[ Diff: List of accepted packages updated, added list about covered DSAs ]

Preparation of Debian GNU/Linux 4.0r5
=====================================

We are preparing the next revision of the current stable Debian distribution (etch) and will frequently send reports so people can actually comment on it and intervene whenever this is required. If you disagree with one bit or another, please reply to this mail and explain why these things should be handled differently.

An ftpmaster still has to give the final approval for each package, since the ftpmasters are responsible for the archive. However, we are trying to make their work as easy as possible in the hope of getting the next revision out properly and without any hassle.

If you would like to get a package updated in the stable release, you are advised to talk to the stable release managers first (see <http://www.debian.org/intro/organization>).

Accepted Packages
-----------------

These packages will be installed into the stable Debian distribution and will be part of the next revision.

Sourceful update of phpmyadmin:
  version in stable:  4:2.9.1.1-7
  version in updates: 4:2.9.1.1-8
  Rationales:
  - 2.9.1.1-8: DSA 1641 phpmyadmin - several vulnerabilities

Sourceful update of wdiff:
  version in stable:  0.5-16
  version in updates: 0.5-16etch1
  Rationales:
  - 0.5-16etch1: wdiff - fix a race condition related to temporary files (#425254)

Sourceful update of dist:
  version in stable:  3.70-31
  version in updates: 3.70-31etch1
  Rationales:
  - 3.70-31etch1: dist - Fix insecure temp file usage

Sourceful update of libxml2:
  version in stable:  2.6.27.dfsg-2
  version in updates: 2.6.27.dfsg-5
  Rationales:
  - 2.6.27.dfsg-3: DSA 1631 libxml2 - denial of service
  - 2.6.27.dfsg-4: DSA 1631 libxml2 - denial of service
  - 2.6.27.dfsg-5: DSA 1654 libxml2 - Fix execution of arbitrary code

Sourceful update of squid:
  version in stable:  2.6.5-6etch1
  version in updates: 2.6.5-6etch4
  Rationales:
  - 2.6.5-6etch2: DSA 1646 squid - Fix array bounds check
  - 2.6.5-6etch4: DSA 1646 squid - Fix array bounds check

Sourceful update of linux-2.6.24:
  version in stable:  2.6.24-6~etchnhalf.4
  version in updates: 2.6.24-6~etchnhalf.6
  Rationales:
  - 2.6.24-6~etchnhalf.5: DSA 1636 linux-2.6.24 - denial of service/information leak
  - 2.6.24-6~etchnhalf.6: DSA 1655 linux-2.6.24 - Fix several vulnerabilities

Sourceful update of icedove:
  version in stable:  1.5.0.13+1.5.0.15b.dfsg1+prepatch080417a-0etch1
  version in updates: 1.5.0.13+1.5.0.15b.dfsg1+prepatch080614d-0etch1
  Rationales:
  - 1.5.0.13+1.5.0.15b.dfsg1+prepatch080614d-0etch1: DSA 1621 icedove - several vulnerabilities

Sourceful update of opensc:
  version in stable:  0.11.1-2
  version in updates: 0.11.1-2etch2
  Rationales:
  - 0.11.1-2etch1: DSA 1627 opensc - smart card vulnerability
  - 0.11.1-2etch2: DSA 1627 opensc - smart card vulnerability

Sourceful update of twiki:
  version in stable:  1:4.0.5-9.1
  version in updates: 1:4.0.5-9.1etch1
  Rationales:
  - 4.0.5-9.1etch1: DSA 1639 twiki - arbitrary code execution

Sourceful update of apache2-mpm-itk:
  version in stable:  2.2.3-01-2
  version in updates: 2.2.3-01-2+etch1
  Rationales:
  - 2.2.3-01-2+etch1: apache2-mpm-itk - rebuild against apache2 2.2.3-4+etch6, fix hanging processes on restart/shutdown

Sourceful update of libxslt:
  version in stable:  1.1.19-2
  version in updates: 1.1.19-3
  Rationales:
  - 1.1.19-3: DSA 1624 libxslt - arbitrary code execution

Sourceful update of mon:
  version in stable:  0.99.2-9
  version in updates: 0.99.2-9+etch2
  Rationales:
  - 0.99.2-9+etch2: DSA 1648 mon - Fix insecure temporary files

Sourceful update of jumpnbump:
  version in stable:  1.50-6
  version in updates: 1.50-6+etch1
  Rationales:
  - 1.50-6+etch1: jumpnbump - Fix insecure handling of /tmp (#500611)

Sourceful update of wordnet:
  version in stable:  1:2.1-4
  version in updates: 1:2.1-4+etch2
  Rationales:
  - 2.1-4+etch1: DSA 1634 wordnet - stack and heap overflows
  - 2.1-4+etch2: DSA 1634 wordnet - arbitrary code execution

Sourceful update of ruby1.8:
  version in stable:  1.8.5-4etch2
  version in updates: 1.8.5-4etch3
  Rationales:
  - 1.8.5-4etch3: DSA 1651 ruby1.8 - several vulnerabilities

Sourceful update of ruby1.9:
  version in stable:  1.9.0+20060609-1etch1
  version in updates: 1.9.0+20060609-1etch3
  Rationales:
  - 1.9.0+20060609-1etch2: DSA 1618 ruby1.9 - several vulnerabilities
  - 1.9.0+20060609-1etch3: DSA 1652 ruby1.9 - several vulnerabilities

Sourceful update of newsx:
  version in stable:  1.6-2
  version in updates: 1.6-2etch1
  Rationales:
  - 1.6-2etch1: DSA 1622 newsx - arbitrary code execution

Sourceful update of python-django:
  version in stable:  0.95.1-1etch1
  version in updates: 0.95.1-1etch2
  Rationales:
  - 0.95.1-1etch2: DSA 1640 python-django - several vulnerabilities

Sourceful update of openldap2.3:
  version in stable:  2.3.30-5+etch1
  version in updates: 2.3.30-5+etch2
  Rationales:
  - 2.3.30-5+etch2: DSA 1650 openldap2.3 - Fix denial of service

Sourceful update of apache2:
  version in stable:  2.2.3-4+etch5
  version in updates: 2.2.3-4+etch6
  Rationales:
  - 2.2.3-4+etch6: apache2 - fix various issues (CVE-2007-6388, CVE-2008-2939, CVE-2008-2364, #489899, #470652)

Sourceful update of tzdata:
  version in stable:  2007k-1etch1
  version in updates: 2008e-1etch3
  Rationales:
  - 2008e-1etch1: tzdata - updates to several timezones
  - 2008e-1etch2: tzdata - Adjust to several timezone and DST settings
  - 2008e-1etch3: tzdata - Adjust to several timezone and DST settings

Sourceful update of user-mode-linux:
  version in stable:  2.6.18-1um-2etch.21
  version in updates: 2.6.18-1um-2etch.23
  Rationales:
  - 2.6.18-1um-2etch.22etch1: DSA 1630 linux-2.6 - several vulnerabilities
  - 2.6.18-1um-2etch.22etch2: DSA 1630 linux-2.6 - several vulnerabilities
  - 2.6.18-1um-2etch.22etch3: DSA 1653 linux-2.6 - several vulnerabilities
  - 2.6.18-1um-2etch.23: linux-2.6 - fix xfs corruption / Xen crash

Sourceful update of xulrunner:
  version in stable:  1.8.0.15~pre080323b-0etch2
  version in updates: 1.8.0.15~pre080614d-0etch1
  Rationales:
  - 1.8.0.15~pre080614d-0etch1: DSA 1615 xulrunner - several vulnerabilities

Sourceful update of feta:
  version in stable:  1.4.15
  version in updates: 1.4.15+etch1
  Rationales:
  - 1.4.15+etch1: DSA 1643 feta - Fix insecure temp file usage

Sourceful update of tiff:
  version in stable:  3.8.2-7
  version in updates: 3.8.2-7+etch1
  Rationales:
  - 3.8.2-7+etch1: DSA 1632 tiff - arbitrary code execution

Sourceful update of php5:
  version in stable:  5.2.0-8+etch11
  version in updates: 5.2.0-8+etch13
  Rationales:
  - 5.2.0-8+etch13: DSA 1647 php5 - Fix several vulnerabilities

Sourceful update of blosxom:
  version in stable:  2.0-14
  version in updates: 2.0-14+etch1
  Rationales:
  - 2.0-14+etch1: blosxom - Fix XSS (CVE-2008-2236, #500873)

Sourceful update of git-core:
  version in stable:  1:1.4.4.4-2
  version in updates: 1:1.4.4.4-3
  Rationales:
  - 1.4.4.4-3: git-core - support download of packs v2 through dumb transports

Sourceful update of refpolicy:
  version in stable:  0.0.20061018-5
  version in updates: 0.0.20061018-5.1+etch1
  Rationales:
  - 0.0.20061018-5.1+etch1: DSA 1617 refpolicy - incompatible policy

Sourceful update of slash:
  version in stable:  2.2.6-8
  version in updates: 2.2.6-8etch1
  Rationales:
  - 2.2.6-8etch1: DSA 1633 slash - multiple vulnerabilities

Sourceful update of horde3:
  version in stable:  3.1.3-4etch3
  version in updates: 3.1.3-4etch4
  Rationales:
  - 3.1.3-4etch4: DSA 1642 horde3 - cross site scripting

Sourceful update of lighttpd:
  version in stable:  1.4.13-4etch10
  version in updates: 1.4.13-4etch11
  Rationales:
  - 1.4.13-4etch11: DSA 1645 lighttpd - various problems

Sourceful update of clamav:
  version in stable:  0.90.1dfsg-3etch11
  version in updates: 0.90.1dfsg-3.1+etch14
  Rationales:
  - 0.90.1dfsg-3.1+etch14: DSA 1616 clamav - fix denial of service
  - 0.90.1dfsg-3etch13: DSA 1616 clamav - fix denial of service

Sourceful update of python-dns:
  version in stable:  2.3.0-5.1
  version in updates: 2.3.0-5.2+etch2
  Rationales:
  - 2.3.0-5.2+etch1: DSA 1619 python-dns - DNS response spoofing
  - 2.3.0-5.2+etch2: DSA 1619 python-dns - DNS response spoofing

Sourceful update of libpam-pwdfile:
  version in stable:  0.99-3
  version in updates: 0.99-3etch1
  Rationales:
  - 0.99-3etch1: libpam_pwdfile - use gcc instead of ld (#499203)

Sourceful update of python2.5:
  version in stable:  2.5-5
  version in updates: 2.5-5+etch1
  Rationales:
  - 2.5-5+etch1: DSA 1620 python2.5 - several vulnerabilities

Sourceful update of net6:
  version in stable:  1:1.3.1-3
  version in updates: 1:1.3.1-4
  Rationales:
  - 1.3.1-4: net6 - fix object access after deallocation

Sourceful update of pdns:
  version in stable:  2.9.20-8
  version in updates: 2.9.20-8+etch1
  Rationales:
  - 2.9.20-8+etch1: DSA 1628 pdns - DNS response spoofing

Sourceful update of iceweasel:
  version in stable:  2.0.0.15-0etch1
  version in updates: 2.0.0.17-0etch1
  Rationales:
  - 2.0.0.16-0etch1: DSA 1614 iceweasel - several vulnerabilities
  - 2.0.0.17-0etch1: DSA 1649 iceweasel - Fix several vulnerabilities

Sourceful update of postgresql-8.1:
  version in stable:  8.1.11-0etch1
  version in updates: 8.1.13-0etch1
  Rationales:
  - 8.1.13-0etch1: postgresql-8.1 - upstream bugfix release 8.1.13

Sourceful update of trac:
  version in stable:  0.10.3-1etch3
  version in updates: 0.10.3-1etch4
  Rationales:
  - 0.10.3-1etch4: trac - fix multiple vulnerabilities (CVE-2008-3328, CVE-2008-2951)

Sourceful update of postfix:
  version in stable:  2.3.8-2
  version in updates: 2.3.8-2+etch1
  Rationales:
  - 2.3.8-2+etch1: DSA 1629 postfix - programming error
  - 2.3.8-2etch1: DSA 1629 postfix - programming error

Sourceful update of irqbalance:
  version in stable:  0.12-7
  version in updates: 0.12-7etch1
  Rationales:
  - 0.12-7etch1: irqbalance - Fix segfault when /proc/interrupts contains an interrupt with a number of 256 or larger

Sourceful update of myspell:
  version in stable:  1:3.0+pre3.1-18
  version in updates: 1:3.0+pre3.1-18etch1
  Rationales:
  - 3.0+pre3.1-18etch1: myspell - fix insecure temp file usage (#496392)

Sourceful update of httrack:
  version in stable:  3.40.4-3.1
  version in updates: 3.40.4-3.1+etch1
  Rationales:
  - 3.40.4-3.1+etch1: DSA 1626 httrack - arbitrary code execution

Sourceful update of dnsmasq:
  version in stable:  2.35-1
  version in updates: 2.35-1+etch4
  Rationales:
  - 2.35-1+etch4: DSA 1623 dnsmasq - cache poisoning

Sourceful update of mt-daapd:
  version in stable:  0.2.4+r1376-1.1+etch1
  version in updates: 0.2.4+r1376-1.1+etch2
  Rationales:
  - 0.2.4+r1376-1.1+etch2: DSA 1597 mt-daapd - fix several vulnerabilities (fixes for regression)

Sourceful update of openssh:
  version in stable:  1:4.3p2-9etch2
  version in updates: 1:4.3p2-9etch3
  Rationales:
  - 4.3p2-9etch3: DSA 1638 openssh - denial of service

Sourceful update of cupsys:
  version in stable:  1.2.7-4etch3
  version in updates: 1.2.7-4etch4
  Rationales:
  - 1.2.7-4etch4: DSA 1625 cupsys - arbitrary code execution

Sourceful update of mplayer:
  version in stable:  1.0~rc1-12etch3
  version in updates: 1.0~rc1-12etch5
  Rationales:
  - 1.0~rc1-12etch5: DSA 1644 mplayer - Fix integer overflows

binNMU for source package obby:
  - libobby-0.4-0     0.4.1-2+b2  i386
  - libobby-0.4-0     0.4.1-2+b1  s390 amd64 sparc powerpc arm mips ia64 alpha mipsel hppa
  - libobby-0.4-dev   0.4.1-2+b2  i386
  - libobby-0.4-dev   0.4.1-2+b1  s390 amd64 sparc powerpc arm mips ia64 alpha mipsel hppa
  - libobby-0.4-0-dbg 0.4.1-2+b2  i386
  - libobby-0.4-0-dbg 0.4.1-2+b1  s390 amd64 sparc powerpc arm mips ia64 alpha mipsel hppa
  Rationale: Rebuild against net6.

Requires further investigation
------------------------------

These packages need further investigation. One reason a package is listed here could be that I'm not yet convinced it should go into stable, but don't want to reject it entirely at the moment. Another reason could be that the released and updated architectures are not yet in sync.

Sourceful update of fai-kernels:
  version in stable:  1.17+etch.21
  version in updates: 1.17+etch.23
  Rationales:
  - 1.17+etch.22etch2: DSA 1630 linux-2.6 - several vulnerabilities
  - 1.17+etch.22etch3: DSA 1653 linux-2.6 - several vulnerabilities
  - 1.17+etch.23: linux-2.6 - fix xfs corruption / Xen crash
  Problems: powerpc build of 1.17+etch.23 missing

Sourceful update of yaird:
  version in stable:  0.0.12-18
  version in updates: 0.0.12-18etch1
  Rationales:
  - 0.0.12-18etch1: yaird - backported for etch+0.5 kernel
  Problems: builds missing for alpha, i386, mips{,el}, powerpc

Sourceful update of linux-2.6:
  version in stable:  2.6.18.dfsg.1-22
  version in updates: 2.6.18.dfsg.1-23
  Rationales:
  - 2.6.18.dfsg.1-22etch1: DSA 1630 linux-2.6 - several vulnerabilities
  - 2.6.18.dfsg.1-22etch2: DSA 1630 linux-2.6 - several vulnerabilities
  - 2.6.18.dfsg.1-22etch3: DSA 1653 linux-2.6 - several vulnerabilities
  - 2.6.18.dfsg.1-23: linux-2.6 - fix xfs corruption / Xen crash
  Problems: builds missing for alpha, mips{,el}, powerpc

binNMU for source package sobby:
  - sobby 0.4.1-1+b2  s390 amd64 powerpc arm sparc mips ia64 alpha mipsel hppa
  Rationale: Rebuild against net6.
  Problems: i386 build missing (built)

binNMU for source package gobby:
  - gobby 0.4.1-2+b1  s390 amd64 powerpc arm sparc mips ia64 alpha mipsel hppa
  Rationale: Rebuild against net6.
  Problems: i386 build missing (built)

Removed Packages
----------------

These packages will be removed from the stable Debian distribution. This is normally only a result of license problems, when the license prohibits their distribution.

Removal of source package f-prot-installer:
  Rationale: #495171: f-prot-installer - RoM, RoQA; obsolete
  To be removed:
    f-prot-installer | 0.5.22 | stable/contrib | source, i386

debian-installer Decrufting
---------------------------

The following builds of debian-installer should be removed from the stable tree. Builds of r0 are normally kept; others might be removed at point release time.

  - 20070308etch2

Covered DSAs
------------

The following DSAs are incorporated into this point release.

  DSA 1597 | mt-daapd        | fix several vulnerabilities (fixes for regression)
  DSA 1614 | iceweasel       | several vulnerabilities
  DSA 1615 | xulrunner       | several vulnerabilities
  DSA 1616 | clamav          | fix denial of service
  DSA 1617 | refpolicy       | incompatible policy
  DSA 1618 | ruby1.9         | several vulnerabilities
  DSA 1619 | python-dns      | DNS response spoofing
  DSA 1620 | python2.5       | several vulnerabilities
  DSA 1621 | icedove         | several vulnerabilities
  DSA 1622 | newsx           | arbitrary code execution
  DSA 1623 | dnsmasq         | cache poisoning
  DSA 1624 | libxslt         | arbitrary code execution
  DSA 1625 | cupsys          | arbitrary code execution
  DSA 1626 | httrack         | arbitrary code execution
  DSA 1627 | opensc          | smart card vulnerability
  DSA 1628 | pdns            | DNS response spoofing
  DSA 1629 | postfix         | programming error
  DSA 1630 | fai-kernels     | several vulnerabilities
  DSA 1630 | linux-2.6       | several vulnerabilities
  DSA 1630 | user-mode-linux | several vulnerabilities
  DSA 1631 | libxml2         | denial of service
  DSA 1632 | tiff            | arbitrary code execution
  DSA 1633 | slash           | multiple vulnerabilities
  DSA 1634 | wordnet         | arbitrary code execution
  DSA 1634 | wordnet         | stack and heap overflows
  DSA 1636 | linux-2.6.24    | denial of service/information leak
  DSA 1638 | openssh         | denial of service
  DSA 1639 | twiki           | arbitrary code execution
  DSA 1640 | python-django   | several vulnerabilities
  DSA 1641 | phpmyadmin      | several vulnerabilities
  DSA 1642 | horde3          | cross site scripting
  DSA 1643 | feta            | Fix insecure temp file usage
  DSA 1644 | mplayer         | Fix integer overflows
  DSA 1645 | lighttpd        | various problems
  DSA 1646 | squid           | Fix array bounds check
  DSA 1647 | php5            | Fix several vulnerabilities
  DSA 1648 | mon             | Fix insecure temporary files
  DSA 1649 | iceweasel       | Fix several vulnerabilities
  DSA 1650 | openldap2.3     | Fix denial of service
  DSA 1651 | ruby1.8         | several vulnerabilities
  DSA 1652 | ruby1.9         | several vulnerabilities
  DSA 1653 | fai-kernels     | several vulnerabilities
  DSA 1653 | linux-2.6       | several vulnerabilities
  DSA 1653 | user-mode-linux | several vulnerabilities
  DSA 1654 | libxml2         | Fix execution of arbitrary code
  DSA 1655 | linux-2.6.24    | Fix several vulnerabilities

Disclaimer
----------

This list is intended to help the ftp-masters release 4.0r5. They have the final power to accept a package or not. If you want to comment on this list, please send a mail to the debian release mailing list <debian-release@lists.debian.org>.

Last updated 2008/10/17 13:06 CEST