 0x000306e4, pf_mask 0xed, 2017-12-01, rev 0x042a, size 15360
      sig 0x000306f2, pf_mask 0x6f, 2017-11-17, rev 0x003b, size 33792
      sig 0x000306f4, pf_mask 0x80, 2017-11-17, rev 0x0010, size 17408
      sig 0x00040651, pf_mask 0x72, 2017-11-20, rev 0x0021, size 22528
      sig 0x00040661, pf_mask 0x32, 2017-11-20, rev 0x0018, size 25600
      sig 0x00040671, pf_mask 0x22, 2017-11-17, rev 0x001b, size 13312
      sig 0x000406e3, pf_mask 0xc0, 2017-11-16, rev 0x00c2, size 99328
      sig 0x00050654, pf_mask 0xb7, 2017-12-08, rev 0x200003c, size 27648
      sig 0x00050662, pf_mask 0x10, 2017-12-16, rev 0x0014, size 31744
      sig 0x00050663, pf_mask 0x10, 2017-12-16, rev 0x7000011, size 22528
      sig 0x000506e3, pf_mask 0x36, 2017-11-16, rev 0x00c2, size 99328
      sig 0x000706a1, pf_mask 0x01, 2017-12-26, rev 0x0022, size 73728
      sig 0x000806e9, pf_mask 0xc0, 2018-01-04, rev 0x0080, size 98304
      sig 0x000806ea, pf_mask 0xc0, 2018-01-04, rev 0x0080, size 98304
      sig 0x000906e9, pf_mask 0x2a, 2018-01-04, rev 0x0080, size 98304
      sig 0x000906ea, pf_mask 0x22, 2018-01-04, rev 0x0080, size 97280
      sig 0x000906eb, pf_mask 0x02, 2018-01-04, rev 0x0080, size 98304
    + Implements IBRS/IBPB support: mitigation against Spectre (CVE-2017-5715)
    + Very likely fixes several other errata on some of the processors
  * supplementary-ucode-CVE-2017-5715.d/: remove.
    + Downgraded microcodes:
      sig 0x000406f1, pf_mask 0xef, 2017-03-01, rev 0xb000021, size 26624
      sig 0x000506c9, pf_mask 0x03, 2017-03-25, rev 0x002c, size 16384
    + Recall related to bug #886998
  * source: remove superseded upstream data file: 20171117
  * README.Debian, copyright: update download URLs (closes: #886368)
 .
intel-microcode (3.20171215.1) unstable; urgency=high
 .
  * Add supplementary-ucode-CVE-2017-5715.d/: (closes: #886367)
    New upstream microcodes to partially address CVE-2017-5715
    + Updated Microcodes:
      sig 0x000306c3, pf_mask 0x32, 2017-11-20, rev 0x0023, size 23552
      sig 0x000306d4, pf_mask 0xc0, 2017-11-17, rev 0x0028, size 18432
      sig 0x000306f2, pf_mask 0x6f, 2017-11-17, rev 0x003b, size 33792
      sig 0x00040651, pf_mask 0x72, 2017-11-20, rev 0x0021, size 22528
      sig 0x000406e3, pf_mask 0xc0, 2017-11-16, rev 0x00c2, size 99328
      sig 0x000406f1, pf_mask 0xef, 2017-11-18, rev 0xb000025, size 27648
      sig 0x00050654, pf_mask 0xb7, 2017-11-21, rev 0x200003a, size 27648
      sig 0x000506c9, pf_mask 0x03, 2017-11-22, rev 0x002e, size 16384
      sig 0x000806e9, pf_mask 0xc0, 2017-12-03, rev 0x007c, size 98304
      sig 0x000906e9, pf_mask 0x2a, 2017-12-03, rev 0x007c, size 98304
  * Implements IBRS and IBPB support via new MSR (Spectre variant 2
    mitigation, indirect branches). Support is exposed through cpuid(7).EDX.
intel-microcode (3.20180312.1~bpo8+1) jessie-backports-sloppy; urgency=medium
 .
  * Rebuild for jessie-backports-sloppy (no changes)
 .
intel-microcode (3.20180312.1) unstable; urgency=medium
 .
  * New upstream microcode data file 20180312 (closes: #886367)
    + New Microcodes:
      sig 0x00050653, pf_mask 0x97, 2018-01-29, rev 0x1000140, size 30720
      sig 0x00050665, pf_mask 0x10, 2018-01-22, rev 0xe000009, size 18432
    + Updated Microcodes:
      sig 0x000206a7, pf_mask 0x12, 2018-02-07, rev 0x002d, size 12288
      sig 0x000206d6, pf_mask 0x6d, 2018-01-30, rev 0x061c, size 18432
      sig 0x000206d7, pf_mask 0x6d, 2018-01-26, rev 0x0713, size 19456
      sig 0x000306a9, pf_mask 0x12, 2018-02-07, rev 0x001f, size 13312
      sig 0x000306c3, pf_mask 0x32, 2018-01-21, rev 0x0024, size 23552
      sig 0x000306d4, pf_mask 0xc0, 2018-01-18, rev 0x002a, size 18432
      sig 0x000306e4, pf_mask 0xed, 2018-01-25, rev 0x042c, size 15360
      sig 0x000306e7, pf_mask 0xed, 2018-02-16, rev 0x0713, size 16384
      sig 0x000306f2, pf_mask 0x6f, 2018-01-19, rev 0x003c, size 33792
      sig 0x000306f4, pf_mask 0x80, 2018-01-22, rev 0x0011, size 17408
      sig 0x00040651, pf_mask 0x72, 2018-01-18, rev 0x0023, size 21504
      sig 0x00040661, pf_mask 0x32, 2018-01-21, rev 0x0019, size 25600
      sig 0x00040671, pf_mask 0x22, 2018-01-21, rev 0x001d, size 12288
      sig 0x000406e3, pf_mask 0xc0, 2017-11-16, rev 0x00c2, size 99328
      sig 0x00050654, pf_mask 0xb7, 2018-01-26, rev 0x2000043, size 28672
      sig 0x00050662, pf_mask 0x10, 2018-01-22, rev 0x0015, size 31744
      sig 0x00050663, pf_mask 0x10, 2018-01-22, rev 0x7000012, size 22528
      sig 0x00050664, pf_mask 0x10, 2018-01-22, rev 0xf000011, size 22528
      sig 0x000506e3, pf_mask 0x36, 2017-11-16, rev 0x00c2, size 99328
      sig 0x000806e9, pf_mask 0xc0, 2018-01-21, rev 0x0084, size 98304
      sig 0x000806ea, pf_mask 0xc0, 2018-01-21, rev 0x0084, size 97280
      sig 0x000906e9, pf_mask 0x2a, 2018-01-21, rev 0x0084, size 98304
      sig 0x000906ea, pf_mask 0x22, 2018-01-21, rev 0x0084, size 96256
      sig 0x000906eb, pf_mask 0x02, 2018-01-21, rev 0x0084, size 98304
    + Implements IBRS/IBPB/STIPB support, Spectre-v2 mitigation for:
      Sandybridge, Ivy Bridge, Haswell, Broadwell, Skylake, Kaby Lake,
      Coffee Lake
    + Missing production updates:
      + Broadwell-E/EX Xeons (sig 0x406f1)
      + Anniedale/Morefield, Apollo Lake, Avoton, Cherry Trail, Braswell,
        Gemini Lake, Denverton
  * Update past changelog entries with new information: Intel already had
    all necessary semantics in LFENCE, so the Spectre-related Intel
    microcode changes did not need to enhance LFENCE.
  * debian/control: update Vcs-* fields for the move to salsa.debian.org
 .
intel-microcode (3.20180108.1+really20171117.1) unstable; urgency=critical
 .
  * Revert to release 20171117, as per Intel instructions issued to the
    public in 2018-01-22 (closes: #886998)
  * This effectively removes IBRS/IBPB/STIPB microcode support for Spectre
    variant 2 mitigation.
 .
intel-microcode (3.20180108.1) unstable; urgency=high
 .
  * New upstream microcode data file 20180108 (closes: #886367)
    + Updated Microcodes:
      sig 0x000306c3, pf_mask 0x32, 2017-11-20, rev 0x0023, size 23552
      sig 0x000306d4, pf_mask 0xc0, 2017-11-17, rev 0x0028, size 18432
      sig 0x000306e4, pf_mask 0xed, 2017-12-01, rev 0x042a, size 15360
      sig 0x000306f2, pf_mask 0x6f, 2017-11-17, rev 0x003b, size 33792
      sig 0x000306f4, pf_mask 0x80, 2017-11-17, rev 0x0010, size 17408
      sig 0x00040651, pf_mask 0x72, 2017-11-20, rev 0x0021, size 22528
      sig 0x00040661, pf_mask 0x32, 2017-11-20, rev 0x0018, size 25600
      sig 0x00040671, pf_mask 0x22, 2017-11-17, rev 0x001b, size 13312
      sig 0x000406e3, pf_mask 0xc0, 2017-11-16, rev 0x00c2, size 99328
      sig 0x00050654, pf_mask 0xb7, 2017-12-08, rev 0x200003c, size 27648
      sig 0x00050662, pf_mask 0x10, 2017-12-16, rev 0x0014, size 31744
      sig 0x00050663, pf_mask 0x10, 2017-12-16, rev 0x7000011, size 22528
      sig 0x000506e3, pf_mask 0x36, 2017-11-16, rev 0x00c2, size 99328
      sig 0x000706a1, pf_mask 0x01, 2017-12-26, rev 0x0022, size 73728
      sig 0x000806e9, pf_mask 0xc0, 2018-01-04, rev 0x0080, size 98304
      sig 0x000806ea, pf_mask 0xc0, 2018-01-04, rev 0x0080, size 98304
      sig 0x000906e9, pf_mask 0x2a, 2018-01-04, rev 0x0080, size 98304
      sig 0x000906ea, pf_mask 0x22, 2018-01-04, rev 0x0080, size 97280
      sig 0x000906eb, pf_mask 0x02, 2018-01-04, rev 0x0080, size 98304
    + Implements IBRS/IBPB support: mitigation against Spectre (CVE-2017-5715)
    + Very likely fixes several other errata on some of the processors
  * supplementary-ucode-CVE-2017-5715.d/: remove.
    + Downgraded microcodes:
      sig 0x000406f1, pf_mask 0xef, 2017-03-01, rev 0xb000021, size 26624
      sig 0x000506c9, pf_mask 0x03, 2017-03-25, rev 0x002c, size 16384
    + Recall related to bug #886998
  * source: remove superseded upstream data file: 20171117
  * README.Debian, copyright: update download URLs (closes: #886368)
 .
intel-microcode (3.20171215.1) unstable; urgency=high
 .
  * Add supplementary-ucode-CVE-2017-5715.d/: (closes: #886367)
    New upstream microcodes to partially address CVE-2017-5715
    + Updated Microcodes:
      sig 0x000306c3, pf_mask 0x32, 2017-11-20, rev 0x0023, size 23552
      sig 0x000306d4, pf_mask 0xc0, 2017-11-17, rev 0x0028, size 18432
      sig 0x000306f2, pf_mask 0x6f, 2017-11-17, rev 0x003b, size 33792
      sig 0x00040651, pf_mask 0x72, 2017-11-20, rev 0x0021, size 22528
      sig 0x000406e3, pf_mask 0xc0, 2017-11-16, rev 0x00c2, size 99328
      sig 0x000406f1, pf_mask 0xef, 2017-11-18, rev 0xb000025, size 27648
      sig 0x00050654, pf_mask 0xb7, 2017-11-21, rev 0x200003a, size 27648
      sig 0x000506c9, pf_mask 0x03, 2017-11-22, rev 0x002e, size 16384
      sig 0x000806e9, pf_mask 0xc0, 2017-12-03, rev 0x007c, size 98304
      sig 0x000906e9, pf_mask 0x2a, 2017-12-03, rev 0x007c, size 98304
  * Implements IBRS and IBPB support via new MSR (Spectre variant 2
    mitigation, indirect branches). Support is exposed through cpuid(7).EDX.
intel-microcode (3.20180108.1+really20171117.1) unstable; urgency=critical
 .
  * Revert to release 20171117, as per Intel instructions issued to the
    public in 2018-01-22 (closes: #886998)
  * This effectively removes IBRS/IBPB/STIPB microcode support for Spectre
    variant 2 mitigation.
intel-microcode (3.20180108.1) unstable; urgency=high
 .
  * New upstream microcode data file 20180108 (closes: #886367)
    + Updated Microcodes:
      sig 0x000306c3, pf_mask 0x32, 2017-11-20, rev 0x0023, size 23552
      sig 0x000306d4, pf_mask 0xc0, 2017-11-17, rev 0x0028, size 18432
      sig 0x000306e4, pf_mask 0xed, 2017-12-01, rev 0x042a, size 15360
      sig 0x000306f2, pf_mask 0x6f, 2017-11-17, rev 0x003b, size 33792
      sig 0x000306f4, pf_mask 0x80, 2017-11-17, rev 0x0010, size 17408
      sig 0x00040651, pf_mask 0x72, 2017-11-20, rev 0x0021, size 22528
      sig 0x00040661, pf_mask 0x32, 2017-11-20, rev 0x0018, size 25600
      sig 0x00040671, pf_mask 0x22, 2017-11-17, rev 0x001b, size 13312
      sig 0x000406e3, pf_mask 0xc0, 2017-11-16, rev 0x00c2, size 99328
      sig 0x00050654, pf_mask 0xb7, 2017-12-08, rev 0x200003c, size 27648
      sig 0x00050662, pf_mask 0x10, 2017-12-16, rev 0x0014, size 31744
      sig 0x00050663, pf_mask 0x10, 2017-12-16, rev 0x7000011, size 22528
      sig 0x000506e3, pf_mask 0x36, 2017-11-16, rev 0x00c2, size 99328
      sig 0x000706a1, pf_mask 0x01, 2017-12-26, rev 0x0022, size 73728
      sig 0x000806e9, pf_mask 0xc0, 2018-01-04, rev 0x0080, size 98304
      sig 0x000806ea, pf_mask 0xc0, 2018-01-04, rev 0x0080, size 98304
      sig 0x000906e9, pf_mask 0x2a, 2018-01-04, rev 0x0080, size 98304
      sig 0x000906ea, pf_mask 0x22, 2018-01-04, rev 0x0080, size 97280
      sig 0x000906eb, pf_mask 0x02, 2018-01-04, rev 0x0080, size 98304
    + Implements IBRS/IBPB support and enhances LFENCE: mitigation against
      Spectre (CVE-2017-5715)
    + Very likely fixes several other errata on some of the processors
  * supplementary-ucode-CVE-2017-5715.d/: remove.
    + Downgraded microcodes:
      sig 0x000406f1, pf_mask 0xef, 2017-03-01, rev 0xb000021, size 26624
      sig 0x000506c9, pf_mask 0x03, 2017-03-25, rev 0x002c, size 16384
    + This removes IBRS/IBPB support for these two platforms when compared
      with the previous (and unofficial) release, 20171215. We don't know
      why Intel declined to include these microcode updates (as well as
      several others) in the release.
  * source: remove superseded upstream data file: 20171117
  * README.Debian, copyright: update download URLs (closes: #886368)
intel-microcode (3.20171215.1) unstable; urgency=high
 .
  * Add supplementary-ucode-CVE-2017-5715.d/: (closes: #886367)
    New upstream microcodes to partially address CVE-2017-5715
    + Updated Microcodes:
      sig 0x000306c3, pf_mask 0x32, 2017-11-20, rev 0x0023, size 23552
      sig 0x000306d4, pf_mask 0xc0, 2017-11-17, rev 0x0028, size 18432
      sig 0x000306f2, pf_mask 0x6f, 2017-11-17, rev 0x003b, size 33792
      sig 0x00040651, pf_mask 0x72, 2017-11-20, rev 0x0021, size 22528
      sig 0x000406e3, pf_mask 0xc0, 2017-11-16, rev 0x00c2, size 99328
      sig 0x000406f1, pf_mask 0xef, 2017-11-18, rev 0xb000025, size 27648
      sig 0x00050654, pf_mask 0xb7, 2017-11-21, rev 0x200003a, size 27648
      sig 0x000506c9, pf_mask 0x03, 2017-11-22, rev 0x002e, size 16384
      sig 0x000806e9, pf_mask 0xc0, 2017-12-03, rev 0x007c, size 98304
      sig 0x000906e9, pf_mask 0x2a, 2017-12-03, rev 0x007c, size 98304
  * Implements IBRS and IBPB support via new MSR (Spectre variant 2
    mitigation, indirect branches). Support is exposed through cpuid(7).EDX.
  * LFENCE terminates all previous instructions (Spectre variant 2
    mitigation, conditional branches).
intel-microcode (3.20171117.1) unstable; urgency=medium
 .
  * New upstream microcode data file 20171117
    + New Microcodes:
      sig 0x000506c9, pf_mask 0x03, 2017-03-25, rev 0x002c, size 16384
      sig 0x000706a1, pf_mask 0x01, 2017-10-31, rev 0x001e, size 72704
      sig 0x000906ea, pf_mask 0x22, 2017-08-23, rev 0x0070, size 95232
      sig 0x000906eb, pf_mask 0x02, 2017-09-20, rev 0x0072, size 97280
    + Updated Microcodes:
      sig 0x00050654, pf_mask 0xb7, 2017-10-17, rev 0x2000035, size 26624
      sig 0x000806ea, pf_mask 0xc0, 2017-08-03, rev 0x0070, size 96256
  * source: remove superseded upstream data file: 20170707.
  * source: remove unneeded intel-ucode/ directory for 20171117.
  * debian/control: bump standards version to 4.1.1 (no changes)
  * Makefile: rename microcode-extras.pbin to microcode-includes.pbin.
  * README.source: fix IUC_EXCLUDE example and minor issues.
  * Makefile, README.souce: support loading ucode from directories.
  * debian/rules: switch to dh mode (debhelper v9)
  * ucode-blacklist: blacklist sig 0x406f1 (Skylake-X H0) from late loading.
intel-microcode (3.20171117.1~bpo9+1) stretch-backports; urgency=medium
 .
  * Rebuild for stretch-backports (no changes)
 .
intel-microcode (3.20171117.1) unstable; urgency=medium
 .
  * New upstream microcode data file 20171117
    + New Microcodes:
      sig 0x000506c9, pf_mask 0x03, 2017-03-25, rev 0x002c, size 16384
      sig 0x000706a1, pf_mask 0x01, 2017-10-31, rev 0x001e, size 72704
      sig 0x000906ea, pf_mask 0x22, 2017-08-23, rev 0x0070, size 95232
      sig 0x000906eb, pf_mask 0x02, 2017-09-20, rev 0x0072, size 97280
    + Updated Microcodes:
      sig 0x00050654, pf_mask 0xb7, 2017-10-17, rev 0x2000035, size 26624
      sig 0x000806ea, pf_mask 0xc0, 2017-08-03, rev 0x0070, size 96256
  * source: remove superseded upstream data file: 20170707.
  * source: remove unneeded intel-ucode/ directory for 20171117.
  * debian/control: bump standards version to 4.1.1 (no changes)
  * Makefile: rename microcode-extras.pbin to microcode-includes.pbin.
  * README.source: fix IUC_EXCLUDE example and minor issues.
  * Makefile, README.souce: support loading ucode from directories.
  * debian/rules: switch to dh mode (debhelper v9)
  * ucode-blacklist: blacklist sig 0x406f1 (Skylake-X H0) from late loading.
 .
intel-microcode (3.20170707.1~bpo9+1) stretch-backports; urgency=high
 .
  * Rebuild for stretch-backports (no changes)
 .
intel-microcode (3.20170707.1) unstable; urgency=high
 .
  * New upstream microcode datafile 20170707
    + New Microcodes:
      sig 0x00050654, pf_mask 0x97, 2017-06-01, rev 0x2000022, size 25600
      sig 0x000806e9, pf_mask 0xc0, 2017-04-27, rev 0x0062, size 97280
      sig 0x000806ea, pf_mask 0xc0, 2017-05-23, rev 0x0066, size 95232
      sig 0x000906e9, pf_mask 0x2a, 2017-04-06, rev 0x005e, size 97280
    + This release fixes the nightmare-level errata SKZ7/SKW144/SKL150/SKX150
      (Skylake) KBL095/KBW095 (Kaby Lake) for all affected Kaby Lake and
      Skylake processors: Skylake D0/R0 were fixed since the previous
      upstream release (20170511). This new release adds the fixes for
      Kaby Lake Y0/B0/H0 and Skylake H0 (Skylake-E/X).
    + Fix undisclosed errata in Skylake H0 (0x50654), Kaby Lake Y0 (0x806ea),
      Kaby Lake H0 (0x806e9), Kaby Lake B0 (0x906e9)
  * source: remove unneeded intel-ucode/ directory
  * source: remove superseded upstream data file: 20170511

intel-microcode (3.20170511.1) unstable; urgency=medium

  * New upstream microcode datafile 20170511
    + Updated Microcodes:
      sig 0x000306c3, pf_mask 0x32, 2017-01-27, rev 0x0022, size 22528
      sig 0x000306d4, pf_mask 0xc0, 2017-01-27, rev 0x0025, size 17408
      sig 0x000306f2, pf_mask 0x6f, 2017-01-30, rev 0x003a, size 32768
      sig 0x000306f4, pf_mask 0x80, 2017-01-30, rev 0x000f, size 16384
      sig 0x00040651, pf_mask 0x72, 2017-01-27, rev 0x0020, size 20480
      sig 0x00040661, pf_mask 0x32, 2017-01-27, rev 0x0017, size 24576
      sig 0x00040671, pf_mask 0x22, 2017-01-27, rev 0x0017, size 11264
      sig 0x000406e3, pf_mask 0xc0, 2017-04-09, rev 0x00ba, size 98304
      sig 0x000406f1, pf_mask 0xef, 2017-03-01, rev 0xb000021, size 26624
      sig 0x000506e3, pf_mask 0x36, 2017-04-09, rev 0x00ba, size 98304
    + This release fixes undisclosed errata on the desktop, mobile and server
      processor models from the Haswell, Broadwell, and Skylake families,
      including even the high-end multi-socket server Xeons
    + Likely fix the TSC-Deadline LAPIC errata (BDF89, SKL142 and similar)
      on several processor families
    + Fix erratum BDF90 on Xeon E7v4, E5v4(?) (closes: #862606)
    + Likely fix serious or critical Skylake errata: SKL138/144, SKL137/145,
      SLK149
  * Likely fix nightmare-level Skylake erratum SKL150. Fortunately, either
    this erratum is very-low-hitting, or gcc/clang/icc/msvc won't usually
    issue the affected opcode pattern and it ends up being rare.
    SKL150 - Short loops using both the AH/BH/CH/DH registers and the
    corresponding wide register *may* result in unpredictable system
    behavior. Requires both logical processors of the same core (i.e.
    sibling hyperthreads) to be active to trigger, as well as a "complex
    set of micro-architectural conditions"
  * source: remove unneeded intel-ucode/ directory
    Since release 20170511, upstream ships the microcodes both in .dat
    format, and as Linux-style split /lib/firmware/intel-ucode files. It
    is simpler to just use the .dat format file for now, so remove the
    intel-ucode/ directory. Note: before removal, it was verified that
    there were no discrepancies between the two microcode sets (.dat and
    intel-ucode/)
  * source: remove superseded upstream data file: 20161104

intel-microcode (3.20161104.1) unstable; urgency=medium

  * New upstream microcode datafile 20161104
    + New Microcodes:
      sig 0x00050663, pf_mask 0x10, 2016-10-12, rev 0x700000d, size 20480
      sig 0x00050664, pf_mask 0x10, 2016-06-02, rev 0xf00000a, size 21504
    + Updated Microcodes:
      sig 0x000306f2, pf_mask 0x6f, 2016-10-07, rev 0x0039, size 32768
      sig 0x000406f1, pf_mask 0xef, 2016-10-07, rev 0xb00001f, size 25600
    + Removed Microcodes:
      sig 0x000106e4, pf_mask 0x09, 2013-07-01, rev 0x0003, size 6144
    + This update fixes critical errata on Broadwell-DE V2/Y0 (Xeon D-1500
      family), including one that can crash VMWare ESXi 6 with #PF (VMWare
      KB2146388), and could affect Linux as well. This same issue was fixed
      for the E5v4 Xeons in release 20160607
    + This update fixes undisclosed (and likely critical) errata on
      Broadwell-E Core i7-68xxK/69xxK/6950X, Broadwell-EP/EX B0/R0/M0 Xeon
      E5v4 and Xeon E7v4, and Haswell-EP Xeon E5v3
    + This release deletes the microcode update for the Jasper Forest
      embedded Xeons (Xeon EC35xx/LC35xx/EC35xx/LC55xx), for undisclosed
      reasons. The deleted microcode is outdated when compared with the
      updates for the other Nehalem Xeons
  * Makefile: always exclude microcode sig 0x206c2 just in case
    Intel is quite clear in the Intel SA-00030 advisory text that recent
    revisions (0x14 and later?) of the 0x206c2 microcode updates must be
    installed along with updated SINIT ACM on vPro systems (i.e. through an
    UEFI/BIOS firmware update). This is a defensive change so that we don't
    ship such a microcode update in the future by mistake
  * source: remove partially superseded upstream data file: 20160714
  * source: remove superseded upstream data file: 20101123
  * changelog: replace "pf mask" with "pf_mask"
  * control, compat: switch debhelper compatibility level to 9
  * control: bump standards-version, no changes required

intel-microcode (3.20160714.1) unstable; urgency=medium

  * New upstream microcode datafile 20160714
    + Updated Microcodes:
      sig 0x000306f4, pf mask 0x80, 2016-06-07, rev 0x000d, size 15360
      sig 0x000406e3, pf mask 0xc0, 2016-06-22, rev 0x009e, size 97280
      sig 0x000406f1, pf mask 0xef, 2016-06-06, rev 0xb00001d, size 25600
      sig 0x000506e3, pf mask 0x36, 2016-06-22, rev 0x009e, size 97280
    + This release hopefully fixes a hang when updating the microcode on
      some Skylake-U D-1/Skylake-Y D-1 (sig 0x406e3, pf 0x80) systems
  * source: remove superseded upstream data file: 20160607

intel-microcode (3.20160607.2) unstable; urgency=low
  * REMOVE microcode: sig 0x000406e3, pf mask 0xc0, 2016-04-06, rev 0x008a,
    size 96256 (closes: #828819)
  * The Core i7-6500U and m3-6Y30 processors (Skylake-UY D-1, sig=0x406e3,
    pf=0x80) may hang while attempting an early microcode update to revision
    0x8a, apparently due to some sort of firmware dependency. On affected
    systems, the only way to avoid the issue is to get a firmware update
    that includes microcode revision 0x8a or later. At this time, there are
    reports of both successful and failed updates on the m3-6Y30, and only
    of failed updates on the i7-6500U. There are no reports about Skylake-U
    K-1 (pf=0x40).
    + WARNING: it is unsafe to use a system based on an Intel Skylake-U/Y
      processor with microcode earlier than revision 0x8a, due to several
      critical errata that cause unpredictable behavior, data corruption,
      and other problems. Users *must* update their firmware to get
      microcode 0x8a or newer, and keep it up-to-date.

intel-microcode (3.20160607.1) unstable; urgency=medium

  * New upstream microcode data file 20160607
    + New Microcodes:
      sig 0x000406e3, pf mask 0xc0, 2016-04-06, rev 0x008a, size 96256
      sig 0x000406f1, pf mask 0xef, 2016-05-20, rev 0xb00001c, size 25600
      sig 0x00050662, pf mask 0x10, 2015-12-12, rev 0x000f, size 28672
      sig 0x000506e3, pf mask 0x36, 2016-04-06, rev 0x008a, size 96256
    + Updated Microcodes:
      sig 0x000306c3, pf mask 0x32, 2016-03-16, rev 0x0020, size 22528
      sig 0x000306d4, pf mask 0xc0, 2016-04-29, rev 0x0024, size 17408
      sig 0x000306f2, pf mask 0x6f, 2016-03-28, rev 0x0038, size 32768
      sig 0x000306f4, pf mask 0x80, 2016-02-11, rev 0x000a, size 15360
      sig 0x00040651, pf mask 0x72, 2016-04-01, rev 0x001f, size 20480
      sig 0x00040661, pf mask 0x32, 2016-04-01, rev 0x0016, size 24576
      sig 0x00040671, pf mask 0x22, 2016-04-29, rev 0x0016, size 11264
  * source: remove superseded upstream data file: 20151106.
  * control: change upstream URL to a search for "linux microcode"
    Unfortunately, many of the per-processor-model feeds have not been
    updated for microcode release 20160607. Switch to the general search
    page as the upstream URL.
  * README.Debian: fix duplicated word 'to'

intel-microcode (3.20171117.1~bpo8+1) jessie-backports-sloppy; urgency=medium

  * Rebuild for jessie-backports-sloppy (no changes)

intel-microcode (3.20171117.1) unstable; urgency=medium

  * New upstream microcode data file 20171117
    + New Microcodes:
      sig 0x000506c9, pf_mask 0x03, 2017-03-25, rev 0x002c, size 16384
      sig 0x000706a1, pf_mask 0x01, 2017-10-31, rev 0x001e, size 72704
      sig 0x000906ea, pf_mask 0x22, 2017-08-23, rev 0x0070, size 95232
      sig 0x000906eb, pf_mask 0x02, 2017-09-20, rev 0x0072, size 97280
    + Updated Microcodes:
      sig 0x00050654, pf_mask 0xb7, 2017-10-17, rev 0x2000035, size 26624
      sig 0x000806ea, pf_mask 0xc0, 2017-08-03, rev 0x0070, size 96256
  * source: remove superseded upstream data file: 20170707.
  * source: remove unneeded intel-ucode/ directory for 20171117.
  * debian/control: bump standards version to 4.1.1 (no changes)
  * Makefile: rename microcode-extras.pbin to microcode-includes.pbin.
  * README.source: fix IUC_EXCLUDE example and minor issues.
  * Makefile, README.source: support loading ucode from directories.
  * debian/rules: switch to dh mode (debhelper v9)
  * ucode-blacklist: blacklist sig 0x406f1 (Skylake-X H0) from late loading.

intel-microcode (3.20170707.1) unstable; urgency=high
  * New upstream microcode datafile 20170707
    + New Microcodes:
      sig 0x00050654, pf_mask 0x97, 2017-06-01, rev 0x2000022, size 25600
      sig 0x000806e9, pf_mask 0xc0, 2017-04-27, rev 0x0062, size 97280
      sig 0x000806ea, pf_mask 0xc0, 2017-05-23, rev 0x0066, size 95232
      sig 0x000906e9, pf_mask 0x2a, 2017-04-06, rev 0x005e, size 97280
    + This release fixes the nightmare-level errata SKZ7/SKW144/SKL150/SKX150
      (Skylake) KBL095/KBW095 (Kaby Lake) for all affected Kaby Lake and
      Skylake processors: Skylake D0/R0 were fixed since the previous
      upstream release (20170511). This new release adds the fixes for
      Kaby Lake Y0/B0/H0 and Skylake H0 (Skylake-E/X).
    + Fix undisclosed errata in Skylake H0 (0x50654), Kaby Lake Y0 (0x806ea),
      Kaby Lake H0 (0x806e9), Kaby Lake B0 (0x906e9)
  * source: remove unneeded intel-ucode/ directory
  * source: remove superseded upstream data file: 20170511

intel-microcode (3.20170707.1~deb9u1) stretch; urgency=medium

  * Rebuild for stretch (no changes)

intel-microcode (3.20170707.1) unstable; urgency=high

  * New upstream microcode datafile 20170707
    + New Microcodes:
      sig 0x00050654, pf_mask 0x97, 2017-06-01, rev 0x2000022, size 25600
      sig 0x000806e9, pf_mask 0xc0, 2017-04-27, rev 0x0062, size 97280
      sig 0x000806ea, pf_mask 0xc0, 2017-05-23, rev 0x0066, size 95232
      sig 0x000906e9, pf_mask 0x2a, 2017-04-06, rev 0x005e, size 97280
    + This release fixes the nightmare-level errata SKZ7/SKW144/SKL150/SKX150
      (Skylake) KBL095/KBW095 (Kaby Lake) for all affected Kaby Lake and
      Skylake processors: Skylake D0/R0 were fixed since the previous
      upstream release (20170511). This new release adds the fixes for
      Kaby Lake Y0/B0/H0 and Skylake H0 (Skylake-E/X).
    + Fix undisclosed errata in Skylake H0 (0x50654), Kaby Lake Y0 (0x806ea),
      Kaby Lake H0 (0x806e9), Kaby Lake B0 (0x906e9)
  * source: remove unneeded intel-ucode/ directory
  * source: remove superseded upstream data file: 20170511

isc-dhcp (4.3.1-6+deb8u3) jessie-security; urgency=high
  * Non-maintainer upload by the Security Team.
  * Plugs a socket descriptor leak in OMAPI (CVE-2017-3144) (Closes: #887413)
  * Corrected refcnt loss in option parsing (CVE-2018-5733) (Closes: #891785)
  * Correct buffer overrun in pretty_print_option (CVE-2018-5732)
    (Closes: #891786)

isc-dhcp (4.3.1-6+deb8u2+kbsd8u1) jessie-kfreebsd; urgency=medium

  * Upload to jessie-kfreebsd

jackson-databind (2.4.2-2+deb8u4) jessie-security; urgency=high

  * Team upload.
  * Fix CVE-2018-7489: allows unauthenticated remote code execution because
    of an incomplete fix for the CVE-2017-7525 deserialization flaw. This is
    exploitable by sending maliciously crafted JSON input to the readValue
    method of the ObjectMapper, bypassing a blacklist that is ineffective if
    the c3p0 libraries are available in the classpath. (Closes: #891614)

jackson-databind (2.4.2-2+deb8u3) jessie-security; urgency=high

  * Team upload.
  * Fix CVE-2017-17485 and CVE-2018-5968: Bypass of deserialization
    blacklist to disallow unauthenticated remote code execution. These CVEs
    exist due to an incomplete fix for CVE-2017-7525.
    (Closes: #888316, #888318)

kamailio (4.2.0-2+deb8u3) jessie-security; urgency=medium

  * fixes from upstream related to security issues CVE-2018-8828
    https://www.kamailio.org/w/2018/03/kamailio-security-announcement-tmx-lcr/

lame (3.99.5+repack1-7+deb8u2) jessie; urgency=high

  [ Fabian Greffrath ]

  * Build the frontend with the sndfile io routines, RAW PCM and WAV can be
    read from stdin since at least 3.99.0 (Closes: #867725).
    - Add Build-Depends: libsndfile1-dev.

  Addressed CVEs: CVE-2017-9872, CVE-2017-9871, CVE-2017-9870, CVE-2017-9869,
  CVE-2017-15046, CVE-2017-15045, CVE-2017-15018.

ldap-account-manager (4.7.1-1+deb8u1) jessie-security; urgency=high

  * XSS vulnerabilities CVE-2018-8763

libav (6:11.12-1~deb8u1) jessie-security; urgency=medium

  * New upstream release.
    - smacker: add sanity check for length in smacker_decode_tree()
      (CVE-2017-16803)

libdatetime-timezone-perl (1:1.75-2+2018e) jessie; urgency=medium

  * Update to Olson database version 2018e.
    This update contains contemporary changes for North Korea.

libdatetime-timezone-perl (1:1.75-2+2018d) jessie; urgency=medium

  * Update to Olson database version 2018d.
    This update contains contemporary changes for Palestine and Casey
    Station.

libdatetime-timezone-perl (1:1.75-2+2018b) jessie; urgency=medium

  * Update to Olson database version 2018b.
    This update contains contemporary changes for São Tomé and Príncipe,
    Brazil, and Ireland.

libextractor (1:1.3-2+deb8u1) jessie; urgency=medium

  * Fix CVE-2017-15266, CVE-2017-15267, CVE-2017-15600, CVE-2017-15601,
    CVE-2017-15602, CVE-2017-15922 and CVE-2017-17440.
    Leon Zhao discovered several security vulnerabilities, NULL Pointer
    Dereferences, heap-based buffer overflows, integer signedness errors
    and out-of-bounds read that may lead to a denial-of-service
    (application crash) or have other unspecified impact.

libipc-run-perl (0.92-1+deb8u1) jessie; urgency=medium

  * Backport upstream patch to fix memory leak

libmad (0.15.1b-8+deb8u1) jessie-security; urgency=high

  * Properly check the size of the main data. The previous patch only
    checked that it could fit in the buffer, but didn't ensure there was
    actually enough room free in the buffer. This was assigned both
    CVE-2017-8372 and CVE-2017-8373, but they are really the same, just a
    different way to detect it. (Closes: #287519)
  * Rewrite patch to check the size of buffer. It now checks it before
    reading it instead of afterwards checking that we did read too much.
    This now also covers parsing the frame and layer3, not just layer 1
    and 2. This was originally reported in #508133. CVE-2017-8374 mentions
    a case in layer 3.

librelp (1.2.7-2+deb8u1) jessie-security; urgency=high

  * Non-maintainer upload by the Security Team.
  * Stack-based buffer overflow in relpTcpChkPeerName function
    (CVE-2018-1000140)

libreoffice (1:4.3.3-2+deb8u11) jessie-security; urgency=high

  * debian/patches/CVE-2018-10119.diff, debian/patches/CVE-2018-10120.diff:
    as name says...

libreoffice (1:4.3.3-2+deb8u10) jessie-security; urgency=high

  * debian/patches/WEBSERVICE-only-http-and-https.diff: backport; as name
    says. fix for "Remote arbitrary file disclosure vulnerability via
    WEBSERVICE formula" (CVE-2018-1055 / CVE-2018-6871)
  * debian/patches/layout-footnote-use-after-free.diff: add; as name says.
    possible patch for iDefense V-mct3ei5wml

libsdl2-image (2.0.0+dfsg-3+deb8u1) jessie-security; urgency=high

  * Backport various security fixes:
    - CVE-2017-2887
    - CVE-2017-12122
    - CVE-2017-14440
    - CVE-2017-14441
    - CVE-2017-14442
    - CVE-2017-14448
    - CVE-2017-14449
    - CVE-2017-14450
    - CVE-2018-3837
    - CVE-2018-3838
    - CVE-2018-3839

libvirt (1.2.9-9+deb8u5) jessie-security; urgency=high

  * Switch gbp.conf to jessie
  * Rediff patches to avoid diff noise when using gbp-pq.
  * CVE-2018-5748: qemu: avoid denial of service reading from QEMU monitor
    (Closes: #887700)
  * CVE-2018-1064: qemu: avoid denial of service reading from QEMU guest
    agent

libvncserver (0.9.9+dfsg2-6.1+deb8u3) jessie-security; urgency=high

  * Non-maintainer upload.
  * Fix CVE-2018-7225: Uninitialized and potentially sensitive data could be
    accessed by remote attackers because the msg.cct.length in rfbserver.c
    was not sanitized. (Closes: #894045)

libvorbis (1.3.4-2+deb8u1) jessie-security; urgency=high

  * Non-maintainer upload by the Security Team.
  * Prevent out-of-bounds write in codebook decoding (CVE-2018-5146)

libvorbisidec (1.0.2+svn18153-1~deb8u2) jessie-security; urgency=high

  * Non-maintainer upload by the Security Team.
  * Prevent out-of-bounds write in codebook decoding (CVE-2018-5147)
    (Closes: #893132)

libvpx (1.3.0-3+deb8u1) jessie-security; urgency=high
  * Fix OOB caused by odd frame width (CVE-2017-13194)

libxcursor (1:1.1.14-1+deb8u1) jessie-security; urgency=high

  * Non-maintainer upload by the Security Team.
  * Fix heap overflows when parsing malicious files (CVE-2017-16612)
    (Closes: #883792)

libxml2 (2.9.1+dfsg1-5+deb8u6) jessie-security; urgency=high

  * Non-maintainer upload by the Security Team.
  * Fix XPath stack frame logic (CVE-2017-15412) (Closes: #883790)

linux (3.16.56-1+deb8u1) jessie-security; urgency=high

  [ Ben Hutchings ]
  * [mipsel] Apply the Loongson-3 part of "Respect the ISA level in FCSR
    handling" (fixes FTBFS)
  * tun: allow positive return values on dev_get_valid_name() call
    (Closes: #897427, regression in 3.16.56-1)
  * [x86] microcode: Fix accessing dis_ucode_ldr on 32-bit
  * [x86] microcode: Do not load when running on a hypervisor
    (Closes: #898067, regression in 3.16.56-1)
  * sctp: Fix mangled IPv4 addresses on a IPv6 listening socket
    (Closes: #898100, regression in 3.16.56-1)
  * [x86] traps: Enable DEBUG_STACK after cpu_init() for TRAP_DB/BP

  [ Salvatore Bonaccorso ]
  * [x86] x86/entry/64: Don't use IST entry for #BP stack (CVE-2018-8897)
  * [x86] kvm: fix icebp instruction handling (CVE-2018-1087)

linux (3.16.56-1) jessie-security; urgency=high
  * New upstream stable update:
    https://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.16.52
    - iwlwifi: mvm: use IWL_HCMD_NOCOPY for MCAST_FILTER_CMD
    - cifs: check rsp for NULL before dereferencing in SMB2_open
    - HID: i2c-hid: allocate hid buffers for real worst case
    - spi: uapi: spidev: add missing ioctl header
    - scsi: lpfc: Don't return internal MBXERR_ERROR code from probe function
    - uwb: ensure that endpoint is interrupt
    - uwb: properly check kthread_run return value (CVE-2017-16526)
    - usb: Increase quirk delay for USB devices
    - xhci: fix finding correct bus_state structure for USB 3.1 hosts
    - usb: pci-quirks.c: Corrected timeout values used in handshake
    - ip6_gre: skb_push ipv6hdr before packing the header in ip6gre_header
    - [s390*] mm: fix write access check in gup_huge_pmd()
    - gpio: acpi: work around false-positive -Wstring-overflow warning
    - tracing: Erase irqsoff trace with empty write
    - tracing: Fix trace_pipe behavior for instance traces
    - tcp: fastopen: fix on syn-data transmit failure
    - [powerpc*] sysrq: Fix oops when ppmu is not registered
    - usb: gadget: dummy: fix nonsensical comparisons
    - cifs: release cifs root_cred after exit_cifs
    - cifs: release auth_key.response for reconnect.
    - SMB: Validate negotiate (to protect against downgrade) even if signing off
    - [powerpc*] pseries: Fix parent_dn reference leak in add_dt_node()
    - net_sched: always reset qdisc backlog in qdisc_reset()
    - Input: uinput - avoid FF flush when destroying device
    - Input: uinput - avoid crash when sending FF request to device going away
    - usb-storage: fix bogus hardware error messages for ATA pass-thru devices
    - usb-storage: unusual_devs entry to fix write-access regression for Seagate external drives
    - USB: gadgetfs: fix copy_to_user while holding spinlock
    - USB: gadgetfs: Fix crash caused by inadequate synchronization
    - USB: g_mass_storage: Fix deadlock when driver is unbound
    - IB/ocrdma: fix incorrect fall-through on switch statement
    - SMB3: Don't ignore O_SYNC/O_DSYNC and O_DIRECT flags
    - iio: core: Return error for failed read_reg
    - KEYS: fix cred refcount leak in request_key_auth_new()
    - KEYS: don't revoke uninstantiated key in request_key_auth_new()
    - KEYS: fix key refcount leak in keyctl_assume_authority()
    - KEYS: fix key refcount leak in keyctl_read_key()
    - KEYS: fix writing past end of user-supplied buffer in keyring_read()
    - KEYS: prevent creating a different user's keyrings
    - IB/mlx5: Fix the size parameter to find_first_bit
    - IB/mlx5: Simplify mlx5_ib_cont_pages
    - security/keys: properly zero out sensitive key material in big_key
    - PCI: Fix race condition with driver_override
    - Btrfs: fix incorrect {node,sector}size endianness from BTRFS_IOC_FS_INFO
    - btrfs: prevent to set invalid default subvolid
    - [x86] drm/i915/bios: ignore HDMI on port A
    - vti: fix use after free in vti_tunnel_xmit/vti6_tnl_xmit
    - l2tp: fix race condition in l2tp_tunnel_delete
    - netfilter: ipset: pernet ops must be unregistered last
    - vfs: Return -ENXIO for negative SEEK_HOLE / SEEK_DATA offsets
    - [arm64] Make sure SPsel is always set
    - Revert "IB/ipoib: Update broadcast object if PKey value was changed in index 0"
    - USB: dummy-hcd: fix connection failures (wrong speed)
    - USB: dummy-hcd: fix infinite-loop resubmission bug
    - USB: gadgetfs, dummy-hcd, net2280: fix locking for callbacks
    - USB: dummy-hcd: Fix erroneous synchronization change
    - packet: only test po->has_vnet_hdr once in packet_snd
    - sched/sysctl: Check user input value of sysctl_sched_time_avg
    - [arm64] fault: Route pte translation faults via do_translation_fault
    - staging: iio: ade7759: fix signed extension bug on shift of a u8
    - ipv4: fix broadcast packets reception
    - IPv4: early demux can return an error code
    - udp: perform source validation for mcast early demux
    - l2tp: fix l2tp_eth module loading
    - brcmfmac: Add length checks on firmware events
    - brcmfmac: Add check for short event packets
    - ALSA: usx2y: Suppress kernel warning at page allocation failures
    - scsi: sd: Implement blacklist option for WRITE SAME w/ UNMAP
    - mm/memory_hotplug: change pfn_to_section_nr/section_nr_to_pfn macro to inline function
    - mm/memory_hotplug: define find_{smallest|biggest}_section_pfn as unsigned long
    - lsm: fix smack_inode_removexattr and xattr_getsecurity memleak
    - nl80211: Define policy for packet pattern attributes
    - netfilter: x_tables: avoid stack-out-of-bounds read in xt_copy_counters_from_user
    - ALSA: seq: Fix copy_from_user() call inside lock
    - udp: fix bcast packet reception
    - workqueue: replace pool->manager_arb mutex with a flag
    - crypto: shash - Fix zero-length shash ahash digest crash
    - direct-io: Prevent NULL pointer access in submit_page_section
    - vfs: more bio_map_user_iov() leak fixes
    - USB: dummy-hcd: Fix deadlock caused by disconnect detection
    - usb: gadget: composite: Fix use-after-free in usb_composite_overwrite_options
    - ALSA: caiaq: Fix stray URB at probe error path
    - scsi: libiscsi: fix shifting of DID_REQUEUE host byte
    - [armhf] iommu/exynos: Remove initconst attribute to avoid potential kernel oops
    - [x86] KVM: nVMX: fix guest CR4 loading when emulating L2 to L1 exit
    - [armhf] bus: mbus: fix window size calculation for 4GB windows
    - KEYS: encrypted: fix dereference of NULL user_key_payload
    - FS-Cache: fix dereference of NULL user_key_payload
    - lib/digsig: fix dereference of NULL user_key_payload
    - ecryptfs: fix dereference of NULL user_key_payload
    - [x86] iommu/amd: Finish TLB flush in amd_iommu_unmap()
    - fs/mpage.c: fix mpage_writepage() for pages with buffers
    - l2tp: check ps->sock before running pppol2tp_session_ioctl()
    - net: enable interface alias removal via rtnl
    - tun: call dev_get_valid_name() before register_netdevice()
    - [s390*] scsi: zfcp: fix erp_action use-before-initialize in REC action trace
    - usb: xhci: Handle error condition in xhci_stop_device()
    - usb: cdc_acm: Add quirk for Elatec TWN3
    - usb: quirks: add quirk for WORLDE MINI MIDI keyboard
    - ALSA: hda: Remove superfluous '-' added by printk conversion
    - [x86] microcode/intel: Disable late loading on model 79
    - [armhf] Input: ti_am335x_tsc - fix incorrect step config for 5 wire touchscreen
    - usb: hub: Allow reset retry for USB2 devices on connect bounce
    - can: esd_usb2: Fix can_dlc value for received RTR, frames
    - can: gs_usb: fix busy loop if no more TX context is available
    - sctp: add the missing sock_owned_by_user check in sctp_icmp_redirect
    - [armhf,arm64] KVM: set right LR register value for 32 bit guest when inject abort
    - [x86] cpu/AMD: Apply the Erratum 688 fix when the BIOS doesn't
    - [armel,armhf] 8715/1: add a private asm/unaligned.h
    - can: kvaser_usb: Correct return value in printout
    - fuse: fix READDIRPLUS skipping an entry
    - SMB: fix leak of validate negotiate info response buffer
    - SMB: fix validate negotiate info uninitialised memory use
    - net/unix: don't show information about sockets from other namespaces
    - xfrm: Clear sk_dst_cache when applying per-socket policy.
- SMB3: Validate negotiate request must always be signed - ip6_gre: Reduce log level in ip6gre_err() to debug - ip6_gre: only increase err_count for some certain type icmpv6 in ip6gre_err - sctp: fix a type cast warnings that causes a_rwnd gets the wrong value - [x86] uaccess, sched/preempt: Verify access_ok() context - workqueue: Fix NULL pointer dereference - l2tp: hold tunnel in pppol2tp_connect() - ALSA: timer: Add missing mutex lock for compat ioctls - ALSA: seq: Fix nested rwsem annotation for lockdep splat - [mips*] Fix CM region target definitions - macvtap: fix TUNSETSNDBUF values > 64k - tun/tap: sanitize TUNSETSNDBUF input - tcp: fix tcp_mtu_probe() vs highest_sack - KEYS: return full count in keyring_read() if buffer is too small - KEYS: trusted: sanitize all key material - KEYS: trusted: fix writing past end of buffer in trusted_read() - KEYS: fix out-of-bounds read during ASN.1 parsing - [arm64] fix dump_instr when PAN and UAO are in use - [arm64] ensure __dump_instr() checks addr_limit - ocfs2: fstrim: Fix start offset of first cluster group during fstrim - netfilter/ipvs: clear ipvs_property flag when SKB net namespace changed - l2tp: hold socket before dropping lock in l2tp_ip{, 6}_recv() - l2tp: hold tunnel socket when handling control frames in l2tp_ip and l2tp_ip6 - l2tp: don't use l2tp_tunnel_find() in l2tp_ip and l2tp_ip6 - ALSA: timer: Protect the whole snd_timer_close() with open race - ALSA: timer: Limit max instances per timer - [armel,armhf] 8720/1: ensure dump_instr() checks addr_limit - ALSA: seq: Avoid invalid lockdep class warning - ALSA: seq: Fix OSS sysex delivery in OSS emulation - [x86] oprofile/ppro: Do not use __this_cpu*() in preemptible context - KEYS: fix NULL pointer dereference during ASN.1 parsing [ver #2] - rbd: use GFP_NOIO for parent stat and data requests - can: c_can: don't indicate triple sampling support for D_CAN - vlan: fix a use-after-free in vlan_device_event() - security: let security modules use PTRACE_MODE_* 
with bitmasks - ptrace: change __ptrace_unlink() to clear ->ptrace under ->siglock - mm: Add a user_ns owner to mm_struct and fix ptrace permission checks (CVE-2015-8709) - ptrace: Capture the ptracer's creds not PT_PTRACE_CAP - exec: Ensure mm->user_ns contains the execed files - ptrace: Don't allow accessing an undumpable mm - ptrace: Properly initialize ptracer_cred on fork https://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.16.53 https://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.16.54 - [x86] drm: gma500: fix logic error - staging: lustre: ptlrpc: kfree used instead of kvfree - ipmi: fix unsigned long underflow - [s390*] runtime instrumention: fix possible memory corruption - rtc: interface: ignore expired timers when enqueuing new timers - rtc: set the alarm to the next expiring timer - usbip: tools: Install all headers needed for libusbip development - [x86] drm/i915/edp: Get the Panel Power Off timestamp after panel is off - PCI/AER: Report non-fatal errors only to the affected endpoint - [x86] iommu/vt-d: Don't register bus-notifier under dmar_global_lock - ext4: fix interaction between i_size, fallocate, and delalloc after a crash - [x86] drm/i915: Read timings from the correct transcoder in intel_crtc_mode_get() - [x86] drm/i915/bios: parse DDI ports also for CHV for HDMI DDC pin and DP AUX channel - p54: don't unregister leds when they are not initialized - USB: serial: garmin_gps: fix I/O after failed probe and remove - USB: serial: garmin_gps: fix memory leak on probe errors - media: rc: check for integer overflow - [x86] KVM: nVMX: set IDTR and GDTR limits when loading L1 host state - USB: serial: metro-usb: stop I/O after failed open - bcache: check ca->alloc_thread initialized before wake up it - scsi: bfa: integer overflow in debugfs - IB/srpt: Do not accept invalid initiator port names - IB/srp: Avoid that a cable pull can trigger a kernel crash - tpm-dev-common: Reject too short writes - fs/9p: Compare qid.path in v9fs_test_inode - 
net/9p: Switch to wait_event_killable() - net: bcmgenet: enable loopback during UniMAC sw_reset - f2fs: expose some sectors to user in inline data or dentry case - mtd: nand: omap2: Fix subpage write - l2tp: ensure sessions are freed after their PPPOL2TP socket - l2tp: don't register sessions in l2tp_session_create() - l2tp: initialise l2tp_eth sessions before registering them - l2tp: protect sock pointer of struct pppol2tp_session with RCU - l2tp: initialise PPP sessions before registering them - btrfs: avoid null pointer dereference on fs_info when calling btrfs_crit - bcache: only permit to recovery read error when cache device is clean - USB: serial: qcserial: add pid/vid for Sierra Wireless EM7355 fw update - [arm64] vdso: minor ABI fix for clock_getres - [arm64] vdso: fix clock_getres for 4GiB-aligned res - [armhf] media: omap_vout: Fix a possible null pointer dereference in omap_vout_open() - mtd: nand: Fix writing mtdoops to nand flash. - isofs: fix timestamps beyond 2027 - drm/ttm: once more fix ttm_buffer_object_transfer - drm/radeon: fix atombios on big endian - [armhf] clk: tegra: Fix cclk_lp divisor register - staging: rtl8188eu: avoid a null dereference on pmlmepriv - [x86] platform: sony-laptop: Fix error handling in sony_nc_setup_rfkill() - coda: fix 'kernel memory exposure attempt' in fsync - NFC: fix device-allocation error return - f2fs: remove redundant lines in allocate_data_block - Revert "f2fs: handle dirty segments inside refresh_sit_entry" - [powerpc*] pseries/vio: Dispose of virq mapping on vdevice unregister - [powerpc*] opal: Fix EBUSY bug in acquiring tokens - eCryptfs: use after free in ecryptfs_release_messaging() - [powerpc*] powernv/cpufreq: Fix the frequency read by /proc/cpuinfo - ACPI / APEI: Replace ioremap_page_range() with fixmap - ACPI / APEI: Remove ghes_ioremap_area - kprobes, x86/alternatives: Use text_mutex to protect smp_alt_modules - target: Avoid early CMD_T_PRE_EXECUTE failures during ABORT_TASK - target/iscsi: Fix 
    iSCSI task reassignment handling
    - iscsi-target: Make TASK_REASSIGN use proper se_cmd->cmd_kref
    - iscsi-target: Fix non-immediate TMR reference leak
    - ima: fix hash algorithm initialization
    - USB: usbfs: compute urb->actual_length for isochronous
    - [mips*] Fix an n32 core file generation regset support regression
    - video: udlfb: Fix read EDID timeout
    - rt2x00usb: mark device removed when get ENOENT usb error
    - [s390*] fix transactional execution control register handling
    - dm: fix race between dm_get_from_kobject() and __dm_destroy() (CVE-2017-18203)
    - blktrace: Fix potential deadlock between delete & sysfs ops
    - blktrace: fix unlocked access to init/start-stop/teardown
    - IB/mlx5: Assign send CQ and recv CQ of UMR QP
    - IB/mlx4: Increase maximal message size under UD QP
    - [s390*] disassembler: increase show_code buffer size
    - sctp: Fixup v4mapped behaviour to comply with Sock API
    - sctp: fully initialize the IPv6 address in sctp_v6_to_addr()
    - net/sctp: Always set scope_id in sctp_inet6_skb_msgname
    - dm: discard support requires all targets in a table support discards
    - dm bufio: fix integer overflow when limiting maximum cache size
    - [x86] KVM: vmx: Inject #GP on invalid PAT CR
    - [x86] KVM: SVM: obey guest PAT
    - NFS: Avoid RCU usage in tracepoints
    - nfs: Fix ugly referral attributes
    - NFS: Fix typo in nomigration mount option
    - lib/int_sqrt: optimize small argument
    - autofs: don't fail mount for transient error
    - autofs: fix careless error in recent commit
    - nilfs2: fix race condition that causes file system corruption
    - route: update fnhe_expires for redirect when the fnhe exists
    - route: also update fnhe_genid when updating a route cache
    - nl80211: don't expose wdev->ssid for most interfaces
    - apparmor: ensure that undecidable profile attachments fail
    - [armhf] 8721/1: mm: dump: check hardware RO bit for LPAE
    - ALSA: timer: Remove kernel warning at compat ioctl error paths
    - ALSA: usb-audio: Add sanity checks to FE parser
    - ALSA: usb-audio: Fix potential out-of-bound access at parsing SU
    - ALSA: usb-audio: Add sanity checks in v2 clock parsers
    - [powerpc*] ixgbe: Fix skb list corruption on Power systems
    - i40e,ixgbevf,igbvf,igb,i40evf: Use smp_rmb rather than read_barrier_depends
    - netfilter: xt_TCPMSS: add more sanity tests on tcph->doff (CVE-2017-18017)
    - RDS: Heap OOB write in rds_message_alloc_sgs() (CVE-2018-5332)
    - RDS: null pointer dereference in rds_atomic_free_op (CVE-2018-5333)
    - ALSA: seq: Make ioctls race-free (CVE-2018-1000004)
    - usbip: fix NULL pointer dereference on errors
    - usbip: fix stub_rx: get_pipe() to validate endpoint number (CVE-2017-16912)
    - usbip: fix stub_rx: harden CMD_SUBMIT path to handle malicious input (CVE-2017-16913)
    - usbip: prevent vhci_hcd driver from leaking a socket pointer address (CVE-2017-16911)
    - usbip: fix stub_send_ret_submit() vulnerability to null transfer_buffer (CVE-2017-16914)
    - cx231xx: Fix the max number of interfaces
    - [x86] vdso: Move the vvar area before the vdso text
    - [x86] pvclock: Really remove the sched notifier for cross-cpu migrations
    - [x86] vdso, pvclock: Simplify and speed up the vdso pvclock reader
    - [x86] vdso: Get pvclock data from the vvar VMA instead of the fixmap
    - [x86] Revert "x86: kvmclock: Disable use from vDSO if KPTI is enabled"
    - [x86] vdso: Remove pvclock fixmap machinery
    - kaiser: Set _PAGE_NX only if supported
    https://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.16.55
    - ALSA: seq: Fix regression by incorrect ioctl_mutex usages
    - [armhf] ASoC: twl4030: fix child-node lookup
    - [x86] KVM: Exit to user-mode on #UD intercept when emulator requires
    - [x86] KVM: emulator: Return to user-mode on L1 CPL=0 emulation failure
    - [x86] KVM: Don't re-execute instruction when not passing CR2 value
    - [x86] iommu/vt-d: Fix scatterlist offset handling
    - btrfs: clear space cache inode generation always
    - scsi: dma-mapping: always provide dma_get_cache_alignment
    - scsi: use dma_get_cache_alignment() as minimum DMA alignment
    - scsi: libsas: align sata_device's rps_resp on a cacheline
    - bcache: recover data from backing when data is clean
    - [armhf] ASoC: fsl_ssi: add AC'97 ops setting check and cleanup
    - [armhf] ASoC: fsl_ssi: AC'97 ops need regmap, clock and cleaning up on failure
    - blktrace: fix trace mutex deadlock
    - [x86] drm/i915: Don't try indexed reads to alternate slave addresses
    - [x86] drm/i915: Prevent zero length "index" write
    - usb: gadget: don't dereference g until after it has been null checked
    - USB: usbfs: Filter flags passed in from user space
    - usb: host: fix incorrect updating of offset
    - USB: core: Add type-specific length check of BOS descriptors
    - usb: hub: Cycle HUB power when initialization fails
    - isa: Prevent NULL dereference in isa_bus driver callbacks
    - sctp: force the params with right types for sctp csum apis
    - net/packet: fix a race in packet_bind() and packet_notifier()
    - eeprom: at24: check at24_read/write arguments
    - [arm64] KVM: fix VTTBR_BADDR_MASK BUG_ON off-by-one
    - [armhf] KVM: Fix VTTBR_BADDR_MASK BUG_ON off-by-one
    - quota: Check for register_shrinker() failure.
    - [armhf] mfd: twl4030-audio: Fix sibling-node lookup
    - [armhf] mfd: twl6040: Fix child-node lookup
    - ALSA: seq: Remove spurious WARN_ON() at timer check
    - media: dvb: i2c transfers over usb cannot be done from stack
    - can: kvaser_usb: free buf in error paths
    - can: kvaser_usb: Fix comparison bug in kvaser_usb_read_bulk_callback()
    - can: kvaser_usb: ratelimit errors if incomplete messages are received
    - virtio: release virtio index when fail to device_register
    - xhci: Don't show incorrect WARN message about events for empty rings
    - usb: xhci: fix panic in xhci_free_virt_devices_depth_first
    - ext4: fix fdatasync(2) after fallocate(2) operation
    - ALSA: usb-audio: Fix out-of-bound error
    - ALSA: usb-audio: Add check return value for usb_string()
    - netfilter: xt_bpf: add overflow checks
    - batman-adv: Fix lock for ogm cnt access in batadv_iv_ogm_calc_tq
    - dm mpath: simplify failure path of dm_multipath_init()
    - dm: fix various targets to dm_register_target after module __init resources created
    - [s390*] always save and restore all registers on context switch
    - net_sched: red: Avoid devision by zero
    - net_sched: red: Avoid illegal values
    - ALSA: pcm: prevent UAF in snd_pcm_info
    - [x86] PCI: Make broadcom_postcore_init() check acpi_disabled
    - [arm64] fpsimd: Prevent registers leaking from dead tasks
    - efi: Move some sysfs files to be read-only by root
    - btrfs: fix missing error return in btrfs_drop_snapshot
    - Btrfs: disable FUA if mounted with nobarrier
    - btrfs: Fix possible off-by-one in btrfs_search_path_in_tree
    - net: mvmdio: disable/unprepare clocks in EPROBE_DEFER case
    - can: ems_usb: cancel urb on -EPIPE and -EPROTO
    - can: esd_usb2: cancel urb on -EPIPE and -EPROTO
    - can: kvaser_usb: cancel urb on -EPIPE and -EPROTO
    - can: usb_8dev: cancel urb on -EPIPE and -EPROTO
    - ASN.1: fix out-of-bounds read when parsing indefinite length item
    - ASN.1: check for error from ASN1_OP_END__ACT actions
    - lib/oid_registry.c: X.509: fix the buffer overflow in the utility function for OID string
    - X.509: reject invalid BIT STRING for subjectPublicKey
    - X.509: fix buffer overflow detection in sprint_oid()
    - 509: fix printing uninitialized stack memory when OID is empty
    - USB: uas and storage: Add US_FL_BROKEN_FUA for another JMicron JMS567 ID
    - xhci: Don't add a virt_dev to the devs array before it's fully allocated
    - nl80211: fix nl80211_send_iface() error paths
    - ipv4: Use standard iovec primitive in raw_probe_proto_opt
    - ipv4: Avoid reading user iov twice after raw_probe_proto_opt
    - net: ipv4: fix for a race condition in raw_sendmsg
    - ext4: fix crash when a directory's i_size is too small
    - tcp md5sig: Use skb's saddr when replying to an incoming segment
    - [mips*] CPS: Fix r1 .set mt assembler warning
    - [mips*] clear MSACSR cause bits when handling MSA FP exception
    - [mips*] Clear [MSA]FPE CSR.Cause after notify_die()
    - [mips*] prevent FP context set via ptrace being discarded
    - [mips*] lose_fpu(): Disable FPU when MSA enabled
    - [mips*] Respect the FCSR exception mask for `si_code'
    - [mips*] Always clear FCSR cause bits after emulation
    - [mips*] Set `si_code' for SIGFPE signals sent from emulation too
    - [mips*] math-emu: Define IEEE 754-2008 feature control bits
    - [mips*] Respect the ISA level in FCSR handling
    - [mips*] Fix a preemption issue with thread's FPU defaults
    - [mips*] ptrace: Fix FP context restoration FCSR regression
    - [mips*] ptrace: Prevent writes to read-only FCSR bits
    - [mips*] MSA: bugfix - disable MSA correctly for new threads/processes.
    - [mips*] Fix FCSR Cause bit handling for correct SIGFPE issue
    - [mips*] ptrace: Preserve previous registers for short regset write
    - [mips*] Factor out NT_PRFPREG regset access helpers
    - [mips*] Guard against any partial write attempt with PTRACE_SETREGSET
    - [mips*] Fix an FCSR access API regression with NT_PRFPREG and MSA
    - [mips*] Disallow outsized PTRACE_SETREGSET NT_PRFPREG regset accesses
    - [powerpc*] perf: Dereference BHRB entries safely
    - [x86] KVM: Fix load RFLAGS w/o the fixed bit
    - ALSA: rawmidi: Avoid racy info ioctl via ctl device
    - kernel: make groups_sort calling a responsibility group_info allocators
    - nfsd: auth: Fix gid sorting when rootsquash enabled
    - posix-timer: Properly check sigevent->sigev_notify
    - [armhf,arm64] KVM: Fix HYP unmapping going off limits
    - PCI / PM: Force devices to D0 in pci_pm_thaw_noirq()
    - ACPI: APEI / ERST: Fix missing error handling in erst_reader()
    - net: phy: marvell: Limit 88m1101 autoneg errata to 88E1145 as well.
    - net: bridge: fix early call to br_stp_change_bridge_id and plug newlink leaks
    - ALSA: usb-audio: Fix the missing ctl name suffix at parsing SU
    - xfrm: Reinject transport-mode packets through tasklet
    - usbip: vhci: stop printing kernel pointer addresses in messages
    - usbip: stub: stop printing kernel pointer addresses in messages
    - usbip: prevent leaking socket pointer address in messages
    - usbip: fix usbip bind writing random string after command in match_busid
    - net/mlx5: Fix misspelling in the error message and comment
    - net/mlx5: Cleanup IRQs in case of unload failure
    - net/mlx5: Stay in polling mode when command EQ destroy fails
    - [armhf] net: mvneta: clear interface link status on port disable
    - n_tty: fix EXTPROC vs ICANON interaction with TIOCINQ (aka FIONREAD)
    - iw_cxgb4: Only validate the MSN for successful completions
    - sctp: Replace use of sockets_allocated with specified macro.
    - ring-buffer: Mask out the info bits when returning buffer page length
    - tracing: Fix crash when it fails to alloc ring buffer
    - tracing: Fix possible double free on failure of allocating trace buffer
    - nohz: Prevent a timer interrupt storm in tick_nohz_stop_sched_tick()
    - af_key: fix buffer overread in verify_address_len()
    - af_key: fix buffer overread in parse_exthdrs()
    - fscache: Fix the default for fscache_maybe_release_page()
    - ALSA: pcm: Remove incorrect snd_BUG_ON() usages
    - IB/ipoib: Fix race condition in neigh creation
    - e1000e: Separate signaling for link check/link up
    - e1000e: Fix e1000_check_for_copper_link_ich8lan return value.
    - IB/srpt: Disable RDMA access by the initiator
    - can: gs_usb: fix return value of the "set_bittiming" callback
    - ALSA: pcm: Add missing error checks in OSS emulation plugin builder
    - usbip: remove kernel addresses from usb device and urb debug msgs
    - [armhf] net: stmmac: enable EEE in MII, GMII or RGMII only
    - kernel/acct.c: fix the acct->needcheck check in check_free_space()
    - mm/mprotect: add a cond_resched() inside change_pmd_range()
    - crypto: algapi - fix NULL dereference in crypto_remove_spawns()
    - xfrm: Use __skb_queue_tail in xfrm_trans_queue
    - [armhf] dts: kirkwood: fix pin-muxing of MPP7 on OpenBlocks A7
    - [x86] alternatives: Add missing ' ' at end of ALTERNATIVE inline asm
    - ALSA: aloop: Release cable upon open error path
    - ALSA: aloop: Fix inconsistent format due to incomplete rule
    - ALSA: aloop: Fix racy hw constraints adjustment
    - [x86] microcode/intel: Extend BDW late-loading with a revision check
    - xfrm: Return error on unknown encap_type in init_state
    - ALSA: pcm: Abort properly at pending signal in OSS read/write loops
    - ALSA: pcm: Allow aborting mutex lock at OSS read/write loops
    - [armhf] mdio-sun4i: Fix a memory leak
    - [armhf] Input: twl4030-vibra - fix ERROR: Bad of_node_put() warning
    - [armhf] Input: twl4030-vibra - fix sibling-node lookup
    - [armhf] Input: twl6040-vibra - fix DT node memory management
    - [armhf] Input: twl6040-vibra - fix child-node lookup
    - USB: fix usbmon BUG trigger
    - usb: udc: core: add device_del() call to error pathway
    - USB: Gadget core: fix inconsistency in the interface to usb_add_gadget_udc_release()
    - USB: UDC core: fix double-free in usb_add_gadget_udc_release
    - net: ipv4: emulate READ_ONCE() on ->hdrincl bit-field in raw_sendmsg()
    - [powerpc*] Don't preempt_disable() in show_cpuinfo()
    - 8021q: fix a memory leak for VLAN 0 device
    - ALSA: pcm: Remove yet superfluous WARN_ON()
    - [x86] KVM: Add memory barrier on vmcs field lookup
    - [armhf] usb: misc: usb3503: make sure reset is low for at least 100us
    - futex: Prevent overflow by strengthen input validation (CVE-2018-6927)
    - nl80211: take RCU read lock when calling ieee80211_bss_get_ie()
    - mac80211_hwsim: validate number of different channels
    - cfg80211: check dev_set_name() return value
    - [arm64] KVM: Fix SMCCC handling of unimplemented SMC/HVC calls
    - sctp: use the right sk after waking up from wait_buf sleep
    - sctp: return error if the asoc has been peeled off in sctp_wait_for_sndbuf
    - sctp: do not allow the v4 socket to bind a v4mapped v6 address
    - [x86] KVM: Check input paging mode when cs.l is set
    - [x86] KVM: Fix wrong macro references of X86_CR0_PG_BIT and X86_CR4_PAE_BIT in kvm_valid_sregs()
    - dm thin metadata: THIN_MAX_CONCURRENT_LOCKS should be 6
    - dm btree: fix serious bug in btree_split_beneath()
    - i2c: core: decrease reference count of device node in i2c_unregister_device
    - i2c: core-smbus: prevent stack corruption on read I2C_BLOCK_DATA
    - net: fs_enet: do not call phy_stop() in interrupts
    - can: af_can: can_rcv(): replace WARN_ONCE by pr_warn_once
    - can: af_can: canfd_rcv(): replace WARN_ONCE by pr_warn_once
    - cfg80211: fix station info handling bugs
    - [x86] mce: Make machine check speculation protected
    - net: igmp: Use correct source address on IGMPv3 reports
    - net: igmp: fix source address check for IGMPv3 reports
    - pppoe: take ->needed_headroom of lower device into account on xmit
    - [x86] microcode/intel: Extend BDW late-loading further with LLC size check
    - dccp: don't restart ccid2_hc_tx_rto_expire() if sk in closed state
    - hrtimer: Reset hrtimer cpu base proper on CPU hotplug
    - mac80211_hwsim: fix compiler warning on MIPS
    - blk-mq: fix race between timeout and freeing request (CVE-2015-9016)
    - v4l2-compat-ioctl32: fix sparse warnings
    - V4L2: fix VIDIOC_CREATE_BUFS 32-bit compatibility mode data copy-back
    - media: v4l2-compat-ioctl32: fix missing reserved field copy in put_v4l2_create32
    - media: v4l2-compat-ioctl32.c: add capabilities field to, v4l2_input32
    - media: v4l2-ioctl.c: don't copy back the result for -ENOTTY
    - vb2: V4L2_BUF_FLAG_DONE is set after DQBUF
    - media: v4l2-compat-ioctl32.c: add missing VIDIOC_PREPARE_BUF
    - media: v4l2-compat-ioctl32.c: copy m.userptr in put_v4l2_plane32
    - media: v4l2-compat-ioctl32.c: fix ctrl_is_pointer
    - media: v4l2-compat-ioctl32: Copy v4l2_window->global_alpha
    - media: v4l2-compat-ioctl32.c: copy clip list in put_v4l2_window32
    - media: v4l2-compat-ioctl32.c: drop pr_info for unknown buffer type
    - media: v4l2-compat-ioctl32.c: don't copy back the result for certain errors
    - media: v4l2-compat-ioctl32.c: refactor compat ioctl32 logic (CVE-2017-13166)
    - ACPI: sbshc: remove raw pointer from printk() message (CVE-2018-5750)
    - rds: Fix NULL pointer dereference in __rds_rdma_map (CVE-2018-7492)
    - [mips*] CPS: Fix MIPS_ISA_LEVEL_RAW fallout
    https://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.16.56
    - [x86] kvm: vmx: Scrub hardware GPRs at VM-exit
    - [x86] Documentation: Add PTI description
    - [x86] cpu: Factor out application of forced CPU caps
    - [x86] cpufeatures: Make CPU bugs sticky
    - [x86] cpufeatures: Add X86_BUG_CPU_INSECURE
    - [x86] pti: Rename BUG_CPU_INSECURE to BUG_CPU_MELTDOWN
    - [x86] cpufeatures: Add X86_BUG_SPECTRE_V[12]
    - [x86] cpu: Merge bugs.c and bugs_64.c
    - sysfs/cpu: Add vulnerability folder
    - [x86] cpu: Implement CPU vulnerabilites sysfs functions
    - [x86] alternatives: Guard NOPs optimization
    - [x86] alternatives: Fix ALTERNATIVE_2 padding generation properly
    - [x86] alternatives: Make optimize_nops() interrupt safe and synced
    - [x86] alternatives: Fix optimize_nops() checking
    - [x86] cpu/AMD: Make LFENCE a serializing instruction
    - [x86] cpu/AMD: Use LFENCE_RDTSC in preference to MFENCE_RDTSC
    - [x86] asm: Make asm/alternative.h safe from assembly
    - kconfig.h: use __is_defined() to check if MODULE is defined
    - [x86] Clean up current_stack_pointer
    - [x86] asm: Use register variable to get stack pointer value
    - [x86] retpoline: Add initial retpoline support (partial mitigation of CVE-2017-5715)
    - [x86] spectre: Add boot time option to select Spectre v2 mitigation
    - [x86] retpoline/crypto: Convert crypto assembler indirect jumps
    - [x86] retpoline/entry: Convert entry assembler indirect jumps
    - [x86] retpoline/ftrace: Convert ftrace assembler indirect jumps
    - [x86] retpoline/hyperv: Convert assembler indirect jumps
    - [x86] retpoline/xen: Convert Xen hypercall indirect jumps
    - [x86] retpoline/checksum32: Convert assembler indirect jumps
    - [x86] retpoline/irq32: Convert assembler indirect jumps
    - [x86] retpoline: Fill return stack buffer on vmexit
    - [x86] retpoline: Remove compile time warning
    - [x86] retpoline: Add LFENCE to the retpoline/RSB filling RSB macros
    - [x86] retpoline: Introduce start/end markers of indirect thunk
    - [x86] kprobes: Blacklist indirect thunk functions for kprobes
    - [x86] kprobes: Disable optimizing on the function jumps to indirect thunk
    - [x86] pti: Document fix wrong index
    - [x86] retpoline: Optimize inline assembler for vmexit_fill_RSB
    - [x86] cpu/intel: Introduce macros for Intel family numbers
    - [x86] retpoline: Fill RSB on context switch for affected CPUs
    - [x86] cpu: Change type of x86_cache_size variable to unsigned int
    - [x86] KVM: Make indirect calls in emulator speculation safe
    - [x86] KVM: VMX: Make indirect call speculation safe
    - [x86] module/retpoline: Warn about missing retpoline in module
    - [x86] bugs: Drop one "mitigation" from dmesg
    - [x86] cpu/bugs: Make retpoline module warning conditional
    - [x86] spectre: Check CONFIG_RETPOLINE in command line parser
    - Documentation: Document array_index_nospec
    - array_index_nospec: Sanitize speculative array de-references (partial mitigation of CVE-2017-5753)
    - [x86] Implement array_index_mask_nospec
    - [x86] Introduce barrier_nospec
    - [x86] get_user: Use pointer masking to limit speculation
    - [x86] syscall: Sanitize syscall table de-references under speculation
    - vfs, fdtable: Prevent bounds-check bypass via speculative execution
    - nl80211: Sanitize array index in parse_txq_params
    - [x86] spectre: Report get_user mitigation for spectre_v1
    - [x86] spectre: Fix spelling mistake: "vunerable"-> "vulnerable"
    - [x86] paravirt: Remove 'noreplace-paravirt' cmdline option
    - [x86] kvm: Update spectre-v1 mitigation
    - [x86] retpoline: Avoid retpolines for built-in __init functions
    - [x86] spectre: Simplify spectre_v2 command line parsing
    - [x86] cpufeatures: Clean up Spectre v2 related CPUID flags
    - [x86] spectre: Fix an error message
    - nospec: Move array_index_nospec() parameter checking into separate macro
    - nospec: Kill array_index_nospec_mask_check()
    - nospec: Include dependency
    - [x86] reorganize SMAP handling in user space accesses
    - [i386] fix SMAP in 32-bit environments
    - [x86] Introduce __uaccess_begin_nospec() and uaccess_try_nospec
    - [x86] usercopy: Replace open coded stac/clac with __uaccess_{begin, end}
    - [x86] uaccess: Use __uaccess_begin_nospec() and uaccess_try_nospec (partial mitigation of CVE-2017-5753)

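The entries "array_index_nospec: Sanitize speculative array de-references", "[x86] Implement array_index_mask_nospec" and "[x86] syscall: Sanitize syscall table de-references under speculation" in the 3.16.56 list above all apply one idea: keep the ordinary bounds check, but also mask the index with a value computed arithmetically from the index and the array size, so that a transiently executed access behind a mispredicted check still lands inside the array. The following is an added example written for this page, not code from the Debian changelog, the Debian kernel or the upstream patches. It reimplements that mask in userspace C using the same arithmetic as the generic fallback in include/linux/nospec.h (the x86 build uses cmp/sbb inline assembly instead) and applies it to a made-up dispatch table standing in for the syscall table; the handler names, the table and the lookup functions are invented for the illustration.

```c
/*
 * Added illustration of the Spectre v1 array-index masking listed in the
 * changelog.  Standalone userspace code written for this page; the handler
 * table and all names below are made up and are not kernel code.
 */
#include <limits.h>
#include <stdio.h>

#define ULONG_BITS (sizeof(unsigned long) * CHAR_BIT)

/*
 * Branch-free bounds mask: ~0UL when index < size, 0UL otherwise.
 *
 * Same arithmetic as the generic array_index_mask_nospec() fallback,
 *   ~(long)(index | (size - 1UL - index)) >> (BITS_PER_LONG - 1),
 * written with an unsigned shift so the result is fully defined C.  If
 * index >= size then either index already has its top bit set, or
 * (size - 1 - index) wraps and sets it, so the top bit of the OR is 1.
 * As in the kernel, size must not exceed LONG_MAX + 1 so that in-range
 * values keep the top bit clear.
 */
static unsigned long index_mask_nospec(unsigned long index, unsigned long size)
{
    unsigned long out_of_range = (index | (size - 1UL - index)) >> (ULONG_BITS - 1);
    return out_of_range - 1UL;  /* 0 -> ~0UL (keep index), 1 -> 0UL (clamp) */
}

/* Equivalent of array_index_nospec(index, size): clamp to 0 when out of range. */
static unsigned long masked_index(unsigned long index, unsigned long size)
{
    return index & index_mask_nospec(index, size);
}

/* A small dispatch table standing in for the syscall table (made up). */
typedef long (*handler_fn)(long);

static long h_negate(long x) { return -x; }
static long h_double(long x) { return 2 * x; }
static long h_square(long x) { return x * x; }
static long h_ident(long x)  { return x; }

#define NR_HANDLERS 4
static handler_fn handlers[NR_HANDLERS] = { h_negate, h_double, h_square, h_ident };

/*
 * Vulnerable shape: the bounds check can be mispredicted, and a transiently
 * executed handlers[nr] with an attacker-chosen nr reads outside the table;
 * the dependent use of that value can leave cache traces an attacker measures.
 */
static handler_fn lookup_vulnerable(unsigned long nr)
{
    if (nr >= NR_HANDLERS)
        return NULL;
    return handlers[nr];
}

/*
 * Hardened shape: the same check, but the index used for the load is masked
 * with a value derived from nr itself (no branch to mispredict), so even a
 * speculative execution of the load stays inside handlers[].  The check is
 * still required; the mask only bounds what speculation can touch.
 */
static handler_fn lookup_nospec(unsigned long nr)
{
    if (nr >= NR_HANDLERS)
        return NULL;
    nr = masked_index(nr, NR_HANDLERS);  /* array_index_nospec(nr, NR_HANDLERS) */
    return handlers[nr];
}

/* Dispatch the way the hardened syscall entry does: check, mask, indirect call. */
static long dispatch_nospec(unsigned long nr, long arg)
{
    handler_fn fn = lookup_nospec(nr);
    return fn ? fn(arg) : -1;
}

int main(void)
{
    unsigned long probes[] = { 0, 3, 4, 100, ULONG_MAX };
    size_t i;

    for (i = 0; i < sizeof(probes) / sizeof(probes[0]); i++)
        printf("index %lu -> mask %#lx -> masked index %lu\n",
               probes[i], index_mask_nospec(probes[i], NR_HANDLERS),
               masked_index(probes[i], NR_HANDLERS));
    printf("in-range lookups agree: %s\n",
           lookup_vulnerable(1) == lookup_nospec(1) ? "yes" : "no");
    printf("dispatch_nospec(2, 7) = %ld\n", dispatch_nospec(2, 7));
    return 0;
}
```

In-range indices come back unchanged and every out-of-range index, including ULONG_MAX, is clamped to 0, which is the property the kernel commits rely on. The points worth keeping: the mask complements the bounds check rather than replacing it, it has to be applied to the index actually used for the load, and it only works when the array size is known at the call site. The "get_user: Use pointer masking to limit speculation" and "vfs, fdtable: Prevent bounds-check bypass" entries in the same list apply the same masking idea to a user pointer and to a file-descriptor index respectively.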
  [ Ben Hutchings ]
  * abiupdate.py: Use current config instead of downloading previous config
  * abiupdate.py: Add support for security mirrors
  * Revert "ptrace: being capable wrt a process requires mapped uids/gids", redundant with ptrace changes in 3.16.52
  * Bump ABI to 6
  * [x86] Compile with gcc-4.9
  * [x86] Add versioned build-dependency on gcc-4.9 for retpoline support
  * [x86] linux-compiler-gcc-4.9-x86: Add versioned dependency on gcc-4.9 for retpoline support
  * [x86] linux-headers: Depend on linux-compiler-gcc-4.9-x86 and linux-kbuild versions with retpoline support
  * Bluetooth: hidp_connection_add() unsafe use of l2cap_pi() (CVE-2017-13220)
  * ocfs2: subsystem.su_mutex is required while accessing the item->ci_parent (CVE-2017-18216)
  * scsi: libsas: direct call probe and destruct (CVE-2017-18232)
  * f2fs: fix a panic caused by NULL flush_cmd_control (CVE-2017-18241)
  * CIFS: Enable encryption during session setup phase (CVE-2018-1066)
  * netfilter: ebtables: CONFIG_COMPAT: don't trust userland offsets (CVE-2018-1068)
  * netfilter: ebtables: fix erroneous reject of last rule
  * ext4: fail ext4_iget for root directory if unallocated (CVE-2018-1092)
  * sctp: verify size of a new chunk in _sctp_make_chunk() (CVE-2018-5803)
  * ALSA: seq: Fix racy pool initializations (CVE-2018-7566)
  * ALSA: seq: Don't allow resizing pool in use
  * ALSA: seq: More protection for concurrent write and ioctl races
  * hugetlbfs: fix offset overflow in hugetlbfs mmap
  * hugetlbfs: check for pgoff value overflow (CVE-2018-7740)
  * scsi: libsas: fix memory leak in sas_smp_get_phy_events() (CVE-2018-7757)
  * [x86] MCE: Serialize sysfs changes (CVE-2018-7995)
  * drm: udl: Properly check framebuffer mmap offsets (CVE-2018-8781)
  * ncpfs: memory corruption in ncp_read_kernel() (CVE-2018-8822)
  * perf/hwbp: Simplify the perf-hwbp code, fix documentation (CVE-2018-1000199)
  * debian/lib/python/debian_linux/gencontrol.py: Allow uploads to *-security with a simple revision

  [ Salvatore Bonaccorso ]
  * locks: remove i_have_this_lease check from __break_lease
  * locks: __break_lease cleanup in preparation of allowing direct removal of leases (Closes: #883217)

linux (3.16.51-3+deb8u1) jessie-security; urgency=high

  * dccp: CVE-2017-8824: use-after-free in DCCP code
  * Bluetooth: cmtp: cmtp_add_connection() should verify that it's dealing with l2cap socket
  * Bluetooth: bnep: bnep_add_connection() should verify that it's dealing with l2cap socket (CVE-2017-15868)
  * media: dvb-usb-v2: lmedm04: Improve logic checking of warm start (CVE-2017-16538)
  * media: dvb-usb-v2: lmedm04: move ts2020 attach to dm04_lme2510_tuner (CVE-2017-16538)
  * ipsec: Fix aborted xfrm policy dump crash (CVE-2017-16939)
  * netfilter: nfnetlink_cthelper: Add missing permission checks (CVE-2017-17448)
  * netlink: Add netns check on taps (CVE-2017-17449)
  * netfilter: xt_osf: Add missing permission checks (CVE-2017-17450)
  * USB: core: prevent malicious bNumInterfaces overflow (CVE-2017-17558)
  * [armhf,arm64,x86] KVM: Fix stack-out-of-bounds read in write_mmio (CVE-2017-17741)
  * crypto: salsa20 - fix blkcipher_walk API usage (CVE-2017-17805)
  * crypto: hmac - require that the underlying hash algorithm is unkeyed (CVE-2017-17806)
  * KEYS: add missing permission check for request_key() destination (CVE-2017-17807)
  * [x86] KVM: VMX: remove I/O port 0x80 bypass on Intel hosts (CVE-2017-1000407)
  * bluetooth: Prevent stack info leak from the EFS element. (CVE-2017-1000410)
  * Bump ABI to 5 and apply deferred stable changes:
    - Input: i8042 - break load dependency between atkbd/psmouse and i8042
    - Input: i8042 - set up shared ps2_cmd_mutex for AUX ports
    - ACPICA: Utilities: split IO address types from data type models.
    - [arm64] Define AT_VECTOR_SIZE_ARCH for ARCH_DLINFO
    - block: fix bdi vs gendisk lifetime mismatch
    - cgroup: make sure a parent css isn't offlined before its children
    - libata: Align ata_device's id on a cacheline
    - libata: Ignore spurious PHY event on LPM policy change
    - net/ipv6: add sysctl option accept_ra_min_hop_limit
    - quota: Store maximum space limit in bytes
    - quota: Switch ->get_dqblk() and ->set_dqblk() to use bytes as space units
    - [s390*] Define AT_VECTOR_SIZE_ARCH for ARCH_DLINFO
    - scsi: scsi_error: count medium access timeout only once per EH run
    - [x86] panic: replace smp_send_stop() with kdump friendly version in panic path
  * [amd64] Implement Kernel Page Table Isolation (KPTI, aka KAISER) (CVE-2017-5754)

linux (3.16.51-3) jessie; urgency=medium

  * sched/topology: Add missing pieces of the fixes included in 3.16.49 (Closes: #883938):
    - Remove FORCE_SD_OVERLAP
    - Simplify build_overlap_sched_groups()
    - Optimize build_group_mask()

linux-latest (63+deb8u2) jessie-security; urgency=medium

  * Update to 3.16.0-6

linux-latest (63+deb8u1) jessie-security; urgency=medium

  * Update to 3.16.0-5

linux-tools (3.16.56-1) jessie-security; urgency=high

  * New upstream stable update:
    http://kernel.ubuntu.com/stable/ChangeLog-3.16.7-ckt21
    - recordmcount: Fix endianness handling bug for nop_mcount
    - perf trace: Fix documentation for -i
    http://kernel.ubuntu.com/stable/ChangeLog-3.16.7-ckt23
    - scripts: recordmcount: break hardlinks
    - ftrace/scripts: Have recordmcount copy the object file
    - ftrace/scripts: Fix incorrect use of sprintf in recordmcount
    http://kernel.ubuntu.com/stable/ChangeLog-3.16.7-ckt24
    - tools lib traceevent: Fix output of %llu for 64 bit values read on 32 bit machines
    - scripts/recordmcount.pl: support data in text section on powerpc
    http://kernel.ubuntu.com/stable/ChangeLog-3.16.7-ckt25
    - perf annotate browser: Fix behaviour of Shift-Tab with nothing focussed
    - perf hists: Fix HISTC_MEM_DCACHELINE width setting
    https://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.16.35
    - perf pmu: Fix misleadingly indented assignment (whitespace)
    - perf tools: handle spaces in file names obtained from /proc/pid/maps
    - perf tools: Dont stop PMU parsing on alias parse error
    - perf stat: Document --detailed option
    https://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.16.36
    - tools lib traceevent: Do not reassign parg after collapse_tree()
    https://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.16.37
    - kbuild: move -Wunused-const-variable to W=1 warning level
    - perf tools: Fix perf regs mask generation
    - of: fix autoloading due to broken modalias with no 'compatible'
    https://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.16.39
    - ftrace/recordmcount: Work around for addition of metag magic but not relocations
    https://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.16.40
    - perf symbols: Fixup symbol sizes before picking best ones
    - scripts/has-stack-protector: add -fno-PIE
    https://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.16.42
    - perf trace: Use the syscall raw_syscalls:sys_enter timestamp
    - perf scripting: Avoid leaking the scripting_context variable
    https://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.16.44
    - perf evlist: Fix typo in perf_evlist__start_workload()
    - perf script: Fix man page about --dump-raw-trace option
    - perf tests: Avoid possible truncation with dirent->d_name + snprintf
    https://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.16.46
    - perf symbols: Fix symbols__fixup_end heuristic for corner cases
    https://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.16.47
    - perf hists browser: Fix typo in function switch_data_file
    - perf inject: Don't proceed if perf_session__process_event() fails
    https://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.16.48
    - perf probe: Fix examples section of documentation
    - perf script: Fix outdated comment for perf-trace-python
    - perf script: Fix documentation errors
    - perf script python: Fix wrong code snippets in documentation
    - perf script python: Updated trace_unhandled() signature
    - perf script python: Remove dups in documentation examples
    https://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.16.50
    - perf annotate: Fix broken arrow at row 0 connecting jmp instruction to its target
    - modpost: expand pattern matching to support substring matches
    - modpost: don't emit section mismatch warnings for compiler optimizations
    https://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.16.51
    - perf tests attr: Fix no-delay test
    - perf events parse: Rename parsing state struct to clearer name
    - perf events parse: Use just one parse events state struct
    - perf tools: Really install manpages via 'make install-man'
    https://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.16.54
    - usbip: tools: Install all headers needed for libusbip development
    - usbip: prevent vhci_hcd driver from leaking a socket pointer address
    https://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.16.55
    - hv: kvp: Avoid reading past allocated blocks from KVP file
    - usbip: fix usbip bind writing random string after command in match_busid
    https://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.16.56
    - module/retpoline: Warn about missing retpoline in module

lucene-solr (3.6.2+dfsg-5+deb8u2) jessie-security; urgency=high

  * Team upload.
  * Fix CVE-2018-1308: XML external entity expansion in Solr's DataImportHandler. It can be used as XXE using file/ftp/http protocols in order to read arbitrary local files from the Solr server or the internal network. (Closes: #896604)

lucene-solr (3.6.2+dfsg-5+deb8u1) jessie-security; urgency=high

  * Team upload.
  * Fix CVE-2017-12629: possible remote code execution by exploiting XXE. For security reasons the RunExecutableListener class was permanently removed.
  * Update debian/conf/solrconfig.xml and remove example configuration for RunExecutableListener which had to be removed for security reasons.
  * CVE-2017-3163: fix ReplicationHandler path traversal vulnerability. (Closes: #867712)

mactelnet (0.4.0-1+deb8u1) jessie; urgency=low

  * Backported bugfix of CVE 2016-7115 (closes: 836320)

mailman (1:2.1.18-2+deb8u2) jessie-security; urgency=high

  * CVE-2018-5950: XSS and information leak in user options. (Closes: #888201).

mariadb-10.0 (10.0.32-0+deb8u1) jessie-security; urgency=medium

  * New upstream version 10.0.32. Includes fixes for the following security vulnerabilities:
    - CVE-2017-3636
    - CVE-2017-3641
    - CVE-2017-3653
  * Refresh patches on top of MariaDB 10.0.32

mat (0.5.2-3+deb8u1) jessie-security; urgency=high

  * New patch: disable PDF support. (Closes: #826101)
  * debian/NEWS: mention disabled PDF support.
  * gbp.conf: adjust for Jessie.

memcached (1.4.21-1.1+deb8u2) jessie-security; urgency=high

  * Non-maintainer upload by the Security Team.
  * Heap-based buffer over-read in try_read_command function (CVE-2017-9951) (Closes: #868701)
  * disable UDP port by default (CVE-2018-1000115)
  * debian/NEWS: Add explanation and document how to re-enable UDP if necessary
  * Don't overflow item refcount on get (CVE-2018-1000127) (Closes: #894404)

mupdf (1.5-1+deb8u4) jessie-security; urgency=high

  * Non-maintainer upload by the Security Team.
  * CVE-2018-6544, CVE-2018-1000051 add patches to fix use after free (Closes: #891245)

mysql-5.5 (5.5.60-0+deb8u1) jessie-security; urgency=high

  * Non-maintainer upload by the Security Team.
  * Imported Upstream version 5.5.60 to fix security issues:
    - http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html
    - CVE-2018-2755 CVE-2018-2761 CVE-2018-2771 CVE-2018-2773 CVE-2018-2781 CVE-2018-2813 CVE-2018-2817 CVE-2018-2818 CVE-2018-2819
  * Don't install obsolete manpages. Do not try to install anymore obsolete manpages for mysql_client_test, mysql_client_test_embedded and mysqltest_embedded.

mysql-5.5 (5.5.59-0+deb8u1) jessie-security; urgency=high

  * Non-maintainer upload by the Security Team.
  * Imported Upstream version 5.5.59 to fix security issues:
    - http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html
    - CVE-2018-2562 CVE-2018-2622 CVE-2018-2640 CVE-2018-2665 CVE-2018-2668

ncurses (5.9+20140913-1+deb8u3) jessie; urgency=medium

  * Cherry-pick upstream fix from the 20171125 patchlevel to fix a buffer overflow in the _nc_write_entry function (CVE-2017-16879, Closes: #882620).

net-snmp (5.7.2.1+dfsg-1+deb8u1) jessie-security; urgency=high

  * CVE-2018-1000116: Correct a heap corruption vulnerability prior to the authentication process. (Closes: #894110)

nvidia-graphics-drivers (340.106-1) jessie; urgency=medium

  * New upstream legacy 340xx branch release 340.106 (2018-01-16).
  * Fixed CVE-2017-5753, CVE-2017-5715 (spectre), CVE-2017-5754 (meltdown).
    https://nvidia.custhelp.com/app/answers/detail/a_id/4611
    (Closes: #886852)
    - Fixed a compatibility problem between the nvidia.ko's Page Attribute Table (PAT) support and the kernel Page Table Isolation (PTI) patches.
      To optimize stores to memory, nvidia.ko contains support for configuring the CPU's PAT registers, as a fallback for Linux kernels that predate kernel native PAT support. On any recent kernel with CONFIG_X86_PAT enabled, the driver will detect that setup has already been done and skip its PAT setup. However, a static inline function called by nvidia.ko's PAT fallback support was updated in the PTI patches to use the EXPORT_SYMBOL_GPL symbol 'cpu_tlbstate'. nvidia.ko was updated to only contain its PAT fallback support, at build time, on kernels without CONFIG_X86_PAT.
  * Improved compatibility with recent Linux kernels.

  [ Andreas Beckmann ]
  * Switch watch URL from ftp:// to https:// (375.82-1).
  * build-module-packages.sh: Order kernels by descending version (375.82-2).
  * bug-control: Add arch qualification to M-A:same packages in report-with list otherwise reportbug will ignore them if more than one is installed (375.82-5).
  * Use https:// URLs where possible (375.82-8).
  * Stop shipping the classic libnvidia-tls.so.* and ship the modern one (for Linux 2.6 onwards) in the regular libdir instead of the tls/ subdir (384.111-1). (Closes: #883615)
  * Add #tls# substitution for the tls/ source directory (384.111-1).
  * nvidia-kernel-{dkms,source}: Mention the supported architecture(s) in the long Description (384.111-4).
  * Update lintian overrides.
  * Upload to jessie.

  [ Luca Boccassi ]
  * Switch to my debian.org email address in Uploaders.
  * Drop drm-driver-legacy.patch, deprecated-cpu-events.patch and vmf-address.patch, fixed upstream.
  * Add vm-fault.patch to fix kernel module build on Linux 4.11 and newer.

  [ Russ Allbery ]
  * Remove myself from Uploaders.

nvidia-graphics-drivers-legacy-304xx (304.137-0~deb8u1) jessie; urgency=medium

  * The 304.xx legacy driver series has been declared as End-of-Life by NVIDIA. No further updates fixing security issues, critical bugs, or adding support for new Xorg or Linux releases will be issued.
    https://nvidia.custhelp.com/app/answers/detail/a_id/3142

  * New upstream legacy 304xx branch release 304.137 (2017-09-19).
    - Improved compatibility with recent Linux kernels.

  [ Andreas Beckmann ]
  * Add NEWS entry for End-of-Life status.
  * Synchronize packaging with nvidia-graphics-drivers-legacy-304xx 304.137-5.
  * not-parallel.patch: New, prevent parallel module build (304.135-3).
  * Switch watch URL from ftp:// to https:// (375.82-1).
  * build-module-packages.sh: Order kernels by descending version (375.82-2).
  * bug-control: Add arch qualification to M-A:same packages in report-with list otherwise reportbug will ignore them if more than one is installed (375.82-5).
  * Use https:// URLs where possible (375.82-8).
  * Stop shipping the classic libnvidia-tls.so.* and ship the modern one (for Linux 2.6 onwards) in the regular libdir instead of the tls/ subdir (384.111-1). (Closes: #883615)
  * nvidia-kernel-{dkms,source}: Mention the supported architecture(s) in the long Description (384.111-4).
  * Convert packaging repository from SVN to GIT.
  * Update lintian overrides.
  * Upload to jessie.

  [ Luca Boccassi ]
  * Switch to my debian.org email address in Uploaders.
  * Drop drm-driver-legacy.patch and deprecated-cpu-events.patch, fixed upstream (304.137-1).
  * Refresh disable-mtrr.patch to remove fuzz from upstream changes (304.137-1).
  * Add pud-offset.patch to fix runtime error on Linux 4.12 and newer.
    Original patch: https://bugzilla.rpmfusion.org/show_bug.cgi?id=4629#c11 (304.135-5)
  * Add nvidia-drm-pci-init.patch to fix kernel module build on Linux 4.14 and newer (304.137-1).
  * Add timer.patch to fix kernel module build on Linux 4.15 and newer (304.137-4).

  [ Russ Allbery ]
  * Remove myself from Uploaders.

nvidia-graphics-drivers-legacy-304xx (304.135-5) unstable; urgency=medium

  [ Andreas Beckmann ]
  * Bump Standards-Version to 4.1.0. No changes needed.

  [ Luca Boccassi ]
  * Switch to my debian.org email address in Uploaders.
  * Update pud-offset.patch to fix runtime error on Linux 4.12 and newer.
    Original patch: https://bugzilla.rpmfusion.org/show_bug.cgi?id=4629#c11 (Closes: #875425)

  [ Russ Allbery ]
  * Remove myself from Uploaders.
nvidia-graphics-drivers-legacy-304xx (304.135-4) unstable; urgency=medium

  [ Andreas Beckmann ]
  * Bump Standards-Version to 4.0.1. No changes needed.
  * nvidia-alternative: Explicitly use interest-await triggers.
  * Switch from dh_install --list-missing to dh_missing.
  * Use dpkg makefile snippets instead of manual parsing.
  * build-module-packages.sh: Order kernels by descending version.
  * Switch watch URL from ftp:// to https:// (375.82-1).
  * Update lintian overrides.

  [ Luca Boccassi ]
  * Add pud-offset.patch to fix kernel module build on Linux 4.12 and newer.

nvidia-graphics-drivers-legacy-304xx (304.135-3) unstable; urgency=medium

  [ Andreas Beckmann ]
  * Merge changes from 304.135-1 (jessie).
  * Do not prevent ccache usage. The bug was fixed in ccache 3.0 (in squeeze).
  * not-parallel.patch: New, prevent parallel module build.

  [ Luca Boccassi ]
  * Add drm-unload.patch to fix kernel module build on Linux 4.11 and newer.
    (Closes: #865964)

nvidia-graphics-drivers-legacy-304xx (304.135-2) unstable; urgency=medium

  * New upstream legacy 304xx branch release 304.135 (2017-02-14).
  * Fixed CVE-2017-0309, CVE-2017-0310, CVE-2017-0311, CVE-2017-0318,
    CVE-2017-0321.  (Closes: #855279)

  [ Luca Boccassi ]
  * Add deprecated-cpu-events.patch and update disable-mtrr.patch to fix
    kernel module build on Linux 4.10 and newer.

nvidia-graphics-drivers-legacy-304xx (304.135-2~bpo8+1) jessie-backports; urgency=medium

  * Rebuild for jessie-backports.

nvidia-graphics-drivers-legacy-304xx (304.135-2) unstable; urgency=medium

  * Upload to unstable.  (Closes: #855279)

nvidia-graphics-drivers-legacy-304xx (304.135-1) jessie; urgency=medium

  * New upstream legacy 304xx branch release 304.135 (2017-02-14).
  * Fixed CVE-2017-0309, CVE-2017-0310, CVE-2017-0311, CVE-2017-0318,
    CVE-2017-0321.  (Closes: #855279)
  [ Luca Boccassi ]
  * Synchronize packaging with nvidia-graphics-drivers-legacy-304xx 304.135-2:
    - Add deprecated-cpu-events.patch and update disable-mtrr.patch to fix
      kernel module build on Linux 4.10 and newer.
  * Synchronize packaging with nvidia-graphics-drivers-legacy-304xx 304.134-2:
    - Add drm-driver-legacy.patch to fix nvidia kernel module load issue on
      Linux 4.9 and newer.  (Closes: #852152)
  * Upload to jessie.

nvidia-graphics-drivers-legacy-304xx (304.134-2) unstable; urgency=medium

  [ Andreas Beckmann ]
  * Merge changes from 304.134-0~deb8u1 (jessie).
  * Add ${nvidia:Deb-Version-After:jessie} substvar to simplify adjusting
    Breaks/Replaces for new upstream releases in stable.
  * Switch to debhelper compat level 10.

  [ Luca Boccassi ]
  * Add drm-driver-legacy.patch to fix nvidia kernel module load issue on
    Linux 4.9 and newer.  (Closes: #852152)

openafs (1.6.9-2+deb8u7) jessie; urgency=high

  * Apply upstream patches needed to fix kernel module build against linux
    3.16.51-3+deb8u1 kernels after security update-induced ABI changes.
    (Closes: #886719)

openafs (1.6.9-2+deb8u6) jessie-security; urgency=high

  * CVE-2017-17432: remote triggered Rx assertion failure (Closes: #883602)
  * CVE-2016-4536: information leakage from OpenAFS clients
  * CVE-2016-9772: information leakage from directory objects (Closes: #846922)

openjdk-7 (7u181-2.6.14-1~deb8u1) jessie-security; urgency=medium

  * Rebuild for jessie-security.

openjdk-7 (7u171-2.6.13-1) experimental; urgency=high

  [ Tiago Stürmer Daitx ]
  * IcedTea release 2.6.13 (based on 7u171). Closes: #891330.
  * Security fixes:
    - S8160104: CORBA communication improvements
    - S8172525, CVE-2018-2579: Improve key keying case
    - S8174756: Extra validation for public keys
    - S8175932: Improve host instance supports
    - S8176458: Revise default document styling
    - S8178449, CVE-2018-2588: Improve LDAP logins
    - S8178458: Better use of certificates in LDAP
    - S8178466: Better RSA parameters
    - S8179536: Cleaner print job handling
    - S8179990: Cleaner palette entry handling
    - S8180011: Cleaner native graphics device handling
    - S8180015: Cleaner AWT robot handling
    - S8180020: Improve SymbolHashMap entry handling
    - S8180433: Cleaner CLR invocation handling
    - S8180877: More deeply colored ICC spaces
    - S8181664: Improve JVM UTF String handling
    - S8181670: Improve implementation of keystores
    - S8182125, CVE-2018-2599: Improve reliability of DNS lookups
    - S8182387, CVE-2018-2603: Improve PKCS usage
    - S8182601, CVE-2018-2602: Improve usage messages
    - S8185292, CVE-2018-2618: Stricter key generation
    - S8185325, CVE-2018-2641: Improve GTK initialization
    - S8186080: Transform XML interfaces
    - S8186212, CVE-2018-2629: Improve GSS handling
    - S8186600, CVE-2018-2634: Improve property negotiations
    - S8186606, CVE-2018-2633: Improve LDAP lookup robustness
    - S8186867: Improve native glyph layouts
    - S8186998, CVE-2018-2637: Improve JMX supportive features
    - S8189284, CVE-2018-2663: More refactoring for deserialization cases
    - S8190289, CVE-2018-2677: More refactoring for client deserialization cases
    - S8191142, CVE-2018-2678: More refactoring for naming deserialization cases
  * Remove multiarch-support pre-dependency. Closes: #887858.

  [ Matthias Klose ]
  * Bump standards version.
  * Disable bootstrap on sid/buster, gcj is removed.
  * Remove Damien Raude-Morvan as uploader. Closes: #889378.

openjdk-7 (7u161-2.6.12-1) experimental; urgency=medium

  * IcedTea release 2.6.12 (based on 7u161).
  * Disable Hotspot workaround for Exec Shield (Debian only). Addresses: #876051.
  * Build-depend on g++-4.7 on wheezy.
    This is the default on some architectures such as amd64 or i386, but not
    on armhf or armel, which default to 4.6. There the build was working before
    because the bootstrap build pulled gcj-jdk, which depends on gcj-4.7-jdk
    and that in turn depends on g++-4.7. However since we have disabled the
    bootstrap build now, g++-4.7 is no longer installed on arm* builds, causing
    the build failure which couldn't be seen on amd64 (Emilio Pozuelo Monfort).

openjdk-7 (7u151-2.6.11-3) experimental; urgency=medium

  [ Matthias Klose ]
  * Disable bootstrap on wheezy, it currently fails due to the last round of
    8u151 security patches (Emilio Pozuelo Monfort).

  [ Tiago Stürmer Daitx ]
  * debian/patches/hotspot-aarch64-S8145438-fix-field-too-big-for-insn.patch:
    the S8144028 fix was incomplete and followed up by S8145438; without it
    aarch64 JVM can fail with "Internal Error, failed: Field too big for insn".

openjdk-7 (7u151-2.6.11-2) experimental; urgency=medium

  [ Tiago Stürmer Daitx ]
  * Backport of 8u151 security fixes. Closes: #881764.
  * Security patches:
    - CVE-2017-10274, S8169026: Handle smartcard clean up better. If a
      CardImpl can be recovered via finalization, then separate instances
      pointing to the same device can be created.
    - CVE-2017-10281, S8174109: Better queuing priorities. PriorityQueue's
      readObject allocates an array based on data in the stream which could
      cause an OOM.
    - CVE-2017-10285, S8174966: Unreferenced references. RMI's Unreferenced
      thread can be used as the root of a Trusted Method Chain.
    - CVE-2017-10295, S8176751: Better URL connections. On Ubuntu (and
      possibly other Linux flavors) CR-NL in the host field are ignored and
      can be used to inject headers in an HTTP request stream.
    - CVE-2017-10388, S8178794: Correct Kerberos ticket grants. Kerberos
      implementations can incorrectly take information from the unencrypted
      portion of the ticket from the KDC. This can lead to an MITM attack
      impersonating Kerberos services.
    - CVE-2017-10346, S8180711: Better alignment of special invocations. A
      missing load constraint for some invokespecial cases can allow invoking
      a method from an unrelated class.
    - CVE-2017-10350, S8181100: Better Base Exceptions. An array is allocated
      based on data in the serial stream without a limit on the size.
    - CVE-2017-10347, S8181323: Better timezone processing. An array is
      allocated based on data in the serial stream without a limit on the size.
    - CVE-2017-10349, S8181327: Better Node predications. An array is
      allocated based on data in the serial stream without a limit on the size.
    - CVE-2017-10345, S8181370: Better keystore handling. A malicious
      serialized object in a keystore can cause a DoS when using keytool.
    - CVE-2017-10348, S8181432: Better processing of unresolved permissions.
      An array is allocated based on data in the serial stream without a limit
      on the size.
    - CVE-2017-10357, S8181597: Process Proxy presentation. A malicious
      serialized stream could cause an OOM due to lack of checking on the
      number of interfaces read from the stream for a Proxy.
    - CVE-2017-10355, S8181612: More stable connection processing. If an
      attack can cause an application to open a connection to a malicious FTP
      server (e.g., via XML), then a thread can be tied up indefinitely in
      accept(2).
    - CVE-2017-10356, S8181692: Update storage implementations. JKS and JCEKS
      keystores should be retired from common use in favor of more modern
      keystore protections.
    - CVE-2016-10165, S8183028: Improve CMS header processing. Missing bounds
      check could lead to leaked memory contents.
    - CVE-2016-9841, S8184682: Upgrade compression library. There were four
      off by one errors found in the zlib library. Two of them are long typed
      which could lead to RCE.
  * debian/patches/hotspot-aarch64-S8150652-unused-template.diff: unused
    template breaks builds with gcc-6 due to macro conflict.
  * debian/rules: try /etc/os-release before lsb-release; allows one to check
    if patches still apply cleanly across distros from the command line by
    setting distrel.

openjdk-7 (7u151-2.6.11-2~deb8u1) jessie-security; urgency=medium

  * Rebuild for jessie-security

openjdk-7 (7u151-2.6.11-1) experimental; urgency=medium

  * IcedTea release 2.6.11 (based on 7u151). Closes: #869816.
  * Security fixes:
    - S8163958, CVE-2017-10102: Improved garbage collection.
    - S8167228: Update to libpng 1.6.28.
    - S8169209, CVE-2017-10053: Improved image post-processing steps.
    - S8169392, CVE-2017-10067: Additional jar validation steps.
    - S8170966, CVE-2017-10081: Right parenthesis issue.
    - S8172204, CVE-2017-10087: Better Thread Pool execution.
    - S8172461, CVE-2017-10089: Service Registration Lifecycle.
    - S8172465, CVE-2017-10090: Better handling of channel groups.
    - S8172469, CVE-2017-10096: Transform Transformer Exceptions.
    - S8173286, CVE-2017-10101: Better reading of text catalogs.
    - S8173697, CVE-2017-10107: Less Active Activations.
    - S8173770, CVE-2017-10074: Image conversion improvements.
    - S8174098, CVE-2017-10110: Better image fetching.
    - S8174105, CVE-2017-10108: Better naming attribution.
    - S8174113, CVE-2017-10109: Better sourcing of code.
    - S8174770: Check registry registration location.
    - S8174873: Improved certificate processing.
    - S8175106, CVE-2017-10115: Higher quality DSA operations.
    - S8175110, CVE-2017-10118: Higher quality ECDSA operations.
    - S8176055: JMX diagnostic improvements.
    - S8176067, CVE-2017-10116: Proper directory lookup processing.
    - S8176760, CVE-2017-10135: Better handling of PKCS8 material.
    - S8178135, CVE-2017-10176: Additional elliptic curve support.
    - S8181420, CVE-2017-10074: PPC: Image conversion improvements.
    - S8182054, CVE-2017-10243: Improve wsdl support.
    - S8183551, CVE-2017-10074, PR3423: AArch64: Image conversion improvements.
    - S8184119, CVE-2017-10111: Incorrect return processing for the LF editor
      of MethodHandles.permuteArguments.
  [ Tiago Stürmer Daitx ]
  * d/control.in:
    - remove @bd_compress@ dependency.
    - replace @bd_autotools@ with fixed dependencies.
  * d/control.tests: package to hold all tests artifacts and logs.
  * d/repack: fixed and simplified download script.
  * d/rules:
    - include openjdk-7-tests package on Ubuntu derivatives only.
    - only save the full jtreg results when the openjdk-7-tests package is
      being built, otherwise stick to old behaviour (keep compressed test
      summaries + failed test results). Closes: #863007, #865533.
    - only run the long jdk testsuite when default vm is a hotspot.
    - only run the full testsuite for zero alternative vm on very fast
      systems, otherwise stick to the hotspot testsuite to avoid long build
      times.
    - remove with_nss as all supported releases have it now.
    - remove gcc/g++ configurations for EOL releases.
    - keep libjpeg8 dependency on wheezy, replace it with libjpeg62-turbo on
      other Debian releases and libjpeg-turbo8 on Ubuntu. Closes: #766601.
    - remove old logic to depend on libcupsys2.
    - always set rhino_source, all supported releases have dpkg > 1.16.2.
    - remove bd_compress and pkg_compress as they haven't been used for quite
      a while.
    - remove with_wgy_zenhai logic, lenny is EOL.
    - remove bd_autotools logic if/then, call dh_autoreconf and
      dh_autoreconf_clean.
    - simplify bootstrap dependency logic and remove EOL releases.
    - remove EOL releases from gcc/g++ dependency logic.
    - remove unused jamvm_defaults and simplify jamvm_archs logic.
    - use ttf-indic-fonts for trusty, otherwise stick to fonts-indic.
    - patch configure after dh_autoreconf call to include additional
      /usr/lib/jvm directories; setting DEB_HOST_ARCH=alpha to check if
      patches apply correctly fails because alpha requires a jdk for
      bootstrap and IcedTea does not look into our usual directories.
  * d/p/fontconfig-arphic-uming.diff: removed, not used since lenny.
  * d/p/jdk-getAccessibleValue.diff: libatk-wrapper-java: File selection
    dialog not refreshed when changing directory.
    Kindly provided by Samuel Thibault. Closes: #827741.
  * d/p/jdk-S8173783-fix-illegalargumentexception-regression.patch: deleted,
    included in IcedTea 2.6.10.
  * d/p/kfreebsd-support-jdk.diff: updated, was failing to apply due to jdk
    changes in NetworkInterface.c.
  * d/p/sec-webrev-8u131-*.patch: deleted, included in IcedTea 2.6.10.
  * d/p/zero-sparc.diff: commented out chaitin.hpp hunk #1 as that #ifdef has
    been removed by JDK-8011621 (backported by IcedTea 2.6.10); this was also
    backported to 7u131 through JDK-8160961 but then backed out, better keep
    the hunk in case IcedTea decides to back it out as well.

  [ Matthias Klose ]
  * Build using gcc-6 on recent releases.
  * Fix libjvm.so's .debug file names. Closes: #865749. LP: #1548434.

openjdk-7 (7u151-2.6.11-1~deb8u1) jessie-security; urgency=medium

  * Rebuild for jessie-security

openjdk-7 (7u131-2.6.9-3) experimental; urgency=medium

  * Only include the failing tests in the packages, not the whole test world.
  * openjdk-7-jdk: Provide openjdk-7-jdk-headless.

openjdk-7 (7u131-2.6.9-2) experimental; urgency=high

  [ Tiago Stürmer Daitx ]
  * Fix JDK regression introduced by 7u131 upgrade: (LP: #1691126)
    - d/p/jdk-S8173783-fix-illegalargumentexception-regression.patch: fix
      "IllegalArgumentException: jdk.tls.namedGroups" backported from
      http://hg.openjdk.java.net/jdk8u/jdk8u/jdk/rev/f5d0aadb4d1c

openjdk-7 (7u131-2.6.9-2~deb8u1) jessie-security; urgency=medium

  * Rebuild for jessie-security

openjdk-7 (7u131-2.6.9-1) experimental; urgency=high

  [ Tiago Stürmer Daitx ]
  * IcedTea release 2.6.9 (based on 7u131):
  * Security fixes
    - S8167110, CVE-2017-3514: Windows peering issue.
    - S8163528, CVE-2017-3511: Better library loading.
    - S8169011, CVE-2017-3526: Resizing XML parse trees.
    - S8163520, CVE-2017-3509: Reuse cache entries.
    - S8171533, CVE-2017-3544: Better email transfer.
    - S8170222, CVE-2017-3533: Better transfers of files.
    - S8171121, CVE-2017-3539: Enhancing jar checking.
    - S8172299: Improve class processing.
  * debian/compat: updated from 5 to 9.
  * debian/watch: using watch version 4 to download both icedtea and
    icedtea-sound. LP: #1642420.
  * debian/repack: simplified tarball download.
  * debian/rules:
    - removed 8u121 patches as they have been applied to 7u131.
    - building icedtea-sound on build/ directory
    - replaced 'dh_strip -k' calls by dh_prep
    - have the 'build' rule depend on 'debian/control' rule to force failure
      if debian/control gets regenerated.
    - added file 'security/blacklisted.cert' to be copied to etc dir
      (introduced by S8011402).
    - simplified build dependencies.
    - removed jtreg's xvfb-run call since icedtea takes care of calling it.
    - removed window manager as there are no additional significant failures
      on the jdk tests when not running one.
    - re-enabled jdk jtreg tests.
    - removed lpia arch.
    - use fonts-wqy-microhei and fonts-wqy-zenhei instead of transitional
      package names.
    - drop Recommends on obsolete GNOME libraries so they are not in a default
      GNOME desktop installation (Simon McVittie). Closes: #850270.
      + sun.net.spi.DefaultProxySelector prefers libglib2.0-0 (>= 2.24) over
        obsolete libgconf2-4.
      + sun.nio.fs.GnomeFileTypeDetector prefers libglib2.0-0 (>= 2.24) over
        libgnomevfs-2-0.
      + sun.xawt.awt_Desktop prefers libgtk2.0-0 (>= 2.14) over libgnomevfs2-0.
  * debian/control.in: added static build dependencies as their previous
    selection logic in debian/rules is no longer required.
  * debian/control: regenerated.
  * debian/patches/icedtea-sound.diff: removed, now packing icedtea-sound
    1.0.1 which includes those fixes.
  * debian/upstream/signing-key.asc: add new signing key.

  [ Matthias Klose ]
  * Remove obsolete changelog entries from previous release.

openjdk-7 (7u121-2.6.8-2) experimental; urgency=high

  [ Tiago Stürmer Daitx ]
  * Security fixes from 8u121:
    - S8167104, CVE-2017-3289: Custom class constructor code can bypass the
      required call to super.init allowing for uninitialized objects to be
      created.
    - S8164143, CVE-2017-3260: It is possible to corrupt memory by calling
      dispose() on a CMenuComponent multiple times.
    - S8168714, CVE-2016-5546: ECDSA will accept signatures that have various
      extraneous bytes added to them whereas the signature is supposed to be
      unique.
    - S8166988, CVE-2017-3253: The PNG specification allows the [iz]Txt
      sections to be 2^32-1 bytes long so these should not be uncompressed
      unless the user explicitly requests it.
    - S8168728, CVE-2016-5548: DSA signing exhibits a timing bias that may
      leak information about k.
    - S8161743, CVE-2017-3252: LdapLoginModule incorrectly tries to
      deserialize responses from an LDAP server when an LDAP context is
      expected.
    - S8167223, CVE-2016-5552: Parsing of URLs can be inconsistent with how
      users or external applications would interpret them leading to possible
      security issues.
    - S8168705, CVE-2016-5547: A value from an InputStream is read directly
      into the size argument of a new byte[] without validation.
    - S8164147, CVE-2017-3261: An integer overflow exists in
      SocketOutputStream which can lead to memory disclosure.
    - S8151934, CVE-2017-3231: Under some circumstances URLClassLoader will
      dispatch HTTP GET requests where the invoker does not have permission.
    - S8165071, CVE-2016-2183: 3DES can be exploited for block collisions when
      long running sessions are allowed.
  * Missing
    - S8165344, CVE-2017-3272: A protected field can be leveraged into type
      confusion.
    - S8156802, CVE-2017-3241: RMI deserialization should limit the types
      deserialized to prevent attacks that could escape the sandbox.
  * Ignored
    - S8168724, CVE-2016-5549: ECDSA signing exhibits a timing bias that may
      leak information about k.

openjdk-7 (7u121-2.6.8-2~deb8u1) jessie-security; urgency=medium

  * Rebuild for jessie

openjdk-7 (7u121-2.6.8-1) experimental; urgency=medium

  * IcedTea release 2.6.8 (based on 7u121):

openjdk-7 (7u111-2.6.7-3) experimental; urgency=medium

  [ Tiago Stürmer Daitx ]
  * Don't use precompiled header files on arm64.
  * Update the sec-webrev-8u111-S8159503.hotspot patch.

openjdk-7 (7u111-2.6.7-2) experimental; urgency=medium

  [ Tiago Stürmer Daitx ]
  * Backported security fixes from 8u111:
    - CVE-2016-5568, S8158993: Service Menu services.
    - CVE-2016-5582, S8160591: Improve internal array handling.
    - CVE-2016-5573, S8159519: Reformat JDWP messages.
    - CVE-2016-5597, S8160838: Better HTTP service.
    - CVE-2016-5554, S8157739: Classloader Consistency Checking.
    - CVE-2016-5542, S8155973: Tighten jar checks.
  * debian/rules:
    - removed lcms version 1 option as no current release uses that, lcms2 is
      now default.
    - removed in-tree/system lcms selection to always use system's lcms.
    - removed all cacao references except for the transitional cacao package.
    - updated jtreg tests to use othervm.
    - simplified rhino and libcups dependency selection.
  * debian/buildwatch.sh: updated to stop it if no 'make' process is running,
    as it probably means that the build failed - otherwise buildwatch keeps
    the builder alive until it exits after the timer (3 hours by default)
    expires.
  * debian/control.in: removed cacao references.
  * debian/README.source: removed cacao references.
  * debian/patches/cacao-armv4.diff: deleted file.
  * Makefile.am: remove -samevm
  * debian/patches/it-jamvm-8158260-unsafe-methods.patch: fix JAMVM after the
    introduction of two new Unsafe methods in the OpenJDK hotspot.
    Closes: #833933. (LP: #1611598)

  [ Matthias Klose ]
  * Fix building the -dbg package depending on the debhelper level.

openjdk-7 (7u111-2.6.7-2~deb8u1) jessie-security; urgency=medium

  * Rebuild for jessie-security

openjdk-7 (7u111-2.6.7-1) experimental; urgency=medium

  [ Matthias Klose ]
  * Fix handling of /usr/lib/jvm/*/jre/lib/zi if internal tzdata is used
    (Andreas Beckmann). Closes: #821858.
  * Add missing includes for aarch64 hotspot backport (building without pch).
  * Use in-tree lcms for backports.
  [ Tiago Stürmer Daitx ]
  * IcedTea release 2.6.7 (based on 7u111):
  * Security fixes
    - S8079718, CVE-2016-3458: IIOP Input Stream Hooking
    - S8145446, CVE-2016-3485: Perfect pipe placement (Windows only)
    - S8147771: Construction of static protection domains under Javax custom
      policy
    - S8148872, CVE-2016-3500: Complete name checking
    - S8149962, CVE-2016-3508: Better delineation of XML processing
    - S8150752: Share Class Data
    - S8151925: Font reference improvements
    - S8152479, CVE-2016-3550: Coded byte streams
    - S8155981, CVE-2016-3606: Bolster bytecode verification
    - S8155985, CVE-2016-3598: Persistent Parameter Processing
    - S8158571, CVE-2016-3610: Additional method handle validation
  * debian/rules:
    - Create symbolic link in source package (thanks Avinash).
      Closes: #832720.
  * debian/JB-jre-headless.prerm.in: check for /var/lib/binfmts/jar instead of
    /var/lib/binfmts/@basename@ before removing jar entry from binfmts.
    Closes: #821146.

openldap (2.4.40+dfsg-1+deb8u4) jessie; urgency=medium

  * Fix upgrade failure when olcSuffix contains a backslash.
    (Closes: #864719)
  * Import upstream patches to fix memory corruption caused by calling
    sasl_client_init() multiple times and possibly concurrently. (ITS#8648)
    (Closes: #860947)

openocd (0.8.0-4+deb7u1) jessie-security; urgency=high

  * Pull "bindto" command from upstream
  * Bind to localhost by default
  * Prevent some forms of Cross Protocol Scripting attacks (CVE-2018-5704)
    (Closes: #887488)

openoffice.org-dictionaries (1:3.3.0~rc10-4+deb8u1) jessie-security; urgency=high

  * Non-maintainer upload.
  * Drop conflict on Thunderbird in preparation for the next
    icedove/thunderbird security update

openssl (1.0.1t-1+deb8u8) jessie-security; urgency=high

  * CVE-2018-0739 (Constructed ASN.1 types with a recursive definition could
    exceed the stack)

optipng (0.7.5-1+deb8u2) jessie-security; urgency=high

  * Non-maintainer upload by the Security Team.
  * Prevent integer overflow in minitiff_read_info() (CVE-2017-1000229)
    (Closes: #882032)
  * gifread: Detect indirect circular dependencies in LZW tables
    (CVE-2017-16938) (Closes: #878839)

otrs2 (3.3.18-1+deb8u4) jessie-security; urgency=high

  * Add patch 20-OSA-2017-10: This fixes OSA-2017-10: An attacker can send a
    specially prepared email to an OTRS system. If this system has cookie
    support disabled, and a logged in agent clicks a link in this email, the
    session information could be leaked to external systems, allowing the
    attacker to take over the agent’s session.

otrs2 (3.3.18-1+deb8u3) jessie-security; urgency=high

  * Add patch 18-OSA-2017-08: This fixes OSA-2017-08, also known as
    CVE-2017-16854: An attacker who is logged into OTRS as a customer can use
    the ticket search form to disclose internal article information of their
    customer tickets.
  * Add patch 19-OSA-2017-09: This fixes OSA-2017-09, also known as
    CVE-2017-16921: An attacker who is logged into OTRS as an agent can
    manipulate form parameters and execute arbitrary shell commands with the
    permissions of the OTRS or web server user. Closes: #883774

p7zip (9.20.1~dfsg.1-4.1+deb8u3) jessie-security; urgency=high

  * Non-maintainer upload by the Security Team.
  * Heap-based buffer overflow in 7zip/Compress/ShrinkDecoder.cpp
    (CVE-2017-17969) Thanks to Antoine Beaupré (Closes: #888297)

patch (2.7.5-1+deb8u1) jessie; urgency=medium

  * Fix CVE-2018-1000156: arbitrary command execution in ed-style patches
    (closes: #894993).

perl (5.20.2-3+deb8u11) jessie-security; urgency=high

  * [SECURITY] CVE-2018-12015: fix directory traversal vulnerability in
    Archive-Tar (Closes: #900834)

perl (5.20.2-3+deb8u10) jessie-security; urgency=high

  * [SECURITY] CVE-2018-6913: heap buffer overflow with large data blocks.

php5 (5.6.33+dfsg-0+deb8u1) jessie-security; urgency=high
  * Add support for signed upstream tarballs
  * Make d/copyright machine readable
  * Remove repack.sh script in favour of uscan repacking
  * Update Vcs-* links to salsa.d.o
  * New upstream version 5.6.33+dfsg
  * Rebase patches on top of new upstream releases.

plexus-archiver (1.2-1+deb8u1) jessie-security; urgency=high

  * Non-maintainer upload by the Security Team.
  * Fail when trying to extract outside of dest dir (CVE-2018-1002200)
    Fixes arbitrary file write vulnerability using a specially crafted zip
    file. (Closes: #900953)

plexus-utils (1:1.5.15-4+deb8u1) jessie-security; urgency=medium

  * CVE-2017-1000487

plexus-utils2 (3.0.15-1+deb8u1) jessie-security; urgency=medium

  * CVE-2017-1000487

poco (1.3.6p1-5+deb8u1) jessie-security; urgency=high

  * Add backported patch for CVE-2017-1000472

polarssl (1.3.9-2.1+deb8u3) jessie-security; urgency=medium

  * Fix CVE-2017-18187: Unsafe bounds check in ssl_parse_client_psk_identity().
  * Fix CVE-2018-0487: Buffer overflow when verifying RSASSA-PSS signatures.
    (Closes: #890288)
  * Fix CVE-2018-0488: Buffer overflow when truncated HMAC is enabled.
    (Closes: #890287)

poppler (0.26.5-2+deb8u4) jessie-security; urgency=high

  * Non-maintainer upload by the Security Team.
  * Correct patch for CVE-2017-9776. Fixes "[regression] Broken rendering of
    scan PDF from Xerox WorkCentre 5945". (Closes: #890826)

poppler (0.26.5-2+deb8u3) jessie-security; urgency=medium

  * Fix regression in fix for CVE-2017-14519
  * CVE-2017-1000456
  * CVE-2017-14929

poppler (0.26.5-2+deb8u2) jessie-security; urgency=medium

  * Fix CVE-2017-9406: a memory leak vulnerability was found in the function
    gmalloc in gmem.cc, which allows attackers to cause a denial of service
    via a crafted file.
  * Fix CVE-2017-9408: memory leak in the function Object::initArray in
    Object.cc that allows attackers to cause a DoS via a crafted file.
  * Fix CVE-2017-9775: Stack buffer overflow in GfxState.cc in pdftocairo that
    allows remote attackers to cause a denial of service (application crash)
    via a crafted PDF document.
  * Fix CVE-2017-9776: Integer overflow leading to Heap buffer overflow in
    JBIG2Stream.cc in pdftocairo allows remote attackers to cause a denial of
    service (application crash) or possibly have unspecified other impact via
    a crafted PDF document.
  * Fix CVE-2017-9865: The function GfxImageColorMap::getGray in GfxState.cc
    allows remote attackers to cause a denial of service (stack-based buffer
    over-read and application crash) via a crafted PDF document
  * Fix CVE-2017-14517: NULL pointer dereference vulnerability in the
    XRef::parseEntry() function in XRef.cc
  * Fix CVE-2017-14518: Floating point exception in the
    isImageInterpolationRequired() function in Splash.cc
  * Fix CVE-2017-14519: A memory corruption may occur in a call to
    Object::streamGetChar
  * Fix CVE-2017-14520: Floating point exception in Splash::scaleImageYuXd()
  * Fix CVE-2017-14617: Floating point exception in the ImageStream class in
    Stream.cc
  * Fix CVE-2017-14975: NULL pointer dereference vulnerability in the
    FoFiType1C::convertToType0 function in FoFiType1C.cc
  * Fix CVE-2017-14976: Heap-based buffer over-read vulnerability in the
    FoFiType1C::convertToType0 function in FoFiType1C.cc
  * Fix CVE-2017-14977: NULL pointer dereference vulnerability in the
    FoFiTrueType::getCFFBlock function in FoFiTrueType.cc
  * Fix CVE-2017-15565: NULL Pointer Dereference in the
    GfxImageColorMap::getGrayLine() function in GfxState.cc

postgresql-9.4 (9.4.18-0+deb8u1) jessie; urgency=medium

  * New upstream version.
    + Fix incorrect volatility markings on a few built-in functions.

postgresql-9.4 (9.4.17-0+deb8u1) jessie; urgency=medium

  * New upstream version.
    If you run an installation in which not all users are mutually trusting,
    or if you maintain an application or extension that is intended for use
    in arbitrary situations, it is strongly recommended that you read the
    documentation changes described in the first changelog entry below, and
    take suitable steps to ensure that your installation or code is secure.

    Also, the changes described in the second changelog entry below may cause
    functions used in index expressions or materialized views to fail during
    auto-analyze, or when reloading from a dump. After upgrading, monitor the
    server logs for such problems, and fix affected functions.

    + Document how to configure installations and applications to guard
      against search-path-dependent trojan-horse attacks from other users

      Using a search_path setting that includes any schemas writable by a
      hostile user enables that user to capture control of queries and then
      run arbitrary SQL code with the permissions of the attacked user. While
      it is possible to write queries that are proof against such hijacking,
      it is notationally tedious, and it's very easy to overlook holes.
      Therefore, we now recommend configurations in which no untrusted
      schemas appear in one's search path. (CVE-2018-1058)

    + Avoid use of insecure search_path settings in pg_dump and other client
      programs

      pg_dump, pg_upgrade, vacuumdb and other PostgreSQL-provided
      applications were themselves vulnerable to the type of hijacking
      described in the previous changelog entry; since these applications are
      commonly run by superusers, they present particularly attractive
      targets. To make them secure whether or not the installation as a whole
      has been secured, modify them to include only the pg_catalog schema in
      their search_path settings. Autovacuum worker processes now do the
      same, as well.
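The hardening the two entries above recommend, written out as an added example; it is not part of the Debian changelog or of the PostgreSQL release notes. The role name alice, the database name appdb and the schema app are assumed, and the weak state shown in the comment is the pre-CVE-2018-1058 default.

```sql
-- Added example, not from the changelog or the PostgreSQL release notes.
-- Assumed names: role "alice", database "appdb", application schema "app".

-- Weak state (historical default): every role may CREATE in "public", and
-- "public" sits on every user's search_path, so a hostile user can plant a
-- function or operator there that a privileged user's query resolves first.
--   SHOW search_path;        -> "$user", public

-- 1. Make the shared schema unwritable for ordinary users.
REVOKE CREATE ON SCHEMA public FROM PUBLIC;

-- 2. Give the user a schema of their own for ad-hoc objects.
CREATE SCHEMA alice AUTHORIZATION alice;

-- 3. Keep schemas writable by other users out of the search path, for the
--    database and for the role. Only the user's own schema and pg_catalog
--    remain, which is the "no untrusted schemas" configuration recommended.
ALTER DATABASE appdb SET search_path = "$user", pg_catalog;
ALTER ROLE alice SET search_path = "$user", pg_catalog;

-- 4. Functions run implicitly by other programs (index expressions, triggers,
--    materialized views, auto-analyze, pg_dump) must not assume the caller's
--    search_path. Pin it per function and schema-qualify every reference;
--    listing pg_temp last stops the temporary schema from being searched
--    first, which is the documented pattern for such functions.
CREATE SCHEMA IF NOT EXISTS app;
CREATE OR REPLACE FUNCTION app.normalize_email(text) RETURNS text
    LANGUAGE sql IMMUTABLE
    SET search_path = pg_catalog, pg_temp
AS $$ SELECT pg_catalog.lower(pg_catalog.btrim($1)) $$;

-- 5. Verify: confirm the effective path for this session, then list any
--    functions that non-superusers have already created in "public", which
--    is where a planted look-alike would show up.
SHOW search_path;
SELECT n.nspname, p.proname, r.rolname AS owner
  FROM pg_proc p
  JOIN pg_namespace n ON n.oid = p.pronamespace
  JOIN pg_roles     r ON r.oid = p.proowner
 WHERE n.nspname = 'public'
   AND NOT r.rolsuper;
```

Run the statements as a superuser; the final SELECT should return no rows on a clean installation. Operators and casts can be audited the same way through pg_operator and pg_cast, and the per-function SET search_path in step 4 is also what makes such functions keep working under the tightened search_path that pg_dump, vacuumdb and the autovacuum workers now use.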
      In cases where user-provided functions are indirectly executed by these
      programs -- for example, user-provided functions in index expressions
      -- the tighter search_path may result in errors, which will need to be
      corrected by adjusting those user-provided functions to not assume
      anything about what search path they are invoked under. That has always
      been good practice, but now it will be necessary for correct behavior.
      (CVE-2018-1058)

postgresql-9.4 (9.4.16-0+deb8u1) jessie; urgency=medium

  * New upstream version.
    + Ensure that all temporary files made by pg_upgrade are
      non-world-readable (CVE-2018-1053)

procps (2:3.3.9-9+deb8u1) jessie-security; urgency=high

  * Non-maintainer upload by the Security Team.
  * top: Do not default to the cwd in configs_read(). (CVE-2018-1122)
  * ps/output.c: Fix outbuf overflows in pr_args() etc. (CVE-2018-1123)
  * proc/readproc.c: Fix bugs and overflows in file2strvec(). (CVE-2018-1124)
  * pgrep: Prevent a potential stack-based buffer overflow (CVE-2018-1125)
  * proc/alloc.*: Use size_t, not unsigned int. (CVE-2018-1126)

prosody (0.9.7-2+deb8u4) jessie-security; urgency=high

  * Non-maintainer upload by the Security Team.
  * mod_c2s: Do not allow the stream 'to' to change across stream restarts
    (CVE-2018-10847) (Closes: #900524)

psensor (1.1.3-2+deb8u1) jessie; urgency=high

  * Non-maintainer upload by the LTS team.
  * Fix CVE-2014-10073: The create_response function in server/server.c in
    Psensor allows Directory Traversal because it lacks a check for whether a
    file is under the webserver directory. (Closes: #896195)

python-django (1.7.11-1+deb8u3) jessie-security; urgency=high

  * Non-maintainer upload by the LTS Team.
  * Fix CVE-2018-7536: Denial-of-service possibility in ``urlize`` and
    ``urlizetrunc`` template filters
  * Fix CVE-2018-7537: Denial-of-service possibility in ``truncatechars_html``
    and ``truncatewords_html`` template filters

python-mimeparse (0.1.4-1+deb8u1) jessie; urgency=medium
  [ Andreas Beckmann ]
  * Non-maintainer upload.
  * Backport the fix from 0.1.4-3.1 to jessie.

  [ Adrian Bunk ]
  * Fix the python3-mimeparse dependencies. (Closes: #867439)

quagga (0.99.23.1-1+deb8u5) jessie-security; urgency=high

  * Non-maintainer upload by the Security Team.
  * bgpd/security: Fix double free of unknown attribute (CVE-2018-5379)
    Security issue: Quagga-2018-1114
  * bgpd/security: debug print of received NOTIFY data can over-read msg
    array (CVE-2018-5380)
    Security issue: Quagga-2018-1550
  * bgpd/security: fix infinite loop on certain invalid OPEN messages
    (CVE-2018-5381)
    Security issue: Quagga-2018-1975

quassel (1:0.10.0-2.3+deb8u4) jessie-security; urgency=high

  * Backport upstream commit to implement a custom deserializer.
    Fixes possible remote code execution. (Closes: #896914)
  * Backport upstream commit to reject client logins before the core is
    configured. Fixes a DoS vulnerability. (Closes: #896915)

rar (2:4.2.0+dfsg.1-0.1) jessie; urgency=medium

  * Non-maintainer upload
  * Repacked orig tarball excludes statically linked rar
    (Closes: #693396, #860952)
  * Install dynamically linked rar and remove the lintian override for it
    being static
  * Remove lintian override for default.sfx being static, which it hasn't
    been for a long time

reportbug (6.6.3+deb8u1) jessie; urgency=medium

  * Non-maintainer upload.
  * Don't CC secure-testing-team@lists.alioth.debian.org anymore.
    The testing security team hasn't existed for a long time and the
    mailing list will disappear when Alioth is decommissioned.
    Thanks to Moritz Muehlenhoff (Closes: #888832)

rsync (3.1.1-3+deb8u1) jessie-security; urgency=high

  * Non-maintainer upload by the Security Team.
  * Enforce trailing \0 when receiving xattr name values (CVE-2017-16548)
    (Closes: #880954)
  * Check fname in recv_files sooner (CVE-2017-17433) (Closes: #883667)
  * Sanitize xname in read_ndx_and_attrs (CVE-2017-17434) (Closes: #883665)
  * Check daemon filter against fnamecmp in recv_files() (CVE-2017-17434)
    (Closes: #883665)

ruby-omniauth (1.2.1-1+deb8u1) jessie-security; urgency=high

  * Fix security issue in returning post parameters from session in
    callback phase (CVE-2017-18076) (Closes: #888523)

sam2p (0.49.2-3+deb8u2) jessie; urgency=high

  * Non-maintainer upload.
  * Fix CVE-2018-7487, CVE-2018-7551, CVE-2018-7552, CVE-2018-7553 and
    CVE-2018-7554. Multiple invalid frees and buffer-overflow
    vulnerabilities were discovered in sam2p that may lead to a
    denial-of-service (application crash) or unspecified other impact.

sdl-image1.2 (1.2.12-5+deb8u1) jessie-security; urgency=high

  * Backport various security fixes:
    - CVE-2017-2887
    - CVE-2017-12122
    - CVE-2017-14440
    - CVE-2017-14441
    - CVE-2017-14442
    - CVE-2017-14448
    - CVE-2017-14450
    - CVE-2018-3837
    - CVE-2018-3838
    - CVE-2018-3839

sensible-utils (0.0.9+deb8u1) jessie-security; urgency=high

  * Non-maintainer upload by the Security Team.
  * Argument injection in sensible-browser (CVE-2017-17512)
    Thanks to Gabriel Corona (Closes: #881767)

sharutils (1:4.14-2+deb8u1) jessie-security; urgency=medium

  * Apply patch from Petr Pisar to fix heap buffer overflow in unshar.
    This is CVE-2018-1000097. Closes: #893525.

simplesamlphp (1.13.1-2+deb8u1) jessie-security; urgency=high

  * Update by the security team for jessie.
    CVE-2017-12867 CVE-2017-12869 CVE-2017-12873 CVE-2017-12874
    CVE-2017-18121 CVE-2017-18122 CVE-2018-6519 CVE-2018-6521
    SSPSA-201802-01 (closes: #889286).

slurm-llnl (14.03.9-5+deb8u2) jessie; urgency=medium

  * Team upload.
  * slurm-client: Add Breaks+Replaces: slurm-llnl-slurmdbd (<< 14.03.9-5)
    for clean upgrades from wheezy which shipped sacctmgr there.
    (Closes: #901513)

smarty3 (3.1.21-1+deb8u2) jessie-security; urgency=medium

  * debian/patches:
    + Fix object name in 0001_CVE-2017-1000480.patch.
      Thanks to Côme Chilliet from the FusionDirectory team for spotting
      this.

smarty3 (3.1.21-1+deb8u1) jessie-security; urgency=medium

  * debian/patches:
    + Add 0001_CVE-2017-1000480.patch.
      Fixes CVE-2017-1000480. (Closes: #886460).

soundtouch (1.8.0-1+deb8u1) jessie; urgency=medium

  [ Gabor Karsay ]
  * Add patch to fix
    - CVE-2017-9258 (Closes: #870854)
    - CVE-2017-9259 (Closes: #870856)
    - CVE-2017-9260 (Closes: #870857)

spip (3.0.17-2+deb8u4) jessie-security; urgency=medium

  * Update security screen to 1.3.6
  * Backport security fixes from 3.0.27
    - Secure inserted URL in anchors
    - Secure URLs sent by self()
    - Escape charset in error message
    - Allow filter mode to be passed in interdire_scripts()
    - No onclick nor JS popup in footer
    - [Privacy] add rel attribute (noopener noreferrer) in private footer
    - PHP injection via XML file

squid3 (3.4.8-6+deb8u5) jessie-security; urgency=high

  * Non-maintainer upload by the Security Team.
  * ESI: make sure endofName never exceeds tagEnd (CVE-2018-1000024)
    (Closes: #888719)
  * Fix indirect IP logging for transactions without a client connection
    (CVE-2018-1000027) (Closes: #888720)

squirrelmail (2:1.4.23~svn20120406-2+deb8u2) jessie-security; urgency=high

  * Non-maintainer upload by the Security Team.
  * Path traversal vulnerability (CVE-2018-8741)
    Directory traversal flaw in Deliver.class.php can allow a remote
    attacker to retrieve or delete arbitrary files. (Closes: #893202)

strongswan (5.2.1-6+deb8u6) jessie-security; urgency=medium

  * d/p/CVE-2018-10811.patch added, fix missing initialization of a
    variable in IKEv2 key derivation (CVE-2018-10811)
  * d/p/CVE-2018-5388 added, fix insufficient validation in the stroke
    plugin (CVE-2018-5388)

subversion (1.8.10-6+deb8u6) jessie; urgency=medium

* Backport patches/perl-swig-crash from upstream to fix crashes with Perl bindings, commonly seen when using git-svn (Closes: #780246, #534763). thunderbird (1:52.8.0-1~deb8u1) jessie-security; urgency=medium . [ Carsten Schoenert ] * Rebuild for jessie-security . [ intrigeri ] * [acc3a6b] Revert "apparmor: allow access to @{HOME}/.gnupg/tofu.db" (Cherry-picked from debian/sid to not differ the Apparmor settings between the Debian releases) thunderbird (1:52.7.0-1) unstable; urgency=medium . * [9eb2692] New upstream version 52.7.0 Fixed CVE issues in upstream version 52.7 (MFSA 2018-09) CVE-2018-5127: Buffer overflow manipulating SVG animatedPathSegList CVE-2018-5129: Out-of-bounds write with malformed IPC messages CVE-2018-5144: Integer overflow during Unicode conversion CVE-2018-5146: Out of bounds memory write in libvorbis CVE-2018-5125: Memory safety bugs fixed in Firefox 59, Firefox ESR 52.7, and Thunderbird 52.7 CVE-2018-5145: Memory safety bugs fixed in Firefox ESR 52.7 and Thunderbird 52.7 * [a01cf4b] Revert "Use gcc-6 and g++-6 due broken GUI with GCC-7" Switching now back to GCC7 as we don't have any longer issues with broken visuals in the GUI. (Closes: #892404) thunderbird (1:52.7.0-1~deb9u1) stretch-security; urgency=medium . [ Carsten Schoenert ] * Rebuild for stretch-security thunderbird (1:52.7.0-1~deb8u1) jessie-security; urgency=medium . [ Carsten Schoenert ] * Rebuild for jessie-security thunderbird (1:52.6.0-1) unstable; urgency=high . 
* [97e1cd7] New upstream version 52.6.0 Fixed CVE issues in upstream version 52.6 (MFSA 2018-04) CVE-2018-5095: Integer overflow in Skia library during edge builder allocation CVE-2018-5096: Use-after-free while editing form elements CVE-2018-5097: Use-after-free when source document is manipulated during XSLT CVE-2018-5098: Use-after-free while manipulating form input elements CVE-2018-5099: Use-after-free with widget listener CVE-2018-5102: Use-after-free in HTML media elements CVE-2018-5103: Use-after-free during mouse event handling CVE-2018-5104: Use-after-free during font face manipulation CVE-2018-5117: URL spoofing with right-to-left text aligned left-to-right CVE-2018-5089: Memory safety bugs fixed in Firefox 58, Firefox ESR 52.6, and Thunderbird 52.6 * [0300242] rebuild patch queue from patch-queue branch Added patch debian-hacks/icu-use-locale.h-instead-of-xlocale.h.patch that fixes the build of the included ICU source against glibc 2.26. (Closes: #887766) * [4bf22e0] debian/control: increase Standards-Version to 4.1.3 No further changes needed. * [3616443] adjust Vcs fields to salsa.debian.org The Vcs for Thunderbird packaging live now on Salsa as Alioth will be shutdown in the future. * [c2f3e14] lintian: ignore non multiarch install folder for thunderbird.pc Ignore a lintian warning about unavailable pkg-config file thunderbird.pc as the ESR versions 52.x are the last series which will have a thunderbird-dev. The next ESR version will be 60.x which uses webextension and makes thunderbird-dev obsolete. thunderbird (1:52.6.0-1~deb9u1) stretch-security; urgency=medium . [ Carsten Schoenert ] * Rebuild for stretch-security thunderbird (1:52.6.0-1~deb8u1) jessie-security; urgency=medium . [ Vincas Dargis ] * [e418a50] AppArmor: Fix Jessie AppArmor syntax error (Closes: #884217) . 
[ Carsten Schoenert ] * [edba169] debian/rules: override target dh_autoreconf Don't use dh_autoreconf, Mozilla uses wrapper around the autotools and we care about the needed files in debian/rules for long time anyway. * Rebuild for jessie-security thunderbird (1:52.5.2-2) unstable; urgency=medium . [ Carsten Schoenert ] * [f597157] Revert "d/thunderbird.postinst: reload AA profile on updates" The trigger automatics for appamor already is handling the needed reload on profile updates for the applications. (Closes: #885158) * [8ebdb96] debian/control: increase Standards-Version to 4.1.2 No further changes needed. * [81a8c00] use inverse logic on version for AA profile status check By this change we don't enforce the disabled profile from the previous version in some cases and can also handle possible version strings from -security and -backports. (Closes: #885157) thunderbird (1:52.5.2-2~deb9u1) stretch-security; urgency=medium . [ Carsten Schoenert ] * Rebuild for stretch-security thunderbird (1:52.5.2-2~deb8u1) jessie-security; urgency=medium . [ Carsten Schoenert ] * Rebuild for jessie-security thunderbird (1:52.5.2-1) unstable; urgency=high . [ intrigeri ] * [b791221] AppArmor: support new thunderbird executable path (Closes: #883561, #884217) . [ Carsten Schoenert ] * [1f46308] New upstream version 52.5.2 Fixed CVE issues in upstream version 52.5 (MFSA 2017-30) CVE-2017-7829: Mailsploit part 1: From address with encoded null character is cut off in message header display CVE-2017-7846: JavaScript Execution via RSS in mailbox:// origin CVE-2017-7847: Local path string can be leaked from RSS feed CVE-2017-7848: RSS Feed vulnerable to new line Injection * [0dd21b9] d/thunderbird.postinst: reload AA profile on updates * [8c57218] don't disable AA profile on package updates As people want to re-enable the AA profile a update of thunderbird doesn't have to disable this again. (Closes: #884191) thunderbird (1:52.5.0-1) unstable; urgency=high . 
[ intrigeri ] * [48e6b65] AppArmor: fix the Crash Reporter and avoid noisy denial logs (Closes: #880953) * [ad8b3b5] AppArmor: fix compatibility with NVIDIA hardware (Closes: #880532) * [d8ff6b6] Disable the AppArmor profile by default Due the various side effects by the enabled AppArmor profile in Thunderbird it's currently better for a user experience we disabling the AppArmor profile for to not get people get mad with to many broken things. Users can always enable the profile by themselves again. (Closes: #882672) * [e50eac5] README.Debian: document how to opt-in for AppArmor confinement * [860d325] README.Debian: document how one can debug the AppArmor profile . [Guido Günther] * [50a8f60] Drop myself from maintainers Thank you Guido for always helping out if we had some questions! . [ Carsten Schoenert ] * [b64509b] New upstream version 52.5.0 Fixed CVE issues in upstream version 52.5 (MFSA 2017-26) CVE-2017-7828: Use-after-free of PressShell while restyling layout CVE-2017-7830: Cross-origin URL information leak through Resource Timing API CVE-2017-7826: Memory safety bugs fixed in Firefox 57, Firefox ESR 52.5, and Thunderbird 52.5 * [3166018] thunderbird.links: let thunderbird pointing to thunderbird-bin (Closes: #856492) * [6fff70c] [buster] tb-wrapper: searching the correct dbgsym package * [4763ca6] adding a NEWS file for thunderbird package Giving a note about the now disabled AppArmor profile. * [0b9d656] disabling crashreporter for now Also don't build and ship the Crashreporter any more, it's useless until we can collect all symbols correctly. * [a285647] move AppArmor specific things into own README file Put all AppArmor related information into one dedicated file. * [5d56439] d/thunderbird.js: prepare a line for extra X-Debbugs-Cc A really old bug report ... building a compromise and put the requested extra header config into the configuration file but keep it deactivated as default. 
(Closes: #379304) thunderbird (1:52.5.0-1~deb9u1) stretch-security; urgency=medium . [ Carsten Schoenert ] * Rebuild for stretch-security . * [9fb0603] Revert "[buster] tb-wrapper: searching the correct dbgsym package" * [3ba70b8] Revert "[buster] move thunderbird-dbg into *-dbgsym package" * [b16725e] Revert "[buster] remove Replace and Breaks for icedove" * [9cf7315] Revert "[buster] remove transitional icedove package" * [a1b62c0] Revert "[buster] remove Replace, Breaks and Provides for icedove-dev" * [435f016] Revert "[buster] remove transitional icedove-dev package" * [43c5ec2] Revert "[buster] remove transitional icedove-dbg package" * [f014c58] Revert "[buster] remove Replace, Breaks and Provides for iceowl-extension" * [5db94a1] Revert "[buster] remove transitional iceowl-extension package" * [2860355] Revert "[buster] remove Replace, Breaks and Provides for icedove-l10n-*" * [f148d56] Revert "[buster] remove transitional icedove-l10n-* packages" * [b7debd2] Revert "[buster] remove Replace, Breaks and Provides for iceowl-l10n-*" * [e89d082] Revert "[buster] remove transitional iceowl-l10n-* packages" thunderbird (1:52.5.0-1~deb8u1) jessie-security; urgency=medium . [ Carsten Schoenert ] * Rebuild for jessie-security . 
* [d07b29f] Revert "[buster] tb-wrapper: searching the correct dbgsym package" * [6bd3655] Revert "[buster] move thunderbird-dbg into *-dbgsym package" * [5f1fa71] Revert "[buster] remove Replace and Breaks for icedove" * [17d9c31] Revert "[buster] remove transitional icedove package" * [c194e27] Revert "[buster] remove Replace, Breaks and Provides for icedove-dev" * [1118358] Revert "[buster] remove transitional icedove-dev package" * [14fefb8] Revert "[buster] remove transitional icedove-dbg package" * [d1f914b] Revert "[buster] remove Replace, Breaks and Provides for iceowl-extension" * [6f70669] Revert "[buster] remove transitional iceowl-extension package" * [d3976d0] Revert "[buster] remove Replace, Breaks and Provides for icedove-l10n-*" * [cb2c710] Revert "[buster] remove transitional icedove-l10n-* packages" * [7df3bd7] Revert "[buster] remove Replace, Breaks and Provides for iceowl-l10n-*" * [62617ed] Revert "[buster] remove transitional iceowl-l10n-* packages" thunderbird (1:52.4.0-2~exp1) experimental; urgency=medium . [ Carsten Schoenert ] * [a3e73e9] disable usage of libgnomeui parts The libgnomeui stuff (only relevant for GTK+2) is deprecated for a long time and will be removed in buster, and we don't need this at all. See https://lists.debian.org/debian-devel/2017/10/msg00299.html * [9efc5c9] debian/watch: switch to https * [bd5a635] rebuild patch queue from patch-queue branch Fixup for [da3c5cc], add ppc64 to the list of BE architectures. Thanks Adrian Glaubitz for pointing the issue. (Closes: #879270) * [42f5ab5] apparmor: update profile from upstream (Closes: #876333, #855346) . [ intrigeri ] * [d7febc8, b026d28] AppArmor: update profile from upstream (Closes: #880425, #877324) * [377e7b5] README.Debian: fixing small typo * [3b0a63a] AppArmor: fix importing public OpenPGP keys from file (Closes: #880715) . 
[ Carsten Schoenert ] * [241690e] d/control: s/Icedove/Thunderbird in desc's for lightning-l10n-* The lightning-l10n package were still using the name 'Icdeove' instead of 'Thunderbird'. * [f17f735] debian/control: moving transitional packages at bottom * [91f9897] autopkg: adjust icedove to thunderbird depends Now move over to depend in favor of thunderbird for some of the autopkg tests. * [8ae2ad7] autopkg: adjust icedove-dev to thunderbird-dev depends Doing the same as before for thunderbird-dev as the native replacement for icedove-dev. * [fa0134c] bump debhelper >= 10.2.5 * [8752789] debian/rules: try to build extensions reproducible The two extensions (lightning and calendar-google-provider) don't build reproducible right now. Trying to fix this by using the timestamp from the changelog entry for the files. May not work correctly and we need to tune more. * [1496368] d/thunderbird.install: also install the fonts folder Recent versions of Thunderbird needing the font EmojiOne which isn't provided by any other package. (Closes: #881299) . The following changes are take effect in removing all transitional packages related to the old icedove packaging only for buster. We still need all the transitional packages in wheezy, jessie and stretch! 
* [54c8a9b] [buster] remove transitional iceowl-l10n-* packages * [c338630] [buster] remove Replace, Breaks and Provides for iceowl-l10n-* * [4311683] [buster] remove transitional icedove-l10n-* packages * [f6e3a01] [buster] remove Replace, Breaks and Provides for icedove-l10n-* * [a9117e4] [buster] remove transitional iceowl-extension package * [5aed012] [buster] remove Replace, Breaks and Provides for iceowl-extension * [27fc04b] [buster] remove transitional icedove-dbg package * [53b4825] [buster] remove transitional icedove-dev package * [e2d808f] [buster] remove Replace, Breaks and Provides for icedove-dev * [97edfbe] [buster] remove transitional icedove package * [3748054] [buster] remove Replace and Breaks for icedove * [611a704] [buster] move thunderbird-dbg into *-dbgsym package thunderbird (1:52.4.0-1) unstable; urgency=medium . [ Guido Günther ] * [da3c5cc] Simplify endianness selection for ICU Since we need to build ICU on the various Debian releases we need to ensure the architecture detection isn't to strict. Thanks Guido for helping out here! . [ Carsten Schoenert ] * [47748ca] debian/control: be more relaxed on Breaks for enigmail * [6a54666] thunderbird-wrapper: fix small typo in help output A small typo was happen in the example call with the JS console. * [6d5266e] README.Debian: update info around tls fallback-limit The default behavior on the TLS fallback has changed some versions ago, document this accordingly. * [24ad883] debian/control: change maintainer Thanks Christoph for the work over the past years! * [c78200e] debian/control: move src pkg name to thunderbird By this version we move the source package name also back to thunderbird. This follows the changes that are already made to the binary package names and we can call the source package now also again thunderbird. 
(Closes: #857075) * [c26133d] debian/gbp.conf: rename components to real used names Due the changes of the source package the names for the sub-folders within the additional tarballs can also be changed to be closer on the real upstream used names. * [a5ce4f7] New upstream version 52.4.0 (Closes: #878845, #878870) Fixed CVE issues in upstream version 52.0 (MFSA 2017-23) CVE-2017-7793: Use-after-free with Fetch API CVE-2017-7818: Use-after-free during ARIA array manipulation CVE-2017-7819: Use-after-free while resizing images in design mode CVE-2017-7824: Buffer overflow when drawing and validating elements with ANGLE CVE-2017-7805: Use-after-free in TLS 1.2 generating handshake hashes CVE-2017-7814: Blob and data URLs bypass phishing and malware protection warnings CVE-2017-7825: OS X fonts render some Tibetan and Arabic unicode characters as spaces CVE-2017-7823: CSP sandbox directive did not create a unique origin CVE-2017-7810: Memory safety bugs fixed in Firefox 56 and Firefox ESR 52.4, and Thunderbird 52.4 * [104b4e5] rebuild patch queue from patch-queue branch * [d63662a] lintian: move oldlibs/extra -> oldlibs/optional By moving all transitional package to oldlibs/optional we can help deborphan to detect better not needed packages. * [fb56001] d/rules: reflect changes from renamed component tarballs The additional tarballs are stored in folders which reflect the upstream names of those components. This also needs to be respected for the build instructions of the package. * [61288fb] debian/control: change Vcs* fields due the src name change Addressing the changed source package name in the Git Vcs urls. * [ef95ab5] debian/control: increase Standards-Version to 4.1.1 No further changes needed. * [45e8fe2] apparmor: update profile from upstream Thanks to Simon Deziel and intrigeri we can simply use the apparmor profile changes done for the Ubuntu releases. 
* [6b1649c] lintian: adding a override for thunderbird-l10n-all * [ceab93f] debian/README.source: reflect src package name change thunderbird (1:52.4.0-1~deb9u1) stretch-security; urgency=medium . [ Carsten Schoenert ] * Rebuild for stretch-security . [ Guido Günther ] * [da3c5cc] Simplify endianness selection for ICU Since we need to build ICU on the various Debian releases we need to ensure the architecture detection isn't to strict. Thanks Guido for helping out here! . [ Carsten Schoenert ] * [47748ca] debian/control: be more relaxed on Breaks for enigmail * [6a54666] thunderbird-wrapper: fix small typo in help output A small typo was happen in the example call with the JS console. * [6d5266e] README.Debian: update info around tls fallback-limit The default behavior on the TLS fallback has changed some versions ago, document this accordingly. * [24ad883] debian/control: change maintainer Thanks Christoph for the work over the past years! * [c78200e] debian/control: move src pkg name to thunderbird By this version we move the source package name also back to thunderbird. This follows the changes that are already made to the binary package names and we can call the source package now also again thunderbird. (Closes: #857075) * [c26133d] debian/gbp.conf: rename components to real used names Due the changes of the source package the names for the sub-folders within the additional tarballs can also be changed to be closer on the real upstream used names. 
* [a5ce4f7] New upstream version 52.4.0 (Closes: #878845, #878870) Fixed CVE issues in upstream version 52.0 (MFSA 2017-23) CVE-2017-7793: Use-after-free with Fetch API CVE-2017-7818: Use-after-free during ARIA array manipulation CVE-2017-7819: Use-after-free while resizing images in design mode CVE-2017-7824: Buffer overflow when drawing and validating elements with ANGLE CVE-2017-7805: Use-after-free in TLS 1.2 generating handshake hashes CVE-2017-7814: Blob and data URLs bypass phishing and malware protection warnings CVE-2017-7825: OS X fonts render some Tibetan and Arabic unicode characters as spaces CVE-2017-7823: CSP sandbox directive did not create a unique origin CVE-2017-7810: Memory safety bugs fixed in Firefox 56 and Firefox ESR 52.4, and Thunderbird 52.4 * [104b4e5] rebuild patch queue from patch-queue branch * [d63662a] lintian: move oldlibs/extra -> oldlibs/optional By moving all transitional package to oldlibs/optional we can help deborphan to detect better not needed packages. * [fb56001] d/rules: reflect changes from renamed component tarballs The additional tarballs are stored in folders which reflect the upstream names of those components. This also needs to be respected for the build instructions of the package. * [61288fb] debian/control: change Vcs* fields due the src name change Addressing the changed source package name in the Git Vcs urls. * [ef95ab5] debian/control: increase Standards-Version to 4.1.1 No further changes needed. * [45e8fe2] apparmor: update profile from upstream Thanks to Simon Deziel and intrigeri we can simply use the apparmor profile changes done for the Ubuntu releases. * [6b1649c] lintian: adding a override for thunderbird-l10n-all * [ceab93f] debian/README.source: reflect src package name change thunderbird (1:52.4.0-1~deb8u1) jessie-security; urgency=medium . [ Carsten Schoenert ] * Rebuild for jessie-security . 
[ Guido Günther ] * [da3c5cc] Simplify endianness selection for ICU Since we need to build ICU on the various Debian releases we need to ensure the architecture detection isn't to strict. Thanks Guido for helping out here! . [ Carsten Schoenert ] * [47748ca] debian/control: be more relaxed on Breaks for enigmail * [6a54666] thunderbird-wrapper: fix small typo in help output A small typo was happen in the example call with the JS console. * [6d5266e] README.Debian: update info around tls fallback-limit The default behavior on the TLS fallback has changed some versions ago, document this accordingly. * [24ad883] debian/control: change maintainer Thanks Christoph for the work over the past years! * [c78200e] debian/control: move src pkg name to thunderbird By this version we move the source package name also back to thunderbird. This follows the changes that are already made to the binary package names and we can call the source package now also again thunderbird. (Closes: #857075) * [c26133d] debian/gbp.conf: rename components to real used names Due the changes of the source package the names for the sub-folders within the additional tarballs can also be changed to be closer on the real upstream used names. 
* [a5ce4f7] New upstream version 52.4.0 (Closes: #878845, #878870) Fixed CVE issues in upstream version 52.0 (MFSA 2017-23) CVE-2017-7793: Use-after-free with Fetch API CVE-2017-7818: Use-after-free during ARIA array manipulation CVE-2017-7819: Use-after-free while resizing images in design mode CVE-2017-7824: Buffer overflow when drawing and validating elements with ANGLE CVE-2017-7805: Use-after-free in TLS 1.2 generating handshake hashes CVE-2017-7814: Blob and data URLs bypass phishing and malware protection warnings CVE-2017-7825: OS X fonts render some Tibetan and Arabic unicode characters as spaces CVE-2017-7823: CSP sandbox directive did not create a unique origin CVE-2017-7810: Memory safety bugs fixed in Firefox 56 and Firefox ESR 52.4, and Thunderbird 52.4 * [104b4e5] rebuild patch queue from patch-queue branch * [d63662a] lintian: move oldlibs/extra -> oldlibs/optional By moving all transitional package to oldlibs/optional we can help deborphan to detect better not needed packages. * [fb56001] d/rules: reflect changes from renamed component tarballs The additional tarballs are stored in folders which reflect the upstream names of those components. This also needs to be respected for the build instructions of the package. * [61288fb] debian/control: change Vcs* fields due the src name change Addressing the changed source package name in the Git Vcs urls. * [ef95ab5] debian/control: increase Standards-Version to 4.1.1 No further changes needed. * [45e8fe2] apparmor: update profile from upstream Thanks to Simon Deziel and intrigeri we can simply use the apparmor profile changes done for the Ubuntu releases. * [6b1649c] lintian: adding a override for thunderbird-l10n-all * [ceab93f] debian/README.source: reflect src package name change thunderbird (1.5.0.7-2) unstable; urgency=low * go through new upload ... 
reenable thunderbird-dbg * increase reference count for fontconfig charset 91_fontconfig_reference_increment_388739 (Closes: 388739) thunderbird (1.5.0.7-1) unstable; urgency=high * disabled new package to avoid queue new: thunderbird-dbg * new upstream release fixes security issues: + MFSA 2006-64 - CVE-2006-4571 + MFSA 2006-63 - CVE-2006-4570 + MFSA 2006-62 - CVE-2006-4569 + MFSA 2006-61 - CVE-2006-4568 + MFSA 2006-60 - CVE-2006-4340 (related to CVE-2006-4339) + MFSA 2006-59 - CVE-2006-4253 + MFSA 2006-58 - CVE-2006-4567 + MFSA 2006-57 - CVE-2006-4565, CVE-2006-4566 * disable patch 90_gcc-extern-fix, because it has been pulled in upstream * disable 91_271815.overthespot.v1.2, because applied upstream thunderbird (1.5.0.5-1) unstable; urgency=high * new upstream release fixes various security flaws: + MFSA 2006-44, CVE-2006-3801 + MFSA 2006-46, CVE-2006-3113 + MFSA 2006-47, CVE-2006-3802 + MFSA 2006-48, CVE-2006-3803 + MFSA 2006-49, CVE-2006-3804 + MFSA 2006-50, CVE-2006-3805, CVE-2006-3806 + MFSA 2006-51, CVE-2006-3807 + MFSA 2006-52, CVE-2006-3808 + MFSA 2006-53, CVE-2006-3809 + MFSA 2006-54, CVE-2006-3810 + MFSA 2006-55, CVE-2006-3811 * including patch 91_271815.overthespot.v1.2.dpatch (Closes: 379936, 363814) * improve manpage: Document -g, --debug options (Closes: 381096) * update for ja.po, contributed by Kenshi Muto (Closes: 379946) * update for pt.po, contributed by Rui Branco (Closes: 381444) * Provide virtual package news-reader (Closes: 363834) * Apply patch which introduces ReplyToList MessageType. This is the base to allow extensions that provide ReplyToList button to get installed. Thanks to Armin Berres for pointing out this unintrusive patch. 
(Closes: 381273) * fix README.Debian for firefox integration as well as example of global pref.js (firefox.js.tmpl) (Closes: 363723) * further improvements for README.Debian * fix gnome integration program path in a hard-coded fashion in 91_gnome_path_fix.dpatch (Closes: 365610) thunderbird (1.5.0.4-3) unstable; urgency=critical * fixing gcc-4.1 ftbfs (Closes: 377176) * improved manpage by Bastian Kleineidam documenting -safe-mode option (Closes: 370254) * include *no xgot* patch for mips/mipsel contributed by Thiemo Seufer (Closes: 374882) thunderbird (1.5.0.4-2) unstable; urgency=critical * fix version in install.rdf for inspector and typeaheafind (Closes: 374382) * (last one was a new upstream release fixing various security issues (Closes: 373878, 373553) * urgency=critical thunderbird (1.5.0.4-1) unstable; urgency=low * new upstream release fixing various security issues: MFSA 2006-42, CVE-2006-2783: Web site XSS using BOM on UTF-8 pages MFSA 2006-40, CVE-2006-2781: Double-free on malformed VCard MFSA 2006-38, CVE-2006-2778: Buffer overflow in crypto.signText() MFSA 2006-37, CVE-2006-2776: Remote compromise via content-defined setter on object prototypes MFSA 2006-35, CVE-2006-2775: Privilege escalation through XUL persist MFSA 2006-33, CVE-2006-2786: HTTP response smuggling MFSA 2006-32, CVE-2006-2779, CVE-2006-2780: Fixes for crashes with potential memory corruption MFSA 2006-31, CVE-2006-2787: EvalInSandbox escape (Proxy Autoconfig, Greasemonkey) * build depends: + xorg-dev -> libx11-dev, libxt-dev, libxinerama-dev, libxft-dev, libfreetype6-dev, libxrender-dev + removed binutils, coreutils and po-debconf * enable xinerama in debian/rules * fixed lintian errors: + do not depend on xorg dev meta package + debhelper depend is now versioned + changed package description(s) to not start with 'thunderbird' thunderbird (1.5.0.2-3) unstable; urgency=low * patch-robbery from firefox package: + removed old mips and arm patches + added 50_arch_arm_fix + added 
50_arch_alpha_fix + added 50_arch_m68k_fix + added 50_arch_mips_Makefile_fix + added 50_arch_mips_fix (Closes: 357755) + added 50_arch_parisc_Makefile_fix + added 50_arch_parisc_fix * included install.rdf for default theme in extensions dir (Closes: 363956) * removed chrome.d locales.d extensions.d from var/lib/thunderbird thunderbird (1.5.0.2-2) unstable; urgency=critical * debian/thunderbird.sgml. Greatly improved manpage for thunderbird, thanks to Sam Morris for contributing this (Closes: 361069) * add missing build depend to sharutils to fix ftbfs (Closes: 365539) * fix gnome-support package removing gnome dependencies from pure thunderbird package. * set urgency to critical which I forgot to set properly for the last upload thunderbird (1.5.0.2-1) unstable; urgency=low * removed enable xprint in order to build after X11R7 transition. * removed xprint recommends from control file. * 91_fontsfix_359763.dpatch: fix for 'thunderbird shows text illegibly' for some encodings. (Closes: 359763) * myspell is now depends (Closes: 357623) * (re-)including 10_mips_optimization_patch * debian/patches/90_ppc64-build-fix.dpatch: patch for 'FTBFS (ppc64)', thanks to Andreas Jochens for adding the final patch to the report. (Closes: 361036) * Thanks to Bastian Kleineidam for contributing: * Standards version 3.6.2.1 * Use debhelper v5 with debian/compat * Remove unneeded thunderbird.conffiles now that debhelper v5 is used * Remove CVS directories in debian/ * Fix debian/changelog syntax errors, and convert to UTF-8 * Fix bashism in debian/thunderbird.postrm, using 2> instead of &>. * Add ${misc:Depends} to thunderbird* dependencies, fixing a missing dependency on debconf * Move db_input commands from postinst into a separate thunderbird.config file. * distinct gnome-support package added. adds a good bunch of gnome build depends to allow module linking against gnome libs. 
  * added new fhunderbird-branding in debian/fhunderbird-branding.tmpl
    (Closes: 358198)
  * use only one profile directory in configure (Closes: 358378)
  * Various security issues are fixed in this release. Namely:
    CVE-2006-1741 CVE-2006-1742 CVE-2006-1737 CVE-2006-1738 CVE-2006-1739
    CVE-2006-1740 CVE-2006-1736 CVE-2006-1735 CVE-2006-1734 CVE-2006-1733
    CVE-2006-1732 CVE-2006-0749 CVE-2006-1731 CVE-2006-1724 CVE-2006-0884
    CVE-2006-1730 CVE-2006-1729 CVE-2006-1728 CVE-2006-1727 CVE-2006-1045
    CVE-2006-0748 CVE-2006-1726 CVE-2006-1725 CVE-2005-2353 CVE-2006-1529
    CVE-2006-1530 CVE-2006-1531 CVE-2006-1723 CVE-2006-0292/CVE-2006-0293
    (Closes: 349242) CVE-2006-0294 CVE-2006-0295 CVE-2006-0296 CVE-2006-0297
    CVE-2006-0298 CVE-2006-0299

tiff (4.0.3-12.3+deb8u5) jessie-security; urgency=high

  [ Laszlo Boszormenyi (GCS) ]
  * Fix CVE-2017-11335: heap based buffer write overflow in tiff2pdf
    (closes: #868513).
  * Fix CVE-2017-12944: OOM prevention in TIFFReadDirEntryArray()
    (closes: #872607).
  * Fix CVE-2017-13726: reachable assertion abort in TIFFWriteDirectorySec()
    (closes: #873880).
  * Fix CVE-2017-13727: reachable assertion abort in
    TIFFWriteDirectoryTagSubifd() (closes: #873879).
  * Fix CVE-2017-18013: NULL pointer dereference in TIFFPrintDirectory()
    (closes: #885985).
  * Fix CVE-2017-9935: heap-based buffer overflow in the t2p_write_pdf()
    function (closes: #866109).

  [ Moritz Muehlenhoff ]
  * CVE-2016-10371

tomcat-native (1.1.32~repack-2+deb8u1) jessie-security; urgency=high

  * Non-maintainer upload by the LTS.
  * Fix CVE-2017-15698: When parsing the AIA-Extension field of a client
    certificate, Apache Tomcat Native did not correctly handle fields longer
    than 127 bytes. The result of the parsing error was to skip the OCSP
    check. It was therefore possible for client certificates that should have
    been rejected (if the OCSP check had been made) to be accepted. Users not
    using OCSP checks are not affected by this vulnerability.

tor (0.2.5.16-1) jessie-security; urgency=medium
  * New upstream version, including among others:
    - Fix a denial of service bug where an attacker could use a malformed
      directory object to cause a Tor instance to pause while OpenSSL would
      try to read a passphrase from the terminal. (Tor instances run without
      a terminal, which is the case for most Tor packages, are not impacted.)
      Fixes bug 24246; bugfix on every version of Tor. Also tracked as
      TROVE-2017-011 and CVE-2017-8821. Found by OSS-Fuzz as testcase
      6360145429790720.
    - When checking for replays in the INTRODUCE1 cell data for a (legacy)
      onion service, correctly detect replays in the RSA-encrypted part of
      the cell. We were previously checking for replays on the entire cell,
      but those can be circumvented due to the malleability of Tor's legacy
      hybrid encryption. This fix helps prevent a traffic confirmation
      attack. Fixes bug 24244; bugfix on 0.2.4.1-alpha. This issue is also
      tracked as TROVE-2017-009 and CVE-2017-8819.
    - When running as a relay, make sure that we never build a path through
      ourselves, even in the case where we have somehow lost the version of
      our descriptor appearing in the consensus. Fixes part of bug 21534;
      bugfix on 0.2.0.1-alpha. This issue is also tracked as TROVE-2017-012
      and CVE-2017-8822.

transmission (2.84-0.2+deb8u1) jessie-security; urgency=medium

  * Fix RPC vulnerability discovered by Tavis Ormandy

tzdata (2018e-0+deb8u1) jessie; urgency=medium

  [ Aurelien Jarno ]
  * New upstream version, affecting the following future timestamp:
    - North Korea switches back to +09 on 2018-05-05.

tzdata (2018d-1) unstable; urgency=medium

  [ Aurelien Jarno ]
  * debian/control: Update Vcs-Git and Vcs-Browser fields following the move
    to Salsa.

  [ Clint Adams ]
  * New upstream version.
  * Remove Pacific-New as a choice. closes: #815200.

tzdata (2018d-0+deb9u1) stretch; urgency=medium

  * New upstream version.

tzdata (2018d-0+deb8u1) jessie; urgency=medium

  * New upstream version.

tzdata (2018c-1) unstable; urgency=medium
  [ Aurelien Jarno ]
  * New upstream version.
  * debian/control: Update Standards-Version to 4.1.3.
  * debian/patches/quiltrc: Remove.

tzdata (2018c-0+deb9u1) stretch; urgency=medium

  * New upstream version, affecting the following past and future timestamps:
    - São Tomé and Príncipe switched from +00 to +01 on 2018-01-01 at 01:00.
    - Southern Brazil will begin DST on 2018-11-04 instead of 2018-10-21.
  * debian/control: Update Vcs-Git and Vcs-Browser fields following the move
    to Salsa.

tzdata (2018c-0+deb8u1) jessie; urgency=medium

  * New upstream version, affecting the following past and future timestamps:
    - São Tomé and Príncipe switched from +00 to +01 on 2018-01-01 at 01:00.
    - Southern Brazil will begin DST on 2018-11-04 instead of 2018-10-21.

tzdata (2018b-1) unstable; urgency=medium

  [ Aurelien Jarno ]
  * Update Russian debconf translation, by Lev Lamberov. Closes: #883876.
  * Update German debconf translation, by Holger Wansing. Closes: #884811.

  [ Clint Adams ]
  * New upstream version.

tzdata (2017c-1) unstable; urgency=medium

  * New upstream version, affecting the following future timestamps:
    - Northern Cyprus resumed EU rules starting 2017-10-29.
    - Namibia will switch from +01 with DST to +02 all year, affecting UT
      offsets starting 2018-04-01.
    - Sudan will switch from +03 to +02 on 2017-11-01.
    - Tonga will not observe DST on 2017-11-05.
    - Turks & Caicos will switch from -04 all year to -05 with US DST,
      affecting UT offset starting 2018-11-04.
  * debian/control, debian/copyright: update upstream links to use https.
  * debian/upstream/signing-key.asc: new file.
  * debian/watch: update watch file to version 4, add check for the OpenPGP
    signatures.
  * debian/control: Update Standards-Version to 4.1.1.

tzdata (2017c-0+deb9u1) stretch; urgency=medium

  * New upstream version, affecting the following future timestamps:
    - Northern Cyprus resumed EU rules starting 2017-10-29.
    - Namibia will switch from +01 with DST to +02 all year, affecting UT
      offsets starting 2018-04-01.
    - Sudan will switch from +03 to +02 on 2017-11-01.
    - Tonga will not observe DST on 2017-11-05.
    - Turks & Caicos will switch from -04 all year to -05 with US DST,
      affecting UT offset starting 2018-11-04.

uwsgi (2.0.7-1+deb8u2) jessie-security; urgency=high

  * Non-maintainer upload by the Security Team.
  * Stack-based buffer overflow in uwsgi_expand_path function (CVE-2018-6758)
    (Closes: #889753)
  * enforce php default document_root behaviour, to not show external files
    (CVE-2018-7490) (Closes: #891639)

virtualbox-guest-additions-iso (4.3.36-1+deb8u1) jessie; urgency=medium

  * New upstream bugfix release.
    - Addressed CVE-2016-0592, CVE-2016-0495, CVE-2015-8104, CVE-2015-7183,
      CVE-2015-5307, CVE-2015-7183, CVE-2015-4813, CVE-2015-4896,
      CVE-2015-3456

virtualbox-guest-additions-iso (4.3.30-1) unstable; urgency=medium

  * New upstream release.
  * Conflict with upstream proprietary packages 5.0 series.

virtualbox-guest-additions-iso (4.3.28-1) unstable; urgency=medium

  * New upstream release (Closes: #786662).

virtualbox-guest-additions-iso (4.3.26-2) unstable; urgency=medium

  * Upload to Unstable

virtualbox-guest-additions-iso (4.3.26-1) experimental; urgency=medium

  * New upstream release.
  * Conflict with upstream proprietary packages 4.3 series.

virtualbox-guest-additions-iso (4.3.24-1) experimental; urgency=medium

  * New upstream release.

virtualbox-guest-additions-iso (4.3.22-1) experimental; urgency=medium

  * New upstream release.
  * Update copyright year.

virtualbox-guest-additions-iso (4.3.20-1) experimental; urgency=medium

  * New upstream release.

wget (1.16-1+deb8u5) jessie-security; urgency=high

  * Non-maintainer upload by the Security Team.
  * Fix cookie injection (CVE-2018-0494) (Closes: #898076)

wireshark (1.12.1+g01b65bf-4+deb8u14) jessie-security; urgency=medium

  * CVE-2018-11358 CVE-2018-11362 CVE-2018-7334 CVE-2018-7335
  * CVE-2018-7419 CVE-2018-9261

wireshark (1.12.1+g01b65bf-4+deb8u13) jessie-security; urgency=medium
  * Non-maintainer upload by the Wheezy LTS Team.
  * fix for CVE-2018-5334
  * fix for CVE-2018-5335
  * fix for CVE-2018-5336
    Several parsers of wireshark could be crashed by malformed packets.

wireshark (1.12.1+g01b65bf-4+deb8u12) jessie-security; urgency=medium

  * CVE-2017-11408 CVE-2017-17083 CVE-2017-17084 CVE-2017-17085

wordpress (4.1+dfsg-1+deb8u17) jessie-security; urgency=high

  * Non-maintainer upload.
  * Fix CVE-2018-10100: the redirection URL for the login page was not
    validated or sanitized if forced to use HTTPS.
  * Fix CVE-2018-10102: the version string was not escaped in the
    get_the_generator function, and could lead to XSS in a generator tag.
    (Closes: #895034)

wordpress (4.1+dfsg-1+deb8u16) jessie-security; urgency=high

  * Backport security patches from 4.9.1
    - CVE-2017-17091 Changeset: 42296
      Use a properly generated hash for the newbloguser key instead of a
      determinate substring.
    - CVE-2017-17092 Changeset: 42299
      Remove the ability to upload JavaScript files for users who do not have
      the unfiltered_html capability
    - CVE-2017-17093 Changeset: 42297
      Add escaping to the language attributes used on html elements
    - CVE-2017-17094 Changeset: 42298
      Ensure the attributes of enclosures are correctly escaped in RSS and
      Atom feeds
  * Additional two patches for security fixes
    - CVE-2017-9066 Redirect validation patch from backports
    - CVE-2017-16510 Changeset: 42064
      Restore numbered placeholders in $wpdb->prepare

xdg-utils (1.1.0~rc1+git20111210-7.4+deb8u1) jessie-security; urgency=high

  * Fix CVE-2017-18266, closes: #898317.
    - Avoid argument injection vulnerability in open_generic.

xerces-c (3.1.1-5.1+deb8u4) jessie; urgency=medium

  * Fix CVE-2017-12627: Alberto Garcia, Francisco Oca and Suleman Ali of
    Offensive Research discovered that the Xerces-C XML parser mishandles
    certain kinds of external DTD references, resulting in dereference of a
    NULL pointer while processing the path to the DTD. The bug allows for a
    denial of service attack in applications that allow DTD processing and do
    not prevent external DTD usage, and could conceivably result in remote
    code execution.

xmltooling (1.5.3-2+deb8u3) jessie-security; urgency=high

  * [2890d0c] New patches fixing CVE-2018-0489: additional data forgery flaws.
    These flaws allow for changes to an XML document that do not break a
    digital signature but alter the user data passed through to applications
    enabling impersonation attacks and exposure of protected information.
    https://shibboleth.net/community/advisories/secadv_20180227.txt
    https://issues.shibboleth.net/jira/browse/CPPXT-128
    The Add-disallowDoctype-to-parser-configuration.patch is not effective
    under Xerces 3.1 in jessie, but provides more generic protection under
    Xerces 3.2 against issues like CVE-2018-0486. It's included here for
    completeness and to avoid a conflict applying the CVE-2018-0489 patch.

xmltooling (1.5.3-2+deb8u2) jessie-security; urgency=high

  * [5c2845b] Add gbp.conf for jessie
  * [0ffc343] Convert our single patch into a proper patch queue
  * [91e7acb] New patch: CVE-2018-0486: vulnerability to forged user
    attribute data
    The Service Provider software relies on a generic XML parser to process
    SAML responses and there are limitations in older versions of the parser
    that make it impossible to fully disable Document Type Definition (DTD)
    processing. Through addition/manipulation of a DTD, it's possible to make
    changes to an XML document that do not break a digital signature but are
    mishandled by the SP and its libraries. These manipulations can alter the
    user data passed through to applications behind the SP and result in
    impersonation attacks and exposure of protected information. While the
    use of XML Encryption can serve as a mitigation for this bug, it may
    still be possible to construct attacks in such cases, and the SP does not
    provide a means to enforce its use.
    CPPXT-127 - Block entity reference nodes during unmarshalling.
    https://issues.shibboleth.net/jira/browse/CPPXT-127
    Thanks to Scott Cantor
  * [49b7352] Update Uploaders: add Etienne, remove Russ, update myself

zookeeper (3.4.9-3+deb8u1) jessie-security; urgency=high

  * Team upload.
  * Fix CVE-2018-8012: No authentication/authorization is enforced when a
    server attempts to join a quorum in Apache ZooKeeper. As a result an
    arbitrary end point could join the cluster and begin propagating
    counterfeit changes to the leader. (Closes: #899332)

zookeeper (3.4.9-3) unstable; urgency=medium

  * Team upload.
  * Apply patch for CVE-2017-5637 (Closes: #863811)
    "wchp" and "wchc" are now disabled by default.

zookeeper (3.4.9-2) unstable; urgency=medium

  * Team upload.
  * Apply patch to set JAVA in the environment (Closes: #839184)
    - Thank you to Felix Dreissig.
  * Add patch for spelling corrections in upstream source.

zookeeper (3.4.9-1) unstable; urgency=medium

  * Team upload.
  * New upstream release
    - Refreshed the patches
    - Updated debian/pom.xml
  * Updated the upstream signing keys

zookeeper (3.4.8-2) unstable; urgency=medium

  * Team upload.
  * Add systemd unit file. (Closes: #830222)
    - Thanks to Felix Dreissig for the patch series.
  * Add dh-python to Build-Depends. (Closes: #830216)
    - Thanks to Felix Dreissig for the patch.
  * Standards-Version updated to 3.9.8 (no changes)

zookeeper (3.4.8-1) unstable; urgency=medium

  * Team upload.
  * New upstream release
    - Refreshed the patches
    - Updated debian/pom.xml
  * Build with ivy-debian-helper
  * Standards-Version updated to 3.9.7 (no changes)
  * Use secure Vcs-* URLs

zookeeper (3.4.7-1) unstable; urgency=medium

  * Team upload.
  * New upstream release
    - Refreshed the patches
    - Updated debian/pom.xml
  * Updated the upstream signing keys

zookeeper (3.4.6-8) unstable; urgency=medium

  * Team upload.
  * Fixed the netty dependency for libzookeeper-java (Closes: #797229)

zookeeper (3.4.6-7) unstable; urgency=medium

  * Team upload.
  * Build-dep on liblogx4cxx-dev. See transition bug #792013.
    (Closes: #794418)

zookeeper (3.4.6-6) unstable; urgency=medium

  * Team upload.
  * Depend on libnetty-3.9-java instead of libnetty-java

zookeeper (3.4.6-5) unstable; urgency=medium

  * Team upload.
  * Fixed the packaging type of the Maven artifact (pom -> jar)
  * Improved the build reproducibility:
    - Set the locale to 'en' when generating the javadoc

zookeeper (3.4.6-4) unstable; urgency=medium

  * Team upload.
  * Upload to unstable
  * Improved the build reproducibility:
    - Removed the Built-At, Built-By and Built-On entries in the manifests
    - Use the changelog date as the build date in Info.java

zookeeper (3.4.6-3) experimental; urgency=medium

  * Team upload.
  * Fixed the Maven rule for netty to work with maven-repo-helper << 1.8.10

zookeeper (3.4.6-2) experimental; urgency=medium

  * Team upload.
  * Fixed the groupId of netty in the installed pom

zookeeper (3.4.6-1) experimental; urgency=medium

  * Team upload.

  [ James Page ]
  * d/control: Bump epoch on default-jdk BD to exclude architectures which
    don't have Java 6 or better (Closes: #742405).

  [ Tim Retout ]
  * New upstream version. (Closes: #756982)
  * debian/patches: Refresh patches.

  [ Emmanuel Bourg ]
  * Install the Maven artifacts (Closes: #775893)
  * Standards-Version updated to 3.9.6 (no changes)
  * Fixed some lintian warnings related to debian/copyright
  * libzookeeper-java suggests libzookeeper-java-doc but doesn't recommend it
  * Install the API documentation under /usr/share/doc/libzookeeper-java
    instead of usr/share/doc/libzookeeper-java-doc
  * debian/orig-tar.sh:
    - Removed src/contrib/loggraph from the upstream tarball since it isn't
      used and is missing the source of a minimized JavaScript file
      (yui-min.js)
    - Use XZ compression for the upstream tarball
    - Delete the non-filtered upstream tarball after unpacking it
  * Added the .patch extension to the patches
  * Added the missing patch descriptions

======================================
Sat, 09 Dec 2017 - Debian 8.10 released
======================================

=========================================================================
[Date: Sat, 09 Dec 2017 09:40:02 +0000] [ftpmaster: Archive Administrator]
Removed the following packages from oldstable:

aiccu | 20070115-15.2 | source, amd64, arm64, armel, armhf, i386, mips, mipsel, powerpc, ppc64el, s390x
Closed bugs: 869273

------------------- Reason -------------------
useless since shutdown of SixXS
----------------------------------------------
=========================================================================

=========================================================================
[Date: Sat, 09 Dec 2017 09:41:29 +0000] [ftpmaster: Archive Administrator]
Removed the following packages from oldstable:

libnet-ping-external-perl | 0.13-1 | source, all
Closed bugs: 881202

------------------- Reason -------------------
unmaintained, security issues
----------------------------------------------
=========================================================================

=========================================================================
[Date: Sat, 09 Dec 2017 09:51:06 +0000] [ftpmaster: Archive Administrator]
Removed the following packages from oldstable:

firefox-esr-l10n-be | 45.9.0esr-1~deb8u1 | all

------------------- Reason -------------------
[auto-cruft] no longer built from source
----------------------------------------------
=========================================================================

=========================================================================
[Date: Sat, 09 Dec 2017 09:51:27 +0000] [ftpmaster: Archive Administrator]
Removed the following packages from oldstable:

iceweasel-l10n-be | 1:45.9.0esr-1~deb8u1 | all

------------------- Reason -------------------
[auto-cruft] no longer built from source
----------------------------------------------
=========================================================================

=========================================================================
[Date: Sat, 09 Dec 2017 09:51:34 +0000] [ftpmaster: Archive Administrator]
Removed the following packages from oldstable:

enigmail | 2:1.8.2-4~deb8u1 | amd64, arm64, armel, armhf, i386, mips, mipsel, powerpc, ppc64el, s390x

------------------- Reason -------------------
[auto-cruft] obsolete arch any package
----------------------------------------------
=========================================================================

apache2 (2.4.10-10+deb8u11) jessie-security; urgency=high

  * Non-maintainer upload by the Security Team.
  * CVE-2017-9798: Use-after-free by limiting unregistered HTTP method
    (Closes: #876109)

apache2 (2.4.10-10+deb8u10) jessie-security; urgency=medium

  * CVE-2017-9788: mod_auth_digest: Fix leak of uninitialized memory

asterisk (1:11.13.1~dfsg-2+deb8u4) jessie-security; urgency=high

  * CVE-2017-14603 / AST-2017-008
    This is a follow-up for AST-2017-005: RTP/RTCP information leak improving
    robustness of the security fix and fixing a regression with re-INVITEs
    (Closes: #876328)

asterisk (1:11.13.1~dfsg-2+deb8u3) jessie-security; urgency=high
  * CVE-2017-14099 / AST-2017-005
    Media takeover in RTP stack ("RTP bleed") (Closes: #873907)
  * CVE-2017-14100 / AST-2017-006
    Shell access command injection in app_minivm (Closes: #873908)

atril (1.8.1+dfsg1-4+deb8u1) jessie-security; urgency=high

  * Non-maintainer upload
  * Add 0003-CVE-2017-1000083-evince-comics-remove-tar-commands-support-3-10-3.patch
    Fixes a command injection vulnerability in CBT handler.
    CVE-2017-1000083 (Closes: #868500)

augeas (1.2.0-0.2+deb8u2) jessie-security; urgency=high

  * Add patch to fix CVE-2017-7555 (Closes: #872400)

bareos (14.2.1+20141017gitc6c5b56-3+deb8u3) jessie; urgency=medium

  * Fix permissions of bareos-dir logrotate config. (Closes: #864926)
  * Fix file corruption when using SHA1 signature. (Closes: #869608)
  * Add autopkgtest for SHA1 signature.

base-files (8+deb8u10) oldstable; urgency=medium

  * Changed /etc/debian_version to 8.10, for Debian 8.10 point release.

bchunk (1.2.0-12+deb8u1) jessie-security; urgency=high

  * Non-maintainer upload.
  * Fix CVE-2017-15953, CVE-2017-15954 and CVE-2017-15955.
    bchunk was vulnerable to a heap-based buffer overflow with a resultant
    invalid free when processing a malformed CUE (.cue) file that may lead to
    the execution of arbitrary code or an application crash.
    (Closes: #880116)

bind9 (1:9.9.5.dfsg-9+deb8u14) jessie; urgency=high

  [ Bernhard Schmidt ]
  * Import upcoming DNSSEC KSK-2017 from 9.10.5

  [ Ondřej Surý ]
  * Non-maintainer upload.

bind9 (1:9.9.5.dfsg-9+deb8u13) jessie-security; urgency=high

  * Non-maintainer upload by the Security Team.
  * Add patch to fix regression introduced by patch for CVE-2017-3042.
    closes: #868952

bluez (5.23-2+deb8u1) jessie-security; urgency=high

  * Non-maintainer upload by the Security Team.
  * CVE-2017-1000250: information disclosure vulnerability in
    service_search_attr_req (Closes: #875633)

botan1.10 (1.10.8-2+deb8u2) jessie-security; urgency=medium

  * CVE-2017-2801

bzr (2.6.0+bzr6595-6+deb8u1) jessie-security; urgency=high
  * Non-maintainer upload by the Security Team.
  * Use 'localhost' rather than '127.0.0.1' in SSL certificates, as the latter
    trips up pycurl (Closes: #868966)
  * Ship a refreshed copy of the ssl certs used in testsuite
  * Prevent SSH command line options from being specified in bzr+ssh:// URLs
    (CVE-2017-14176) (Closes: #874429)

catdoc (0.94.4-1.1+deb8u1) jessie-security; urgency=high

  * Non-maintainer upload by the Security Team.
  * CVE-2017-11110: Heap buffer overflow in ole_init (Closes: #867717)

connman (1.21-1.2+deb8u1) jessie-security; urgency=high

  * Non-maintainer upload by the Security Team.
  * CVE-2017-12865: Fix crash on malformed DNS response (Closes: #872844)

cups (1.7.5-11+deb8u2) jessie; urgency=high

  * Disable SSLv3 and RC4 by default to address POODLE vulnerability
    (Closes: #839226)
    - Implement SSLOptions to permit the use of AllowSSL3 and AllowRC4
      respectively
  * Refresh patches

curl (7.38.0-4+deb8u8) jessie-security; urgency=high

  * Non-maintainer upload by the Security Team.
  * Fix NTLM buffer overflow via integer overflow as per CVE-2017-8816
    https://curl.haxx.se/docs/adv_2017-11e7.html
  * Fix FTP wildcard out of bounds read as per CVE-2017-8817
    https://curl.haxx.se/docs/adv_2017-ae72.html

curl (7.38.0-4+deb8u7) jessie-security; urgency=medium

  * Fix IMAP FETCH response out of bounds read as per CVE-2017-1000257
    https://curl.haxx.se/docs/adv_20171023.html

curl (7.38.0-4+deb8u6) jessie-security; urgency=medium

  * Fix TFTP sends more than buffer size as per CVE-2017-1000100
    https://curl.haxx.se/docs/adv_20170809B.html
  * Fix URL globbing out of bounds read as per CVE-2017-1000101
    https://curl.haxx.se/docs/adv_20170809A.html
  * Fix FTP PWD response parser out of bounds read as per CVE-2017-1000254
    https://curl.haxx.se/docs/adv_20171004.html

cvs (2:1.12.13+real-15+deb8u1) jessie-security; urgency=high

  * Fix CVE-2017-12836 (Closes: #871810)

db (5.1.29-9+deb8u1) jessie; urgency=medium

  * Non-maintainer upload.
  * CVE-2017-10140: Reads DB_CONFIG from the current working directory.
    Do not access DB_CONFIG when db_home is not set.

db5.3 (5.3.28-9+deb8u1) jessie; urgency=medium

  * Non-maintainer upload.
  * CVE-2017-10140: Reads DB_CONFIG from the current working directory.
    Do not access DB_CONFIG when db_home is not set. (Closes: #872436)

debian-installer-netboot-images (20150422+deb8u4.b5) jessie; urgency=medium

  * Update to 20150422+deb8u4+b5 images, from jessie-proposed-updates

debmirror (1:2.16+deb8u1) jessie; urgency=medium

  * Tolerate unknown lines in *.diff/Index (closes: #808216, #815149).
  * Mirror DEP-11 metadata files (closes: #814416).
  * Prefer xz over gz, and cope with either being missing as long as we can
    get some version of the index file in question.
  * Use check_lists to check Translation files rather than a similar custom
    function; this allows use of stronger hashes.
  * Mirror and validate InRelease files (closes: #619188).

dns-root-data (2017072601~deb8u1) jessie; urgency=high

  * Add KSK-2017 to root.key file
  * Update root.hints to 2017072601 version
  * Add gbp.conf for master-jessie branch

dns-root-data (2017071401) unstable; urgency=medium

  * Update the root.hints to 2017060102 version
  * Change the state of KSK-2017 to VALID

dns-root-data (2017041102) unstable; urgency=high

  [ Robert Edmonds ]
  * Change DS creation to omit TTL and use spaces instead of tabs
    (Closes: #864016)

dns-root-data (2017041101) unstable; urgency=medium

  * Fix parse-root-anchors.sh in non-dash shells (Closes: #862252)
  * Update to 2017041101 version of root zone
  * Remove timestamps from root.key to make the build reproducible
  * Shell syntax cleanup

dns-root-data (2017020200) unstable; urgency=medium
  * Update to 2016102001 version of the root.zone
  * Add KSK-2017 (valid from 2017-02-02) into root.key file
  * Reduce number of IANA files as they don't exist at upstream anymore
  * draft-icann-dnssec-trust-anchor is now RFC 7958
  * Update all other IANA DNSSEC files to 2017-02-02 versions
  * Strip the GPG verification as IANA doesn't provide the GPG signatures
    anymore
  * Rewrite DS creation check to xml2 and ldnsutils, as neither xmllint nor
    bind9utils handle multiple DNSKEY in one file correctly

dns-root-data (2015052300+h+1) unstable; urgency=medium

  * Update root.hints to 2015052300 version
  * Move the package under Debian DNS Maintainers umbrella
  * Implement the H.ROOT-SERVERS.NET IP address changes that are scheduled
    for December 1st, but operational now

dnsmasq (2.72-3+deb8u2) jessie-security; urgency=high

  * Non-maintainer upload by the Security Team.
  * CVE-2017-14491: DNS heap buffer overflow
  * CVE-2017-14492: DHCPv6 RA heap overflow
  * CVE-2017-14493: DHCPv6 - Stack buffer overflow
  * CVE-2017-14494: Infoleak handling DHCPv6 forwarded requests
  * CVE-2017-14491: DNS heap buffer overflow (further fix)

dput (0.9.6.4+deb8u1) jessie; urgency=medium

  * dput.cf: replace security-master.d.o with ftp.upload.security.d.o
    (Closes: #863348)

dwww (1.12.1+deb8u1) jessie; urgency=medium

  * Fix an old typo in the `Last-Modified' header name that prevents dwww from
    working correctly on systems running the latest available jessie version
    of apache2, which as part of its security update for CVE-2016-8743 started
    enforcing HTTP headers conformance with the appropriate standards
    (closes: #850016, #850885).

elog (2.9.2+2014.05.11git44800a7-2+deb8u2) jessie; urgency=medium

  * update patch 0005_elogd_CVE-2016-6342_fix to grant access to logbooks also
    as normal login user (Closes: #851909)

emacs24 (24.4+1-5+deb8u1) jessie-security; urgency=medium

  * Remove unsafe enriched mode translations

enigmail (2:1.9.8.1-1~deb8u1) jessie-security; urgency=medium
  * Rebuild for jessie-security (Closes: #869774)

  enigmail (2:1.9.8.1-1) unstable; urgency=medium

  * new upstream release

  enigmail (2:1.9.8-1) unstable; urgency=medium

  * New upstream release.
  * Standards-Version to 4.0.0 (no changes needed)
  * use dpkg/pkg-info.mk instead of dpkg-parsechangelog
  * use wrap-and-sort -ast

  enigmail (2:1.9.7-2) unstable; urgency=medium

  * enable re-certifying keys with expired certs (Closes: #863273)

  enigmail (2:1.9.7-1) unstable; urgency=medium

  * new upstream bugfix release

  enigmail (2:1.9.6-2) unstable; urgency=medium

  * pulled a bugfix from upstream, refreshed patches

  enigmail (2:1.9.6-1) unstable; urgency=medium

  * new upstream release

  enigmail (2:1.9.5-7) unstable; urgency=medium

  * fix "exchange repair" variant format of e-mail

  enigmail (2:1.9.5-6) unstable; urgency=medium

  * refresh patches from upstream enigmail-1.9-branch

  enigmail (2:1.9.5-5) unstable; urgency=medium

  * fix query for getKeyFileType (Closes: #842212)

  enigmail (2:1.9.5-4) unstable; urgency=medium

  * avoid parallel build failures

  enigmail (2:1.9.5-3) unstable; urgency=medium

  * more patches from upstream
  * bump to debhelper 10 (no changes needed)

  enigmail (2:1.9.5-2) unstable; urgency=medium

  * include two patches from upstream

  enigmail (2:1.9.5-1) unstable; urgency=medium

  * new upstream release

  enigmail (2:1.9.4-1) unstable; urgency=medium

  * new upstream release

  enigmail (2:1.9.3-2) unstable; urgency=medium

  * pulled more fixes from upstream

  enigmail (2:1.9.3-1) unstable; urgency=medium

  * new upstream release

  enigmail (2:1.9.2-1) unstable; urgency=medium

  * new upstream release
  * drop old upstream patches, pull more fixes from upstream

  enigmail (2:1.9.1-2) unstable; urgency=medium

  * changed dependencies to acknowledge newer versions of gnupg.
  * bumped Standards-Version to 3.9.8 (no changes needed)

  enigmail (2:1.9.1-1) unstable; urgency=medium
  * new upstream release
  * incorporated some additional minor patches from upstream's
    enigmail-1.9-branch as well.

  enigmail (2:1.9-1) unstable; urgency=medium

  * new upstream release
  * include upstream fix for excessive dumping
  * bumped Standards-Version to 3.9.7 (no changes needed)

  enigmail (2:1.9~beta2+16.gd99b-1) experimental; urgency=medium

  * new upstream snapshot

  enigmail (2:1.9~beta2-1) experimental; urgency=medium

  * new upstream beta release.
  * depend directly on gnupg2 -- 1.9 and later won't work with gpg1.

  enigmail (2:1.9~beta1-1) experimental; urgency=medium

  * package new upstream beta for experimental.

  enigmail (2:1.8.2-4) unstable; urgency=medium

  * pass through {GTK,QT}_IM_MODULE, XMODIFIERS, and DBUS_SESSION_BUS_ADDRESS
    so that modern pinentry works. (Closes: #794627)
  * correct reported version number of enigmail

enigmail (2:1.9.8-1) unstable; urgency=medium

  * New upstream release.
  * Standards-Version to 4.0.0 (no changes needed)
  * use dpkg/pkg-info.mk instead of dpkg-parsechangelog
  * use wrap-and-sort -ast

enigmail (2:1.9.7-2) unstable; urgency=medium

  * enable re-certifying keys with expired certs (Closes: #863273)

enigmail (2:1.9.7-1) unstable; urgency=medium

  * new upstream bugfix release

enigmail (2:1.9.6-2) unstable; urgency=medium

  * pulled a bugfix from upstream, refreshed patches

enigmail (2:1.9.6-1) unstable; urgency=medium

  * new upstream release

enigmail (2:1.9.5-7) unstable; urgency=medium

  * fix "exchange repair" variant format of e-mail

enigmail (2:1.9.5-6) unstable; urgency=medium

  * refresh patches from upstream enigmail-1.9-branch

enigmail (2:1.9.5-5) unstable; urgency=medium

  * fix query for getKeyFileType (Closes: #842212)

enigmail (2:1.9.5-4) unstable; urgency=medium

  * avoid parallel build failures

enigmail (2:1.9.5-3) unstable; urgency=medium

  * more patches from upstream
  * bump to debhelper 10 (no changes needed)

enigmail (2:1.9.5-2) unstable; urgency=medium
  * include two patches from upstream

enigmail (2:1.9.5-1) unstable; urgency=medium

  * new upstream release

enigmail (2:1.9.4-1) unstable; urgency=medium

  * new upstream release

enigmail (2:1.9.3-2) unstable; urgency=medium

  * pulled more fixes from upstream

enigmail (2:1.9.3-1) unstable; urgency=medium

  * new upstream release

enigmail (2:1.9.2-1) unstable; urgency=medium

  * new upstream release
  * drop old upstream patches, pull more fixes from upstream

enigmail (2:1.9.1-2) unstable; urgency=medium

  * changed dependencies to acknowledge newer versions of gnupg.
  * bumped Standards-Version to 3.9.8 (no changes needed)

enigmail (2:1.9.1-1) unstable; urgency=medium

  * new upstream release
  * incorporated some additional minor patches from upstream's
    enigmail-1.9-branch as well.

enigmail (2:1.9-1) unstable; urgency=medium

  * new upstream release
  * include upstream fix for excessive dumping
  * bumped Standards-Version to 3.9.7 (no changes needed)

enigmail (2:1.9~beta2-1) experimental; urgency=medium

  * new upstream beta release.
  * depend directly on gnupg2 -- 1.9 and later won't work with gpg1.

enigmail (2:1.9~beta1-1) experimental; urgency=medium

  * package new upstream beta for experimental.

enigmail (2:1.8.2-4) unstable; urgency=medium

  * pass through {GTK,QT}_IM_MODULE, XMODIFIERS, and DBUS_SESSION_BUS_ADDRESS
    so that modern pinentry works. (Closes: #794627)
  * correct reported version number of enigmail

firefox-esr (52.5.0esr-1~deb8u1) jessie-security; urgency=medium

  * New upstream release.
  * Fixes for mfsa2017-25, also known as:
    CVE-2017-7828, CVE-2017-7830, CVE-2017-7826.

  * debian/source/lintian-overrides: Add a lintian override for dotzlib.chm.
  * debian/import-tar.py: Make python 3.6 happy.

firefox-esr (52.4.0esr-2) unstable; urgency=medium

  * debian/source/lintian-overrides: Add a lintian override for dotzlib.chm.

firefox-esr (52.4.0esr-1~deb9u1) stretch-security; urgency=medium

  * New upstream release.
  * Fixes for mfsa2017-22, also known as:
    CVE-2017-7793, CVE-2017-7818, CVE-2017-7819, CVE-2017-7824, CVE-2017-7805,
    CVE-2017-7814, CVE-2017-7823, CVE-2017-7810.
  * debian/rules: Really build with gcc 6 on unstable. Closes: #871583.
  .
  * js/src/jsmath.cpp: Add GETRANDOM_NR definition for powerpc and mips.
    bz#1389281.
  * media/libcubeb/tests/moz.build: Fixup workaround for binutil assertion
    on mips.

firefox-esr (52.4.0esr-1~deb8u1) jessie-security; urgency=medium
  .
  * New upstream release.
  * Fixes for mfsa2017-22, also known as:
    CVE-2017-7793, CVE-2017-7818, CVE-2017-7819, CVE-2017-7824, CVE-2017-7805,
    CVE-2017-7814, CVE-2017-7823, CVE-2017-7810.
  * debian/rules: Really build with gcc 6 on unstable. Closes: #871583.

firefox-esr (52.3.0esr-2) unstable; urgency=medium
  .
  * debian/rules: Really build with gcc 6. Closes: #871583.

firefox-esr (52.3.0esr-1) unstable; urgency=medium
  .
  * New upstream release.
  * Fixes for mfsa2017-19, also known as:
    CVE-2017-7798, CVE-2017-7800, CVE-2017-7801, CVE-2017-7784, CVE-2017-7802,
    CVE-2017-7785, CVE-2017-7786, CVE-2017-7753, CVE-2017-7787, CVE-2017-7807,
    CVE-2017-7792, CVE-2017-7791, CVE-2017-7803, CVE-2017-7779.
  .
  * debian/upstream.mk: Set DIST differently for experimental.
  * debian/control*, debian/rules: Build with gcc 6 because display is broken
    with gcc 7.
  .
  * FTBFS fixes:
    - js/src/jsmath.cpp: Define GETRANDOM_NR on more architectures.
      bz#1352236, bz#1357874.
    - media/libyuv/source/row_mips.cc: Only use the perf opcode on mips arches
      that support it. bz#1012232.

firefox-esr (52.3.0esr-1~deb9u1) stretch-security; urgency=medium
  .
  * New upstream release.
  * Fixes for mfsa2017-19, also known as:
    CVE-2017-7798, CVE-2017-7800, CVE-2017-7801, CVE-2017-7784, CVE-2017-7802,
    CVE-2017-7785, CVE-2017-7786, CVE-2017-7753, CVE-2017-7787, CVE-2017-7807,
    CVE-2017-7792, CVE-2017-7791, CVE-2017-7803, CVE-2017-7779.
  .
  * debian/upstream.mk:
    - Consider testing/unstable as buster, which implies build depending on
      system nspr, nss and sqlite again.
    - Support DEB_DISTRIBUTION being bustersomething or sid. Closes: #865650.
  .
  * debian/upstream.mk: Set DIST differently for experimental.
  * debian/control*, debian/rules: Build with gcc 6 because display is broken
    with gcc 7.
  .
  * FTBFS fixes:
    - js/src/jsmath.cpp: Define GETRANDOM_NR on more architectures.
      bz#1352236, bz#1357874.
    - media/libyuv/source/row_mips.cc: Only use the perf opcode on mips arches
      that support it. bz#1012232.

firefox-esr (52.3.0esr-1~deb8u2) jessie-security; urgency=medium
  .
  * js/src/jsmath.cpp: Add GETRANDOM_NR definition for powerpc and mips.
    bz#1389281.
  * media/libcubeb/tests/moz.build: Fixup workaround for binutil assertion
    on mips.

firefox-esr (52.2.0esr-2) unstable; urgency=medium
  .
  * debian/upstream.mk:
    - Consider testing/unstable as buster, which implies build depending on
      system nspr, nss and sqlite again.
    - Support DEB_DISTRIBUTION being bustersomething or sid. Closes: #865650.

firefox-esr (52.2.0esr-1) unstable; urgency=medium
  .
  * New upstream release.
  * Fixes for mfsa2017-16, also known as:
    CVE-2017-5472, CVE-2017-7749, CVE-2017-7750, CVE-2017-7751, CVE-2017-7752,
    CVE-2017-7754, CVE-2017-7756, CVE-2017-7757, CVE-2017-7778, CVE-2017-7758,
    CVE-2017-7764, CVE-2017-5470.
  .
  * debian/rules, debian/control.in: Switch to GCC 4.8 on wheezy.
  * debian/rules: Don't remove debian/control on clean.
    Thanks to Emilio Pozuelo Monfort for those two changes for wheezy LTS
    support.
  * debian/control.in: Bump nss build dependency.
  * debian/control.in, debian/rules, debian/symbols.mk, debian/upstream.mk:
    Rename the BACKPORT variable to DIST, and set it to "stretch" for
    unstable/testing targeted builds.
  * debian/rules: Normalize the system libraries used depending on the Debian
    version.

firefox-esr (52.2.0esr-1~deb9u1) stretch-security; urgency=medium
  .
  * New upstream release.
  * Fixes for mfsa2017-16, also known as:
    CVE-2017-5472, CVE-2017-7749, CVE-2017-7750, CVE-2017-7751, CVE-2017-7752,
    CVE-2017-7754, CVE-2017-7756, CVE-2017-7757, CVE-2017-7778, CVE-2017-7758,
    CVE-2017-7764, CVE-2017-5470.
  .
  * debian/rules, debian/control.in: Switch to GCC 4.8 on wheezy.
  * debian/rules: Don't remove debian/control on clean.
    Thanks to Emilio Pozuelo Monfort for those two changes for wheezy LTS
    support.
  * debian/control.in: Bump nss build dependency.
  * debian/control.in, debian/rules, debian/symbols.mk, debian/upstream.mk:
    Rename the BACKPORT variable to DIST, and set it to "stretch" for
    unstable/testing targeted builds.
  * debian/rules: Normalize the system libraries used depending on the Debian
    version.
  .
firefox-esr (52.1.0esr-1) experimental; urgency=medium
  .
  * New upstream release.
  * Fixes for mfsa2017-12, also known as:
    CVE-2017-5433, CVE-2017-5435, CVE-2017-5436, CVE-2017-5459, CVE-2017-5466,
    CVE-2017-5434, CVE-2017-5432, CVE-2017-5460, CVE-2017-5438, CVE-2017-5439,
    CVE-2017-5440, CVE-2017-5441, CVE-2017-5442, CVE-2017-5464, CVE-2017-5443,
    CVE-2017-5444, CVE-2017-5446, CVE-2017-5447, CVE-2017-5465, CVE-2017-5448,
    CVE-2017-5454, CVE-2017-5455, CVE-2017-5456, CVE-2017-5469, CVE-2017-5445,
    CVE-2017-5449, CVE-2017-5451, CVE-2017-5462, CVE-2017-5467, CVE-2017-5430,
    CVE-2017-5429.
  .
firefox-esr (52.0.2esr-1) experimental; urgency=medium
  .
  * New upstream release.
  * debian/browser.mozconfig.in, debian/mls.key: Enable geolocation using
    Mozilla's Location Service. Closes: #726230.
  .
  * browser/app/profile/firefox.js: Use the Mozilla Location Service when the
    Google Key is not there.
  .
firefox-esr (52.0.1esr-1) experimental; urgency=medium
  .
  * New upstream release.
  * Fix for mfsa2017-08, also known as CVE-2017-5428.
  .
  * debian/browser.mozconfig.in: Build with --enable-alsa. Closes: #857281.
  .
firefox-esr (52.0esr-1) experimental; urgency=medium
  .
  * New upstream release.
  * Fixes for mfsa2017-05, also known as:
    CVE-2017-5400, CVE-2017-5401, CVE-2017-5402, CVE-2017-5403, CVE-2017-5404,
    CVE-2017-5406, CVE-2017-5407, CVE-2017-5410, CVE-2017-5408, CVE-2017-5412,
    CVE-2017-5413, CVE-2017-5414, CVE-2017-5415, CVE-2017-5416, CVE-2017-5417,
    CVE-2017-5426, CVE-2017-5427, CVE-2017-5418, CVE-2017-5419, CVE-2017-5420,
    CVE-2017-5405, CVE-2017-5421, CVE-2017-5422, CVE-2017-5399, CVE-2017-5398.
  .
  * debian/control*:
    - Bump nss and sqlite build dependencies.
    - Build depend on libjsoncpp-dev.
  * debian/rules:
    - Update ICU_DATA_FILE version.
    - Don't build against system sqlite until we have the right version in
      Debian.
  * debian/browser.lintian-overrides.in: Add a lintian override for NSPR and
    NSS.
  * debian/browser.install.in:
    - Install chrome.manifest, libmozsandbox.so and minidump-analyzer.
    - Remove browser/components.
  .
  * browser/installer/allowed-dupes.mn, toolkit/mozapps/installer/find-dupes.py,
    toolkit/mozapps/installer/packager.mk: Preprocess find-dupes exception
    list. bz#1315309.
  * config/system-headers, toolkit/crashreporter/jsoncpp/src/lib_json/moz.build,
    toolkit/crashreporter/minidump-analyzer/moz.build: Build against system
    libjsoncpp.
  .
firefox (51.0.1-3) unstable; urgency=medium
  .
  * js/src/jit/mips-shared/Assembler-mips-shared.h,
    js/src/jit/mips-shared/CodeGenerator-mips-shared.cpp,
    js/src/jit/mips-shared/CodeGenerator-mips-shared.h,
    js/src/jit/mips-shared/MacroAssembler-mips-shared-inl.h,
    js/src/jit/mips-shared/MacroAssembler-mips-shared.cpp,
    js/src/jit/mips-shared/MacroAssembler-mips-shared.h,
    js/src/jit/mips32/MacroAssembler-mips32-inl.h,
    js/src/jit/mips32/MacroAssembler-mips32.cpp,
    js/src/jit/mips32/MacroAssembler-mips32.h,
    js/src/jit/mips64/MacroAssembler-mips64-inl.h,
    js/src/jit/mips64/MacroAssembler-mips64.cpp,
    js/src/jit/mips64/MacroAssembler-mips64.h: Apply patch from bz#1303688
    hopefully fixing the FTBFS on mips*.
  .
firefox (51.0.1-2) unstable; urgency=medium
  .
  * debian/symbols.mk:
    - Better handle downloading symbols from packages with epochs.
    - Don't filter file names when getting symbols.
    - Add experimental buildd apt source for symbols download.
    - Avoid apt-get download being re-run when the file is already there.
    - Adjust DBGTYPE depending on package version, not whether it's a backport.
    - Only dump symbols for files of type application/x-sharedlib. This covers
      binary executables too because they are PIE and indistinguishable from
      shared libraries as a consequence.
  * debian/rules:
    - Add -fno-schedule-insns2 back. Closes: #854258.
    - Build with -fno-schedule-insns on armel and armhf when building with
      GCC6. Closes: #854640.
    - Hack to disable --gc-sections when building NSS, working around bug
      #844357 again. Should fix FTBFS on mips*.
  * debian/browser.desktop.in, debian/rules: Followup for the StartupWMClass
    changes in 51.0.1-1: Use the same name in desktop file and application.ini
    RemotingName. Closes: #854397.
  .
firefox (51.0.1-1) unstable; urgency=medium
  .
  * New upstream release.
  .
  * debian/browser.desktop.in:
    - Use the application name as StartupWMClass in the desktop file. Along
      the change to nsAppRunner.cpp, this prevents e.g. GNOME Shell from
      making Firefox appear as Firefox ESR when both are used.
    - Remove Encoding key from desktop file. Closes: #812493
  * debian/rules: Remove -fno-schedule-insns2 and add -fno-lifetime-dse when
    building with GCC6.
  * debian/rules, debian/control*: Build with GCC6 on arm*. Closes: #852009.
    AFAIK, that will lead to FTBFS on at least armhf, but let's already see
    how it goes.
  * debian/upstream.mk: Use pkg-info.mk to figure out source name and version.
    Closes: #850720.
  * debian/control*:
    - Remove build dependency and suggest on libgnome*. It hasn't actually
      been used for a long time. Closes: #850265.
    - Bump Standards-Version to 3.9.8. No changes required.
    - Bump libvpx build dependency.
  * debian/rules: Resize the symbolic icon.
  * Move the -l10n-all package to the metapackages section.
    Closes: #824784.
  * debian/browser.postrm.in, debian/browser.preinst.in, debian/rules: Don't
    install preinst and postrm at all for the firefox package.
  * debian/symbols.apt.conf, debian/symbols.mk, debian/symbols.sources.list:
    Add scripts to create symbols archive to upload to Mozilla crash servers.
  * debian/browser-dev.links.in, debian/browser.install.in,
    debian/browser.mozconfig.in, debian/control*, debian/make.mk,
    debian/rules: Add more granularity as to what system libraries are used
    and only disable NSPR/NSS until we have the right versions in Debian.
  .
  * gfx/2d/BorrowedContext.h, gfx/layers/composite/LayerManagerComposite.*,
    gfx/layers/moz.build: Fix --disable-skia builds. bz#1319374.
  * gfx/skia/moz.build: Build Skia NEON code on arm64.
  * toolkit/xre/nsAppRunner.cpp: Set program name from the remoting name.
  * config/recurse.mk: Work around race condition between building NSPR and
    NSS. bz#1115944, bz#1315882.
  .
firefox (51.0-1) unstable; urgency=medium
  .
  * New upstream release.
  * Fixes for mfsa2017-01, also known as:
    CVE-2017-5375, CVE-2017-5376, CVE-2017-5377, CVE-2017-5378, CVE-2017-5379,
    CVE-2017-5380, CVE-2017-5390, CVE-2017-5389, CVE-2017-5396, CVE-2017-5381,
    CVE-2017-5382, CVE-2017-5383, CVE-2017-5384, CVE-2017-5385, CVE-2017-5386,
    CVE-2017-5391, CVE-2017-5393, CVE-2017-5387, CVE-2017-5388, CVE-2017-5374,
    CVE-2017-5373.
  .
  * debian/upstream.mk: Don't rely on FIREFOX_*_RELEASE tags to pull some
    files to determine all source urls.
  * debian/browser.bug-presubj.in: Add a note about submitting crash reports
    upstream and pasting the url to Debian bug reports.
  * debian/rules, debian/control*: Adjust rust build configure to new
    upstream. It requires rustc >= 1.10 and cargo, the latter of which is not
    available on arm64. Also depend on cargo >= 0.13, that doesn't access the
    network with the Cargo.toml files in the source. Note rust code is still
    not enabled unless building a beta release.
  * debian/control*: Bump nspr, nss and sqlite build dependencies.
  * debian/rules, debian/control: Use more embedded libraries until the
    required versions of NSPR and NSS can be in unstable.
  .
  * build/moz.configure/rust.configure: Force use the i686 rust target.
  * gfx/skia/skia/include/core/SkPreConfig.h: Generically set
    SK_CPU_[BL]ENDIAN based on __BYTE_ORDER__ when available. bz#1319389.
  .
firefox (50.1.0-1) unstable; urgency=medium
  .
  * New upstream release.
  * Fixes for mfsa2016-95, also known as:
    CVE-2016-9894, CVE-2016-9899, CVE-2016-9895, CVE-2016-9896, CVE-2016-9897,
    CVE-2016-9898, CVE-2016-9900, CVE-2016-9904, CVE-2016-9901, CVE-2016-9902,
    CVE-2016-9903, CVE-2016-9080, CVE-2016-9893.
  .
firefox (50.0.2-1) unstable; urgency=medium
  .
  * New upstream release.
  * Fixes for mfsa2016-{91-92}, also known as: CVE-2016-9078, CVE-2016-9079.
  .
  * widget/gtk/mozgtk/mozgtk.c: work around race in system Cairo's XShm usage.
    bz#1271100.
  .
firefox (50.0-3) unstable; urgency=medium
  .
  * media/libjpeg/simd/jsimd_mips.c: Pull libjpeg-turbo upstream fix for
    FTBFS on mips.
  * widget/gtk/mozgtk/gtk3/moz.build: Work around Debian bug #844357.
  .
firefox (50.0-2) unstable; urgency=medium
  .
  * debian/rules: Use mach to run icu_source_data.py. This should fix FTBFS on
    big endian platforms.
  .
  * js/src/jit/mips64/CodeGenerator-mips64.cpp: Fix
    CodeGenerator::visitAsmSelectI64. bz#1290811.
  .
firefox (50.0-1) unstable; urgency=medium
  .
  * New upstream release.
  * Fixes for mfsa2016-{87,89} also known as:
    CVE-2016-5287, CVE-2016-5288, CVE-2016-5296, CVE-2016-5292, CVE-2016-5297,
    CVE-2016-9064, CVE-2016-9066, CVE-2016-9067, CVE-2016-9068, CVE-2016-9075,
    CVE-2016-9077, CVE-2016-5291, CVE-2016-9070, CVE-2016-9073, CVE-2016-9076,
    CVE-2016-9063, CVE-2016-9071, CVE-2016-5289, CVE-2016-5290.
  .
  * debian/rules: Only generate configure files on nightlies, and use
    client.mk to generate them instead of using autoconf manually (which,
    while compatible, is wrong nowadays).
  * debian/control*:
    - Remove outdated alternative build dependencies.
    - Bump sqlite and nss build dependency.
    - Add build dependency on libx11-xcb-dev.
  * debian/browser.mozconfig.in, debian/control*, debian/rules: Enable rust
    on non-release/ESR.
  * debian/browser.install.in: Add the EmojiOneMozilla font.
  .
firefox (49.0-5) unstable; urgency=medium
  .
  * debian/rules:
    - Don't install crashreporter files on arm64, where it's not built.
      Should fix FTBFS on arm64.
    - Ship a symbolic icon from the silhouette icon from branding.
      Closes: #832297.
    - Remove old workaround for GCC 4.5 on armel.
    - Remove old workarounds for ia64.
    - Remove GENSYMBOLS_FLAGS, which hasn't been used for 5 years.
    - Remove CMP_AWK, which hasn't been used since xulrunner packages were
      removed.
    - Remove dh_builddeb override forcing xz compression, which is the
      default since dpkg 1.15.6.
    - Remove old workaround for ppc64.
    - Disable both baseline JIT and ion on mips via prefs.
  * debian/rules, debian/control: Re-enable Gtk+3 to see how it goes.
    Closes: #832301.
  .
  * security/sandbox/linux/SandboxFilter.cpp: Allow media plugins to call
    madvise with MADV_FREE. bz#1303813. Closes: #838911.
  * js/src/jit/AtomicOperations.h: Fix crashes in AtomicOperations-none on
    s390x. Should fix FTBFS on s390x.
  .
firefox (49.0-4) unstable; urgency=medium
  .
  * debian/rules, debian/browser.install.in: Always install GMP clearkey.
    Should fix FTBFSes on non-x86/x86-64, this time.
  * debian/browser.js.in: Unset media.gmp-manager.url.override.
    Closes: #838902.
  * debian/compat, debian/control*: Bump debhelper compat and dependency to 9.
  * debian/rules, debian/control*: Generate debug symbols debs when not
    backporting.
  * debian/browser.install.in, browser.mozconfig.in, debian/rules: Don't
    disable the crash reporter.
  .
firefox (49.0-3) unstable; urgency=medium
  .
  * debian/browser.desktop.in: Use the full path to the real Firefox
    executable in the .desktop file. Closes: #832298
  .
  * toolkit/moz.configure: Ensure we don't enable Widevine unintentionally.
    bz#1299694. Should fix FTBFSes on non-x86/x86-64.
  .
firefox (49.0-2) unstable; urgency=medium
  .
  * debian/rules, debian/control*: Only force GCC 5 on arm when building for
    stretch+.
  * debian/browser.mozconfig.in, debian/browser.install.in, debian/rules: Do
    not disable EME. Closes: #838478.
  * debian/rules, debian/browser.install.in: Build and use big-endian ICU data
    on big-endian architectures. Fixes FTBFS on big-endian architectures.
  .
  * build/autoconf/icu.m4: Allow to override ICU_DATA_FILE from the
    environment.
  * js/src/jit/mips-shared/MacroAssembler-mips-shared.cpp: OdinMonkey: MIPS:
    Fix nop-jump patching code. bz#1277478. Fixes FTBFS on mips*el.
  * media/libjpeg/moz.build: Fix CPU_ARCH test for libjpeg on mips. Fixes
    FTBFS on mips.
  .
firefox (49.0-1) unstable; urgency=medium
  .
  * New upstream release.
  * Fixes for mfsa-2016-85, also known as:
    CVE-2016-2827, CVE-2016-5270, CVE-2016-5271, CVE-2016-5272, CVE-2016-5273,
    CVE-2016-5276, CVE-2016-5274, CVE-2016-5277, CVE-2016-5275, CVE-2016-5278,
    CVE-2016-5279, CVE-2016-5280, CVE-2016-5281, CVE-2016-5282, CVE-2016-5283,
    CVE-2016-5284, CVE-2016-5256, CVE-2016-5257.
  .
  * debian/control*, debian/rules: Compile with GCC 5 on testing/unstable on
    arm* because of crashes when building with GCC 6. (FTBFS)
  * debian/control*: Force build against libnss3-dev >= 2:3.26-2~, which
    fixed its symbols file. Closes: #833719.
  .
  * build/gyp.mozbuild: Disable libyuv assembly on mips64. (FTBFS)
  .
firefox (48.0-2) unstable; urgency=medium
  .
  * debian/rules: Build with -fno-schedule-insns2 and
    -fno-delete-null-pointer-checks with GCC >= 6 because it miscompiles
    Firefox. Closes: #836533.
  .
firefox (48.0-1) unstable; urgency=medium
  .
  * New upstream release.
  * Fixes for mfsa-2016-{62-68,70-81,83-84}, also known as:
    CVE-2016-2836, CVE-2016-2835, CVE-2016-2830, CVE-2016-2838, CVE-2016-2839,
    CVE-2016-5251, CVE-2016-5252, CVE-2016-0718, CVE-2016-5254, CVE-2016-5255,
    CVE-2016-5258, CVE-2016-5259, CVE-2016-5260, CVE-2016-5261, CVE-2016-5262,
    CVE-2016-2837, CVE-2016-5263, CVE-2016-5264, CVE-2016-5265, CVE-2016-5266,
    CVE-2016-5268, CVE-2016-5250.
  .
  * debian/control*: Bump nss and sqlite build dependencies.
  * debian/rules: Remove --build from configure invocation.
  * debian/browser.mozconfig.in: s/NATIVE/SYSTEM/. The variables set for
    --enable-system flags have changed upstream.
  * debian/browser.install.in, debian/browser.links.in: Don't install
    webapprt files, they are gone.
  * debian/browser.install.in:
    - Install ICU data file.
    - libfreebl3 changed name.
    - Take mozicon128.png from dist/firefox instead of dist/bin.
  .
firefox (47.0.1-1) unstable; urgency=medium
  .
  * New upstream release.
  .
firefox (47.0-1) unstable; urgency=medium
  .
  * New upstream release.
  * Fixes for mfsa-2016-{49-52,54,56-60}, also known as:
    CVE-2016-2815, CVE-2016-2818, CVE-2016-2819, CVE-2016-2821, CVE-2016-2822,
    CVE-2016-2825, CVE-2016-2828, CVE-2016-2829, CVE-2016-2831, CVE-2016-2832,
    CVE-2016-2833.
  .
  * debian/rules: Read default toolkit from old-configure.in, but still keep
    Gtk+3 disabled.
  * debian/upstream.mk: Use l10n_changesets.txt from last candidate build for
    L10N_REV.
  .
firefox (46.0.1-1) unstable; urgency=medium
  .
  * New upstream release.
  .
  * debian/control*: Remove build dependencies that were only required for
    the iceweasel branding.
  * debian/control*, debian/browser.mozconfig.in: Remove configure flags and
    build dependencies related to gnomevfs. They have been ignored for close
    to a year.
  * debian/browser.mozconfig.in:
    - Remove configure flags explicitly enabling gio, it has been enabled by
      default for more than 3 years.
    - Remove --enable-svg, the option has been ignored for more than 5 years.
    - Remove --enable-mathml, the option has been ignored for more than 4
      years.
    - Remove --enable-pango, the option has been ignored for 2 years.
    - Remove --disable-pedantic, the option has been ignored for 3 years.
    - Remove --disable-long-long-warning, the option has been ignored for
      almost 5 years.
    - Remove --disable-gnomeui, it is the default.
    - Remove --disable-mochitest, the option has been ignored for more than 7
      years.
    - Remove --disable-debug, it is the default.
    - Remove --enable-canvas, the option has been ignored for more than 6
      years.
    - Remove --disable-installer, the option has been ignored for close to 4
      years.
    - Remove --disable-javaxpcom, the option has been ignored for close to 5
      years.
    - Remove --disable-elf-dynstr-gc, the option has been ignored for more
      than 2 years.
    - Remove --enable-url-classifier, it is the default.
    - Remove --with-user-appdir=.mozilla, it is the default.
    - Remove --enable-single-profile, the option has been ignored for more
      than 7 years.
    - Remove --disable-profilesharing, the option has been ignored for more
      than 7 years.
  * debian/rules: Use the mach compare-locales command for l10n.
  * debian/upstream.mk, debian/watch: Remove "mozilla.org" from path in
    archive.mozilla.org urls.
  * debian/upstream.mk: Don't get a separate source tarball for
    compare-locales. There is a copy in-tree that we now use.
  * debian/browser.desktop.in, debian/control*, debian/rules: Allow to
    distinguish between firefox and firefox-esr. Closes: #821952.
  * debian/control, debian/rules: Disable Gtk+3 for now. Closes: #822807.
  .
firefox (46.0-1) unstable; urgency=medium
  .
  * New upstream release.
  * Fixes for mfsa2016-{39,42,44-48}, also known as:
    CVE-2016-2807, CVE-2016-2806, CVE-2016-2804, CVE-2016-2811, CVE-2016-2812,
    CVE-2016-2814, CVE-2016-2816, CVE-2016-2817, CVE-2016-2808, CVE-2016-2820.
  .
  * debian/browser.install.in: Add ffmpeg vp9 libraries.
  * debian/browser.lintian-overrides.in: Add a lintian override for
    libmozavutil.so, which is not exactly libavutil.
  * debian/control*: Bump nss and sqlite3 build dependencies.
  * debian/browser.mozconfig.in, debian/control*, debian/rules: Remove
    gstreamer dependencies and such, gstreamer support was removed upstream.

firefox-esr (52.1.0esr-1) experimental; urgency=medium
  .
  * New upstream release.
  * Fixes for mfsa2017-12, also known as:
    CVE-2017-5433, CVE-2017-5435, CVE-2017-5436, CVE-2017-5459, CVE-2017-5466,
    CVE-2017-5434, CVE-2017-5432, CVE-2017-5460, CVE-2017-5438, CVE-2017-5439,
    CVE-2017-5440, CVE-2017-5441, CVE-2017-5442, CVE-2017-5464, CVE-2017-5443,
    CVE-2017-5444, CVE-2017-5446, CVE-2017-5447, CVE-2017-5465, CVE-2017-5448,
    CVE-2017-5454, CVE-2017-5455, CVE-2017-5456, CVE-2017-5469, CVE-2017-5445,
    CVE-2017-5449, CVE-2017-5451, CVE-2017-5462, CVE-2017-5467, CVE-2017-5430,
    CVE-2017-5429.

firefox-esr (52.0.2esr-1) experimental; urgency=medium
  .
  * New upstream release.
  * debian/browser.mozconfig.in, debian/mls.key: Enable geolocation using
    Mozilla's Location Service. Closes: #726230.
  .
  * browser/app/profile/firefox.js: Use the Mozilla Location Service when the
    Google Key is not there.

firefox-esr (52.0.1esr-1) experimental; urgency=medium
  .
  * New upstream release.
  * Fix for mfsa2017-08, also known as CVE-2017-5428.
  .
  * debian/browser.mozconfig.in: Build with --enable-alsa. Closes: #857281.

firefox-esr (52.0esr-1) experimental; urgency=medium
  .
  * New upstream release.
  * Fixes for mfsa2017-05, also known as:
    CVE-2017-5400, CVE-2017-5401, CVE-2017-5402, CVE-2017-5403, CVE-2017-5404,
    CVE-2017-5406, CVE-2017-5407, CVE-2017-5410, CVE-2017-5408, CVE-2017-5412,
    CVE-2017-5413, CVE-2017-5414, CVE-2017-5415, CVE-2017-5416, CVE-2017-5417,
    CVE-2017-5426, CVE-2017-5427, CVE-2017-5418, CVE-2017-5419, CVE-2017-5420,
    CVE-2017-5405, CVE-2017-5421, CVE-2017-5422, CVE-2017-5399, CVE-2017-5398.
  .
  * debian/control*:
    - Bump nss and sqlite build dependencies.
    - Build depend on libjsoncpp-dev.
  * debian/rules:
    - Update ICU_DATA_FILE version.
    - Don't build against system sqlite until we have the right version in
      Debian.
  * debian/browser.lintian-overrides.in: Add a lintian override for NSPR and
    NSS.
  * debian/browser.install.in:
    - Install chrome.manifest, libmozsandbox.so and minidump-analyzer.
    - Remove browser/components.
  .
  * browser/installer/allowed-dupes.mn, toolkit/mozapps/installer/find-dupes.py,
    toolkit/mozapps/installer/packager.mk: Preprocess find-dupes exception
    list. bz#1315309.
  * config/system-headers, toolkit/crashreporter/jsoncpp/src/lib_json/moz.build,
    toolkit/crashreporter/minidump-analyzer/moz.build: Build against system
    libjsoncpp.

firefox-esr (45.9.0esr-1) unstable; urgency=medium
  .
  * New upstream release.
  * Fixes for mfsa2017-11, also known as:
    CVE-2017-5433, CVE-2017-5435, CVE-2017-5436, CVE-2017-5459, CVE-2017-5434,
    CVE-2017-5432, CVE-2017-5460, CVE-2017-5438, CVE-2017-5439, CVE-2017-5440,
    CVE-2017-5441, CVE-2017-5442, CVE-2017-5464, CVE-2017-5443, CVE-2017-5444,
    CVE-2017-5446, CVE-2017-5447, CVE-2017-5465, CVE-2017-5448, CVE-2017-5469,
    CVE-2017-5445, CVE-2017-5462, CVE-2017-5429.
  .
  * accessible/generic/ApplicationAccessible.h: Add missing null checks
    causing crashes with accessibility. Closes: #852149.

flightgear (3.0.0-5+deb8u3) jessie; urgency=high
  .
  [ Florent Rougon ]
  * Add two patches for CVE-2017-13709:
    - call-fgInitAllowedPaths-earlier-c7a2ae.patch (required by the next
      patch)
    - CVE-2017-13709-FGLogger-2a5e3d.patch
    Closes: #873439.
  .
  [ Markus Wanner ]
  * Massage patch meta information to fit DEP-3.

fontforge (20120731.b-5+deb8u1) jessie-security; urgency=high
  .
  * Import upstream patches fixing the following CVEs:
    CVE-2017-11577, CVE-2017-11576, CVE-2017-11575, CVE-2017-11574,
    CVE-2017-11572, CVE-2017-11571, CVE-2017-11569, CVE-2017-11568.

freeradius (2.2.5+dfsg-0.2+deb8u1) jessie-security; urgency=high
  .
  * Apply upstream patches:
    fr-ad-001.patch
    fr-gv-201.patch (CVE-2017-10978)
    fr-gv-202.patch (CVE-2017-10979)
    fr-gv-203.patch (CVE-2017-10980)
    fr-gv-204.patch (CVE-2017-10981)
    fr-gv-205.patch (CVE-2017-10982)
    fr-gv-206.patch (CVE-2017-10983)
    fr-gv-207.patch
    (Closes: #868765)

freexl (1.0.0g-1+deb8u4) jessie-security; urgency=high
  .
  * Add upstream patch to fix CVE-2017-2923 & CVE-2017-2924.
    (closes: #875690, #875691)

gajim (0.16-1+deb8u2) jessie-security; urgency=high
  .
  * Non-maintainer upload by the Security Team.
  * CVE-2016-10376: XEP-0146 extension can be abused by malicious XMPP
    servers. Add config option to activate XEP-0146 commands.
    (Closes: #863445)

gdk-pixbuf (2.31.1-2+deb8u6) jessie-security; urgency=medium
  .
  * CVE-2017-2862 (Closes: #874552)

gdk-pixbuf (2.31.1-2+deb8u5+kbsd8u2) jessie-kfreebsd; urgency=medium
  .
  * Upload to jessie-kfreebsd

gdk-pixbuf (2.31.1-2+deb8u5+kbsd8u1) jessie-kfreebsd; urgency=medium
  .
  * Upload to jessie-kfreebsd

ghostscript (9.06~dfsg-2+deb8u6) jessie-security; urgency=high
  .
  * Non-maintainer upload by the Security Team.
  * Bounds check the array allocations methods (CVE-2017-9835)
    (Closes: #869907)
  * Bounds check zone pointer in Ins_MIRP() (CVE-2017-9611) (Closes: #869917)
  * Bounds check zone pointers in Ins_IP() (CVE-2017-9612) (Closes: #869916)
  * Bounds check zone pointer in Ins_MDRP (CVE-2017-9726) (Closes: #869915)
  * Make bounds check in gx_ttfReader__Read more robust (CVE-2017-9727)
    (Closes: #869913)
  * Bounds check Ins_JMPR (CVE-2017-9739) (Closes: #869910)
  * Prevent trying to reloc a freed object (CVE-2017-11714) (Closes: #869977)

git (1:2.1.4-2.1+deb8u5) jessie-security; urgency=high
  .
  * Fix remote shell command execution via CVS protocol:
    - git-shell: drop cvsserver support by default
    - git-cvsserver: harden backtick captures against user input
  * Avoid shell command injection in other commands as well:
    - git-cvsimport: harden backtick captures against user input
    - git-archimport: harden backtick captures against user input
  .
    Thanks to joernchen of Phenoelit for discovering, reporting, and fixing
    this vulnerability, and to Junio C Hamano and Jeff King for the fixes to
    related issues.

git (1:2.1.4-2.1+deb8u4) jessie-security; urgency=high
  .
  * Fix CVE-2017-1000117, arbitrary code execution issues via URLs:
    - reject ssh hostname that begins with a dash
    - add test for hostname starting with dash to the testsuite
    - factor out "looks like command line option" check
    - reject dashed arguments to $GIT_PROXY_COMMAND
    - ssh:// and local URLs: reject path to repositories that look like
      command line options
  .
    Thanks to Joern Schneeweisz of Recurity Labs for discovering this
    vulnerability, Brian Neel at GitLab for reporting it to the Git project,
    and Junio Hamano and Jeff King for writing the patches to address it.

gnupg (1.4.18-7+deb8u4) jessie-security; urgency=high
  .
  * Backport fixes for CVE-2017-7526 from STABLE-BRANCH-1-4 branch

gsoap (2.8.17-1+deb8u1) jessie; urgency=medium
  .
  * Fix for CVE-2017-9765
    Integer overflow in the soap_get function in Genivia gSOAP 2.7.x and 2.8.x
    before 2.8.48, allows remote attackers to execute arbitrary code or cause a
    denial of service (stack-based buffer overflow and application crash) via
    a large XML document.

hexchat (2.10.1-1+deb8u2) jessie; urgency=medium
  .
  * Fix segfault on /server, by adding missing braces around an `if`.
    (Closes: #779892)

icu (52.1-8+deb8u6) jessie; urgency=high
  .
  * Backport upstream security fix for CVE-2017-14952: double free in
    createMetazoneMappings() (closes: #878840).

imagemagick (8:6.8.9.9-5+deb8u11) jessie-security; urgency=medium
  .
  * Multiple security fixes
    CVE-2017-12983 (Closes: #873134)
    CVE-2017-13134 (Closes: #873099)
    CVE-2017-13769 (Closes: #878507)
    CVE-2017-14224 (Closes: #876097)
    CVE-2017-14607 (Closes: #878527)
    CVE-2017-14682 (Closes: #876488)
    CVE-2017-14989 (Closes: #878562)
    CVE-2017-15277 (Closes: #878578)
    CVE-2017-11352 (Closes: #868469)
    CVE-2017-11640 (Closes: #870067)
    CVE-2017-12431 (Closes: #869715)
    CVE-2017-12640 (Closes: #870106)
    CVE-2017-13139 (Closes: #870109)
    CVE-2017-13144 (Closes: #869728)
    CVE-2017-13758 (Closes: #878508)
    CVE-2017-16546 (Closes: #881392)
    CVE-2017-12877 (Closes: #872373)

imagemagick (8:6.8.9.9-5+deb8u10) jessie-security; urgency=high
  .
  * Fix security bugs:
    + Previous CVE-2017-9144 fix was incomplete.
      A crafted RLE image can trigger a crash because of incorrect EOF
      handling in coders/rle.c (Closes: #863126)
    + CVE-2017-10928: A heap-based buffer over-read in the GetNextToken
      function in token.c allows remote attackers to obtain sensitive
      information from process memory or possibly have unspecified other
      impact via a crafted SVG document that is mishandled in the
      GetUserSpaceCoordinateValue function in coders/svg.c. (Closes: #867367).
    + CVE-2017-9500: An assertion failure was found in the function
      ResetImageProfileIterator, which allows attackers to cause a denial of
      service via a crafted file. (Closes: #867778).
    + CVE-2017-9501: An assertion failure was found in the function
      LockSemaphoreInfo, which allows attackers to cause a denial of service
      via a crafted file. (Closes: #867721).
    + CVE-2017-9440: A memory leak was found in the function ReadPSDChannel in
      coders/psd.c, which allows attackers to cause a denial of service via a
      crafted file. (Closes: #864273).
    + CVE-2017-9439: A memory leak was found in the function ReadPDBImage in
      coders/pdb.c, which allows attackers to cause a denial of service via a
      crafted file. (Closes: #864274).
    + CVE-2017-11188: CPU exhaustion in ReadDPXImage
      Because dpx.file.image_offset is an unsigned int, it can be controlled
      to be as large as 4294967295. This causes ImageMagick to spend a lot of
      time processing a crafted DPX image file, even if the image file is very
      small. (Closes: #867806)
    + CVE-2017-11141: memory exhaustion in ReadMATImage
      When identifying a MAT file, imagemagick will allocate memory to store
      data in function ReadMATImage. Modifying MAT's MATLAB_HDR field can
      cause ImageMagick to allocate an arbitrary amount of memory, which may
      cause memory exhaustion. (Closes: #868264)
    + CVE-2017-11170: memory exhaustion in ReadTGAImage
      When identifying a VST file, imagemagick will allocate memory to store
      data in function ReadTGAImage in coders/tga.c, using the
      tga_info.bits_per_pixel field directly from the VST file without
      checking it in tga.c. Reviewing the function code, the maximum valid
      value of tga_info.bits_per_pixel is 32. On a 32-bit OS, size_t one will
      be 32 bits, so image->colors can overflow to 0. On a 64-bit OS, size_t
      one will be 64 bits, so image->colors can be as large as 0x100000000
      (64GB). (Closes: #868184)
    + Memory exhaustion in ReadCINImage
      When identifying a CIN file that contains user defined data,
      imagemagick will allocate memory to store the data in function
      ReadCINImage in coders\inc.c. There is a security check in the function
      SetImageExtent, but it is after the memory allocation, so IM cannot
      control the memory usage. (Closes: #867810)
    + CPU exhaustion in ReadRLEImage
      A corrupted rle file could trigger a DOS. (Closes: #867808)
    + Memory leak in ReadDIBImage in dib.c
      The ReadDIBImage function in dib.c allows attackers to cause a denial
      of service (memory leak) via a small crafted dib file.
(Closes: #867811) + Memory exhaustion in ReadDPXImage in dpx.c When identify DPX file that contains user header data, imagemagick will allocate memory to store the data in function ReadDPXImage in coders\dpx.c There is a security checking in the function SetImageExtent, but it is too late, so IM can not control the memory usage. (Closes: #867812) + Enable heap overflow check for stdin for mpc files Enabling seekable streams is required to ensure checking the blob size works when an image is streamed on stdin. (Closes: #867896) + Assertion failure in WriteBlob A crafted file revealed an assertion failure in blob.c. (Closes: #867798) + Memory exhaustion in ReadEPTImage in ept.c When identify EPT file , imagemagick will allocate memory to store the data. There is a security checking in the function SetImageExtent, but it is not used in the allocation function, so IM can not control the memory usage. (Closes: #867821) + CPU exhaustion in ReadOneJNGImage Due to lack of validation of PNG format, imagemagick could loop 2^32 in a CPU intensive loop. (Closes: #867824, #867825). + CPU exhaustion in ReadOneDJVUImag Due to lack of format validation, a crafted file will cause a loop to run endless. (Closes: #867826). + Zero pixel buffer Avoid a data leak in case of incorrect file by clearing a buffer (Closes: #867893). + memory leak in ReadMATImage in mat.c The ReadMATImage function in mat.c allows attackers to cause a denial of service (memory leak) via a small crafted mat file. (Closes: #867823). + Avoid heap based overflow for jpeg A corrupted jpeg file could trigger an heap overflow (Closes: #867894). + Fix a memory leak in screenshot coder (Closes: #867897) + CVE-2017-9409: Memory leak in the icon file coder. (Closes: #864087) + CVE-2017-9407: the ReadPALMImage function in palm.c allows attackers to cause a denial of service (memory leak) via a crafted file. (Closes: #864089). 
+ CVE-2017-9409: the ReadMPCImage function in mpc.c allows attackers to cause a denial of service (memory leak) + CVE-2017-9262: Memory leak in the ReadJNGImage function (Closes: #863834). + CVE-2017-9261: Memory leak in the ReadMNGImage function (Closes: #863833). ioquake3 (1.36+u20140802+gca9eebb-2+deb8u2) jessie-security; urgency=medium . * Add patch from upstream: + Address read buffer overflow in MSG_ReadBits (CVE-2017-11721) (Closes: #870725) + Check buffer boundary exactly in MSG_WriteBits, instead of potentially failing with a few bytes still available irssi (0.8.17-1+deb8u5) jessie-security; urgency=high . * Non-maintainer upload by the Security Team. * Address IRSSI-SA-2017-07. - CVE-2017-10965: NULL pointer dereference when receiving messages with invalid timestamp. - CVE-2017-10966: Use after free after nicklist structure has been corrupted while updating a nick group. (Closes: #867598) * Address IRSSI-SA-2017-10. - CVE-2017-15228: Unterminated colour formatting sequences may cause data access beyond the end of the buffer. - CVE-2017-15227: Failure to remove destroyed channels from the query list while waiting for the channel synchronisation may result in use after free conditions when updating the state later on. - CVE-2017-15721: Certain incorrectly formatted DCC CTCP messages could cause NULL pointer dereference. - CVE-2017-15723: Overlong nicks or targets may result in a NULL pointer dereference while splitting the message. - CVE-2017-15722: Read beyond end of buffer may occur if a Safe channel ID is not long enough. (Closes: #879521) jackson-databind (2.4.2-2+deb8u2) jessie-security; urgency=high . * Team upload * CVE-2017-15095: incomplete fixes for CVE-2017-7525 jackson-databind (2.4.2-2+deb8u1) jessie-security; urgency=high . * Team upload. * Fix CVE-2017-7525: Deserialization vulnerability via readValue method of ObjectMapper. (Closes: #870848) kdepim (4:4.14.1-1+deb8u1) jessie; urgency=high . * Team upload. 
* Fix CVE-2017-9604: Send Later with Delay bypasses OpenPGP (Closes: #864804) - Added upstream patch 78c5552be2f00a4ac25bd77ca39386522fca70a8 in file fix-CVE-2017-9604.patch - Added upstream patch c54706e990bbd6498e7b1597ec7900bc809e8197 in file fix-CVE-2017-9604.p2.patch (nowadays messagelib) kedpm (1.0+deb8u1) jessie; urgency=high . * CVE-2017-8296: fix information leak via command history file (Closes: #860817) keyringer (0.3.7-1+deb8u1) jessie-proposed-updates; urgency=medium . * debian/patches backported from version 0.5.0 * Handle subkeys without expiration date (Closes: #847963) * Handle public keys listed multiple times (Closes: #847964) konversation (1.5-2+deb8u1) jessie-security; urgency=high . * Non-maintainer upload by the Security Team. * CVE-2017-15923: Crash in parsing IRC color formatting codes (Closes: #881586) krb5 (1.12.1+dfsg-19+deb8u4) jessie; urgency=medium . * New version number; same code as deb8u3 but rebuilt to build arch all packages and because dgit doesn't deal well with reusing a version number when a package is rejected libav (6:11.11-1~deb8u1) jessie-security; urgency=medium . * Non-maintainer upload by the Security Team. * New upstream release fixing multiple security issues. - dfa: Disallow odd width/height and add proper bounds check for DDS1 chunks (CVE-2017-9992) - pictor: Correctly check frame dimensions (CVE-2017-7862) - h264_cavlc: check the value of run_before - dvbsubdec: improve error checking - dvbsubdec: Fixed segfault when decoding subtitles - rmdec: don't ignore the return value of av_get_packet() - caf: add an Opus tag - yadif: Account for the buffer alignment while processing the frame edges - mov: log and return early on non-positive stsd entry counts - arm: Fix SIGBUS on ARM when compiled with binutils 2.29 - smacker: return meaningful error codes on failure - smacker: fix integer overflow with pts_inc - mm: Skip unexpected audio packets - aacsbr: Turnoff in the event of over read. 
- smacker: Check that the data size is a multiple of a sample vector (CVE-2015-8365) - build: Add an option for passing linker flags to the shared library build - flv: Validate the packet size - mjpeg: Report non-3 component rgb lossless as not supported - vc1dec: raise an error if sprite picture data is missing - doc: Drop the legacy symlink to README libdatetime-timezone-perl (1:1.75-2+2017c) jessie; urgency=medium . * Update to Olson database version 2017c. This update contains contemporary changes for Northern Cyprus, Fiji, Namibia, Sudan, Tonga, and Turks & Caicos. libdbi (0.9.0-4+deb8u1) jessie; urgency=medium . * Backport fix to re-enable a call to _error_handler() that was commented out for no obvious reason in dbi_result_next_row() . libembperl-perl (2.5.0-4+deb8u1) jessie; urgency=medium . [ Axel Beckert ] * Change hard dependency on mod_perl in zembperl.load to Recommends. mod_perl is not required, and is enabled by default anyway if it is installed. This change matches the package dependencies and fixes an installation failure when libapache2-mod-perl2 is not installed. (Closes: #810655) libgd2 (2.1.0-5+deb8u11) jessie-security; urgency=high . * Non-maintainer upload by the Security Team. * CVE-2017-6362: Double-free in gdImagePngPtr() libgd2 (2.1.0-5+deb8u10) jessie-security; urgency=high . * Non-maintainer upload by the Security Team. * CVE-2017-7890: Fix unitialized memory read vulnerability in GIF reading (Closes: #869263) libidn2-0 (0.10-2+deb8u1) jessie-security; urgency=high . * CVE-2017-14062: Fix integer overflow in decode_digit (Closes: #873902) * Add myself to Uploaders: * Update d/gbp.conf for jessie updates libio-socket-ssl-perl (2.002-2+deb8u3) jessie; urgency=medium . * Fix segfault using malformed client certificates (Closes: #881711) liblouis (2.5.3-3+deb8u1) jessie; urgency=medium . * Apply RedHat's patch to fix CVE-2014-8184 (Closes: Bug#880621). * Fix RedHat's patch. libmspack (0.5-1+deb8u1) jessie-security; urgency=high . 
* Non-maintainer upload. * Correct rejection of empty strings. * Fix mis-handling of sys->read() errors in cabd_read_string() (CVE-2017-11423) (Closes: #868956). * Reject negative output length in SpanInfo (CVE-2017-6419) (Closes: #871263). libofx (1:0.9.10-1+deb8u1) jessie; urgency=medium . * Add upstream patches to fix: - CVE-2017-2816 (Closes: #875801). - CVE-2017-14731 (Closes: #877442). libpam4j (1.4-2+deb8u1) jessie-security; urgency=high . * Team upload. * Fix CVE-2017-12197 (Closes: #879001): It was discovered that libpam4j does not call pam_acct_mgmt(). As a consequence, the PAM account is not properly verified. Any user with a valid password but with deactivated or disabled account was able to log in. libraw (0.16.0-9+deb8u3) jessie-security; urgency=high . * debian/patches/: patchset updated - 0003-Fix_CVE-2017-6886.patch added | CVE-2017-6886, CVE-2017-6887: | Fix various buffer overflows that can be exploited | via crafted input files. Thanks to Emilio Pozuelo Monfort (pochu) for the patch. libreoffice (1:4.3.3-2+deb8u9) jessie-security; urgency=medium . * debian/patches/CVE-2017-1260{6,7}.diff: don't create empty test files * debian/patches/CVE-2017-12608.diff: remove filters-test.cxx hunk libreoffice (1:4.3.3-2+deb8u8) jessie-security; urgency=medium . * debian/rules: - make i386 make check notfatal for now given the i386 Java Stack Clash regression * debian/patches/CVE-2017-12607.diff, debian/patches/CVE-2017-12608.diff. debian/patches/series: apply patches for above CVEs libsoup2.4 (2.48.0-1+deb8u1) jessie-security; urgency=high . * Non-maintainer upload by the Security Team. * Fix chunked decoding buffer overrun (CVE-2017-2885) libspring-ldap-java (1.3.1.RELEASE-5+deb8u1) jessie-security; urgency=high . * Team upload. 
* Fix CVE-2017-8028: Tobias Schneider discovered that Spring-LDAP would allow authentication with an arbitrary password when the username is correct, no additional attributes are bound and when using LDAP BindAuthenticator with DefaultTlsDirContextAuthenticationStrategy as the authentication strategy and setting userSearch. This occurs because some LDAP vendors require an explicit operation for the LDAP bind to take effect. libwnckmm (0.1.1-1+deb8u1) jessie; urgency=medium . * Make libwnckmm-1.0-0-dev depend on the same version of libwnckmm-1.0-0. (closes: #796530) * Use jquery.js from libjs-jquery. libwpd (0.10.0-2+deb8u1) jessie; urgency=medium . * debian/patches/libwpd-tdf112269.diff: backport patch to fix CVE-2017-14226 (closes: #876001) libx11 (2:1.6.2-3+deb8u1) jessie; urgency=medium . * Insufficient validation of data from the X server can cause out of boundary memory read (XGetImage()) or write (XListFonts()). Addresses CVE-2016-7942 and CVE-2016-7943. libxfixes (1:5.0.1-2+deb8u1) jessie; urgency=high . * Integer overflow on illegal server response (CVE-2016-7944) libxfont (1:1.5.1-1+deb8u1) jessie-security; urgency=high . * Check for end of string in PatternMatch (CVE-2017-13720) * pcfGetProperties: Check string boundaries (CVE-2017-13722) libxi (2:1.7.4-1+deb8u1) jessie; urgency=medium . * Insufficient validation of data from the X server can cause out of boundary memory access or endless loops. Addresses CVE-2016-7945 and CVE-2016-7946. libxml-libxml-perl (2.0116+dfsg-1+deb8u2) jessie-security; urgency=high . * Team upload. * CVE-2017-10672: Use-after-free by controlling the arguments to a replaceChild call (Closes: #866676) libxml2 (2.9.1+dfsg1-5+deb8u5) jessie-security; urgency=high . * Non-maintainer upload by the Security Team. * Increase buffer space for port in HTTP redirect support (CVE-2017-7376) Incorrect limit was used for port values. 
(Closes: #870865) * Prevent unwanted external entity reference (CVE-2017-7375) Missing validation for external entities in xmlParsePEReference. (Closes: #870867) * Fix handling of parameter-entity references (CVE-2017-9049, CVE-2017-9050) - Heap-based buffer over-read in function xmlDictComputeFastKey (CVE-2017-9049). - Heap-based buffer over-read in function xmlDictAddString (CVE-2017-9050). (Closes: #863019, #863018) * Fix buffer size checks in xmlSnprintfElementContent (CVE-2017-9047, CVE-2017-9048) - Buffer overflow in function xmlSnprintfElementContent (CVE-2017-9047). - Stack-based buffer overflow in function xmlSnprintfElementContent (CVE-2017-9048). (Closes: #863022, #863021) * Fix type confusion in xmlValidateOneNamespace (CVE-2017-0663) Heap buffer overflow in xmlAddID. (Closes: #870870) libxrandr (2:1.4.2-1+deb8u1) jessie; urgency=medium . * Avoid out of boundary accesses on illegal responses. Addresses CVE-2016-7947 and CVE-2016-7948. libxtst (2:1.2.2-1+deb8u1) jessie; urgency=medium . * Insufficient validation of data from the X server can cause out of boundary memory access or endless loops. Addresses CVE-2016-7951 and CVE-2016-7952. libxv (2:1.0.10-1+deb8u1) jessie; urgency=high . * Protocol handling issues in libXv (CVE-2016-5407) libxvmc (2:1.0.8-2+deb8u1) jessie; urgency=medium . * Avoid buffer underflow on empty strings (CVE-2016-7953) linux (3.16.51-2) jessie; urgency=medium . * [mips*] inst: Avoid ABI change in 3.16.51 linux (3.16.51-1) jessie; urgency=medium . 
* New upstream stable update: https://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.16.49 - sched/topology: Refactor function build_overlap_sched_groups() - sched/topology: Fix building of overlapping sched-groups - sched/topology: Fix overlapping sched_group_mask - sched/topology: Fix overlapping sched_group_capacity - mwifiex: fixup error cases in mwifiex_add_virtual_intf() - f2fs: load inode's flag from disk - f2fs: try to freeze in gc and discard threads - [arm64] Preventing READ_IMPLIES_EXEC propagation - [x86] drm/i915: Workaround VLV/CHV DSI scanline counter hardware fail - mceusb: fix memory leaks in error path - [x86] kvm: vmx: Do not disable intercepts for BNDCFGS - [x86] kvm: Guest BNDCFGS requires guest MPX support - [x86] kvm: vmx: Check value written to IA32_BNDCFGS - e1000e: Fix Runtime PM blocks EEE link negotiation in S5 - e1000e: Undo e1000e_pm_freeze if __e1000_shutdown fails - perf/core: Correct event creation with PERF_FORMAT_GROUP - Bluetooth: use constant time memory comparison for secret values - vxlan: dont migrate permanent fdb entries during learn - usb: usbip: set buffer pointers to NULL after free - usb: Fix typo in the definition of Endpoint[out]Request - PCI: Correct PCI_STD_RESOURCE_END usage - md: don't use flush_signals in userspace processes - udf: Fix races with i_size changes during readpage - udf: Fix deadlock between writeback and udf_setsize() - NFC: fix broken device allocation - ASoC: compress: Derive substream from stream based on direction - Btrfs: skip commit transaction if we don't have enough pinned bytes - [x86] xhci: Limit USB2 port wake support for AMD Promontory hosts - [x86] nmi: Fix timeout test in test_nmi_ipi() - Btrfs: fix invalid extent maps due to hole punching - iwlwifi: mvm: fix the recovery flow while connecting - staging: comedi: fix clean-up of comedi_class in comedi_init() - [s390*] af_iucv: Move sockaddr length checks to before accessing sa_family in bind and connect handlers - scsi: virtio_scsi: 
let host do exception handling - scsi: bnx2i: missing error code in bnx2i_ep_connect() - [mips*] Bail on unsupported module relocs - [mips*] module: Ensure we always clean up r_mips_hi16_list - [mips*] Fix mips_atomic_set() retry condition - [mips*] Save static registers before sysmips - ath9k: fix tx99 use after free - ath9k: fix tx99 bus error - libertas: Fix lbs_prb_rsp_limit_set() - vfio: Fix group release deadlock - vfio: New external user group/file match - [x86] PCI: Mark Haswell Power Control Unit as having non-compliant BARs - [x86] PCI: Work around poweroff & suspend-to-RAM issue on Macbook Pro 11 - PM / Domains: Fix unsafe iteration over modified list of device links - [mips*] math-emu: Prevent wrong ISA mode instruction emulation - [mips*] Actually decode JALX in `__compute_return_epc_for_insn' - [mips*] Fix unaligned PC interpretation in `compute_return_epc' - [mips*] Send SIGILL for BPOSGE32 in `__compute_return_epc_for_insn' - Add USB quirk for HVR-950q to avoid intermittent device resets - [arm64] ptrace: Avoid setting compat FP[SC]R to garbage if get_user fails - mwifiex: do not update MCS set from hostapd - PCI/PM: Restore the status of PCI devices across hibernation - scsi: ses: do not add a device to an enclosure if enclosure_add_links() fails. 
- scsi: Add STARGET_CREATED_REMOVE state to scsi_target_state - ipv6: always add flag an address that failed DAD with DADFAILED - ipv6: dad: don't remove dynamic addresses if link is down - [x86] xen: allow userspace access during hypercalls - [x86] drm/i915: Disable MSI for all pre-gen5 - RDMA/uverbs: Check port number supplied by user verbs cmds - net: reflect mark on tcp syn ack packets - [s390*] syscalls: Fix out of bounds arguments access - CIFS: fix circular locking dependency - tpm: fix a kernel memory leak in tpm-sysfs.c - target: Fix COMPARE_AND_WRITE caw_sem leak during se_cmd quiesce - cfg80211: Check if PMKID attribute is of expected size - cfg80211: Define nla_policy for NL80211_ATTR_LOCAL_MESH_POWER_MODE - cfg80211: Validate frequencies nested in NL80211_ATTR_SCAN_FREQUENCIES - [x86] drm/radeon: Fix eDP for single-display iMac10,1 (v2) - mm/mmap.c: do not blow on PROT_NONE MAP_FIXED holes in the stack (Closes: #865416) - fs/dcache.c: fix spin lockup issue on nlru->lock - [powerpc*] asm: Mark cr0 as clobbered in mftb() - [mips*] Negate error syscall return in trace - iscsi-target: Add login_keys_workaround attribute for non RFC initiators - [powerpc*] Fix emulation of mfocrf in emulate_step() - [powerpc*/*64*] Fix atomic64_inc_not_zero() to return an int - PM / QoS: return -EINVAL for bogus strings - Input: i8042 - fix crash at boot time - sysctl: fix lax sysctl_check_table() sanity check - sunrpc: use constant time memory comparison for mac - ubifs: Correctly evict xattr inodes - ubifs: Don't leak kernel memory to the MTD - mm: fix overflow check in expand_upwards() - reiserfs: preserve i_mode if __reiserfs_set_acl() fails - jfs: preserve i_mode if __jfs_set_acl() fails - f2fs: preserve i_mode if __f2fs_set_acl() fails - btrfs: preserve i_mode if __btrfs_set_acl() fails - saa7164: fix double fetch PCIe access condition (CVE-2017-8831) - l2tp: avoid use-after-free caused by l2tp_ip_backlog_recv - net/route: enforce hoplimit max value - ipv4/fib: don't 
warn when primary address is missing if in_dev is dead - net_dbg_ratelimited: turn into no-op when !DEBUG - net: Implement net_dbg_ratelimited() for CONFIG_DYNAMIC_DEBUG case - net: Don't forget pr_fmt on net_dbg_ratelimited for CONFIG_DYNAMIC_DEBUG - net sched filters: fix notification of filter delete with proper handle - Revert "ACPI / EC: Add support to disallow QR_EC to be issued before completing previous QR_EC" - drm/irq: BUG_ON() -> WARN_ON() - [x86] efi: Avoid triple faults during EFI mixed mode calls - [armhf] usb: musb: cppi41: correct the macro name EP_MODE_AUTOREG_* - [armhf] usb: musb: cppi41: improve rx channel abort routine - v4l2-dv-timings.h: fix polarity for 4k formats - Input: ads7846 - correct the value got from SPI - Btrfs: don't use src fd for printk - [armhf] serial: samsung: Reorder the sequence of clock control when call s3c24xx_serial_set_termios() - misc: ad525x_dpot: Fix the enabling of the "otpXen" attributes - [x86] perf: Honor the architectural performance monitoring version - [i386] perf: Fix undefined shift on 32-bit kernels - [powerpc*] macintosh/therm_windtunnel: Export I2C module alias information - [arm64] Rework valid_user_regs - mm/swap.c: flush lru pvecs on compound page arrival - [s390*] seccomp: fix error return for filtered system calls - mm: thp: fix SMP race condition between THP page fault and MADV_DONTNEED - PCI: Support PCIe devices with short cfg_size - PCI: Limit config space size for Netronome NFP6000 family - PCI: Limit config space size for Netronome NFP4000 - [x86] netvsc: fix incorrect receive checksum offloading - fs/cifs: make share unaccessible at root level mountable - cifs: Fix memory leaks in cifs_do_mount() - cifs: Compare prepaths when comparing superblocks - cifs: Move check for prefix path to within cifs_get_root() - cifs: Fix regression which breaks DFS mounting - cifs: Fix match_prepath() - sched: move no_new_privs into new atomic flags - sched: fix confusing PFA_NO_NEW_PRIVS constant - sched: add 
macros to define bitops for task atomic flags - cpuset: PF_SPREAD_PAGE and PF_SPREAD_SLAB should be atomic flags - dm: flush queued bios when process blocks to avoid deadlock https://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.16.50 - fuse: initialize the flock flag in fuse_file on allocation - md: Raid5 should update rdev->sectors after reshape - net: bridge: fix dest lookup when vlan proto doesn't match - net/packet: Fix Tx queue selection for AF_PACKET - usb: storage: return on error to avoid a null pointer dereference - libceph: potential NULL dereference in ceph_msg_data_create() - ASoC: do not close shared backend dailink - [x86] drm/vmwgfx: Fix gcc-7.1.1 warning - netfilter: ipt_CLUSTERIP: fix use-after-free of proc entry - libata: array underflow in ata_find_dev() - workqueue: restore WQ_UNBOUND/max_active==1 to be ordered - nfs: mount: copy the port field into the cloned nfs_server structure. - [x86] acpi: Prevent out of bound access caused by broken ACPI tables - [armel,armhf] kexec: Make .text R/W in machine_kexec - [armel,armhf] kexec: fix failure to boot crash kernel - xhci: Fix NULL pointer dereference when cleaning up streams for removed host - xhci: Bad Ethernet performance plugged in ASM1042A host - xhci: fix 20000ms port resume timeout - xhci: fix memleak in xhci_run() - tracing: Fix kmemleak in instance_rmdir - cxgb4: Fix error codes in c4iw_create_cq() - IB/cxgb3: Fix error codes in iwch_alloc_mr() - RDMA/ocrdma: Fix an error code in ocrdma_alloc_pd() - RDMA/ocrdma: Fix error codes in ocrdma_create_srq() - IB/cma: Fix a race condition in iboe_addr_get_sgid() - IB/cma: Fix reference count leak when no ipv4 addresses are set - RDMA/uverbs: Fix the check for port number - RDMA/core: Initialize port_num in qp_attr - ipv4: initialize fib_trie prior to register_netdev_notifier call. 
- perf/core: Fix locking for children siblings group read - iwlwifi: dvm: prevent an out of bounds access - IB/ipoib: Prevent setting negative values to max_nonsrq_conn_qp - IB/ipoib: Set IPOIB_NEIGH_TBL_FLUSH after flushed completion initialization - IB/ipoib: Remove double pointer assigning - [powerpc*] KVM: Book3S HV: Enable TM before accessing TM registers - [x86] kprobes: Release insn_slot in failure path - md/raid5: add thread_group worker async_tx_issue_pending_all - workqueue: implicit ordered attribute should be overridable - [powerpc*] pseries: Fix of_node_put() underflow during reconfig remove - media: lirc: LIRC_GET_REC_RESOLUTION should return microseconds - [x86] iommu/amd: Fix schedule-while-atomic BUG in initialization code - [powerpc*] mm/hash: Free the subpage_prot_table correctly - sctp: don't dereference ptr before leaving _sctp_walk_{params, errors}() - sctp: fix the check for _sctp_walk_params and _sctp_walk_errors - net/mlx5: Fix command bad flow on command entry allocation failure - USB: hcd: Mark secondary HCD as dead if the primary one died - batman-adv: fix TT sync flag inconsistencies - iwlwifi: mvm: set the RTS_MIMO_PROT bit in flag mask when sending sta to fw - USB: serial: option: add D-Link DWM-222 device ID - [x86] KVM: async_pf: make rcu irq exit if not triggered from idle task - net/mlx4_en: Fix wrong indication of Wake-on-LAN (WoL) support - ocfs2: don't clear SGID when inheriting ACLs - ipv6: set rt6i_protocol properly in the route when it is installed - RDMA/uverbs: Prevent leak of reserved field - IB/uverbs: Fix device cleanup - ext4: fix SEEK_HOLE/SEEK_DATA for blocksize < pagesize - ext4: fix overflow caused by missing cast in ext4_resize_fs() - iscsi-target: Fix iscsi_np reset hung task during parallel delete - [s390*] qeth: fix L3 next-hop in xmit qeth hdr - scsi: st: fix blk_get_queue usage - net: reduce skb_warn_bad_offload() noise - net: skb_needs_check() accepts CHECKSUM_NONE for tx - net: avoid skb_warn_bad_offload 
false positives on UFO - [x86] crypto: sha1 - Fix reads beyond the number of blocks passed - [amd64] asm: Clear AC on NMI entries - USB: Check for dropped connection before switching to full speed - mm: migrate: prevent racy access to tlb_flush_pending - xfs: fix inobt inode allocation search optimization - af_key: do not use GFP_KERNEL in atomic contexts - audit: Fix use after free in audit_remove_watch_rule() - dst: Increase alignment of metrics to allow extra flag on pointers - ipv4: add reference counting to metrics - ipv4: fix NULL dereference in free_fib_info_rcu() - net_sched/sfq: update hierarchical backlog when drop packet - netxen: fix incorrect loop counter decrement - mm/mempolicy: fix use after free when calling get_mempolicy - ipv6: reset fn->rr_ptr when replacing route - net_sched: fix order of queue length updates in qdisc_replace() - drm: Release driver tracking before making the object available again - ALSA: core: Fix unexpected error at replacing user TLV - [arm64] fpsimd: Prevent registers leaking across exec - [arm64] mm: abort uaccess retries upon fatal signal - ipv6: accept 64k - 1 packet length in ip6_find_1stfragopt() - ALSA: hda - Add stereo mic quirk for Lenovo G50-70 (17aa:3978) - cifs: Fix df output for users with quota limits - cifs: return ENAMETOOLONG for overlong names in cifs_open()/cifs_lookup() - tracing: Fix freeing of filter in create_filter() when set_str is false - qlge: avoid memcpy buffer overflow - nfsd: Limit end of page list when decoding NFSv4 WRITE - mtd: nandsim: remove debugfs entries in error path - [x86] netvsc: fix deadlock betwen link status and removal - perf/core: Fix group {cpu,task} validation - PM/hibernate: touch NMI watchdog when creating snapshot - ipv6: add rcu grace period before freeing fib6_node - ipv6: Fix may be used uninitialized warning in rt6_check - r8169: Do not increment tx_dropped in TX ring cleaning - r8169: Be drop monitor friendly - vfs: Clarify (and fix) MAX_LFS_FILESIZE macros - 
xfrm_user: fix info leak in xfrm_notify_sa() - xfrm_user: fix info leak in build_aevent() - dm: fix printk() rate limiting code - l2tp: initialise session's refcount before making it reachable - l2tp: hold tunnel while looking up sessions in l2tp_netlink - l2tp: hold tunnel while processing genl delete command - l2tp: hold tunnel while handling genl tunnel updates - l2tp: hold tunnel while handling genl TUNNEL_GET commands - l2tp: hold tunnel used while creating sessions with netlink - ipv6: fix sparse warning on rt6i_node - [x86] ldt: Fix off by one in get_segment_base() - [x86] i2c: ismt: Don't duplicate the receive length for block reads - [x86] i2c: ismt: Return EMSGSIZE for block reads with bogus length - CIFS: Fix maximum SMB2 header size - CIFS: remove endian related sparse warning - net_sched: fix error recovery at qdisc creation - sch_htb: fix crash on init failure - sch_multiq: fix double free on init failure - sch_hhf: fix null pointer dereference on init failure - sch_hfsc: fix null pointer deref and double free on init failure - sch_cbq: fix null pointer dereferences on init failure - sch_fq_codel: avoid double free on init failure - sch_netem: avoid null pointer deref on init failure - sch_tbf: fix two null pointer dereferences on init failure - epoll: fix race between ep_poll_callback(POLLFREE) and ep_free()/ ep_remove() - cifs: check MaxPathNameComponentLength != 0 before using it - brcmfmac: add length check in brcmf_cfg80211_escan_handler() (CVE-2017-0786) - fix unbalanced page refcounting in bio_map_user_iov (CVE-2017-12190) - KEYS: prevent KEYCTL_READ on negative key - assoc_array: Fix a buggy node-splitting case (CVE-2017-12193) - mac80211: accept key reinstall without changing anything (CVE-2017-13080) - ALSA: seq: Fix use-after-free at creating a port (CVE-2017-15265) - KEYS: don't let add_key() update an uninstantiated key (CVE-2017-15299) - packet: hold bind lock when rebinding to fanout hook (CVE-2017-15649) - packet: in packet_do_bind, 
test fanout with bind_lock held (CVE-2017-15649) - ALSA: usb-audio: Kill stray URB at exiting (CVE-2017-16527) - ALSA: usb-audio: Check out-of-bounds access by corrupted buffer descriptor (CVE-2017-16529) - USB: uas: fix bug in handling of alternate settings (CVE-2017-16530) - USB: fix out-of-bounds in usb_set_configuration (CVE-2017-16531) - usb: usbtest: fix NULL pointer dereference (CVE-2017-16532) - HID: usbhid: fix out-of-bounds bug (CVE-2017-16533) - USB: core: fix out-of-bounds access bug in usb_get_bos_descriptor() (CVE-2017-16535) - ALSA: seq: Enable 'use' locking in all configurations - [x86] platform: samsung-laptop: Initialize loca variable - mm/init: fix zone boundary creation - module: fix types of device tables aliases - mm/hugetlb: improve locking in dissolve_free_huge_pages() - cpumask_set_cpu_local_first => cpumask_local_spread, lament - [arm64] Input: joystick - use get_cycles on ARMv8 - [armhf] ASoC: fsl-ssi: fix do_div build warning in fsl_ssi_set_bclk() - i2o: hide unsafe ioctl on 64-bit - paride: fix the "verbose" module param - aic94xx: Skip reading user settings if flash is not found - i40e: Reduce stack in i40e_dbg_dump_desc - mISDN: avoid arch specific __builtin_return_address call - net: am2150: fix nmclan_cs.c shared interrupt handling - am2150: Update nmclan_cs.c to use update PCMCIA API - net: tulip: turn compile-time warning into dev_warn() - hostap: avoid uninitialized variable use in hfa384x_get_rid - Staging: lustre: missing curly braces in ll_setattr_raw() - [x86] Staging: wlan-ng: fix sparse warning in prism2fw.c - [x86] xen: fix upper bound of pmd loop in xen_cleanhighmap() - [x86] boot: Add CONFIG_PARAVIRT_SPINLOCKS quirk to arch/x86/boot/compressed/misc.h - [armhf] 8296/1: cache-l2x0: clean up aurora cache handling - staging: r8192ee: prorperly format warning message - mtd: cfi: reduce stack size - perf: Avoid horrible stack usage - e1000e: fix call to do_div() to use u64 arg - [x86] i2c: ismt: Separate I2C block read from 
SMBus block read
    https://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.16.51
    - IB/core: Fix the validations of a multicast LID in attach or detach operations
    - fcntl: Don't use ambiguous SIG_POLL si_codes
    - printk: only unregister boot consoles when necessary
    - printk/console: Always disable boot consoles that use init memory before it is freed
    - [x86] rtlwifi: rtl8821ae: Fix HW_VAR_NAV_UPPER operation
    - [powerpc*] mm: Fix check of multiple 16G pages from device tree
    - [x86] PCI: shpchp: Enable bridge bus mastering if MSI is enabled
    - dlm: avoid double-free on error path in dlm_device_{register,unregister}
    - media: v4l2-compat-ioctl32: Fix timespec conversion
    - [armhf] OMAP2+: omap_device: drop broken RPM status update from suspend_noirq
    - [amd64] fsgsbase: Report FSBASE and GSBASE correctly in core dumps
    - [s390*] scsi: zfcp: fix queuecommand for scsi_eh commands when DIX enabled
    - [s390*] scsi: zfcp: add handling for FCP_RESID_OVER to the fcp ingress path
    - [s390*] scsi: zfcp: fix capping of unsuccessful GPN_FT SAN response trace records
    - [s390*] scsi: zfcp: fix passing fsf_req to SCSI trace on TMF to correlate with HBA
    - [s390*] scsi: zfcp: fix missing trace records for early returns in TMF eh handlers
    - [s390*] scsi: zfcp: fix payload with full FCP_RSP IU in SCSI trace records
    - [s390*] scsi: zfcp: trace HBA FSF response by default on dismiss or timedout late response
    - [i386] cs5536: add support for IDE controller variant
    - btrfs: resume qgroup rescan on rw remount
    - drm/ttm: Fix accounting error when fail to get pages for pool
    - block: Relax a check in blk_start_queue()
    - skd: Avoid that module unloading triggers a use-after-free
    - skd: Submit requests to firmware before triggering the doorbell
    - net: don't decrement kobj reference count on init failure
    - media: uvcvideo: Prevent heap overflow when accessing mapped controls
    - [x86] media: lirc_zilog: driver only sends LIRCCODE
    - [x86] staging/rts5208: fix incorrect shift to extract upper nybble
    - [armhf] pwm: tiehrpwm: Fix runtime PM imbalance at unbind
    - [armhf] pwm: tiehrpwm: fix clock imbalance in probe error path
    - f2fs: check hot_data for roll-forward recovery
    - RDMA/usnic: Fix remove address space warning
    - IB/mlx5: Fix integer overflow when page_shift == 31
    - media: em28xx: calculate left volume level correctly
    - staging: lustre: obdclass: return -EFAULT if copy_from_user() fails
    - USB: core: Avoid race of async_completed() w/ usbdev_release()
    - usb:xhci:Fix regression when ATI chipsets detected
    - ACPI, APEI, EINJ: Subtract any matching Register Region from Trigger resources
    - IB/{qib, hfi1}: Avoid flow control testing for RDMA write operation
    - IB/usnic: check for allocation failure
    - [armel,armhf] 8692/1: mm: abort uaccess retries upon fatal signal
    - net/mlx4_core: Make explicit conversion to 64bit value
    - scsi: aacraid: Fix command send race condition
    - iwlwifi: mvm: Avoid deferring non bufferable frames
    - [powerpc*] Fix DAR reporting when alignment handler faults
    - [powerpc*] Correct instruction code for xxlor instruction
    - xen/events: events_fifo: Don't use {get,put}_cpu() in xen_evtchn_fifo_init()
    - driver core: bus: Fix a potential double free
    - md/bitmap: disable bitmap_resize for file-backed bitmaps.
    - xfs: fix incorrect log_flushed on fsync
    - Revert "net: use lib/percpu_counter API for fragmentation mem accounting"
    - l2tp: prevent creation of sessions on terminated tunnels
    - l2tp: pass tunnel pointer to ->session_create()
    - [armhf] mfd: omap-usb-tll: Fix register offsets
    - mac80211_hwsim: Use proper TX power
    - mac80211: flush hw_roc_start work before cancelling the ROC
    - [s390*] mm: fix race on mm->context.flush_mm
    - bcache: Fix leak of bdev reference
    - bcache: fix sequential large write IO bypass
    - bcache: do not subtract sectors_to_gc for bypassed IO
    - bcache: correct cache_dirty_target in __update_writeback_rate()
    - bcache: Correct return value for sysfs attach errors
    - bcache: fix crash on shutdown in passthrough mode
    - bcache: fix for gc and write-back race
    - bcache: fix bch_hprint crash and improve output
    - tracing: Apply trace_clock changes to instance max buffer
    - genirq: Make sparse_irq_lock protect what it should protect
    - bcache: initialize dirty stripes in flash_dev_run()
    - ipv6: fix memory leak with multiple tables during netns destruction
    - ipv6: fix typo in fib6_net_exit()
    - Input: xpad - don't depend on endpoint order
    - Input: xpad - validate USB endpoint type during probe
    - smsc95xx: Configure pause time to 0xffff when tx flow control enabled
    - [x86] KVM: SVM: Add a missing 'break' statement
    - IB/mlx4: fix sprintf format warning
    - [x86] KVM: async_pf: Fix #DF due to inject "Page not Present" and "Page Ready" exceptions simultaneously
    - sctp: do not peel off an assoc from one netns to another one (CVE-2017-15115)
    - USB: serial: console: fix use-after-free after failed setup (CVE-2017-16525)
    - cx231xx-cards: fix NULL-deref on missing association descriptor (CVE-2017-16536)
    - media: imon: Fix null-ptr-deref in imon_probe (CVE-2017-16537)
    - Input: gtco - fix potential out-of-bound access (CVE-2017-16643)
    - net: cdc_ether: fix divide by 0 on bad descriptors (CVE-2017-16649)
    - net: qmi_wwan: fix divide by 0 on bad descriptors (CVE-2017-16650)
    - mac80211: use constant time comparison with keys
    - mac80211: don't compare TKIP TX MIC key in reinstall prevention (CVE-2017-13080)
    - [x86] VSOCK: sock_put wasn't safe to call in interrupt context
    - [x86] VSOCK: Detach QP check should filter out non matching QPs.
    - [x86] kvm: Handle async PF in RCU read-side critical sections
    - [x86] kvm: Avoid async PF preempting the kernel incorrectly
 .
  [ Salvatore Bonaccorso ]
  * KEYS: Simplify KEYRING_SEARCH_{NO,DO}_STATE_CHECK flags (Closes: #877760)
  * mm, thp: Do not make page table dirty unconditionally in touch_p[mu]d() (CVE-2017-1000405)
 .
  [ Ben Hutchings ]
  * [s390*] qeth: Ignore ABI changes
  * Revert "[SCSI] aic94xx: Remove broken fallback for missing 'Ctrl-A' user settings", as the fallback has been fixed upstream
  * [x86] kvm: Ignore ABI change
  * l2tp: Ignore ABI change
  * perf: Ignore ABI change
  * sched: Avoid ABI change in 3.16.49
  * cpumask: Avoid ABI change in 3.16.50
  * dm: Avoid ABI change in 3.16.50
  * gpio: Avoid ABI change in 3.16.50
  * ip6_fib: Avoid ABI change in 3.16.50
  * ip_fib: Avoid ABI change in 3.16.50
  * mm: Avoid ABI change in 3.16.50
  * inet_frag: Limit ABI change in 3.16.51
  * [s390*] mm: Avoid ABI change in 3.16.51
  * mm/mmap.c: expand_downwards: don't require the gap if !vm_prev
  * mmap: Remember the MAP_FIXED flag as VM_FIXED
  * [x86] mmap: Add an exception to the stack gap for Hotspot JVM compatibility (Closes: #865303)

linux (3.16.48-1) jessie; urgency=medium
 .
  * New upstream stable update:
    https://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.16.44
    - [x86] drm/i915: relax uncritical udelay_range()
    - adm80211: return an error if adm8211_alloc_rings() fails
    - iio: st_pressure: Fix data sign
    - rtlwifi: Fix alignment issues
    - [mips*] Clear ISA bit correctly in get_frame_info()
    - [mips*] Prevent unaligned accesses during stack unwinding
    - [mips*] Fix get_frame_info() handling of microMIPS function size
    - [mips*] Fix is_jump_ins() handling of 16b microMIPS instructions
    - [mips*] Calculate microMIPS ra properly when unwinding the stack
    - [mips*] Handle microMIPS jumps in the same way as MIPS32/MIPS64 jumps
    - [x86] scsi: storvsc: use tagged SRB requests if supported by the device
    - [x86] scsi: storvsc: Fix a bug in the handling of SRB status flags
    - [x86] scsi: storvsc: properly handle SRB_ERROR when sense message is present
    - [x86] scsi: storvsc: properly set residual data length on errors
    - IB/mlx5: Fix retrieval of index to first hi class bfreg
    - samples/seccomp: fix 64-bit comparison macros
    - clk: wm831x: fix usleep_range with bad range
    - [x86] hv: vmbus_post_msg: retry the hypercall on some transient errors
    - [x86] hv_vmbus: Add gradually increased delay for retries in vmbus_post_msg()
    - [x86] Drivers: hv: vmbus: Reduce the delay between retries in vmbus_post_msg()
    - [x86] Drivers: hv: vmbus: Raise retry/wait limits in vmbus_post_msg()
    - [x86] hv: allocate synic pages for all present CPUs
    - [x86] hv: init percpu_list in hv_synic_alloc()
    - perf evlist: Fix typo in perf_evlist__start_workload()
    - ext4: avoid deadlock when expanding inode size
    - ext4: fix deadlock between inline_data and ext4_expand_extra_isize_ea()
    - tty: serial: msm: Fix module autoload
    - ath5k: drop bogus warning on drv_set_key with unsupported cipher
    - ASoC: rt5640: use msleep() for long delays
    - RDMA/core: Fix incorrect structure packing for booleans
    - IB/ipoib: Set device connection mode only when needed
    - IB/ipoib: Fix deadlock over vlan_mutex
    - IB/ipoib: Fix deadlock between rmmod and set_mode
    - IB/ipoib: rtnl_unlock can not come after free_netdev
    - IB/ipoib: Replace list_del of the neigh->list with list_del_init
    - IB/ipoib: Change list_del to list_del_init in the tx object
    - locking/ww_mutex: Fix compilation of __WW_MUTEX_INITIALIZER
    - USB: serial: ch341: fix modem-status handling
    - USB: serial: ark3116: fix register-accessor error handling
    - USB: serial: ark3116: fix open error handling
    - USB: serial: ftdi_sio: fix modem-status error handling
    - USB: serial: ftdi_sio: fix latency-timer error handling
    - USB: serial: io_edgeport: fix epic-descriptor handling
    - USB: serial: io_edgeport: fix descriptor error handling
    - USB: serial: mct_u232: fix modem-status error handling
    - USB: serial: quatech2: fix control-message error handling
    - USB: serial: spcp8x5: fix modem-status handling
    - USB: serial: ssu100: fix control-message error handling
    - USB: serial: ti_usb_3410_5052: fix control-message error handling
    - USB: serial: opticon: fix CTS retrieval at open
    - staging: rtl: fix possible NULL pointer dereference
    - mwifiex: debugfs: Fix (sometimes) off-by-1 SSID print
    - blk-mq: Make bt_clear_tag() easier to read
    - sbitmap: fix wakeup hang after sbq resize
    - [armhf] usb: dwc3: gadget: skip Set/Clear Halt when invalid
    - usb: gadget: define free_ep_req as universal function
    - usb: gadget: f_hid: fix: Free out requests
    - usb: gadget: f_hid: fix: Prevent accessing released memory
    - usb: gadget: f_hid: Use spinlock instead of mutex
    - W1: ds2490: Increase timeout when waiting for status
    - w1: ds2490: USB transfer buffers need to be DMAable
    - w1: don't leak refcount on slave attach failure in w1_attach_slave_device()
    - USB: serial: ftdi_sio: fix extreme low-latency setting
    - iwlwifi: mvm: rs: Remove unused 'mcs' variable
    - drm/ttm: Make sure BOs being swapped out are cacheable
    - [armhf] clk: samsung: mark s3c...._clk_sleep_init() as __init
    - drm/radeon: handle vfct with multiple vbios images
    - ext4: trim allocation requests to group size
    - ext4: use private version of page_zero_new_buffers() for data=journal mode
    - ext4: fix data corruption in data=journal mode
    - [arm*] KVM: Enforce unconditional flush to PoC when mapping to stage-2
    - bcma: use (get|put)_device when probing/removing device driver
    - staging: wlan-ng: add missing byte order conversion
    - [x86] iommu/vt-d: Don't over-free page table directories
    - uvcvideo: Fix a wrong macro
    - USB: serial: digi_acceleport: fix OOB data sanity check
    - USB: serial: digi_acceleport: fix incomplete rx sanity check
    - USB: serial: keyspan_pda: fix receive sanity checks
    - usb: misc: adutux: remove redundant error check on copy_to_user return code
    - [s390*] qdio: clear DSCI prior to scanning multiple input queues
    - [x86] pci-calgary: Fix iommu_free() comparison of unsigned expression >= 0
    - ext4: fix inline data error paths
    - jbd2: don't leak modified metadata buffers on an aborted journal
    - ext4: preserve the needs_recovery flag when the journal is aborted
    - ext4: return EROFS if device is r/o and journal replay is needed
    - [s390*] KVM: Disable dirty log retrieval for UCONTROL guests
    - USB: serial: ftdi_sio: fix line-status over-reporting
    - USB: serial: sierra: fix bogus alternate-setting assumption
    - mwifiex: Avoid skipping WEP key deletion for AP
    - ath9k: fix race condition in enabling/disabling IRQs
    - NFSv4: Fix memory and state leak in _nfs4_open_and_get_state
    - USB: serial: mos7840: fix another NULL-deref at open
    - i2c: i2c-mux-gpio: rename i2c-gpio-mux to i2c-mux-gpio
    - KEYS: Fix an error code in request_master_key()
    - serial: exar: Fix initialization of EXAR registers for ports > 0
    - [x86] drivers: hv: Turn off write permission on the hypercall page
    - [armhf] mmc: host: omap_hsmmc: avoid possible overflow of timeout value
    - md linear: fix a race between linear_add() and linear_congested()
    - md: ensure md devices are freed before module is unloaded.
    - nlm: Ensure callback code also checks that the files match
    - IB/mlx5: Fix out-of-bound access
    - IB/mlx5: Return error for unsupported signature type
    - [powerpc*] xmon: Fix data-breakpoint
    - ath9k: use correct OTP register offsets for the AR9340 and AR9550
    - dm cache: fix corruption seen when using cache > 2TB
    - [mips*] Fix special case in 64 bit IP checksumming.
    - [mips*] OCTEON: Fix copy_from_user fault handling for large buffers
    - sfc: do not device_attach if a reset is pending
    - PM / QoS: Fix memory leak on resume_latency.notifiers
    - mlx4: reduce OOM risk on arches with large pages
    - [x86] KVM: VMX: use correct vmcs_read/write for guest segment selector/base
    - nfsd: update mtime on truncate
    - nfsd: minor nfsd_setattr cleanup
    - nfsd: special case truncates some more
    - batman-adv: Fix double free during fragment merge error
    - batman-adv: Fix transmission of final, 16th fragment
    - drm/ttm: fix use-after-free races in vm fault handling
    - NFSv4: Fix the underestimation of delegation XDR space reservation
    - fuse: add missing FR_FORCE
    - rdma_cm: fail iwarp accepts w/o connection params
    - l2tp: Avoid schedule while atomic in exit_net
    - net/dccp: fix use after free in tw_timer_handler()
    - tcp: account for ts offset only if tsecr not zero
    - scsi: aacraid: Fix memory leak in fib init path
    - scsi: aacraid: Reorder Adapter status check
    - mm: fix stray kernel-doc notation
    - [s390*] chsc: Add exception handler for CHSC instruction
    - net/mlx4: Spoofcheck and zero MAC can't coexist
    - net/mlx4_core: Fix VF overwrite of module param which disables DMFS on new probed PFs
    - net/mlx4_en: Use __skb_fill_page_desc()
    - f2fs: use for_each_set_bit to simplify the code
    - f2fs: add ovp valid_blocks check for bg gc victim to fg_gc
    - NFSv4: fix getacl head length estimation
    - NFSv4: fix getacl ERANGE for some ACL buffer sizes
    - vxlan: correctly validate VXLAN ID against VXLAN_N_VID
    - mm/page_alloc: fix nodes for reclaim in fast path
    - mm: vmpressure: fix sending wrong events on underflow
    - mm: do not access page->mapping directly on page_endio
    - ipv4: mask tos for input route
    - net sched actions: decrement module reference count after table flush.
    - mac80211: flush delayed work when entering suspend
    - drm/ast: Fix AST2400 POST failure without BMC FW or VBIOS
    - ALSA: timer: Reject user params with too small ticks
    - ALSA: ctxfi: Fallback DMA mask to 32bit
    - ALSA: seq: Fix link corruption by event error handling
    - net/mlx4: && vs & typo
    - net: net_enable_timestamp() can be called from irq contexts
    - can: usb_8dev: Fix memory leak of priv->cmd_msg_buffer
    - virtio-console: avoid DMA from stack
    - net: ipv6: check route protocol when deleting routes
    - [x86] platform: acer-wmi: setup accelerometer when machine has appropriate notify event
    https://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.16.45
    - Allow stack to grow up to address space limit
    https://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.16.46
    - xfrm: policy: init locks early
    - xen: do not re-use pirq number cached in pci device msi msg data
    - scsi: libiscsi: add lock around task lists to fix list corruption regression
    - [x86] kprobes: Fix kernel panic when certain exception-handling addresses are probed
    - [s390*] KVM: Fix guest migration for huge guests resulting in panic
    - batman-adv: Keep fragments equally sized
    - net: phy: Do not perform software reset for Generic PHY
    - [armhf] usb: dwc3: gadget: make Set Endpoint Configuration macros safe
    - usb: gadget: function: f_fs: pass companion descriptor along
    - USB: serial: digi_acceleport: fix OOB-event processing
    - scsi: aacraid: Fix typo in blink status
    - libceph: don't set weight to IN when OSD is destroyed
    - [powerpc*] boot: Fix zImage TOC alignment
    - scsi: lpfc: Add shutdown method for kexec
    - target/pscsi: Fix TYPE_TAPE + TYPE_MEDIMUM_CHANGER export
    - target: Fix VERIFY_16 handling in sbc_parse_cdb
    - [mips*] End spinlocks with .insn
    - USB: serial: io_ti: fix NULL-deref in interrupt callback
    - USB: serial: safe_serial: fix information leak in completion handler
    - dvb-usb: don't use stack for firmware load
    - dvb-usb-firmware: don't do DMA on stack
    - USB: iowarrior: fix NULL-deref in write
    - md/raid1/10: fix potential deadlock
    - udp: avoid ufo handling on IP payload compression packets
    - [x86] platform/intel-mid: Correct MSI IRQ line for watchdog device
    - NFSv4: fix a reference leak caused WARNING messages
    - ipv6: make ECMP route replacement less greedy
    - isdn/gigaset: fix NULL-deref at probe
    - net: wimax/i2400m: fix NULL-deref at probe
    - dccp/tcp: fix routing redirect race
    - USB: idmouse: fix NULL-deref at probe
    - USB: uss720: fix NULL-deref at probe
    - USB: wusbcore: fix NULL-deref at probe
    - uwb: hwa-rc: fix NULL-deref at probe
    - uwb: i1480-dfu: fix NULL-deref at probe
    - usb-core: Add LINEAR_FRAME_INTR_BINTERVAL USB quirk
    - futex: Fix potential use-after-free in FUTEX_REQUEUE_PI
    - futex: Add missing error handling to FUTEX_REQUEUE_PI
    - ext4: mark inode dirty after converting inline directory
    - [armhf] iio: adc: ti_am335x_adc: fix fifo overrun recovery
    - net: properly release sk_frag.page
    - sched/loadavg: Avoid loadavg spikes caused by delayed NO_HZ accounting
    - nl80211: fix dumpit error path RTNL deadlocks
    - perf/core: Fix event inheritance on fork()
    - mmc: ushc: fix NULL-deref at probe
    - Input: iforce - validate number of endpoints before using them
    - Input: cm109 - validate number of endpoints before using them
    - Input: ims-pcu - validate number of endpoints before using them
    - Input: yealink - validate number of endpoints before using them
    - Input: hanwang - validate number of endpoints before using them
    - Input: kbtab - validate number of endpoints before using them
    - Input: sur40 - validate number of endpoints before using them
    - net: ipv6: set route type for anycast routes
    - USB: usbtmc: add missing endpoint sanity check
    - ACM gadget: fix endianness in notifications
    - usb: hub: Fix crash after failure to read BOS descriptor
    - perf symbols: Fix symbols__fixup_end heuristic for corner cases
    - ALSA: ctxfi: Fix the incorrect check of dma_set_mask() call
    - scsi: libsas: fix ata xfer length
    - ALSA: seq: Fix racy cell insertions during snd_seq_pool_done()
    - net: unix: properly re-increment inflight counter of GC discarded candidates
    - bpf: try harder on clones when writing into skb
    - sch_dsmark: fix invalid skb_cow() usage
    - bna: integer overflow bug in debugfs
    - [s390*] decompressor: fix initrd corruption caused by bss clear
    - usb: gadget: uvc: Fix endianness mismatches
    - usb: gadget: f_uvc: Fix SuperSpeed companion descriptor's wBytesPerInterval
    - net/mlx5: Increase number of max QPs in default profile
    - mmc: sdhci: Do not disable interrupts while waiting for clock
    - libceph: force GFP_NOIO for socket allocations
    - xen/acpi: upload PM state from init-domain to Xen
    - [x86] KVM: clear bus pointer when destroyed
    - KVM: kvm_io_bus_unregister_dev() should never fail
    - hwmon: (asus_atk0110) fix uninitialized data access
    - ALSA: seq: Fix race during FIFO resize
    - net: phy: handle state correctly in phy_stop_machine
    - IB/qib: fix false-postive maybe-uninitialized warning
    - ext4: lock the xattr block before checksuming it
    - USB: fix linked-list corruption in rh_call_control()
    - netfilter: nf_nat_snmp: Fix panic when snmp_trap_helper fails to register
    - [powerpc*] Disable HFSCR[TM] if TM is not supported
    - virtio_balloon: init 1st buffer in stats vq
    - virtio_balloon: prevent uninitialized variable use
    - ACPI: Do not create a platform_device for IOAPIC/IOxAPIC
    - ACPI / APEI: Add missing synchronize_rcu() on NOTIFY_SCI removal
    - ACPI: Fix incompatibility with mcount-based function graph tracing
    - xhci: Manually give back cancelled URB if we can't queue it for cancel
    - l2tp: purge socket queues in the .destruct() callback
    - [s390x] uaccess: get_user() should zero on failure (again)
    - ubi/upd: Always flush after prepared for an update
    - iscsi-target: Fix TMR reference leak during session shutdown
    - [x86] drm/vmwgfx: Type-check lookups of fence objects
    - [x86] drm/vmwgfx: avoid calling vzalloc with a 0 size in vmw_get_cap_3d_ioctl()
    - drm/ttm, drm/vmwgfx: Relax permission checking when opening surfaces
    - [x86] drm/vmwgfx: Remove getparam error message
    - mmc: sdhci: Disable runtime pm when the sdio_irq is enabled
    - l2tp: fix race in l2tp_recv_common()
    - l2tp: ensure session can't get removed during pppol2tp_session_ioctl()
    - l2tp: fix duplicate session creation
    - l2tp: take a reference on sessions used in genetlink handlers
    - kernel.h: make abs() work with 64-bit types
    - include/linux/kernel.h: change abs() macro so it uses consistent return type
    - iio: core: Fix IIO_VAL_FRACTIONAL_LOG2 for negative values
    - iio: hid-sensor-attributes: Fix sensor property setting failure.
    - iscsi-target: Drop work-around for legacy GlobalSAN initiator
    - af_key: Add lock to key dump
    - [armhf,arm64] kvm: Fix locking for kvm_free_stage2_pgd
    - [powerpc*] Don't try to fix up misaligned load-with-reservation instructions
    - l2tp: take reference on sessions being dumped
    - [powerpc*] kernel: Use kprobe blacklist for asm functions
    - [powerpc*/*64*] Fix flush_(d|i)cache_range() called from modules
    - crypto: caam - fix RNG deinstantiation error checking
    - ring-buffer: Fix return value check in test_ringbuffer()
    - CIFS: Handle mismatched open calls
    - CIFS: Reset TreeId to zero on SMB2 TREE_CONNECT
    - virtio_console: fix uninitialized variable use
    - xen, fbfront: fix connecting to backend
    - scsi: sr: Sanity check returned mode data
    - ptrace: fix PTRACE_LISTEN race corrupting task->state
    - l2tp: don't mask errors in pppol2tp_setsockopt()
    - l2tp: don't mask errors in pppol2tp_getsockopt()
    - [x86] vdso: Ensure vdso32_enabled gets set to valid values only
    - [x86] vdso: Plug race between mapping and ELF header setup
    - CIFS: remove bad_network_name flag
    - [s390x] mm: fix CMMA vs KSM vs others
    - [mips*] KGDB: Use kernel context for sleeping threads
    - ALSA: seq: Don't break snd_use_lock_sync() loop by timeout
    - zram: do not use copy_page with non-page aligned address
    - [x86] perf: Avoid exposing wrong/stale data in intel_pmu_lbr_read_32()
    - [x86] ftrace: Fix triple fault with graph tracing and suspend-to-ram
    - p9_client_readdir() fix
    - cifs: Do not send echoes before Negotiate is complete
    - KEYS: Change the name of the dead type to ".dead" to prevent user access
    - [x86] Input: elantech - add Fujitsu Lifebook E547 to force crc_enabled
    - tracing: Allocate the snapshot buffer before enabling probe
    - ACPI / power: Avoid maybe-uninitialized warning
    - ring-buffer: Have ring_buffer_iter_empty() return true when empty
    - mac80211: reject ToDS broadcast data frames
    - smsc75xx: use skb_cow_head() to deal with cloned skbs
    - cx82310_eth: use skb_cow_head() to deal with cloned skbs
    - sr9700: use skb_cow_head() to deal with cloned skbs
    - net: ipv6: send unsolicited NA if enabled for all interfaces
    - [x86] Input: i8042 - add Clevo P650RS to the i8042 reset list
    - macvlan: Fix device ref leak when purging bc_queue
    - team: fix memory leaks
    - ipv6: move stub initialization after ipv6 setup completion
    - ceph: fix recursion between ceph_set_acl() and __ceph_setattr()
    https://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.16.47
    - pvrusb2: reduce stack usage pvr2_eeprom_analyze()
    - [x86] staging: comedi: jr3_pci: fix possible null pointer dereference
    - [x86] staging: comedi: jr3_pci: cope with jiffies wraparound
    - zd1211rw: fix NULL-deref at probe
    - usb: hub: Fix error loop seen after hub communication errors
    - usb: hub: Do not attempt to autosuspend disconnected devices
    - serial_ir: iommap is a memory address, not bool
    - mceusb: fix NULL-deref at probe
    - USB: Proper handling of Race Condition when two USB class drivers try to call init_usb_class simultaneously
    - cdc-acm: fix possible invalid access when processing notification
    - ath9k_htc: fix NULL-deref at probe
    - IPoIB: Remove unnecessary test for NULL before debugfs_remove()
    - IB/IPoIB: ibX: failed to create mcg debug file
    - gspca: konica: add missing endpoint sanity check
    - dib0700: fix NULL-deref at probe
    - usbvision: fix NULL-deref at probe
    - cx231xx-cards: fix NULL-deref at probe
    - cx231xx-audio: fix init error path
    - cx231xx-audio: fix NULL-deref at probe
    - uvcvideo: Fix empty packet statistic
    - padata: free correct variable
    - [armhf] serial: omap: fix runtime-pm handling on unbind
    - [armhf] serial: omap: suspend device on probe errors
    - PCI: Fix pci_mmap_fits() for HAVE_PCI_RESOURCE_TO_USER platforms
    - vfio/type1: Remove locked page accounting workqueue
    - [x86] perf/pebs: Fix handling of PEBS buffer overflows
    - [x86] perf: Fix spurious NMI with PEBS Load Latency event
    - ftrace: Fix removing of second function probe
    - net: ipv6: send unsolicited NA on admin up
    - digitv: limit messages to buffer size
    - zr364xx: enforce minimum size when reading header
    - PCI: Ignore write combining when mapping I/O port space
    - PCI: Fix another sanity check bug in /proc/pci mmap
    - PCI: Only allow WC mmap on prefetchable resources
    - PCI: Freeze PME scan before suspending devices
    - ttusb2: limit messages to buffer size
    - dw2102: limit messages to buffer size
    - ov2640: fix vflip control
    - ath9k: off by one in ath9k_hw_nvram_read_array()
    - [armhf,arm64] KVM: fix races in kvm_psci_vcpu_on
    - usb: host: xhci: print correct command ring address
    - mwifiex: pcie: fix cmd_buf use-after-free in remove/reset
    - [x86] boot: Fix BSS corruption/overwrite bug in early x86 kernel startup
    - NFS: Use GFP_NOIO for two allocations in writeback
    - IB/ipoib: Update broadcast object if PKey value was changed in index 0
    - HSI: ssi_protocol: double free in ssip_pn_xmit()
    - IB/mlx4: Fix ib device initialization error flow
    - [powerpc*] pseries: Fix of_node_put() underflow during DLPAR remove
    - [powerpc*] sysfs: Fix reference leak of cpu device_nodes present at boot
    - netfilter: ctnetlink: fix deadlock due to acquire _expect_lock twice
    - netfilter: ctnetlink: make it safer when updating ct->status
    - dm btree: fix for dm_btree_find_lowest_key()
    - dm era: save spacemap metadata root after the pre-commit
    - PCI: Disable boot interrupt quirk for ASUS M2N-LR
    - fanotify: don't expose EOPENSTALE to userspace
    - usb: Make sure usb/phy/of gets built-in
    - [x86] mm: Fix flush_tlb_page() on Xen
    - usb: misc: legousbtower: Fix buffers on stack
    - mfd: omap-usb-tll: Fix inverted bit use for USB TLL mode
    - dm ioctl: prevent stack leak in dm ioctl call
    - staging: rtl8188eu: prevent an underflow in rtw_check_beacon_data()
    - IB/core: If the MGID/MLID pair is not on the list return an error
    - IB/core: For multicast functions, verify that LIDs are multicast LIDs
    - libata: reject passthrough WRITE SAME requests
    - ext4: evict inline data when writing to memory map
    - Bluetooth: Fix user channel for 32bit userspace on 64bit kernel
    - [armhf] Input: twl4030-pwrbutton - use correct device for irq request
    - ip6_tunnel: Fix missing tunnel encapsulation limit option
    - ipv6: Need to export ipv6_push_frag_opts for tunneling now.
    - dm bufio: avoid a possible ABBA deadlock
    - [arm64] KVM: Fix decoding of Rt/Rt2 when trapping AArch32 CP accesses
    - [x86] drm/edid: Add 10 bpc quirk for LGD 764 panel in HP zBook 17 G2
    - [powerpc*] eeh: Avoid use after free in eeh_handle_special_event()
    - tcp: fix wraparound issue in tcp_lp
    - cifs: small underflow in cnvrtDosUnixTm()
    - CIFS: Set unicode flag on cifs echo request to avoid Mac error
    - tg3: don't clear stats while tg3_close
    - CIFS: fix oplock break deadlocks
    - CIFS: SMB3: Work around mount failure when using SMB3 dialect to Macs
    - ceph: fix memory leak in __ceph_setxattr()
    - of: fix sparse warning in of_pci_range_parser_one
    - target/fileio: Fix zero-length READ and WRITE handling
    - fs/xattr.c: zero out memory copied to userspace in getxattr
    - [i386] mm: Set the '__vmalloc_start_set' flag in initmem_init()
    - virtio_net: fix support for small rings
    - net/mlx4_en: Change the error print to debug print
    - net/mlx4_en: Avoid adding steering rules with invalid ring
    - [arm64] ensure extension of smp_store_release value
    - [arm64] uaccess: ensure extension of access_ok() addr
    - usb: misc: legousbtower: Fix memory leak
    - net/mlx4: Fix the check in attaching steering rules
    https://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.16.48
    - xfrm: fix stack access out of bounds with CONFIG_XFRM_SUB_POLICY
    - af_key: Fix slab-out-of-bounds in pfkey_compile_policy.
    - netxen_nic: set rcode to the return status from the call to netxen_issue_cmd
    - [s390x] qeth: handle sysfs error during initialization
    - [s390x] qeth: unbreak OSM and OSN support
    - netem: fix skb_orphan_partial()
    - tcp: avoid fragmenting peculiar skbs in SACK
    - SMB2: Fix share type handling
    - pid_ns: Sleep in TASK_INTERRUPTIBLE in zap_pid_ns_processes
    - pid_ns: Fix race between setns'ed fork() and zap_pid_ns_processes()
    - PowerCap: Fix an error code in powercap_register_zone()
    - USB: serial: ftdi_sio: fix setting latency for unprivileged users
    - staging: rtl8192e: rtl92e_fill_tx_desc fix write to mapped out memory.
    - staging: rtl8192e: fix 2 byte alignment of register BSSIDR.
    - staging: rtl8192e: rtl92e_get_eeprom_size Fix read size of EPROM_CMD.
- USB: serial: ir-usb: fix big-endian baud-rate debug printk - USB: serial: mct_u232: fix big-endian baud-rate handling - USB: serial: io_ti: fix div-by-zero in set_termios - [x86] KVM: Fix load damaged SSEx MXCSR register - dm thin metadata: call precommit before saving the roots - dm space map disk: fix some book keeping in the disk space map - [armhf,arm64] kvm: Fix race in resetting stage2 PGD - [armhf,arm64] kvm: Force reading uncached stage2 PGD - [armhf,arm64] kvm: Fix use after free of stage2 page table - usb: dwc3: gadget: Prevent losing events in event cache - btrfs: fix incorrect error return ret being passed to mapping_set_error - tcp: eliminate negative reordering in tcp_clean_rtx_queue - uio: add missing error codes - uio: fix incorrect memory leak cleanup - uwb: fix device quirk on big-endian hosts - USB: iowarrior: fix info ioctl on big-endian hosts - USB: gadget: dummy_hcd: fix hub-descriptor removable fields - [x86] USB: usbip: fix nonconforming hub descriptor - USB: hub: fix SS hub-descriptor handling - USB: hub: fix non-SS hub-descriptor handling - USB: hub: fix SS max number of ports - mac80211: strictly check mesh address extension mode - tracing/kprobes: Enforce kprobes teardown after testing - xhci: apply PME_STUCK_QUIRK and MISSING_CAS quirk for Denverton - usb: host: xhci-mem: allocate zeroed Scratchpad Buffer - usb: host: xhci: simplify irq handler return - USB: xhci: fix lock-inversion problem - usb: host: xhci-plat: propagate return value of platform_get_irq() - drivers: char: mem: Check for address space wraparound with mmap() - watchdog: pcwd_usb: fix NULL-deref at probe - [powerpc*] mm: Fix virt_addr_valid() etc. 
on 64-bit hash - batman-adv: Fix rx packet/bytes stats on local ARP reply - [x86] KVM: Fix read out-of-bounds vulnerability in kvm pio emulation - [x86] KVM: zero base3 of unusable segments - ext4: fix SEEK_HOLE - ext4: keep existing extra fields when inode expands - ext4: use __GFP_NOFAIL in ext4_free_blocks() - ext4: handle the rest of ext4_mb_load_buddy() ENOMEM errors - i2c: i2c-tiny-usb: fix buffer not being DMA capable - crypto: gcm - wait for crypto op not signal safe - block: fix an error code in add_partition() - libceph: NULL deref on crush_decode() error path - [x86] drm/gma500/psb: Actually use VBT mode when it is found - netfilter: ctnetlink: fix incorrect nf_ct_put during hash resize - ASoC: Fix use-after-free at card unregistration - scsi: qla2xxx: don't disable a not previously enabled PCI device - net: phy: marvell: Limit errata to 88m1101 - drm/radeon/ci: disable mclk switching for high refresh rates (v2) - drm/radeon: Unbreak HPD handling for r600+ - xfs: fix off-by-one on max nr_pages in xfs_find_get_desired_pgoff() - xfs: Fix missed holes in SEEK_HOLE implementation - tcp: avoid fastopen API to be used on AF_UNSPEC - net: ethernet: ax88796: don't call free_irq without request_irq first - ext4: fix data corruption for mmap writes - ext4: fix fdatasync(2) after extent manipulation operations - net: phy: fix marvell phy status reading - iscsi-target: Fix early sk_data_ready LOGIN_FLAGS_READY race - target/iscsi: Fix indentation in iscsi_target_start_negotiation() - iscsi-target: Fix initial login PDU asynchronous socket close OOPs - iscsi-target: Always wait for kthread_should_stop() before kthread exit - [powerpc*] spufs: Fix coredump of SPU contexts - btrfs: use correct types for page indices in btrfs_page_exists_in_range - btrfs: fix memory leak in update_space_info failure path - bnx2x: Fix Multi-Cos - usb: gadget: f_mass_storage: Serialize wake and sleep execution - mm/migrate: fix refcount handling when !hugepage_migration_supported() - 
    - mlock: fix mlock count can not decrease in race condition
    - [x86] staging/lustre/lov: remove set_fs() call from lov_getstripe()
    - drivers: char: mem: Fix wraparound check to allow mappings up to the end
    - alarmtimer: Prevent overflow of relative timers
    - alarmtimer: Rate limit periodic intervals
    - rc-core: race condition during ir_raw_event_register()
    - fs/ufs: Set UFS default maximum bytes per file
    - net: ping: do not abuse udp_poll()
    - tags: honor COMPILED_SOURCE with apart output directory
    - vb2: Fix an off by one error in 'vb2_plane_vaddr'
    - kvm: async_pf: fix rcu_irq_enter() with irqs enabled
    - [x86] KVM: nVMX: Fix exception injection
    - [arm64] KVM: Preserve RES1 bits in SCTLR_EL2
    - [arm64] KVM: Allow unaligned accesses at EL2
    - [armhf] KVM: Allow unaligned accesses at HYP
    - [x86] drm/vmwgfx: Handle vmalloc() failure in vmw_local_fifo_reserve()
    - [x86] KVM: cpuid: Fix read/write out-of-bounds vulnerability in cpuid emulation
    - [mips*] kprobes: flush_insn_slot should flush only if probe initialised
    - [powerpc*] net: emac: fix reset timeout with AR8035 phy
    - rcu: Move preemption disabling out of __srcu_read_lock()
    - srcu: Allow use of Classic SRCU from both process and interrupt context
    - KEYS: fix dereferencing NULL payload with nonzero length
    - target: Fix kref->refcount underflow in transport_cmd_finish_abort
    - can: gs_usb: fix memory leak in gs_cmd_reset()
    - ufs: fix ufs_isblockset()
    - ufs: restore maintaining ->i_blocks
    - ufs: set correct ->s_maxsize
    - ufs: excessive checks in ufs_write_failed() and ufs_evict_inode()
    - l2tp: cast l2tp traffic counter to unsigned
    - KVM: async_pf: avoid async pf injection when in guest mode
    - configfs: Fix race between create_link and configfs_rmdir
    - cpufreq: conservative: Allow down_threshold to take values from 1 to 10
    - genirq: Release resources in __setup_irq() error path
    - [powerpc*] KVM: Book3S HV: Context-switch EBB registers properly
    - selinux: fix double free in selinux_parse_opts_str()
    - mac80211: don't look at the PM bit of BAR frames
    - mac80211/wpa: use constant time memory comparison for MACs
    - xfrm: Oops on error in pfkey_msg2xfrm_state()
    - xfrm: NULL dereference on allocation failure
    - IB/ipoib: Fix memory leak in create child syscall
    - [powerpc*] KVM: Book3S HV: Preserve userspace HTM state properly
    - [x86] i2c: ismt: fix wrong device address when unmap the data buffer
    - [powerpc*] kprobes: Pause function_graph tracing during jprobes handling
    - mm/memory-failure.c: use compound_head() flags for huge pages
    - swap: cond_resched in swap_cgroup_prepare()
    - mm: numa: avoid waiting on freed migrated pages
    - signal: Only reschedule timers on signals timers have sent
    - ipv6: Do not leak throw route references
    - rtnetlink: add IFLA_GROUP to ifla_policy
    - [armhf] i2c: imx: Use correct function to write to register
    - ipv6: initialize route null entry in addrconf_init()
    - ipv6: reorder ip6_route_dev_notifier after ipv6_dev_notf
    - ipv6: only call ip6_route_dev_notify() once for NETDEV_UNREGISTER
    - ipv6: avoid unregistering inet6_dev for loopback
    - [powerpc*/*64*] Initialise thread_info for emergency stacks
    - ipv4: Should use consistent conditional judgement for ip fragment in __ip_append_data and ip_finish_output
    - net: account for current skb length when deciding about UFO
    - autofs: sanity check status reported with AUTOFS_DEV_IOCTL_FAIL
    - tcp: reset sk_rx_dst in tcp_disconnect()
    - net: prevent sign extension in dev_get_stats()
    - ALSA: hda - set input_path bitmap to zero after moving it to new place
    - net: handle NAPI_GRO_FREE_STOLEN_HEAD case also in napi_frags_finish()
    - [armel,armhf] 8685/1: ensure memblock-limit is pmd-aligned
    - [mips*] pm-cps: Drop manual cache-line alignment of ready_count
    - [mips*] Fix IRQ tracing & lockdep when rescheduling
    - tracing/kprobes: Allow to create probe with a module name starting with a digit
    - ptrace: use fsuid, fsgid, effective creds for fs access checks
 .
  [ Ben Hutchings ]
  * SCSI: Revert "scsi: scsi_error: count medium access timeout only once per EH run" to avoid ABI change
  * ttm: Avoid ABI change for ttm_ref_object_add() require_existing param
  * cxgbi, IB, libiscsi, l2tp, rds: Ignore ABI changes
  * ptrace, xfrm: Avoid ABI changes in 3.16.48
  * Fix regressions caused by fix for CVE-2016-7097 (Closes: #873026):
    - ext2: Don't clear SGID when inheriting ACLs
    - hfsplus: Don't clear SGID when inheriting ACLs
    - reiserfs: Don't clear SGID when inheriting ACLs
    - btrfs: Don't clear SGID when inheriting ACLs
    - jfs: Don't clear SGID when inheriting ACLs
    - xfs: Don't clear SGID when inheriting ACLs
    - f2fs: Don't clear SGID when inheriting ACLs
    - ext4: preserve i_mode if __ext4_set_acl() fails
    - ext4: Don't clear SGID when inheriting ACLs
  * vfs: avoid creation of inode number 0 in get_next_ino (Closes: #876762)

linux (3.16.43-2+deb8u5) jessie-security; urgency=medium
 .
  * [amd64] mm: revert ELF_ET_DYN_BASE base changes (fixes regression of ASan)

linux (3.16.43-2+deb8u4) jessie-security; urgency=high
 .
  * [x86] KVM: fix singlestepping over syscall (CVE-2017-7518)
  * binfmt_elf: use ELF_ET_DYN_BASE only for PIE (CVE-2017-1000370, CVE-2017-1000371)
  * ALSA: timer: Fix race between read and ioctl (CVE-2017-1000380)
  * ALSA: timer: Fix missing queue indices reset at SNDRV_TIMER_IOCTL_SELECT (CVE-2017-1000380)
  * timerfd: Protect the might cancel mechanism proper (CVE-2017-10661)
  * xfrm: policy: check policy direction value (CVE-2017-11600)
  * packet: fix tp_reserve race in packet_set_ring (CVE-2017-1000111)
  * ipv6: Should use consistent conditional judgement for ip6 fragment between __ip6_append_data and ip6_finish_output
  * udp: consistently apply ufo or fragmentation (CVE-2017-1000112)
  * xen: fix bio vec merging (CVE-2017-12134) (Closes: #866511)
  * nl80211: check for the required netlink attributes presence (CVE-2017-12153)
  * [x86] kvm: nVMX: Don't allow L2 to access the hardware CR8 (CVE-2017-12154)
  * scsi: qla2xxx: Fix an integer overflow in sysfs code (CVE-2017-14051)
  * tcp: initialize rcv_mss to TCP_MIN_MSS instead of 0 (CVE-2017-14106)
  * Sanitize 'move_pages()' permission checks (CVE-2017-14140)
  * video: fbdev: aty: do not leak uninitialized padding in clk to userspace (CVE-2017-14156)
  * xfs: XFS_IS_REALTIME_INODE() should be false if no rt device present (CVE-2017-14340)
  * scsi: fix the issue that iscsi_if_rx doesn't parse nlmsg properly (CVE-2017-14489)
  * Bluetooth: Properly check L2CAP config option output buffer length (CVE-2017-1000251) (Closes: #875881)

linux (3.16.43-2+deb8u3) jessie-security; urgency=high
 .
  * regulator: core: Fix regualtor_ena_gpio_free not to access pin after freeing (CVE-2014-9940)
  * [x86] drm/vmwgfx: limit the number of mip levels in vmw_gb_surface_define_ioctl() (CVE-2017-7346)
  * rxrpc: Fix several cases where a padded len isn't checked in ticket decode (CVE-2017-7482)
  * brcmfmac: fix possible buffer overflow in brcmf_cfg80211_mgmt_tx() (CVE-2017-7541)
  * ipv6: avoid overflow of offset in ip6_find_1stfragopt (CVE-2017-7542)
  * [x86] mm: Tighten x86 /dev/mem with zeroing reads (CVE-2017-7889)
  * [x86] drm/vmwgfx: Make sure backup_handle is always valid (CVE-2017-9605)
  * xen-blkback: don't leak stack data via response ring (CVE-2017-10911)
  * mqueue: fix a use-after-free in sys_mq_notify() (CVE-2017-11176)
  * char: lp: fix possible integer overflow in lp_setup() (CVE-2017-1000363)
  * fs/exec.c: account for argv/envp pointers (CVE-2017-1000365)
 .
  [ Ben Hutchings ]
  * dentry name snapshots (CVE-2017-7533)

mercurial (3.1.2-2+deb8u4) jessie-security; urgency=medium
 .
  * CVE-2017-1000115: path traversal via symlink
  * CVE-2017-1000116: command injection on clients through malicious ssh URLs

mupdf (1.5-1+deb8u3) jessie-security; urgency=high
 .
  * Non-maintainer upload by the Security Team.
  * CVE-2017-15587: Integer overflow was discovered in pdf_read_new_xref_section (Closes: #879055)

mysql-5.5 (5.5.58-0+deb8u1) jessie-security; urgency=high
 .
  * Imported upstream version 5.5.58 to fix security issues:
    - http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html
    - CVE-2017-10268 CVE-2017-10378 CVE-2017-10379 CVE-2017-10384
    (Closes: #878402)

mysql-5.5 (5.5.57-0+deb8u1) jessie-security; urgency=high
 .
  * Imported upstream version 5.5.57 to fix security issues:
    - http://www.oracle.com/technetwork/security-advisory/cpujul2017-3236622.html
    - CVE-2017-3635 CVE-2017-3636 CVE-2017-3641 CVE-2017-3648
    - CVE-2017-3651 CVE-2017-3652 CVE-2017-3653
    (Closes: #868788)

ncurses (5.9+20140913-1+deb8u2) jessie; urgency=medium
 .
  * Re-upload with no changes to work around #826161.

ncurses (5.9+20140913-1+deb8u1) jessie; urgency=medium
 .
  * Cherry-pick upstream fixes from the 20170701 and 20170708 patchlevels for various crash bugs in the tic library and the tic binary (CVE-2017-10684, CVE-2017-10685, CVE-2017-11112, CVE-2017-11113).
  * Apply termcap-format fix from openSUSE's ncurses-5.9-55.6.1 package, repairing a regression from the above security fixes (see #868266).
  * Cherry-pick upstream fixes from the 20170826 patchlevel for more crash bugs in the tic library (CVE-2017-13728, CVE-2017-13729, CVE-2017-13730, CVE-2017-13731, CVE-2017-13732, CVE-2017-13734, Closes: #873723).
  * Cherry-pick upstream fixes from the 20170902 patchlevel to fix another crash bug in the tic program (CVE-2017-13733, Closes: #873746).

newsbeuter (2.8-2+deb8u2) jessie-security; urgency=high
 .
  * Non-maintainer upload by the Security Team.
  * Work around shell code in podcast names (CVE-2017-14500)
    Remote code execution in podbeuter. (Closes: #876004)

newsbeuter (2.8-2+deb8u1) jessie-security; urgency=high
 .
  * Fix RCE on bookmark. (CVE-2017-12904)

nginx (1.6.2-5+deb8u5) jessie-security; urgency=high
 .
  * Handle CVE-2017-7529 Integer overflow in the range filter (Closes: #868109)

nss (2:3.26-1+debu8u3) jessie-security; urgency=high
 .
  * Non-maintainer upload by the Security Team.
  * CVE-2017-7805: Potential use-after-free in TLS 1.2 server when verifying client authentication

openjpeg2 (2.1.0-2+deb8u3) jessie-security; urgency=medium
 .
  * CVE-2016-9118: c22cbd8bdf8ff2ae372f94391a4be2d322b36b41.patch
  * CVE-2016-5152: 3fbe71369019df0b47c7a2be4fab8c05768f2f32.patch
  * CVE-2016-1628: 11445eddad7e7fa5b273d1c83c91011c44e5d586.patch
  * CVE-2016-10504: not needed
  * CVE-2017-14039: CVE-2017-14039.patch
  * CVE-2017-14040: 2cd30c2b06ce332dede81cccad8b334cde997281.patch
  * CVE-2017-14041: e5285319229a5d77bf316bb0d3a6cbd3cb8666d9.patch
  * CVE-2017-14151: not needed
  * CVE-2017-14152: dcac91b8c72f743bda7dbfa9032356bc8110098a.patch
  * CVE-2016-5157: CVE-2016-5157.patch

opensaml2 (2.5.3-2+deb8u2) jessie-security; urgency=high
 .
  * [28c33b1] Adjust my name and email in Uploaders
  * [4be47e7] New patch: Security fix from V2.6.1 (CPPOST-105)
    Thanks to Scott Cantor

openssh (1:6.7p1-5+deb8u4) jessie; urgency=medium
 .
  * Test configuration before starting or reloading sshd under systemd (closes: #865770).
  * Make "--" before the hostname terminate argument processing after the hostname too (closes: #873201).

openssl (1.0.1t-1+deb8u7) jessie-security; urgency=medium
 .
  * Fix CVE-2017-3735.patch

otrs2 (3.3.18-1+deb8u2) jessie-security; urgency=high
 .
  * Add patch 16-OSA-2017-06 which fixes OSA-2017-06, also known as CVE-2017-15864: An attacker who is logged into OTRS as an agent can request special URLs from OTRS which can lead to the disclosure of any configuration information, including database credentials.
  * Add patch 17-OSA-2017-07 which fixes OSA-2017-07, also known as CVE-2017-16664: An attacker who is logged into OTRS as an agent can request special URLs from OTRS which can lead to the execution of shell commands with the permissions of the web server user.
    Closes: #882370

otrs2 (3.3.18-1+deb8u1) jessie-security; urgency=high
 .
  * New upstream release.
    - Refresh patches 03-backup, 04-opt, 05-database, 06-no-installer, 09-disable-DashboardProductNotify, 10-nice-packagemanager-permissions-message, 12-use-debian-libjs-packages, 13-load-debian-libjs, 14-font-paths and 15-dbupdate-as-root.
    - This fixes OSA-2017-04, also known as CVE-2017-14635: An attacker who is logged into OTRS as an agent with write permissions for statistics can inject arbitrary code into the system. This can lead to serious problems like privilege escalation, data loss, and denial of service.
    Closes: #876462
 .
otrs2 (3.3.11-1) experimental; urgency=low
 .
  * New upstream release.
    - Fixes CVE-2014-9324, also known as OSA-2014-06.
    - Refresh hunky patch 03-backup.
    - Refresh hunky patch 07-dont-chown-links.
    - Refresh hunky patch 10-nice-packagemanager-permissions-message.
    - Refresh hunky patch 11-fix-SetPermissions-to-include-some-more-dirs.
  * Watch again all releases.
  * Do not install auto_build.sh. Closes: #772287
  * Merge 3.3.9-3 changelog.
 .
otrs2 (3.3.10-1) experimental; urgency=low
 .
  * New upstream release.
    - Refresh hunky patch 03-backup.
    - non-free flash files have been removed.
    - Remove an extra license file.
  * Move database servers from recommends to suggest and add Postgres and MySQL clients to recommends. Closes: #767517

pdns (3.4.1-4+deb8u8) jessie; urgency=medium
 .
  * Add patch fixing security issue:
  * Missing check on API operations: CVE-2017-15091

pdns-recursor (3.6.2-2+deb8u4) jessie; urgency=medium
 .
  * Add upstream patch fixing security issue:
  * Configuration file injection in the API. CVE-2017-15093

perl (5.20.2-3+deb8u9) jessie-security; urgency=high
 .
  * Update upstream base.pm no-dot-in-inc fix patch description.
  * [SECURITY] CVE-2017-12837: Fix a heap buffer overflow in regular expression compiler. (Closes: #875596)
  * [SECURITY] CVE-2017-12883: Fix a buffer over-read in regular expression parser. (Closes: #875597)
    + also includes a separate upstream fix from the 5.23 cycle

pjproject (2.1.0.0.ast20130823-1+deb8u1) jessie-security; urgency=medium
 .
  * CVE-2017-9359 CVE-2017-9372

postgresql-9.4 (9.4.15-0+deb8u1) jessie-security; urgency=medium
 .
  * New upstream version.
 .
    + Fix crash due to rowtype mismatch in json{b}_populate_recordset() (Michael Paquier, Tom Lane)
 .
      These functions used the result rowtype specified in the FROM ... AS clause without checking that it matched the actual rowtype of the supplied tuple value. If it didn't, that would usually result in a crash, though disclosure of server memory contents seems possible as well. (CVE-2017-15098)

postgresql-9.4 (9.4.14-0+deb8u1) jessie; urgency=medium
 .
  * New upstream bugfix release.

postgresql-9.4 (9.4.13-0+deb8u1) jessie-security; urgency=medium
 .
  * New upstream security release.
    + Further restrict visibility of pg_user_mappings.umoptions, to protect passwords stored as user mapping options. See the release notes for instructions for applying the fix to existing database clusters. (CVE-2017-7547; extends fix for CVE-2017-7486)
    + Disallow empty passwords in all password-based authentication methods. (CVE-2017-7546)
    + Make lo_put() check for UPDATE privilege on the target large object. (CVE-2017-7548)

postgresql-common (165+deb8u3) jessie-security; urgency=medium
 .
  * pg_ctlcluster, pg_createcluster, pg_upgradecluster: Use lchown instead of chown to mitigate privilege escalation via symlinks. (CVE-2017-8806. Related to CVE-2017-12172 in PostgreSQL; extends our earlier fix for CVE-2016-1255.)
procmail (3.22-24+deb8u1) jessie-security; urgency=high
 .
  * Fix buffer overflow in loadbuf(). Closes: #876511.
    Reported by Jakub Wilk using American Fuzzy Lop.
    For reference, this is CVE-2017-16844.

pyjwt (0.2.1-1+deb8u2) jessie-security; urgency=medium
 .
  * CVE-2017-11424

python-tablib (0.9.11-2+deb8u1) jessie; urgency=low
 .
  * CVE-2017-2810: apply upstream patch: use safe load (Closes: #864818).

quagga (0.99.23.1-1+deb8u4) jessie-security; urgency=high
 .
  * Non-maintainer upload by the Security Team.
  * bgpd: Fix AS_PATH size calculation for long paths (CVE-2017-16227) (Closes: #879474)

request-tracker4 (4.2.8-3+deb8u3) jessie; urgency=medium
 .
  * Fix regression in previous security release where incorrect SHA256 passwords could trigger an error

ruby-ox (2.1.1-2+deb8u1) jessie; urgency=medium
 .
  * Team upload
  * Add fix_parse_obj_segfault.patch picked from upstream
    + fix CVE-2017-15928: segmentation fault in parse_obj (Closes: #881445)

sam2p (0.49.2-3+deb8u1) jessie; urgency=high
 .
  * Non-maintainer upload.
  * Fix CVE-2017-14628, CVE-2017-14629, CVE-2017-14630, CVE-2017-14631, CVE-2017-14636, CVE-2017-14637, CVE-2017-16663: Several integer overflow or heap-based buffer overflow issues were discovered in sam2p that may lead to an application crash or other unspecified impact. (Closes: #876744)

samba (2:4.2.14+dfsg-0+deb8u9) jessie-security; urgency=high
 .
  * This is a security release in order to address the following defects:
    - CVE-2017-15275: s3: smbd: Chain code can return uninitialized memory when talloc buffer is grown.
    - CVE-2017-14746: s3: smbd: Fix SMB1 use-after-free crash bug.

samba (2:4.2.14+dfsg-0+deb8u8) jessie-security; urgency=high
 .
  * This is a security release in order to address the following defects:
    - CVE-2017-12150: Some code paths don't enforce smb signing, when they should
    - CVE-2017-12151: Keep required encryption across SMB3 dfs redirects
    - CVE-2017-12163: Server memory information leak over SMB1

samba (2:4.2.14+dfsg-0+deb8u7) jessie-security; urgency=high
 .
  * This is a security release in order to address the following defect:
    - CVE-2017-11103: Orpheus' Lyre KDC-REP service name validation (Closes: #868209)

shibboleth-sp2 (2.5.3+dfsg-2+deb8u1) jessie-security; urgency=high
 .
  * [19b043c] Adjust my name and email in Uploaders
  * [cf997f0] New patch: Security fix from V2.6.1 (SSPCPP-763)
    Thanks to Scott Cantor

slurm-llnl (14.03.9-5+deb8u1) jessie; urgency=high
 .
  * Fix security issue caused by insecure file path handling triggered by the failure of a Prolog script (CVE-2016-10030)

smb4k (1.2.1-2~deb8u1) jessie-security; urgency=high
 .
  * Non-maintainer upload.
  * Backport version 1.2.1-2 from Stretch and fix CVE-2017-8849. Previous versions of smb4k allowed local users to gain root privileges by leveraging failure to verify arguments to the mount helper DBUS service.

smb4k (1.2.1-1) unstable; urgency=medium
 .
  * Team upload.
  * New upstream release.
  * Drop menu file, since smb4k already provides a .desktop file.
  * Use https for the Vcs-Browser field.
  * Bump Standards-Version to 3.9.7, no changes required.
  * Improve description; also drop the reference to the Plasma widget, since it has never been built, and it will not work anyway in a Plasma 5 environment. (Closes: #763624)
  * Link in as-needed mode.

strongswan (5.2.1-6+deb8u5) jessie-security; urgency=medium
 .
  * debian/patches:
    - CVE-2017-11185 added, fix insufficient validation in gmp plugin (CVE-2017-11185)

subversion (1.8.10-6+deb8u5) jessie-security; urgency=high
 .
  * patches/CVE-2016-8734: Unrestricted XML entity expansion in HTTP clients
  * patches/CVE-2017-9800: Arbitrary code execution on clients through malicious svn+ssh URLs in svn:externals and svn:sync-from-url

sudo (1.8.10p3-1+deb8u5) jessie; urgency=medium
 .
  * Non-maintainer upload.
  * Use /proc/self consistently on Linux
  * CVE-2017-1000368: Arbitrary terminal access (Closes: #863897)

supervisor (3.0r1-1+deb8u1) jessie-security; urgency=high
 .
  * Non-maintainer upload by the Security Team.
  * Disable object traversal in XML-RPC dispatch (CVE-2017-11610) (Closes: #870187)

syslinux (3:6.03+dfsg-5+deb8u2) jessie; urgency=medium
 .
  * Add patch from upstream to fix boot problem for old BIOS firmware from around 2005 by correcting the C/H/S order (thanks Thomas Schmitt, Closes: #879004).

tcpdump (4.9.2-1~deb8u1) jessie-security; urgency=high
 .
  * New upstream release, fixing 90 new CVEs. See the upstream changelog for the full list (closes: #867718, #873804, #873805, #873806).

tcpdump (4.9.1-3) unstable; urgency=high
 .
  * Cherry-pick three upstream commits to fix the following:
    + CVE-2017-11541: buffer over-read in safeputs() (closes: #873804)
    + CVE-2017-11542: buffer over-read in pimv1_print() (closes: #873805)
    + CVE-2017-11543: buffer overflow in sliplink_print() (closes: #873806)
  * Urgency high due to security fixes.

tcpdump (4.9.1-2) unstable; urgency=medium
 .
  * Disable IKEv2 test which mysteriously fails on ppc64el (closes: #873377).

tcpdump (4.9.1-1) unstable; urgency=medium
 .
  * New upstream release, fixes CVE-2017-11108 (closes: #867718).
  * Bump Standards-Version to 4.1.0.
  * debian/watch: add pgpsigurlmangle option.
  * Add upstream signing key in debian/upstream.

tcpdump (4.9.0-3) unstable; urgency=medium
 .
  [ intrigeri ]
  * Include AppArmor profile from Ubuntu (closes: #866682).
 .
  [ Romain Francoise ]
  * Bump Standards-Version to 4.0.0.

tcpdump (4.9.0-2) unstable; urgency=medium
 .
  * Re-enable crypto support, targeting OpenSSL 1.0 as upstream still doesn't support OpenSSL 1.1.
  * Drop --enable-ipv6 from configure line, it has been the default for years now.

tcpdump (4.9.0-1) unstable; urgency=high
 .
  * New upstream security release, fixing the following:
    + CVE-2016-7922: buffer overflow in print-ah.c:ah_print().
    + CVE-2016-7923: buffer overflow in print-arp.c:arp_print().
    + CVE-2016-7924: buffer overflow in print-atm.c:oam_print().
    + CVE-2016-7925: buffer overflow in print-sl.c:sl_if_print().
    + CVE-2016-7926: buffer overflow in print-ether.c:ethertype_print().
    + CVE-2016-7927: buffer overflow in print-802_11.c:ieee802_11_radio_print().
    + CVE-2016-7928: buffer overflow in print-ipcomp.c:ipcomp_print().
    + CVE-2016-7929: buffer overflow in print-juniper.c:juniper_parse_header().
    + CVE-2016-7930: buffer overflow in print-llc.c:llc_print().
    + CVE-2016-7931: buffer overflow in print-mpls.c:mpls_print().
    + CVE-2016-7932: buffer overflow in print-pim.c:pimv2_check_checksum().
    + CVE-2016-7933: buffer overflow in print-ppp.c:ppp_hdlc_if_print().
    + CVE-2016-7934: buffer overflow in print-udp.c:rtcp_print().
    + CVE-2016-7935: buffer overflow in print-udp.c:rtp_print().
    + CVE-2016-7936: buffer overflow in print-udp.c:udp_print().
    + CVE-2016-7937: buffer overflow in print-udp.c:vat_print().
    + CVE-2016-7938: integer overflow in print-zeromq.c:zmtp1_print_frame().
    + CVE-2016-7939: buffer overflow in print-gre.c, multiple functions.
    + CVE-2016-7940: buffer overflow in print-stp.c, multiple functions.
    + CVE-2016-7973: buffer overflow in print-atalk.c, multiple functions.
    + CVE-2016-7974: buffer overflow in print-ip.c, multiple functions.
    + CVE-2016-7975: buffer overflow in print-tcp.c:tcp_print().
    + CVE-2016-7983: buffer overflow in print-bootp.c:bootp_print().
    + CVE-2016-7984: buffer overflow in print-tftp.c:tftp_print().
    + CVE-2016-7985: buffer overflow in print-calm-fast.c:calm_fast_print().
    + CVE-2016-7986: buffer overflow in print-geonet.c, multiple functions.
    + CVE-2016-7992: buffer overflow in print-cip.c:cip_if_print().
    + CVE-2016-7993: a bug in util-print.c:relts_print() could cause a buffer overflow in multiple protocol parsers (DNS, DVMRP, HSRP, IGMP, lightweight resolver protocol, PIM).
    + CVE-2016-8574: buffer overflow in print-fr.c:frf15_print().
    + CVE-2016-8575: buffer overflow in print-fr.c:q933_print().
    + CVE-2017-5202: buffer overflow in print-isoclns.c:clnp_print().
    + CVE-2017-5203: buffer overflow in print-bootp.c:bootp_print().
    + CVE-2017-5204: buffer overflow in print-ip6.c:ip6_print().
    + CVE-2017-5205: buffer overflow in print-isakmp.c:ikev2_e_print().
    + CVE-2017-5341: buffer overflow in print-otv.c:otv_print().
    + CVE-2017-5342: a bug in multiple protocol parsers (Geneve, GRE, NSH, OTV, VXLAN and VXLAN GPE) could cause a buffer overflow in print-ether.c:ether_print().
    + CVE-2017-5482: buffer overflow in print-fr.c:q933_print().
    + CVE-2017-5483: buffer overflow in print-snmp.c:asn1_parse().
    + CVE-2017-5484: buffer overflow in print-atm.c:sig_print().
    + CVE-2017-5485: buffer overflow in addrtoname.c:lookup_nsap().
    + CVE-2017-5486: buffer overflow in print-isoclns.c:clnp_print().
  * Re-enable all tests and bump build-dep on libpcap0.8-dev to >= 1.8 accordingly.
  * Switch Vcs-Git URL to the https one.
  * Adjust lintian override name about dh 9.

tomcat8 (8.0.14-1+deb8u11) jessie-security; urgency=high
 .
  * Fix CVE-2017-7674: The CORS Filter did not add an HTTP Vary header indicating that the response varies depending on Origin. This permitted client and server side cache poisoning in some circumstances.

tor (0.2.5.15-1) jessie; urgency=medium
 .
  * New upstream version:
    - update directory authority set

transfig (1:3.2.5.e-4+deb8u1) jessie; urgency=medium
 .
  * CVE-2017-16899: 33_input_sanitizing: Some input sanitizing on FIG files (Closes: #881143, #881144).
  * 34_fill-style-overflow: Sanitize input of fill patterns (Closes: #881396).

tzdata (2017c-0+deb8u1) jessie; urgency=medium
 .
  * New upstream version, affecting the following future timestamp:
    - Northern Cyprus resumed EU rules starting 2017-10-29.
    - Namibia will switch from +01 with DST to +02 all year, affecting UT offsets starting 2018-04-01.
    - Sudan will switch from +03 to +02 on 2017-11-01.
    - Tonga will not observe DST on 2017-11-05.
    - Turks & Caicos will switch from -04 all year to -05 with US DST, affecting UT offset starting 2018-11-04.

tzdata (2017b-2) unstable; urgency=medium
 .
  [ Aurelien Jarno ]
  * Update Dutch debconf translation, by Frans Spiesschaert. Closes: #861700.
  * debian/control: provide tzdata-buster instead of tzdata-stretch.

tzdata (2017b-1) unstable; urgency=medium
 .
  [ Aurelien Jarno ]
  * New upstream version, affecting the following future timestamp:
    - Haiti resumed observance of DST in 2017.

unbound (1.4.22-3+deb8u3) jessie; urgency=high
 .
  * Cherry-pick upstream commit svn r4301, "Fix install of trust anchor when two anchors are present, makes both valid. Checks hash of DS but not signature of new key. This fixes installs between sep11 and oct11 2017."
  * Cherry-pick upstream commit svn r4000, "Include root trust anchor id 20326 in unbound-anchor".

varnish (4.0.2-1+deb8u1) jessie-security; urgency=high
 .
  * Non-maintainer upload by the Security Team.
  * Correctly handle bogusly large chunk sizes. This fixes a denial of service attack vector where bogusly large chunk sizes in requests could be used to force restarts of the Varnish server.

vlc (2.2.7-1~deb8u1) jessie-security; urgency=high
 .
  * New upstream release.
    - Fix crash in libavcodec module (heap write out-of band). (CVE-2017-10699)
    - Fix flac heap write overflow on format change. (CVE-2017-9300)
    - Fix AVI read/write overflow.

vlc (2.2.6-6) unstable; urgency=medium
 .
  * Update to ffmpeg 2.8.13.

vlc (2.2.6-5) unstable; urgency=medium
 .
  * debian/control: Bump Standards-Version.
  * debian/patches: Add support for libupnp 1.8. (Closes: #868936)

vlc (2.2.6-4) unstable; urgency=medium
 .
  * debian/upstream: Add DEP-12 metadata.
  * debian/control:
    - Restrict Recommends on vlc-plugin-samba to linux-any kfreebsd-any.
    - Switch to timgm6mb-soundfont. (Closes: #870790)
    - Bump Standards-Version.
  * debian/{rules,control,vlc-plugin-base}: No longer build directfb plugin. directfb upstream is inactive and the plugin got removed for vlc 3.0.
  * debian/vlc-plugin-base.lintian-overrides: Override shlibs-with-non-pic-code. See lintian overrides of ffmpeg for more details.

vlc (2.2.6-3) unstable; urgency=medium
 .
  [ Mateusz Łukasik ]
  * debian/patches: avcodec: Check visible sizes (CVE-2017-10699).
 .
  [ Sebastian Ramacher ]
  * debian/patches: flac: Fix heap write overflow on frame format change. (CVE-2017-9300)

vlc (2.2.6-2) unstable; urgency=medium
 .
  * Upload to unstable.
  * Update to ffmpeg 2.8.12.
  * debian/control:
    - Remove Build-Conflicts.
    - Bump Standards-Version.
  * debian/rules: Build with hardening=+all.

vlc (2.2.6-1) experimental; urgency=medium
 .
  * New upstream release.
    - demuxer: Fix heap buffer overflows (CVE-2017-8312).

vlc (2.2.6-1~deb9u1) unstable; urgency=high
 .
  * New upstream release.
    - demux: Fix heap buffer overflows (CVE-2017-8312)
  * debian/*.maintscript: Bump all versions to 2.2.6-1~z. This is necessary to properly handle symlink to directory conversions once 2.2.6 is available in jessie.
  * debian/control: Bump Breaks + Replaces to 2.2.6-1~deb9u1 where necessary to ensure proper upgrades from jessie.

weechat (1.0.1-1+deb8u2) jessie; urgency=medium
 .
  * Non-maintainer upload.
  * logger: call strftime before replacing buffer local variables (CVE-2017-14727) (Closes: #876553)

wget (1.16-1+deb8u4) jessie-security; urgency=medium
 .
  * CVE-2017-13089 / CVE-2017-13090

wordpress (4.1+dfsg-1+deb8u15) jessie-security; urgency=medium
 .
  * Backport security patches from 4.8.2
    - CVE-2017-14723 $wpdb->prepare() can create unexpected and unsafe queries leading to potential SQL injection (SQLi)
      Changeset 41472, 41498
    - CVE-2017-14726 Cross-site scripting (XSS) vulnerability in the visual editor
      Changeset 41436
    - CVE-2017-14719 Path traversal vulnerability in the file unzipping code
      Changeset 41459
    - CVE-2017-14721 Cross-site scripting (XSS) vulnerability in the plugin editor
      Changeset 41413
    - CVE-2017-14725 Open redirect in the user edit screens
      The term/tag edit screen does not have this issue.
      Changeset 41424
    - CVE-2017-14722 Path traversal vulnerability in the customizer
      Changeset 41430
    - CVE-2017-14720 Cross-site scripting (XSS) vulnerability in template names
      Changeset 41413 (same as plugin editor)
    - CVE-2017-14718 Cross-site scripting (XSS) vulnerability in the link modal
  * Not vulnerable:
    - CVE-2017-14724 Cross-site scripting (XSS) vulnerability in the oEmbed discovery
      oEmbed feature not present in this version
  * Hash user activation key
    Closes: #877629
    Fixes CVE-2017-14990

wordpress-shibboleth (1.4-2+deb8u1) jessie-security; urgency=high
 .
  * [CVE-2017-14313]: Fix XSS in login form (Closes: #874416)

wpa (2.3-1+deb8u5) jessie-security; urgency=high
 .
  * Non-maintainer upload by the Security Team.
  * Add patches to fix WPA protocol vulnerabilities (CVE-2017-13077, CVE-2017-13078, CVE-2017-13079, CVE-2017-13080, CVE-2017-13081, CVE-2017-13082, CVE-2017-13086, CVE-2017-13087, CVE-2017-13088):
    - hostapd: Avoid key reinstallation in FT handshake
    - Prevent reinstallation of an already in-use group key
    - Extend protection of GTK/IGTK reinstallation of WNM-Sleep Mode cases
    - Fix PTK rekeying to generate a new ANonce
    - TDLS: Reject TPK-TK reconfiguration
    - WNM: Ignore WNM-Sleep Mode Response if WNM-Sleep Mode has not been used
    - WNM: Ignore WNM-Sleep Mode Response without pending request
    - FT: Do not allow multiple Reassociation Response frames
    - TDLS: Ignore incoming TDLS Setup Response retries

xen (4.4.1-9+deb8u10) jessie-security; urgency=medium
 .
  Security updates, including some very important fixes:
  * XSA-217 CVE-2017-10912
  * XSA-218 CVE-2017-10913 CVE-2017-10914
  * XSA-219 CVE-2017-10915
  * XSA-221 CVE-2017-10917
  * XSA-222 CVE-2017-10918
  * XSA-224 CVE-2017-10919
  * XSA-226 CVE-2017-12135
  * XSA-227 CVE-2017-12137
  * XSA-230 CVE-2017-12855
  * XSA-235 no CVE assigned yet
 .
  Bugfixes:
  * evtchn: don't reuse ports that are still "busy" (for XSA-221 patch)
 .
  FYI, XSAs which remain outstanding because no patch is available.
  * XSA-223: armhf/arm64 guest-induced host crash vulnerability
 .
  FYI, inapplicable XSAs, for which no patch is included:
  * XSA-216: Bugs are in Linux and Qemu, not Xen
  * XSA-220: Xen 4.4 is not vulnerable
  * XSA-225: Xen 4.4 is not vulnerable
  * XSA-228: Xen 4.4 is not vulnerable
  * XSA-229: Bug is in Linux, not Xen

xorg-server (2:1.16.4-1+deb8u2) jessie-security; urgency=high
 .
  * render: Fix out of boundary heap access
  * Xext/shm: Validate shmseg resource id (CVE-2017-13721)
  * xkb: Escape non-printable characters correctly.
  * xkb: Handle xkb formated string output safely (CVE-2017-13723)
  * os: Make sure big requests have sufficient length.
  * Unvalidated lengths in
    - XFree86-VidModeExtension (CVE-2017-12180)
    - XFree86-DGA (CVE-2017-12181)
    - XFree86-DRI (CVE-2017-12182)
    - XFIXES (CVE-2017-12183)
    - XINERAMA (CVE-2017-12184)
    - MIT-SCREEN-SAVER (CVE-2017-12185)
    - X-Resource (CVE-2017-12186)
    - RENDER (CVE-2017-12187)
  * Xi: Test exact size of XIBarrierReleasePointer
  * Xi: integer overflow and unvalidated length in (S)ProcXIBarrierReleasePointer (CVE-2017-12179)
  * Xi: Silence some tautological warnings
  * Xi: fix wrong extra length check in ProcXIChangeHierarchy (CVE-2017-12178)
  * dbe: Unvalidated variable-length request in ProcDbeGetVisualInfo (CVE-2017-12177)
  * Unvalidated extra length in ProcEstablishConnection (CVE-2017-12176)
  * Use timingsafe_memcmp() to compare MIT-MAGIC-COOKIES (CVE-2017-2624)
  * Xwayland: enable access control and default to just the local user (CVE-2015-3164)

zabbix (1:2.2.7+dfsg-2+deb8u3) jessie-security; urgency=medium
 .
  * CVE-2017-2824 CVE-2017-2825

======================================
Sat, 22 Jul 2017 - Debian 8.9 released
======================================

=========================================================================
[Date: Sat, 22 Jul 2017 09:47:36 +0000] [ftpmaster: Archive Administrator]
Removed the following packages from oldstable:

      ears |    1.0.1-2.1 | source, all
Closed bugs: 862406

------------------- Reason -------------------
requires unavailable python-musicbrainz
----------------------------------------------
=========================================================================

=========================================================================
[Date: Sat, 22 Jul 2017 09:48:21 +0000] [ftpmaster: Archive Administrator]
Removed the following packages from oldstable:

      gnuvd |    1.0.12-1 | source, amd64, arm64, armel, armhf, i386, mips, mipsel, powerpc, ppc64el, s390x
gnuvd-gnome |    1.0.12-1 | all
Closed bugs: 862486

------------------- Reason -------------------
broken by upstream site changes
----------------------------------------------
=========================================================================
=========================================================================
[Date: Sat, 22 Jul 2017 09:48:46 +0000] [ftpmaster: Archive Administrator]

Removed the following packages from oldstable:

hbro-contrib | 1.1.1.0-1 | source
libghc-hbro-contrib-dev | 1.1.1.0-1+b18 | powerpc
libghc-hbro-contrib-dev | 1.1.1.0-1+b23 | i386
libghc-hbro-contrib-dev | 1.1.1.0-1+b24 | amd64
libghc-hbro-contrib-doc | 1.1.1.0-1 | all
libghc-hbro-contrib-prof | 1.1.1.0-1+b18 | powerpc
libghc-hbro-contrib-prof | 1.1.1.0-1+b23 | i386
libghc-hbro-contrib-prof | 1.1.1.0-1+b24 | amd64
Closed bugs: 868811

------------------- Reason -------------------
build-depends on to-be-removed hbro
----------------------------------------------
=========================================================================
=========================================================================
[Date: Sat, 22 Jul 2017 09:49:08 +0000] [ftpmaster: Archive Administrator]

Removed the following packages from oldstable:

hbro | 1.1.2.2-2 | source
hbro | 1.1.2.2-2+b8 | powerpc
hbro | 1.1.2.2-2+b14 | i386
hbro | 1.1.2.2-2+b15 | amd64
libghc-hbro-dev | 1.1.2.2-2+b8 | powerpc
libghc-hbro-dev | 1.1.2.2-2+b14 | i386
libghc-hbro-dev | 1.1.2.2-2+b15 | amd64
libghc-hbro-doc | 1.1.2.2-2 | all
libghc-hbro-prof | 1.1.2.2-2+b8 | powerpc
libghc-hbro-prof | 1.1.2.2-2+b14 | i386
libghc-hbro-prof | 1.1.2.2-2+b15 | amd64
Closed bugs: 862503

------------------- Reason -------------------
segfaults on all usage
----------------------------------------------
=========================================================================
=========================================================================
[Date: Sat, 22 Jul 2017 09:49:33 +0000] [ftpmaster: Archive Administrator]

Removed the following packages from oldstable:

pgsnap | 0.7.0-1 | source, all
Closed bugs: 863339

------------------- Reason -------------------
incompatible with current PostgreSQL versions
----------------------------------------------
=========================================================================
=========================================================================
[Date: Sat, 22 Jul 2017 09:49:55 +0000] [ftpmaster: Archive Administrator]

Removed the following packages from oldstable:

lshell | 0.9.16-1 | source, all
Closed bugs: 864520

------------------- Reason -------------------
security issues
----------------------------------------------
=========================================================================
=========================================================================
[Date: Sat, 22 Jul 2017 09:50:18 +0000] [ftpmaster: Archive Administrator]

Removed the following packages from oldstable:

rant | 0.5.8-8 | source, all
Closed bugs: 865383

------------------- Reason -------------------
broken
----------------------------------------------
=========================================================================
=========================================================================
[Date: Sat, 22 Jul 2017 09:50:44 +0000] [ftpmaster: Archive Administrator]

Removed the following packages from oldstable:

django-authority | 0.5-2 | source
python-django-authority | 0.5-2 | all
Closed bugs: 865385

------------------- Reason -------------------
incompatible with Django 1.7
----------------------------------------------
=========================================================================

3dchess (0.8.1-18+deb8u1) jessie; urgency=medium

  * Team upload.
  * Add wasteful-CPU-consumption.patch.
    The game always consumed 100 % CPU resources due to a missing sleep call
    in its main loop. (Closes: #866378)

apache2 (2.4.10-10+deb8u9) jessie-security; urgency=medium

  * CVE-2017-3167: Authentication bypass with ap_get_basic_auth_pw()
  * CVE-2017-3169: mod_ssl NULL pointer dereference
  * CVE-2017-7668: Buffer overrun in ap_find_token()
  * CVE-2017-7679: mod_mime buffer overread

apt-cacher (1.7.10+deb8u2) jessie; urgency=medium

  * Backport of fix for #786661: ensure /var/run/apt-cacher is created in
    inetd mode.

apt-cacher (1.7.10+deb8u1) jessie; urgency=medium

  * Prevent HTTP response splitting with encoded newlines in request.
    Backport of fix for #858739.

base-files (8+deb8u9) oldstable; urgency=low

  * Changed /etc/debian_version to 8.9, for Debian 8.9 point release.
  * Distribution is now oldstable instead of stable.

bind9 (1:9.9.5.dfsg-9+deb8u12) jessie-security; urgency=high

  * Non-maintainer upload by the Security Team.
  * Add patch to fix CVE-2017-3042 and CVE-2017-3043
    CVE-2017-3042: error in TSIG authentication can permit unauthorized zone
    transfers. An attacker may be able to circumvent TSIG authentication of
    AXFR and Notify requests.
    CVE-2017-3043: error in TSIG authentication can permit unauthorized
    dynamic updates. An attacker may be able to forge a valid TSIG or SIG(0)
    signature for a dynamic update.

bind9 (1:9.9.5.dfsg-9+deb8u11) jessie-security; urgency=high

  * Non-maintainer upload by the Security Team.
  * Dns64 with "break-dnssec yes;" can result in an assertion failure.
    (CVE-2017-3136) (Closes: #860224)
  * Prerequisite for CVE-2017-3137 cherry-picked from upstream change #4190.
    If not cherry-picking this change the fix for CVE-2017-3137 can cause an
    assertion failure to appear in name.c.
  * Some chaining (CNAME or DNAME) responses to upstream queries could
    trigger assertion failures (CVE-2017-3137) (Closes: #860225)
  * Reimplement: Some chaining (CNAME or DNAME) responses to upstream queries
    could trigger assertion failures. (CVE-2017-3137)
  * Fix regression introduced when handling CNAME to referral below the
    current domain
  * 'rndc ""' could trigger an assertion failure in named. (CVE-2017-3138)
    (Closes: #860226)

bitlbee (3.2.2-2+deb8u1) jessie-security; urgency=high

  * Non-maintainer upload by the Security Team
  * Patches issues about remote DoS and potential arbitrary code execution
    (Closes: CVE-2016-10188, CVE-2016-10189)

boinc (7.4.23+dfsg-1+deb8u1) jessie; urgency=medium

  [ Tom Downes ]
  * Try both oom_score_adj and oom_adj when adjusting the OOM score
    (Closes: #843663).

  [ Mike Brennan ]
  * Fix xhost syntax. (Closes: #841665)
    - the xhost permissions syntax requires a "localuser" keyword for locally
      specified users.

boinc (7.4.23+dfsg-1exp3) experimental; urgency=medium

  [ Nelson A. de Oliveira ]
  * Fix wrong chown binary path (Closes: #768429).

boinc (7.4.23+dfsg-1exp2) experimental; urgency=medium

  * Fix other dependencies on dbg packages.
  * Reorder debian patches, drop useless and old ones.
  * Add pre-depends on shared multiarch packages.
  * Add service file, tweaked from the fedora one.

boinc (7.4.23+dfsg-1exp1) experimental; urgency=medium

  * Upload to experimental, with the boinc-server-* packages.

c-ares (1.10.0-2+deb8u2) jessie; urgency=medium

  * Add patch for CVE-2017-1000381 (Closes: #865360)

cfitsio (3.370-2+deb8u1) jessie; urgency=medium

  * Add patches/09-memcpy-overlap.diff to use memmove instead of memcpy where
    memory area might overlap (closes: #800819).

chkrootkit (0.50-3.2~deb8u1) jessie; urgency=medium

  * Non-maintainer upload.
  * Rebuild for jessie.

chkrootkit (0.50-3.1) unstable; urgency=medium

  * Non-maintainer upload.
  * Add missing dependency on openssh-client. Closes: #785322
  * Add Built-Using field to track the source package required to rebuild
    the statically linked binary. Closes: #769353

cqrlog (1.8.2-1.1+deb8u1) jessie; urgency=medium

  * Non-maintainer upload.
  * tools/cqrlog-apparmor-fix, debian/postrm: Check for /etc/init.d/apparmor
    before restarting apparmor. (Closes: #864549)

debconf (1.5.56+deb8u1) jessie; urgency=medium

  [ Niko Tyni ]
  * Use File::Temp instead of the deprecated POSIX::tmpnam() in
    Debconf::TmpFile (closes: #863071).
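The apt-cacher 1.7.10+deb8u1 entry above fixes HTTP response splitting through encoded newlines in the request. The bug class: a proxy percent-decodes the request path and later copies it into a response header (a Location: redirect, a cache-key header, an error page), so "%0d%0a" in the request ends the header line and lets the client inject further headers or a whole second response into what the next reader of that connection sees. The following is an added example, not apt-cacher's code: a decoder that rejects CR, LF and NUL on the decoded bytes, so raw, %0d%0a and %0D%0A forms are all caught, together with two small helpers used for the checks. The request paths are constructed.

```c
/* Added example (not apt-cacher code): refusing response-splitting input
 * at the point where a request path is percent-decoded. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

static int hexval(char c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Percent-decode src into dst (capacity dstsz, NUL-terminated).
 * Returns the decoded length, or -1 when an escape is malformed or
 * truncated, dst is too small, or the decoded text contains CR, LF or
 * NUL. The check runs on decoded bytes, so the encoding used to smuggle
 * a newline does not matter. Rejecting is deliberate: stripping the bytes
 * instead would silently turn one attacker-controlled path into another. */
long decode_request_path(const char *src, char *dst, size_t dstsz)
{
    size_t out = 0;
    for (size_t i = 0; src[i] != '\0'; i++) {
        char c = src[i];
        if (c == '%') {
            int hi = hexval(src[i + 1]);
            int lo = (hi < 0) ? -1 : hexval(src[i + 2]);
            if (lo < 0) return -1;           /* "%zz" or "%4" at end */
            c = (char)((hi << 4) | lo);
            i += 2;
        }
        if (c == '\r' || c == '\n' || c == '\0')
            return -1;                       /* header injection attempt */
        if (out + 1 >= dstsz) return -1;     /* keep room for the NUL */
        dst[out++] = c;
    }
    dst[out] = '\0';
    return (long)out;
}

/* 1 if src decodes cleanly and may be copied into a response header. */
int path_is_safe(const char *src)
{
    char buf[1024];
    return decode_request_path(src, buf, sizeof buf) >= 0;
}

/* 1 if src decodes successfully to exactly expected, else 0. */
int decodes_to(const char *src, const char *expected)
{
    char buf[1024];
    return decode_request_path(src, buf, sizeof buf) >= 0
        && strcmp(buf, expected) == 0;
}

int main(void)
{
    /* constructed request paths: one honest, two carrying encoded newlines */
    const char *paths[] = {
        "/debian/pool%2Fmain/a%2Fapt",
        "/x%0d%0aSet-Cookie:%20a=b",
        "/x%0D%0AContent-Length:%200",
    };
    for (size_t i = 0; i < sizeof paths / sizeof paths[0]; i++)
        printf("%-32s -> %s\n", paths[i],
               path_is_safe(paths[i]) ? "ok" : "rejected");
    return 0;
}
```

The same rule applies to every request-derived value that reaches a response line, not only the path: query parameters, Host and Referer are equally common carriers. A decoder that checks before decoding, or that checks only the raw bytes, misses the encoded form entirely.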
debian-archive-keyring (2017.5~deb8u1) jessie; urgency=medium

  * Team upload.
  * Update jessie with 2017.5, closes: #860831, 860830, 863303

debian-installer-netboot-images (20150422+deb8u4.b4) jessie; urgency=medium

  * Update to 20150422+deb8u4+b4 images, from jessie-proposed-updates

debian-security-support (2017.06.02~deb8u1) jessie; urgency=medium

  * Rebuild for jessie.

debian-security-support (2017.01.03) unstable; urgency=medium

  * Add Teeworlds to security-support-ended.deb7 because games are not
  * In the test suite, don't use dates past 2038, some archs cannot handle
    it. Closes: #849650

debian-security-support (2016.05.30~7) UNRELEASED; urgency=medium

  * Team upload

  [ Santiago Ruano Rincón ]
  * Unify msgstrs in check-support-status.in and in debconf templates to
    avoid duplicated translations.
  * New po/{Makefile,PACKAGE,POTFILES} files taken from libintl-perl.
    - debian/rules: clean and install translation files using po/Makefile.
  * Enable updating po debconf templates during build time:
    - debian/control: add Build-Depends on po-debconf.
    - debian/rules: dh_clean: run debconf-updatepo.
  * Bump Standards-Version: 3.9.8.
  * Update Italian debconf templates translation.
    Thanks to Beatrice Torracca (Closes: #825726)
  * Update Japanese debconf template translation (Closes: #826640)
  * Avoid printing blank lines when there is nothing to report and no --type
    is specified. (Closes: #819275)

  [ Markus Koschany ]
  * Mark trn as unsupported in Wheezy LTS

  [ Salvatore Bonaccorso ]
  * Update Dutch debconf templates translation.
    Thanks to Frans Spiesschaert (Closes: #832277)

  [ Chris Lamb ]
  * Add inspircd to unsupported in wheezy.
  * Add matrixssl to unsupported in Debian 7.0/wheezy.

  [ Salvatore Bonaccorso ]
  * Drop pidgin from packages list with limited security support.
    Thanks to Raphaël Hertzog (Closes: #838906)
  * Mark virtualbox as end-of-life for Debian 8 (Jessie) (Closes: #842051)

debian-security-support (2016.05.24) unstable; urgency=medium

  * Team upload.

  [ Santiago Ruano Rincón ]
  * check-support-status.hook, debian-security-support.postinst: only invoke
    --type earlyend when running a version that supports it, i.e.
    >= 2016.03.30.
  * check-support-status.hook: Make sure to run check-support-status from an
    accessible directory. Thanks to Raphaël Hertzog (Closes: #824081).
  * Include missing earlyend debconf template.
  * Update Spanish debconf template translation.
  * Update French debconf template translation.
  * Mark as not supported in Wheezy LTS:
    - libv8
    - mediawiki (also not supported in Jessie)
    - vlc
  * Update Danish debconf templates translation.
    Thanks to Joe Dalton (Closes: #824467)
  * Update Telugu debconf templates translation.
    Thanks to Praveen Illa (Closes: #824638)
  * Update Polish debconf templates translation.
    Thanks to Łukasz Dulny (Closes: #824245)
  * Update Portuguese debconf template translations.
    Thanks to Américo Monteiro (Closes: #824145)
  * Updated German debconf template translation.
    Thanks to Chris Leick (Closes: #824488)
  * Update Brazilian Portuguese debconf templates translation.
    Thanks to Adriano Rafael Gomes (Closes: #824643)

debootstrap (1.0.67+deb8u1) jessie; urgency=medium

  * Add support for buster and bullseye.

deluge (1.3.10-3+deb8u1) jessie-security; urgency=medium

  * CVE-2017-7178 / new directory traversal (currently CVE-less)

dropbear (2014.65-1+deb8u2) stable-security; urgency=high

  * Backport security fixes from 2017.75 (closes: #862970):
    - Fix double-free in server TCP listener cleanup
      A double-free in the server could be triggered by an authenticated user
      if dropbear is running with -a (Allow connections to forwarded ports
      from any host). This could potentially allow arbitrary code execution
      as root by an authenticated user.
    - Fix information disclosure with ~/.ssh/authorized_keys symlink.
      Dropbear parsed authorized_keys as root, even if it were a symlink.
      The fix is to switch to user permissions when opening authorized_keys.
      A user could symlink their ~/.ssh/authorized_keys to a root-owned file
      they couldn't normally read. If they managed to get that file to
      contain valid authorized_keys with command= options it might be
      possible to read other contents of that file. This information
      disclosure is to an already authenticated user.

drupal7 (7.32-1+deb8u9) jessie-security; urgency=high

  * Backported from 7.41: SA-CORE-2015-004: Open redirect (CVE-2015-7943)
  * Backported from 7.56: SA-CORE-2017-003: Files uploaded by anonymous users
    into a private file system can be accessed by other anonymous users.
    (CVE-2017-6922) (Closes: #865498)
  * Updated patches noting the CVE IDs they address (many were sent out
    before a CVE was assigned)

eterm (0.9.6-1+deb8u1) jessie; urgency=medium

  * QA upload.
  * Apply patch from Arnaud Ceyrolle to fix problems when starting or
    stopping the shell caused by an integer overflow. (Closes: #770369)

ettercap (1:0.8.1-3+deb8u1) jessie-security; urgency=medium

  * SECURITY UPDATE:
  * debian/patches/626dc56686f15f2dda13c48f78c2a666cb6d8506.patch:
    - upstream fix for CVE-2017-6430 (Closes: #857035)
      (crash fix when a corrupted filter is used)
  * debian/patches/803.patch:
    - fix buffer overflow/underflow with bad filters (Closes: #861604).
      CVE-2017-8366 (Buffer overflow/underflow issue)
    - CVE-2017-6430
    - CVE-2017-8366

evince (3.14.1-2+deb8u2) jessie-security; urgency=medium

  * CVE-2017-1000083

exim4 (4.84.2-2+deb8u4) jessie-security; urgency=medium

  * CVE-2017-1000369

expat (2.1.0-6+deb8u4) jessie-security; urgency=high

  * Use upstream fix for the following vulnerabilities:
    - CVE-2017-9233, external entity infinite loop bug,
    - CVE-2016-9063, undefined behavior from signed integer overflow.

flightgear (3.0.0-5+deb8u2) jessie; urgency=high

  * Add patch restrict-save-flightplan-secu-fix-faf872.patch: prevent
    overriding arbitrary files from the "save-flightplan" FGCommand.
    Closes: #862689 (CVE-2017-8921).
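The dropbear entry above describes a root-running daemon parsing a user-controlled ~/.ssh/authorized_keys path, so a symlink turned root into a file oracle for that user. Dropbear's own fix, as the entry says, switches to the user's uid/gid around the open. The following is an added example, not dropbear's code, of the other common hardening, which stays root: open the directory and the file without following symlinks, then verify type, ownership and mode on the already-open descriptor with fstat, so there is no check-then-open window. The ownership rule chosen here (file must belong to the user) is stricter than OpenSSH's StrictModes, which also accepts root-owned files; that is an assumption of this example. The self-test creates its own temporary directory and key file, so nothing here depends on a real account.

```c
/* Added example (not dropbear code): opening a user's authorized_keys from
 * a root daemon without letting a symlink turn root into a file oracle. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Accept only an object of the required type, owned by `owner`, that is
 * not group- or world-writable. Checked on the open fd, never on a path. */
static int acceptable(int fd, uid_t owner, mode_t required_type)
{
    struct stat st;
    if (fstat(fd, &st) < 0) return 0;
    if ((st.st_mode & S_IFMT) != required_type) return 0;
    if (st.st_uid != owner) return 0;
    if (st.st_mode & (S_IWGRP | S_IWOTH)) return 0;
    return 1;
}

/* Returns a read-only fd for <ssh_dir>/<name>, or -1 with errno set.
 * Both the directory and the file are opened with O_NOFOLLOW, so a symlink
 * at either level fails with ELOOP before anything is read. */
int open_authorized_keys(const char *ssh_dir, const char *name, uid_t owner)
{
    int dfd = open(ssh_dir, O_RDONLY | O_DIRECTORY | O_NOFOLLOW | O_CLOEXEC);
    if (dfd < 0) return -1;
    if (!acceptable(dfd, owner, S_IFDIR)) { close(dfd); errno = EACCES; return -1; }

    int fd = openat(dfd, name, O_RDONLY | O_NOFOLLOW | O_CLOEXEC);
    close(dfd);
    if (fd < 0) return -1;                  /* ELOOP: the file was a symlink */
    if (!acceptable(fd, owner, S_IFREG)) { close(fd); errno = EACCES; return -1; }
    return fd;
}

/* Self-contained demonstration in a fresh temp directory: a genuine 0600
 * file is accepted, the same file made world-writable is refused, and a
 * symlink to /etc/passwd is refused. Returns 1 when all three behave so. */
int demo_self_test(void)
{
    char dir[] = "/tmp/ak-demo-XXXXXX";
    char path[256];
    const char *line = "ssh-ed25519 AAAA... demo@example\n";  /* constructed */
    uid_t me = getuid();
    int result = 0, fd = -1;

    if (mkdtemp(dir) == NULL) return 0;     /* created 0700, owned by us */
    snprintf(path, sizeof path, "%s/authorized_keys", dir);

    fd = open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0 || write(fd, line, strlen(line)) < 0) goto cleanup;
    close(fd); fd = -1;

    /* 1: genuine file, correct owner and mode: accepted */
    fd = open_authorized_keys(dir, "authorized_keys", me);
    if (fd < 0) goto cleanup;
    close(fd); fd = -1;

    /* 2: same file made group/world-writable: refused */
    if (chmod(path, 0666) < 0) goto cleanup;
    fd = open_authorized_keys(dir, "authorized_keys", me);
    if (fd >= 0) goto cleanup;

    /* 3: replaced by a symlink to a root-owned file: refused (ELOOP) */
    if (unlink(path) < 0 || symlink("/etc/passwd", path) < 0) goto cleanup;
    fd = open_authorized_keys(dir, "authorized_keys", me);
    if (fd >= 0) goto cleanup;

    result = 1;
cleanup:
    if (fd >= 0) close(fd);
    unlink(path);
    rmdir(dir);
    return result;
}

int main(void)
{
    printf("authorized_keys checks behave as expected: %s\n",
           demo_self_test() ? "yes" : "no");
    return 0;
}
```

O_NOFOLLOW applies only to the final component of each open, which is why the directory is opened and checked separately and the file is then opened relative to it with openat(): a symlinked ~/.ssh is caught at the first step. Dropping privileges, as dropbear does, closes the same hole from the other side: whatever the link points at, the kernel applies the user's own permissions.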
fop (1:1.1.dfsg2-1+deb8u1) jessie-security; urgency=high

  * Team upload.
  * Fixed CVE-2017-5661: Information disclosure vulnerability
    (Closes: #860567)

galternatives (0.13.5+nmu3+deb8u1) jessie; urgency=medium

  * Adopt package, switch maintainer information.
  * Fix the bug which causes properties window blank. Closes: #325172

git (1:2.1.4-2.1+deb8u3) jessie-security; urgency=high

  * Do not allow git helpers run via git-shell to launch a pager
    (CVE-2017-8386).

gitolite3 (3.6.1-2+deb8u2) jessie; urgency=medium

  * Bug fix: "gitolite3 should depend on openssh-client", thanks to
    Keller Fuchs (Closes: #834153).

glibc (2.19-18+deb8u10) jessie-security; urgency=medium

  * debian/patches/any/local-CVE-2017-1000366-rtld-LD_AUDIT.diff,
    debian/patches/any/local-CVE-2017-1000366-rtld-LD_LIBRARY_PATH.diff,
    debian/patches/any/local-CVE-2017-1000366-rtld-LD_PRELOAD.diff: add
    patches to protect the dynamic linker against stack clashes
    (CVE-2017-1000366).
  * debian/patches/any/cvs-hwcap-AT_SECURE.diff: patch backported from
    upstream to disable HWCAP for AT_SECURE programs.

gnats (4.1.0-3+deb8u1) jessie; urgency=medium

  * QA upload.
  * gnats-user.postrm: Do not fail to purge if /var/lib/gnats/gnats-db is
    not empty. (Closes: #661015)

gnutls28 (3.3.8-6+deb8u7) jessie; urgency=medium

  * 57_urandom-use-st_ino-and-st_rdev-to-determine-device-u.patch from
    upstream gnutls_3_3_x branch: Improve check for /dev/urandom uniqueness.
    Ensure that when gnutls_global_init() is called for a second time that
    /dev/urandom is re-opened when the inode or device ID has changed.
    Closes: #865297

gnutls28 (3.3.8-6+deb8u6) jessie-security; urgency=high

  * 56_CVE-2017-7507_1-ext-status_request-ensure-response-IDs-are-pro.patch
    56_CVE-2017-7507_2-ext-status_request-Removed-the-parsing-of-resp.patch
    56_CVE-2017-7507_3-gnutls_ocsp_status_request_enable_client-docum.patch
    from upstream gnutls_3_3_x branch: Fix crash upon receiving well-formed
    status_request extension.
    GNUTLS-SA-2017-4/CVE-2017-7507
    Closes: #864560

graphite2 (1.3.10-1~deb8u1) jessie-security; urgency=high

  * rebuild for jessie-security
  * revert ddeb-migration
  * revert s/asciidoc, dblatex/asciidoc-dblatex/ in Build-Depends-Indep

graphite2 (1.3.9-4) unstable; urgency=medium

  * add -ffloat-store to COMPILE_FLAGS; enable awami tests again

graphite2 (1.3.9-3) unstable; urgency=medium

  * s/asciidoc, dblatex/asciidoc-dblatex/ in Build-Depends-Indep
    (closes: #850995)

graphite2 (1.3.9-2) unstable; urgency=medium

  * [30ae987] disable awami tests, rounding errors (suggested by upstream)

graphite2 (1.3.9-1) unstable; urgency=medium

  * [5ca6f6e] Imported Upstream version 1.3.9

graphite2 (1.3.8-1) unstable; urgency=medium

  * New upstream release

graphite2 (1.3.7-1) unstable; urgency=medium

  * New upstream release

  * add debian/watch, update debian/copyright to point to github
  * add Homepage: (http://graphite.sil.org/)

graphite2 (1.3.6-1) unstable; urgency=medium

  * New upstream release

gtk+2.0 (2.24.25-3+deb8u2) jessie; urgency=medium

  * Non-maintainer upload.
  * debian/patches/100-GtkMenuShell-always-activate-menu-shells.patch:
    + Backport patch from GTK+3 to fix stuck grabs in some situations.
      Thanks Colomban Wendling. Closes: #847438.

heimdal (1.6~rc2+dfsg-9+deb8u1) jessie-security; urgency=high

  * Non-maintainer upload by the Security Team.
  * CVE-2017-11103: Orpheus' Lyre KDC-REP service name validation
    (Closes: #868208)

imagemagick (8:6.8.9.9-5+deb8u9) jessie-security; urgency=high

  * Security fixes various:
    + CVE-2017-7606: Undefined behavior in rle (Closes: #859771).
    + CVE-2017-7619: Infinite loop due to rounding error (Closes: #859769).
    + CVE-2017-7941 memory leak in sgi (Closes: #860734).
    + CVE-2017-7943 memory leak in svg (Closes: #860736).
  * Security fixes DOS:
    + Fix CVE-2017-8343: The ReadAAIImage function in aai.c allows attackers
      to cause a denial of service (memory leak) via a crafted file.
      (Closes: #862572).
    + Fix CVE-2017-8344: Fix DOS in PCX file coders. (Closes: #862574).
    + Fix CVE-2017-8345: The ReadMNGImage function in png.c allows attackers
      to cause a denial of service (memory leak) via a crafted file.
      (Closes: #862573)
    + Fix CVE-2017-8346: The ReadDCMImage function in dcm.c allows attackers
      to cause a denial of service (memory leak) via a crafted file.
      (Closes: #862575).
    + Fix CVE-2017-8347: Fix DOS in EXR file coders. (Closes: #862577).
    + Fix CVE-2017-8348: Fix DOS in MAT file coders. (Closes: #862578).
    + Fix CVE-2017-8349: Fix DOS in SWF file coders. (Closes: #862579).
    + Fix CVE-2017-8350: Fix DOS in png file coders. (Closes: #862587).
    + Fix CVE-2017-8351: Fix DOS in pcd file coders. (Closes: #862589).
    + Fix CVE-2017-8352: Fix DOS in xwd file coders. (Closes: #862590).
    + Fix CVE-2017-8353: Fix DOS in pict file coders. (Closes: #862632).
    + Fix CVE-2017-8354: Fix DOS in bmp file coders. (Closes: #862633).
    + Fix CVE-2017-8355: Fix DOS in mtv file coders. (Closes: #862634).
    + Fix CVE-2017-8356: Fix DOS in sun file coders. (Closes: #862635).
    + Fix CVE-2017-8357: Fix DOS in ept file coders. (Closes: #862636).
    + Fix CVE-2017-8765: Fix DOS in icon file coders. (Closes: #862653).
    + Fix CVE-2017-8830: Fix DOS in bmp file coders. (Closes: #862637).
  * Security fixes assertion failure and memory leaks:
    + Check for EOF conditions for RLE image format. (Closes: #863126).
      Fix CVE-2017-9144.
    + A crafted file revealed an assertion failure in blob.c.
      (Closes: #863125). Fix CVE-2017-9142.
    + A crafted file revealed an assertion failure in profile.c.
      (Closes: #863124). Fix CVE-2017-9142.
    + Specially crafted arts file could lead to memory leak.
      (Closes: #863123). Fix CVE-2017-9143.
  * Fix an information leak due to the use of uninitialized memory in RLE
    decoder. (Closes: #862967). Fix CVE-2017-9098.
  * Fix a regression in memory allocation due to a previous security fix.
    (Closes: #859772).
  * Change my mail address to the debian one.
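Two of the imagemagick fixes above are the classic run-length decoder pair: the RLE reader did not check for EOF inside a run (CVE-2017-9144), and the output buffer could reach the caller with uninitialized bytes where the input ran short (CVE-2017-9098), which is an information leak when the "image" is later written back out. The following is an added example, not ImageMagick's code, and the format is a constructed PackBits-style scheme (control byte n < 128: copy the next n+1 bytes; n >= 128: repeat the next byte 257-n times), not ImageMagick's RLE coder. The decoder is written so that neither bug can occur: every read is bounded by the input length, every write by the output length, the buffer is cleared first, and a stream that does not fill the image exactly is an error rather than a partially valid picture.

```c
/* Added example (not ImageMagick code): a bounded run-length decoder that
 * treats EOF inside a run and a short image as errors and never returns
 * stale buffer contents. Format is a constructed PackBits-style scheme. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Decode in[0..inlen) into out[0..outlen). Returns the number of bytes
 * produced (always == outlen on success) or -1 on: a literal run cut off
 * by EOF, a repeat control byte with no byte after it, a run that would
 * overrun out, or input that ends before out is full. */
long rle_decode(const uint8_t *in, size_t inlen, uint8_t *out, size_t outlen)
{
    size_t ip = 0, op = 0;
    memset(out, 0, outlen);                  /* never hand back stale heap */
    while (ip < inlen) {
        uint8_t ctl = in[ip++];
        if (ctl < 128) {
            size_t n = (size_t)ctl + 1;
            if (n > inlen - ip) return -1;   /* literal run cut off: EOF */
            if (n > outlen - op) return -1;  /* would overrun the output */
            memcpy(out + op, in + ip, n);
            ip += n;
            op += n;
        } else {
            size_t n = 257 - (size_t)ctl;
            if (ip >= inlen) return -1;      /* no byte to repeat: EOF */
            if (n > outlen - op) return -1;  /* would overrun the output */
            memset(out + op, in[ip], n);
            ip += 1;
            op += n;
        }
    }
    if (op != outlen) return -1;             /* short image: rows missing */
    return (long)op;
}

/* Helpers for checking results without exposing a buffer. */
long rle_try(const uint8_t *in, size_t inlen, size_t outlen)
{
    uint8_t buf[64];
    if (outlen > sizeof buf) return -1;
    return rle_decode(in, inlen, buf, outlen);
}

int rle_decodes_to(const uint8_t *in, size_t inlen,
                   const char *expected, size_t outlen)
{
    uint8_t buf[64];
    if (outlen > sizeof buf) return 0;
    return rle_decode(in, inlen, buf, outlen) == (long)outlen
        && memcmp(buf, expected, outlen) == 0;
}

/* Constructed streams: "abc" as a literal run, then 'x' repeated 3 times
 * (0xFE -> 257-254 = 3); and a repeat control byte with nothing after it. */
const uint8_t kStream[]   = { 0x02, 'a', 'b', 'c', 0xFE, 'x' };
const uint8_t kTruncRun[] = { 0xFE };

int main(void)
{
    uint8_t pixels[6];
    long n = rle_decode(kStream, sizeof kStream, pixels, sizeof pixels);
    printf("full stream   -> %ld bytes: %.6s\n", n, (const char *)pixels);
    printf("cut at byte 3 -> %ld\n", rle_try(kStream, 3, 6));
    printf("image of 8    -> %ld\n", rle_try(kStream, sizeof kStream, 8));
    printf("image of 5    -> %ld\n", rle_try(kStream, sizeof kStream, 5));
    return 0;
}
```

The two subtractions `inlen - ip` and `outlen - op` are safe because the loop invariant keeps `ip <= inlen` and `op <= outlen`; writing the checks that way, rather than as `ip + n > inlen`, also avoids the integer-overflow variant of the same bug when `n` comes from a wider field than one byte.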
init-select (1.20140921+deb8u1) jessie; urgency=medium

  * Non-maintainer upload.
  * /etc/default/grub.d/init-select.cfg: Check for
    /usr/lib/init-select/get-init before calling it. The package may have
    been removed, but not purged. (Closes: #858528)

intel-microcode (3.20170707.1~deb8u1) jessie; urgency=high

  * Upload to jessie (no changes)

intel-microcode (3.20170707.1) unstable; urgency=high

  * New upstream microcode datafile 20170707
    + New Microcodes:
      sig 0x00050654, pf_mask 0x97, 2017-06-01, rev 0x2000022, size 25600
      sig 0x000806e9, pf_mask 0xc0, 2017-04-27, rev 0x0062, size 97280
      sig 0x000806ea, pf_mask 0xc0, 2017-05-23, rev 0x0066, size 95232
      sig 0x000906e9, pf_mask 0x2a, 2017-04-06, rev 0x005e, size 97280
    + This release fixes the nightmare-level errata SKZ7/SKW144/SKL150/SKX150
      (Skylake) KBL095/KBW095 (Kaby Lake) for all affected Kaby Lake and
      Skylake processors: Skylake D0/R0 were fixed since the previous
      upstream release (20170511). This new release adds the fixes for
      Kaby Lake Y0/B0/H0 and Skylake H0 (Skylake-E/X).
    + Fix undisclosed errata in Skylake H0 (0x50654), Kaby Lake Y0 (0x806ea),
      Kaby Lake H0 (0x806e9), Kaby Lake B0 (0x906e9)
  * source: remove unneeded intel-ucode/ directory
  * source: remove superseded upstream data file: 20170511

intel-microcode (3.20170511.1) unstable; urgency=medium

  * New upstream microcode datafile 20170511
    + Updated Microcodes:
      sig 0x000306c3, pf_mask 0x32, 2017-01-27, rev 0x0022, size 22528
      sig 0x000306d4, pf_mask 0xc0, 2017-01-27, rev 0x0025, size 17408
      sig 0x000306f2, pf_mask 0x6f, 2017-01-30, rev 0x003a, size 32768
      sig 0x000306f4, pf_mask 0x80, 2017-01-30, rev 0x000f, size 16384
      sig 0x00040651, pf_mask 0x72, 2017-01-27, rev 0x0020, size 20480
      sig 0x00040661, pf_mask 0x32, 2017-01-27, rev 0x0017, size 24576
      sig 0x00040671, pf_mask 0x22, 2017-01-27, rev 0x0017, size 11264
      sig 0x000406e3, pf_mask 0xc0, 2017-04-09, rev 0x00ba, size 98304
      sig 0x000406f1, pf_mask 0xef, 2017-03-01, rev 0xb000021, size 26624
      sig 0x000506e3, pf_mask 0x36, 2017-04-09, rev 0x00ba, size 98304
    + This release fixes undisclosed errata on the desktop, mobile and server
      processor models from the Haswell, Broadwell, and Skylake families,
      including even the high-end multi-socket server Xeons
    + Likely fix the TSC-Deadline LAPIC errata (BDF89, SKL142 and similar) on
      several processor families
    + Fix erratum BDF90 on Xeon E7v4, E5v4(?) (closes: #862606)
    + Likely fix serious or critical Skylake errata: SKL138/144, SKL137/145,
      SLK149
  * Likely fix nightmare-level Skylake erratum SKL150. Fortunately, either
    this erratum is very-low-hitting, or gcc/clang/icc/msvc won't usually
    issue the affected opcode pattern and it ends up being rare.
    SKL150 - Short loops using both the AH/BH/CH/DH registers and the
    corresponding wide register *may* result in unpredictable system
    behavior. Requires both logical processors of the same core (i.e.
    sibling hyperthreads) to be active to trigger, as well as a "complex set
    of micro-architectural conditions"
  * source: remove unneeded intel-ucode/ directory
    Since release 20170511, upstream ships the microcodes both in .dat
    format, and as Linux-style split /lib/firmware/intel-ucode files. It is
    simpler to just use the .dat format file for now, so remove the
    intel-ucode/ directory.
    Note: before removal, it was verified that there were no discrepancies
    between the two microcode sets (.dat and intel-ucode/)
  * source: remove superseded upstream data file: 20161104

intel-microcode (3.20170707.1~bpo9+1) stretch-backports; urgency=high

  * Rebuild for stretch-backports (no changes)

intel-microcode (3.20170707.1~bpo8+1) jessie-backports-sloppy; urgency=medium

  * Rebuild for jessie-backports-sloppy (no changes).

intel-microcode (3.20170511.1~bpo8+1) jessie-backports; urgency=medium

  * Rebuild for jessie-backports (no changes)

intel-microcode (3.20161104.1) unstable; urgency=medium

  * New upstream microcode datafile 20161104
    + New Microcodes:
      sig 0x00050663, pf_mask 0x10, 2016-10-12, rev 0x700000d, size 20480
      sig 0x00050664, pf_mask 0x10, 2016-06-02, rev 0xf00000a, size 21504
    + Updated Microcodes:
      sig 0x000306f2, pf_mask 0x6f, 2016-10-07, rev 0x0039, size 32768
      sig 0x000406f1, pf_mask 0xef, 2016-10-07, rev 0xb00001f, size 25600
    + Removed Microcodes:
      sig 0x000106e4, pf_mask 0x09, 2013-07-01, rev 0x0003, size 6144
    + This update fixes critical errata on Broadwell-DE V2/Y0 (Xeon D-1500
      family), including one that can crash VMWare ESXi 6 with #PF (VMWare
      KB2146388), and could affect Linux as well. This same issue was fixed
      for the E5v4 Xeons in release 20160607
    + This update fixes undisclosed (and likely critical) errata on
      Broadwell-E Core i7-68xxK/69xxK/6950X, Broadwell-EP/EX B0/R0/M0 Xeon
      E5v4 and Xeon E7v4, and Haswell-EP Xeon E5v3
    + This release deletes the microcode update for the Jasper Forest
      embedded Xeons (Xeon EC35xx/LC35xx/EC35xx/LC55xx), for undisclosed
      reasons.
      The deleted microcode is outdated when compared with the updates for
      the other Nehalem Xeons
  * Makefile: always exclude microcode sig 0x206c2 just in case
    Intel is quite clear in the Intel SA-00030 advisory text that recent
    revisions (0x14 and later?) of the 0x206c2 microcode updates must be
    installed along with updated SINIT ACM on vPro systems (i.e. through a
    UEFI/BIOS firmware update). This is a defensive change so that we don't
    ship such a microcode update in the future by mistake
  * source: remove partially superseded upstream data file: 20160714
  * source: remove superseded upstream data file: 20101123
  * changelog: replace "pf mask" with "pf_mask"
  * control, compat: switch debhelper compatibility level to 9
  * control: bump standards-version, no changes required

irssi (0.8.17-1+deb8u4) jessie-security; urgency=high

  * Non-maintainer upload by the Security Team.
  * Fix dcc_request where addr is NULL (CVE-2017-9468) (Closes: #864400)
  * Fix oob read of one byte in get_file_params_count{,_resume}
    (CVE-2017-9469) (Closes: #864400)

jbig2dec (0.13-4~deb8u2) jessie-security; urgency=high

  * Non-maintainer upload by the Security Team.
  * Prevent integer overflow vulnerability (CVE-2017-7885) (Closes: #860460)
  * Prevent SEGV due to integer overflow (CVE-2017-7975) (Closes: #860788)
  * Bounds check before reading from image source data (CVE-2017-7976)
    (Closes: #860787)

jython (2.5.3-3+deb8u1) jessie-security; urgency=high

  * Team upload.
  * Fix CVE-2016-4000: (Closes: #864859)
    Unsafe deserialization may lead to arbitrary code execution.

kde4libs (4:4.14.2-5+deb8u2) jessie-security; urgency=high

  * Non-maintainer upload by the Security Team.
  * Sanitize URLs before passing them to FindProxyForURL (CVE-2017-6410)
    (Closes: #856890)
  * Verify that whoever is calling us is actually who he says he is
    (CVE-2017-8422)

knot (1.6.0-1+deb8u1) jessie-security; urgency=high

  * Non-maintainer upload by the Security Team.
  * debian/patches:
    - 0001-tsig-move-signature-validity-period-check-after-the- added,
      fix TSIG signature validation bypass (CVE-2017-11104)
      closes: #865678

libapache2-mod-perl2 (2.0.9~1624218-2+deb8u2) jessie; urgency=medium

  * Patch the test suite for apache2_2.4.10-10+deb8u8 compatibility.
    (Closes: #864316)

libcgi-application-plugin-anytemplate-perl (0.18-1+deb8u1) jessie; urgency=medium

  * Add missing dependency on libclone-perl | libclone-pp-perl.
    (Closes: #788008)

libclamunrar (0.99-0+deb8u3) jessie; urgency=medium

  * Team upload.

  [ Sebastian Andrzej Siewior ]
  * Cherry pick fix for arbitrary memory write. CVE-2012-6706
    (Closes: #867223).

libdata-faker-perl (0.10-1+deb8u1) jessie; urgency=medium

  * Set C locale for tests. Thanks to Chris Lamb for the bug report.
    (Closes: #808454)

libdvdnav (5.0.1-1+deb8u1) jessie; urgency=medium

  * debian/control: Uploader e-mail address updated
  * debian/patches/: new patchset started
    - 0001-dvdnav_get_position.patch added (Closes: #763279)

libffi (3.1-2+deb8u1) jessie-security; urgency=high

  * Non-maintainer upload by the Security Team.
  * debian/patches:
    - 01_add_missing_GNU_STACK_markings, fix requirement on an executable
      stack on x86_32 (CVE-2017-1000376) closes: #751907
  * debian/rules:
    - enable pax_emutramp

libgcrypt20 (1.6.3-2+deb8u4) jessie-security; urgency=high

  * 22_CVE-2017-752*.patch from upstream 1.7.8 release: Mitigate a
    flush+reload side-channel attack on RSA secret keys dubbed "Sliding
    right into disaster". For details see . [CVE-2017-7526]

libgcrypt20 (1.6.3-2+deb8u3) jessie-security; urgency=high

  * Non-maintainer upload by the Security Team.
  * ecc: Store EdDSA session key in secure memory (CVE-2017-9526)
  * secmem: Fix SEGV and stat calculation

libhtml-microformats-perl (0.105-2+deb8u1) jessie; urgency=medium

  * Add buildtime and runtime dependency on libmodule-pluggable-perl.
    (Closes: #783656)

libhttp-proxy-perl (0.301-1+deb8u1) jessie; urgency=medium

  * Add patch to fix broken custom 'via' handling.
    (Patch taken from upstream release 0.304.)
    (Closes: #788350)

libmwaw (0.3.1-2+deb8u1) jessie-security; urgency=medium

  * backport upstream patch to fix CVE-2017-9433 (closes: #864366)

libonig (5.9.5-3.2+deb8u1) jessie; urgency=medium

  * New debian/patches/0500-CVE-2017-922[4-9].patch:
    - Cherrypicked from upstream to correct:
      + CVE-2017-9224 (Closes: #863312)
      + CVE-2017-9226 (Closes: #863314)
      + CVE-2017-9227 (Closes: #863315)
      + CVE-2017-9228 (Closes: #863316)
      + CVE-2017-9229 (Closes: #863318)

libosinfo (0.2.11-1.1+deb8u1) jessie; urgency=medium

  * [4b4388e] Add Debian Jessie and Stretch
  * [335f18d] Adjust gbp.conf for Debian Jessie

libosip2 (4.1.0-2+deb8u1) jessie-security; urgency=medium

  * CVE-2016-10324 CVE-2016-10325 CVE-2016-10326 CVE-2017-7853

libsys-syscall-perl (0.25-2+deb8u1) jessie; urgency=medium

  * Add patches (from -3, -4, and -6) to support more architectures.
    aarch64.patch, hppa.patch, mips.patch, ppc64le.patch, s390x.patch.
    (Closes: #824843, #824936, #826136)

libtasn1-6 (4.2-3+deb8u3) jessie-security; urgency=high

  * Non-maintainer upload by the Wheezy LTS Team.
  * CVE-2017-6891 (Closes: #863186)
    two errors in the "asn1_find_node()" function (lib/parser_aux.c) can
    be exploited to cause a stack-based buffer overflow.

libterralib (4.3.0+dfsg.1-2+deb8u1) jessie; urgency=medium

  * Non-maintainer upload.
  * Remove superfluous Conflicts/Replaces: libterralib3 since that causes
    problems upgrading to stretch which has that package.
    (Closes: #863885)

libtirpc (0.2.5-1+deb8u1) jessie-security; urgency=medium

  * CVE-2017-8779

libx11-protocol-other-perl (28-1+deb8u1) jessie; urgency=medium

  * Disable t/XSetRoot.t during build and autopkgtest.
    This test is known to have problems with xvfb.
    Thanks to Santiago Vila for the bug report. (Closes: #848060)

libxstream-java (1.4.7-2+deb8u2) jessie-security; urgency=high
  * Fixed CVE-2017-7957: Attempts to create an instance of the primitive
    type 'void' during unmarshalling lead to a remote application crash.
    (Closes: #861521)

libytnef (1.5-6+deb8u1) jessie-security; urgency=high

  * Security upload.
  * Fixes for the following vulnerabilities:
    [CVE-2017-6298] Null pointer dereference
    [CVE-2017-6299] Infinite loop / DoS in TNEFFillMapi function
    [CVE-2017-6300] Buffer overflow
    [CVE-2017-6301] Out of bounds read
    [CVE-2017-6302] Integer overflow
    [CVE-2017-6303] Invalid write and integer overflow
    [CVE-2017-6304] Out of bounds read
    [CVE-2017-6305] Out of bounds read and write
    [CVE-2017-6306] Directory traversal in SanitizeFilename function
    [CVE-2017-6800] Invalid memory access (heap overrun) in handling LONG
                    data types
    [CVE-2017-6801] Missing check for fields of size 0
    [CVE-2017-6802] Potential buffer overrun in compressed RTF streams

linux (3.16.43-2+deb8u2) jessie-security; urgency=high

  * Revert previous fixes for CVE-2017-1000364 (Closes: #865303)
  * mm: larger stack guard gap, between vmas (CVE-2017-1000364)
  * mm: fix new crash in unmapped_area_topdown()

linux (3.16.43-2+deb8u1) jessie-security; urgency=high

  [ Ben Hutchings ]
  * tracing: Use strlcpy() instead of strcpy() in __trace_find_cmdline()
    (CVE-2017-0605)
  * ipx: call ipxitf_put() in ioctl error path (CVE-2017-7487)
  * nfsd: check for oversized NFSv2/v3 arguments (CVE-2017-7645)
  * nfsd4: minor NFSv2/v3 write decoding cleanup
  * nfsd: stricter decoding of write-like NFSv2/v3 ops (CVE-2017-7895)
  * media: dvb-usb-v2: avoid use-after-free (CVE-2017-8064)
  * dccp/tcp: do not inherit mc_list from parent (CVE-2017-8890)
  * USB: serial: io_ti: fix information leak in completion handler
    (CVE-2017-8924)
  * USB: serial: omninet: fix reference leaks at open (CVE-2017-8925)
  * ipv6: Prevent overrun when parsing v6 header options (CVE-2017-9074)
  * ipv6: Check ip6_find_1stfragopt() return value properly.
  * ipv6: xfrm: Handle errors reported by xfrm6_find_1stfragopt()
  * ipv6: Fix leak in ipv6_gso_segment().
  * sctp: do not inherit ipv6_{mc|ac|fl}_list from parent (CVE-2017-9075)
  * ipv6/dccp: do not inherit ipv6_mc_list from parent
    (CVE-2017-9076, CVE-2017-9077)
  * ipv6: fix out of bound writes in __ip6_append_data() (CVE-2017-9242)

  [ Salvatore Bonaccorso ]
  * mm: enlarge stack guard gap (CVE-2017-1000364)
  * mm: allow to configure stack gap size
  * mm, proc: cap the stack gap for unpopulated growing vmas
  * mm: do not collapse stack gap into THP
  * fold me "mm: allow to configure stack gap size"

lxterminal (0.2.0-1+deb8u1) jessie; urgency=high

  * Fix improper use of /tmp for a socket file (CVE-2016-10369)
    (Closes: #862098)

mosquitto (1.3.4-2+deb8u1) jessie-security; urgency=high

  * SECURITY UPDATE: Pattern ACL can be bypassed by using a
    username/client id set to '+' or '#'.
    - debian/patches/mosquitto-1.3.4_cve-2017-7650.patch: Reject
      send/receive of messages to/from clients with a '+', '#' or '/' in
      their username/client id.
    - CVE-2017-7650

mysql-connector-java (5.1.42-1~deb8u1) jessie-security; urgency=medium

  * Team upload.
  * Fix CVE-2017-3586 and CVE-2017-3589 by backporting the latest stable
    release.

mysql-connector-java (5.1.41-1) unstable; urgency=medium

  * Team upload.
  * New upstream release
    - Refreshed the patches

mysql-connector-java (5.1.41-1~deb8u1) jessie-security; urgency=high

  * Team upload.
  * Fix CVE-2017-3523 by backporting the latest stable release.
    Difficult to exploit vulnerability allowing low privileged attacker
    with network access via multiple protocols to compromise MySQL
    Connectors.

mysql-connector-java (5.1.40-1) unstable; urgency=medium

  * Team upload.
  * New upstream release
    - Refreshed the patches
  * Build with the DH sequencer instead of CDBS
  * Switch to debhelper level 10

mysql-connector-java (5.1.39-1) unstable; urgency=medium

  * Team upload.
  * New upstream release
    - Refreshed the patches
  * Standards-Version updated to 3.9.8 (no changes)
  * Use a secure Vcs-Git URL

netcfg (1.131+deb8u2) jessie; urgency=medium

  * IPv6 autoconfiguration: fix NTP server name handling, which would be
    stored as the DHCP-provided hostname, with many thanks to Malcolm
    Scott for the bug report and the patch (Closes: #862745).
  * Stop queueing rdnssd's installation with IPv6 setups. This component
    conflicts with network-manager and installing it from the network
    configuration step might prevent large parts of desktop environments
    from being installed. This isn't a perfect solution but this should
    be way better than the current status quo (Closes: #854801).

netcfg (1.131+deb8u1+kbsd8u1) jessie-kfreebsd; urgency=medium

  * Run the ISC DHCPv6 client (only used on kfreebsd) with the -1 flag so
    that it eventually times out. Similar issue to #767188 but having a
    different cause, this is much more easily fixed.

nss (2:3.26-1+debu8u2) jessie-security; urgency=medium

  * CVE-2017-5461 CVE-2017-5462 CVE-2017-7502

offlineimap (6.3.4-1+deb8u1) jessie; urgency=medium

  * Prevent the usage of maxage. The implementation of maxage is broken
    in this version of OfflineIMAP (v6.3.4) and may even result in data
    loss. Document the above behavior in the example conf file and also
    warn the user every time this feature is being used
    (Closes: #859478).
  * Set myself as the maintainer. Package has already been adopted in
    unstable.

openldap (2.4.40+dfsg-1+deb8u3) jessie-security; urgency=high

  * debian/patches/ITS-8655-paged-results-double-free.patch: Fix a double
    free in the MDB backend on a search including the Paged Results
    control with a page size of 0. (ITS#8655) (CVE-2017-9287)
    (Closes: #863563)

openvpn (2.3.4-5+deb8u2) jessie-security; urgency=high

  * SECURITY UPDATE: authenticated remote DoS vulnerability due to packet
    ID rollover. CVE-2017-7479. Kudos to Steve Beattie for doing all the
    backporting work for this patch.
    - debian/patches/CVE-2017-7479-prereq.patch: merge
      packet_id_alloc_outgoing() into packet_id_write()
    - debian/patches/CVE-2017-7479.patch: do not assert when packet ID
      rollover occurs
  * SECURITY UPDATE: (Closes: #865480)
    - CVE-2017-7508.patch. Fix remotely-triggerable ASSERT() on malformed
      IPv6 packet.
    - CVE-2017-7520.patch. Prevent two kinds of stack buffer OOB reads and
      a crash for invalid input data.
    - CVE-2017-7521.patch. Fix potential double-free in
      --x509-alt-username.
    - CVE-2017-7521bis.patch. Fix remote-triggerable memory leaks.

os-prober (1.65+deb8u1) jessie; urgency=medium

  * os-probes/mounted/x86/05efi: Fix check on ID_PART_ENTRY_SCHEME, to
    look for "dos" instead of "msdos" (Closes: #817023).
  * Add -a flag to grep -qs for Windows Vista detection. It appears the
    file isn't always considered as a text file, so this should be more
    robust. Thanks to Gianluigi Tiesi for the report and the suggestion
    (Closes: #791383).
  * Add support for Windows 10 (otherwise reported as Windows Recovery
    Environment). Thanks, Philipp Wolfer! (Closes: #801278).

otrs2 (3.3.9-3+deb8u1) jessie-security; urgency=high

  * Add patch 17-CVE-2017-9324: This fixes OSA-2017-03, also known as
    CVE-2017-9324: An attacker with agent permission is capable by opening
    a specific URL in a browser to gain administrative privileges / full
    access. Afterward, all system settings can be read and changed.
    Closes: #864319

partman-ext3 (84+deb8u1) jessie; urgency=low

  [ Christian Perrier ]
  * Force ext3|ext4 filesystem creation with "-F" so that D-I doesn't
    "hang" when re-using an existing partition in some situations.
    Closes: #767682

perl (5.20.2-3+deb8u8) jessie; urgency=medium

  * Apply upstream base.pm no-dot-in-inc fix (from 5.24.2-RC1)
    (Closes: #867170)

perl (5.20.2-3+deb8u7) jessie-security; urgency=high
  * [CVE-2017-6512] Fix file permissions race condition in File-Path;
    patch from John Lightsey (Closes: #863870)
  * Also fix test logic in ExtUtils-MakeMaker required for the above

polarssl (1.3.9-2.1+deb8u2) jessie; urgency=high

  * Fix CVE-2017-2784: Freeing of memory allocated on stack when
    validating a public key with a secp224k1 curve. (Closes: #857561)

postgresql-9.4 (9.4.12-0+deb8u1) jessie-security; urgency=medium

  * New upstream security release.
    + Restrict visibility of pg_user_mappings.umoptions, to protect
      passwords stored as user mapping options (CVE-2017-7486)
    + Prevent exposure of statistical information via leaky operators
      (CVE-2017-7484)
    + Restore libpq's recognition of the PGREQUIRESSL environment variable
      (CVE-2017-7485)

postgresql-9.4 (9.4.12-0+deb8u1~bpo7+1) wheezy-backports; urgency=medium

  * Rebuild for jessie-backports.

postgresql-9.4 (9.4.12-0+deb8u1) jessie-security; urgency=medium

  * New upstream security release.
    + Restrict visibility of pg_user_mappings.umoptions, to protect
      passwords stored as user mapping options (CVE-2017-7486)
    + Prevent exposure of statistical information via leaky operators
      (CVE-2017-7484)
    + Restore libpq's recognition of the PGREQUIRESSL environment variable
      (CVE-2017-7485)

postgresql-9.4 (9.4.11-0+deb8u2) jessie; urgency=medium

  * Paper over ULP regression test differences in the "point" test on
    32-bit powerpc on Debian Jessie. The very same code worked previously
    and in fact continues to work on Debian Sid, so it doesn't seem to be
    PostgreSQL's fault that these test results now suffer from rounding
    differences.

proftpd-dfsg (1.3.5-1.1+deb8u2) jessie-proposed-updates; urgency=high

  * Fix CVE-2017-7418: AllowChrootSymlinks off does not check entire
    DefaultRoot path for symlinks. Fix proftpd#4295. Closes: #859592
  * Fix CVE-2016-3125: TLSDHParamFile directive appears ignored because
    unexpected DH is chosen.

puppet (3.7.2-4+deb8u1) jessie-security; urgency=high

  * master: accept facts only in PSON format (CVE-2017-2295).
    Note that the fix for CVE-2017-2295 unfortunately breaks backward
    compatibility with agent versions prior to 3.2.2. (Closes: #863212)
    + Document compatibility issues in d/NEWS.
  * Add myself to Uploaders.

puppet (3.7.2-4+deb8u1~bpo70+1) wheezy-backports; urgency=medium

  * Rebuild for wheezy-backports.
  * d/gbp.conf: set debian branch for wheezy-backports
  * puppetmaster-passenger: use the correct site name with apache 2.2 and
    handle config rename for apache 2.4.

puppet (3.7.2-4+deb8u1) jessie-security; urgency=high

  * master: accept facts only in PSON format (CVE-2017-2295).
    Note that the fix for CVE-2017-2295 unfortunately breaks backward
    compatibility with agent versions prior to 3.2.2. (Closes: #863212)
    + Document compatibility issues in d/NEWS.
  * Add myself to Uploaders.

python-colorlog (2.4.0-1+deb8u1) jessie; urgency=medium

  * Fix python3 dependencies (Closes: #867422)

python-plumbum (1.4.2-1+deb8u1) jessie; urgency=medium

  * Fix python3 dependencies (Closes: #867449)

request-tracker4 (4.2.8-3+deb8u2) jessie-security; urgency=high

  * Fix FTBFS due to base.pm changes (Closes: #864302)
  * Fix multiple security issues:
    - [CVE-2017-5943] CSRF verification token information leak
    - [CVE-2016-6127] XSS in file uploads
    - [CVE-2017-5361] Timing side-channel vulnerability in password
      verification
    - [CVE-2017-5944] Remote code execution in dashboard interface
    - Add check for incorrect RestrictLoginReferrer configuration setting
  * Work around a DoS vulnerability in Email::Address (CVE-2015-7686)

rkhunter (1.4.2-0.4+deb8u1) jessie; urgency=high

  * Disable remote updates to fix CVE-2017-7480 and prevent bugs like it
    in the future (closes: #765895, #866677)

rpcbind (0.2.1-6+deb8u2) jessie-security; urgency=medium

  * CVE-2017-8779

rt-authen-externalauth (0.25-1+deb8u1) jessie-security; urgency=high
  * Non-maintainer upload for the security team
  * [CVE-2017-5361] Fix timing side-channel vulnerability in password
    verification

rtmpdump (2.4+20150115.gita107cef-1+deb8u1) jessie-security; urgency=medium

  * CVE-2015-8270 CVE-2015-8271 CVE-2015-8272

samba (2:4.2.14+dfsg-0+deb8u6) jessie-security; urgency=high

  * Non-maintainer upload by the Security Team.
  * CVE-2017-7494: rpc_server3: Refuse to open pipe names with / inside

shadow (1:4.2-3+deb8u4) jessie-security; urgency=high

  * Non-maintainer upload by the Security Team.
  * Reset pid_child only if waitpid was successful. This is a regression
    fix for CVE-2017-2616. If su receives a signal like SIGTERM, it is not
    propagated to the child. (Closes: #862806)

shutter (0.92-0.1+deb8u2) jessie; urgency=medium

  [ Dominique Dumont ]
  * add patch to fix CVE-2016-10081 (Closes: #849777)
  * add patch to secure system() calls

spice (0.12.5-1+deb8u5) jessie-security; urgency=high

  * Non-maintainer upload by the Security Team.
  * CVE-2017-7506: Possible buffer overflow via invalid monitor
    configurations

squirrelmail (2:1.4.23~svn20120406-2+deb8u1) jessie-security; urgency=high

  * Non-maintainer upload by the Security Team
    (CVE-2017-7692: post-auth RCE)

strongswan (5.2.1-6+deb8u4) jessie-security; urgency=medium

  * debian/rules:
    - revert disabling of vectors test
  * debian/patches:
    - 0001-openssl-Don-t-pre-initialize-OpenSSL-HMAC-with-an-em added,
      backported from upstream, fix HMAC initialization with recent
      OpenSSL.

strongswan (5.2.1-6+deb8u3) jessie-security; urgency=medium

  * debian/patches:
    - CVE-2017-9022_insufficient_input_validation_gmp_plugin added, fix
      insufficient input validation in gmp plugin which could lead to
      denial of service (CVE-2017-9022).
    - CVE-2017-9023_incorrect_handling_of_choice_types_in_asn1_parser
      added, fix incorrect handling of CHOICE types in ASN.1 parser and
      x509 plugin which could lead to an infinite loop and a denial of
      service (CVE-2017-9023).
  * debian/rules:
    - disable the vectors test which is failing right now for unknown
      reason (maybe due to an OpenSSL regression)

sudo (1.8.10p3-1+deb8u4) jessie-security; urgency=high

  * Non-maintainer upload by the Security Team.
  * CVE-2017-1000367: Fix parsing of /proc/[pid]/stat

tcpdf (6.0.093+dfsg-1+deb8u1) jessie; urgency=medium

  * Fix CVE-2017-6100 by disallowing tcpdf calls in HTML (Closes: #814030)

tiff (4.0.3-12.3+deb8u4) jessie-security; urgency=high

  * Backport fix for the following vulnerabilities:
    - CVE-2017-9403: fix memory leak in non DEFER_STRILE_LOAD mode,
    - CVE-2017-9404: memory leak vulnerability was found in the function
      OJPEGReadHeaderInfoSecTablesQTable(),
    - CVE-2016-10095 and CVE-2017-9147: add
      _TIFFCheckFieldIsValidForCodec() and use it in TIFFReadDirectory()
      (closes: #850316, #863185),
    - CVE-2017-9936: memory leak in error code path of JBIGDecode()
      (closes: #866113),
    - prevent out of memory in gtTileContig() on corrupted files,
    - CVE-2017-10688, assertion failure in
      TIFFWriteDirectoryTagCheckedXXXX() (closes: #866611).
  * Add required _TIFFCheckFieldIsValidForCodec@LIBTIFF_4.0 and
    _TIFFReadEncodedStripAndAllocBuffer@LIBTIFF_4.0 symbols to the
    libtiff5 package.

tiff (4.0.3-12.3+deb8u3) jessie-security; urgency=high
  * Backport fix for the following vulnerabilities:
    - CVE-2014-8127 and CVE-2016-3658: out-of-bounds read in the tiffset
      tool,
    - CVE-2016-9535: replace assertions by runtime checks to avoid
      assertions in debug mode, or buffer overflows in release mode,
    - CVE-2016-10266: divide-by-zero in TIFFReadEncodedStrip,
    - CVE-2016-10267: divide-by-zero in OJPEGDecodeRaw,
    - CVE-2016-10269: heap-based buffer overflow in _TIFFmemcpy,
    - CVE-2016-10270: heap-based buffer overflow in TIFFFillStrip,
    - CVE-2017-5225: heap buffer overflow via a crafted BitsPerSample
      value,
    - CVE-2017-7592: left-shift undefined behavior issue in putagreytile,
    - CVE-2017-7593: uninitialized-memory access from tif_rawdata,
    - CVE-2017-7594: leak in OJPEGReadHeaderInfoSecTablesAcTable,
    - CVE-2017-7595: divide-by-zero in JPEGSetupEncode,
    - CVE-2017-7596, CVE-2017-7597, CVE-2017-7598, CVE-2017-7599,
      CVE-2017-7600, CVE-2017-7601 and CVE-2017-7602: multiple UBSAN
      crashes.
  * Add required _TIFFcalloc@LIBTIFF_4.0 symbol to the libtiff5 package.

  [ Tobias Lippert ]
  * Fix a regression introduced by patch CVE-2014-8128-5 where enabling
    compression of tif files results in corrupt files
    (closes: #783555, #818360).

tnef (1.4.9-1+deb8u3) jessie-security; urgency=high

  * Non-maintainer upload by the Wheezy LTS Team.
  * CVE-2017-8911 (Closes: #862442)
    An integer underflow has been identified in the unicode_to_utf8()
    function in tnef 1.4.14. This might lead to invalid write operations,
    controlled by an attacker.

tomcat7 (7.0.56-3+deb8u11) jessie-security; urgency=high

  * Team upload.
  * Fix CVE-2017-5664. The error page mechanism of the Java Servlet
    Specification requires that, when an error occurs and an error page
    is configured for the error that occurred, the original request and
    response are forwarded to the error page. This means that the request
    is presented to the error page with the original HTTP method. If the
    error page is a static file, expected behaviour is to serve content
    of the file as if processing a GET request, regardless of the actual
    HTTP method. The Default Servlet in Apache Tomcat did not do this.
    Depending on the original request this could lead to unexpected and
    undesirable results for static error pages including, if the
    DefaultServlet is configured to permit writes, the replacement or
    removal of the custom error page. (Closes: #864447)

tomcat7 (7.0.56-3+deb8u10) jessie-security; urgency=high

  * Team upload.
  * Fix the following security vulnerabilities:
    - CVE-2017-5647: A bug in the handling of the pipelined requests when
      send file was used resulted in the pipelined request being lost
      when send file processing of the previous request completed. This
      could result in responses appearing to be sent for the wrong
      request. For example, a user agent that sent requests A, B and C
      could see the correct response for request A, the response for
      request C for request B and no response for request C.
    - CVE-2017-5648: It was noticed that some calls to application
      listeners did not use the appropriate facade object. When running
      an untrusted application under a SecurityManager, it was therefore
      possible for that untrusted application to retain a reference to
      the request or response object and thereby access and/or modify
      information associated with another web application.

tomcat8 (8.0.14-1+deb8u10) jessie-security; urgency=high

  * Team upload.
  * Fix CVE-2017-5664. The error page mechanism of the Java Servlet
    Specification requires that, when an error occurs and an error page
    is configured for the error that occurred, the original request and
    response are forwarded to the error page. This means that the request
    is presented to the error page with the original HTTP method. If the
    error page is a static file, expected behaviour is to serve content
    of the file as if processing a GET request, regardless of the actual
    HTTP method. The Default Servlet in Apache Tomcat did not do this.
    Depending on the original request this could lead to unexpected and
    undesirable results for static error pages including, if the
    DefaultServlet is configured to permit writes, the replacement or
    removal of the custom error page. (Closes: #864447)

tomcat8 (8.0.14-1+deb8u9) jessie-security; urgency=high

  * Team upload.
  * Fix the following security vulnerabilities:
    - CVE-2017-5647: A bug in the handling of the pipelined requests when
      send file was used resulted in the pipelined request being lost
      when send file processing of the previous request completed. This
      could result in responses appearing to be sent for the wrong
      request. For example, a user agent that sent requests A, B and C
      could see the correct response for request A, the response for
      request C for request B and no response for request C.
    - CVE-2017-5648: It was noticed that some calls to application
      listeners did not use the appropriate facade object. When running
      an untrusted application under a SecurityManager, it was therefore
      possible for that untrusted application to retain a reference to
      the request or response object and thereby access and/or modify
      information associated with another web application.

tor (0.2.5.14-1) jessie-security; urgency=medium

  * New upstream version, fixing a hidden service related Denial of
    Service bug:
    - Fix a remotely triggerable assertion failure caused by receiving a
      BEGIN_DIR cell on a hidden service rendezvous circuit. Fixes bug
      22494, tracked as TROVE-2017-005 and CVE-2017-0376; bugfix on
      0.2.2.1-alpha. (closes: #864424)
  * The previous release, 0.2.5.13, already incorporates the changes made
    in Debian's updates of the 0.2.5.12 version. Therefore, drop
    - debian/patches/tor-bug-20384-TROVE-2016-10-001
    - debian/patches/tor-bug-21018-TROVE-2016-12-002-CVE-2016-1254
    - debian/patches/update-authority-set

unrar-nonfree (1:5.2.7-0.1+deb8u1) jessie; urgency=medium
  * Add bound checks for VMSF_DELTA, VMSF_RGB and VMSF_AUDIO parameters.
    - Backported from 5.5.5
    - CVE-2012-6706
    - Closes: #865461

vlc (2.2.6-1~deb8u1) jessie-security; urgency=high

  * New upstream release.
    - subtitle: Fix heap buffer overflows (CVE-2017-8312).
    - subtitle: Fix invalid double increment (CVE-2017-8311).
    - flac: Fix potential out-of-band dereference.
    - mpeg: Fix potential out-of-band reads.
    - subtitle: Fix infinite loop.
    - ogg: Fix incorrect memory free.
    - subtitle: Fix potential out-of-band reads (CVE-2017-8310,
      CVE-2017-8313).

vlc (2.2.5.1-1) experimental; urgency=medium

  [ Mateusz Łukasik ]
  * New upstream release.

  [ Sebastian Ramacher ]
  * debian/patches: Refreshed.

vlc (2.2.5.1-1~deb9u2) unstable; urgency=medium

  * debian/control:
    - Bump Breaks + Replaces to 2.2.5.1-1~deb9u1 also in vlc-plugin-qt and
      vlc-plugin-skins2. Files moved from vlc to those two packages since
      jessie.
    - Remove Breaks + Replaces from libvlc-bin. While files moved from
      vlc-nox to libvlc-bin, they also changed their path.

vlc (2.2.5.1-1~deb9u1) unstable; urgency=medium

  * New upstream release.
  * debian/patches/fix-translation.patch: Refreshed.
  * debian/*.maintscript: Bump all versions to 2.2.5.1-1~z. This is
    necessary to properly handle symlink to directory conversions once
    2.2.5.1 is available in jessie.
  * debian/control: Bump Breaks + Replaces to 2.2.5.1-1~deb9u1 where
    necessary to ensure proper upgrades from jessie. (Closes: #862474)

vlc (2.2.5-4) experimental; urgency=medium

  * debian/rules: Revert "Also enable NEON on arm64". (LP: #1685444)

vlc (2.2.5-3) experimental; urgency=medium

  * Fix typos in changelog.
  * debian/rules: Also enable NEON on arm64.
  * debian/control: Build-Conflict with Qt in experimental to work around
    #858762.
  * debian/patches:
    - Use gbp-pq for patch management.
    - Apply upstream patch for WebVTT support. (Closes: #858963)

vlc (2.2.5-2) experimental; urgency=medium

  [ Mateusz Łukasik ]
  * debian/{control,rules,vlc-plugin-video-output.install}: Disable
    OpenGL ES 1 support, mesa has dropped it. (Closes: #855117)

  [ Sebastian Ramacher ]
  * debian/: Major package clean up.
    - Remove vlc-nox binary package.
    - Update tests to new package layout.
    - Remove obsolete Breaks+Replaces.
  * debian/rules: Be explicit about GLES 1
  * debian/{rules,libvlc-bin.*}: Fix warning from about non-empty
    directory (Closes: #854928)

vlc (2.2.5-1) unstable; urgency=medium

  * New upstream releases. (Closes: #850529)
  * debian/patches:
    - fix-translation.patch: Refreshed.
    - Removed patches taken from upstream included in 2.2.5.
  * debian/*.maintscript: Bump all versions to 2.2.5-1~z. This is
    necessary to properly handle symlink to directory conversions once
    2.2.5 is available in stretch.

w3m (0.5.3-19+deb8u2) jessie; urgency=medium

  * Fix multiple vulnerabilities (closes: #850432)
    - New patch 934_menu.patch to fix buffer overflow (tats/w3m#49)
    - New patch 935_shiftanchor.patch to fix buffer overflow (tats/w3m#62)
    - New patch 936_metarefresh.patch to fix buffer overflow (tats/w3m#63)
    - New patch 937_lineproc0.patch to fix buffer overflow (tats/w3m#67)
    - New patch 938_lineproc2body.patch to fix buffer overflow
      (tats/w3m#61)
    - New patch 939_textarea.patch to fix buffer overflow (tats/w3m#58)
    - New patch 940_tabattr.patch to fix buffer overflow (tats/w3m#60)
    - New patch 941_integeredwidth.patch to fix buffer overflow
      (tats/w3m#70)
    - New patch 942_tridvalue.patch to fix buffer overflow (tats/w3m#71)
    - New patch 943_pushlink.patch to fix buffer overflow
      (tats/w3m#64, #66)
    - New patch 944_lineproc0.patch to fix use after free (tats/w3m#65)
    - New patch 945_wtfstrwidth.patch to fix buffer overflow (tats/w3m#57)
    - New patch 946_strnewsize.patch to fix buffer overflow (tats/w3m#72)
    - New patch 947_realcolumn.patch to fix buffer overflow (tats/w3m#69)
    - New patch 948_getmclen.patch to fix buffer overflow (tats/w3m#59,
      #73, #74, #75, #76, #78, #79, #80, #83, #84)
    - New patch 949_wtftowcs.patch to fix buffer overflow (tats/w3m#77)
    - New patch 950_textarea.patch to fix infinite loop (tats/w3m#85)
    - New patch 951_lineproc0.patch to fix use after free (tats/w3m#81)
    - New patch 952_formupdatebuffer.patch to fix buffer overflow
      (tats/w3m#82)
    - New patch 953_formupdateline.patch to fix buffer overflow
      (tats/w3m#68#issuecomment-266214643)
    - New patch 954_wtfparse1.patch to fix buffer overflow (tats/w3m#68)

wordpress (4.1+dfsg-1+deb8u14) jessie-security; urgency=medium

  * Backport patches from 4.7.5 Closes: #862816
    - CVE-2017-9062 Improper handling of post meta data values in the
      XML-RPC API. Changeset 40699
    - CVE-2017-9065 Lack of capability checks for post meta data in the
      XML-RPC API. Changeset 40684
    - CVE-2017-9064 A Cross Site Request Forgery (CSRF) vulnerability was
      discovered in the filesystem credentials dialog. Changeset 40730
    - CVE-2017-9061 A cross-site scripting (XSS) vulnerability was
      discovered when attempting to upload very large files.
      Changeset 40743
    - CVE-2017-9063 A cross-site scripting (XSS) vulnerability was
      discovered related to the Customizer. Changeset 40711
  * CVE-2017-9066 not fixed as the relevant code has changed dramatically
    and there is no upstream patch for it. Insufficient redirect
    validation in the HTTP class.
  * CVE-2017-8295 Don't use client-provided data to form password reset
    from email address, from WordPress ticket #23239 Closes: #862053

xarchiver (1:0.5.4-1+deb8u2) jessie; urgency=medium

  [ Chris Lamb ]
  * Fix data-loss issue where adding files to a tar-based archive removed
    all existing content when the target filename included shell
    metacharacters. The test to see whether it already existed to
    determine whether to create a new archive or simply add a new file
    incorrectly used an escaped path. Thanks to Nikolaus Rath for the
    report and Chris Lamb for the patch. (Closes: #862593)

xen (4.4.1-9+deb8u9) jessie-security; urgency=medium
  Security updates:
  * XSA-200: Closes:#848081: CVE-2016-9932: x86 emulation operand size
  * XSA-202: CVE-2016-10024: x86 PV guests may be able to mask interrupts
  * XSA-204: CVE-2016-10013: x86: Mishandling of SYSCALL singlestep
  * XSA-212: Closes:#859560: CVE-2017-7228: x86: broken memory_exchange()
  * XSA-213: Closes:#861659: 64bit PV guest breakout
  * XSA-214: Closes:#861660: grant transfer PV privilege escalation
  * XSA-215: Closes:#861662: memory corruption via failsafe callback

xfce4-weather-plugin (0.8.3-3) jessie; urgency=medium

  * debian/patches:
    - 0001-Make-plugin-ready-for-met.no-locationforecast-1.2-AP,
      0002-Switch-to-met.no-locationforecastLTS-1.2-API-bug-109,
      0003-Update-NEWS-and-README,
      0004-Update-URL-for-sunrise-API-to-point-to-version-1.1-b,
      0005-Update-http-api.yr.no-URLs-to-https-api.met.no,
      0006-Bump-LocationforecastLTS-version-to-1.3,
      0007-Change-more-URLs-from-http-yr.no-to-https-met.no
      added, backported from upstream to support met.no new APIs
    - git_use-locationforecast-1.2 and
      debian/patches/git_use-locationforecast-1.2 dropped, included in
      backports above.

xorg-server (2:1.16.4-1+deb8u1) jessie-security; urgency=medium

  * CVE-2017-10971 CVE-2017-10972

zookeeper (3.4.5+dfsg-2+deb8u2) jessie-security; urgency=medium

  * CVE-2017-5637

zziplib (0.13.62-3+deb8u1) jessie-security; urgency=medium

  * CVE-2017-5981 CVE-2017-5980 CVE-2017-5979 CVE-2017-5978 CVE-2017-5976
    CVE-2017-5975 CVE-2017-5974

======================================
Sat, 06 May 2017 - Debian 8.8 released
======================================

=========================================================================
[Date: Sat, 06 May 2017 09:49:58 +0000] [ftpmaster: Archive Administrator]
Removed the following packages from stable:

cgiemail | 1.6-37 | source, amd64, arm64, armel, armhf, i386, mips, mipsel, powerpc, ppc64el, s390x
Closed bugs: 852432

------------------- Reason -------------------
RC buggy, unmaintained
----------------------------------------------

=========================================================================

=========================================================================
[Date: Sat, 06 May 2017 09:50:53 +0000] [ftpmaster: Archive Administrator]
Removed the following packages from stable:

ccache-dbgsym | 3.1.12-1 | amd64
Closed bugs: 852435

------------------- Reason -------------------
cruft
----------------------------------------------

=========================================================================

=========================================================================
[Date: Sat, 06 May 2017 09:51:39 +0000] [ftpmaster: Archive Administrator]
Removed the following packages from stable:

owncloud-apps | 0~~20141022-1 | source, all
Closed bugs: 858103

------------------- Reason -------------------
unsupportable
----------------------------------------------

=========================================================================

=========================================================================
[Date: Sat, 06 May 2017 09:52:26 +0000] [ftpmaster: Archive Administrator]
Removed the following packages from stable:

owncloud | 7.0.4+dfsg-4~deb8u4 | source, all
Closed bugs: 858086

------------------- Reason -------------------
unsupportable
----------------------------------------------
=========================================================================
=========================================================================
[Date: Sat, 06 May 2017 09:53:15 +0000] [ftpmaster: Archive Administrator]
Removed the following packages from stable:

  live-f1 | 0.2.10-1.1 | source, amd64, arm64, armel, armhf, i386, mips, mipsel, powerpc, ppc64el, s390x
Closed bugs: 860856

------------------- Reason -------------------
broken due to third party changes
----------------------------------------------
=========================================================================
=========================================================================
[Date: Sat, 06 May 2017 09:54:18 +0000] [ftpmaster: Archive Administrator]
Removed the following packages from stable:

  libwww-dict-leo-org-perl | 1.39-1 | source, all
Closed bugs: 860914

------------------- Reason -------------------
broken due to upstream changes
----------------------------------------------
=========================================================================
=========================================================================
[Date: Sat, 06 May 2017 09:55:03 +0000] [ftpmaster: Archive Administrator]
Removed the following packages from stable:

  libapache2-authenntlm-perl | 0.02-7 | source, ppc64el
  libapache2-authenntlm-perl | 0.02-7+b1 | amd64, arm64, armel, armhf, i386, mips, mipsel, powerpc
  libapache2-authenntlm-perl | 0.02-7+b3 | s390x
Closed bugs: 860973

------------------- Reason -------------------
broken with Apache 2.4
----------------------------------------------
=========================================================================
=========================================================================
[Date: Sat, 06 May 2017 09:55:53 +0000] [ftpmaster: Archive Administrator]
Removed the following packages from stable:

  grive | 0.2.0-1.1 | source
  grive | 0.2.0-1.1+b1 | arm64, ppc64el
  grive | 0.2.0-1.1+b2 | amd64, armel, armhf, i386, mips, mipsel, powerpc, s390x
Closed bugs: 861399

------------------- Reason -------------------
broken due to Google API changes
----------------------------------------------
=========================================================================
=========================================================================
[Date: Sat, 06 May 2017 10:06:44 +0000] [ftpmaster: Archive Administrator]
Removed the following packages from stable:

  icedove-dev | 1:45.5.1-1~deb8u1 | armhf

------------------- Reason -------------------
[auto-cruft] obsolete arch any package
----------------------------------------------
=========================================================================
=========================================================================
[Date: Sat, 06 May 2017 10:06:56 +0000] [ftpmaster: Archive Administrator]
Removed the following packages from stable:

  icedove-dbg | 1:45.6.0-1~deb8u1 | amd64, arm64, armel, i386, mips, mipsel, powerpc, ppc64el, s390x

------------------- Reason -------------------
[auto-cruft] obsolete arch any package
----------------------------------------------
=========================================================================
=========================================================================
[Date: Sat, 06 May 2017 10:07:07 +0000] [ftpmaster: Archive Administrator]
Removed the following packages from stable:

  icedove-dev | 1:45.6.0-1~deb8u1 | amd64, arm64, armel, i386, mips, mipsel, powerpc, ppc64el, s390x

------------------- Reason -------------------
[auto-cruft] obsolete arch any package
----------------------------------------------
=========================================================================
=========================================================================
[Date: Sat, 06 May 2017 10:07:17 +0000] [ftpmaster: Archive Administrator]
Removed the following packages from stable:

  icedove-dbg | 1:45.5.1-1~deb8u1 | armhf

------------------- Reason -------------------
[auto-cruft] obsolete arch any package
----------------------------------------------
=========================================================================
=========================================================================
[Date: Sat, 06 May 2017 10:07:30 +0000] [ftpmaster: Archive Administrator]
Removed the following packages from stable:

  iceowl-extension | 1:45.5.1-1~deb8u1 | armhf

------------------- Reason -------------------
[auto-cruft] obsolete arch any package
----------------------------------------------
=========================================================================
=========================================================================
[Date: Sat, 06 May 2017 10:07:38 +0000] [ftpmaster: Archive Administrator]
Removed the following packages from stable:

  icedove | 1:45.5.1-1~deb8u1 | armhf

------------------- Reason -------------------
[auto-cruft] obsolete arch any package
----------------------------------------------
=========================================================================
=========================================================================
[Date: Sat, 06 May 2017 10:07:58 +0000] [ftpmaster: Archive Administrator]
Removed the following packages from stable:

  icedove | 1:45.6.0-1~deb8u1 | amd64, arm64, armel, i386, mips, mipsel, powerpc, ppc64el, s390x

------------------- Reason -------------------
[auto-cruft] obsolete arch any package
----------------------------------------------
=========================================================================
=========================================================================
[Date: Sat, 06 May 2017 10:08:03 +0000] [ftpmaster: Archive Administrator]
Removed the following packages from stable:

  iceowl-extension | 1:45.6.0-1~deb8u1 | amd64, arm64, armel, i386, mips, mipsel, powerpc, ppc64el, s390x

------------------- Reason -------------------
[auto-cruft] obsolete arch any package
----------------------------------------------
=========================================================================

activemq (4.6.0+dfsg1-4+deb8u3) jessie; urgency=medium
 .
  * Team upload.
  * Fix CVE-2015-7559: DoS in activemq-core via shutdown command.
    (Closes: #860866)

apache2 (2.4.10-10+deb8u8) jessie-security; urgency=medium
 .
  * CVE-2016-8743: Enforce more HTTP conformance for request lines and
    request headers, to prevent response splitting and cache pollution by
    malicious clients or downstream proxies. If this causes problems with
    non-conforming clients, some checks can be relaxed by adding the new
    directive 'HttpProtocolOptions unsafe' to the configuration.
    Unlike the upstream 2.4.25 release, which will also be in the Debian 9
    (stretch) release, this update for Debian 8 (jessie) accepts underscores
    in host and domain names even while 'HttpProtocolOptions strict' is in
    effect. More information is available at
    http://httpd.apache.org/docs/2.4/mod/core.html#httpprotocoloptions
  * CVE-2016-0736: mod_session_crypto: Prevent padding oracle attack.
  * CVE-2016-2161: mod_auth_digest: Prevent segfaults when the shared memory
    space is exhausted.
  * Activate mod_reqtimeout in new installs and during updates from before
    2.4.10-10+deb8u8. It was wrongly not activated in new installs since
    jessie. This made the default installation vulnerable to some DoS
    attacks.
  * Don't run 2.2 to 2.4 upgrade logic again when upgrading from
    2.4.10-10+deb8u*. Closes: #836818

apf-firewall (9.7+rev1-3+deb8u1) jessie; urgency=medium
 .
  * QA upload.
  * Set maintainer field to Debian QA Group.
  * Add patch from Christoph Biedl to make it work with kernel 3.x and
    newer. (Closes: #701674)

apt-xapian-index (0.47+deb8u1) jessie; urgency=medium
 .
  * Non-maintainer upload.
  * Remove call to update-python-modules (Closes: #793681)

audiofile (0.3.6-2+deb8u2) jessie-security; urgency=high
 .
  * Non-maintainer upload by the Security Team.
  * Address several vulnerabilities (Closes: #857651)
    - Always check the number of coefficients (CVE-2017-6827 CVE-2017-6828
      CVE-2017-6832 CVE-2017-6833 CVE-2017-6835 CVE-2017-6837)
    - clamp index values to fix index overflow in IMA.cpp (CVE-2017-6829)
    - Check for multiplication overflow in sfconvert (CVE-2017-6830
      CVE-2017-6834 CVE-2017-6836 CVE-2017-6838)
    - Actually fail when error occurs in parseFormat (CVE-2017-6831)
    - Check for multiplication overflow in MSADPCM decodeSample
      (CVE-2017-6839)
  * Fix signature of multiplyCheckOverflow. It returns a bool, not an int
  * Check for division by zero in BlockCodec::runPull

base-files (8+deb8u8) stable; urgency=low
 .
  * Changed /etc/debian_version to 8.8, for Debian 8.8 point release.

bind9 (1:9.9.5.dfsg-9+deb8u10) jessie-security; urgency=medium
 .
  * Fix regression caused by the fix for CVE-2016-8864 (closes: #855540).
  * Fix CVE-2017-3135: a maliciously crafted query can cause named to crash
    if both DNS64 and RPZ are being used (closes: #855520).

bind9 (1:9.9.5.dfsg-9+deb8u9) jessie-security; urgency=medium
 .
  * Apply patches from ISC.
  * CVE-2016-9131: Assertion failure related to caching of TKEY records in
    upstream DNS responses.
  * CVE-2016-9147: Processing of RRSIG records in upstream DNS response
    without corresponding signed data could lead to an assertion failure.
  * CVE-2016-9444: Missing RRSIG records in the authority section of
    upstream responses could lead to an assertion failure.
  * RT #43779: Fix handling of CNAME/DNAME responses. (Regression due to
    the CVE-2016-8864 fix.)

bind9 (1:9.9.5.dfsg-9+deb8u8+kbsd8u1~reallyis+deb8u7) jessie-kfreebsd; urgency=medium
 .
  * Upload to jessie-kfreebsd
  * This and the previous upload to jessie-kfreebsd are based off +deb8u7,
    not +deb8u8

binutils (2.25-5+deb8u1) stable; urgency=medium
 .
  * Apply patch from upstream to fix gold on arm64. The ABI specifies using
    a pagesize of 64k for ELF binaries. Closes: #850814

bouncycastle (1.49+dfsg-3+deb8u2) jessie-security; urgency=high
 .
  * Team upload.
  * Fix CVE-2015-6644: An information disclosure vulnerability was
    discovered in Bouncy Castle, a Java library which consists of various
    cryptographic algorithms. The Galois/Counter mode (GCM) implementation
    was missing a boundary check that could enable a local application to
    gain access to user's private information.

ca-certificates (20141019+deb8u3) jessie; urgency=medium
 .
  [ Michael Shuler ]
  * sbin/update-ca-certificates: Update local certificates directory when
    calling --fresh. Closes: #783615
 .
  [ Andreas Beckmann ]
  * Backport another commit to make running update-certificates without
    hooks actually work (instead of showing a usage message).
    Closes: #825730

chromium-browser (57.0.2987.98-1~deb8u1) jessie-security; urgency=medium
 .
  * New upstream stable release.
    - CVE-2017-5030: Memory corruption in V8. Credit to Brendon Tiszka
    - CVE-2017-5031: Use after free in ANGLE. Credit to Looben Yang
    - CVE-2017-5032: Out of bounds write in PDFium. Credit to Ashfaq Ansari
    - CVE-2017-5029: Integer overflow in libxslt. Credit to Holger Fuhrmannek
    - CVE-2017-5034: Use after free in PDFium. Credit to Ke Liu
    - CVE-2017-5035: Incorrect security UI in Omnibox. Credit to Enzo Aguado
    - CVE-2017-5036: Use after free in PDFium. Credit to Anonymous
    - CVE-2017-5037: Multiple out of bounds writes in ChunkDemuxer.
      Credit to Yongke Wang
    - CVE-2017-5039: Use after free in PDFium. Credit to jinmo123
    - CVE-2017-5040: Information disclosure in V8. Credit to Choongwoo Han
    - CVE-2017-5041: Address spoofing in Omnibox. Credit to Jordi Chancel
    - CVE-2017-5033: Bypass of Content Security Policy in Blink.
      Credit to Nicolai Grødum
    - CVE-2017-5042: Incorrect handling of cookies in Cast. Credit to Mike Ruddy
    - CVE-2017-5038: Use after free in GuestView. Credit to Anonymous
    - CVE-2017-5043: Use after free in GuestView. Credit to Anonymous
    - CVE-2017-5044: Heap overflow in Skia. Credit to Kushal Arvind Shah
    - CVE-2017-5045: Information disclosure in XSS Auditor.
      Credit to Dhaval Kapil
    - CVE-2017-5046: Information disclosure in Blink. Credit to Masato Kinugawa
  * Configure with fieldtrial_testing_like_official_build=true to avoid
    building with experimental features enabled (closes: #855434).

chromium-browser (56.0.2924.76-5) unstable; urgency=medium
 .
  * Configure with fieldtrial_testing_like_official_build=true to avoid
    building with experimental features enabled (closes: #855434).
  * Do not disable background networking when remote extensions are
    enabled, since that option also blocks updates to extensions
    (closes: #841401).
    - Thanks to Tarmo Huuhka.

chromium-browser (56.0.2924.76-4) unstable; urgency=medium
 .
  * Do not create a dbgsym package for widevine (closes: #855529).

chromium-browser (56.0.2924.76-3) unstable; urgency=medium
 .
  * Upload to unstable.

chromium-browser (56.0.2924.76-2) experimental; urgency=medium
 .
  * Backport upstream bugfix for non-NEON builds, closes: #853108
  * Fix seccomp sandboxing on arm64 platforms with DRI3

chromium-browser (56.0.2924.76-1) experimental; urgency=medium
 .
  * New upstream stable release:
    - CVE-2017-5007: Universal XSS in Blink. Credit to Mariusz Mlynski
    - CVE-2017-5006: Universal XSS in Blink. Credit to Mariusz Mlynski
    - CVE-2017-5008: Universal XSS in Blink. Credit to Mariusz Mlynski
    - CVE-2017-5010: Universal XSS in Blink. Credit to Mariusz Mlynski
    - CVE-2017-5011: Unauthorised file access in Devtools. Credit to Khalil Zhani
    - CVE-2017-5009: Out of bounds memory access in WebRTC.
      Credit to Sean Stanek and Chip Bradford
    - CVE-2017-5012: Heap overflow in V8. Credit to Gergely Nagy
    - CVE-2017-5013: Address spoofing in Omnibox. Credit to Haosheng Wang
    - CVE-2017-5014: Heap overflow in Skia. Credit to sweetchip
    - CVE-2017-5015: Address spoofing in Omnibox. Credit to Armin Razmdjou
    - CVE-2017-5019: Use after free in Renderer. Credit to Wadih Matar
    - CVE-2017-5016: UI spoofing in Blink. Credit to Haosheng Wang
    - CVE-2017-5017: Uninitialised memory access in webm video.
      Credit to danberm
    - CVE-2017-5018: Universal XSS in chrome://apps. Credit to Rob Wu
    - CVE-2017-5020: Universal XSS in chrome://downloads. Credit to Rob Wu
    - CVE-2017-5021: Use after free in Extensions. Credit to Rob Wu
    - CVE-2017-5022: Bypass of Content Security Policy in Blink.
      Credit to PKAV Team.
    - CVE-2017-5023: Type confusion in metrics. Credit to the UK's National
      Cyber Security Centre (NCSC)
    - CVE-2017-5026: UI spoofing. Credit to Ronni Skansing

chromium-browser (56.0.2924.76-1~deb8u1) jessie-security; urgency=medium
 .
  * New upstream stable release:
    - CVE-2017-5007: Universal XSS in Blink. Credit to Mariusz Mlynski
    - CVE-2017-5006: Universal XSS in Blink. Credit to Mariusz Mlynski
    - CVE-2017-5008: Universal XSS in Blink. Credit to Mariusz Mlynski
    - CVE-2017-5010: Universal XSS in Blink. Credit to Mariusz Mlynski
    - CVE-2017-5011: Unauthorised file access in Devtools. Credit to Khalil Zhani
    - CVE-2017-5009: Out of bounds memory access in WebRTC.
      Credit to Sean Stanek and Chip Bradford
    - CVE-2017-5012: Heap overflow in V8. Credit to Gergely Nagy
    - CVE-2017-5013: Address spoofing in Omnibox. Credit to Haosheng Wang
    - CVE-2017-5014: Heap overflow in Skia. Credit to sweetchip
    - CVE-2017-5015: Address spoofing in Omnibox. Credit to Armin Razmdjou
    - CVE-2017-5019: Use after free in Renderer. Credit to Wadih Matar
    - CVE-2017-5016: UI spoofing in Blink. Credit to Haosheng Wang
    - CVE-2017-5017: Uninitialised memory access in webm video.
      Credit to danberm
    - CVE-2017-5018: Universal XSS in chrome://apps. Credit to Rob Wu
    - CVE-2017-5020: Universal XSS in chrome://downloads. Credit to Rob Wu
    - CVE-2017-5021: Use after free in Extensions. Credit to Rob Wu
    - CVE-2017-5022: Bypass of Content Security Policy in Blink.
      Credit to PKAV Team.
    - CVE-2017-5023: Type confusion in metrics. Credit to the UK's National
      Cyber Security Centre (NCSC)
    - CVE-2017-5026: UI spoofing. Credit to Ronni Skansing
  * Fix regression in pulseaudio (closes: #848029).
chromium-browser (55.0.2883.75-6) unstable; urgency=medium
 .
  * Organize patches.
  * Move widevine package to contrib (closes: #851917).
  * Conflict with very old versions of libsecret (closes: #838864).
  * Support --enable-remote-extensions option passed through CHROMIUM_FLAGS
    (closes: #851927).

chromium-browser (55.0.2883.75-5) unstable; urgency=medium
 .
  * Fix new lintian warnings.
  * Fix quoting error in run script (closes: #851634).

chromium-browser (55.0.2883.75-4) unstable; urgency=medium
 .
  * Add chromium-shell package.
  * Rename chromedriver package to chromium-driver.
  * Add chromium-widevine package (closes: #838515).
    - Thanks to Felix Geyer.
  * Add initial upstream metadata (closes: #848228).
  * Set more options at runtime instead of build time.
  * Install chromedriver to /usr/bin (closes: #845312).
  * Update webkit copyright information (closes: #849264).
    - Thanks to Sandro Knauß.
  * Better handling of browser extensions (closes: #841401).
    - Only support locally installed extensions by default.
    - Add new command line flag --enable-remote-extensions, which bypasses
      the new default, allowing remote extensions and automatic updating.

chromium-browser (55.0.2883.75-3) unstable; urgency=medium
 .
  * Merge experimental branch.
  * Respect parallel setting in DEB_BUILD_OPTIONS while bootstrapping gn.
  * Conflict libnettle4 rather than depend on libnettle6 (closes: #841213).
  * Disable builtin media router since it only works with official Google
    Chrome builds, not chromium (closes: #833477).

chromium-browser (55.0.2883.75-2+exp3) experimental; urgency=medium
 .
  * Correct typo from last build

chromium-browser (55.0.2883.75-2+exp2) experimental; urgency=medium
 .
  * Set arm_use_neon=false on armhf until we enable a neon-supporting buildd
    in Debian.

chromium-browser (55.0.2883.75-2+exp1) experimental; urgency=medium
 .
  * Add patches from upstream for gn builds on arm64
  * Enable arm64/armhf builds

chromium-browser (55.0.2883.75-2) unstable; urgency=medium
 .
  * Don't set FF_API_CONVERGENCE_DURATION since it is not a part of ffmpeg's
    public API, and when defined leads to crashes (closes: #846648).

chromium-browser (55.0.2883.75-1) unstable; urgency=medium
 .
  * New upstream stable release:
    - CVE-2016-9651: Private property access in V8. Credit to Guang Gong
    - CVE-2016-5208: Universal XSS in Blink. Credit to Mariusz Mlynski
    - CVE-2016-5207: Universal XSS in Blink. Credit to Mariusz Mlynski
    - CVE-2016-5206: Same-origin bypass in PDFium. Credit to Rob Wu
    - CVE-2016-5205: Universal XSS in Blink. Credit to Anonymous
    - CVE-2016-5204: Universal XSS in Blink. Credit to Mariusz Mlynski
    - CVE-2016-5209: Out of bounds write in Blink. Credit to Giwan Go
    - CVE-2016-5203: Use after free in PDFium. Credit to Anonymous
    - CVE-2016-5210: Out of bounds write in PDFium. Credit to Ke Liu
    - CVE-2016-5212: Local file disclosure in DevTools. Credit to Khalil Zhani
    - CVE-2016-5211: Use after free in PDFium. Credit to Anonymous
    - CVE-2016-5213: Use after free in V8. Credit to Khalil Zhani
    - CVE-2016-5214: File download protection bypass.
      Credit to Jonathan Birch and MSVR
    - CVE-2016-5216: Use after free in PDFium. Credit to Anonymous
    - CVE-2016-5215: Use after free in Webaudio. Credit to Looben Yang
    - CVE-2016-5217: Use of unvalidated data in PDFium. Credit to Rob Wu
    - CVE-2016-5218: Address spoofing in Omnibox.
      Credit to Abdulrahman Alqabandi
    - CVE-2016-5219: Use after free in V8. Credit to Rob Wu
    - CVE-2016-5221: Integer overflow in ANGLE. Credit to Tim Becker
    - CVE-2016-5220: Local file access in PDFium. Credit to Rob Wu
    - CVE-2016-5222: Address spoofing in Omnibox. Credit to xisigr
    - CVE-2016-9650: CSP Referrer disclosure. Credit to Jakub Żoczek
    - CVE-2016-5223: Integer overflow in PDFium. Credit to Hwiwon Lee
    - CVE-2016-5226: Limited XSS in Blink. Credit to Jun Kokatsu
    - CVE-2016-5225: CSP bypass in Blink. Credit to Scott Helme
    - CVE-2016-5224: Same-origin bypass in SVG.
      Credit to Roeland Krak
    - CVE-2016-9652: Various fixes from internal audits, fuzzing and other
      initiatives
  * Make it possible to pass build flags into gn (closes: #845785).

commons-daemon (1.0.15-6+deb8u1) jessie; urgency=medium
 .
  * Team upload.
  * jsvc fails on ppc64el showing "Cannot find any VM in Java Home".
    (Closes: #856560)

crafty (23.4-6+deb8u1) jessie; urgency=medium
 .
  * QA upload.
  * Do not generate CPU specific code. Should fix "Illegal instruction" on
    some Pentium 4 CPUs. Closes: #850979.

debian-edu-doc (1.6~20170429+deb8u4) jessie; urgency=medium
 .
  [ Jessie Manual translation updates ]
  * Norwegian Bokmål: Ingrid Yrvin, Ole-Erik Yrvin, Petter Reinholdtsen.
  * German: Wolfgang Schweer.
  * Dutch: Frans Spiesschaert.
 .
  [ Wheezy Manual translation updates ]
  * Norwegian Bokmål: Petter Reinholdtsen.
 .
  [ Holger Levsen ]
  * Merge Jessie and Wheezy manual translation from master branch (which is
    maintained and uploaded to Stretch now). Starting 2017-03-25, the
    jessie branch is also the only one where we still maintain the Wheezy
    manual.

debian-installer-netboot-images (20150422+deb8u4.b3) jessie; urgency=medium
 .
  * Update to 20150422+deb8u4+b3 images, from jessie-proposed-updates

dovecot (1:2.2.13-12~deb8u3) jessie-security; urgency=high
 .
  * Non-maintainer upload by the Security Team.
  * Revert "auth: Do not double-expand key in passdb dict when
    authenticating (CVE-2017-2669)"
    This reverts the applied patch which resulted in no longer interpreting
    placeholders in the keys even once with dict-based userdb or passdb.
    The actual vulnerability was introduced later with "auth-db-dict: Allow
    key name expansion" in 2.2.26.
    Thanks to Nick Thomas and Aki Tuomi

dovecot (1:2.2.13-12~deb8u2) jessie-security; urgency=high
 .
  * Non-maintainer upload by the Security Team.
  * auth: Do not double-expand key in passdb dict when authenticating
    (CVE-2017-2669)

dropbear (2014.65-1+deb8u1) stable; urgency=medium
 .
  * New maintainer.
  * Backport security fix from 2016.72: If X11 forwarding is enabled a user
    could bypass any "command=" restrictions in authorized_keys and run any
    command as their own user (CVE-2016-3116).
  * Backport security fixes from 2016.74:
    - Message printout was vulnerable to format string injection
      (CVE-2016-7406).
    - dropbearconvert import of OpenSSH keys could run arbitrary code as
      the local dropbearconvert user when parsing malicious key files
      (CVE-2016-7407).
    - dbclient could run arbitrary code as the local dbclient user if
      particular -m or -c arguments are provided (CVE-2016-7408).

eject (2.1.5+deb1+cvs20081104-13.1+deb8u1) jessie-security; urgency=high
 .
  * Non-maintainer upload by the Security Team.
  * CVE-2017-6964: Check the return values when dropping privileges
    (Closes: #858872)

erlang (1:17.3-dfsg-4+deb8u1) stable-proposed-updates; urgency=medium
 .
  * Applied a patch from the PCRE upstream which fixes CVE-2016-10253
    vulnerability (heap overflow while compiling certain regular
    expressions). The patch is taken from
    https://github.com/erlang/otp/pull/1108 and modified to match the
    original patch by PCRE developers (closes: #858313).

firebird2.5 (2.5.3.26778.ds4-5+deb8u1) jessie-security; urgency=high
 .
  * Add two commits from upstream fixing authenticated remote code
    execution (CVE-2017-6369 / CORE-5474) (Closes: #858641)

firefox-esr (45.9.0esr-1~deb8u1) stable-security; urgency=medium
 .
  * New upstream release.
  * Fixes for mfsa2017-11, also known as:
    CVE-2017-5433, CVE-2017-5435, CVE-2017-5436, CVE-2017-5461,
    CVE-2017-5459, CVE-2017-5434, CVE-2017-5432, CVE-2017-5460,
    CVE-2017-5438, CVE-2017-5439, CVE-2017-5440, CVE-2017-5441,
    CVE-2017-5442, CVE-2017-5464, CVE-2017-5443, CVE-2017-5444,
    CVE-2017-5446, CVE-2017-5447, CVE-2017-5465, CVE-2017-5448,
    CVE-2017-5469, CVE-2017-5445, CVE-2017-5462, CVE-2017-5429.
 .
  * accessible/generic/ApplicationAccessible.h: Add missing null checks
    causing crashes with accessibility. Closes: #852149.
firefox-esr (45.8.0esr-1) unstable; urgency=medium
 .
  * New upstream release.
  * Fixes for mfsa2017-06, also known as:
    CVE-2017-5400, CVE-2017-5401, CVE-2017-5402, CVE-2017-5404,
    CVE-2017-5407, CVE-2017-5410, CVE-2017-5408, CVE-2017-5405,
    CVE-2017-5398.

firefox-esr (45.8.0esr-1~deb8u1) stable-security; urgency=medium
 .
  * New upstream release.
  * Fixes for mfsa2017-06, also known as:
    CVE-2017-5400, CVE-2017-5401, CVE-2017-5402, CVE-2017-5404,
    CVE-2017-5407, CVE-2017-5410, CVE-2017-5408, CVE-2017-5405,
    CVE-2017-5398.
 .
  * debian/browser.desktop.in, debian/rules: Use the application name as
    StartupWMClass in the desktop file. Along the change to nsAppRunner.cpp,
    this prevents e.g. GNOME Shell from making Firefox appear as Firefox
    ESR when both are used.
  * debian/browser.desktop.in: Remove Encoding key from desktop file.
    Closes: #812493
  * debian/rules, debian/control*: Build with GCC6 on arm*/unstable.
    Closes: #852009.
  * debian/rules:
    - Add -fno-lifetime-dse when building with GCC6.
    - Build with -fno-schedule-insns on armel and armhf when building with
      GCC6. Closes: #854640.
 .
  * memory/mozjemalloc/jemalloc.c: Don't set 64KB page size on aarch64.
    bz#1091515. Closes: #819059, #825355.
  * toolkit/xre/nsAppRunner.cpp: Set program name from the remoting name.
  * js/src/jit/AtomicOperations.h,
    js/src/jit/arm64/AtomicOperations-arm64.h: Use
    jit/arm64/Architecture-arm64.h on non-JIT aarch64. bz#1257055.
    Closes: #854079.

firefox-esr (45.7.0esr-4) unstable; urgency=medium
 .
  * debian/rules: Build with -fno-schedule-insns on armel and armhf when
    building with GCC6. Hopefully closes: #854640.
  * debian/browser.desktop.in, debian/rules: Followup for the
    StartupWMClass changes in 45.7.0esr-2: Use the same name in desktop
    file and application.ini RemotingName. Closes: #854397.
 .
  * js/src/jit/AtomicOperations.h,
    js/src/jit/arm64/AtomicOperations-arm64.h: Use
    jit/arm64/Architecture-arm64.h on non-JIT aarch64. bz#1257055.
    Closes: #854079.

firefox-esr (45.7.0esr-3) unstable; urgency=medium
 .
  * debian/rules: Add -fno-schedule-insns2 back. Closes: #854258.

firefox-esr (45.7.0esr-2) unstable; urgency=medium
 .
  * debian/browser.desktop.in:
    - Use the application name as StartupWMClass in the desktop file.
      Along the change to nsAppRunner.cpp, this prevents e.g. GNOME Shell
      from making Firefox appear as Firefox ESR when both are used.
    - Remove Encoding key from desktop file. Closes: #812493
  * debian/rules: Remove -fno-schedule-insns2 and add -fno-lifetime-dse
    when building with GCC6.
  * debian/rules, debian/control*: Build with GCC6 on arm*. Closes: #852009.
    AFAIK, that will lead to FTBFS on at least armhf, but let's already see
    how it goes.
 .
  * memory/mozjemalloc/jemalloc.c: Don't set 64KB page size on aarch64.
    bz#1091515. Closes: #819059, #825355.
  * toolkit/xre/nsAppRunner.cpp: Set program name from the remoting name.

firefox-esr (45.7.0esr-1) unstable; urgency=medium
 .
  * New upstream release.
  * Fixes for mfsa2017-02, also known as:
    CVE-2017-5375, CVE-2017-5376, CVE-2017-5378, CVE-2017-5380,
    CVE-2017-5390, CVE-2017-5396, CVE-2017-5383, CVE-2017-5386,
    CVE-2017-5373.
 .
  * debian/upstream.mk: Don't rely on FIREFOX_*_RELEASE tags to pull some
    files to determine all source urls.
  * debian/browser.bug-presubj.in: Add a note about submitting crash
    reports upstream and pasting the url to Debian bug reports.

firefox-esr (45.7.0esr-1~deb8u1) stable-security; urgency=medium
 .
  * New upstream release.
  * Fixes for mfsa2017-02, also known as:
    CVE-2017-5375, CVE-2017-5376, CVE-2017-5378, CVE-2017-5380,
    CVE-2017-5390, CVE-2017-5396, CVE-2017-5383, CVE-2017-5386,
    CVE-2017-5373.
 .
  * debian/upstream.mk: Don't rely on FIREFOX_*_RELEASE tags to pull some
    files to determine all source urls.
  * debian/browser.bug-presubj.in: Add a note about submitting crash
    reports upstream and pasting the url to Debian bug reports.

firefox-esr (45.6.0esr-1) unstable; urgency=medium
 .
  * New upstream release.
  * Fixes for mfsa2016-95, also known as:
    CVE-2016-9899, CVE-2016-9895, CVE-2016-9897, CVE-2016-9898,
    CVE-2016-9900, CVE-2016-9904, CVE-2016-9905, CVE-2016-9901,
    CVE-2016-9902, CVE-2016-9893.
 .
  * debian/browser.install.in, browser.mozconfig.in, debian/rules: Don't
    disable the crash reporter.

freetype (2.5.2-3+deb8u2) jessie-security; urgency=high
 .
  * Non-maintainer upload by the Security Team.
 .
  [ Moritz Mühlenhoff ]
  * CVE-2016-10244 (Closes: #856971)
 .
  [ Salvatore Bonaccorso ]
  * [psaux] Better protect `flex' handling (CVE-2017-8105) (Closes: #861220)
  * t1_builder_close_contour: Add safety guard (CVE-2017-8287)
    (Closes: #861308)

ghostscript (9.06~dfsg-2+deb8u5) jessie-security; urgency=high
 .
  * Non-maintainer upload by the Security Team.
  * Avoid divide by 0 in scan conversion code (CVE-2016-10219)
    (Closes: #859666)
  * fix crash with bad data supplied to makeimagedevice (CVE-2016-10220)
    (Closes: #859694)
  * use the correct param list enumerator (CVE-2017-5951) (Closes: #859696)
  * Ensure a device has raster memory, before trying to read it
    (CVE-2017-7207) (Closes: #858350)
  * -dSAFER bypass and remote command execution via a "/OutputFile (%pipe%"
    substring (CVE-2017-8291) (Closes: #861295)

glibc (2.19-18+deb8u9) stable; urgency=medium
 .
  * Remove patches/any/cvs-resolv-internal-qtype.diff, it breaks the
    libnss/libnss-dns ABI. Reopens: #796106.

glibc (2.19-18+deb8u8) stable; urgency=medium
 .
  [ Aurelien Jarno ]
  * Update from upstream stable branch:
    - Fix PowerPC sqrt inaccuracy. Closes: #855606.
  * patches/any/cvs-resolv-internal-qtype.diff: patch from upstream to fix
    a NULL pointer dereference in libresolv when receiving a T_UNSPEC
    internal QTYPE (CVE-2015-5180). Closes: #796106.

gnome-media (3.4.0-2+deb8u1) jessie; urgency=medium
 .
  * Non-maintainer upload.
  * Add missing Breaks: gnome-media-common, libgnome-media-dev,
    libgnome-media0 to match Replaces and not leave mutilated packages
    behind. (Closes: #861102)

gnome-screenshot (3.14.0-1+deb8u1) jessie; urgency=medium
 .
  * Non-maintainer upload.
  * filename-builder-use-dash-for-time-format-separator.patch:
    Combination of the patch from upstream bug #698740 and upstream commit
    aa23783 to achieve the behaviour intended by successive upstream
    releases. (Closes: #850836)

gnome-settings-daemon (3.14.2-3+deb8u1) jessie; urgency=medium
 .
  * Non-maintainer upload.
  * screenshot-utils-dont-use-spaces-or-colons-in-file.patch:
    Patch from upstream: https://bugzilla.gnome.org/show_bug.cgi?id=740520
    Screenshots are often uploaded to web services or copied to (possibly
    FAT) external drives. Don't use characters that would be incompatible
    with those. (Closes: #850837)

gnutls28 (3.3.8-6+deb8u5) jessie; urgency=medium
 .
  * Pull multiple fixes from gnutls_3_3_x branch:
    + 55_00_pkcs12-fixed-the-calculation-of-p_size.patch
      Fixed issue in PKCS#12 password encoding, which truncated passwords
      over 32-characters. Reported by Mario Klebsch.
    + 55_01_gnutls_x509_ext_import_proxy-fix-issue-reading-the-p.patch
      Fix double free in certificate information printing. If the PKIX
      extension proxy was set with a policy language set but no policy
      specified, that could lead to a double free.
      [GNUTLS-SA-2017-1] CVE-2017-5334
    + 55_02_auth-rsa-eliminated-memory-leak-on-pkcs-1-formatting.patch
      Addressed memory leak in server side error path (issue found using
      oss-fuzz project)
    + 55_03_opencdk-Fixes-to-prevent-undefined-behavior-found-wi.patch
      55_04_Do-not-infinite-loop-if-an-EOF-occurs-while-skipping.patch
      55_05_Attempt-to-fix-a-leak-in-OpenPGP-cert-parsing.patch
      55_06_Corrected-a-leak-in-OpenPGP-sub-packet-parsing.patch
      55_07_opencdk-read_attribute-added-more-precise-checks-whe.patch
      55_08_opencdk-cdk_pk_get_keyid-fix-stack-overflow.patch
      55_09_opencdk-added-error-checking-in-the-stream-reading-f.patch
      55_10_opencdk-improved-error-code-checking-in-the-stream-r.patch
      55_11_opencdk-read-packet.c-corrected-typo-in-type-cast.patch
      Addressed memory leaks and an infinite loop in OpenPGP certificate
      parsing. Fixes by Alex Gaynor.
      (issues found using oss-fuzz project)
      Addressed invalid memory accesses in OpenPGP certificate parsing.
      (issues found using oss-fuzz project)
      [GNUTLS-SA-2017-2] CVE-2017-5335 / CVE-2017-5336 / CVE-2017-5337
    + 55_12_gnutls_pkcs11_obj_list_import_url2-Always-return-an-.patch
      When returning success, but no elements,
      gnutls_pkcs11_obj_list_import_url4, could have returned zero number
      of elements with a pointer that was uninitialized. Ensure that an
      initialized (i.e., null in that case) pointer is always returned.
    + 55_13_cdk_pkt_read-enforce-packet-limits.patch
      Addressed integer overflow resulting in invalid memory write in
      OpenPGP certificate parsing. Issue found using oss-fuzz project:
      https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=420
      [GNUTLS-SA-2017-3A] CVE-2017-7869
    + 55_14_opencdk-read_attribute-account-buffer-size.patch
      Addressed read of 1 byte past the end of buffer in OpenPGP
      certificate parsing. Issue found using oss-fuzz project:
      https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=391
      (This patch is from gnutls_3_5_x branch.)
    + 55_15_opencdk-do-not-parse-any-secret-keys-in-packet-when-.patch
      Addressed crashes in OpenPGP certificate parsing, related to private
      key parser. No longer allow OpenPGP certificates (public keys) to
      contain private key sub-packets. Issue found using oss-fuzz project:
      https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=354
      https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=360
      [GNUTLS-SA-2017-3B]
    + 55_16_Enforce-the-max-packet-length-for-OpenPGP-subpackets.patch
      Addressed large allocation in OpenPGP certificate parsing, that could
      lead to an out-of-memory condition. Issue found using oss-fuzz
      project, and was fixed by Alex Gaynor:
      https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=392
      [GNUTLS-SA-2017-3C]

groovy (1.8.6-4+deb8u2) jessie; urgency=medium
 .
  * Team upload.
  * Fix CVE-2016-6814:
    It was found that a flaw in Apache Groovy, a dynamic language for the
    Java Virtual Machine, allows remote code execution wherever
    deserialization occurs in the application. It is possible for an
    attacker to craft a special serialized object that will execute code
    directly when deserialized. All applications which rely on
    serialization and do not isolate the code which deserializes objects
    are subject to this vulnerability.

groovy2 (2.2.2+dfsg-3+deb8u2) jessie; urgency=medium

  * Team upload.
  * Fix CVE-2016-6814:
    It was found that a flaw in Apache Groovy, a dynamic language for the
    Java Virtual Machine, allows remote code execution wherever
    deserialization occurs in the application. It is possible for an
    attacker to craft a special serialized object that will execute code
    directly when deserialized. All applications which rely on
    serialization and do not isolate the code which deserializes objects
    are subject to this vulnerability.

gst-plugins-bad1.0 (1.4.4-2.1+deb8u2) jessie-security; urgency=medium

  * debian/patches/0001-psdemux-Rewrite-PSM-parsing-using-GstByteReader.patch
    + The gst_ps_demux_parse_psm function in gst/mpegdemux/gstmpegdemux.c
      in gst-plugins-bad in GStreamer allows remote attackers to cause a
      denial of service (invalid memory read and crash) via vectors
      involving PSM parsing.
      https://bugzilla.gnome.org/show_bug.cgi?id=777957

    Fixes CVE-2017-5848

  * debian/patches/0002-mxfdemux-Set-stream-tags-to-NULL-after-unreffing.patch
    + Multiple use-after-free vulnerabilities in the (1)
      gst_mini_object_unref, (2) gst_tag_list_unref, and (3)
      gst_mxf_demux_update_essence_tracks functions in GStreamer before
      1.10.3 allow remote attackers to cause a denial of service (crash)
      via vectors involving stream tags, as demonstrated by 02785736.mxf.
      https://bugzilla.gnome.org/show_bug.cgi?id=777503

    Fixes CVE-2017-5843

  * debian/patches/0003-mpegtssection-Fix-PAT-parsing.patch
    + The _parse_pat function in the mpegts parser in GStreamer before
      1.10.2 allows remote attackers to cause a denial of service (NULL
      pointer dereference and crash) via a crafted file.
      https://bugzilla.gnome.org/show_bug.cgi?id=775120

    Fixes CVE-2016-9813

  * debian/patches/0004-mpegtssection-Add-more-section-size-checks.patch
    + The gst_mpegts_section_new function in the mpegts decoder in
      GStreamer before 1.10.2 allows remote attackers to cause a denial of
      service (out-of-bounds read) via a too small section.
      https://bugzilla.gnome.org/show_bug.cgi?id=775048

    Fixes CVE-2016-9812

  * debian/patches/0005-h264parse-Ensure-codec_data-has-the-required-size-wh.patch,
    debian/patches/0006-h265parse-Ensure-codec_data-has-the-required-size-wh.patch:
    + Off-by-one error in the gst_h264_parse_set_caps function in GStreamer
      before 1.10.2 allows remote attackers to have unspecified impact via
      a crafted file, which triggers an out-of-bounds read.
      https://bugzilla.gnome.org/show_bug.cgi?id=774896

    Fixes CVE-2016-9809

gst-plugins-base1.0 (1.4.4-2+deb8u1) jessie-security; urgency=medium

  * debian/patches/0001-riff-media-Check-for-valid-channels-rate-before-usin.patch:
    + The gst_riff_create_audio_caps function in
      gst-libs/gst/riff/riff-media.c in gst-plugins-base in GStreamer
      before 1.10.3 allows remote attackers to cause a denial of service
      (floating point exception and crash) via a crafted ASF file.
      https://bugzilla.gnome.org/show_bug.cgi?id=777525

    Fixes CVE-2017-5837

  * debian/patches/0002-riff-media-Don-t-divide-block-align-by-zero-channels.patch:
    + The gst_riff_create_audio_caps function in
      gst-libs/gst/riff/riff-media.c in gst-plugins-base in GStreamer
      before 1.10.3 allows remote attackers to cause a denial of service
      (floating point exception and crash) via a crafted video file.
      https://bugzilla.gnome.org/show_bug.cgi?id=777262

    Fixes CVE-2017-5844

  * debian/patches/0003-riff-media-Don-t-recurse-in-for-nested-WAVEFORMATEX.patch:
    + The gst_riff_create_audio_caps function in
      gst-libs/gst/riff/riff-media.c in gst-plugins-base in GStreamer
      before 1.10.3 does not properly limit recursion, which allows remote
      attackers to cause a denial of service (stack overflow and crash)
      via vectors involving nested WAVEFORMATEX.
      https://bugzilla.gnome.org/show_bug.cgi?id=777265

    Fixes CVE-2017-5839

  * debian/patches/0004-samiparse-Check-that-the-string-has-a-non-zero-lengt.patch:
    + The html_context_handle_element function in gst/subparse/samiparse.c
      in gst-plugins-base in GStreamer before 1.10.3 allows remote
      attackers to cause a denial of service (out-of-bounds write) via a
      crafted SMI file, as demonstrated by OneNote_Manager.smi.
      https://bugzilla.gnome.org/show_bug.cgi?id=777502

    Fixes CVE-2017-5842

  * debian/patches/0005-typefind-bounds-check-windows-ico-detection.patch:
    + The windows_icon_typefind function in gst-plugins-base in GStreamer
      before 1.10.2, when G_SLICE is set to always-malloc, allows remote
      attackers to cause a denial of service (out-of-bounds read) via a
      crafted ico file.
      https://bugzilla.gnome.org/show_bug.cgi?id=774902

    Fixes CVE-2016-9811

gst-plugins-good1.0 (1.4.4-2+deb8u3) jessie-security; urgency=medium

  * debian/patches/0001-aacparse-Make-sure-we-have-enough-data-in-the-codec_.patch:
    + The gst_aac_parse_sink_setcaps function in
      gst/audioparsers/gstaacparse.c in gst-plugins-good in GStreamer
      before 1.10.3 allows remote attackers to cause a denial of service
      (invalid memory read and crash) via a crafted audio file.
      https://bugzilla.gnome.org/show_bug.cgi?id=775450

    Fixes CVE-2016-10198

  * debian/patches/0002-avidemux-Fix-various-out-of-bounds-reads-when-parsin.patch:
    + The gst_avi_demux_parse_ncdt function in gst/avi/gstavidemux.c in
      gst-plugins-good in GStreamer before 1.10.3 allows remote attackers
      to cause a denial of service (out-of-bounds heap read) via vectors
      involving ncdt tags.
      https://bugzilla.gnome.org/show_bug.cgi?id=777500

    Fixes CVE-2017-5841

  * debian/patches/0003-avidemux-Stop-reading-a-ncdt-sub-tag-if-it-goes-behi.patch:
    + The gst_avi_demux_parse_ncdt function in gst/avi/gstavidemux.c in
      gst-plugins-good in GStreamer before 1.10.3 allows remote attackers
      to cause a denial of service (invalid memory read and crash) via a
      ncdt sub-tag that "goes behind" the surrounding tag.
      https://bugzilla.gnome.org/show_bug.cgi?id=777532

    Fixes CVE-2017-5845

  * debian/patches/0004-qtdemux-Fix-out-of-bounds-read-in-tag-parsing-code.patch:
    + The qtdemux_tag_add_str_full function in gst/isomp4/qtdemux.c in
      gst-plugins-good in GStreamer before 1.10.3 allows remote attackers
      to cause a denial of service (out-of-bounds read and crash) via a
      crafted tag value.
      https://bugzilla.gnome.org/show_bug.cgi?id=775451

    Fixes CVE-2016-10199

  * debian/patches/0005-qtdemux-Increment-current-stts-index-whenever-we-fin.patch:
    + The qtdemux_parse_samples function in gst/isomp4/qtdemux.c in
      gst-plugins-good in GStreamer before 1.10.3 allows remote attackers
      to cause a denial of service (out-of-bounds heap read) via vectors
      involving the current stts index.
      https://bugzilla.gnome.org/show_bug.cgi?id=777469

    Fixes CVE-2017-5840

gst-plugins-ugly1.0 (1.4.4-2+deb8u1) jessie-security; urgency=medium

  * debian/patches/0001-asfdemux-Check-that-we-have-enough-data-available-be.patch:
    + The gst_asf_demux_process_ext_content_desc function in
      gst/asfdemux/gstasfdemux.c in gst-plugins-ugly in GStreamer allows
      remote attackers to cause a denial of service (out-of-bounds heap
      read) via vectors involving extended content descriptors.
      https://bugzilla.gnome.org/show_bug.cgi?id=777955

    Fixes CVE-2017-5847

  * debian/patches/0002-asfdemux-Reset-number-of-languages-to-0-when-freeing.patch:
    + The gst_asf_demux_process_ext_stream_props function in
      gst/asfdemux/gstasfdemux.c in gst-plugins-ugly in GStreamer before
      1.10.3 allows remote attackers to cause a denial of service (invalid
      memory read and crash) via vectors related to the number of
      languages in a video file.
      https://bugzilla.gnome.org/show_bug.cgi?id=777937

    Fixes CVE-2017-5846

gstreamer1.0 (1.4.4-2+deb8u1) jessie-security; urgency=high

  * debian/patches/0001-datetime-fix-potential-out-of-bound-read-on-malforme.patch:
    + The gst_date_time_new_from_iso8601_string function in
      gst/gstdatetime.c in GStreamer before 1.10.3 allows remote attackers
      to cause a denial of service (out-of-bounds heap read) via a
      malformed datetime string.
      https://bugzilla.gnome.org/show_bug.cgi?id=777263

    Fixes CVE-2017-5838

guile-2.0 (2.0.11+1-9+deb8u1) jessie; urgency=high

  * Fix REPL server vulnerability (CVE-2016-8606).
    Add 0017-REPL-Server-Guard-against-HTTP-inter-protocol-exploi.patch to
    incorporate the fix. See that file for further information.
    (Closes: 840555)

  * Fix mkdir umask-related vulnerability (CVE-2016-8605).
    Previously, whenever the second argument to mkdir was omitted, it
    would temporarily change the umask to 0, a change which would also
    affect any concurrent threads.
    Add 0018-Remove-umask-calls-from-mkdir.patch to incorporate the fix.
    See that file for further information. (Closes: 840556)

hunspell-en-us (20070829-6+deb8u1) jessie-security; urgency=medium

  * Non-maintainer upload.
  * Drop unversioned conflict on thunderbird

icedove (1:45.8.0-3~deb8u1) jessie-security; urgency=medium

  [ Carsten Schoenert ]
  * New upstream version 45.8.0:
    CVE-2017-5400: asm.js JIT-spray bypass of ASLR and DEP
    CVE-2017-5401: Memory Corruption when handling ErrorResult
    CVE-2017-5402: Use-after-free working with events in FontFace objects
    CVE-2017-5404: Use-after-free working with ranges in selections
    CVE-2017-5407: Pixel and history stealing via floating-point timing
                   side channel with SVG filters
    CVE-2017-5410: Memory corruption during JavaScript garbage collection
                   incremental sweeping
    CVE-2017-5408: Cross-origin reading of video captions in violation of
                   CORS
    CVE-2017-5405: FTP response codes can cause use of uninitialized
                   values for ports
    CVE-2017-5398: Memory safety bugs fixed in Thunderbird 45.8
    CVE-2017-5375: Excessive JIT code allocation allows bypass of ASLR
                   and DEP
    CVE-2017-5376: Use-after-free in XSL
    CVE-2017-5378: Pointer and frame data leakage of Javascript objects
    CVE-2017-5380: Potential use-after-free during DOM manipulations
    CVE-2017-5390: Insecure communication methods in Developer Tools JSON
                   viewer
    CVE-2017-5396: Use-after-free with Media Decoder
    CVE-2017-5383: Location bar spoofing with unicode characters
    CVE-2017-5373: Memory safety bugs fixed in Thunderbird 45.7
  * debian/rules: don't set MOZ_APP_PROFILE in jessie or wheezy.
    We don't need a special different default profile folder in jessie or
    wheezy. We will always use ~/.thunderbird in all available releases.
  * tb-wrapper: call thunderbird starting with exec

  [ Guido Günther ]
  * Register components in gbp.conf
  * Drop superfluous iceowl-l10n files
  * Copy-edit thunderbird-wrapper-helper.sh

icedove (1:45.8.0-3) unstable; urgency=medium

  [ Carsten Schoenert ]
  * [d923505] AppArmor: be more flexible on profile folders
    (Closes: #858735, #858737)
  * [1e04099] tb-wrapper: use readlink also on ${ID_PROFILE_FOLDER}
    (Closes: #858771)
  * [9f6b771] tb-wrapper: correct check for -dbg package (Closes: #858804)
  * [8b5271a] rebuild patch queue from patch-queue branch
    added patches:
    - fixes/Bug-1273020-Add-missing-null-checks-in-ApplicationAccessi.patch

icedove (1:45.8.0-2) unstable; urgency=medium

  [ Carsten Schoenert ]
  * [c2a1d77] tb-helper: pass arguments correctly through tb call
    (Closes: #855334)
  * [5c49348] rebuild patch queue from patch-queue branch
    added patches:
    - fixes/Bug-1340724-fix-SMTP-server-name-output-in-SMTP-logging.patch
      (Closes: #855470)
  * [9d420c0] Revert "register MIME type application/octet-stream for
    Thunderbird" (Closes: #857755)
  * [c9960e5] tb-helper: pass arguments by using an array to TB call

icedove (1:45.8.0-1) unstable; urgency=medium

  [ Carsten Schoenert ]
  * [3388899] New upstream version 45.8.0
  * [24d25e9] tb-helper*: fix up that silly comments behind the if
    statement (Closes: #857029, #857032, #857098, #857112)
  * [788b7fa] bash-completion: adding a completion script for
    /u/b/thunderbird
  * [9ac9d07] rebuild patch queue from patch-queue branch
    added patches:
    - p-arm64/Bug-1091515-Don-t-set-64KB-page-size-on-aarch64.-r-glandi.patch
    - p-arm64/Bug-1257055-Use-jit-arm64-Architecture-arm64.h-on-non-JIT.patch
  * [ad0860b] copyright: small updates reflecting upstream changes

  [ Christoph Goehre ]
  * [69577cf] lintian: replace hardlink in thunderbird-dev with symbolic
    link

icedove (1:45.7.1-2) unstable; urgency=medium

  [ Christoph Goehre ]
  * [5e2c618] crashreporter: build only on amd64, armel, armhf and i386
  * [36a922f] Apparmor: replace '·' with spaces (Closes: #855343)
  * [bbbc917] rebuild patch queue from patch-queue branch
    added patches:
    - p-hppa/FTBFS-hppa-xpcshell-segfaulting-during-make-install.patch
  * [8b5d601] icedove|thunderbird.desktop: update danish (da) translation

  [ Carsten Schoenert ]
  * [f8debbd] debian/control: separate transitional mark by extra line
    (Closes: #855806)
  * [583c798] {tb,id}.maintscript: modify start-version (Closes: #854587)
  * [94e557c] thunderbird: adding x11-utils to Depends (Closes: #854488)
  * [dc878e7] thunderbird-wrapper.sh: fix command line transfer to TB
    (Closes: #855334)
  * [9734349] thunderbird helper: split helper function into extra file
    (Closes: #855286)
  * [3089a97] tb-helper*: wrapping X11 dialog calls
  * [e0331e1] tb-helper*: rework option parsing for wrapper script
    (Closes: #855872)
  * [31d9899] thunderbird.postinst: try to remove empty profile folder
    (Closes: #855228)
  * [c9e5b70] tb-wrapper*: complete rework and moving over for symlinking
    (Closes: #855265, #855391, #855501, #856490)
  * [9ef920f] README.Debian: adopt content to current wrapper script
    behavior
  * [4cf88e5] icedove|thunderbird.desktop: adopt binary call
  * [101e0ad] tb-helper*: call subfunctions not within the case loop
  * [c061107] register MIME type application/octet-stream for Thunderbird

icedove (1:45.7.1-1) unstable; urgency=medium

  * Bye-bye Icedove (Closes: #749965, #776359, #816679, #363811)

  [ Carsten Schoenert ]
  * [90c0d6f] New upstream version 45.7.1
  * [a6d21de] rebuild patch queue from patch-queue branch
    added patches:
    - fixes/Bug-497488-Implement-verify-mode-in-the-subscribe-dialog-.patch
    - fixes/Bug-497488-RSS-feeds-with-an-invalid-certificate-fail-wit-1.patch
    - fixes/Bug-497488-RSS-feeds-with-an-invalid-certificate-fail-wit.patch
      (Closes: #837177)
    removed patches (fixed upstream):
    - debian-hacks/icu.m4-adding-extra-bracket-to-not-confuse-grep.patch
  * [8572e34] lintian: adding a semi automated lintian-override
  * [aa2bda2] crashreporter: enable the reporter for thunderbird
  * [b96ae57] move icedove.desktop into package icedove
    (Closes: #850865, #851829)
  * [304921f] debian/rules: set SHELL explicit to /bin/bash
    (Closes: #852867)
  * [072b899] thunderbird: adding extra check while migration
  * [284912d] debian/README.Debian: update after recent changes
  * [6dc7e32] icedove-l10n-bn-bd: fix typo in Depends field
    (Closes: #854135)
  * [c5d4bf5] {tb,id}.maintscript: modify start-version (Closes: #854587)
  * [f3d64ae] thunderbird-wrapper.sh: adding extra information window
    (Closes: #854488)
  * [6b432c7] README.Debian: hint about issue in global configuration

  [ Douglas Bagnall ]
  * [e2c8a23] Apparmor: allowing exo-open-ixr launcher (Closes: #853929)

  [ Christoph Goehre ]
  * [ef36e0b] thunderbird-wrapper.sh: fix typos
  * [f98d5d1] thunderbird-wrapper.sh: add small changes from Guido and
    Carsten
  * [7dd6841] README.Debian: fix/correct spelling
  * [e038694] debian/control: remove depends-on-essential-package 'sed'

  [ Jens Reyer ]
  * [ea58e17] thunderbird-wrapper.sh: add extra function for migration
    (Closes: #849592)

icedove (1:45.6.0-3) experimental; urgency=medium

  [ Carsten Schoenert ]
  * [78b3296] rebuild patch queue from patch-queue branch
    added patch:
    - debian-hacks/icu.m4-adding-extra-bracket-to-not-confuse-grep.patch
  * [a272f85] thunderbird-wrapper.sh: also migrate mimeapps.list
    (Closes: #850864)
  * [3d4e303] icedove.desktop: don't use categories and mimetypes
    (Closes: #850866)
  * [db15d43] icedove: link icedove to thunderbird
  * [59a9e05] debian/control: change Replaces and Breaks versions

  [ Christoph Goehre ]
  * [55cce4a] thunderbird-wrapper.sh: remove 'set -e'

icedove (1:45.8.0-3~deb7u1) wheezy-security; urgency=medium

  * New upstream version 45.8.0:
    CVE-2017-5400: asm.js JIT-spray bypass of ASLR and DEP
    CVE-2017-5401: Memory Corruption when handling ErrorResult
    CVE-2017-5402: Use-after-free working with events in FontFace objects
    CVE-2017-5404: Use-after-free working with ranges in selections
    CVE-2017-5407: Pixel and history stealing via floating-point timing
                   side channel with SVG filters
    CVE-2017-5410: Memory corruption during JavaScript garbage collection
                   incremental sweeping
    CVE-2017-5408: Cross-origin reading of video captions in violation of
                   CORS
    CVE-2017-5405: FTP response codes can cause use of uninitialized
                   values for ports
    CVE-2017-5398: Memory safety bugs fixed in Thunderbird 45.8
    CVE-2017-5375: Excessive JIT code allocation allows bypass of ASLR
                   and DEP
    CVE-2017-5376: Use-after-free in XSL
    CVE-2017-5378: Pointer and frame data leakage of Javascript objects
    CVE-2017-5380: Potential use-after-free during DOM manipulations
    CVE-2017-5390: Insecure communication methods in Developer Tools JSON
                   viewer
    CVE-2017-5396: Use-after-free with Media Decoder
    CVE-2017-5383: Location bar spoofing with unicode characters
    CVE-2017-5373: Memory safety bugs fixed in Thunderbird 45.7
  * Switch back to debhelper version 9
  * dh-exec: avoid multiple spaces around filenames since they break the
    wheezy version of dh-exec
  * Drop crash reporter. The syntax is not supported by dh-exec and we
    don't want to send reports from wheezy to Mozilla.
  * Don't drop deps on libspr,nss
  * Drop replaces on packages no longer in any release
  * Copy-edit thunderbird-wrapper-helper.sh

icedove (1:45.8.0-3) unstable; urgency=medium

  [ Carsten Schoenert ]
  * [d923505] AppArmor: be more flexible on profile folders
    (Closes: #858735, #858737)
  * [1e04099] tb-wrapper: use readlink also on ${ID_PROFILE_FOLDER}
    (Closes: #858771)
  * [9f6b771] tb-wrapper: correct check for -dbg package (Closes: #858804)
  * [8b5271a] rebuild patch queue from patch-queue branch
    added patches:
    - fixes/Bug-1273020-Add-missing-null-checks-in-ApplicationAccessi.patch

icedove (1:45.8.0-2) unstable; urgency=medium

  [ Carsten Schoenert ]
  * [c2a1d77] tb-helper: pass arguments correctly through tb call
    (Closes: #855334)
  * [5c49348] rebuild patch queue from patch-queue branch
    added patches:
    - fixes/Bug-1340724-fix-SMTP-server-name-output-in-SMTP-logging.patch
      (Closes: #855470)
  * [9d420c0] Revert "register MIME type application/octet-stream for
    Thunderbird" (Closes: #857755)
  * [c9960e5] tb-helper: pass arguments by using an array to TB call

icedove (1:45.8.0-1) unstable; urgency=medium

  [ Carsten Schoenert ]
  * [3388899] New upstream version 45.8.0
  * [24d25e9] tb-helper*: fix up that silly comments behind the if
    statement (Closes: #857029, #857032, #857098, #857112)
  * [788b7fa] bash-completion: adding a completion script for
    /u/b/thunderbird
  * [9ac9d07] rebuild patch queue from patch-queue branch
    added patches:
    - p-arm64/Bug-1091515-Don-t-set-64KB-page-size-on-aarch64.-r-glandi.patch
    - p-arm64/Bug-1257055-Use-jit-arm64-Architecture-arm64.h-on-non-JIT.patch
  * [ad0860b] copyright: small updates reflecting upstream changes

  [ Christoph Goehre ]
  * [69577cf] lintian: replace hardlink in thunderbird-dev with symbolic
    link

icedove (1:45.7.1-2) unstable; urgency=medium

  [ Christoph Goehre ]
  * [5e2c618] crashreporter: build only on amd64, armel, armhf and i386
  * [36a922f] Apparmor: replace '·' with spaces (Closes: #855343)
  * [bbbc917] rebuild patch queue from patch-queue branch
    added patches:
    - p-hppa/FTBFS-hppa-xpcshell-segfaulting-during-make-install.patch
  * [8b5d601] icedove|thunderbird.desktop: update danish (da) translation

  [ Carsten Schoenert ]
  * [f8debbd] debian/control: separate transitional mark by extra line
    (Closes: #855806)
  * [583c798] {tb,id}.maintscript: modify start-version (Closes: #854587)
  * [94e557c] thunderbird: adding x11-utils to Depends (Closes: #854488)
  * [dc878e7] thunderbird-wrapper.sh: fix command line transfer to TB
    (Closes: #855334)
  * [9734349] thunderbird helper: split helper function into extra file
    (Closes: #855286)
  * [3089a97] tb-helper*: wrapping X11 dialog calls
  * [e0331e1] tb-helper*: rework option parsing for wrapper script
    (Closes: #855872)
  * [31d9899] thunderbird.postinst: try to remove empty profile folder
    (Closes: #855228)
  * [c9e5b70] tb-wrapper*: complete rework and moving over for symlinking
    (Closes: #855265, #855391, #855501, #856490)
  * [9ef920f] README.Debian: adopt content to current wrapper script
    behavior
  * [4cf88e5] icedove|thunderbird.desktop: adopt binary call
  * [101e0ad] tb-helper*: call subfunctions not within the case loop
  * [c061107] register MIME type application/octet-stream for Thunderbird

icedove (1:45.7.1-1) unstable; urgency=medium

  * Bye-bye Icedove (Closes: #749965, #776359, #816679, #363811)

  [ Carsten Schoenert ]
  * [90c0d6f] New upstream version 45.7.1
  * [a6d21de] rebuild patch queue from patch-queue branch
    added patches:
    - fixes/Bug-497488-Implement-verify-mode-in-the-subscribe-dialog-.patch
    - fixes/Bug-497488-RSS-feeds-with-an-invalid-certificate-fail-wit-1.patch
    - fixes/Bug-497488-RSS-feeds-with-an-invalid-certificate-fail-wit.patch
      (Closes: #837177)
    removed patches (fixed upstream):
    - debian-hacks/icu.m4-adding-extra-bracket-to-not-confuse-grep.patch
  * [8572e34] lintian: adding a semi automated lintian-override
  * [aa2bda2] crashreporter: enable the reporter for thunderbird
  * [b96ae57] move icedove.desktop into package icedove
    (Closes: #850865, #851829)
  * [304921f] debian/rules: set SHELL explicit to /bin/bash
    (Closes: #852867)
  * [072b899] thunderbird: adding extra check while migration
  * [284912d] debian/README.Debian: update after recent changes
  * [6dc7e32] icedove-l10n-bn-bd: fix typo in Depends field
    (Closes: #854135)
  * [c5d4bf5] {tb,id}.maintscript: modify start-version (Closes: #854587)
  * [f3d64ae] thunderbird-wrapper.sh: adding extra information window
    (Closes: #854488)
  * [6b432c7] README.Debian: hint about issue in global configuration

  [ Douglas Bagnall ]
  * [e2c8a23] Apparmor: allowing exo-open-ixr launcher (Closes: #853929)

  [ Christoph Goehre ]
  * [ef36e0b] thunderbird-wrapper.sh: fix typos
  * [f98d5d1] thunderbird-wrapper.sh: add small changes from Guido and
    Carsten
  * [7dd6841] README.Debian: fix/correct spelling
  * [e038694] debian/control: remove depends-on-essential-package 'sed'

  [ Jens Reyer ]
  * [ea58e17] thunderbird-wrapper.sh: add extra function for migration
    (Closes: #849592)

icedove (1:45.6.0-3) experimental; urgency=medium

  [ Carsten Schoenert ]
  * [78b3296] rebuild patch queue from patch-queue branch
    added patch:
    - debian-hacks/icu.m4-adding-extra-bracket-to-not-confuse-grep.patch
  * [a272f85] thunderbird-wrapper.sh: also migrate mimeapps.list
    (Closes: #850864)
  * [3d4e303] icedove.desktop: don't use categories and mimetypes
    (Closes: #850866)
  * [db15d43] icedove: link icedove to thunderbird
  * [59a9e05] debian/control: change Replaces and Breaks versions

  [ Christoph Goehre ]
  * [55cce4a] thunderbird-wrapper.sh: remove 'set -e'

icedove (1:45.8.0-2) unstable; urgency=medium

  [ Carsten Schoenert ]
  * [c2a1d77] tb-helper: pass arguments correctly through tb call
    (Closes: #855334)
  * [5c49348] rebuild patch queue from patch-queue branch
    added patches:
    - fixes/Bug-1340724-fix-SMTP-server-name-output-in-SMTP-logging.patch
      (Closes: #855470)
  * [9d420c0] Revert "register MIME type application/octet-stream for
    Thunderbird" (Closes: #857755)
  * [c9960e5] tb-helper: pass arguments by using an array to TB call

icedove (1:45.8.0-1) unstable; urgency=medium

  [ Carsten Schoenert ]
  * [3388899] New upstream version 45.8.0
  * [24d25e9] tb-helper*: fix up that silly comments behind the if
    statement (Closes: #857029, #857032, #857098, #857112)
  * [788b7fa] bash-completion: adding a completion script for
    /u/b/thunderbird
  * [9ac9d07] rebuild patch queue from patch-queue branch
    added patches:
    - p-arm64/Bug-1091515-Don-t-set-64KB-page-size-on-aarch64.-r-glandi.patch
    - p-arm64/Bug-1257055-Use-jit-arm64-Architecture-arm64.h-on-non-JIT.patch
  * [ad0860b] copyright: small updates reflecting upstream changes

  [ Christoph Goehre ]
  * [69577cf] lintian: replace hardlink in thunderbird-dev with symbolic
    link

icedove (1:45.7.1-2) unstable; urgency=medium

  [ Christoph Goehre ]
  * [5e2c618] crashreporter: build only on amd64, armel, armhf and i386
  * [36a922f] Apparmor: replace '·' with spaces (Closes: #855343)
  * [bbbc917] rebuild patch queue from patch-queue branch
    added patches:
    - p-hppa/FTBFS-hppa-xpcshell-segfaulting-during-make-install.patch
  * [8b5d601] icedove|thunderbird.desktop: update danish (da) translation

  [ Carsten Schoenert ]
  * [f8debbd] debian/control: separate transitional mark by extra line
    (Closes: #855806)
  * [583c798] {tb,id}.maintscript: modify start-version (Closes: #854587)
  * [94e557c] thunderbird: adding x11-utils to Depends (Closes: #854488)
  * [dc878e7] thunderbird-wrapper.sh: fix command line transfer to TB
    (Closes: #855334)
  * [9734349] thunderbird helper: split helper function into extra file
    (Closes: #855286)
  * [3089a97] tb-helper*: wrapping X11 dialog calls
  * [e0331e1] tb-helper*: rework option parsing for wrapper script
    (Closes: #855872)
  * [31d9899] thunderbird.postinst: try to remove empty profile folder
    (Closes: #855228)
  * [c9e5b70] tb-wrapper*: complete rework and moving over for symlinking
    (Closes: #855265, #855391, #855501, #856490)
  * [9ef920f] README.Debian: adopt content to current wrapper script
    behavior
  * [4cf88e5] icedove|thunderbird.desktop: adopt binary call
  * [101e0ad] tb-helper*: call subfunctions not within the case loop
  * [c061107] register MIME type application/octet-stream for Thunderbird

icedove (1:45.7.1-1) unstable; urgency=medium

  * Bye-bye Icedove (Closes: #749965, #776359, #816679, #363811)

  [ Carsten Schoenert ]
  * [90c0d6f] New upstream version 45.7.1
  * [a6d21de] rebuild patch queue from patch-queue branch
    added patches:
    - fixes/Bug-497488-Implement-verify-mode-in-the-subscribe-dialog-.patch
    - fixes/Bug-497488-RSS-feeds-with-an-invalid-certificate-fail-wit-1.patch
    - fixes/Bug-497488-RSS-feeds-with-an-invalid-certificate-fail-wit.patch
      (Closes: #837177)
    removed patches (fixed upstream):
    - debian-hacks/icu.m4-adding-extra-bracket-to-not-confuse-grep.patch
  * [8572e34] lintian: adding a semi automated lintian-override
  * [aa2bda2] crashreporter: enable the reporter for thunderbird
  * [b96ae57] move icedove.desktop into package icedove
    (Closes: #850865, #851829)
  * [304921f] debian/rules: set SHELL explicit to /bin/bash
    (Closes: #852867)
  * [072b899] thunderbird: adding extra check while migration
  * [284912d] debian/README.Debian: update after recent changes
  * [6dc7e32] icedove-l10n-bn-bd: fix typo in Depends field
    (Closes: #854135)
  * [c5d4bf5] {tb,id}.maintscript: modify start-version (Closes: #854587)
  * [f3d64ae] thunderbird-wrapper.sh: adding extra information window
    (Closes: #854488)
  * [6b432c7] README.Debian: hint about issue in global configuration

  [ Douglas Bagnall ]
  * [e2c8a23] Apparmor: allowing exo-open-ixr launcher (Closes: #853929)

  [ Christoph Goehre ]
  * [ef36e0b] thunderbird-wrapper.sh: fix typos
  * [f98d5d1] thunderbird-wrapper.sh: add small changes from Guido and
    Carsten
  * [7dd6841] README.Debian: fix/correct spelling
  * [e038694] debian/control: remove depends-on-essential-package 'sed'

  [ Jens Reyer ]
  * [ea58e17] thunderbird-wrapper.sh: add extra function for migration
    (Closes: #849592)

icedove (1:45.6.0-3) experimental; urgency=medium

  [ Carsten Schoenert ]
  * [78b3296] rebuild patch queue from patch-queue branch
    added patch:
    - debian-hacks/icu.m4-adding-extra-bracket-to-not-confuse-grep.patch
  * [a272f85] thunderbird-wrapper.sh: also migrate mimeapps.list
    (Closes: #850864)
  * [3d4e303] icedove.desktop: don't use categories and mimetypes
    (Closes: #850866)
  * [db15d43] icedove: link icedove to thunderbird
  * [59a9e05] debian/control: change Replaces and Breaks versions

  [ Christoph Goehre ]
  * [55cce4a] thunderbird-wrapper.sh: remove 'set -e'

icedove (1:45.6.0-1) experimental; urgency=medium

  [ Carsten Schoenert ]
  * [26f8f2d] New upstream version 45.6.0
  * [15b7797] iceowl-l10n-*: rearrange Recommends field for various
    packages (Closes: #824727, #824750, #824763, #824764, #824768,
    #824780)
  * [3f75b56] debian/vendor.js: adjust to new version related wiki site
  * [6bd7f89] d/c-id-l10n: adjusting download URL for stable versions
  * [f15d1a2] icedove-l10n-all: change Section into metapackages
    (Closes: #824785)
  * [25c3ba1] debian/README.source: info about import of multitarballs
  * [3ebcf59] debian/control: adding Recommends to icedove-l10n-uk
    (Closes: #825806)
  * [3e57d5e] debian/control: Icedove, adding dependency on libatk-adaptor
  * [e19c59d] debian/control: rework Recommends for icedove-l10n-*
  * [4741d80] debian/control: small fixup Recommends on iceowl-l10n-*
  * [f9f5193] debian/control: sort iceowl-l10n-* alphabetically
  * [5220187] de-branding: move iceowl* back to lightning*
  * [6e28ce5] de-branding: remove Icedove naming from icedove-l10n*
  * [3dc3b4b] de-branding: remove Icedove branding in the main binary
  * [8b715cf] de-branding: remove hard name branding in addon manager
  * [9f609fa] de-branding: adopting dh files for icedove package
  * [caba322] de-branding: adopting dh files for icedove-dev package
  * [6538f66] de-branding: change debian/rules to reflect appname change
  * [871588d] de-branding: adopting dh files for iceowl-extension package
  * [a0b20e7] debian/tests/*: adopt change of the binary icedove
  * [29025cc] de-branding: adjust icedove-l10n installation folder
  * [2b8dd99] de-branding: adjust iceowl-l10n installation folder
  * [1f3043c] de-branding: remove the Debian visual branding
  * [272e420] de-branding: removing icedove branding files and folder
  * [093bc58] de-branding: revitalize *.desktop file with Thunderbird
  * [4a35d9d] de-branding: move iceowl-l10n-* into lightning-l10n-*
  * [68d8d79] de-branding: adding transitional iceowl-l10n packages
  * [4b2febd] de-branding: adding 'Breaks', 'Replaces', 'Provides' to
    lightning-l10n-*
  * [9cdb427] de-branding: rework d/r to reflect changes for lightning-l10n
  * [ec3b427] de-branding: move icedove-l10n-* into thunderbird-l10n-*
  * [387bfa2] de-branding: adding transitional icedove-l10n packages
  * [f3cfecb] de-branding: adding 'Breaks', 'Replaces', 'Provides' to
    thunderbird-l10n-*
  * [03b222e] de-branding: rework d/r to reflect changes for
    thunderbird-l10n
  * [0c9a6ab] de-branding: (re)adding a wrapper script for TB starting
  * [f9c8aef] de-branding: move icedove-dev to thunderbird-dev
  * [a4313e6] de-branding: adding transitional icedove-dev package
  * [0508866] de-branding: rework d/r to reflect changes for thunderbird-dev
  * [048b29f] de-branding: move icedove-dbg to thunderbird-dbg
  * [da01077] de-branding: adding transitional icedove-dbg package
  * [a371079] de-branding: rework d/r to reflect changes for thunderbird-dbg
  * [b34b8f8] de-branding: move iceowl-extension to lightning
  * [fa8f9b3] de-branding: adding transitional iceowl-extension package
  * [848f178] de-branding: rework d/r to reflect changes for lightning
  * [a708c35] de-branding: move icedove to thunderbird
  * [cccef90] de-branding: moving icedove dh files into thunderbird
  * [8c2b27d] de-branding: rework icedove.1 into thunderbird.1
  * [19406fe] de-branding: transition of mozconfig.*
  * [88ed684] de-branding: rework d/r to reflect changes for thunderbird
  * [c8011d3] de-branding: adding transitional icedove package
  * [5e399aa] de-branding: adjusting package calendar-google-provider
  * [a03329c] debian/tests/help.sh: use absolute path for binary call
  * [10adb34] move old icedove graphic stuff into own folder
  * [abc6c8c] create various thunderbird png graphics from SVG file
  * [a2067ae] debian/copyright: update copyright information
  * [a9c6f9f] de-branding: add own created thunderbird icons to install
  * [1d8b524] mozconfig.default: enable the official branding
  * [9f3a673] debian/control: adding dh-exec to the Build-Depends
  * [cddbc63] move Thunderbird install files into thunderbird.install
  * [5037bb5] de-branding: transition of apparmor profile for TB
  * [14f094d] de-branding: remove extra URL for What's New inside
  * [c2a06db] manpage thunderbird; adjust and correct manpage entries
  * [8fa3365] debian/control: adding package dpkg to Build-Depends
  * [ba84ede] thunderbird: switching dpkg-maintscript-helper to
    *.maintscript
  * [d0e675b] debian/thunderbird.postinst: adding some moving mechanism
  * [cbae415] de-branding: let helper scripts reflect thunderbird change
  * [da402a4] thunderbird-wrapper.sh: adding fixing inside mimeTypes.rdf
    (Closes: #837516)
  * [030d49e] de-branding: adding some hints about the debranding
  * [662f7af] debian/README.source: adjusting hints due name changes
  * [8fbedc1] debian/thunderbird.install: install additional
    icedove.desktop
  * [9089d9f] debian/*lintian-overrides: adopt name changes
  * [b9b7665] debian/rules: use the old profile folder for wheezy and
    jessie
  * [f9c137e] fix *.desktop files for proper GNOME app mechanism
    (Closes: #817973, #832302)
  * [1c85ff7] debian/rules: chmod certain *.py tb-devel files
  * [356694a] thunderbird.links: linking the default TB icon to u/s/p

  [ Guido Günther ]
  * [24bbee9] Wrap and sort control information (Closes: #825806)
  * [fcfe4ac] Add minimalistic autopkgtest
  * [f7a32e8] Add autopkgtest to test header and typelib generation
  * [189d835] Add autopkgtest to smoke test xpcshell

[ Christoph Goehre ] * [354f836] turn the reduce of memory usage of the linker on again * [5e48e17] don't build dbgsym packages on unreleased builds * [09679eb] rebuild patch queue from patch-queue branch (Closes: #808183) * [ec3a50b] debian/NEWS: change urgency to medium icedove (1:45.6.0-3) experimental; urgency=medium . [ Carsten Schoenert ] * [78b3296] rebuild patch queue from patch-queue branch added patch: - debian-hacks/icu.m4-adding-extra-bracket-to-not-confuse-grep.patch * [a272f85] thunderbird-wrapper.sh: also migrate mimeapps.list (Closes: #850864) * [3d4e303] icedove.desktop: don't use categories and mimetypes (Closes: #850866) * [db15d43] icedove: link icedove to thunderbird * [59a9e05] debian/control: change Replaces and Breaks versions . [ Christoph Goehre ] * [55cce4a] thunderbird-wrapper.sh: remove 'set -e' icedove (1:45.6.0-2) unstable; urgency=medium . [ Carsten Schoenert ] * [26f8f2d] New upstream version 45.6.0 (Closes: #850164) * [2d1d517] rebuild patch queue from patch-queue branch icedove (1:45.6.0-1) experimental; urgency=medium . 
  [ Carsten Schoenert ]
  * [26f8f2d] New upstream version 45.6.0
  * [15b7797] iceowl-l10n-*: rearrange Recommends field for various packages (Closes: #824727, #824750, #824763, #824764, #824768, #824780)
  * [3f75b56] debian/vendor.js: adjust to new version related wiki site
  * [6bd7f89] d/c-id-l10n: adjusting download URL for stable versions
  * [f15d1a2] icedove-l10n-all: change Section into metapackages (Closes: #824785)
  * [25c3ba1] debian/README.source: info about import of multitarballs
  * [3ebcf59] debian/control: adding Recommends to icedove-l10n-uk (Closes: #825806)
  * [3e57d5e] debian/control: Icedove, adding dependency on libatk-adaptor
  * [e19c59d] debian/control: rework Recommends for icedove-l10n-*
  * [4741d80] debian/control: small fixup Recommends on iceowl-l10n-*
  * [f9f5193] debian/control: sort iceowl-l10n-* alphabetical
  * [5220187] de-branding: move iceowl* back to lightning*
  * [6e28ce5] de-branding: remove Icedove naming from icedove-l10n*
  * [3dc3b4b] de-branding: remove Icedove branding in the main binary
  * [8b715cf] de-branding: remove hard name branding in addon manager
  * [9f609fa] de-branding: adopting dh files for icedove package
  * [caba322] de-branding: adopting dh files for icedove-dev package
  * [6538f66] de-branding: change debian/rules to reflect appname change
  * [871588d] de-branding: adopting dh files for iceowl-extension package
  * [a0b20e7] debian/tests/*: adopt change of the binary icedove
  * [29025cc] de-branding: adjust icedove-l10n installation folder
  * [2b8dd99] de-branding: adjust iceowl-l10n installation folder
  * [1f3043c] de-branding: remove the Debian visual branding
  * [272e420] de-branding: removing icedove branding files and folder
  * [093bc58] de-branding: revitalize *.desktop file with Thunderbird
  * [4a35d9d] de-branding: move iceowl-l10n-* into lightning-l10n-*
  * [68d8d79] de-branding: adding transitional iceowl-l10n packages
  * [4b2febd] de-branding: adding 'Breaks', 'Replaces', 'Provides' to lightning-l10n-*
  * [9cdb427] de-branding: rework d/r to reflect changes for lightning-l10n
  * [ec3b427] de-branding: move icedove-l10n-* into thunderbird-l10n-*
  * [387bfa2] de-branding: adding transitional icedove-l10n packages
  * [f3cfecb] de-branding: adding 'Breaks', 'Replaces', 'Provides' to thunderbird-l10n-*
  * [03b222e] de-branding: rework d/r to reflect changes for thunderbird-l10n
  * [0c9a6ab] de-branding: (re)adding a wrapper script for TB starting
  * [f9c8aef] de-branding: move icedove-dev to thunderbird-dev
  * [a4313e6] de-branding: adding transitional icedove-dev package
  * [0508866] de-branding: rework d/r to reflect changes for thunderbird-dev
  * [048b29f] de-branding: move icedove-dbg to thunderbird-dbg
  * [da01077] de-branding: adding transitional icedove-dbg package
  * [a371079] de-branding: rework d/r to reflect changes for thunderbird-dbg
  * [b34b8f8] de-branding: move iceowl-extension to lightning
  * [fa8f9b3] de-branding: adding transitional iceowl-extension package
  * [848f178] de-branding: rework d/r to reflect changes for lightning
  * [a708c35] de-branding: move icedove to thunderbird
  * [cccef90] de-branding: moving icedove dh files into thunderbird
  * [8c2b27d] de-branding: rework icedove.1 into thunderbird.1
  * [19406fe] de-branding: transition of mozconfig.*
  * [88ed684] de-branding: rework d/r to reflect changes for thunderbird
  * [c8011d3] de-branding: adding transitional icedove package
  * [5e399aa] de-branding: adjusting package calendar-google-provider
  * [a03329c] debian/tests/help.sh: use absolute path for binary call
  * [10adb34] move old icedove graphic stuff into own folder
  * [abc6c8c] create various thunderbird png graphics from SVG file
  * [a2067ae] debian/copyright: update copyright information
  * [a9c6f9f] de-branding: add own created thunderbird icons to install
  * [1d8b524] mozconfig.default: enable the official branding
  * [9f3a673] debian/control: adding dh-exec to the Build-Depends
  * [cddbc63] move Thunderbird install files into thunderbird.install
  * [5037bb5] de-branding: transition of apparmor profile for TB
  * [14f094d] de-branding: remove extra URL for What's New inside
  * [c2a06db] manpage thunderbird; adjust and correct manpage entries
  * [8fa3365] debian/control: adding package dpkg to Build-Depends
  * [ba84ede] thunderbird: switching dpkg-maintscript-helper to *.maintscript
  * [d0e675b] debian/thunderbird.postinst: adding some moving mechanism
  * [cbae415] de-branding: let helper scripts reflect thunderbird change
  * [da402a4] thunderbird-wrapper.sh: adding fixing inside mimeTypes.rdf (Closes: #837516)
  * [030d49e] de-branding: adding some hints about the debranding
  * [662f7af] debian/README.source: adjusting hints due to name changes
  * [8fbedc1] debian/thunderbird.install: install additional icedove.desktop
  * [9089d9f] debian/*lintian-overrides: adopt name changes
  * [b9b7665] debian/rules: use the old profile folder for wheezy and jessie
  * [f9c137e] fix *.desktop files for proper GNOME app mechanism (Closes: #817973, #832302)
  * [1c85ff7] debian/rules: chmod certain *.py tb-devel files
  * [356694a] thunderbird.links: linking the default TB icon to u/s/p

  [ Guido Günther ]
  * [24bbee9] Wrap and sort control information (Closes: #825806)
  * [fcfe4ac] Add minimalistic autopkgtest
  * [f7a32e8] Add autopkgtest to test header and typelib generation
  * [189d835] Add autopkgtest to smoke test xpcshell

  [ Christoph Goehre ]
  * [354f836] turn the reduce of memory usage of the linker on again
  * [5e48e17] don't build dbgsym packages on unreleased builds
  * [09679eb] rebuild patch queue from patch-queue branch (Closes: #808183)
  * [ec3a50b] debian/NEWS: change urgency to medium

icedove (1:45.6.0-1~deb8u1) stable-security; urgency=medium

  [ Carsten Schoenert ]
  * [26f8f2d] New upstream version 45.6.0
    - MFSA 2016-96 aka CVE-2016-9899, CVE-2016-9895, CVE-2016-9897, CVE-2016-9898, CVE-2016-9900, CVE-2016-9904, CVE-2016-9905, CVE-2016-9893

icedove (1:45.5.1-1) unstable; urgency=medium
  [ Carsten Schoenert ]
  * [efe836f] New upstream version 45.5.1
  * [48999ac] rebuild patch queue from patch-queue branch

icedove (1:45.5.1-1~deb8u1) stable-security; urgency=medium

  [ Carsten Schoenert ]
  * [efe836f] New upstream version 45.5.1
    - MFSA 2016-92 aka CVE-2016-9079
    - MFSA 2016-93 aka CVE-2016-5296, CVE-2016-5294, CVE-2016-5297, CVE-2016-9066, CVE-2016-5291, CVE-2016-9074, CVE-2016-5290

icedove (1:45.5.0-1) unstable; urgency=medium

  [ Guido Günther ]
  * [d077f46] Copy edit README.source
  * [52269b9] repack.py: Improve help output

  [ Carsten Schoenert ]
  * [dcd7d9f] New upstream version 45.5.0
  * [03c11f1] debian/control: increase B-D on libnss3-dev
  * [a6cabae] lintian-overrides: expand and move source overrides
  * [7532930] debhelper: increase version and compatibility to v9

icedove (1:45.4.0-1) unstable; urgency=medium

  [ Guido Günther ]
  * [a159bc9] autopkgtests: let xvfb-run pick the port to avoid clashes with already running servers
  * [a159bc9] autopkgtests: let xvfb-run pick the port
  * [5384838] Snapshot 1:45.3.0-1~1.gbpa159bc
  * [8d3ac18] autopkgtest: Don't print on stderr
  * [8afc7be] Put test deps on a single line

  [ Carsten Schoenert ]
  * [99e9c40] New upstream version 45.4.0 (Closes: #835866, #836798, #837107)
  * [6195d7b] debian/README.source: update instructions for importing
  * [5150624] debian/icedove.js: disabling baselinejit functionality (Closes: #837930)

icedove (1:45.4.0-1~deb8u1) stable-security; urgency=medium

  [ Carsten Schoenert ]
  * [99e9c40] New upstream version 45.4.0
  * [d68e169] debian/icedove.js: disabling baselinejit functionality (Closes: #837930)

icedove (1:45.3.0-1) unstable; urgency=medium

  [ Carsten Schoenert ]
  * [3cc29ee] Imported Upstream version 45.3.0
  * [ed8cf89] Imported icedove-l10n Upstream version 45.3.0
  * [bc20676] Imported iceowl-l10n Upstream version 45.3.0
  * [54bd9c4] debian/README.source: fix up some hints
  * [756ec86] mozconfig.default: enable build of PIE binaries
  * [1cef6f8] rebuild patch queue from patch-queue branch
    added patch:
    - porting-mips/libyuv_disable-mips-assembly-for-MIPS64.patch (Closes: #836400)
  * [7a1ec74] AppArmor: grant access to local mailboxes and enigmail(2) (Closes: #837656)

icoutils (0.31.0-2+deb8u3) jessie-security; urgency=medium

  * CVE-2017-6009 CVE-2017-6010 CVE-2017-6011

icoutils (0.31.0-2+deb8u2) jessie-security; urgency=high

  * Non-maintainer upload by the Security Team.
  * wrestool: Make check_offset more stringent (CVE-2017-5331)
  * prevent access to unallocated memory in wrestool (CVE-2017-5332)
  * wrestool: Fix an index, additional check (CVE-2017-5332 CVE-2017-5333)

icoutils (0.31.0-2+deb8u1) jessie-security; urgency=medium

  * Fix security issue in wrestool, patch by Colin Watson

icu (52.1-8+deb8u5) jessie-security; urgency=high

  * Backport upstream security fix for CVE-2017-7867 and CVE-2017-7868, heap-buffer-overflow in utf8TextAccess.

ikiwiki (3.20141016.4) jessie-security; urgency=high

  * Reference CVE-2016-4561 in 3.20141016.3 changelog
  * Security: force CGI::FormBuilder->field to scalar context where necessary, avoiding unintended function argument injection analogous to CVE-2014-1572.
    - passwordauth: prevent authentication bypass via multiple name parameters (CVE-2017-0356, OVE-20170111-0001)
    - passwordauth: prevent userinfo forgery via repeated email parameter (also CVE-2017-0356)
    - comments, editpage: prevent commit metadata forgery (CVE-2016-9646, OVE-20161226-0001)
    - CGI, attachment, comments, editpage, notifyemail, passwordauth, po, rename: harden against similar issues that are not believed to be exploitable
  * t/passwordauth.t: new automated test for CVE-2017-0356
  * Backport IkiWiki::Plugin::git from 3.20170110 to fix the following bugs, including one minor security vulnerability:
    - Security: try revert operations before approving them. Previously, automatic rename detection could result in a revert writing outside the wiki srcdir or altering a file that the reverting user should not be able to alter, an authorization bypass. (CVE-2016-10026 represents the original vulnerability.) The incomplete fix released in 3.20161219 was not effective for git versions prior to 2.8.0rc0. (CVE-2016-9645 represents that incomplete solution. Debian stable was never vulnerable to this one.)
    - Fix the warnings "cannot chdir to .../ikiwiki-temp-working: No such file or directory" seen in the initial fixes for those security issues
    - If no committer identity is known, set it to "IkiWiki " in .git/config. This resolves commit errors in versions of git that require a non-trivial committer identity.
    - Use git log --no-renames to generate recentchanges, fixing the git test-case with git 2.9 (Closes: #835612)
    - Don't issue a warning if the rcsinfo CGI parameter is undefined
    - Do not fail to commit changes with a recent git version and an anonymous committer
    - Do not fail on filenames starting with a dash (patch from Florian Wagner)
    - Don't add a redundant "--" and run "git rev-list ... -- -- ..."
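The CGI::FormBuilder->field item above, together with its passwordauth sub-items on repeated name and email parameters, describes one Perl mechanism: an accessor that returns all values of a repeated parameter when it is evaluated in list context, which is exactly how a hash constructor or a function argument list evaluates it. The following is an added example and not ikiwiki's, CGI.pm's or CGI::FormBuilder's code. The `param` accessor, `parse_query`, `build_user_vulnerable`, `build_user_fixed` and the query string `name=alice&name=admin&name=1` are constructed for the demonstration; what is not constructed is the context rule itself, which CGI::param and CGI::FormBuilder->field follow in the same way, and the `scalar` fix that the changelog names.

```perl
#!/usr/bin/perl
# Added example, not ikiwiki code: list-context parameter injection of the
# CVE-2014-1572 kind, beside the scalar-context fix the changelog refers to.
use strict;
use warnings;

# Constructed query table: key => [every value sent for that key].
my %query;

# Toy stand-in for CGI::param / CGI::FormBuilder->field. Like the real
# accessors it returns every value in list context and only the first one
# in scalar context; that difference is the whole problem.
sub param {
    my ($name) = @_;
    my @values = @{ $query{$name} || [] };
    return wantarray ? @values : $values[0];
}

# Minimal query-string parser (no URL decoding; enough for this demo).
sub parse_query {
    my ($qs) = @_;
    %query = ();
    for my $pair (split /&/, $qs) {
        my ($k, $v) = split /=/, $pair, 2;
        push @{ $query{$k} }, $v;
    }
}

# Vulnerable pattern: param() sits inside a hash constructor, so Perl
# evaluates it in LIST context. With name=alice&name=admin&name=1 the
# constructor list becomes (admin => 0, name => 'alice', admin => 1): the
# attacker's trailing pair is just another key/value and, being later in
# the list, overrides the hard-coded admin => 0. A function call written as
# f(name => param('name'), ...) expands the same way, which is the
# "function argument injection" the changelog mentions.
sub build_user_vulnerable {
    my %user = (
        admin => 0,
        name  => param('name'),
    );
    return \%user;
}

# Fixed pattern: force scalar context, as the ikiwiki change does for
# CGI::FormBuilder->field. Exactly one value is consumed, so the hash keys
# are the ones written in the source and a repeated parameter cannot add any.
sub build_user_fixed {
    my %user = (
        admin => 0,
        name  => scalar param('name'),
    );
    return \%user;
}

parse_query('name=alice&name=admin&name=1');   # constructed attacker input

my $v = build_user_vulnerable();
my $f = build_user_fixed();
printf "vulnerable: name=%s admin=%s\n", $v->{name}, $v->{admin};
printf "fixed:      name=%s admin=%s\n", $f->{name}, $f->{admin};
```

Run it with `perl` and compare the two lines: the vulnerable hash takes its `admin` flag from the request, the fixed one keeps the value written in the source. The audit rule that falls out of it is mechanical: every call to a multi-valued CGI accessor that appears inside parentheses (hash constructor, argument list, `return` list) needs either `scalar` in front of it or an explicit `my ($x) = ...` assignment first, because the number of values is under the client's control.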
  * Backport t/git-cgi.t from 3.20170110 to have automated test coverage for using the CGI with git, including tests for CVE-2016-10026
    - Build-depend on libipc-run-perl for better build-time test coverage
  * Backport IkiWiki::Plugin::img from 3.20160905 to fix a regression in 3.20141016.3:
    - img: ignore the case of the extension when detecting image format, fixing the regression that *.JPG etc. would not be displayed (patch from Amitai Schleier)
  * Backport tests' installed-test (autopkgtest) support from 3.20160121, adjusted for compatibility with the older pkg-perl-autopkgtest in jessie
    - d/control: add enough build-dependencies to run all tests, except for non-git VCSs

imagemagick (8:6.8.9.9-5+deb8u8) jessie-security; urgency=high

  * Fix a few security bugs:
    + Assertion failure in TGA coder (Closes: #856878). Fix CVE-2017-6498.
    + Out of bound in sun file coder (Closes: #856879). Fix CVE-2017-6500.
    + Memory leak in libmagick++ library (Closes: #856880). Fix CVE-2017-6499.
    + Missing null pointer check in xcf coder (Closes: #856881) and psd coder (Closes: #856882). Fix CVE-2017-6501 and CVE-2017-6497.
    + Fix a memory leak in options handler (Closes: #857426, LP: #1671630)
  * Fix a regression in jessie, Fix artefacts running -sharpen on CMYK images (Closes: #844594).

imagemagick (8:6.8.9.9-5+deb8u7) jessie-security; urgency=medium

  * Fix Ipl file missing malloc check (Closes: #851483). Fix CVE-2016-10145.
  * Fix wpg file off by one (Closes: #851483). Fix CVE-2016-10145.
  * Fix a memory leak in caption coders (Closes: #851380). Fix CVE-2016-10146.
  * Fix possible buffer overflow when writing compressed TIFFS. (Closes: #848139). Fix CVE-2016-8707.
  * Fix a double free in profile due to overflow (Closes: #851383). Fix CVE-2017-5506.
  * Fix memory leak in MPC file handling (Closes: #851382). Fix CVE-2017-5507
  * Fix Heap-Buffer-Overflow in TIFF coder (Closes: #851381). Fix CVE-2017-5508
  * Fix improper cast that could cause an overflow. (Closes: #851374). Fix CVE-2017-5511.
  * Fix memory corruption heap overflow in psb file. (Closes: #851376). Fix CVE-2017-5510.
  * Detect write error in ReadGROUP4Image. (Closes: #849439). Fix CVE-2016-10062

initramfs-tools (0.120+deb8u3) jessie; urgency=medium

  * [6661d01] hook-functions: Include drivers for all keyboards when MODULES=dep (Closes: #639876)
  * [6afc19f] auto_add_modules: Include most USB host drivers (Closes: #762634)
  * [eb35e9a] auto_add_modules: Include all bus driver modules
  * [c9636d5] Remove code that prunes 'broken' symlinks and sometimes /etc/mtab (Closes: #845581)
  * [50b90a9] auto_add_modules: Add all I2C bus and mux drivers when MODULES=most (Closes: #825687)
  * [94d23b8] hook-functions: Stop force-loading drivers found through sysfs when MODULES=dep (Closes: #792910)

installation-guide (20150423+deb8u3) jessie; urgency=medium

  [ Matt Kraai ]
  * Fix Instructions for creating syslinux.cfg according to syslinux 5.00 change. Closes: #803267.

  [ Cyril Brulebois ]
  * Mass-update po translations (install-methods.po) so that the syslinux example is correct (see #803267): el es fi hu ko ru sv vi zh_CN zh_TW

ioquake3 (1.36+u20140802+gca9eebb-2+deb8u1) jessie-security; urgency=high

  * d/gbp.conf: switch branch to debian/jessie
  * d/patches: Add patches from upstream fixing security vulnerabilities
    - refuse to load potentially auto-downloadable .pk3 files as ioquake3 renderers, ioquake3 game code, libcurl, or OpenAL drivers (mitigation: auto-downloading is off by default, and in Debian we do not dlopen libcurl anyway)
    - refuse to load default configuration file names from a .pk3 file
    - protect cl_renderer, cl_curllib, s_aldriver configuration variables so game code cannot set them
    - refuse to overwrite files other than *.txt with the dump console command
    - refuse to overwrite files other than *.cfg with the writeconfig console command
    (Closes: #857699; CVE-2017-6903)

irqbalance (1.0.6-3+deb8u1) jessie; urgency=medium

  * Non-maintainer upload.
  * Only warn once for affinity hint subset empty irqs (Closes: #784391)

jasper (1.900.1-debian1-2.4+deb8u3) jessie-security; urgency=medium

  * CVE-2016-9591 CVE-2016-10249 CVE-2016-10251

jasper (1.900.1-debian1-2.4+deb8u2) jessie-security; urgency=medium

  * CVE-2016-1867 CVE-2016-8654 CVE-2016-8691 CVE-2016-8692 CVE-2016-8693 CVE-2016-8882 CVE-2016-9560

jbig2dec (0.13-4~deb8u1) jessie-security; urgency=medium

  * Non-maintainer upload by the Debian Security Team.
  * Backport latest upstream release to Jessie.
  * Fixes CVE-2016-9601 and many other unreported issues.
  * Drop licensecheck from build-depends as it was part of devscripts in the past (and we don't need such a check in stable/oldstable).
  * Disable multiarch support to not introduce unexpected regression.

jbig2dec (0.13-3) unstable; urgency=medium

  * Add patch cherry-picked upstream to prevent checking too early for buffer overrun.
  * Modernize CDBS: Build-depend on licensecheck (not devscripts).

jbig2dec (0.13-2) unstable; urgency=medium

  * Fix mark libjbig2dec0 as multi-arch: same. Closes: Bug#799916. Thanks to Jacek Szafarkiewicz and Yuriy M. Kaminskiy.
  * Add patch 2001 to avoid compile unrelated and unusable Memento memory debugging code. Closes: Bug#824483. Thanks to Yuriy M. Kaminskiy.
  * Drop symbols for dropped Memento code. Thanks to Yuriy M. Kaminskiy.

jbig2dec (0.13-1) unstable; urgency=medium

  [ upstream ]
  * New bugfix release.

  [ Jonas Smedegaard ]
  * Update watch file:
    + Bump file format to version 4.
    + Mangle scanned page to get tarball URLs from tags, and adapt URL pattern.
    + Mangle download filename.
    + Mention gbp in usage comment.
  * Use https protocol in Vcs-Git URL.
  * Declare compliance with Debian Policy 3.9.8.
  * Update copyright info:
    + Extend coverage for main author to include recent years.
    + Extend copyright of packaging to cover current year.
  * Update git-buildpackage config: Filter any .gitignore file.
  * Drop patch 2001: Applied upstream.
  * Drop 3 symbols (unused, according to http://codesearch.debian.net/).
  * Fix remove old lintian overrides file.

jbig2dec (0.12+20150918-1) unstable; urgency=medium

  [ upstream ]
  * Snapshot.
    + Tidy build configuration.
    + Update for modern libpng.
    + Commit of build_consolidation branch.
    + Fixes for Windows build with VS 2015.
    + Check that cloned image exists before proceeding further.
    + Release huffman table memory properly.

  [ Jonas Smedegaard ]
  * Fix lintian overrides.
  * Unfuzz all patches.

jbig2dec (0.12-2) unstable; urgency=medium

  * Move package maintenance to printing team.
  * Suppress lintian warning about build-depending unversioned on debhelper.
  * Update copyright info: Fix strip stray License field.

jbig2dec (0.12-1) unstable; urgency=medium

  * Update README.source to emphasize that control.in file is *not* a show-stopper for contributions, referring to wiki page for details.
  * Update upstream URLs to reflect move to git.ghostscript.com and lack of tarball releases.
  * Declare compliance with Debian Policy 3.9.6.
  * Update Vcs-* fields.
  * Bump debhelper compatibility level to 9.
  * Update copyright info:
    + Extend coverage for myself.
    + Bump packaging license to GPL-3+.
    + Fix use SPDX shortname for X11 license. Thanks to Paul Richards Tagliamonte.
    + Use file format 1.0.
    + Use license short-name public-domain.
    + Bump main license to AGPL-3+. Add NEWS file about that change.
    + Drop unused Files and License sections for autotools files.
    + Use License-Grant and License-Reference fields. Thanks to Ben Finney.
  * Use newest autotools. Build-depend automake (not automake1.11) and on recent cdbs.
  * Drop patches 1002 1003 applied upstream.
  * Improve patch 1004: Remove extracted file from script to detect upstream code changes.
  * Add debian/patches/README documenting patch naming micro-policy.
  * Add patch 2001 to avoid including problematic and seemingly unneeded pngstruct.h.
  * Let CDBS move aside upstream cruft during build.
  * Cleanup more autotools files.
  * Add symbols file. Closes: bug#694899. Thanks to Logan Rosen.
  * Fix tie d-shlibs target also to development package (not only library package).
  * Add lintian overrides regarding license in License-Reference field. See bug#786450.
  * Update package relations:
    + Build-depend unversioned on d-shlibs: Needed version satisfied even in oldstable.
  * Install into multiarch paths.

jhead (1:2.97-1+deb8u1) jessie-security; urgency=high

  * Non-maintainer upload by the Security Team.
  * CVE-2016-3822: Fix possible out of bounds access (Closes: #858213)

kup (0.3.2-2) jessie; urgency=medium

  * kup: Backport changes needed to work with kernel.org in future (Closes: #859143):
    - Add support for subcmd config option
    - Make sure we use sanitized KUP_SUBCMD

lcms2 (2.6-3+deb8u1) jessie-security; urgency=high

  * Non-maintainer upload by the Security Team.
  * Added an extra check to MLU bounds (CVE-2016-10165) (Closes: #852627)

libav (6:11.9-1~deb8u1) jessie-security; urgency=medium

  * New upstream release.
    - mpegvideo_parser: avoid signed overflow in bitrate calculation. (CVE-2016-9821)
    - mpeg12dec: avoid signed overflow in bitrate calculation. (CVE-2016-9822)
  * debian/patches/mpegvideo_motion-Handle-edge-emulation-even-without-.patch: Removed, included upstream.

libdatetime-timezone-perl (1:1.75-2+2017b) jessie; urgency=medium

  * Update to Olson database version 2017b. This update contains contemporary changes for Haiti.

libdatetime-timezone-perl (1:1.75-2+2017a) jessie; urgency=medium

  * Update to Olson database version 2017a. This update contains contemporary changes to Mongolia and Chile.

libevent (2.0.21-stable-2+deb8u1) jessie-security; urgency=high

  * Fix three vulnerabilities (Closes: #854092):
    - DNS remote stack overread vulnerability (CVE-2016-10195)
    - (Stack) buffer overflow in evutil_parse_sockaddr_port() (CVE-2016-10196)
    - Out-of-bounds read in search_make_new() (CVE-2016-10197)
  * Add myself as an uploader

libgd2 (2.1.0-5+deb8u9) jessie-security; urgency=high
  * [CVE-2016-6906]: Fix OOB reads of the TGA decompression buffer
  * [CVE-2016-6912]: Fix double-free in gdImageWebPtr()
  * [CVE-2016-10166]: Fix potential unsigned underflow
  * [CVE-2016-10167]: Fix DOS vulnerability in gdImageCreateFromGd2Ctx()
  * [CVE-2016-6906]: Fix OOB reads of the TGA decompression buffer
  * [CVE-2016-9317]: Check for oversized images
  * [CVE-2016-10168]: Fix signed integer Overflow gd_io.c

libindicate (0.6.92-2+deb8u1) jessie; urgency=medium

  * QA upload.
  * Set maintainer to the QA group.
  * libindicate-gtk3-dev: Depend on libindicate-gtk3-3 instead of libindicate-gtk3, thanks to Andreas Beckmann for finding this bug. (Closes: #715066)

libmateweather (1.8.0-2+deb8u2) jessie-proposed-updates; urgency=medium

  [ ZenWalker ]
  * debian/patches:
    + Add 002_rename-rangoon-timezone-to-yangon.patch. Follow tzdata 2016g change. (Closes: #848742).

libphp-swiftmailer (5.2.2-1+deb8u1) jessie-security; urgency=high

  * Non-maintainer upload.
  * Fix CVE-2016-10074: The mail transport (aka Swift_Transport_MailTransport) in Swift Mailer allowed remote attackers to pass extra parameters to the mail command and consequently execute arbitrary code via a \" (backslash double quote) in a crafted e-mail address in the From, ReturnPath, or Sender header.

libquicktime (2:1.2.4-7+deb8u1) jessie-security; urgency=medium

  * Team Upload
  * Fix integer overflow in the quicktime_read_pascal function (CVE-2016-2399) (Closes: #855099)

libreoffice (1:4.3.3-2+deb8u7) jessie-security; urgency=high

  * debian/patches/CVE-2017-7870.diff: fix CVE-2017-7870

libreoffice (1:4.3.3-2+deb8u6) jessie-security; urgency=high

  * debian/patches/olefix.diff: fix CVE-2017-3157

libreoffice (1:4.3.3-2+deb8u6~bpo70+1) wheezy-backports; urgency=high

  * Rebuild for wheezy-backports.

  * debian/rules:
    - comment out some conditionals, as they don't exactly do what we want on wheezy-backports, and use hardcoded values
    - fix coinmp conditional, use internal one on wheezy...
    - use internal icu - see https://bugs.freedesktop.org/show_bug.cgi?id=82229#c38
    - bump libgraphite2-dev build-dep to ensure fixed version from wheezy-lts
  * debian/rules, debian/shlibs.local.coin: add shlibs.local.coin to override all the internal coin dynamic libraries....
  * debian/shlibs.override.icu: update to actual current SOVERSION
  * debian/rules, debian/shlibs.override.libc: revert libc hack again
  * debian/patches/icu-icudata-link-fix-armhf.diff: fix internal icu build on armhf ("stolen" from icu package)

libreoffice (1:4.3.3-2+deb8u6) jessie-security; urgency=high

  * debian/patches/olefix.diff: fix CVE-2017-3157

libreoffice (1:4.3.3-2+deb8u5) jessie-security; urgency=medium

  * debian/patches/CVE-2016-4324.diff: fix "LibreOffice RTF Stylesheet Code Execution Vulnerability" (TALOS-CAN-0126 / CVE-2016-4324)

libreoffice (1:4.3.3-2+deb8u4) jessie; urgency=medium

  * debian/patches/ppc64el-jdk-paths.diff: fix ppc64el FTBFS due to changed OpenJDK paths, thanks Slavek Banko (closes: #819375)

  * debian/rules:
    - fix logic to not install sound files (closes: #780497)

libvirt (1.2.9-9+deb8u4) jessie; urgency=medium

  [ Guido Günther ]
  * [7e378ce] Make sure the cgroup update notice is also shown in backports
  * [bd11c4c] Unbreak compilation of qemuhelptest

  [ Hilko Bengen ]
  * [fffb132] Add patch to improve qemu v2.6+ compatibility (Closes: #841291)

libvorbisidec (1.0.2+svn18153-1~deb8u1) jessie; urgency=medium

  * QA upload.
  * Rebuild for jessie.

libxpm (1:3.5.12-0+deb8u1) jessie-security; urgency=high

  * Non-maintainer upload by the Security Team.
  * New upstream version 3.5.12
    - Fix abs() usage
    - Fix out of boundary read on unknown colors
    - Gracefully handle EOF while parsing files
    - Avoid OOB write when handling malicious XPM files (CVE-2016-10164)
    - Handle size_t in file/buffer length

libxslt (1.1.28-2+deb8u3) jessie; urgency=medium

  * Non-maintainer upload.
  * Check for integer overflow in xsltAddTextString (CVE-2017-5029) (Closes: #858546)

linux (3.16.43-2) jessie; urgency=high

  * mm/huge_memory.c: fix up "mm/huge_memory.c: respect FOLL_FORCE/FOLL_COW for thp" backport (Closes: #861313)

linux (3.16.43-1) jessie; urgency=medium

  * New upstream stable update:
    https://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.16.40
    - [x86] drm/i915/vlv: Make intel_crt_reset() per-encoder
    - [x86] drm/i915/vlv: Reset the ADPA in vlv_display_power_well_init()
    - fbdev/efifb: Fix 16 color palette entry calculation
    - [s390*] zfcp: fix fc_host port_type with NPIV
    - [s390*] zfcp: fix ELS/GS request&response length for hardware data router
    - [s390*] zfcp: close window with unblocked rport during rport gone
    - [s390*] zfcp: retain trace level for SCSI and HBA FSF response records
    - [s390*] zfcp: restore: Don't use 0 to indicate invalid LUN in rec trace
    - [s390*] zfcp: trace on request for open and close of WKA port
    - [s390*] zfcp: restore tracing of handle for port and LUN with HBA records
    - [s390*] zfcp: fix D_ID field with actual value on tracing SAN responses
    - [s390*] zfcp: fix payload trace length for SAN request&response
    - [s390*] zfcp: trace full payload of all SAN records (req,resp,iels)
    - clk: divider: Fix clk_divider_round_rate() to use clk_readl()
    - [x86] dumpstack: Fix x86_32 kernel_stack_pointer() previous stack access
    - PCI: Mark Atheros AR9580 to avoid bus reset
    - netfilter: restart search if moved to other chain
    - uio: fix dmem_region_start computation
    - platform: don't return 0 from platform_get_irq[_byname]() on error
    - [arm64] debug: avoid resetting stepping state machine when TIF_SINGLESTEP
    - ASoC: dapm: Fix value setting for _ENUM_DOUBLE MUX's second channel
    - genirq/generic_chip: Add irq_unmap callback
    - rtlwifi: Update regulatory database
    - rtlwifi: Fix missing country code for Great Britain
    - pwm: Unexport children before chip removal
    - cx231xx: don't return error on success
    - cx231xx: fix GPIOs for Pixelview SBTVD hybrid
    - ext4: reinforce check of i_dtime when clearing high fields of uid and gid
    - pstore/core: drop cmpxchg based updates
    - pstore/ram: Use memcpy_toio instead of memcpy
    - pstore/ram: Use memcpy_fromio() to save old buffer
    - ipv4: accept u8 in IP_TOS ancillary data
    - [armhf] phy: sun4i-usb: Use spinlock to guard phyctl register access
    - dm: mark request_queue dead before destroying the DM device
    - dm mpath: check if path's request_queue is dying in activate_path()
    - ext4: bugfix for mmaped pages in mpage_release_unused_pages()
    - [armhf] dts: exynos: Fix mismatched value for SD4 pull up/down configuration on exynos4210
    - reiserfs: Unlock superblock before calling reiserfs_quota_on_mount()
    - sctp: do not return the transmit err back to sctp_sendmsg
    - pkt_sched: fq: use proper locking in fq_dump_stats()
    - [x86] iommu/amd: Free domain id when free a domain of struct dma_ops_domain
    - [powerpc*] nvram: Fix an incorrect partition merge
    - ALSA: ali5451: Fix out-of-bound position reporting
    - usb: misc: legousbtower: Fix NULL pointer dereference
    - net/mlx4_en: Fix wrong indentation
    - net/mlx4_core: Fix deadlock when switching between polling and event fw commands
    - drm/radeon: narrow asic_init for virtualization
    - [powerpc*] eeh: Null check uses of eeh_pe_bus_get
    - ALSA: usb-audio: Extend DragonFly dB scale quirk to cover other variants
    - netfilter: nft_exthdr: Add size check on u8 nft_exthdr attributes
    - netfilter: nf_tables: validate maximum value of u32 netlink attributes
    - svcrdma: Tail iovec leaves an orphaned DMA mapping
    - blkcg: Annotate blkg_hint correctly
    - ALSA: hda - Adding one more ALC255 pin definition for headset problem
    - mmc: block: don't use CMD23 with very old MMC cards
    - [powerpc*] KVM: Book3S: Treat VTB as a per-subcore register, not per-thread
    - [powerpc*] KVM: BookE: Fix a sanity check
    - [powerpc*] KVM: Book3s PR: Allow access to unprivileged MMCR2 register
    - NFSv4: Open state recovery must account for file permission changes
    - Revert "usbtmc: convert to devm_kzalloc"
    - drm/radeon/si/dpm: fix phase shedding setup
    - [powerpc*/*64*] vdso64: Use double word compare on pointers
    - ext4: release bh in make_indexed_dir
    - [s390*] con3270: fix use of uninitialised data
    - [s390*] con3270: fix insufficient space padding
    - fuse: invalidate dir dentry after chmod
    - fuse: fix killing s[ug]id in setattr
    - fuse: listxattr: verify xattr list
    - crypto: gcm - Fix IV buffer size in crypto_gcm_setkey
    - staging: rtl8188eu: fix missing unlock on error in rtw_resume_process()
    - staging: rtl8188eu: fix double unlock error in rtw_resume_process()
    - UBI: fastmap: scrub PEB when bitflips are detected in a free PEB EC header
    - ubi: Deal with interrupted erasures in WL
    - ubi: Fix races around ubi_refill_pools()
    - ubi: Fix Fastmap's update_vol()
    - i40e: avoid NULL pointer dereference and recursive errors on early PCI error
    - [powerpc*] powernv: Use CPU-endian PEST in pnv_pci_dump_p7ioc_diag_data()
    - mfd: rtsx_usb: Avoid setting ucr->current_sg.status
    - async_pq_val: fix DMA memory leak
    - mm: filemap: fix mapping->nrpages double accounting in fuse
    - netlink: do not enter direct reclaim from netlink_dump()
    - IB/srp: Fix infinite loop when FMR sg[0].offset != 0
    - [x86] Input: elantech - add Fujitsu Lifebook E556 to force crc_enabled
    - mm/hugetlb: fix memory offline with hugepage size > memory block size
    - mm/hugetlb: check for reserved hugepages during memory offline
    - vfs,mm: fix a dead loop in truncate_inode_pages_range()
    - [powerpc*] pseries: Fix stack corruption in htpe code
    - [powerpc*/*64*] Fix incorrect return value from __copy_tofrom_user
    - [x86] panic: replace smp_send_stop() with kdump friendly version in panic path
    - [mips*] panic: replace smp_send_stop() with kdump friendly version in panic path
    - compiler: Allow 1- and 2-byte smp_load_acquire() and smp_store_release()
    - ipc: remove use of seq_printf return value
    - ipc/sem.c: fix complex_count vs. simple op race
    - [mips*] ptrace: Fix regs_return_value for kernel context
    - cifs: Display number of credits available
    - cifs: Limit the overall credit acquired
    - cifs: Set previous session id correctly on SMB3 reconnect
    - cifs: SMB3: GUIDs should be constructed as random but valid uuids
    - cifs: Clarify locking of cifs file and tcon structures and make more granular
    - cifs: Do not send SMB3 SET_INFO request if nothing is changing
    - cifs: Cleanup missing frees on some ioctls
    - fs/super.c: fix race between freeze_super() and thaw_super()
    - scsi: Fix use-after-free
    - mac80211: discard multicast and 4-addr A-MSDUs
    - jbd2: fix incorrect unlock on j_list_lock
    - drm/radeon: change vblank_time's calculation method to reduce computational error.
    - ipv6: correctly add local routes when lo goes up
    - [s390*] scsi: zfcp: spin_lock_irqsave() is not nestable
    - mmc: sdhci: cast unsigned int to unsigned long long to avoid unexpected error
    - mmc: rtsx_usb_sdmmc: Avoid keeping the device runtime resumed when unused
    - mmc: rtsx_usb_sdmmc: Handle runtime PM while changing the led
    - memstick: rtsx_usb_ms: Runtime resume the device when polling for cards
    - memstick: rtsx_usb_ms: Manage runtime PM when accessing the device
    - [arm64] kernel: Init MDCR_EL2 even in the absence of a PMU
    - netfilter: nf_tables: underflow in nft_parse_u32_check()
    - ALSA: hda - allow 40 bit DMA mask for NVidia devices
    - isofs: Do not return EACCES for unknown filesystems
    - bridge: multicast: restore perm router ports on multicast enable
    - hwrng: core - Don't use a stack buffer in add_early_randomness()
    - [x86] Input: i8042 - add XMG C504 to keyboard reset table
    - ubifs: Fix xattr_names length in exit paths
    - ubifs: Abort readdir upon error
    - target: Make EXTENDED_COPY 0xe4 failure return COPY TARGET DEVICE NOT REACHABLE
    - target: Don't override EXTENDED_COPY xcopy_pt_cmd SCSI status code
    - [x86] xhci: add restart quirk for Intel Wildcatpoint PCH
    - xhci: workaround for hosts missing CAS bit
    - USB: serial: fix potential NULL-dereference at probe
    - drm/radeon/si_dpm: Limit clocks on HD86xx part
    - [arm64] KVM: Take S1 walks into account when determining S2 write faults
    - [powerpc*] Convert cmp to cmpd in idle enter sequence
    - ipv4: use the right lock for ping_group_range
    - ACPI / APEI: Fix incorrect return value of ghes_proc()
    - dm table: fix missing dm_put_target_type() in dm_table_add_target()
    - [x86] mei: txe: don't clean an unprocessed interrupt cause.
    - scsi: megaraid_sas: Fix data integrity failure for JBOD (passthrough) devices
    - [x86] hv: do not lose pending heartbeat vmbus packets
    - ALSA: hda - Fix surround output pins for ASRock B150M mobo
    - drm/radeon: drop register readback in cayman_cp_int_cntl_setup
    - drm/radeon/si_dpm: workaround for SI kickers
    - scsi: scsi_debug: Fix memory leak if LBP enabled and module is unloaded
    - scsi: arcmsr: Send SYNCHRONIZE_CACHE command to firmware
    - tty: vt, fix bogus division in csi_J
    - tty: limit terminal size to 4M chars
    - vt: clear selection before resizing
    - netfilter: nf_conntrack_sip: extend request line validation
    - netfilter: nf_tables: fix type mismatch with error return from nft_parse_u32_check
    - btrfs: fix races on root_log_ctx lists
    - lib/genalloc.c: start search from start of chunk
    - [s390*] hypfs: Use get_free_page() instead of kmalloc to ensure page alignment
    - [x86] KVM: fix wbinvd_dirty_mask use-after-free
    - GenWQE: Fix bad page access during abort of resource allocation
    - ubifs: Fix regression in ubifs_readdir()
    - md: be careful not to leak internal curr_resync value into metadata.
    - net/mlx5: Avoid passing dma address 0 to firmware
    - packet: on direct_xmit, limit tso and csum to supported devices
    - net/mlx4_core: Fix the resource-type enum in res tracker to conform to FW spec
    - net/mlx4_en: Resolve dividing by zero in 32-bit system
    - net/mlx4_en: Process all completions in RX rings after port goes up
    - net/mlx4_en: Fix potential deadlock in port statistics flow
    - [x86] iommu/vt-d: Fix IOMMU lookup for SR-IOV Virtual Functions
    - virtio: console: Unlock vqs while freeing buffers
    - netfilter: nf_tables: destroy the set if fail to add transaction
    - [x86] mei: bus: fix received data size check in NFC fixup
    - ipv6: Don't use ufo handling on later transformed packets
    - can: bcm: fix warning in bcm_connect/proc_register
    - bgmac: stop clearing DMA receive control register right after it is set
    - uwb: fix device reference leaks
    - [armel,armhf] gpio/mvebu: Use irq_domain_add_linear
    - PM / sleep: fix device reference leak in test_suspend
    - ip6_tunnel: Clear IP6CB in ip6tunnel_xmit()
    - firewire: net: fix fragmented datagram_size off-by-one
    - ipv4: allow local fragmentation in ip_finish_output_gso()
    - i2c: core: fix NULL pointer dereference under race condition
    - iio: hid-sensors: Fix compilation warning
    - iio: hid-sensors: Increase the precision of scale to fix wrong reading interpretation.
    - [armhf] net: ethernet: ti: cpsw: fix device and of_node leaks
    - scsi: megaraid_sas: fix macro MEGASAS_IS_LOGICAL to avoid regression
    - rtnl: reset calcit fptr in rtnl_unregister()
    - USB: cdc-acm: fix TIOCMIWAIT
    - PM / sleep: don't suspend parent when async child suspend_{noirq, late} fails
    - [x86] ALSA: hda - Fix mic regression by ASRock mobo fixup
    - swapfile: fix memory corruption via malformed swapfile
    - coredump: fix unfreezable coredumping task
    - dib0700: fix nec repeat handling
    - scsi: mpt3sas: Fix secure erase premature termination
    - neigh: check error pointer instead of NULL for ipv4_neigh_lookup()
    - ipv4: use new_gw for redirect neigh lookup
    - fuse: fix fuse_write_end() if zero bytes were copied
    - [armhf] usb: chipidea: move the lock initialization to core file
    - rtnetlink: fix rtnl_vfinfo_size
    - mfd: core: Fix device reference leak in mfd_clone_cell
    - nvme/pci: Don't free queues on error
    - IB/uverbs: Fix leak of XRC target QPs
    - IB/cm: Mark stale CM id's whenever the mad agent was unregistered
    - IB/core: Avoid unsigned int overflow in sg_alloc_table
    - IB/mlx5: Use cache line size to select CQE stride
    - IB/mlx5: Resolve soft lock on massive reg MRs
    - IB/mlx5: Fix NULL pointer dereference on debug print
    - IB/mlx4: Fix create CQ error flow
    - mwifiex: printk() overflow with 32-byte SSIDs
    - of_mdio: fix node leak in of_phy_register_fixed_link error path
    - cfg80211: limit scan results cache size
    - [armhf] net: ethernet: ti: cpsw: fix bad register access in probe error path
    - [armhf] net: ethernet: ti: cpsw: fix mdio device reference leak
    - [armhf] net: ethernet: ti: cpsw: fix secondary-emac probe error path
    - KVM: Disable irq while unregistering user notifier
    - [x86] KVM: fix missed SRCU usage in kvm_lapic_set_vapic_addr
    - ext4: sanity check the block and cluster size at mount time
    - l2tp: fix racy SOCK_ZAPPED flag check in l2tp_ip{,6}_bind() (CVE-2016-10200)
    - apparmor: fix change_hat not finding hat after policy replacement
    - [x86] traps: Ignore high word of regs->cs in early_fixup_exception()
    - xc2028: Fix use-after-free bug properly
    - [armhf] net: ethernet: mvneta: Remove IFF_UNICAST_FLT which is not implemented
    - net/mlx4: Fix uninitialized fields in rule when adding promiscuous mode to device managed flow steering
    - pwm: Fix device reference leak
    - netfilter: arp_tables: fix invoking 32bit "iptable -P INPUT ACCEPT" failed in 64bit kernel
    - [powerpc*] eeh: Fix deadlock when PE frozen state can't be cleared
    - batman-adv: Check for alloc errors when preparing TT local data
    - locking/rtmutex: Prevent dequeue vs. unlock race
    - ipv4: Set skb->protocol properly for local output
    - ipv6: Set skb->protocol properly for local output
    - tipc: check minimum bearer MTU
    - [x86] perf: Fix full width counter, counter overflow
    - fuse: fix clearing suid, sgid for chown()
    - can: raw: raw_setsockopt: limit number of can_filter that can be set
    - can: peak: fix bad memory access and free sequence
    - ser_gigaset: return -ENOMEM on error instead of success
    - vfs,mm: fix return value of read() at s_maxbytes
    https://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.16.41
    - mnt: Add a per mount namespace limit on the number of mounts (CVE-2016-6213)
    - ext4: validate s_first_meta_bg at mount time (CVE-2016-10208)
    https://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.16.42
    - net/sched: em_meta: Fix 'meta vlan' to correctly recognize zero VID frames
    - ite-cir: initialize use_demodulator before using it
    - usb: gadget: composite: correctly initialize ep->maxpacket
    - usb: gadget: composite: always set ep->mult to a sensible value
    - [armhf] usb: dwc3: gadget: set PCM1 field of isochronous-first TRBs
    - [amd64] drm/gma500: Add compat ioctl
    - enic: set skb->hash type properly
    - xfs: fix up xfs_swap_extent_forks inline extent handling
    - scsi: megaraid_sas: For SRIOV enabled firmware, ensure VF driver waits for 30secs before reset
    - PCI: Check for PME in targeted sleep state
    - USB: UHCI: report non-PME wakeup signalling for Intel hardware
    - [armhf] dts: imx6q-cm-fx6: fix fec pinctrl
    - [powerpc] ibmebus: Fix device reference leaks in sysfs interface
    - [powerpc] ibmebus: Fix further device reference leaks
    - [powerpc*] pci/rpadlpar: Fix device reference leaks
    - usb: xhci-mem: use passed in GFP flags instead of GFP_KERNEL
    - dm rq: fix a race condition in rq_completed()
    - ext4: fix mballoc breakage with 64k block size
    - ext4: fix stack memory corruption with 64k block size
    - IB/core: Save QP in ib_flow structure
    - IB/mlx5: Put non zero value in max_ah
    - IB/mlx5: Wait for all async command completions to complete
    - IB/IPoIB: Remove can't use GFP_NOIO warning
    - IB/mlx4: Set traffic class in AH
    - IB/mlx4: Put non zero value in max_ah device attribute
    - IB/mlx4: Fix port query for 56Gb Ethernet links
    - scsi: mvsas: fix command_active typo
    - ssb: Fix error routine when fallback SPROM fails
    - usb: hub: Fix auto-remount of safely removed or ejected USB-3 devices
    - [armhf] USB: phy: am335x-control: fix device and of_node leaks
    - ext4: fix in-superblock mount options processing
    - ext4: use more strict checks for inodes_per_block on mount
    - ext4: add sanity checking to count_overhead()
    - [powerpc*] KVM: Book3S HV: Save/restore XER in checkpointed register state
    - dm crypt: mark key as invalid until properly loaded
    - f2fs: set ->owner for debugfs status file's file_operations
    - xen/gntdev: Use VM_MIXEDMAP instead of VM_IO to avoid NUMA balancing
    - ALSA: usb-audio: Fix bogus error return in snd_usb_create_stream()
    - md/raid5: limit request size according to implementation limits
    - thermal: hwmon: Properly report critical temperature in sysfs
    - USB: serial: kl5kusb105: fix open error path
    - USB: serial: kl5kusb105: abort on open exception path
    - [powerpc] ps3: Fix system hang with GCC 5 builds
    - Btrfs: fix tree search logic when replaying directory entry deletes
    - [armhf,arm64] bus: vexpress-config: fix device reference leak
    - block: protect iterate_bdevs() against concurrent close
    - NFS: Fix a performance regression in readdir
    - xfs: set AGI buffer type in xlog_recover_clear_agi_bucket
    - mmc: sdhci: Fix recovery from tuning timeout
    - CIFS: Fix missing nls unload in smb2_reconnect()
    - CIFS: Fix a possible memory corruption in push locks
    - CIFS: Fix a possible memory corruption during reconnect
    - [x86] ALSA: hda - Add inverted internal mic for Asus Aspire 4830T
    - [x86] ALSA: hda - Add the top speaker pin config for HP Spectre x360
    - [x86] ALSA: hda - Gate the mic jack on HP Z1 Gen3 AiO
    - drm/radeon: Hide the HW cursor while it's out of bounds
    - drm/radeon: Use mode h/vdisplay fields to hide out of bounds HW cursor
    - drm/radeon: add additional pci revision to dpm workaround
    - [armhf] xen: Use alloc_percpu rather than __alloc_percpu
    - clk: clk-wm831x: fix a logic error
    - hotplug: Make register and unregister notifier API symmetric
    - iw_cxgb4: Fix error return code in c4iw_rdev_open()
    - dm space map metadata: fix 'struct sm_metadata' leak on failed create
    - md: MD_RECOVERY_NEEDED is set for mddev->recovery
    - cfg80211/mac80211: fix BSS leaks when abandoning assoc attempts
    - hwmon: (ds620) Fix overflows seen when writing temperature limits
    - [i386] ftrace: Set ftrace_stub to weak to prevent gcc from using short jumps to it
    - fgraph: Handle a case where a tracer ignores set_graph_notrace
    - nfs_write_end(): fix handling of short copies
    - ext4: reject inodes with negative size
    - ext4: return -ENOMEM instead of success
    - [s390*] vmlogrdr: fix IUCV buffer allocation
    - [armhf] hwmon: (g762) Fix overflows and crash seen when writing limit attributes
    - ALSA: hiface: Fix M2Tech hiFace driver sampling rate change
    - libceph: verify authorize reply on connect
    - fs/notify/inode_mark.c: use list_next_entry in fsnotify_unmount_inodes
    - fsnotify: Fix possible use-after-free in inode iteration on umount
    - IB/mlx4: When no DMFS for IPoIB, don't allow NET_IF QPs
    - IB/mlx4: Fix out-of-range array index in destroy qp flow
    - Btrfs: delayed-inode: replace root args iff only fs_info used
    - btrfs: limit async_work allocation and worker func duration
    - block_dev: don't test bdev->bd_contains when it is not stable
    - IB/mad: Fix an array index check
    - IPoIB: Avoid reading an uninitialized member variable
    - IB/multicast: Check ib_find_pkey() return value
    - [s390x] scsi: zfcp: fix use-after-"free" in FC ingress path after TMF
    - [s390x] scsi: zfcp: do not trace pure benign residual HBA responses at default level
    - [s390x] scsi: zfcp: fix rport unblock race with LUN recovery
    - scsi: avoid a permanent stop of the scsi device's request queue
    - target/iscsi: Fix double free in lio_target_tiqn_addtpg()
    - [x86] drivers/gpu/drm/ast: Fix infinite loop if read fails
    - NFSv4.1: nfs4_fl_prepare_ds must be careful about reporting success.
    - [x86] drm/i915/dsi: Do not clear DPOUNIT_CLOCK_GATE_DISABLE from vlv_init_display_clock_gating
    - fs: exec: apply CLOEXEC before changing dumpable task flags
    - [x86] Input: i8042 - add Pegatron touchpad to noloop table
    - net, sched: fix soft lockup in tc_classify
    - [armhf] net: stmmac: Fix race between stmmac_drv_probe and stmmac_open
    - [armhf] net: stmmac: Fix error path after register_netdev move
    - net/mlx4_core: Use-after-free causes a resource leak in flow-steering detach
    - net/mlx4_en: Fix bad WQE issue
    - net/mlx4: Remove BUG_ON from ICM allocation routine
    - [armhf] usb: dwc3: ep0: add dwc3_ep0_prepare_one_trb()
    - [armhf] usb: dwc3: ep0: explicitly call dwc3_ep0_prepare_one_trb()
    - [armhf] usb: dwc3: gadget: always unmap EP0 requests
    - [armhf] usb: gadget: composite: Test get_alt() presence instead of set_alt()
    - [armhf] usb: gadgetfs: restrict upper bound on device configuration size
    - [armhf] USB: gadgetfs: fix unbounded memory allocation bug
    - [armhf] USB: gadgetfs: fix use-after-free bug
    - [armhf] USB: gadgetfs: fix checks of wTotalLength in config descriptors
    - btrfs: fix error handling when run_delayed_extent_op fails
    - btrfs: fix locking when we put back a delayed ref that's too new
    - xhci: free xhci virtual devices with leaf nodes first
    - usb: xhci: fix possible wild pointer
    - usb: host: xhci: Fix possible wild pointer when handling abort command
    - xhci: Handle command completion and timeout race
    - usb: xhci: hold lock over xhci_abort_cmd_ring()
    - USB: serial: cyberjack: fix NULL-deref at open
    - USB: serial: garmin_gps: fix memory leak on failed URB submit
    - USB: serial: io_edgeport: fix NULL-deref at open
    - USB: serial: io_ti: fix NULL-deref at open
    - USB: serial: io_ti: fix another NULL-deref at open
    - USB: serial: iuu_phoenix: fix NULL-deref at open
    - USB: serial: keyspan_pda: verify endpoints at probe
    - USB: serial: kobil_sct: fix NULL-deref in write
    - USB: serial: mos7720: fix NULL-deref at open
    - USB: serial: mos7720: fix use-after-free on probe errors
    - USB: serial: mos7720: fix parport use-after-free on probe errors
    - USB: serial: mos7720: fix parallel probe
    - USB: serial: mos7840: fix NULL-deref at open
    - USB: serial: mos7840: fix misleading interrupt-URB comment
    - USB: serial: omninet: fix NULL-derefs at open and disconnect
    - USB: serial: oti6858: fix NULL-deref at open
    - USB: serial: pl2303: fix NULL-deref at open
    - USB: serial: quatech2: fix sleep-while-atomic in close
    - USB: serial: spcp8x5: fix NULL-deref at open
    - USB: serial: ti_usb_3410_5052: fix NULL-deref at open
    - [x86] iommu/amd: Fix the left value check of cmd buffer
    - [x86] mei: move write cb to completion on credentials failures
    - ALSA: hda - Apply asus-mode8 fixup to ASUS X71SL
    - [x86] cpu: Fix bootup crashes by sanitizing the argument of the 'clearcpuid=' command-line option
    - [armhf] usb: musb: Fix trying to free already-free IRQ 4
    - usb: hub: Move hub_port_disable() to fix warning if PM is disabled
    - USB: fix problems with duplicate endpoint addresses
    - selftests: do not require bash to run netsocktests testcase
    - HID: hid-cypress: validate length of report (CVE-2017-7273)
    - ata: sata_mv:- Handle return value of devm_ioremap.
    - drm/radeon: drop verde dpm quirks
    - [x86] boot: Add missing declaration of string functions
    - USB: ch341: remove redundant close from open error path
    - USB: ch341: set tty baud speed according to tty struct
    - USB: serial: ch341: add register and USB request definitions
    - USB: serial: ch341: reinitialize chip on reconfiguration
    - USB: serial: ch341: fix initial modem-control state
    - USB: serial: ch341: fix open and resume after B0
    - USB: serial: ch341: fix modem-control and B0 handling
    - USB: serial: ch341: fix open error handling
    - USB: serial: ch341: fix resume after reset
    - USB: serial: ch341: fix baud rate and line-control handling
    - gro: Enter slow-path if there is no tailroom
    - gro: Disable frag0 optimization on IPv6 ext headers
    - ocfs2: fix crash caused by stale lvb with fsdlm plugin
    - mm/hugetlb.c: fix reservation race when freeing surplus pages
    - sysrq: attach sysrq handler correctly for 32-bit kernel
    - USB: serial: ch341: fix control-message error handling
    - gro: use min_t() in skb_gro_reset_offset()
    - [x86] PCI: Ignore _CRS on Supermicro X8DTH-i/6/iF/6F
    - xhci: fix deadlock at host remove by running watchdog correctly
    - [x86] KVM: flush pending lapic jump label updates on module unload
    - i2c: fix kernel memory disclosure in dev interface
    - svcrpc: don't leak contexts on PROC_DESTROY
    - netfilter: rpfilter: fix incorrect loopback packet judgment
    - be2net: fix status check in be_cmd_pmac_add()
    - net/mlx4_core: Fix racy CQ (Completion Queue) free
    - net/mlx4_core: Fix when to save some qp context flags for dynamic VST to VGT transitions
    - net/mlx4_core: Eliminate warning messages for SRQ_LIMIT under SRIOV
    - clocksource/exynos_mct: Clear interrupt when cpu is shut down
    - ubifs: Fix journal replay wrt. xattr nodes
    - qla2xxx: Fix crash due to null pointer access
    - can: c_can_pci: fix null-pointer-deref in c_can_start() - set device pointer
    - ceph: fix bad endianness handling in parse_reply_info_extra
    - [arm64] ptrace: Preserve previous registers for short regset write
    - [arm64] ptrace: Avoid uninitialised struct padding in fpr_set()
    - [arm64] ptrace: Reject attempts to set incomplete hardware breakpoint fields
    - net: fix harmonize_features() vs NETIF_F_HIGHDMA
    - [arm64] avoid returning from bad_mode
    - tcp: initialize max window for a new fastopen socket
    - nbd: fix use-after-free of rq/bio in the xmit path
    - nbd: only set MSG_MORE when we have more to send
    - [powerpc*] ptrace: Preserve previous fprs/vsrs on short regset write
    - [powerpc*] Ignore reserved field in DCSR and PVR reads and writes
    - [x86] platform: intel_mid_powerbtn: Set IRQ_ONESHOT
    - crypto: api - Clear CRYPTO_ALG_DEAD bit before registering an alg
    - [arm64] crypto: aes-blk - honour iv_out requirement in CBC and CTR modes
    - [powerpc*] Add missing error check to prom_find_boot_cpu()
    - nfs: Don't increment lock sequence ID after NFS4ERR_MOVED
    - ip6_tunnel: must reload ipv6h in ip6ip6_tnl_xmit()
    - SUNRPC: cleanup ida information when removing sunrpc module
    - netfilter: nft_log: restrict the log prefix length to 127
    - mm/huge_memory.c: respect FOLL_FORCE/FOLL_COW for thp
    - [x86] drm/i915: Don't leak edid in intel_crt_detect_ddc()
    - sysctl: fix proc_doulongvec_ms_jiffies_minmax()
    - nfs: Fix "Don't increment lock sequence ID after NFS4ERR_MOVED"
    - can: bcm: fix hrtimer/tasklet termination in bcm op removal
    - perf/core: Fix PERF_RECORD_MMAP2 prot/flags for anonymous memory
    - [armel,armhf] 8643/3: ptrace: Preserve previous registers for short regset write
    - drm/nouveau/nv1a,nv1f/disp: fix memory clock rate retrieval
    - mmc: sdhci: Ignore unexpected CARD_INT interrupts
    - svcrpc: fix oops in absence of krb5 module
    - net: use a work queue to defer net_disable_timestamp() work
    - mm, fs: check for fatal signals in do_generic_file_read()
    - netlabel: out of bound access in cipso_v4_validate()
    - mac80211: Fix adding of mesh vendor IEs
    - ALSA: seq: Don't handle loop timeout at snd_seq_pool_done()
    - [x86] drm/i915: fix use-after-free in page_flip_completed()
    - ALSA: seq: Fix race at creating a queue
    - target: Use correct SCSI status during EXTENDED_COPY exception
    - target: Fix early transport_generic_handle_tmr abort scenario
    - target: Fix COMPARE_AND_WRITE ref leak for non GOOD status
    - btrfs: fix btrfs_compat_ioctl failures on non-compat ioctls
    - ping: fix a null pointer dereference
    - [s390x] scsi: zfcp: fix use-after-free by not tracing WKA port open/close on failed send
    - xen-netfront: Delete rx_refill_timer in xennet_disconnect_backend()
    - l2tp: do not use udp_ioctl()
    - futex: Move futex_init() to core_initcall
    - mmc: core: fix multi-bit bus width without high-speed mode
    - vfs: fix uninitialized flags in splice_to_pipe()
    - packet: call fanout_release, while UNREGISTERING a netdev
    - packet: Do not call fanout_release from atomic contexts
    - printk: use rcuidle console tracepoint
    - sg: Fix missing sanity check in /dev/sg
    - sched/cputime: Fix invalid gtime in proc
    - decnet: Do not build routes to devices without decnet private data.
    - route: do not cache fib route info on local routes with oif
    - sch_htb: update backlog as well
    - sch_dsmark: update backlog as well
    - netem: Segment GSO packets on enqueue
    - [x86] VSOCK: do not disconnect socket when peer has shutdown SEND only
    - net: bridge: fix old ioctl unlocked net device walk
    - udp: prevent skbs lingering in tunnel socket queues
    - ipv6: Skip XFRM lookup if dst_entry in socket cache is valid
    - sit: correct IP protocol used in ipip6_err
    - ipmr/ip6mr: Initialize the last assert time of mfc entries.
    - net: alx: Work around the DMA RX overflow issue
    - cdc_ncm: workaround for EM7455 "silent" data interface
    - bonding: set carrier off for devices created through netlink
    - net: fix sk_mem_reclaim_partial()
    - tcp: fix overflow in __tcp_retransmit_skb()
    - net: avoid sk_forward_alloc overflows
    - tcp: fix wrong checksum calculation on MTU probing
    - net: Add netdev all_adj_list refcnt propagation to fix panic
    - net: sctp, forbid negative length
    - net: clear sk_err_soft in sk_clone_lock()
    - net: mangle zero checksum in skb_checksum_help()
    - dccp: do not send reset to already closed sockets
    - dccp: fix out of bound access in dccp_v4_err()
    - ipv6: dccp: fix out of bound access in dccp_v6_err()
    - ipv6: dccp: add missing bind_conflict to dccp_ipv6_mapped
    - sctp: assign assoc_id earlier in __sctp_connect
    - sock: fix sendmmsg for partial sendmsg
    - ip6_tunnel: disable caching when the traffic class is inherited
    - net: sky2: Fix shutdown crash
    - net/sched: pedit: make sure that offset is valid
    - net/dccp: fix use-after-free in dccp_invalid_packet
    - [x86] netvsc: reduce maximum GSO size
    - ipv6: handle -EFAULT from skb_copy_bits
    - drop_monitor: add missing call to genlmsg_end
    - drop_monitor: consider inserted data in genlmsg_end
    - igmp: Make igmp group member RFC 3376 compliant
    - r8152: fix the sw rx checksum is unavailable
    - tcp: fix tcp_fastopen unaligned access complaints on sparc
    - ipv6: addrconf: Avoid addrconf_disable_change() using RCU read-side lock
    - net: socket: fix recvmmsg not returning error from sock_error
    - can: Fix kernel panic at security_sock_rcv_skb
    - ipv6: fix ip6_tnl_parse_tlv_enc_lim()
    - ipv6: pointer math error in ip6_tnl_parse_tlv_enc_lim()
    - tcp: fix 0 divide in __tcp_select_window()
    - tun: Fix TUN_PKT_STRIP setting
    - tun: read vnet_hdr_sz once
    - macvtap: read vnet_hdr_size once
    - mlx4: Invoke softirqs after napi_reschedule
    - sit: fix a double free on error path
    - igmp: do not remove igmp source list info when set link down
    - mld: do not remove mld source list info when set link down
    - igmp, mld: Fix memory leak in igmpv3/mld_del_delrec()
    - [x86] Revert "KVM: x86: expose MSR_TSC_AUX to userspace" (regression in 3.16.7-ckt24)
    https://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.16.43
    - crypto: improve gcc optimization flags for serpent and wp512
    - mmc: sunxi: avoid invalid pointer calculation
    - [mips*] Zero variable read by get_user / __get_user in case of an error.
    - netlink: remove mmapped netlink support
    - vfs: Commit to never having executables on proc and sysfs.
    - aio: mark AIO pseudo-fs noexec (CVE-2016-10044)
    - keys: Guard against null match function in keyring_search_aux() (CVE-2017-2647 / CVE-2017-6951)
  .
  [ Ben Hutchings ]
  * locking/mutex: Don't assume TASK_RUNNING (Closes: #841171)
  * can, tcp: Ignore ABI changes
  * [arm64] ptrace: Avoid ABI change in 3.16.42
  * [x86] Revert "x86/panic: replace smp_send_stop() with kdump friendly version in panic path" to avoid ABI change
  * net: Avoid ABI change for "net: fix sk_mem_reclaim_partial()"
  * vfs: Avoid ABI change for "mnt: Add a per mount namespace limit ..."
  * mmc: Avoid ABI change for "mmc: core: Annotate cmd_hdr as __le32"
  * ext4: fix fencepost in s_first_meta_bg validation (regression in 3.16.41)
  * timer: Restrict timer_stats to initial PID namespace (CVE-2017-5967)
  * mbcache: Reschedule before restarting iteration in mb_cache_entry_alloc() (mitigates CVE-2015-8952)
  * [powerpc/powerpc64,ppc64*] Enable SCSI_IBMVFC as module (Closes: #859523)
    - udeb: Add ibmvfc to scsi-modules
  * mm: Make PIE address randomisation independent of mmap (Closes: #797530)
    - [armel,armhf] factor out mmap ASLR into mmap_rnd
    - [arm64] ASLR: Don't randomise text when randomise_va_space == 0
    - [arm64] standardize mmap_rnd() usage
    - [mips*] extract logic for mmap_rnd()
    - [powerpc*] Use generic PIE randomization
    - [powerpc*] standardize mmap_rnd() usage
    - [s390*] Change randomize_et_dyn() to take void and use mmap_rnd()
    - [s390*] standardize mmap_rnd() usage
    - mm: expose arch_mmap_rnd when available
    - [s390*] redefine randomize_et_dyn for ELF_ET_DYN_BASE
    - mm: split ET_DYN ASLR from mmap ASLR
    - mm: fold arch_randomize_brk into ARCH_HAS_ELF_RANDOMIZE
  * ping: implement proper locking (CVE-2017-2671)
  * xfrm_user: validate XFRM_MSG_NEWAE XFRMA_REPLAY_ESN_VAL replay_window (CVE-2017-7184)
  * xfrm_user: validate XFRM_MSG_NEWAE incoming ESN size harder (CVE-2017-7184)
  * [x86] drm/vmwgfx: NULL pointer dereference in vmw_surface_define_ioctl() (CVE-2017-7261)
  * [x86] drm/vmwgfx: fix integer overflow in vmw_surface_define_ioctl() (CVE-2017-7294)
  * net/packet: Fix integer overflow in various range checks (CVE-2017-7308)
  * mm/mempolicy.c: fix error handling in set_mempolicy and mbind (CVE-2017-7616)
  * crypto: ahash - Fix EINPROGRESS notification callback (CVE-2017-7618)
  * USB: iowarrior: fix NULL-deref at probe (CVE-2016-2188)
  * ixgbe: do not call check_link for ethtool in ixgbe_get_settings() (Closes: #851952)
  * Fix bugs in ipv6 peer address cleanup (Closes: #854348):
    - ipv6: fix a refcnt leak with peer addr
    - ipv6: use addrconf_get_prefix_route() to remove peer addr
  * KEYS: special dot prefixed keyring name bug fix
  * KEYS: Reinstate EPERM for a key type name beginning with a '.'
  * KEYS: Disallow keyrings beginning with '.' to be joined as session keyrings (CVE-2016-9604)
  * KEYS: fix keyctl_set_reqkey_keyring() to not leak thread keyrings (CVE-2017-7472)
  .
  [ Salvatore Bonaccorso ]
  * sunrpc: fix refcounting problems with auth_gss messages. Thanks to Raphael Geissert (Closes: #852708)

linux (3.16.39-1+deb8u2) jessie-security; urgency=high
  .
  [ Salvatore Bonaccorso ]
  * ipc/shm: Fix shmat mmap nil-page protection (CVE-2017-5669)
  * sctp: avoid BUG_ON on sctp_wait_for_sndbuf (CVE-2017-5986)
  * sctp: deny peeloff operation on asocs with threads sleeping on it (CVE-2017-6353)
  * tcp: avoid infinite loop in tcp_splice_read() (CVE-2017-6214)
  * net/sock: Add sock_efree() function
  * net/llc: avoid BUG_ON() in skb_orphan() (CVE-2017-6345)
  * packet: fix races in fanout_add() (CVE-2017-6346)
  * TTY: n_hdlc, fix lockdep false positive
  * tty: n_hdlc: get rid of racy n_hdlc.tbuf (CVE-2017-2636)
  .
  [ Ben Hutchings ]
  * [x86] kvm: nVMX: Allow L1 to intercept software exceptions (#BP and #OF) (CVE-2016-9588)
  * irda: Fix locking in hashbin_delete() (CVE-2017-6348)

linux (3.16.39-1+deb8u1) jessie-security; urgency=high
  .
  [ Salvatore Bonaccorso ]
  * perf: Fix event->ctx locking (CVE-2016-6786 CVE-2016-6787)
  * perf/core: Fix concurrent sys_perf_event_open() vs. 'move_group' race (CVE-2017-6001)
  * dccp: fix freeing skb too early for IPV6_RECVPKTINFO (CVE-2017-6074)
  .
  [ Ben Hutchings ]
  * perf: Do not double free (dependency of fix for CVE-2017-6001)
  * fbdev: color map copying bounds checking (CVE-2016-8405)
  * sysctl: Drop reference added by grab_header in proc_sys_readdir (CVE-2016-9191)
  * [x86] KVM: fix emulation of "MOV SS, null selector" (CVE-2017-2583)
  * [x86] KVM: Introduce segmented_write_std (CVE-2017-2584)
  * selinux: fix off-by-one in setprocattr (CVE-2017-2618)
  * USB: serial: kl5kusb105: fix line-state error handling (CVE-2017-5549)
  * tmpfs: clear S_ISGID when setting posix ACLs (CVE-2017-5551)
  * ip6_gre: fix ip6gre_err() invalid reads (CVE-2017-5897)
  * [x86] kvm: fix page struct leak in handle_vmon (CVE-2017-2596)
  * ipv4: keep skb->dst around in presence of IP options (CVE-2017-5970)

linux (3.16.39-1+deb8u1~bpo70+1) wheezy-backports; urgency=medium
  .
  * Rebuild for wheezy:
    - Disable architectures that weren't part of wheezy
    - Use gcc-4.6 for all architectures
    - Change ABI number to 0.bpo.4
    - [arm] btrfs: Work around bug in gcc-4.6 (fixes FTBFS)
    - linux-image: Depend on initramfs-tools without any alternatives, so that neither apt nor aptitude will automatically switch to dracut
  .
linux (3.16.39-1+deb8u1) jessie-security; urgency=high
  .
  [ Salvatore Bonaccorso ]
  * perf: Fix event->ctx locking (CVE-2016-6786 CVE-2016-6787)
  * perf/core: Fix concurrent sys_perf_event_open() vs. 'move_group' race (CVE-2017-6001)
  * dccp: fix freeing skb too early for IPV6_RECVPKTINFO (CVE-2017-6074)
  .
[ Ben Hutchings ] * perf: Do not double free (dependency of fix for CVE-2017-6001) * fbdev: color map copying bounds checking (CVE-2016-8405) * sysctl: Drop reference added by grab_header in proc_sys_readdir (CVE-2016-9191) * [x86] KVM: fix emulation of "MOV SS, null selector" (CVE-2017-2583) * [x86] KVM: Introduce segmented_write_std (CVE-2017-2584) * selinux: fix off-by-one in setprocattr (CVE-2017-2618) * USB: serial: kl5kusb105: fix line-state error handling (CVE-2017-5549) * tmpfs: clear S_ISGID when setting posix ACLs (CVE-2017-5551) * ip6_gre: fix ip6gre_err() invalid reads (CVE-2017-5897) * [x86] kvm: fix page struct leak in handle_vmon (CVE-2017-2596) * ipv4: keep skb->dst around in presence of IP options (CVE-2017-5970) logback (1:1.1.2-1+deb8u1) jessie; urgency=high . * Team upload. * Fix CVE-2017-5929: It was discovered that logback, a flexible logging library for Java, would deserialize data from untrusted sockets. This issue has been resolved by adding a whitelist to use only trusted classes. (Closes: #857343) lxc (1:1.0.6-6+deb8u6) jessie; urgency=medium . * CVE-2017-5985: Ensure target netns is caller-owned (Closes: #857295) mapserver (6.4.1-5+deb8u3) jessie-security; urgency=high . * Add upstream patch to fix CVE-2017-5522 (stack buffer overflow). mariadb-10.0 (10.0.30-0+deb8u2) jessie; urgency=medium . * Remove the excessive server stopping and only-cleanup on purge when this is the last MySQL package (Closes: #858941) mariadb-10.0 (10.0.30-0+deb8u1) jessie-security; urgency=high . * New upstream release 10.0.30. Includes fixes for the following security vulnerabilities: - CVE-2017-3313 - CVE-2017-3302 * New upstream also includes fix to logrotate so that it no longer risks interrupting binary/relay log processing on the server. https://github.com/MariaDB/server/commit/156cf86defdc59353f37f6 mariadb-10.0 (10.0.29-0+deb8u1) jessie-security; urgency=high . * New upstream release 10.0.29. 
Includes fixes for the following security vulnerabilities (Closes: #851755, #842895): - CVE-2017-3318 - CVE-2017-3317 - CVE-2017-3312 - CVE-2017-3291 - CVE-2017-3265 - CVE-2017-3258 - CVE-2017-3257 - CVE-2017-3244 - CVE-2017-3243 - CVE-2017-3238 - CVE-2016-6664 mariadb-10.0 (10.0.28-3) unstable; urgency=low . [ Otto Kekäläinen ] * Move libmariadbd and -dev next to each other for a more logical flow in d/control * Move mariadb-test to last in file for a more logical flow in d/control * Clean away unused Lintian overrides * Add Lintian override for impossible mysql_config multi-arch requirement * Update Debian copyright based on the 2016 git log author list * Remove unnecessary /var/lib/mysql-upgrade (Closes: #848620) . [ Vicențiu Ciorbaru ] * Fix connect.upd test in armhf * Fix mroonga/storage.index_read_multiple_double test in armhf mariadb-10.0 (10.0.28-2) unstable; urgency=low . [ Samuel Thibault ] * patches/hurd_socket.patch: Also avoid non-working socket path length check on hurd-i386. * rules: Drop symbols on hurd-i386 too (Closes: #842696). . [ Daniel Black ] * Don't install private mysql header files in libmariadbclient-dev . [ Otto Kekäläinen ] * Update libmariadbd18 description and contents to match latest upstream * Mark missing Multi-Arch as suggested by Multiarch hinter * Move plugins to $ARCH/*/mariadb18 to meet multiarch needs (Closes: #739452) mariadb-10.0 (10.0.28-1) unstable; urgency=low . [ Vicențiu Ciorbaru ] * Fix tokudb jemalloc linking . [ Otto Kekäläinen ] * New upstream release 10.0.28. Includes fixes for the following security vulnerabilities: - CVE-2016-8283 - CVE-2016-7440 - CVE-2016-6663 - CVE-2016-5629 - CVE-2016-5626 - CVE-2016-5624 - CVE-2016-5616 - CVE-2016-5584 - CVE-2016-3492 * Drop 4 patches that have been applied upstream. * Delete runnable files from mariadb-test-data as they were only needed at build time to generate tests. mariadb-10.0 (10.0.28-0+deb8u1) jessie-security; urgency=high . * New upstream release 10.0.28. 
    Includes fixes for the following security vulnerabilities:
    - CVE-2016-8283
    - CVE-2016-7440
    - CVE-2016-6663
    - CVE-2016-5629
    - CVE-2016-5626
    - CVE-2016-5624
    - CVE-2016-5616
    - CVE-2016-5584
    - CVE-2016-3492
  * Update old changelog entries to include new CVE identifiers

mariadb-10.0 (10.0.27-2) unstable; urgency=low

  [ Dieter Adriaenssens ]
  * Fix typo in README.Contributor
  * Improve documentation on how to clean the build env

  [ James Cowgill ]
  * Mips build and testsuite fixes (Closes: #838557, Closes: #838914)
    - Permit 93 as a valid value of the ENOTEMPTY error in the testsuite
    - Correctly fix mips64 multiplication in taocrypt
    - Ensure groonga is built with libatomic
    - Handle unaligned buffers in connect's TYPBLK class
    - Fix DEFAULT_MACHINE on mips
    - Remove various tests from unstable-tests which now pass on MIPS
    - Update debian/unstable-tests.mips*

  [ Kristian Nielsen ]
  * Fix missing path for perl in autopkgtest (Closes: #809022)
  * Fix test failures on hppa due to wrong enoempty (Closes: #837369)

mariadb-10.0 (10.0.27-1) unstable; urgency=low

  * New upstream release 10.0.27
  * Remove 3 patches after 10.0.27 import as they have been applied
    upstream.

minicom (2.7-1+deb8u1) jessie; urgency=high

  * Non-maintainer upload.
  * Add ARRAY_SIZE macro
  * CVE-2017-7467: Out of bounds write in vt100.c (Closes: #860940)

modsecurity-crs (2.2.9-1+deb8u1) stable; urgency=medium

  * Fix typo in modsecurity_crs_16_session_hijacking.conf.
    (Closes: #838009)

mongodb (1:2.4.10-5+deb8u1) jessie; urgency=medium

  * Redact key and nonce from auth attempt logs (Closes: #833087)
  * Backport patch for CVE-2016-6494 from 2.6 (Closes: #832908)

munin (2.0.25-1+deb8u3) jessie-security; urgency=high

  * Non-maintainer upload by the Security Team.
  * cgi: use Scalar::Util::looks_like_number.
    Fix regression, causing munin-cgi-graph to spam munin logs with Perl
    warnings of uninitialized value use for $size_x, $size_y, $upper_limit
    or $lower_limit.
    (Closes: #856536)

munin (2.0.25-1+deb8u3~bpo70+1) wheezy-backports; urgency=medium

  * Rebuild for wheezy-backports.
  * Revert c2628d67 to not use dh-systemd, which is not available in
    wheezy.

munin (2.0.25-1+deb8u3) jessie-security; urgency=high

  * Non-maintainer upload by the Security Team.
  * cgi: use Scalar::Util::looks_like_number.
    Fix regression, causing munin-cgi-graph to spam munin logs with Perl
    warnings of uninitialized value use for $size_x, $size_y, $upper_limit
    or $lower_limit. (Closes: #856536)

munin (2.0.25-1+deb8u2) jessie-security; urgency=high

  * Non-maintainer upload by the Security Team.
  * cgi: handle the empty string in CGI arguments.
    Fix regression in zooming functionality via munin-cgi-graph introduced
    by the original fix for CVE-2017-6188. (Closes: #856455)

munin (2.0.25-1+deb8u2) jessie-security; urgency=high

  * Non-maintainer upload by the Security Team.
  * cgi: handle the empty string in CGI arguments.
    Fix regression in zooming functionality via munin-cgi-graph introduced
    by the original fix for CVE-2017-6188. (Closes: #856455)

munin (2.0.25-1+deb8u1) jessie-security; urgency=high

  * Non-maintainer upload by the Security Team.
  * Fix wrong parameter expansion in CGI (CVE-2017-6188)
    Fixes local file write vulnerability when CGI graphs are enabled.
    Setting multiple upper_limit GET parameters allows overwriting any
    file accessible to the user running the CGI script.
    Thanks to Tomaž Šolc (Closes: #855705)

munin (2.0.25-1+deb8u1~bpo70+1) wheezy-backports; urgency=medium

  * Rebuild for wheezy-backports.
  * Revert c2628d67 to not use dh-systemd, which is not available in
    wheezy.

munin (2.0.25-1+deb8u1) jessie-security; urgency=high

  * Non-maintainer upload by the Security Team.
  * Fix wrong parameter expansion in CGI (CVE-2017-6188)
    Fixes local file write vulnerability when CGI graphs are enabled.
    Setting multiple upper_limit GET parameters allows overwriting any
    file accessible to the user running the CGI script.
    Thanks to Tomaž Šolc (Closes: #855705)

mupdf (1.5-1+deb8u2) jessie-security; urgency=high

  * CVE-2016-8674: heap-use-after-free in pdf_to_num (pdf-object.c)
    (Closes: #840957)
  * CVE-2017-5896: use-after-free in fz_subsample_pixmap() (Closes: #854734)
  * CVE-2017-5991: NULL pointer dereference in pdf_run_xobject()

mysql-5.5 (5.5.55-0+deb8u1) jessie-security; urgency=high

  * Imported upstream version 5.5.55 to fix security issues:
    - http://www.oracle.com/technetwork/security-advisory/cpuapr2017-3236618.html
    - CVE-2017-3302 CVE-2017-3305 CVE-2017-3308 CVE-2017-3309
    - CVE-2017-3329 CVE-2017-3453 CVE-2017-3456 CVE-2017-3461
    - CVE-2017-3462 CVE-2017-3463 CVE-2017-3464 CVE-2017-3600
    (Closes: #860544, #854713)
  * d/patches: refreshed 62_disable_tests.patch
  * d/patches: dropped fix_test_events_2.patch. Issue fixed upstream

mysql-5.5 (5.5.54-0+deb8u1) jessie-security; urgency=high

  * Imported upstream version 5.5.54 to fix security issues:
    - http://www.oracle.com/technetwork/security-advisory/cpujan2017-2881727.html
    - CVE-2017-3238 CVE-2017-3243 CVE-2017-3244 CVE-2017-3258
    - CVE-2017-3265 CVE-2017-3291 CVE-2017-3312 CVE-2017-3313
    - CVE-2017-3317 CVE-2017-3318
    (Closes: #851233)
  * Fix failing test main.events_2
    The test was failing due to hardcoded date (2017-01-01).
    Added patch pending upstream fix.

ndisc6 (1.0.1-1+deb8u1) jessie; urgency=medium

  * Use upstream default merge hook when resolvconf is not available
    (Closes: #767071)

ndoutils (1.4b9-1.1+deb8u1) jessie; urgency=medium

  * Non-maintainer upload.
  * postrm purge: Check for ucf before calling it. (Closes: #677065)
  * control: Drop DMUA.

ntfs-3g (1:2014.2.15AR.2-1+deb8u3) jessie-security; urgency=high

  * Fix CVE-2017-0358: modprobe influence vulnerability via environment
    variables.

nvidia-graphics-drivers (340.102-1) jessie; urgency=medium

  * New upstream legacy 340xx branch release 340.102 (2017-02-14).
  * Fixed CVE-2017-0309, CVE-2017-0310, CVE-2017-0311, CVE-2017-0318,
    CVE-2017-0321. (Closes: #855277)
  [ Andreas Beckmann ]
  * unregister_proc_on_failure.patch: New, unregister procfs entries during
    error unwind if loading the module failed. (Closes: #764639)
  * Upload to jessie.

  [ Luca Boccassi ]
  * Add deprecated-cpu-events.patch and vmf-address.patch to fix kernel
    module build on Linux 4.10 and newer.

nvidia-graphics-drivers (340.102-1~bpo70+1) wheezy-backports; urgency=medium

  * Rebuild for wheezy-backports.

nvidia-graphics-drivers (340.102-1) jessie; urgency=medium

  * New upstream legacy 340xx branch release 340.102 (2017-02-14).
  * Fixed CVE-2017-0309, CVE-2017-0310, CVE-2017-0311, CVE-2017-0318,
    CVE-2017-0321. (Closes: #855277)

  [ Andreas Beckmann ]
  * unregister_proc_on_failure.patch: New, unregister procfs entries during
    error unwind if loading the module failed. (Closes: #764639)
  * Upload to jessie.

  [ Luca Boccassi ]
  * Add deprecated-cpu-events.patch and vmf-address.patch to fix kernel
    module build on Linux 4.10 and newer.

nvidia-graphics-drivers-legacy-304xx (304.135-1) jessie; urgency=medium

  * New upstream legacy 304xx branch release 304.135 (2017-02-14).
  * Fixed CVE-2017-0309, CVE-2017-0310, CVE-2017-0311, CVE-2017-0318,
    CVE-2017-0321. (Closes: #855279)

  [ Luca Boccassi ]
  * Synchronize packaging with nvidia-graphics-drivers-legacy-304xx
    304.135-2:
    - Add deprecated-cpu-events.patch and update disable-mtrr.patch to fix
      kernel module build on Linux 4.10 and newer.
  * Synchronize packaging with nvidia-graphics-drivers-legacy-304xx
    304.134-2:
    - Add drm-driver-legacy.patch to fix nvidia kernel module load issue on
      Linux 4.9 and newer. (Closes: #852152)
  * Upload to jessie.

nvidia-graphics-drivers-legacy-304xx (304.135-1~bpo70+1) wheezy-backports; urgency=medium

  * Rebuild for wheezy-backports.

nvidia-graphics-drivers-legacy-304xx (304.135-1) jessie; urgency=medium

  * New upstream legacy 304xx branch release 304.135 (2017-02-14).
  * Fixed CVE-2017-0309, CVE-2017-0310, CVE-2017-0311, CVE-2017-0318,
    CVE-2017-0321. (Closes: #855279)
  [ Luca Boccassi ]
  * Synchronize packaging with nvidia-graphics-drivers-legacy-304xx
    304.135-2:
    - Add deprecated-cpu-events.patch and update disable-mtrr.patch to fix
      kernel module build on Linux 4.10 and newer.
  * Synchronize packaging with nvidia-graphics-drivers-legacy-304xx
    304.134-2:
    - Add drm-driver-legacy.patch to fix nvidia kernel module load issue on
      Linux 4.9 and newer. (Closes: #852152)
  * Upload to jessie.

nvidia-graphics-drivers-legacy-304xx (304.134-2) unstable; urgency=medium

  [ Andreas Beckmann ]
  * Merge changes from 304.134-0~deb8u1 (jessie).
  * Add ${nvidia:Deb-Version-After:jessie} substvar to simplify adjusting
    Breaks/Replaces for new upstream releases in stable.
  * Switch to debhelper compat level 10.

  [ Luca Boccassi ]
  * Add drm-driver-legacy.patch to fix nvidia kernel module load issue on
    Linux 4.9 and newer. (Closes: #852152)

nvidia-graphics-drivers-legacy-304xx (304.134-1) unstable; urgency=medium

  * New upstream legacy 304xx branch release 304.134 (2016-12-14).
  * Fixed CVE-2016-8826. (Closes: #848197)
    - Added support for X.Org xserver ABI 23 (xorg-server 1.19)
      (Closes: #845639)
  * Improved compatibility with recent Linux kernels.

  [ Andreas Beckmann ]
  * Synchronize packaging with nvidia-graphics-drivers 370.28-2:
    - Overhaul package descriptions.
  * Add xorg-video-abi-23 as alternative dependency (375.20-1).

nvidia-graphics-drivers-legacy-304xx (304.134-1~bpo8+1) jessie-backports; urgency=medium

  * Rebuild for jessie-backports.

nvidia-graphics-drivers-legacy-304xx (304.134-1) unstable; urgency=medium

  * New upstream legacy 304xx branch release 304.134 (2016-12-14).
  * Fixed CVE-2016-8826. (Closes: #848197)
    - Added support for X.Org xserver ABI 23 (xorg-server 1.19)
  * Improved compatibility with recent Linux kernels.

  [ Andreas Beckmann ]
  * Synchronize packaging with nvidia-graphics-drivers-legacy-340xx
    340.101-1:
  * Synchronize packaging with nvidia-graphics-drivers 370.28-2:
    - Overhaul package descriptions.
  * Add xorg-video-abi-23 as alternative dependency. (Closes: #845639)

nvidia-graphics-drivers-legacy-304xx (304.132-1) unstable; urgency=medium

  * New upstream legacy 304xx branch release 304.132 (2016-09-26).
  * Fixed CVE-2016-7382, CVE-2016-7389. (Closes: #846333)
    - Added /var/log/dmesg to the list of paths which are searched by
      nvidia-bug-report.sh for kernel messages.
    - Fixed a bug that caused kernel panics when using the NVIDIA driver on
      v4.5 and newer Linux kernels built with CONFIG_DEBUG_VM_PGFLAGS.
  * Improved compatibility with recent Linux kernels.

  [ Andreas Beckmann ]
  * page-cache-release.patch, get-user-pages.patch: Drop, fixed upstream.
  * Synchronize packaging with nvidia-graphics-drivers-legacy-340xx
    340.98-1:
  * Synchronize packaging with nvidia-graphics-drivers 358.16-1:
    - get-orig-source: Generate .orig-$ARCH.tar.gz for each architecture.

nvidia-graphics-modules (340.102+3.16.0+1) jessie; urgency=medium

  * Use nvidia-kernel-source 340.102.
  * Upload to jessie.

openchange (1:2.2-6+deb8u1) jessie; urgency=medium

  * Use version -6+ instead of -5+ because samba-libs conflicts with
    openchangeproxy (<< 1:2.2-6), making openchangeproxy -5+ uninstallable.
  * Include upstream patch to fix FTBFS with samba 4.2

openchange (1:2.2-6) unstable; urgency=medium

  * Add dependency on pidl 2:4.1.17+dfsg-4, which has reproducible output.
  * Bump standards version to 3.9.6 (no changes).
  * Make openchange-dbg Multi-Arch: same.

openjpeg2 (2.1.0-2+deb8u2) jessie-security; urgency=medium

  * CVE-2016-5159 CVE-2016-8332 CVE-2016-9572 CVE-2016-9573

openmpi (1.6.5-9.1+deb8u1) jessie; urgency=medium

  * Non-maintainer upload.
  * libopenmpi1.6: Fix two incorrect soname links. (Closes: #736675)
  * libopenmpi1.6: Use versioned Conflicts: libopenmpi2 (<< 1.6) to not
    interfere with upgrades to stretch. (Closes: #859986)

openssl (1.0.1t-1+deb8u6) jessie-security; urgency=medium
  * Fix CVE-2016-8610
  * Fix CVE-2017-3731
  * Fix CVE-2016-7056

pdns (3.4.1-4+deb8u7) jessie-security; urgency=high

  * Security upload.
  * Improve TSIG signature check to avoid MITM attacks on inbound AXFR
    transfers. CVE-2016-7073 and CVE-2016-7074.
  * Handle all possible exceptions in webserver thread, avoiding crash of
    main process when an attacker exhausts file descriptors on the
    webserver thread. CVE-2016-7072
  * Drop incoming queries that contain more than one record, avoiding
    extra CPU usage. CVE-2016-7068
  * Improve validation of unhandled record types, avoiding a crash on
    outbound query processing. CVE-2016-2120
  * Improve handling of invalid TSIG records in packets. (Required
    prerequisite patch for the above.)

pdns-recursor (3.6.2-2+deb8u3) jessie-security; urgency=high

  * Security upload.
  * Drop incoming queries that contain more than one record, avoiding
    extra CPU usage. CVE-2016-7068

php5 (5.6.30+dfsg-0+deb8u1) jessie-security; urgency=medium

  * Allow relaxed ; priority= parsing (Closes: #783246)
  * New upstream version 5.6.30+dfsg
    - [CVE-2016-10158] FPE when parsing a tag format.
    - [CVE-2016-10159] Crash while loading hostile phar archive
    - [CVE-2016-10160] Memory corruption when loading hostile phar
    - [CVE-2016-10161] Heap out of bounds read on unserialize in
      finish_nested_data()
  * Rebase patches on top of PHP 5.6.30

pidgin (2.11.0-0+deb8u2) jessie-security; urgency=high

  * Non-maintainer upload by the Security Team.
  * CVE-2017-2640: Out-of-bound memory access fixed by ported upstream
    patch from 2.12.0

plv8 (1.4.2.ds-2+deb8u1) jessie; urgency=high

  * Security bugfix picked from 1.4.9: Check for permission to call
    functions.

postfix (2.11.3-1+deb8u2) stable; urgency=medium

  * Add fixes in makedefs to recognize Linux 4 as the LINUX3 system type
    so the package will build with both jessie and jessie-bpo/stretch
    kernels

postfix (2.11.3-1+deb8u1) stable; urgency=medium
  * Add delmap to .prerm for all packages that contain map data types
    exposed through external .so files so that upgrades to stretch (where
    the associated files have moved) will be functional (Closes: #859805)

postgresql-9.4 (9.4.11-0+deb8u2) jessie; urgency=medium

  * Paper over ULP regression test differences in the "point" test on
    32-bit powerpc on Debian Jessie. The very same code worked previously
    and in fact continues to work on Debian Sid, so it doesn't seem to be
    PostgreSQL's fault that these test results now suffer from rounding
    differences.

postgresql-9.4 (9.4.11-0+deb8u1) jessie; urgency=medium

  * New upstream version.

    + Fix a race condition that could cause indexes built with CREATE
      INDEX CONCURRENTLY to be corrupt (Pavan Deolasee, Tom Lane)

      If CREATE INDEX CONCURRENTLY was used to build an index that depends
      on a column not previously indexed, then rows inserted or updated by
      transactions that ran concurrently with the CREATE INDEX command
      could have received incorrect index entries. If you suspect this may
      have happened, the most reliable solution is to rebuild affected
      indexes after installing this update.

postgresql-9.4 (9.4.11-0+deb8u1~bpo7+1) wheezy-backports; urgency=medium

  * Rebuild for wheezy-backports.
  * Drop logical/reorderbuffer patch.

postgresql-9.4 (9.4.11-0+deb8u1) jessie; urgency=medium

  * New upstream version.

    + Fix a race condition that could cause indexes built with CREATE
      INDEX CONCURRENTLY to be corrupt (Pavan Deolasee, Tom Lane)

      If CREATE INDEX CONCURRENTLY was used to build an index that depends
      on a column not previously indexed, then rows inserted or updated by
      transactions that ran concurrently with the CREATE INDEX command
      could have received incorrect index entries. If you suspect this may
      have happened, the most reliable solution is to rebuild affected
      indexes after installing this update.

postgresql-9.4 (9.4.10-0+deb8u1) jessie; urgency=medium

  * New upstream version.
    If your installation has been affected by the bug described in the
    first changelog entry below, then after updating you may need to take
    action to repair corrupted free space maps.

    + Fix WAL-logging of truncation of relation free space maps and
      visibility maps (Pavan Deolasee, Heikki Linnakangas)

      It was possible for these files to not be correctly restored during
      crash recovery, or to be written incorrectly on a standby server.
      Bogus entries in a free space map could lead to attempts to access
      pages that have been truncated away from the relation itself,
      typically producing errors like "could not read block XXX: read only
      0 of 8192 bytes". Checksum failures in the visibility map are also
      possible, if checksumming is enabled.

      Procedures for determining whether there is a problem and repairing
      it if so are discussed at
      https://wiki.postgresql.org/wiki/Free_Space_Map_Problems.

postgresql-9.4 (9.4.9-0+deb8u1) jessie-security; urgency=medium

  * New upstream security release.

    + Fix possible mis-evaluation of nested CASE-WHEN expressions (Heikki
      Linnakangas, Michael Paquier, Tom Lane)

      A CASE expression appearing within the test value subexpression of
      another CASE could become confused about whether its own test value
      was null or not. Also, inlining of a SQL function implementing the
      equality operator used by a CASE expression could result in passing
      the wrong test value to functions called within a CASE expression in
      the SQL function's body. If the test values were of different data
      types, a crash might result; moreover such situations could be
      abused to allow disclosure of portions of server memory.
      (CVE-2016-5423)

    + Fix client programs' handling of special characters in database and
      role names (Noah Misch, Nathan Bossart, Michael Paquier)

      Numerous places in vacuumdb and other client programs could become
      confused by database and role names containing double quotes or
      backslashes. Tighten up quoting rules to make that safe.
      Also, ensure that when a conninfo string is used as a database name
      parameter to these programs, it is correctly treated as such
      throughout.

      Fix handling of paired double quotes in psql's \connect and
      \password commands to match the documentation.

      Introduce a new -reuse-previous option in psql's \connect command to
      allow explicit control of whether to re-use connection parameters
      from a previous connection. (Without this, the choice is based on
      whether the database name looks like a conninfo string, as before.)
      This allows secure handling of database names containing special
      characters in pg_dumpall scripts.

      pg_dumpall now refuses to deal with database and role names
      containing carriage returns or newlines, as it seems impractical to
      quote those characters safely on Windows. In future we may reject
      such names on the server side, but that step has not been taken yet.

      These are considered security fixes because crafted object names
      containing special characters could have been used to execute
      commands with superuser privileges the next time a superuser
      executes pg_dumpall or other routine maintenance operations.
      (CVE-2016-5424)

postgresql-9.4 (9.4.8-0+deb8u1) jessie; urgency=medium

  * New upstream bugfix release.

python-bottle (0.12.7-1+deb8u2) jessie-security; urgency=medium

  * Add patch for string type bug (Closes: #850176)

python-cryptography (0.6.1-1+deb8u1) stable; urgency=high

  * Stable update.
  * Backport the fix for CVE-2016-9243 (HKDF returns an empty byte string
    for small key sizes).
  * Fix FTBFS due to SSL2 method detection (closes: #849802).

python-django (1.7.11-1+deb8u2) jessie-security; urgency=high
  * SECURITY UPDATE:
    - CVE-2016-9013: User with hardcoded password created when running
      tests on Oracle
    - CVE-2016-9014: DNS rebinding vulnerability when DEBUG=True
      (Closes: #842856)
    - CVE-2017-7233: Open redirect and possible XSS attack via
      user-supplied numeric redirect URLs (Closes: #859515)
    - CVE-2017-7234: Open redirect vulnerability in
      django.views.static.serve() (Closes: #859516)

python-pysaml2 (2.0.0-1+deb8u1) jessie-security; urgency=medium

  * Fix XXE issues on anything where pysaml2 parses XML directly:
    - CVE-2016-10127: backporting upstream patch (Closes: #850716).
    - add python-defusedxml as runtime depends.
    - switch debian/gbp.conf to use debian/jessie as packaging branch.
  * Add python-pymongo as (build-)depends.

r-base (3.1.1-1+deb8u1) jessie-security; urgency=high

  * src/library/grDevices/src/devPS.c: Apply upstream commits r71664 and
    r71667 related to CVE-2016-8714 reported as TALOS-2016-0227

rabbitmq-server (3.3.5-1.1+deb8u1) jessie-security; urgency=medium

  * CVE-2016-9877: apply backported upstream patch (Closes: #849849).

radare2 (0.9.6-3.1+deb8u1) stable; urgency=medium

  * Add patches to fix security bug (Closes: #856063)
    - CVE-2017-6197
      The r_read_* functions in libr/include/r_endian.h in radare2 1.2.1
      allows remote attackers to cause a denial of service (NULL pointer
      dereference and application crash) via a crafted binary file, as
      demonstrated by the r_read_le32 function.

ruby-archive-tar-minitar (0.5.2-2+deb8u1) jessie-security; urgency=high

  * Non-maintainer upload by the Security Team.
  * CVE-2016-10173: directory traversal vulnerability (Closes: #853249)

ruby-zip (1.1.6-1+deb8u1) jessie-security; urgency=high

  * Non-maintainer upload by the Security Team.

  [ Antonio Terceiro ]
  * debian/patches/ftbfs-jessie.patch: fix build failure on jessie

  [ Salvatore Bonaccorso ]
  * CVE-2017-5946: directory traversal vulnerability in Zip::File
    component (Closes: #856269)

samba (2:4.2.14+dfsg-0+deb8u5) jessie-security; urgency=high
  * This is a security release in order to fix regressions from
    CVE-2017-2619
  * Fix "follow symlink = no" (Closes: #858564)
    - s3: smbd: Fix incorrect logic exposed by fix for the security bug
      12496 (CVE-2017-2619).
    - s3: smbd: Fix "follow symlink = no" regression part 2.
    - s3: smbd: Fix "follow symlink = no" regression part 2.
  * Fix shadow_copy2 (Closes: #858648, #858590)
    - vfs_shadow_copy: handle non-existent files and wildcards
    - vfs_shadow_copy2: fix crash in 4.2.x backport
    - vfs_shadow_copy2: add a blackbox test suite
    - s3: libsmb: Correctly align create contexts in a create call.
    - s3: libsmb: Add return args to clistr_is_previous_version_path().
    - s3: libsmb: Add cli_smb2_shadow_copy_data() function that gets
      shadow copy info over SMB2.
    - s3: libsmb: Plumb new SMB2 shadow copy call into
      cli_shadow_copy_data().
    - s3: libsmb: Add the capability to find a @GMT- path in an SMB2
      create and transform to a timewarp token.
    - s2-selftest: run shadow_copy2 test both in NT1 and SMB3 modes
    - selftest: add content to files created during shadow_copy2 test
    - selftest: check file readability in shadow_copy2 test
    - selftest: test listing directories inside snapshots
  * Fix `net ads join` freeze when run a second time (Closes: #859101)
    since 4.2
    - libads: Fix deadlock when re-joining a domain and updating keytab

samba (2:4.2.14+dfsg-0+deb8u4) jessie-security; urgency=high

  * Non-maintainer upload by the Security Team.
  * Add additional changes required for the CVE-2017-2619 fix
    - s3/smbd: re-open directory after dptr_CloseDir()
    - s4/torture: add SMB2_FIND tests with SMB2_CONTINUE_FLAG_REOPEN flag

samba (2:4.2.14+dfsg-0+deb8u3) jessie-security; urgency=high

  * This is a security release in order to address the following defects:
    - CVE-2017-2619: symlink race permits opening files outside share
      directory
  * CVE-2017-2619 requires the following changes:
    - s3: vfs: dirsort doesn't handle opendir of "." correctly.
    - s3: smbd: Correctly canonicalize any incoming shadow copy path.
    - s3: lib: Add canonicalize_absolute_path().
    - s3: smbd: Make set_conn_connectpath() call
      canonicalize_absolute_path().
    - s3: VFS: shadow_copy2: Correctly initialize timestamp and stripped
      variables.
    - s3: VFS: shadow_copy2: Ensure pathnames for parameters are correctly
      relative and terminated.
    - s3: VFS: shadow_copy2: Fix length comparison to ensure we don't
      overstep a length.
    - s3: VFS: shadow_copy2: Add two new variables to the config data.
      Not yet used.
    - s3: VFS: shadow_copy2: Add a wrapper function to call the original
      shadow_copy2_strip_snapshot().
    - s3: VFS: shadow_copy2: Change a parameter name.
    - s3: VFS: shadow_copy2: Add two currently unused functions to make
      pathnames absolute or relative to $cwd.
    - s3: VFS: shadow_copy2: Fix chdir to store off the needed private
      variables.
    - vfs_shadow_copy2: add shadow_copy2_do_convert()
    - vfs_shadow_copy2: fix case where snapshots are outside the share
    - s3: VFS: Allow shadow_copy2_connectpath() to return the cached path
      derived from $cwd.
    - s3: VFS: Ensure shadow:format cannot contain a / path separator.
    - s3: VFS: Add utility function check_for_converted_path().
    - s3: VFS: shadow_copy2: Fix module to work with variable current
      working directory.
    - s3: VFS: shadow_copy2: Fix a memory leak in the connectpath function.
    - s3: VFS: shadow_copy2: Fix usage of saved_errno to only set errno on
      error.
    - s3: VFS: Don't allow symlink, link or rename on already converted
      paths.
    - s3: VFS: vfs_streams_xattr.c: Make streams_xattr_open() store the
      same path as streams_xattr_recheck().
    - vfs_streams_xattr: use fsp, not base_fsp
    - s3: vfs: streams_depot. Use conn->connectpath not conn->cwd.
    - s3: smbd: Create wrapper function for OpenDir in preparation for
      making robust.
    - s3: smbd: Opendir_internal() early return if SMB_VFS_OPENDIR failed.
    - s3: smbd: Create and use open_dir_safely(). Use from OpenDir().
    - s3: smbd: OpenDir_fsp() use early returns.
    - s3: smbd: OpenDir_fsp() - Fix memory leak on error.
    - s3: smbd: Move the reference counting and destructor setup to just
      before returning success.
    - s3: smbd: Correctly fallback to open_dir_safely if FDOPENDIR not
      supported on system.
    - s3: smbd: Remove O_NOFOLLOW guards. We insist on O_NOFOLLOW existing.
    - s3: smbd: Move special handling of symlink errno's into a utility
      function.
    - s3: smbd: Add the core functions to prevent symlink open races.
    - s3: smbd: Use the new non_widelink_open() function.

sane-backends (1.0.24-8+deb8u2) stable; urgency=medium

  * CVE-2017-6318:
    - New debian/patches/0500-CVE-2017-6318.patch
      + cherry-picked from upstream to fix memory corruption and
        information leakage (Closes: #854804).

sendmail (8.14.4-8+deb8u2) jessie; urgency=medium

  * QA upload.
  * Only touch files as smmsp:smmsp in /var/run/sendmail/stampdir
    (writable by group smmsp) to avoid possible privilege escalation.
    (Closes: #841257)
  * Use lockfile-create (from lockfile-progs) instead of touch to manage
    the cronjob lockfiles.
  * sendmail-base: Add Depends: netbase for /etc/services.

shadow (1:4.2-3+deb8u3) jessie-security; urgency=high

  * Fix integer overflow in getulong.c (CVE-2016-6252) (Closes: #832170)
  * Refresh patches
  * Add myself to uploaders replacing Nicolas FRANCOIS (Nekral)

shadow (1:4.2-3+deb8u2) jessie-security; urgency=high

  * Non-maintainer upload by the Security Team.
  * su: properly clear child PID (CVE-2017-2616) (Closes: #855943)

sitesummary (0.1.17+deb8u3) jessie; urgency=medium

  [ Wolfgang Schweer ]
  * Fix d/sitesummary.prerm and provide mandatory facilities. Cherrypicked
    from commit 3cff262 (master branch / 0.1.21 release).
    (Closes: #823688).

sitesummary (0.1.17+deb8u2) jessie-security; urgency=high

  * Backport RC fix from unstable.

  [ Wolfgang Schweer ]
  * Adjust sitesummary-upload to use CRLF (\r\n) line endings to be
    compliant with apache 2.4.25 security fixes for HTTP requests.
    (Closes: #852623).

smemstat (0.01.10-2) stable; urgency=medium
  * Fix null ptr dereference when UID can't be read (Closes: #852070)

spice (0.12.5-1+deb8u4) jessie-security; urgency=high

  * Non-maintainer upload by the Security Team.
  * Prevent possible DoS attempts during protocol handshake (CVE-2016-9578)
  * Prevent integer overflows in capability checks (CVE-2016-9578)
  * main-channel: Prevent overflow reading messages from client
    (CVE-2016-9577)

spip (3.0.17-2+deb8u3) jessie; urgency=medium

  * Document CVE in previous changelog entry
  * Update security screen to 1.3.0
  * Backport security fixes from 3.0.23
    - Multiple XSS issues
  * Backport security fixes from 3.0.24
    - Server side request forgery (SSRF) attacks via the var_url parameter
      [CVE-2016-7999]
    - Directory traversal vulnerability in ecrire/exec/valider_xml.php
      [CVE-2016-7982]
    - Execution of arbitrary PHP code by authenticated users
      [CVE-2016-7998]
    - Cross-site request forgery (CSRF) vulnerability in
      ecrire/exec/valider_xml.php [CVE-2016-7980]
    - Cross-site scripting (XSS) vulnerability in valider_xml.php
      [CVE-2016-7981]
  * Backport security fixes from 3.2-alpha-1
    - Reflected Cross Site Scripting Vulnerabilities in
      /ecrire/exec/puce_statut.php and /ecrire/exec/info_plugin.php
      [CVE-2016-9997] [CVE-2016-9998] (Closes: #848641)
    - Cross-site scripting (XSS) vulnerability in ecrire/exec/plonger.php
      [CVE-2016-9152] (Closes: #847156)
  * Backport security fix from 3.0.25
    - Execution of arbitrary PHP code

sus (7.20161013~deb8u1) jessie; urgency=medium

  * Non-maintainer upload.
  * Rebuild for jessie.
  * Revert debhelper to compat level 9.

sus (7.20161013) unstable; urgency=medium

  * New upstream release: contains SUSv4 TC2; update checksum
    (Closes: #840318)
  * urgency=medium since susv4 is no longer installable
  * debian/compat: Use debhelper v10
  * debian/control:
    - Bump Standards-Version to 3.9.8 (No changes needed)

sus (7.20160312) unstable; urgency=medium
  * The upstream tarball for SUSv4 TC1 changed; update checksum
    (Closes: #817819)
  * urgency=medium since susv4 is no longer installable
  * debian/control:
    - Bump Standards-Version to 3.9.7 (No changes needed)

svgsalamander (0~svn95-1+deb8u1) jessie-security; urgency=high

  * Team upload.
  * Add patch by Vincent Privat to fix CVE-2017-5617 (SSRF).
    (closes: #853134)

synergy (1.4.16-1+deb8u1) jessie; urgency=medium

  * Added ensure_non00_cursor.patch to fix a crash when synergyc starts.
    Closes: #854567

systemd (215-17+deb8u7) stable; urgency=medium

  * bus: Fix bus_print_property() to use "int" for booleans. This fixes
    the problem that on big endian architectures, like mips or powerpc,
    boolean properties that were retrieved via sd-bus were always set to 0
    (no). (Closes: #774430)
  * systemctl: Add is-enabled support for SysV init scripts. The
    update-rc.d utility does not provide is-enabled, so implement it
    ourselves in systemctl using the same logic as systemd-sysv-install
    from Stretch. (Closes: #809405)
  * core: If the start command vanishes during runtime don't hit an
    assert. This can happen when the configuration is changed and reloaded
    while we are executing a service. Let's not hit an assert in this
    case. (Closes: #856985)
  * automount: If an automount unit is masked, don't react to activation
    anymore. Otherwise we'll hit an assert sooner or later.
    (Closes: #856035)

tcpdump (4.9.0-1~deb8u1) jessie-security; urgency=high

  * Backport to jessie:
    + Re-enable crypto support.
    + Disable tests that require newer libpcap features: Geneve (1.7) and
      file format version checks (1.8), and relax B-D on libpcap0.8-dev.

tcpdump (4.9.0-1) unstable; urgency=high

  * New upstream security release, fixing the following:
    + CVE-2016-7922: buffer overflow in print-ah.c:ah_print().
    + CVE-2016-7923: buffer overflow in print-arp.c:arp_print().
    + CVE-2016-7924: buffer overflow in print-atm.c:oam_print().
    + CVE-2016-7925: buffer overflow in print-sl.c:sl_if_print().
    + CVE-2016-7926: buffer overflow in print-ether.c:ethertype_print().
    + CVE-2016-7927: buffer overflow in
      print-802_11.c:ieee802_11_radio_print().
    + CVE-2016-7928: buffer overflow in print-ipcomp.c:ipcomp_print().
    + CVE-2016-7929: buffer overflow in
      print-juniper.c:juniper_parse_header().
    + CVE-2016-7930: buffer overflow in print-llc.c:llc_print().
    + CVE-2016-7931: buffer overflow in print-mpls.c:mpls_print().
    + CVE-2016-7932: buffer overflow in print-pim.c:pimv2_check_checksum().
    + CVE-2016-7933: buffer overflow in print-ppp.c:ppp_hdlc_if_print().
    + CVE-2016-7934: buffer overflow in print-udp.c:rtcp_print().
    + CVE-2016-7935: buffer overflow in print-udp.c:rtp_print().
    + CVE-2016-7936: buffer overflow in print-udp.c:udp_print().
    + CVE-2016-7937: buffer overflow in print-udp.c:vat_print().
    + CVE-2016-7938: integer overflow in print-zeromq.c:zmtp1_print_frame().
    + CVE-2016-7939: buffer overflow in print-gre.c, multiple functions.
    + CVE-2016-7940: buffer overflow in print-stp.c, multiple functions.
    + CVE-2016-7973: buffer overflow in print-atalk.c, multiple functions.
    + CVE-2016-7974: buffer overflow in print-ip.c, multiple functions.
    + CVE-2016-7975: buffer overflow in print-tcp.c:tcp_print().
    + CVE-2016-7983: buffer overflow in print-bootp.c:bootp_print().
    + CVE-2016-7984: buffer overflow in print-tftp.c:tftp_print().
    + CVE-2016-7985: buffer overflow in print-calm-fast.c:calm_fast_print().
    + CVE-2016-7986: buffer overflow in print-geonet.c, multiple functions.
    + CVE-2016-7992: buffer overflow in print-cip.c:cip_if_print().
    + CVE-2016-7993: a bug in util-print.c:relts_print() could cause a
      buffer overflow in multiple protocol parsers (DNS, DVMRP, HSRP, IGMP,
      lightweight resolver protocol, PIM).
    + CVE-2016-8574: buffer overflow in print-fr.c:frf15_print().
    + CVE-2016-8575: buffer overflow in print-fr.c:q933_print().
    + CVE-2017-5202: buffer overflow in print-isoclns.c:clnp_print().
    + CVE-2017-5203: buffer overflow in print-bootp.c:bootp_print().
    + CVE-2017-5204: buffer overflow in print-ip6.c:ip6_print().
    + CVE-2017-5205: buffer overflow in print-isakmp.c:ikev2_e_print().
    + CVE-2017-5341: buffer overflow in print-otv.c:otv_print().
    + CVE-2017-5342: a bug in multiple protocol parsers (Geneve, GRE, NSH, OTV, VXLAN and VXLAN GPE) could cause a buffer overflow in print-ether.c:ether_print().
    + CVE-2017-5482: buffer overflow in print-fr.c:q933_print().
    + CVE-2017-5483: buffer overflow in print-snmp.c:asn1_parse().
    + CVE-2017-5484: buffer overflow in print-atm.c:sig_print().
    + CVE-2017-5485: buffer overflow in addrtoname.c:lookup_nsap().
    + CVE-2017-5486: buffer overflow in print-isoclns.c:clnp_print().
  * Re-enable all tests and bump build-dep on libpcap0.8-dev to >= 1.8 accordingly.
  * Switch Vcs-Git URL to the https one.
  * Adjust lintian override name about dh 9.
  .
tcpdump (4.8.1-2) unstable; urgency=medium
  .
  * Disable new HNCP test, which fails on some buildds for some as-of-yet unexplained reason.
  .
tcpdump (4.8.1-1) unstable; urgency=medium
  .
  * New upstream release.
  * Re-enable Geneve tests (disabled in 4.7.4-1) and bump build-dep on libpcap0.8-dev to >= 1.7 accordingly.
  * Disable new pcap version tests which require libpcap 1.8+.
  .
tcpdump (4.7.4-3) unstable; urgency=medium
  .
  * Use dh-autoreconf instead of calling autoconf directly and patching config.{guess,sub}.
  * Call dh_auto_configure instead of configure in override target, patch by Helmut Grohne (closes: #837951).
  .
tcpdump (4.7.4-2) unstable; urgency=medium
  .
  * Disable crypto support as it causes FTBFS with OpenSSL 1.1.x and we don't have a working fix upstream yet (closes: #828569).
  * Bump Standards-Version to 3.9.8.
  * Use cgit URL for Vcs-Browser.
  .
tcpdump (4.7.4-1) unstable; urgency=medium
  .
  * New upstream release.
  * Disable two geneve tests that require libpcap 1.7+.
  * Bump Standards-Version to 3.9.6.

tcpdump (4.8.1-2) unstable; urgency=medium
  .
  * Disable new HNCP test, which fails on some buildds for some as-of-yet unexplained reason.
tcpdump (4.8.1-1) unstable; urgency=medium
  .
  * New upstream release.
  * Re-enable Geneve tests (disabled in 4.7.4-1) and bump build-dep on libpcap0.8-dev to >= 1.7 accordingly.
  * Disable new pcap version tests which require libpcap 1.8+.

tcpdump (4.7.4-3) unstable; urgency=medium
  .
  * Use dh-autoreconf instead of calling autoconf directly and patching config.{guess,sub}.
  * Call dh_auto_configure instead of configure in override target, patch by Helmut Grohne (closes: #837951).

tcpdump (4.7.4-2) unstable; urgency=medium
  .
  * Disable crypto support as it causes FTBFS with OpenSSL 1.1.x and we don't have a working fix upstream yet (closes: #828569).
  * Bump Standards-Version to 3.9.8.
  * Use cgit URL for Vcs-Browser.

tcpdump (4.7.4-1) unstable; urgency=medium
  .
  * New upstream release.
  * Disable two geneve tests that require libpcap 1.7+.
  * Bump Standards-Version to 3.9.6.

tcpdump (4.7.4-1~bpo70+1) wheezy-backports-sloppy; urgency=low
  .
  * Rebuild for wheezy-backports-sloppy.

tcpdump (4.7.4-1~bpo8+1) jessie-backports; urgency=low
  .
  * Rebuild for jessie-backports.

texlive-base (2014.20141024-2+deb8u1) jessie-security; urgency=high
  .
  * remove mpost from list of shell_escape_commands (CVE-2016-10243)

tiff (4.0.3-12.3+deb8u2) jessie-security; urgency=high
  .
  * Backport fix for the following vulnerabilities:
    - CVE-2016-5314, CVE-2016-5315, CVE-2016-5316, CVE-2016-5317: several out of bound writes in the rgb2ycbcr tool (closes: #830700),
    - CVE-2016-5320, rgb2ycbcr: command execution,
    - CVE-2016-5875, heap-based buffer overflow when using the PixarLog compression format,
    - CVE-2016-6223, information leak in libtiff/tif_read.c (closes: #842270),
    - CVE-2016-5321: DumpModeDecode() DoS,
    - CVE-2016-5323: _TIFFFax3fillruns() NULL pointer dereference,
    - CVE-2016-3945: out-of-bounds write in the tiff2rgba tool,
    - CVE-2016-3990: out-of-bounds write in horizontalDifference8() in tiffcp tool (closes: #836570),
    - CVE-2016-3991: heap-based buffer overflow in the loadImage function in the tiffcrop tool,
    - CVE-2016-5322: extractContigSamplesBytes: out-of-bounds read in the tiffcrop tool,
    - CVE-2016-3623: rgb2ycbcr tool DoS by setting the (1) '-v' or (2) '-h' parameter to 0,
    - CVE-2016-9533: PixarLog horizontalDifference heap-buffer-overflow,
    - CVE-2016-9534: TIFFFlushData1 heap-buffer-overflow,
    - CVE-2016-9535: Predictor heap-buffer-overflow,
    - CVE-2016-9536: t2p_process_jpeg_strip heap-buffer-overflow,
    - CVE-2016-9537: out-of-bounds write vulnerabilities in buffers of tiffcrop,
    - CVE-2016-9538: read of undefined buffer in readContigStripsIntoBuffer() due to uint16 overflow,
    - CVE-2016-9540: out-of-bounds write on tiled images,
    - CVE-2016-3624: rgb2ycbcr tool DoS by setting the '-v' option to -1,
    - CVE-2016-3622: divide-by-zero error in the tiff2rgba tool (closes: #820365),
    - CVE-2016-5652: fix write buffer overflow of 2 bytes on JPEG compressed images (closes: #842361),
    - CVE-2016-9453: out-of-bounds write memcpy in tiff2pdf tool,
    - CVE-2016-9273: read outside of array in tiffsplit tool (closes: #844013),
    - CVE-2016-9532: heap buffer overflow via writeBufferToSeparateStrips in the tiffcrop tool (closes: #844057),
    - CVE-2016-9297: potential read outside buffer in _TIFFPrintField() (closes: #844226),
    - CVE-2016-9448: invalid read of size 1 in TIFFFetchNormalTag, regression of CVE-2016-9297,
    - CVE-2016-10092: heap-buffer-overflow in tiffcrop,
    - CVE-2016-10093: uint32 underflow/overflow that can cause heap-based buffer overflow in tiffcp,
    - CVE-2016-10094: off-by-one error in tiff2pdf.
  * Fix CVE-2015-8668 (closes: #842046), CVE-2016-3619 (closes: #820362), CVE-2016-3620 (closes: #820363), CVE-2016-3621 (closes: #820364) and CVE-2016-5319 by removing bmp2tiff.
  * Fix CVE-2016-3186 (closes: #819972) and CVE-2016-5102 by removing gif2tiff.
  * Fix CVE-2016-3631 (closes: #820366), CVE-2016-3632, CVE-2016-3633, CVE-2016-3634 and CVE-2016-8331 by removing thumbnail.
  * Remove no longer supported ras2tiff tool.

tnef (1.4.9-1+deb8u2) jessie-security; urgency=high
  .
  * Non-maintainer upload by the Wheezy LTS Team.
  * While fixing the CVEs, upstream introduced a regression; fix-regression-1.patch and fix-regression-2.patch take care of that. (Closes: #857342)

tnef (1.4.9-1+deb8u1) jessie-security; urgency=high
  .
  * Non-maintainer upload by the Wheezy LTS Team. (Closes: #856117)
  * CVE-2017-6307: An issue was discovered in tnef before 1.4.13. Two OOB Writes have been identified in src/mapi_attr.c:mapi_attr_read(). These might lead to invalid read and write operations, controlled by an attacker.
  * CVE-2017-6308: An issue was discovered in tnef before 1.4.13. Several Integer Overflows, which can lead to Heap Overflows, have been identified in the functions that wrap memory allocation.
  * CVE-2017-6309: An issue was discovered in tnef before 1.4.13. Two type confusions have been identified in the parse_file() function. These might lead to invalid read and write operations, controlled by an attacker.
  * CVE-2017-6310: An issue was discovered in tnef before 1.4.13. Four type confusions have been identified in the file_add_mapi_attrs() function. These might lead to invalid read and write operations, controlled by an attacker.

tomcat7 (7.0.56-3+deb8u9) jessie-security; urgency=high
  .
  * Team upload.
  * Add BZ57544-infinite-loop-part2.patch. Fix regression due to an incomplete fix for CVE-2017-6056. See #854551 for further information.

tomcat7 (7.0.56-3+deb8u8) jessie-security; urgency=high
  .
  * Team upload.
  * Add BZ57544-infinite-loop.patch: It was found that https GET requests could trigger an infinite loop and thus cause a denial-of-service. (Closes: #854551)

tomcat8 (8.0.14-1+deb8u8) jessie-security; urgency=high
  .
  * Team upload.
  * Add BZ57544-infinite-loop-part2.patch. Fix regression (400 HTTP errors) due to an incomplete fix for CVE-2017-6056. See #854551 for further information.

tomcat8 (8.0.14-1+deb8u7) jessie-security; urgency=high
  .
  * Team upload.
  * Add BZ57544-infinite-loop.patch: It was found that https GET requests could trigger an infinite loop and thus cause a denial-of-service. (Closes: #851304)

transmissionrpc (0.11-1+deb8u1) stable; urgency=medium
  .
  * Add dependency to python{3,}-six (Closes: #851247)

tryton-server (3.4.0-3+deb8u3) jessie-security; urgency=high
  .
  * Add 05_CVE-2017-0360_sanitize_file_open.patch (CVE-2017-0360). Sanitize path in file_open against suffix. The patch for CVE-2016-1242 did not cover all cases. Indeed there is a case where an external file could be retrieved if it is stored in a folder next to the root of trytond starting with the same name but with a suffix. Example: '../trytond_suffix'.

tzdata (2017b-0+deb8u1) stable; urgency=medium
  .
  * New upstream version, affecting the following future timestamp:
    - Haiti resumed observance of DST in 2017.

tzdata (2017a-1) unstable; urgency=medium
  .
  [ Aurelien Jarno ]
  * New upstream version, affecting the following future timestamp:
    - Mongolia no longer observes DST.
    - Magallanes region diverges from Santiago starting 2017-05-13, the America/Punta_Arenas zone has been added.
  * Update Dutch debconf translation, by Frans Spiesschaert. Closes: #849234.
  * Update Japanese debconf translation, by victory.
  * Update French debconf translation, by Baptiste Jammet. Closes: #851589.
  * Remove /etc/localtime on purge. Closes: #854141.
  * Update Danish debconf translation, by Joe Hansen. Closes: #856785.

tzdata (2017a-0+deb8u1) stable; urgency=medium
  .
  * New upstream version, affecting the following future timestamp:
    - Mongolia no longer observes DST.
    - Magallanes region diverges from Santiago starting 2017-05-13, the America/Punta_Arenas zone has been added.
  * Allow partially translated choices in debconf templates.
  * Update translations from the sid package.

tzdata (2016j-2) unstable; urgency=medium
  .
  [ Aurelien Jarno ]
  * Allow partially translated choices in debconf templates.
  * Update Dutch debconf translation, by Frans Spiesschaert. Closes: #845691.

tzdata (2016j-1) unstable; urgency=medium
  .
  [ Aurelien Jarno ]
  * New upstream version, affecting the following future timestamp:
    - Saratov, Russia switches from +03 to +04 on 2016-12-04 at 02:00.
  * Update templates and translations.

unzip (6.0-16+deb8u3) jessie; urgency=medium
  .
  * Update patch 12-cve-2014-9636-test-compr-eb to follow revised patch "unzip-6.0_overflow3.diff" from mancha (patch author).
  * Fix CVE-2014-9913, buffer overflow in unzip. Closes: #847485. Patch by the author.
  * Fix CVE-2016-9844, buffer overflow in zipinfo. Closes: #847486. Patch by the author.

uwsgi (2.0.7-1+deb8u1) jessie; urgency=medium
  .
  * Add patch cherry-picked upstream to fix compilation with recent glibc. Closes: Bug#854535. Thanks to Masahiro Yamada.

uzbek-wordlist (0.6-3.2+deb8u1) jessie-security; urgency=medium
  .
  * Non-maintainer upload.
  * Drop unversioned conflict on thunderbird

viewvc (1.1.22-1+deb8u1) jessie-security; urgency=high
  .
  * Non-maintainer upload
  * [SECURITY] Fix "CVE-2017-5938" (escape nav_data name to avoid XSS attack)

vim (2:7.4.488-7+deb8u3) jessie; urgency=medium
  .
  * Backport upstream patches v8.0.0377 & v8.0.0378, to fix buffer overflows when reading corrupted undo files. (Closes: #856266, CVE-2017-6349, CVE-2017-6350)

vim (2:7.4.488-7+deb8u2) jessie-security; urgency=high
  .
  * Backport patch 8.0.0322 to fix a buffer overflow if a spellfile has an invalid length in it. (Closes: #854969, CVE-2017-5953)

vlc (2.2.5-1~deb8u1) jessie; urgency=medium
  .
  * New upstream release.
    - adpcm: Fix heap corruption.
    - dvd: Fix heap corruption.
    - asf: Fix integer overflow.
    - mp4: Fix divide-by-zero error and heap buffer overflow.
    - flac: Fix integer overflow and NULL pointer dereference.
    - ftp: Fix scan string injection.
    - voc: Fix divide-by-zero error.
    - xa: Fix divide-by-zero error.
    - smf: Fix divide-by-zero error.
    - nsvf: Fix infinite loop.
    - aiff: Fix infinite loop.

vlc (2.2.4-14) unstable; urgency=medium
  .
  [ Mateusz Łukasik ]
  * Update to ffmpeg 2.8.11.

vlc (2.2.4-13) unstable; urgency=medium
  .
  * debian/control: Switch to libopenmpt's libmodplug compat layer.

vlc (2.2.4-12) unstable; urgency=medium
  .
  * Update to ffmpeg 2.8.10.

vlc (2.2.4-11) unstable; urgency=medium
  .
  * debian/patches: Apply upstream patch to fix VLSub incorrectly announcing HTTP 1.1 support. (Closes: #847559)
  * debian/control: Make vlc-plugin-skins2 depend on vlc-plugin-qt.

vlc (2.2.4-10) unstable; urgency=medium
  .
  * debian/{control,*.links,*.install}: Move qvlc and svlc binaries to vlc-plugin-qt and vlc-plugin-skins2. Also add vlc-bin to Recommends. (Closes: #841530)
  * Update to ffmpeg 2.8.9.

vlc (2.2.4-9) unstable; urgency=medium
  .
  * debian/control: Drop dh_buildinfo. This is now automatically recorded by dpkg.
  * debian/bug-control: Update list of packages.
  * debian/{control,rules,vlc-plugin-base.install}: Remove libschroedinger plugin since the library is about to be removed. See #845037 for details.

vlc (2.2.4-8) unstable; urgency=medium
  .
  * debian/NEWS: Remove NEWS entry on package split. On upgrade, new Recommends are installed by apt anyway.
  * debian/control:
    - Switch from liblircclient-dev to liblirc-dev.
    - Remove shlibs:Depends from vlc's Depends.
  * debian/rules: Add --disable-neon when building with noopt.
  * debian/patches:
    - drop-check-qt-check.patch: Remove obsolete patches.
    - multiple: Add upstream patches to generate default skins2 skin reproducibly. (Closes: #841525)

vlc (2.2.4-7) unstable; urgency=medium
  .
  * Split plugins and binaries into different packages. (Closes: #513177)
    - libvlc-bin: contains vlc-cache-gen and triggers plugin cache generation.
    - vlc-bin: the VLC binaries.
    - vlc-plugin-base: "base" set of plugins.
    - vlc-plugin-qt: the Qt interface.
    - vlc-plugin-skins2: the Skins2 interface.
    - vlc-plugin-access-extra: extra access plugins.
    - vlc-plugin-visualization: visualization plugins.
    - vlc-plugin-video-splitter: video splitter plugins.
    - vlc-plugin-video-output: video output plugins.
    - vlc-l10n: translations.
    - vlc: contains desktop integration and pulls in most plugins as before.
    - vlc-nox: transitional dummy package
  * Move libraries and plugins to multi-arch locations.
    - debian/control:
      + Add M-A: same for library and plugin packages.
      + Remove most Breaks and Replaces as they are now obsolete.
    - debian/rules: Do not override libdir.
    - debian/*.{lintian-overrides,install}: Update paths for M-A locations.

vlc (2.2.4-6) unstable; urgency=medium
  .
  * debian/*.maintscript: Bump all versions to fix symlink-to-directory conversions. (Closes: #814646)

vlc (2.2.4-5) unstable; urgency=medium
  .
  * Update ffmpeg to 2.8.8.

vlc (2.2.4-4) unstable; urgency=medium
  .
  [ Pino Toscano ]
  * Install solid actions in Frameworks location. (Closes: #834884)
  .
  [ Sebastian Ramacher ]
  * Bump debhelper compat to 10.

vlc (2.2.4-3) unstable; urgency=medium
  .
  [ Mateusz Łukasik ]
  * debian/control:
    - Remove Clément Stenac from Uploaders. Thanks for your job!
  .
  [ Sebastian Ramacher ]
  * debian/patches/{vlc_atomic*,Fix-build-using-old-GCC-intrinsics}.patch: Fix FTBFS with GCC 6 (Closes: #831199)

vlc (2.2.4-2) unstable; urgency=medium
  .
  * Build ffmpeg without libopenjpeg (Closes: #826827)
    - debian/control: Remove libopenjpeg-dev from B-D.
    - debian/rules: Build ffmpeg with --disable-libopenjpeg.
  * debian/rules: Revert workaround for zsh completion build failures on powerpc. The underlying issue seems to be fixed.

vlc (2.2.4-1) unstable; urgency=medium
  .
  * New upstream release.
  * debian/patches:
    - g711-fix-dangling-pointer-fixes-16909.patch, adpcm-reject-invalid-QuickTime-IMA-files.patch, zsh-completion.patch, frenchtv-links.patch, fix-Hurd-build.patch, the-Hurd-also-uses-the-.so-extension-for-libraries.patch: Removed, all included upstream.
    - generated-mimetypes.patch: Upstream patch for auto-generated list of mime types. (Closes: #822245)
  * debian/{rules,vlc-nox.install}: No longer install old BluRay access plugin. (LP: #864933)
  * debian/rules: No longer disable i686 optimization on i386 architectures.

webissues-server (0.8.5-3+deb8u1) jessie; urgency=medium
  .
  * QA Upload.
  * postrm purge: Check for ucf before calling it. (Closes: #677062)

weechat (1.0.1-1+deb8u1) jessie-security; urgency=high
  .
  * Non-maintainer upload by the Security Team.
  * irc: fix parsing of DCC filename (CVE-2017-8073) (Closes: #861121)

weechat (1.0.1-1+deb8u1~bpo70+1) wheezy-backports; urgency=low
  .
  * Rebuild for wheezy-backports.
  .
weechat (1.0.1-1+deb8u1) jessie-security; urgency=high
  .
  * Non-maintainer upload by the Security Team.
  * irc: fix parsing of DCC filename (CVE-2017-8073) (Closes: #861121)

wget (1.16-1+deb8u2) jessie; urgency=medium
  .
  * added upstream patch to fix CVE-2017-6508 closes: Bug#857073

wireshark (1.12.1+g01b65bf-4+deb8u11) jessie-security; urgency=high
  .
  [ Balint Reczey ]
  * security fixes from Wireshark 2.0.10:
    - The ASTERIX dissector could go into an infinite loop. Discovered by Antti Levomäki and Christian Jalio, Forcepoint. (CVE-2017-5596)
    - The DHCPv6 dissector could go into a large loop. Discovered by Antti Levomäki and Christian Jalio, Forcepoint. (CVE-2017-5597)
  * security fixes from Wireshark 2.0.11:
    - The NetScaler file parser could enter an infinite loop (CVE-2017-6467)
    - The NetScaler file parser could crash (CVE-2017-6468)
    - The LDSS dissector could crash (CVE-2017-6469)
    - The IAX2 dissector could enter an infinite loop (CVE-2017-6470)
    - The WSP dissector could enter an infinite loop (CVE-2017-6471)
    - The K12 file parser could crash (CVE-2017-6473)
    - The NetScaler file parser could enter an infinite loop (CVE-2017-6474)
  * security fixes from Wireshark 2.2.5:
    - The RTMPT dissector could enter an infinite loop (CVE-2017-6472)
  .
  [ Chris Lamb ]
  * CVE-2017-6014: Fix memory exhaustion/infinite loop via malformed STANAG 4607 capture file. (Closes: #855408)

wordpress (4.1+dfsg-1+deb8u13) jessie-security; urgency=medium
  .
  * Backport patches from 4.7.3 Closes: #857026
    - CVE-2017-6814 Cross-site scripting (XSS) via media file metadata. Changeset 40155
    - CVE-2017-6815 Control characters can trick redirect URL validation. Changeset 40190
    - CVE-2017-6816 Unintended files can be deleted by administrators using the plugin deletion functionality. Changeset 40176
    - CVE-2017-6817 Cross-site scripting (XSS) via video URL in YouTube embeds. Changeset 40167
  * Not vulnerable:
    - CVE-2017-6819 Cross-site request forgery (CSRF) in Press This leading to excessive use of server resources. Press This introduced in 4.2
    - CVE-2017-6818 Cross-site scripting (XSS) via taxonomy term names.

wordpress (4.1+dfsg-1+deb8u12) jessie-security; urgency=high
  .
  * Backport patches from 4.7.1 Closes: #851310
    - CVE-2016-10066 Potential Remote Command Execution (RCE) in PHPMailer
    - CVE-2017-5488 Authenticated Cross-Site scripting (XSS) in update-core.php
    - CVE-2017-5490 Stored Cross-Site Scripting (XSS) via Theme Name fallback
    - CVE-2017-5491 Post via Email Checks mail.example.com by Default
    - CVE-2017-5492 Accessibility Mode Cross-Site Request Forgery (CSRF)
    - CVE-2017-5493 Cryptographically Weak Pseudo-Random Number Generator
    - CVE-2017-5489 Cross-Site Request Forgery (CSRF) via Flash Upload
    Changesets 39838 and 39857, thanks Seb
  * Backport patches from 4.7.2 Closes: #852767
    - CVE-2017-5610 The user interface for assigning taxonomy terms in Press This is shown to users who do not have permissions to use it. Changeset 39976
    - CVE-2017-5611 WP_Query is vulnerable to a SQL injection (SQLi) Changeset 39962
    - CVE-2017-5612 XSS in the posts list table Changeset 39985
  * Not vulnerable
    - CVE-2017-5487 User Information Disclosure via REST API - API doesn't exist

xmobar (0.22-1+deb8u1) jessie; urgency=medium
  .
  * Update weather feed URL (Closes: #835547)

xshisen (1:1.51-4.1+deb8u1) jessie; urgency=medium
  .
  * QA upload.
  * Set maintainer to the QA team.
  * Fix frequent segfault on start, thanks Alexey Shilin. (Closes: #765504)

yara (3.1.0-2+deb8u1) jessie; urgency=high
  .
  * Add patches for CVE-2016-10210, CVE-2016-10211, CVE-2017-5923, CVE-2017-5924 (Closes: #859821)

zabbix (1:2.2.7+dfsg-2+deb8u2) jessie-security; urgency=medium
  .
  * CVE-2016-10134 (Closes: #850936)

====================================== Sat, 14 Jan 2017 - Debian 8.7 released ======================================

=========================================================================
[Date: Sat, 14 Jan 2017 10:51:10 +0000] [ftpmaster: Archive Administrator]
Removed the following packages from stable:

     ctdb | 2.5.4+debian0-4+deb8u1 | source

------------------- Reason -------------------
[auto-cruft] obsolete source package
----------------------------------------------
=========================================================================

=========================================================================
[Date: Sat, 14 Jan 2017 10:38:25 +0000] [ftpmaster: Archive Administrator]
Removed the following packages from stable:

     icedove-l10n | 1:38.0.1-1~deb8u1 | source
     icedove-l10n-all | 1:38.0.1-1~deb8u1 | all
     icedove-l10n-ar | 1:38.0.1-1~deb8u1 | all
     icedove-l10n-ast | 1:38.0.1-1~deb8u1 | all
     icedove-l10n-be | 1:38.0.1-1~deb8u1 | all
     icedove-l10n-bg | 1:38.0.1-1~deb8u1 | all
     icedove-l10n-bn-bd | 1:38.0.1-1~deb8u1 | all
     icedove-l10n-br | 1:38.0.1-1~deb8u1 | all
     icedove-l10n-ca | 1:38.0.1-1~deb8u1 | all
     icedove-l10n-cs | 1:38.0.1-1~deb8u1 | all
     icedove-l10n-da | 1:38.0.1-1~deb8u1 | all
     icedove-l10n-de | 1:38.0.1-1~deb8u1 | all
     icedove-l10n-el | 1:38.0.1-1~deb8u1 | all
     icedove-l10n-en-gb | 1:38.0.1-1~deb8u1 | all
     icedove-l10n-es-ar | 1:38.0.1-1~deb8u1 | all
     icedove-l10n-es-es | 1:38.0.1-1~deb8u1 | all
     icedove-l10n-et | 1:38.0.1-1~deb8u1 | all
     icedove-l10n-eu | 1:38.0.1-1~deb8u1 | all
     icedove-l10n-fi | 1:38.0.1-1~deb8u1 | all
     icedove-l10n-fr | 1:38.0.1-1~deb8u1 | all
     icedove-l10n-fy-nl | 1:38.0.1-1~deb8u1 | all
     icedove-l10n-ga-ie | 1:38.0.1-1~deb8u1 | all
     icedove-l10n-gd | 1:38.0.1-1~deb8u1 | all
     icedove-l10n-gl | 1:38.0.1-1~deb8u1 | all
     icedove-l10n-he | 1:38.0.1-1~deb8u1 | all
     icedove-l10n-hr | 1:38.0.1-1~deb8u1 | all
     icedove-l10n-hu | 1:38.0.1-1~deb8u1 | all
     icedove-l10n-hy-am | 1:38.0.1-1~deb8u1 | all
     icedove-l10n-id | 1:38.0.1-1~deb8u1 | all
     icedove-l10n-is | 1:38.0.1-1~deb8u1 | all
     icedove-l10n-it | 1:38.0.1-1~deb8u1 | all
     icedove-l10n-ja | 1:38.0.1-1~deb8u1 | all
     icedove-l10n-ko | 1:38.0.1-1~deb8u1 | all
     icedove-l10n-lt | 1:38.0.1-1~deb8u1 | all
     icedove-l10n-nb-no | 1:38.0.1-1~deb8u1 | all
     icedove-l10n-nl | 1:38.0.1-1~deb8u1 | all
     icedove-l10n-nn-no | 1:38.0.1-1~deb8u1 | all
     icedove-l10n-pa-in | 1:38.0.1-1~deb8u1 | all
     icedove-l10n-pl | 1:38.0.1-1~deb8u1 | all
     icedove-l10n-pt-br | 1:38.0.1-1~deb8u1 | all
     icedove-l10n-pt-pt | 1:38.0.1-1~deb8u1 | all
     icedove-l10n-rm | 1:38.0.1-1~deb8u1 | all
     icedove-l10n-ro | 1:38.0.1-1~deb8u1 | all
     icedove-l10n-ru | 1:38.0.1-1~deb8u1 | all
     icedove-l10n-si | 1:38.0.1-1~deb8u1 | all
     icedove-l10n-sk | 1:38.0.1-1~deb8u1 | all
     icedove-l10n-sl | 1:38.0.1-1~deb8u1 | all
     icedove-l10n-sq | 1:38.0.1-1~deb8u1 | all
     icedove-l10n-sr | 1:38.0.1-1~deb8u1 | all
     icedove-l10n-sv-se | 1:38.0.1-1~deb8u1 | all
     icedove-l10n-ta-lk | 1:38.0.1-1~deb8u1 | all
     icedove-l10n-tr | 1:38.0.1-1~deb8u1 | all
     icedove-l10n-uk | 1:38.0.1-1~deb8u1 | all
     icedove-l10n-vi | 1:38.0.1-1~deb8u1 | all
     icedove-l10n-zh-cn | 1:38.0.1-1~deb8u1 | all
     icedove-l10n-zh-tw | 1:38.0.1-1~deb8u1 | all
Closed bugs: 838090

------------------- Reason -------------------
RoQA; superseded by icedove
----------------------------------------------
=========================================================================

=========================================================================
[Date: Sat, 14 Jan 2017 10:38:47 +0000] [ftpmaster: Archive Administrator]
Removed the following packages from stable:

     iceowl-l10n | 4.0.0.1-1~deb8u1 | source
     iceowl-l10n-bg | 4.0.0.1-1~deb8u1 | all
     iceowl-l10n-ca | 4.0.0.1-1~deb8u1 | all
     iceowl-l10n-cs | 4.0.0.1-1~deb8u1 | all
     iceowl-l10n-da | 4.0.0.1-1~deb8u1 | all
     iceowl-l10n-de | 4.0.0.1-1~deb8u1 | all
     iceowl-l10n-en-gb | 4.0.0.1-1~deb8u1 | all
     iceowl-l10n-es-ar | 4.0.0.1-1~deb8u1 | all
     iceowl-l10n-es-es | 4.0.0.1-1~deb8u1 | all
     iceowl-l10n-et | 4.0.0.1-1~deb8u1 | all
     iceowl-l10n-eu | 4.0.0.1-1~deb8u1 | all
     iceowl-l10n-fr | 4.0.0.1-1~deb8u1 | all
     iceowl-l10n-fy-nl | 4.0.0.1-1~deb8u1 | all
     iceowl-l10n-ga-ie | 4.0.0.1-1~deb8u1 | all
     iceowl-l10n-hr | 4.0.0.1-1~deb8u1 | all
     iceowl-l10n-hu | 4.0.0.1-1~deb8u1 | all
     iceowl-l10n-is | 4.0.0.1-1~deb8u1 | all
     iceowl-l10n-it | 4.0.0.1-1~deb8u1 | all
     iceowl-l10n-ja | 4.0.0.1-1~deb8u1 | all
     iceowl-l10n-ko | 4.0.0.1-1~deb8u1 | all
     iceowl-l10n-nl | 4.0.0.1-1~deb8u1 | all
     iceowl-l10n-nn-no | 4.0.0.1-1~deb8u1 | all
     iceowl-l10n-pl | 4.0.0.1-1~deb8u1 | all
     iceowl-l10n-ru | 4.0.0.1-1~deb8u1 | all
     iceowl-l10n-sk | 4.0.0.1-1~deb8u1 | all
     iceowl-l10n-sv-se | 4.0.0.1-1~deb8u1 | all
     iceowl-l10n-zh-cn | 4.0.0.1-1~deb8u1 | all
     iceowl-l10n-zh-tw | 4.0.0.1-1~deb8u1 | all
Closed bugs: 838091

------------------- Reason -------------------
RoQA; superseded by iceowl
----------------------------------------------
=========================================================================

=========================================================================
[Date: Sat, 14 Jan 2017 10:38:56 +0000] [ftpmaster: Archive Administrator]
Removed the following packages from stable:

     icedtea-7-jre-jamvm | 7u75-2.5.4-2 | mips
Closed bugs: 838092

------------------- Reason -------------------
RoQA; NBS
----------------------------------------------
=========================================================================

=========================================================================
[Date: Sat, 14 Jan 2017 10:39:07 +0000] [ftpmaster: Archive Administrator]
Removed the following packages from stable:

     icedtea-7-jre-jamvm | 7u79-2.5.6-1~deb8u1 | mipsel
Closed bugs: 838093

------------------- Reason -------------------
RoQA; NBS
----------------------------------------------
=========================================================================

=========================================================================
[Date: Sat, 14 Jan 2017 10:39:19 +0000] [ftpmaster: Archive Administrator]
Removed the following packages from stable:

     openjdk-7-jre-zero | 7u79-2.5.6-1~deb8u1 | arm64
Closed bugs: 838094

------------------- Reason -------------------
RoQA; NBS
----------------------------------------------
=========================================================================

=========================================================================
[Date: Sat, 14 Jan 2017 10:40:12 +0000] [ftpmaster: Archive Administrator]
Removed the following packages from stable:

     ctdb-dbg | 2.5.4+debian0-4+deb8u1 | amd64, arm64, armel, armhf, i386, mips, mipsel, powerpc, ppc64el, s390x
     ctdb-pcp-pmda | 2.5.4+debian0-4+deb8u1 | amd64, arm64, armel, armhf, i386, mips, mipsel, powerpc, ppc64el, s390x
     libctdb-dev | 2.5.4+debian0-4+deb8u1 | amd64, arm64, armel, armhf, i386, mips, mipsel, powerpc, ppc64el, s390x
Closed bugs: 838962

------------------- Reason -------------------
RoQA; NBS
----------------------------------------------
=========================================================================

=========================================================================
[Date: Sat, 14 Jan 2017 10:40:33 +0000] [ftpmaster: Archive Administrator]
Removed the following packages from stable:

     dotclear | 2.6.4+dfsg-1 | source, all
Closed bugs: 844695

------------------- Reason -------------------
RoST; multiple security issues
----------------------------------------------
=========================================================================

=========================================================================
[Date: Sat, 14 Jan 2017 10:40:52 +0000] [ftpmaster: Archive Administrator]
Removed the following packages from stable:

     sogo | 2.2.9+git20141017-1 | source, amd64, arm64, armel, armhf, i386, mips, mipsel, powerpc, ppc64el, s390x
     sogo-common | 2.2.9+git20141017-1 | all
     sogo-dbg | 2.2.9+git20141017-1 | amd64, arm64, armel, armhf, i386, mips, mipsel, powerpc, ppc64el, s390x
     sogo-openchange | 2.2.9+git20141017-1 | amd64, arm64, armel, armhf, i386, mips, mipsel, powerpc, ppc64el, s390x
Closed bugs: 850105

------------------- Reason -------------------
RoST; multiple security issues
----------------------------------------------
=========================================================================

akonadi (1.13.0-2+deb8u2) jessie-security; urgency=medium
  .
  * Add patch from kubuntu: kubuntu_disable_secure_file_priv_check.diff - fix compatibility with stricter defaults in mysql security update. (Closes: 843534) Thanks to fld for the report and Marc Deslauriers for the patch.

apt (1.0.9.8.4) jessie-security; urgency=high
  .
  * SECURITY UPDATE: gpgv: Check for errors when splitting files (CVE-2016-1252) Thanks to Jann Horn, Google Project Zero for reporting the issue (LP: #1647467)

ark (4:4.14.2-2+deb8u1) jessie; urgency=medium
  .
  * Add new upstream patch: Stop-crashing-on-exit-when-being-used-solely-as-a-KPart.patch. Thanks to Nick Leverton for reporting (Closes: 800021, 770840)

asterisk (1:11.13.1~dfsg-2+deb8u2) jessie; urgency=medium
  .
  * AST-2016-009: non-printable ASCII chars treated as whitespace (CVE-2016-9938) (Closes: #847668)

asterisk (1:11.13.1~dfsg-2+deb8u1) jessie-security; urgency=high
  .
  [ Tzafrir Cohen ]
  * Add a placeholder conf in manager.c (Closes: #776080)
  .
  [ Bernhard Schmidt ]
  * AST-2016-007: Fix RTP Resource Exhaustion (CVE-2016-7551) (Closes: #838832)
  * AST-2015-003: Fix TLS Certificate Common name NULL byte exploit (CVE-2015-3008) (Closes: #782411)
  * AST-2016-003: Fix crash in UDPTL (CVE-2016-2232)
  * AST-2016-002: File descriptor exhaustion in chan_sip (CVE-2016-2316)
  * AST-2016-001: BEAST vulnerability in HTTP server (CVE-2011-3389)

asused (3.72-11+deb8u1) stable-proposed-updates; urgency=medium
  .
  * Use created fields instead of changed (Closes: #799919) Thanks Matthias!

base-files (8+deb8u7) stable; urgency=low
  .
  * Changed /etc/debian_version to 8.7, for Debian 8.7 point release.

bash (4.3-11+deb8u1) jessie; urgency=medium
  .
  * Non-maintainer upload.
  * CVE-2016-0634: Arbitrary code execution via malicious hostname
  * CVE-2016-7543: Specially crafted SHELLOPTS+PS4 variables allow command substitution

bind9 (1:9.9.5.dfsg-9+deb8u8) jessie-kfreebsd; urgency=medium
  .
  * Upload to jessie-kfreebsd

bind9 (1:9.9.5.dfsg-9+deb8u8) jessie-security; urgency=medium
  .
  * CVE-2016-8864: Fix assertion failure in DNAME processing with patch provided by ISC.

bind9 (1:9.9.5.dfsg-9+deb8u7) jessie-security; urgency=high
  .
  * CVE-2016-2775: lwresd crash with long query name. Backport of upstream commit 38cc2d14e218e536e0102fa70deef99461354232. Closes: #831796.
  * CVE-2016-2776: assertion failure due to unspecified crafted query. Fix based on 43139-9-9.patch from ISC. Closes: #839010.

c-ares (1.10.0-2+deb8u1) jessie-security; urgency=high
  .
  * Apply patch for CVE-2016-5180 (Closes: #839151)

ca-certificates (20141019+deb8u2) stable; urgency=medium
  .
  [ Michael Shuler ]
  * mozilla/{certdata.txt,nssckbi.h}: Update Mozilla certificate authority bundle to version 2.9. Thanks for the initial 2.7 patch, Jonathan Wiltshire. Closes: #828845
    The following certificate authorities were added (+):
    + "Certplus Root CA G1"
    + "Certplus Root CA G2"
    + "Certum Trusted Network CA 2"
    + "Hellenic Academic and Research Institutions ECC RootCA 2015"
    + "Hellenic Academic and Research Institutions RootCA 2015"
    + "ISRG Root X1"
    + "OpenTrust Root CA G1"
    + "OpenTrust Root CA G2"
    + "OpenTrust Root CA G3"
    + "SZAFIR ROOT CA2"
    The following certificate authorities were removed (-):
    - "CA Disig"
    - "NetLock Business (Class B) Root"
    - "NetLock Express (Class C) Root"
    - "NetLock Notary (Class A) Root"
    - "NetLock Qualified (Class QA) Root"
    - "Sonera Class 1 Root CA"
    - "Staat der Nederlanden Root CA"
    - "Verisign Class 1 Public Primary Certification Authority - G2"
    - "Verisign Class 3 Public Primary Certification Authority"
    - "Verisign Class 3 Public Primary Certification Authority - G2"
  .
  [ Andreas Beckmann ]
  * debian/postinst: Run update-certificates without hooks to initially populate /etc/ssl/certs. (The hooks are deferred to the noawait trigger.) Closes: #825730

cairo (1.14.0-2.1+deb8u2) jessie; urgency=medium
  .
  * Non-maintainer upload.
  * CVE-2016-9082: DoS attack based on using SVG to generate invalid pointers from a _cairo_image_surface in write_png. (Closes: #842289)

ceph (0.80.7-2+deb8u2) jessie; urgency=medium
  .
  * [78329e] Upstream fix for CVE-2016-9579 (short CORS request) (Closes: #849048)
  * [514d48] Upstream fix for CVE-2016-5009 (mon DoS) (Closes: #829661)
  * [7ae81b] Upstream fix for CVE-2016-7031 (anonymous read on ACL) (Closes: #838026)
  * [86ac46] Upstream fix for CVE-2016-8626 (RGW DoS) (Closes: #844200)

chirp (0.4.0-1+deb8u1) jessie; urgency=medium
  .
  * Disables reporting of telemetry without informed consent (Closes: #829494)

chromium-browser (55.0.2883.75-1~deb8u1) jessie-security; urgency=medium
  .
  * New upstream stable release:
    - CVE-2016-5181: Universal XSS in Blink. Credit to Anonymous
    - CVE-2016-5182: Heap overflow in Blink. Credit to Giwan Go
    - CVE-2016-5183: Use after free in PDFium. Credit to Anonymous
    - CVE-2016-5184: Use after free in PDFium. Credit to Anonymous
    - CVE-2016-5185: Use after free in Blink. Credit to cloudfuzzer
    - CVE-2016-5186: Out of bounds read in DevTools. Credit to Abdulrahman Alqabandi
    - CVE-2016-5187: URL spoofing. Credit to Luan Herrera
    - CVE-2016-5188: UI spoofing. Credit to Luan Herrera
    - CVE-2016-5189: URL spoofing. Credit to xisigr
    - CVE-2016-5190: Use after free in Internals. Credit to Atte Kettunen
    - CVE-2016-5191: Universal XSS in Bookmarks. Credit to Gareth Hughes
    - CVE-2016-5192: Cross-origin bypass in Blink. Credit to haojunhou@gmail.com
    - CVE-2016-5193: Scheme bypass. Credit to Yuyang ZHOU
    - CVE-2016-5194: Various fixes from internal audits, fuzzing and other initiatives
    - CVE-2016-5198: Out of bounds memory access in V8. Credit to Tencent Keen Security Lab
    - CVE-2016-5200: Out of bounds memory access in V8. Credit to Choongwoo Han
    - CVE-2016-5201: Info leak in extensions. Credit to Rob Wu
    - CVE-2016-5202: Various fixes from internal audits, fuzzing and other initiatives
    - CVE-2016-5203: Use after free in PDFium. Credit to Anonymous
    - CVE-2016-5204: Universal XSS in Blink. Credit to Mariusz Mlynski
    - CVE-2016-5205: Universal XSS in Blink. Credit to Anonymous
    - CVE-2016-5206: Same-origin bypass in PDFium. Credit to Rob Wu
    - CVE-2016-5207: Universal XSS in Blink. Credit to Mariusz Mlynski
    - CVE-2016-5208: Universal XSS in Blink. Credit to Mariusz Mlynski
    - CVE-2016-5209: Out of bounds write in Blink. Credit to Giwan Go
    - CVE-2016-5210: Out of bounds write in PDFium. Credit to Ke Liu
    - CVE-2016-5211: Use after free in PDFium. Credit to Anonymous
    - CVE-2016-5212: Local file disclosure in DevTools. Credit to Khalil Zhani
    - CVE-2016-5213: Use after free in V8. Credit to Khalil Zhani
    - CVE-2016-5214: File download protection bypass. Credit to Jonathan Birch and MSVR
    - CVE-2016-5215: Use after free in Webaudio. Credit to Looben Yang
    - CVE-2016-5216: Use after free in PDFium. Credit to Anonymous
    - CVE-2016-5217: Use of unvalidated data in PDFium. Credit to Rob Wu
    - CVE-2016-5218: Address spoofing in Omnibox. Credit to Abdulrahman Alqabandi
    - CVE-2016-5219: Use after free in V8. Credit to Rob Wu
    - CVE-2016-5220: Local file access in PDFium. Credit to Rob Wu
    - CVE-2016-5221: Integer overflow in ANGLE. Credit to Tim Becker
    - CVE-2016-5222: Address spoofing in Omnibox. Credit to xisigr
    - CVE-2016-5223: Integer overflow in PDFium. Credit to Hwiwon Lee
    - CVE-2016-5224: Same-origin bypass in SVG. Credit to Roeland Krak
    - CVE-2016-5225: CSP bypass in Blink. Credit to Scott Helme
    - CVE-2016-5226: Limited XSS in Blink. Credit to Jun Kokatsu
    - CVE-2016-9650: CSP Referrer disclosure. Credit to Jakub Żoczek
    - CVE-2016-9651: Private property access in V8. Credit to Guang Gong
    - CVE-2016-9652: Various fixes from internal audits, fuzzing and other initiatives
    - Certificate validity is now independent of the browser build date (closes: #844631).
    - No longer supports gyp build system, so update to use gn instead.

chromium-browser (54.0.2840.101-1) unstable; urgency=medium
  .
  * New upstream stable release:
    - CVE-2016-5181: Universal XSS in Blink. Credit to Anonymous
    - CVE-2016-5182: Heap overflow in Blink. Credit to Giwan Go
    - CVE-2016-5183: Use after free in PDFium. Credit to Anonymous
    - CVE-2016-5184: Use after free in PDFium. Credit to Anonymous
    - CVE-2016-5185: Use after free in Blink. Credit to cloudfuzzer
    - CVE-2016-5187: URL spoofing. Credit to Luan Herrera
    - CVE-2016-5188: UI spoofing. Credit to Luan Herrera
    - CVE-2016-5192: Cross-origin bypass in Blink. Credit to haojunhou@gmail.com
    - CVE-2016-5189: URL spoofing. Credit to xisigr
    - CVE-2016-5186: Out of bounds read in DevTools. Credit to Abdulrahman Alqabandi
    - CVE-2016-5191: Universal XSS in Bookmarks. Credit to Gareth Hughes
    - CVE-2016-5190: Use after free in Internals. Credit to Atte Kettunen
    - CVE-2016-5193: Scheme bypass. Credit to Yuyang ZHOU
    - CVE-2016-5194: Various fixes from internal audits, fuzzing and other initiatives
    - CVE-2016-5198: Out of bounds memory access in V8. Credit to Tencent Keen Security Lab
    - CVE-2016-5200: Out of bounds memory access in V8. Credit to Choongwoo Han
    - CVE-2016-5201: Info leak in extensions. Credit to Rob Wu
    - CVE-2016-5202: Various fixes from internal audits, fuzzing and other initiatives
  * Remove libxslt symlinks from the upstream tarball.
  * Drop cups patch that's been applied upstream.
  * Build using gn and drop gyp dependency.
  * Update debian/copyright.

chromium-browser (53.0.2785.143-1+exp1) experimental; urgency=medium
  .
  * armhf and arm64 build added, (closes: #799939)
  * debian/scripts/chromium: Do the sse2 check only on X86 archs

chromium-browser (53.0.2785.143-1) unstable; urgency=medium
  .
* New upstream security release: - CVE-2016-5177: Use after free in V8. Credit to Anonymous - CVE-2016-5178: Various fixes from internal audits, fuzzing and other initiatives. * Change StartupWMClass in the desktop file to chromium (closes: #813079). * Support building with cups 2.2 (closes: #839377). * Update debian/copyright. chromium-browser (53.0.2785.143-1~deb8u1) jessie-security; urgency=medium . * New upstream security release: - CVE-2016-5177: Use after free in V8. Credit to Anonymous - CVE-2016-5178: Various fixes from internal audits, fuzzing and other initiatives. chromium-browser (53.0.2785.113-1) unstable; urgency=medium . * New upstream security release: - CVE-2016-5170: Use after free in Blink. Credit to Anonymous - CVE-2016-5171: Use after free in Blink. Credit to Anonymous - CVE-2016-5172: Arbitrary Memory Read in v8. Credit to Choongwoo Han - CVE-2016-5173: Extension resource access. Credit to Anonymous - CVE-2016-5174: Popup not correctly suppressed. Credit to Andrey Kovalev - CVE-2016-5175: Various fixes from internal audits, fuzzing and other initiatives. chromium-browser (53.0.2785.113-1~deb8u1) jessie-security; urgency=medium . * New upstream security release: - CVE-2016-5170: Use after free in Blink. Credit to Anonymous - CVE-2016-5171: Use after free in Blink. Credit to Anonymous - CVE-2016-5172: Arbitrary Memory Read in v8. Credit to Choongwoo Han - CVE-2016-5173: Extension resource access. Credit to Anonymous - CVE-2016-5174: Popup not correctly suppressed. Credit to Andrey Kovalev - CVE-2016-5175: Various fixes from internal audits, fuzzing and other initiatives. chromium-browser (53.0.2785.92-3) unstable; urgency=medium . * Add -fno-delete-null-pointer checks to the build flags (closes: #833501). chromium-browser (53.0.2785.92-2) unstable; urgency=medium . * Build with gcc 6 (closes: #835943). * Add versioned harfbuzz dependency (closes: #833953). chromium-browser (53.0.2785.92-1) unstable; urgency=medium . 
* New upstream stable release. * Support building with glibc 2.24 (closes: #836611). chromium-browser (53.0.2785.89-1) unstable; urgency=medium . * New upstream stable release: - CVE-2016-5147: Universal XSS in Blink. Credit to anonymous - CVE-2016-5148: Universal XSS in Blink. Credit to anonymous - CVE-2016-5149: Script injection in extensions. Credit to Max Justicz - CVE-2016-5150: Use after free in Blink. Credit to anonymous - CVE-2016-5151: Use after free in PDFium. Credit to anonymous - CVE-2016-5152: Heap overflow in PDFium. Credit to GiWan Go of Stealien - CVE-2016-5153: Use after destruction in Blink. Credit to Atte Kettunen - CVE-2016-5154: Heap overflow in PDFium. Credit to anonymous - CVE-2016-5155: Address bar spoofing. Credit to anonymous - CVE-2016-5156: Use after free in event bindings. Credit to jinmo123 - CVE-2016-5157: Heap overflow in PDFium. Credit to anonymous - CVE-2016-5158: Heap overflow in PDFium. Credit to GiWan Go - CVE-2016-5159: Heap overflow in PDFium. Credit to GiWan Go - CVE-2016-5160: Extensions web accessible resources bypass. Credit to @l33terally - CVE-2016-5161: Type confusion in Blink. - CVE-2016-5162: Extensions web accessible resources bypass. Credit to Nicolas Golubovic - CVE-2016-5163: Address bar spoofing. Credit to Rafay Baloch - CVE-2016-5164: Universal XSS using DevTools. Credit to anonymous - CVE-2016-5165: Script injection in DevTools. Credit to Gregory Panakkal - CVE-2016-5166: SMB Relay Attack via Save Page As. Credit to Gregory Panakkal - CVE-2016-5167: Various fixes from internal audits, fuzzing and other initiatives. collectd (5.4.1-6+deb8u1) jessie-security; urgency=high . * debian/patches/CVE-2016-6254.dpatch: Fix heap overflow in the network plugin. Emilien Gaspar has identified a heap overflow in parse_packet(), the function used by the network plugin to parse incoming network packets. Thanks to Florian Forster for reporting the bug in Debian. 
(Closes: #832507, CVE-2016-6254) * debian/patches/bts832577-gcry-control.dpatch: Fix improper usage of gcry_control. A team of security researchers at Columbia University and the University of Virginia discovered that GCrypt's gcry_control is sometimes called without checking its return value for an error. This may cause the program to be initialized without the desired, secure settings. (Closes: #832577) curl (7.38.0-4+deb8u5) jessie-security; urgency=high . * Fix cookie injection for other servers as per CVE-2016-8615 https://curl.haxx.se/docs/adv_20161102A.html * Fix case insensitive password comparison as per CVE-2016-8616 https://curl.haxx.se/docs/adv_20161102B.html * Fix OOB write via unchecked multiplication as per CVE-2016-8617 https://curl.haxx.se/docs/adv_20161102C.html * Fix double-free in curl_maprintf as per CVE-2016-8618 https://curl.haxx.se/docs/adv_20161102D.html * Fix double-free in krb5 code as per CVE-2016-8619 https://curl.haxx.se/docs/adv_20161102E.html * Fix glob parser write/read out of bounds as per CVE-2016-8620 https://curl.haxx.se/docs/adv_20161102F.html * Fix curl_getdate read out of bounds as per CVE-2016-8621 https://curl.haxx.se/docs/adv_20161102G.html * Fix URL unescape heap overflow via integer truncation as per CVE-2016-8622 https://curl.haxx.se/docs/adv_20161102H.html * Fix use-after-free via shared cookies as per CVE-2016-8623 https://curl.haxx.se/docs/adv_20161102I.html * Fix invalid URL parsing with '#' as per CVE-2016-8624 https://curl.haxx.se/docs/adv_20161102J.html cyrus-imapd-2.4 (2.4.17+nocaldav-0+deb8u2) jessie; urgency=medium . * Proper fix for LIST GROUP broken (Closes: #831554) darktable (1.4.2-1+deb8u1) stable; urgency=medium . * Cherry pick upstream commit 0f809ca5048. Fix for CVE-2015-3885 (Closes: #786792) dbus (1.8.22-0+deb8u1) jessie; urgency=medium . 
* New upstream bugfix release - fix a potential format string vulnerability, which is not believed to be exploitable in practice * dbus.prerm: ensure that dbus.socket is stopped before removal, so that a new connection to the bus won't cause dbus.service to be restarted (Closes: #813970) dbus (1.8.20-1) unstable; urgency=medium . * New upstream bugfix release - fix a memory leak when GetConnectionCredentials is called - stop dbus-monitor replying to org.freedesktop.DBus.Peer messages, including those that another process should have replied to dcmtk (3.6.0-15+deb8u1) jessie-security; urgency=medium . * Team upload * d/p/0001: Add patch to fix CVE-2015-8979, Closes: #848830 The patch was taken from v 3.6.0-6+deb7u1 where the same security vunerability was fixed by the wheezy LST team. debian-edu-doc (1.6~20161129+deb8u3) jessie; urgency=medium . * Update Debian Edu Jessie manual from the wiki. . [ Wolfgang Schweer ] * Fix (da|nl) Jessie manual PO files to get the PDF manuals built. . [ Jessie Manual translation updates ] * German: Wolfgang Schweer. * Norwegian Bokmål: Ingrid Yrvin, Ole-Erik Yrvin and Petter Reinholdtsen. * Dutch: Frans Spiesschaert. * Italian: Claudio Carboncini. . [ Wheezy Manual translation updates ] * Norwegian Bokmål: Petter Reinholdtsen, Ingrid Yrvin. debian-edu-install (1.821+deb8u2) jessie; urgency=medium . * Update version number to 8+edu1 in preparation of our second Debian Edu release based on Debian Jessie. debian-installer-netboot-images (20150422+deb8u4.b2) jessie; urgency=medium . * Update to 20150422+deb8u4+b2 images, from jessie-proposed-updates drupal7 (7.32-1+deb8u8) jessie-security; urgency=high . * Backported from 7.52: SA-CORE-2016-005: Multiple security vulnerabilities (CVEs not yet issued): - Inconsistent name for term access query can lead to information disclosure - Confirmation form allows external URL injection duck (0.7+deb8u1) jessie; urgency=high . * Fix CVE-2016-1239: Load code from untrusted local dir . 
* Update Maintainer email to my Debian email address. ebook-speaker (2.8.1-1+deb8u1) jessie; urgency=medium . * Team upload. * Fix hint about installing html2text to read html files (Closes: #841714). elog (2.9.2+2014.05.11git44800a7-2+deb8u1) jessie; urgency=medium . * Added patch 0005_elogd_CVE-2016-6342_fix to fix posting entry as arbitrary username (Closes: #836505, CVE-2016-6342) evolution-data-server (3.12.9~git20141128.5242b0-2+deb8u3) jessie; urgency=medium . * Non-maintainer upload. * d/p/06_787398_bae0c64_fix_connection_drop.patch: cherry-pick commit bae0c64 from upstream git to fix premature drop of connection with reduced TCP window sizes and resulting loss of data. Closes: #787398. exim4 (4.84.2-2+deb8u3) jessie; urgency=medium . * 94_Fix-memory-leak-on-Gnu-TLS-close.patch from upstream exim-4_84_2+fixes branch: Fix GnuTLS memory leak. (Thanks, Heiko Schlittermann!) Closes: #845569 exim4 (4.84.2-2+deb8u2) jessie-security; urgency=high . * Non-maintainer upload by the Security Team. * CVE-2016-9963: DKIM information leakage file (1:5.22+15-2+deb8u3) stable; urgency=medium . * Fix memory leak in magic loader. Closes: #840754 firefox-esr (45.6.0esr-1~deb8u1) stable-security; urgency=medium . * New upstream release. * Fixes for mfsa2016-95, also known as: CVE-2016-9899, CVE-2016-9895, CVE-2016-9897, CVE-2016-9898, CVE-2016-9900, CVE-2016-9904, CVE-2016-9905, CVE-2016-9901, CVE-2016-9902, CVE-2016-9893. . * debian/browser.install.in, browser.mozconfig.in, debian/rules: Don't disable the crash reporter. firefox-esr (45.5.1esr-1) unstable; urgency=medium . * New upstream release. * Fixes for mfsa2016-92, also known as CVE-2016-9079. firefox-esr (45.5.1esr-1~deb8u1) stable-security; urgency=medium . * New upstream release. * Fixes for mfsa2016-92, also known as CVE-2016-9079. firefox-esr (45.5.0esr-1) unstable; urgency=medium . * New upstream release. 
* Fixes for mfsa2016-90, also known as: CVE-2016-5296, CVE-2016-5297, CVE-2016-9064, CVE-2016-9066, CVE-2016-5291, CVE-2016-5290. firefox-esr (45.5.0esr-1~deb8u1) stable-security; urgency=medium . * New upstream release. * Fixes for mfsa2016-90, also known as: CVE-2016-5296, CVE-2016-5297, CVE-2016-9064, CVE-2016-9066, CVE-2016-5291, CVE-2016-5290. firefox-esr (45.4.0esr-2) unstable; urgency=medium . * debian/control*: Force build against libnss3-dev >= 2:3.26-2~, which fixed its symbols file. Closes: #833719. firefox-esr (45.4.0esr-1) unstable; urgency=medium . * New upstream release. * Fixes for mfsa2016-86, also known as: CVE-2016-5270, CVE-2016-5272, CVE-2016-5276, CVE-2016-5274, CVE-2016-5277, CVE-2016-5278, CVE-2016-5280, CVE-2016-5281, CVE-2016-5284, CVE-2016-5250, CVE-2016-5261, CVE-2016-5257. . * debian/control*, debian/rules: Compile with GCC 5 on testing/unstable on arm* because of crashes when building with GCC 6. (FTBFS) . * build/gyp.mozbuild: Disable libyuv assembly on mips64. (FTBFS) firefox-esr (45.4.0esr-1~deb8u1) stable-security; urgency=medium . * New upstream release. * Fixes for mfsa2016-86, also known as: CVE-2016-5270, CVE-2016-5272, CVE-2016-5276, CVE-2016-5274, CVE-2016-5277, CVE-2016-5278, CVE-2016-5280, CVE-2016-5281, CVE-2016-5284, CVE-2016-5250, CVE-2016-5261, CVE-2016-5257. . * debian/control*, debian/rules: Compile with GCC 5 on testing/unstable on arm* because of crashes when building with GCC 6. (FTBFS) * debia