[ Diff: List of accepted packages updated, added list about covered DSAs ]
Preparation of Debian GNU/Linux 4.0r5
=====================================
We are preparing the next revision of the current stable Debian
distribution (etch) and will frequently send reports so people can
actually comment on it and intervene whenever this is required.
If you disagree with one bit or another, please reply to this mail and
explain why these things should be handled differently.
An ftpmaster still has to give the final approval for each package
since ftpmasters are responsible for the archive. However, we are
trying to make their work as easy as possible in the hope of getting the next
revision out properly and without any hassle.
If you would like to get a package updated in the stable release, you
are advised to talk to the stable release managers first (see
<http://www.debian.org/intro/organization>).
Accepted Packages
-----------------
These packages will be installed into the stable Debian distribution
and will be part of the next revision.
Sourceful update of phpmyadmin:
version in stable: 4:2.9.1.1-7
version in updates: 4:2.9.1.1-8
Rationales:
- 2.9.1.1-8: DSA 1641 phpmyadmin - several vulnerabilities
Sourceful update of wdiff:
version in stable: 0.5-16
version in updates: 0.5-16etch1
Rationales:
- 0.5-16etch1: wdiff - fix a race condition related to temporary files (#425254)
Sourceful update of dist:
version in stable: 3.70-31
version in updates: 3.70-31etch1
Rationales:
- 3.70-31etch1: dist - Fix insecure temp file usage
Sourceful update of libxml2:
version in stable: 2.6.27.dfsg-2
version in updates: 2.6.27.dfsg-5
Rationales:
- 2.6.27.dfsg-3: DSA 1631 libxml2 - denial of service
- 2.6.27.dfsg-4: DSA 1631 libxml2 - denial of service
- 2.6.27.dfsg-5: DSA 1654 libxml2 - Fix execution of arbitrary code
Sourceful update of squid:
version in stable: 2.6.5-6etch1
version in updates: 2.6.5-6etch4
Rationales:
- 2.6.5-6etch2: DSA 1646 squid - Fix array bounds check
- 2.6.5-6etch4: DSA 1646 squid - Fix array bounds check
Sourceful update of linux-2.6.24:
version in stable: 2.6.24-6~etchnhalf.4
version in updates: 2.6.24-6~etchnhalf.6
Rationales:
- 2.6.24-6~etchnhalf.5: DSA 1636 linux-2.6.24 - denial of service/information leak
- 2.6.24-6~etchnhalf.6: DSA 1655 linux-2.6.24 - Fix several vulnerabilities
Sourceful update of icedove:
version in stable: 1.5.0.13+1.5.0.15b.dfsg1+prepatch080417a-0etch1
version in updates: 1.5.0.13+1.5.0.15b.dfsg1+prepatch080614d-0etch1
Rationales:
- 1.5.0.13+1.5.0.15b.dfsg1+prepatch080614d-0etch1: DSA 1621 icedove - several vulnerabilities
Sourceful update of opensc:
version in stable: 0.11.1-2
version in updates: 0.11.1-2etch2
Rationales:
- 0.11.1-2etch1: DSA 1627 opensc - smart card vulnerability
- 0.11.1-2etch2: DSA 1627 opensc - smart card vulnerability
Sourceful update of twiki:
version in stable: 1:4.0.5-9.1
version in updates: 1:4.0.5-9.1etch1
Rationales:
- 4.0.5-9.1etch1: DSA 1639 twiki - arbitrary code execution
Sourceful update of apache2-mpm-itk:
version in stable: 2.2.3-01-2
version in updates: 2.2.3-01-2+etch1
Rationales:
- 2.2.3-01-2+etch1: apache2-mpm-itk - rebuild against apache2 2.2.3-4+etch6, fix hanging processes on restart/shutdown
Sourceful update of libxslt:
version in stable: 1.1.19-2
version in updates: 1.1.19-3
Rationales:
- 1.1.19-3: DSA 1624 libxslt - arbitrary code execution
Sourceful update of mon:
version in stable: 0.99.2-9
version in updates: 0.99.2-9+etch2
Rationales:
- 0.99.2-9+etch2: DSA 1648 mon - Fix insecure temporary files
Sourceful update of jumpnbump:
version in stable: 1.50-6
version in updates: 1.50-6+etch1
Rationales:
- 1.50-6+etch1: jumpnbump - Fix insecure handling of /tmp (#500611)
Sourceful update of wordnet:
version in stable: 1:2.1-4
version in updates: 1:2.1-4+etch2
Rationales:
- 2.1-4+etch1: DSA 1634 wordnet - stack and heap overflows
- 2.1-4+etch2: DSA 1634 wordnet - arbitrary code execution
Sourceful update of ruby1.8:
version in stable: 1.8.5-4etch2
version in updates: 1.8.5-4etch3
Rationales:
- 1.8.5-4etch3: DSA 1651 ruby1.8 - several vulnerabilities
Sourceful update of ruby1.9:
version in stable: 1.9.0+20060609-1etch1
version in updates: 1.9.0+20060609-1etch3
Rationales:
- 1.9.0+20060609-1etch2: DSA 1618 ruby1.9 - several vulnerabilities
- 1.9.0+20060609-1etch3: DSA 1652 ruby1.9 - several vulnerabilities
Sourceful update of newsx:
version in stable: 1.6-2
version in updates: 1.6-2etch1
Rationales:
- 1.6-2etch1: DSA 1622 newsx - arbitrary code execution
Sourceful update of python-django:
version in stable: 0.95.1-1etch1
version in updates: 0.95.1-1etch2
Rationales:
- 0.95.1-1etch2: DSA 1640 python-django - several vulnerabilities
Sourceful update of openldap2.3:
version in stable: 2.3.30-5+etch1
version in updates: 2.3.30-5+etch2
Rationales:
- 2.3.30-5+etch2: DSA 1650 openldap2.3 - Fix denial of service
Sourceful update of apache2:
version in stable: 2.2.3-4+etch5
version in updates: 2.2.3-4+etch6
Rationales:
- 2.2.3-4+etch6: apache2 - fix various issues (CVE-2007-6388, CVE-2008-2939, CVE-2008-2364, #489899, #470652)
Sourceful update of tzdata:
version in stable: 2007k-1etch1
version in updates: 2008e-1etch3
Rationales:
- 2008e-1etch1: tzdata - updates to several timezones
- 2008e-1etch2: tzdata - Adjust to several timezone and DST setting
- 2008e-1etch3: tzdata - Adjust to several timezone and DST setting
Sourceful update of user-mode-linux:
version in stable: 2.6.18-1um-2etch.21
version in updates: 2.6.18-1um-2etch.23
Rationales:
- 2.6.18-1um-2etch.22etch1: DSA 1630 linux-2.6 - several vulnerabilities
- 2.6.18-1um-2etch.22etch2: DSA 1630 linux-2.6 - several vulnerabilities
- 2.6.18-1um-2etch.22etch3: DSA 1653 linux-2.6 - several vulnerabilities
- 2.6.18-1um-2etch.23: linux-2.6 - fix xfs corruption / Xen crash
Sourceful update of xulrunner:
version in stable: 1.8.0.15~pre080323b-0etch2
version in updates: 1.8.0.15~pre080614d-0etch1
Rationales:
- 1.8.0.15~pre080614d-0etch1: DSA 1615 xulrunner - several vulnerabilities
Sourceful update of feta:
version in stable: 1.4.15
version in updates: 1.4.15+etch1
Rationales:
- 1.4.15+etch1: DSA 1643 feta - Fix insecure temp file usage
Sourceful update of tiff:
version in stable: 3.8.2-7
version in updates: 3.8.2-7+etch1
Rationales:
- 3.8.2-7+etch1: DSA 1632 tiff - arbitrary code execution
Sourceful update of php5:
version in stable: 5.2.0-8+etch11
version in updates: 5.2.0-8+etch13
Rationales:
- 5.2.0-8+etch13: DSA 1647 php5 - Fix several vulnerabilities
Sourceful update of blosxom:
version in stable: 2.0-14
version in updates: 2.0-14+etch1
Rationales:
- 2.0-14+etch1: blosxom - Fix XSS (CVE-2008-2236, #500873)
Sourceful update of git-core:
version in stable: 1:1.4.4.4-2
version in updates: 1:1.4.4.4-3
Rationales:
- 1.4.4.4-3: git-core - support download of packs v2 through dumb transports
Sourceful update of refpolicy:
version in stable: 0.0.20061018-5
version in updates: 0.0.20061018-5.1+etch1
Rationales:
- 0.0.20061018-5.1+etch1: DSA 1617 refpolicy - incompatible policy
Sourceful update of slash:
version in stable: 2.2.6-8
version in updates: 2.2.6-8etch1
Rationales:
- 2.2.6-8etch1: DSA 1633 slash - multiple vulnerabilities
Sourceful update of horde3:
version in stable: 3.1.3-4etch3
version in updates: 3.1.3-4etch4
Rationales:
- 3.1.3-4etch4: DSA 1642 horde3 - cross site scripting
Sourceful update of lighttpd:
version in stable: 1.4.13-4etch10
version in updates: 1.4.13-4etch11
Rationales:
- 1.4.13-4etch11: DSA 1645 lighttpd - various problems
Sourceful update of clamav:
version in stable: 0.90.1dfsg-3etch11
version in updates: 0.90.1dfsg-3.1+etch14
Rationales:
- 0.90.1dfsg-3.1+etch14: DSA 1616 clamav - fix denial of service
- 0.90.1dfsg-3etch13: DSA 1616 clamav - fix denial of service
Sourceful update of python-dns:
version in stable: 2.3.0-5.1
version in updates: 2.3.0-5.2+etch2
Rationales:
- 2.3.0-5.2+etch1: DSA 1619 python-dns - DNS response spoofing
- 2.3.0-5.2+etch2: DSA 1619 python-dns - DNS response spoofing
Sourceful update of libpam-pwdfile:
version in stable: 0.99-3
version in updates: 0.99-3etch1
Rationales:
- 0.99-3etch1: libpam_pwdfile - use gcc instead of ld (#499203)
Sourceful update of python2.5:
version in stable: 2.5-5
version in updates: 2.5-5+etch1
Rationales:
- 2.5-5+etch1: DSA 1620 python2.5 - several vulnerabilities
Sourceful update of net6:
version in stable: 1:1.3.1-3
version in updates: 1:1.3.1-4
Rationales:
- 1.3.1-4: net6 - fix object access after deallocation
Sourceful update of pdns:
version in stable: 2.9.20-8
version in updates: 2.9.20-8+etch1
Rationales:
- 2.9.20-8+etch1: DSA 1628 pdns - DNS response spoofing
Sourceful update of iceweasel:
version in stable: 2.0.0.15-0etch1
version in updates: 2.0.0.17-0etch1
Rationales:
- 2.0.0.16-0etch1: DSA 1614 iceweasel - several vulnerabilities
- 2.0.0.17-0etch1: DSA 1649 iceweasel - Fix several vulnerabilities
Sourceful update of postgresql-8.1:
version in stable: 8.1.11-0etch1
version in updates: 8.1.13-0etch1
Rationales:
- 8.1.13-0etch1: postgresql-8.1 - upstream bugfix release 8.1.13
Sourceful update of trac:
version in stable: 0.10.3-1etch3
version in updates: 0.10.3-1etch4
Rationales:
- 0.10.3-1etch4: trac - fix multiple vulnerabilities (CVE-2008-3328, CVE-2008-2951)
Sourceful update of postfix:
version in stable: 2.3.8-2
version in updates: 2.3.8-2+etch1
Rationales:
- 2.3.8-2+etch1: DSA 1629 postfix - programming error
- 2.3.8-2etch1: DSA 1629 postfix - programming error
Sourceful update of irqbalance:
version in stable: 0.12-7
version in updates: 0.12-7etch1
Rationales:
- 0.12-7etch1: irqbalance - Fix segfault when /proc/interrupts contains an interrupt with a number of 256 or larger
Sourceful update of myspell:
version in stable: 1:3.0+pre3.1-18
version in updates: 1:3.0+pre3.1-18etch1
Rationales:
- 3.0+pre3.1-18etch1: myspell - fix insecure temp file usage (#496392)
Sourceful update of httrack:
version in stable: 3.40.4-3.1
version in updates: 3.40.4-3.1+etch1
Rationales:
- 3.40.4-3.1+etch1: DSA 1626 httrack - arbitrary code execution
Sourceful update of dnsmasq:
version in stable: 2.35-1
version in updates: 2.35-1+etch4
Rationales:
- 2.35-1+etch4: DSA 1623 dnsmasq - cache poisoning
Sourceful update of mt-daapd:
version in stable: 0.2.4+r1376-1.1+etch1
version in updates: 0.2.4+r1376-1.1+etch2
Rationales:
- 0.2.4+r1376-1.1+etch2: DSA 1597 mt-daapd - fix several vulnerabilities (fixes for regression)
Sourceful update of openssh:
version in stable: 1:4.3p2-9etch2
version in updates: 1:4.3p2-9etch3
Rationales:
- 4.3p2-9etch3: DSA 1638 openssh - denial of service
Sourceful update of cupsys:
version in stable: 1.2.7-4etch3
version in updates: 1.2.7-4etch4
Rationales:
- 1.2.7-4etch4: DSA 1625 cupsys - arbitrary code execution
Sourceful update of mplayer:
version in stable: 1.0~rc1-12etch3
version in updates: 1.0~rc1-12etch5
Rationales:
- 1.0~rc1-12etch5: DSA 1644 mplayer - Fix integer overflows
binNMU for source package obby:
- libobby-0.4-0 0.4.1-2+b2 i386
- libobby-0.4-0 0.4.1-2+b1 s390 amd64 sparc powerpc arm mips ia64 alpha mipsel hppa
- libobby-0.4-dev 0.4.1-2+b2 i386
- libobby-0.4-dev 0.4.1-2+b1 s390 amd64 sparc powerpc arm mips ia64 alpha mipsel hppa
- libobby-0.4-0-dbg 0.4.1-2+b2 i386
- libobby-0.4-0-dbg 0.4.1-2+b1 s390 amd64 sparc powerpc arm mips ia64 alpha mipsel hppa
Rationale: Rebuild against net6.
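The version strings in the lists above follow dpkg's ordering rules, which is what makes each "version in updates" sort after its "version in stable" even for revisions such as 6~etchnhalf.6, 3.1+etch14 or 2+b2. The following Python reimplementation of the dpkg comparison algorithm (Debian Policy 5.6.12) is an added example for this document, not code from the original mail, from dpkg or from the release team; the version pairs it checks are copied from the lists above, and the function names (compare_versions, not_newer) are the example's own.

```python
"""Debian version ordering, reimplemented from the dpkg rules.

Added example (not part of the original mail or of dpkg): a small Python
reimplementation of the algorithm behind `dpkg --compare-versions`, run over
(version in stable, version in updates) pairs copied from the lists above.
"""
from typing import List, Tuple

Version = Tuple[int, str, str]  # (epoch, upstream_version, debian_revision)


def _is_digit(c: str) -> bool:
    return len(c) == 1 and "0" <= c <= "9"


def _is_alpha(c: str) -> bool:
    return len(c) == 1 and ("a" <= c <= "z" or "A" <= c <= "Z")


def _order(c: str) -> int:
    # Weight of one character inside a non-digit run: '~' sorts before
    # everything, including end-of-string; letters sort before non-letters.
    if c == "":
        return 0
    if _is_digit(c):
        return 0
    if _is_alpha(c):
        return ord(c)
    if c == "~":
        return -1
    return ord(c) + 256


def _verrevcmp(a: str, b: str) -> int:
    # Compare one component (upstream version or revision) the way dpkg does:
    # alternate non-digit runs (character by character, via _order) and
    # digit runs (numerically, ignoring leading zeros).
    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        while (i < len(a) and not _is_digit(a[i])) or (j < len(b) and not _is_digit(b[j])):
            ac = _order(a[i]) if i < len(a) else 0
            bc = _order(b[j]) if j < len(b) else 0
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        while i < len(a) and a[i] == "0":
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        while i < len(a) and _is_digit(a[i]) and j < len(b) and _is_digit(b[j]):
            if not first_diff:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if i < len(a) and _is_digit(a[i]):
            return 1  # a's number has more digits, so it is larger
        if j < len(b) and _is_digit(b[j]):
            return -1
        if first_diff:
            return first_diff
    return 0


def parse_version(v: str) -> Version:
    # epoch:upstream-revision; the revision follows the LAST hyphen, so an
    # upstream version with its own hyphen (2.6.18-1um above) survives.
    epoch = 0
    if ":" in v:
        e, v = v.split(":", 1)
        epoch = int(e)
    if "-" in v:
        upstream, revision = v.rsplit("-", 1)
    else:
        upstream, revision = v, ""
    return epoch, upstream, revision


def compare_versions(a: str, b: str) -> int:
    """Return -1, 0 or 1 as a sorts before, equal to, or after b."""
    ea, ua, ra = parse_version(a)
    eb, ub, rb = parse_version(b)
    if ea != eb:
        return -1 if ea < eb else 1
    rc = _verrevcmp(ua, ub) or _verrevcmp(ra, rb)
    return (rc > 0) - (rc < 0)


# (version in stable, version in updates) pairs copied from the lists above.
STABLE_TO_UPDATES = [
    ("4:2.9.1.1-7", "4:2.9.1.1-8"),                                # phpmyadmin
    ("2.6.24-6~etchnhalf.4", "2.6.24-6~etchnhalf.6"),              # linux-2.6.24
    ("0.90.1dfsg-3etch11", "0.90.1dfsg-3.1+etch14"),               # clamav
    ("2.6.18-1um-2etch.21", "2.6.18-1um-2etch.23"),                # user-mode-linux
    ("2007k-1etch1", "2008e-1etch3"),                              # tzdata
    ("1.8.0.15~pre080323b-0etch2", "1.8.0.15~pre080614d-0etch1"),  # xulrunner
]


def not_newer(pairs) -> List[Tuple[str, str]]:
    """Return the pairs whose 'updates' version does not sort after 'stable'."""
    return [(s, u) for s, u in pairs if compare_versions(s, u) >= 0]


if __name__ == "__main__":
    for s, u in STABLE_TO_UPDATES:
        print(f"{s:30} {'<' if compare_versions(s, u) < 0 else '>='} {u}")
    # '~' sorts below end-of-string, so the etchnhalf backport of 2.6.24-6
    # stays below a plain 2.6.24-6 upload.
    print(compare_versions("2.6.24-6~etchnhalf.6", "2.6.24-6"))  # -1
    print("not newer:", not_newer(STABLE_TO_UPDATES))            # []
```

Two cases are worth noting when reading the lists: the tilde sorts before the end of the string, so 2.6.24-6~etchnhalf.6 is below a plain 2.6.24-6; and letters sort before non-letters, which is why the clamav revision 3etch11 sorts below 3.1+etch14 and the postfix revision 2etch1 below 2+etch1.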
Requires further Investigation
------------------------------
These packages need further investigation. One reason the package is
listed here could be that I'm not yet convinced this package should go
into stable, but don't want to reject it entirely at the moment.
Another reason could be that released and updated architectures are
not yet in sync.
Sourceful update of fai-kernels:
version in stable: 1.17+etch.21
version in updates: 1.17+etch.23
Rationales:
- 1.17+etch.22etch2: DSA 1630 linux-2.6 - several vulnerabilities
- 1.17+etch.22etch3: DSA 1653 linux-2.6 - several vulnerabilities
- 1.17+etch.23: linux-2.6 - fix xfs corruption / Xen crash
Problems: powerpc build of 1.17+etch.23 missing
Sourceful update of yaird:
version in stable: 0.0.12-18
version in updates: 0.0.12-18etch1
Rationales:
- 0.0.12-18etch1: yaird - backported for etch+0.5 kernel
Problems: builds missing for alpha, i386, mips{,el}, powerpc
Sourceful update of linux-2.6:
version in stable: 2.6.18.dfsg.1-22
version in updates: 2.6.18.dfsg.1-23
Rationales:
- 2.6.18.dfsg.1-22etch1: DSA 1630 linux-2.6 - several vulnerabilities
- 2.6.18.dfsg.1-22etch2: DSA 1630 linux-2.6 - several vulnerabilities
- 2.6.18.dfsg.1-22etch3: DSA 1653 linux-2.6 - several vulnerabilities
- 2.6.18.dfsg.1-23: linux-2.6 - fix xfs corruption / Xen crash
Problems: builds missing for alpha, mips{,el}, powerpc
binNMU for source package sobby:
- sobby 0.4.1-1+b2 s390 amd64 powerpc arm sparc mips ia64 alpha mipsel hppa
Rationale: Rebuild against net6.
Problems: i386 build missing (built)
binNMU for source package gobby:
- gobby 0.4.1-2+b1 s390 amd64 powerpc arm sparc mips ia64 alpha mipsel hppa
Rationale: Rebuild against net6.
Problems: i386 build missing (built)
Removed Packages
----------------
These packages will be removed from the stable Debian distribution.
This is normally only a result of license problems, when the license
prohibits their distribution.
Removal of source package f-prot-installer:
Rationale: #495171: f-prot-installer - RoM, RoQA; obsolete
To be removed:
f-prot-installer | 0.5.22 | stable/contrib | source, i386
debian-installer Decrufting
---------------------------
The following builds of debian-installer should be removed from the
stable tree. Builds of r0 are normally kept, others might be removed
at point release time.
- 20070308etch2
Covered DSAs
------------
The following DSAs are incorporated into this point release.
DSA 1597 | mt-daapd | fix several vulnerabilities (fixes for regression)
DSA 1614 | iceweasel | several vulnerabilities
DSA 1615 | xulrunner | several vulnerabilities
DSA 1616 | clamav | fix denial of service
DSA 1617 | refpolicy | incompatible policy
DSA 1618 | ruby1.9 | several vulnerabilities
DSA 1619 | python-dns | DNS response spoofing
DSA 1620 | python2.5 | several vulnerabilities
DSA 1621 | icedove | several vulnerabilities
DSA 1622 | newsx | arbitrary code execution
DSA 1623 | dnsmasq | cache poisoning
DSA 1624 | libxslt | arbitrary code execution
DSA 1625 | cupsys | arbitrary code execution
DSA 1626 | httrack | arbitrary code execution
DSA 1627 | opensc | smart card vulnerability
DSA 1628 | pdns | DNS response spoofing
DSA 1629 | postfix | programming error
DSA 1630 | fai-kernels | several vulnerabilities
DSA 1630 | linux-2.6 | several vulnerabilities
DSA 1630 | user-mode-linux | several vulnerabilities
DSA 1631 | libxml2 | denial of service
DSA 1632 | tiff | arbitrary code execution
DSA 1633 | slash | multiple vulnerabilities
DSA 1634 | wordnet | stack and heap overflows / arbitrary code execution
DSA 1636 | linux-2.6.24 | denial of service/information leak
DSA 1638 | openssh | denial of service
DSA 1639 | twiki | arbitrary code execution
DSA 1640 | python-django | several vulnerabilities
DSA 1641 | phpmyadmin | several vulnerabilities
DSA 1642 | horde3 | cross site scripting
DSA 1643 | feta | Fix insecure temp file usage
DSA 1644 | mplayer | Fix integer overflows
DSA 1645 | lighttpd | various problems
DSA 1646 | squid | Fix array bounds check
DSA 1647 | php5 | Fix several vulnerabilities
DSA 1648 | mon | Fix insecure temporary files
DSA 1649 | iceweasel | Fix several vulnerabilities
DSA 1650 | openldap2.3 | Fix denial of service
DSA 1651 | ruby1.8 | several vulnerabilities
DSA 1652 | ruby1.9 | several vulnerabilities
DSA 1653 | fai-kernels | several vulnerabilities
DSA 1653 | linux-2.6 | several vulnerabilities
DSA 1653 | user-mode-linux | several vulnerabilities
DSA 1654 | libxml2 | Fix execution of arbitrary code
DSA 1655 | linux-2.6.24 | Fix several vulnerabilities
Disclaimer
----------
This list is intended to help the ftp-masters release 4.0r5. They have the
final power to accept a package or not. If you want to comment on
this list, please send a mail to the debian release mailing list
<debian-release@lists.debian.org>.
Last updated 2008/10/17 13:06 CEST