Preparation of Debian GNU/Linux 4.0r6
=====================================
We are preparing the next revision of the current stable Debian distribution (etch) and will send reports so people can actually comment on it and intervene whenever this is required. If you disagree with one bit or another, please reply to this mail and explain why these things should be handled differently.

An ftpmaster still has to give the final approval for each package since ftpmasters are responsible for the archive. However, we are trying to make their work as easy as possible in the hope of getting the next revision out properly and without any hassle.

If you would like to get a package updated in the stable release, you are advised to talk to the stable release managers first (see <http://www.debian.org/intro/organization>).

Accepted Packages
-----------------

These packages will be installed into the stable Debian distribution and will be part of the next revision.

Sourceful update of postgresql-7.4:
  version in stable:  1:7.4.19-0etch1
  version in updates: 1:7.4.23-0etch1
  Rationales:
    - 7.4.23-0etch1: postgresql-7.4 - incorporate bug fix releases 7.4.20, 7.4.21, 7.4.22 and 7.4.23

Sourceful update of tdiary:
  version in stable:  2.0.2+20060303-5
  version in updates: 2.0.2+20060303-6
  Rationales:
    - 2.0.2+20060303-6: tdiary - Fix a Cross Site Scripting vulnerability (#464778)

Sourceful update of openoffice.org:
  version in stable:  2.0.4.dfsg.2-7etch5
  version in updates: 2.0.4.dfsg.2-7etch6
  Rationales:
    - 2.0.4.dfsg.2-7etch6: DSA 1661 openoffice.org - several vulnerabilities

Sourceful update of libxml2:
  version in stable:  2.6.27.dfsg-5
  version in updates: 2.6.27.dfsg-6
  Rationales:
    - 2.6.27.dfsg-6: DSA 1666 libxml2 - several vulnerabilities

Sourceful update of libhdate:
  version in stable:  1.4.8-1
  version in updates: 1.4.8-2
  Rationales:
    - 1.4.8-2: libhdate - drop binary package libhdate-pascal using fp-compiler (#506977)

Sourceful update of spamassassin:
  version in stable:  3.1.7-2
  version in updates: 3.1.7-2etch1
  Rationales:
    - 3.1.7-2etch1: spamassassin - fix for CVE-2007-2873, remove DSBL and SECURITYSAGE blacklists (#505162)

Sourceful update of linux-2.6.24:
  version in stable:  2.6.24-6~etchnhalf.6
  version in updates: 2.6.24-6~etchnhalf.7
  Rationales:
    - 2.6.24-6~etchnhalf.7: DSA 1681 linux-2.6.24 - several vulnerabilities

Sourceful update of qemu:
  version in stable:  0.8.2-4etch1
  version in updates: 0.8.2-4etch2
  Rationales:
    - 0.8.2-4etch2: DSA 1657 qemu - denial of service

Sourceful update of blender:
  version in stable:  2.42a-7.1+etch1
  version in updates: 2.42a-8
  Rationales:
    - 2.42a-8: blender - sanitize Python's default import path (#503632)

Sourceful update of enscript:
  version in stable:  1.6.4-11
  version in updates: 1.6.4-11.1
  Rationales:
    - 1.6.4-11.1: DSA 1670 enscript - arbitrary code execution

Sourceful update of net-snmp:
  version in stable:  5.2.3-7etch2
  version in updates: 5.2.3-7etch4
  Rationales:
    - 5.2.3-7etch3: DSA 1663 net-snmp - several vulnerabilities (CVE-2008-2292, CVE-2008-0960)
    - 5.2.3-7etch4: DSA 1663 net-snmp - several vulnerabilities (CVE-2008-4309)

Sourceful update of glibc:
  version in stable:  2.3.6.ds1-13etch7
  version in updates: 2.3.6.ds1-13etch8
  Rationales:
    - 2.3.6.ds1-13etch8: glibc - Keep ld.so in optimized libraries (#501433)

Sourceful update of jailer:
  version in stable:  0.4-9
  version in updates: 0.4-9+etch1
  Rationales:
    - 0.4-9+etch1: DSA 1674 jailer - denial of service

Sourceful update of perl:
  version in stable:  5.8.8-7etch3
  version in updates: 5.8.8-7etch4
  Rationales:
    - 5.8.8-7etch4: perl - Fix Time::HiRes with kernels >= 2.6.22 (including etch-n-half) (#502435)

Sourceful update of websvn:
  version in stable:  1.61-20
  version in updates: 1.61-21
  Rationales:
    - 1.61-21: websvn - fix potential PHP code execution (#503330)

Sourceful update of xulrunner:
  version in stable:  1.8.0.15~pre080614d-0etch1
  version in updates: 1.8.0.15~pre080614h-0etch1
  Rationales:
    - 1.8.0.15~pre080614h-0etch1: DSA 1669 xulrunner - several vulnerabilities

Sourceful update of streamripper:
  version in stable:  1.61.27-1
  version in updates: 1.61.27-1+etch1
  Rationales:
    - 1.61.27-1+etch1: DSA 1683 streamripper - potential code execution

Sourceful update of flamethrower:
  version in stable:  0.1.8-1
  version in updates: 0.1.8-1+etch1
  Rationales:
    - 0.1.8-1+etch1: DSA 1676 flamethrower - denial of service

Sourceful update of wireshark:
  version in stable:  0.99.4-5.etch.2
  version in updates: 0.99.4-5.etch.3
  Rationales:
    - 0.99.4-5.etch.3: DSA 1673 wireshark - several vulnerabilities

Sourceful update of freetype:
  version in stable:  2.2.1-5+etch2
  version in updates: 2.2.1-5+etch3
  Rationales:
    - 2.2.1-5+etch3: DSA 1635 freetype - multiple vulnerabilities

Sourceful update of refpolicy:
  version in stable:  0.0.20061018-5
  version in updates: 0.0.20061018-5.1+etch1
  Rationales:
    - 0.0.20061018-5.1+etch1: DSA 1617 refpolicy - incompatible policy

Sourceful update of dbus:
  version in stable:  1.0.2-1+etch1
  version in updates: 1.0.2-1+etch2
  Rationales:
    - 1.0.2-1+etch2: DSA 1658 dbus - denial of service

Sourceful update of clamav:
  version in stable:  0.90.1dfsg-3.1+etch14
  version in updates: 0.90.1dfsg-4etch16
  Rationales:
    - 0.90.1dfsg-4etch15: DSA 1660 clamav - denial of service
    - 0.90.1dfsg-4etch16: DSA 1680 clamav - potential code execution

Sourceful update of mysql-dfsg-5.0:
  version in stable:  5.0.32-7etch6
  version in updates: 5.0.32-7etch8
  Rationales:
    - 5.0.32-7etch8: DSA 1662 mysql-dfsg-5.0 - authorization bypass

Sourceful update of python2.4:
  version in stable:  2.4.4-3+etch1
  version in updates: 2.4.4-3+etch2
  Rationales:
    - 2.4.4-3+etch2: DSA 1667 python2.4 - several vulnerabilities

Sourceful update of imlib2:
  version in stable:  1.3.0.0debian1-4+etch1
  version in updates: 1.3.0.0debian1-4+etch2
  Rationales:
    - 1.3.0.0debian1-4+etch2: DSA 1672 imlib2 - arbitrary code execution

Sourceful update of cupsys:
  version in stable:  1.2.7-4etch4
  version in updates: 1.2.7-4etch6
  Rationales:
    - 1.2.7-4etch5: DSA 1656 cupsys - several vulnerabilities
    - 1.2.7-4etch6: DSA 1677 cupsys - arbitrary code execution

Sourceful update of hf:
  version in stable:  0.7.3-4
  version in updates: 0.7.3-4etch1
  Rationales:
    - 0.7.3-4etch1: DSA 1668 hf - execution of arbitrary code

Sourceful update of dpkg:
  version in stable:  1.13.25
  version in updates: 1.13.26
  Rationales:
    - 1.13.26: dpkg - do not treat two symlinks to the same directory as a conflict (#377682), reenable no-debsig (#311843)

Sourceful update of iceweasel:
  version in stable:  2.0.0.17-0etch1
  version in updates: 2.0.0.18-0etch1
  Rationales:
    - 2.0.0.18-0etch1: DSA 1671 iceweasel - several vulnerabilities

Sourceful update of epiphany-browser:
  version in stable:  2.14.3-7
  version in updates: 2.14.3-8
  Rationales:
    - 2.14.3-8: epiphany-browser - Allow the deletion of certificates (#393837)

Sourceful update of postgresql-8.1:
  version in stable:  8.1.13-0etch1
  version in updates: 8.1.15-0etch1
  Rationales:
    - 8.1.15-0etch1: postgresql-8.1 - incorporate bug fix releases 8.1.14 and 8.1.15

Sourceful update of ekg:
  version in stable:  1:1.7~rc2-1etch1
  version in updates: 1:1.7~rc2-1etch2
  Rationales:
    - 1.7~rc2-1etch2: DSA 1664 ekg - fix denial of service

Sourceful update of awstats:
  version in stable:  6.5+dfsg-1
  version in updates: 6.5+dfsg-1+etch1
  Rationales:
    - 6.5+dfsg-1+etch1: DSA 1679 awstats - cross-site scripting

Sourceful update of libspf2:
  version in stable:  1.2.5-4
  version in updates: 1.2.5-4+etch1
  Rationales:
    - 1.2.5-4+etch1: DSA 1659 libspf2 - potential remote code execution

Sourceful update of libcdaudio:
  version in stable:  0.99.12p2-2
  version in updates: 0.99.12p2-2+etch1
  Rationales:
    - 0.99.12p2-2+etch1: DSA 1665 libcdaudio - heap overflow

Sourceful update of newsx:
  version in stable:  1.6-2
  version in updates: 1.6-2etch1
  Rationales:
    - 1.6-2etch1: DSA 1622 newsx - arbitrary code execution

Requires further Investigation
------------------------------

These packages need further investigation. One reason the package is listed here could be that I'm not yet convinced this package should go into stable, but don't want to reject it entirely at the moment.
Another reason could be that released and updated architectures are not yet in sync.

Sourceful update of devscripts:
  version in stable:  2.9.26
  version in updates: 2.9.26etch1
  Rationales:
    - 2.9.26etch1: devscripts - Allow signing of changes files produced by dpkg versions >= 1.14.17 (#474949)
  Problems: mipsel build missing

Sourceful update of graphviz:
  version in stable:  2.8-2.4
  version in updates: 2.8-3+etch1
  Rationales:
    - 2.8-3+etch1: graphviz - fix stack overflow (CVE-2008-4555)
  Problems: ia64 and mipsel builds missing

Sourceful update of perl:
  version in updates:     5.8.8-7etch4
  version in updates-NEW: 5.8.8-7etch5
  Rationales:
    - 5.8.8-7etch5: DSA 1678 perl - fix privilege escalation
  Problems: FTBFS on hppa

Packages Waiting for Investigation
----------------------------------

  glpi         | 0.68.2-1etch0.2
  phpmyadmin   | 2.9.1.1-9
  squirrelmail | 1.4.9a-3
  uw-imap      | 2002edebian1-13.1+etch1

Removed Packages
----------------

These packages will be removed from the stable Debian distribution. This is normally only a result of license problems, when the license prohibits their distribution.

Removal of source packages fpc, gearhead, imapcopy:
  Rationale: #506977: Copyright infringement in fp-compiler; needs to be removed with rdepends and build-rdeps
  To be removed:
    fp-compiler    | 2.0.0-4          | amd64, i386, powerpc, sparc
    fp-docs        | 2.0.0-4          | all
    fp-ide         | 2.0.0-4          | amd64, i386, powerpc, sparc
    fp-units-base  | 2.0.0-4          | amd64, i386, powerpc, sparc
    fp-units-db    | 2.0.0-4          | amd64, i386, powerpc, sparc
    fp-units-fcl   | 2.0.0-4          | amd64, i386, powerpc, sparc
    fp-units-fv    | 2.0.0-4          | amd64, i386, powerpc, sparc
    fp-units-gfx   | 2.0.0-4          | amd64, i386, powerpc, sparc
    fp-units-gnome1 | 2.0.0-4         | amd64, i386, powerpc, sparc
    fp-units-gtk   | 2.0.0-4          | amd64, i386, powerpc, sparc
    fp-units-gtk2  | 2.0.0-4          | amd64, i386, powerpc, sparc
    fp-units-misc  | 2.0.0-4          | amd64, i386, powerpc, sparc
    fp-units-net   | 2.0.0-4          | amd64, i386, powerpc, sparc
    fp-units-rtl   | 2.0.0-4          | amd64, i386, powerpc, sparc
    fp-utils       | 2.0.0-4          | amd64, i386, powerpc, sparc
    fpc            | 2.0.0-4          | source
    gearhead       | 1.010-1          | source, amd64, i386, powerpc, sparc
    gearhead-data  | 1.010-1          | all
    imapcopy       | 1.01+20060420-1  | source, amd64, i386, powerpc, sparc

Removal of source package astrolog:
  Rationale: #507239: astrolog - RoQA; orphaned long time, non-free, contains potentially undistributable code
  To be removed:
    astrolog | 5.40-3 | source, alpha, i386

Removal of source package youtube-dl:
  Rationale: #439363: youtube-dl - RoQA; broken
  To be removed:
    youtube-dl | 2006.11.12-1 | source, all

Covered DSAs
------------

The following DSAs are incorporated into this point release.

  DSA 1661 | openoffice.org  | several vulnerabilities
  DSA 1666 | libxml2         | several vulnerabilities
  DSA 1681 | linux-2.6.24    | several vulnerabilities
  DSA 1657 | qemu            | denial of service
  DSA 1670 | enscript        | arbitrary code execution
  DSA 1663 | net-snmp        | several vulnerabilities (CVE-2008-2292, CVE-2008-0960)
  DSA 1663 | net-snmp        | several vulnerabilities (CVE-2008-4309)
  DSA 1622 | newsx           | arbitrary code execution
  DSA 1674 | jailer          | denial of service
  DSA 1669 | xulrunner       | several vulnerabilities
  DSA 1683 | streamripper    | potential code execution
  DSA 1676 | flamethrower    | denial of service
  DSA 1673 | wireshark       | several vulnerabilities
  DSA 1635 | freetype        | multiple vulnerabilities
  DSA 1617 | refpolicy       | incompatible policy
  DSA 1680 | clamav          | potential code execution
  DSA 1660 | clamav          | denial of service
  DSA 1662 | mysql-dfsg-5.0  | authorization bypass
  DSA 1667 | python2.4       | several vulnerabilities
  DSA 1672 | imlib2          | arbitrary code execution
  DSA 1677 | cupsys          | arbitrary code execution
  DSA 1656 | cupsys          | several vulnerabilities
  DSA 1668 | hf              | execution of arbitrary code
  DSA 1671 | iceweasel       | several vulnerabilities
  DSA 1664 | ekg             | fix denial of service
  DSA 1658 | dbus            | denial of service
  DSA 1659 | libspf2         | potential remote code execution
  DSA 1665 | libcdaudio      | heap overflow
  DSA 1679 | awstats         | cross-site scripting

Disclaimer
----------

This list is intended to help the ftp-masters release 4.0r6. They have the final power to accept a package or not. If you want to comment on this list, please send a mail to the debian release mailing list <debian-release@lists.debian.org>.

Last updated 2008/12/13 16:31 CEST