Andreas Metzler uploaded new packages for gnutls28 which fixed the following security problems:

CVE-2014-1959 / DSA 2866-1 / GNUTLS-SA-2014-1

Suman Jana reported that GnuTLS, deviating from the documented behavior, considers a version 1 intermediate certificate as a CA certificate by default.

For the testing distribution (jessie) and the unstable distribution (sid), this problem has been fixed in gnutls26/2.12.23-12 and gnutls28/3.2.11-1.

For the stable distribution this problem has been fixed in gnutls26/2.12.20-8.
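The rule the advisory says GnuTLS is documented to follow, as an added example (this is not GnuTLS code): a minimal DER walker that reads an X.509 certificate's version and its basicConstraints extension, and lets a certificate act as an issuer only when it is an explicitly trusted anchor or a v3 certificate with cA=TRUE. A v1 certificate has no extensions field at all, so it can never carry basicConstraints; accepting one as an intermediate CA means any v1 end-entity certificate could issue certificates. The sample certificates are constructed inside the block (structurally valid DER with placeholder keys and signatures, not real certificates), and the function names `cert_version`, `basic_constraints_ca`, `may_sign_certificates` and `make_cert` are this example's own.

```python
"""Decide whether a DER X.509 certificate may act as a CA (added example, not GnuTLS code).

An X.509 v1 certificate has no extensions field, so it cannot carry basicConstraints
and cannot assert cA=TRUE. A verifier must therefore never let an *untrusted* v1
certificate issue other certificates; only an explicitly trusted anchor gets a pass.
Only single-byte ASN.1 tags are handled, which is all X.509 uses.
"""

BASIC_CONSTRAINTS_OID = bytes([0x55, 0x1D, 0x13])  # id-ce-basicConstraints (2.5.29.19)
RSA_ENCRYPTION_OID = bytes([0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x01, 0x01])


def _read_tlv(buf, pos):
    """Decode one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def _children(content):
    """Decode every sibling TLV inside a constructed value as (tag, value)."""
    out, pos = [], 0
    while pos < len(content):
        tag, value, pos = _read_tlv(content, pos)
        out.append((tag, value))
    return out


def _tbs_fields(der):
    """Fields of TBSCertificate, in order (Certificate -> TBSCertificate -> children)."""
    return _children(_read_tlv(_read_tlv(der, 0)[1], 0)[1])


def cert_version(der):
    """Return 1, 2 or 3. The [0] EXPLICIT version field is simply absent in v1."""
    fields = _tbs_fields(der)
    if fields and fields[0][0] == 0xA0:
        return int.from_bytes(_children(fields[0][1])[0][1], "big") + 1
    return 1


def basic_constraints_ca(der):
    """cA flag of basicConstraints: True/False, or None when the extension is absent."""
    for tag, value in _tbs_fields(der):
        if tag != 0xA3:  # extensions live in the [3] EXPLICIT field
            continue
        for _, ext in _children(_children(value)[0][1]):  # SEQUENCE OF Extension
            parts = _children(ext)  # extnID, optional critical, extnValue
            if parts[0][1] != BASIC_CONSTRAINTS_OID:
                continue
            inner = _children(_read_tlv(parts[-1][1], 0)[1])  # BasicConstraints SEQUENCE
            return bool(inner) and inner[0][0] == 0x01 and inner[0][1] != b"\x00"
    return None


def may_sign_certificates(der, trusted_anchor=False):
    """Issuer rule: a trusted anchor may sign; otherwise only v3 with cA=TRUE may."""
    if trusted_anchor:
        return True
    return cert_version(der) >= 3 and basic_constraints_ca(der) is True


# --- constructed sample certificates: valid DER structure, placeholder key/signature ---
def _tlv(tag, content):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    nbytes = (n.bit_length() + 7) // 8
    return bytes([tag, 0x80 | nbytes]) + n.to_bytes(nbytes, "big") + content


def _seq(*items):
    return _tlv(0x30, b"".join(items))


def _basic_constraints(ca):
    flag = _tlv(0x01, b"\xFF") if ca else b""  # DER omits a DEFAULT FALSE value
    return _seq(_tlv(0x06, BASIC_CONSTRAINTS_OID), _tlv(0x01, b"\xFF"), _tlv(0x04, _seq(flag)))


def make_cert(version, extensions):
    """version None -> v1 (field omitted), 2 -> v3; extensions None -> no [3] field."""
    alg = _seq(_tlv(0x06, RSA_ENCRYPTION_OID))
    fields = [] if version is None else [_tlv(0xA0, _tlv(0x02, bytes([version])))]
    fields += [_tlv(0x02, b"\x01"), alg, _seq(),  # serialNumber, signature, issuer (empty Name)
               _seq(_tlv(0x17, b"140101000000Z"), _tlv(0x17, b"150101000000Z")),  # validity
               _seq(), _seq(alg, _tlv(0x03, b"\x00"))]  # subject, subjectPublicKeyInfo
    if extensions is not None:
        fields.append(_tlv(0xA3, _seq(*extensions)))
    return _seq(_seq(*fields), alg, _tlv(0x03, b"\x00"))  # tbsCertificate, sigAlg, signature


V1_INTERMEDIATE = make_cert(None, None)  # the shape CVE-2014-1959 wrongly accepted as a CA
V3_CA = make_cert(2, [_basic_constraints(True)])
V3_LEAF = make_cert(2, [_basic_constraints(False)])

if __name__ == "__main__":
    for name, der in [("v1 intermediate", V1_INTERMEDIATE), ("v3 CA", V3_CA), ("v3 leaf", V3_LEAF)]:
        print(f"{name:16} version={cert_version(der)} cA={basic_constraints_ca(der)} "
              f"may_sign={may_sign_certificates(der)}")
```

The same functions work on real DER certificates (`open("cert.der", "rb").read()`), since TBSCertificate fields are positional and the `[0]` version and `[3]` extensions tags are unique. The check above mirrors the fixed behaviour; a library that returned True for the v1 sample without `trusted_anchor` would have the defect described in the advisory.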
Category Archives: Debian
Debian Security Advisories
[BSA-092] Security Update for pidgin
intrigeri uploaded new packages for pidgin which fixed the following security problems:

CVE-2013-6477
Jaime Breva Ribes discovered that a remote XMPP user can trigger a crash by sending a message with a timestamp in the distant future.

CVE-2013-6478
Pidgin could be crashed through overly wide tooltip windows.

CVE-2013-6479
Jacob Appelbaum discovered that a malicious server or a "man in the middle" could send a malformed HTTP header resulting in denial of service.

CVE-2013-6481
Daniel Atallah discovered that Pidgin could be crashed through malformed Yahoo! P2P messages.

CVE-2013-6482
Fabian Yamaguchi and Christian Wressnegger discovered that Pidgin could be crashed through malformed MSN messages.

CVE-2013-6483
Fabian Yamaguchi and Christian Wressnegger discovered that Pidgin could be crashed through malformed XMPP messages.

CVE-2013-6484
It was discovered that incorrect error handling when reading the response from a STUN server
[BSA-091] Security Update for nss
intrigeri uploaded new packages for nss which fixed the following security problems:

CVE-2013-1739 (DSA-2790-1)
A flaw was found in the way the Mozilla Network Security Service library (nss) read uninitialized data when there was a decryption failure. A remote attacker could use this flaw to cause a denial of service (application crash) for applications linked with the nss library.

CVE-2013-5605 (DSA-2800-1)
Andrew Tinits reported a potentially exploitable buffer overflow in the Mozilla Network Security Service library (nss). With a specially crafted request a remote attacker could cause a denial of service or possibly execute arbitrary code.

For the squeeze-backports distribution the problems have been fixed in version 2:3.14.5-1~bpo60+1.

For the oldstable distribution (squeeze), the problems have been fixed in version 3.12.8-1+squeeze7.

For the stable distribution (wheezy), the problems have been fixed in version 2:3.14.5-1.

For the tes
[BSA-089] Security update for nbd
Wouter Verhelst uploaded new packages for nbd which fixed the following security problems:

CVE-2013-6410
Incorrect parsing of the access control lists

For the squeeze-backports distribution the problem has been fixed in version 1:3.2-4~deb7u4~bpo60+1

nbd is not present in any other backports repository.

--
This end should point toward the ground if you want to go to space. If it starts pointing toward space you are having a bad problem and you will not go to space today.
  -- http://xkcd.com/1133/
[BSA-086] Security update for strongswan
Updated strongswan packages for squeeze-backports and wheezy-backports fix the following vulnerabilities:

- CVE-2013-2944: When using the openssl plugin for ECDSA based authentication, an empty, zeroed or otherwise invalid signature is handled as a legitimate one.
- CVE-2013-6075: DoS vulnerability and potential authorization bypass triggered by a crafted ID_DER_ASN1_DN ID payload.
- CVE-2013-6076: DoS vulnerability triggered by crafted IKEv1 fragmentation payloads.

The squeeze-backports distribution was affected by CVE-2013-2944 and CVE-2013-6075. These problems have been fixed in version 4.5.2-1.5+deb7u2~bpo60+1.

The wheezy-backports distribution was affected by CVE-2013-6075 and CVE-2013-6076. These problems have been fixed in version 5.1.0-3~bpo70+1.
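Every advisory on this page names a fixed version, and deciding whether an installed package is at or above it means comparing strings such as `2:3.14.5-1~bpo60+1`, `3.12.8-1+squeeze7` or `1:6.4p1-1` under dpkg's ordering: the epoch before the colon wins first, `~` sorts before everything including the end of the string (so a `~bpo60+1` backport sorts below the version in testing it was built from), letters sort before other symbols, and digit runs compare numerically. As an added example that is not dpkg's code, the block below is a Python port of the algorithm `dpkg --compare-versions` implements (Debian Policy 5.6.12); the function names `parse_version`, `compare_versions` and `is_fixed` are this example's own, and the versions in the demo are the ones quoted in the advisories here.

```python
"""Compare Debian package versions the way dpkg does (Debian Policy 5.6.12).

Added example, not dpkg's own code: a Python port of the ordering behind
`dpkg --compare-versions`, so an installed version can be checked against
the fixed version an advisory quotes without shelling out.
Version format: [epoch:]upstream_version[-debian_revision]
"""
import string


def _order(c):
    """Sort weight of one character: digits 0, letters by code point,
    '~' before everything (even end of string, weight 0), other symbols after letters."""
    if c in string.digits:
        return 0
    if c in string.ascii_letters:
        return ord(c)
    if c == "~":
        return -1
    return ord(c) + 256


def _verrevcmp(a, b):
    """Port of dpkg's verrevcmp(): alternately compare a non-digit run by the
    character weights above and a digit run by numeric value. Returns <0, 0 or >0."""
    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        while (i < len(a) and a[i] not in string.digits) or (j < len(b) and b[j] not in string.digits):
            ac = _order(a[i]) if i < len(a) else 0  # end of string weighs 0
            bc = _order(b[j]) if j < len(b) else 0
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        while i < len(a) and a[i] == "0":  # leading zeros are insignificant
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        while i < len(a) and a[i] in string.digits and j < len(b) and b[j] in string.digits:
            if not first_diff:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if i < len(a) and a[i] in string.digits:  # the longer digit run is the larger number
            return 1
        if j < len(b) and b[j] in string.digits:
            return -1
        if first_diff:
            return first_diff
    return 0


def parse_version(v):
    """Split into (epoch, upstream, revision). A missing epoch is 0; a missing
    revision is '', which compares equal to '0' as Policy requires."""
    epoch = 0
    if ":" in v:
        e, v = v.split(":", 1)
        if not e.isdigit():
            raise ValueError(f"epoch is not a number: {e!r}")
        epoch = int(e)
    upstream, sep, revision = v.rpartition("-")  # only the last hyphen separates the revision
    if not sep:
        upstream, revision = v, ""
    elif revision == "":
        raise ValueError("revision number is empty")
    return epoch, upstream, revision


def compare_versions(a, b):
    """Return -1, 0 or 1, matching dpkg --compare-versions a lt/eq/gt b."""
    ea, ua, ra = parse_version(a)
    eb, ub, rb = parse_version(b)
    if ea != eb:
        return -1 if ea < eb else 1
    r = _verrevcmp(ua, ub) or _verrevcmp(ra, rb)
    return (r > 0) - (r < 0)


def is_fixed(installed, fixed):
    """True when the installed version is at least the advisory's fixed version."""
    return compare_versions(installed, fixed) >= 0


if __name__ == "__main__":
    # Versions quoted in the nss, openssh and strongswan advisories on this page.
    for installed, fixed in [("2:3.14.5-1~bpo60+1", "2:3.14.5-1"),   # backport sorts below its source
                             ("3.12.8-1+squeeze7", "2:3.14.5-1"),     # epoch decides before anything else
                             ("1:6.4p1-1~bpo70+1", "1:6.4p1-1~bpo70+1"),
                             ("5.1.0-3~bpo70+1", "5.1.0-3~bpo70")]:
        print(f"{installed:22} >= {fixed:20}: {is_fixed(installed, fixed)}")
```

Two consequences worth noticing when reading these advisories: a `~bpoNN+1` backport is always lower than the version in testing it was built from, so an upgrade path from backports to the next stable stays monotonic, and a version with an epoch (`2:3.14.5-1`) is higher than any version without one (`3.12.8-1+squeeze7`) regardless of the digits that follow.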
[BSA-085] Security Update for roundcube
Package        : roundcube
Vulnerability  : design error
Problem type   : remote
Debian-specific: no
CVE ID         : CVE-2013-6172
Debian Bug     : 727668

It was discovered that roundcube, a skinnable AJAX based webmail solution for IMAP servers, does not properly sanitize the _session parameter in steps/utils/save_pref.inc during saving preferences. The vulnerability can be exploited to overwrite configuration settings, subsequently allowing random file access, manipulated SQL queries and even code execution.

roundcube in the oldstable distribution (squeeze) is not affected by this problem.

For backports for the oldstable distribution (squeeze-backports-sloppy), this problem has been fixed in 0.9.5-1~bpo60+1.

For the stable distribution (wheezy), this problem has been fixed in version 0.7.2-9+deb7u1.

For backports for the stable distribution (wheezy-backports), this problem has been fixed in 0.9.5-1~bpo70+1.

For the unstable distribution (sid), this
[BSA-087] Security Update for openssh
Colin Watson uploaded new packages for openssh which fixed the following security problems:

CVE-2013-4548
A memory corruption vulnerability exists in the post-authentication sshd process when an AES-GCM cipher (aes128-gcm@openssh.com or aes256-gcm@openssh.com) is selected during kex exchange. If exploited, this vulnerability might permit code execution with the privileges of the authenticated user and may therefore allow bypassing restricted shell/command configurations.
https://security-tracker.debian.org/tracker/CVE-2013-4548

For the wheezy-backports distribution, this problem has been fixed in version 1:6.4p1-1~bpo70+1.

For the testing (jessie) and unstable (sid) distributions, this problem has been fixed in version 1:6.4p1-1.

Other distributions are not vulnerable.
Wheezy is out! Jessie is created and receives updates!
Hi,

this means that we are phasing out the relaxed rules for uploading to squeeze-backports-sloppy (and wheezy-backports) and ask you to only upload packages that are already in jessie to these suites. Please (re)read the rules stated in the contribution document[1] to update your memory. ;)

Alex - on behalf of the backports ftpmasters

[1] http://backports.debian.org/Contribute/
[BSA-080] Security Update for postgresql-9.1
Package        : postgresql-9.1
Vulnerability  : several
Problem type   : remote
Debian-specific: no
CVE ID         : CVE-2013-1899 CVE-2013-1900 CVE-2013-1901
Debian Bug     : 704479

Several vulnerabilities were discovered in the PostgreSQL database server.

CVE-2013-1899
Mitsumasa Kondo and Kyotaro Horiguchi of NTT Open Source Software Center discovered that it was possible for a connection request containing a database name that begins with "-" to be crafted that can damage or destroy files within a server's data directory. Anyone with access to the port the PostgreSQL server listens on can initiate this request.

CVE-2013-1900
Random numbers generated by contrib/pgcrypto functions may be easy for another database user to guess.

CVE-2013-1901
An unprivileged user could run commands that could interfere with in-progress backups.

For backports for the stable distribution (squeeze-backports), these problems have been fixed in version 9.1.9-1~bpo60+1.

For the stable dist
Removal of postgresql-9.0 from backports
The postgresql-9.0 package on backports.debian.org is no longer maintained, and has now been removed from the archive. postgresql-9.0 will not be part of the next Debian release, and hence was removed from Debian/testing and unstable. Backports is now following this move.

There are two options for users of postgresql-9.0:

* Upgrade to postgresql-9.1, which will be shipped with wheezy. This package is part of backports.debian.org.
* Switch to the PostgreSQL APT archive at apt.postgresql.org, as detailed in https://wiki.postgresql.org/wiki/Apt. This archive provides compatible 9.0 packages. (And 9.1 and 9.2.)

postgresql-9.0 is affected by the upcoming security update: http://www.postgresql.org/about/news/1454/

Please move away from the backports.debian.org version of postgresql-9.0 as soon as possible.

Christoph