-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Dear users of the backports service! The Backports Team is pleased to announce the next important step on getting backports more integrated. People who are reading debian-infrastructure-announce will have seen that there was an archive maintenance last weekend: starting with wheezy-backports the packages will be accessible from the regular pool instead of a separate one. == For Users == What exactly does that mean for you? For users of wheezy, the sources.list entry will be different, a simple substitute of squeeze for wheezy won't work. The new format is: deb http://ftp.debian.org/debian/ wheezy-backports main So it is debian instead of debian-backports, and offered through the regular mirror network. Feel invited to check your regular mirror if it carries backports and pull from there. == For Contributers == Please read the mail to debian-devel-announce instead. :) Just one thing mentioned here: technically wheezy-backports a
Category Archives: Debian
Debian Security Advisories
[BSA-079] Security Update for icinga
Jan Wagner uploaded new packages for icinga which fixed the following security problems: CVE-2012-6096 CGI buffer overflows https://security-tracker.debian.org/tracker/CVE-2012-6096 For the squeeze-backports distribution the problems have been fixed in version 1.7.1-5~bpo60+1 of the icinga package. For the testing distribution (wheezy) these problems will be fixed soon. For the unstable distribution (sid), these problems have been fixed in version 1.7.1-5 of the icinga package.
[BSA-078] Security Update for freetype
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 I uploaded new packages for freetype which fixed the following security problems: CVE-2012-5668: NULL Pointer Dereference in bdf_free_font. CVE-2012-5669: Out-of-bounds read in _bdf_parse_glyphs. CVE-2012-5670: Out-of-bounds write in _bdf_parse_glyphs. For the squeeze-backports distribution the problems have been fixed in version 2.4.9-1.1~bpo60+1. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.12 (GNU/Linux) iQIcBAEBCgAGBQJQ7NNzAAoJEDEWul6f+mmjyIYQAKyNZKj2qYFIudH3lAWpOhhb qrY5+oij1HBGmmEeoymgK0waceXF8QfvuqP+3+P+5wsebbpl5Yh4zPFUlK4dvT9u 1/kWJMoqCN3IKh6r6HnsqP7hvLpZ+DpkX+x0t9r82XmIxauwp73mekP/vC2ueSZ/ Jn6jwXet+oy83YJ7fSmmS6uT2DZpeHgdN9S6b6/HyZsAdq3l6RetGbJMikA9P2Mw 3G9dAmsLJ4M060MCe4vJ7MAJHmx8GTbz/1FQn1DBHW/vry47SaiHcHcqHTAGaZFy UQo9Duhe+vGnWrJCHlmtNWeijZDEocNSStiraTP+2JgCq1hCs4KJ/g/WEnT3CKYX n7J1waaL2p8WhgvzXJpbbKQ9hppaM1UZAXHQ3oggx+DsvnLzN17JeKz7m4iT+078 8xwzueiQYCYuO2gtl6pEZ6G55dBuvhVhSfau4vR+cTD3qXguyr4gf/va40AXRvPH xDiP1tkmA5j11+Y1urCpN634fkHruWhipL
[BSA 076] Security update for libreoffice
Rene Engelhard uploaded new packages for libreoffice which fixed the following security problems: CVE-2012-1149 multiple heap-based buffer overflows in OpenOffice.orgs XML manifest encryption tag parsing code For the squeeze-backports distribution the problems have been fixed in version 1:3.5.4-7~bpo60+1.
[BSA-074] Security update for libreoffice
Rene Engelhard uploaded new packages for libreoffice which fixed the following security problem: CVE-2012-1149 Integer overflows in PNG image handling For the squeeze-backports distribution the problems have been fixed in version 1:3.4.6-2~bpo60+2.
[BSA-073] Security Update for strongswan
Micah Anderson uploaded new packages for strongswan which fixed the following security problems: CVE-2012-2388 An authentication bypass issue was discovered by the Codenomicon CROSS project in strongSwan, an IPsec-based VPN solution. When using RSA-based setups, a missing check in the gmp plugin could allow an attacker presenting a forged signature to successfully authenticate against a strongSwan responder. For the squeeze-backports distribution the problems have been fixed in version 4.5.2-1.4~bpo60+1
[BSA-071] Security Update for request-tracker4
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Dominic Hargreaves uploaded new packages for request-tracker4 which fixed the following security problems: CVE-2011-2082 The vulnerable-passwords scripts introduced for CVE-2011-0009 failed to correct the password hashes of disabled users. CVE-2011-2083 Several cross-site scripting issues have been discovered. CVE-2011-2084 Password hashes could be disclosed by privileged users. CVE-2011-2085 Several cross-site request forgery vulnerabilities have been found. If this update breaks your setup, you can restore the old behaviour by setting $RestrictReferrer to 0. CVE-2011-4458 The code to support variable envelope return paths allowed the execution of arbitrary code. CVE-2011-4459 Disabled groups were not fully accounted as disabled. CVE-2011-4460 SQL injection vulnerability, only exploitable by privileged users. For the squeeze-backports distribution the problems have been fixed in version 4.0.5-3~bpo60+1. -----BEG
[BSA-069] Security Update for NGINX
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hi. I uploaded new packages for nginx which fixed the following security problems: CVE-2012-2089 - nginx -- arbitrary code execution in mp4 pseudo-streaming module A flaw was reported in the nginx standard mp4 pseudo-streaming module. A specially-crafted mp4 file could allow for the overwriting of memory locations in a worker process if ngx_http_mp4_module were used. This could potentially result in arbitrary code execution with the privileges of the unprivileged nginx user. This has been corrected in upstream 1.0.15 and 1.1.9 versions, and only affected versions newer than 1.1.3 and 1.0.7 when built with the ngx_http_mp4_module and had the "mp4" directive set in the configuration file. For the squeeze-backports distribution the problems have been fixed in version 1.1.19-1~bpo60+1 For wheezy (testing) and sid (unstable) this was fixed in version 1.1.19-1 Squeeze (stable) is not vulnerable to this security issue. Thanks. - -- Cyril "Davromani
[BSA-070] Security Update for samba
I uploaded new packages for samba which fixed the following security problem: CVE-2012-1182 PIDL based autogenerated code allows overwriting beyond of allocated array. For the squeeze-backports distribution the problems have been fixed in version 2:3.6.4-1~bpo60+1.
lenny backports discontinued
Following the normal Debian Archive lenny-backports is now discontinued. That means that no upload will be possible anymore and lenny-backports(-sloppy) get moved to archive.debian.org. If you haven't updated yet - now is the time to move to squeeze. Some numbers about lenny-backports and lenny-backports-sloppy: - Source packages: lenny-backports: 667 - sloppy: 21 - Uploads: lenny-backports: 1445 - sloppy: 51 - Contributors: lenny-backports: 146 - sloppy: 17 Without all those contributors lenny-backports wouldn't have been possible. Thank you very much for your support! Alex and Rhonda - backports.debian.org ftpmasters P.S. and of course a big thanks to ganneff, without him we wouldn't be able to run the dak monster :)