Category Archives: Debian
Debian Security Advisories
DSA-3247 ruby2.1 – security update
It was discovered that the Ruby OpenSSL extension, part of the interpreter
for the Ruby language, did not properly implement hostname matching, in
violation of RFC 6125. This could allow remote attackers to perform a
man-in-the-middle attack via crafted SSL certificates.
DSA-3244 owncloud – security update
Multiple vulnerabilities were discovered in ownCloud, a cloud storage
web service for files, music, contacts, calendars and many more.
DSA-3243 libxml-libxml-perl – security update
Tilmann Haak from xing.com discovered that XML::LibXML, a Perl interface
to the libxml2 library, did not respect the expand_entities parameter to
disable processing of external entities in some circumstances. This may
allow attackers to gain read access to otherwise protected resources,
depending on how the library is used.
DSA-3242 chromium-browser – security update
Several vulnerabilities were discovered in the chromium web browser:
DSA-3240 curl – security update
It was discovered that cURL, a URL transfer library, if configured to
use a proxy server with the HTTPS protocol, by default could send to the
proxy the same HTTP headers it sends to the destination server, possibly
leaking sensitive information.
DSA-3239 icecast2 – security update
Juliane Holzt discovered that Icecast2, a streaming media server, could
dereference a NULL pointer when URL authentication is configured and the
stream_auth URL is triggered by a client without setting any credentials.
This could allow remote attackers to cause a denial of service (crash).
DSA-3241 elasticsearch – security update
John Heasman discovered that the site plugin handling of the
Elasticsearch search engine was susceptible to directory traversal.
[BSA-104] Security update for libreoffice
Rene Engelhard uploaded new packages for libreoffice which fixed the following security problem:

CVE-2015-1774: It was discovered that missing input sanitising in Libreoffice's filter for HWP documents may result in the execution of arbitrary code if a malformed document is opened.

For the squeeze-backports distribution the problem has been fixed in version 1:3.5.4+dfsg2-0deb7u4~bpo60+1.

For the wheezy-backports distribution the problem has been fixed in version 1:4.3.3-2+deb8u1~bpo70+1.
jessie released – backports related changes
Dear users of the backports service!

With the release of Jessie (coming up) we are pleased to open the doors for jessie-backports and wheezy-backports-sloppy (mostly all architectures are already buildable there, too). Whee!

But, PLEASE DO READ ON, there are some changes in the process that we would like to do for the new upload pockets.

== What to upload where ==

As a reminder, uploads to a release-backports pocket are to be taken from release + 1, uploads to a release-backports-sloppy pocket are to be taken from release + 2. Which means:

Source Distribution | Backports Distribution | Sloppy Distribution
---------------------|------------------------|--------------------------
stretch              | jessie-backports       | wheezy-backports-sloppy
jessie               | wheezy-backports       | squeeze-backports-sloppy

== We drop -v switch hard requirement ==

We required uploads to contain the changelog entries since the former version in stable in the changes file. This was quite con