On Mon, February 11, 2013 10:40, Thijs Kinkhorst wrote:
> On Sun, February 10, 2013 17:25, Adam D. Barratt wrote:
>> We're somewhat overdue with the next Squeeze point release (6.0.7) and
>> it'd be good to get it done before the wheezy release, so that we can
>> pull in some upgrade fixes.
>
> Attached are
Classic.
Thijs
ia32-libs (20130211) stable; urgency=low

  * Packages updated

  [ cups (1.4.4-7+squeeze2) stable-security; urgency=high ]
  * Backport upstream configuration files split:
    - Add split-configuration-files-STR4223.dpatch
    - Install the new cups-files.conf
    Fixes: CVE-2012-5519 (#692791)
  * Make cupsd.conf a non-conffile, as it is managed by cups itself.
    - On new installs, set it up from cupsd.conf.default.
    - On upgrades, move it away in preinst and move it back in postinst.
    - On aborted upgrades, move the file back in place.
    - On purge, delete it too.
  * Document changes in cups.NEWS.

  [ libexif (0.6.19-1+squeeze1) stable-security; urgency=high ]
  * Non-maintainer upload by the Security Team.
  * Cherry pick changes for CVE-2012-2814, CVE-2012-2840, CVE-2012-2813,
    CVE-2012-2812, CVE-2012-2841, CVE-2012-2836, CVE-2012-2837.
    (backport patches for fix-CVE-2012-2814, fix-CVE-2012-2836,
    fix-CVE-2012-2837)

  [ libxml2 (2.7.8.dfsg-2+squeeze6) stable-security; urgency=high ]
  [ Daniel Veillard ]
  * Fix potential out of bound access
    CVE-2012-5134, #694521.

  [ libxslt (1.1.26-6+squeeze2) stable-security; urgency=high ]
  * Patch to fix three CVEs (#689422):
    - CVE-2012-2870 by Daniel Veillard and Chris Evans
    - CVE-2012-2871 by Daniel Veillard
    - CVE-2012-2893 by Chris Evans

  [ libxslt (1.1.26-6+squeeze1) stable; urgency=low ]
  [ Daniel Veillard ]
  * Fix generate-id() to not expose object addresses
    CVE-2011-1202, #617413.
  [ Abhishek Arya ]
  * Fix some cases of pattern parsing errors
    CVE-2011-3970, #660650.
  [ Chris Evans ]
  * [PATCH] Fix crash with unexpected DTD nodes in XSLT.
    CVE-2012-2825, #679283.

  [ nss (3.12.8-1+squeeze6) stable-security; urgency=low ]
  * Explicitly distrust two intermediate CA certificates mis-issued by
    TURKTRUST.

  [ tiff (3.9.4-5+squeeze8) stable-security; urgency=high ]
  * Add fix for CVE-2012-5581, reimplementing DOTRANGE handling to make it
    safer. Thanks to Red Hat security team for backporting the fix.

  [ tiff (3.9.4-5+squeeze7) stable-security; urgency=high ]
  * Add fix for CVE-2012-4564, a heap-buffer overflow. Thanks Adrian La
    Duca for doing all the work to prepare this upload. (#692345)

  [ tiff (3.9.4-5+squeeze6) stable-security; urgency=high ]
  * Add fix for CVE-2012-4447, a buffer overrun. (#688944)
  * CVE-2012-2088 was actually included in previous version but not listed
    in the change log.

  [ tiff (3.9.4-5+squeeze5) stable-security; urgency=high ]
  * Added several additional security patches taken from the Ubuntu Natty
    (11.04) tiff package. (#678140)
    CVE-2010-2482
    CVE-2010-2595
    CVE-2010-2597
    CVE-2010-2630
    CVE-2010-4665
    CVE-2012-2113
    CVE-2012-3401

 -- Thijs Kinkhorst <th...@debian.org>  Mon, 11 Feb 2013 09:43:13 +0100
ia32-libs-core (20130211) stable; urgency=low

  * Packages updated

  [ bzip2 (1.0.5-6+squeeze1) stable; urgency=low ]
  * Non-maintainer upload by the Security Team
  * Fix CVE-2011-4089, thanks to vladz (#632862)

  [ eglibc (2.11.3-4) stable; urgency=low ]
  * Enable patches/any/cvs-dlopen-tls.diff, not enabled by mistake.
    #637239.
  * patches/any/cvs-FORTIFY_SOURCE-format-strings.diff: new patch from
    upstream to fix FORTIFY_SOURCE format string protection bypass.
    #660611.
  * patches/any/local-sunrpc-dos.diff: fix a DoS in RPC implementation
    (CVE-2011-4609). #671478.

  [ eglibc (2.11.3-3) stable; urgency=low ]
  * patches/any/cvs-tzfile.diff: fix integer overflow in timezone code.
    (CVE-2009-5029). #650790.
  * patches/any/submitted-resolv-first-query-failure.diff: new patch to fix
    resolving issues with broken servers returning NOTIMP or FORMERR to AAAA
    queries. #658171.
  * local/manpages/gai.conf.5: update from latest RedHat version.
    #659504.

  [ eglibc (2.11.3-2) stable; urgency=low ]
  * Add patches/arm/cvs-tls-unallocated.diff and
    patches/mips/cvs-tls-unallocated.diff to fix FTBFS on armel, mips
    and mipsel.

  [ eglibc (2.11.3-1) stable; urgency=low ]
  * Update from stable upstream version, and update from the upstream
    stable branch:
    - fix wrong memmove/bcopy optimization with gcc-4.6. #619963.
    - fix an integer overflow in fnmatch() (CVE-2011-1659). #626370.
    - fix spurious warning in bswap_16() with -Wconversion. #561249.
    - fix auxiliary cache file creation. #588218.
    - fix memory corruption in fnmatch() that can lead to code execution
      (CVE-2011-1071). #615120
    - fix strchr() on x86-64 CPU with SSE4.2. #635885
  * Update patches:
    - patches/locale/locale-print-LANGUAGE.diff
    - patches/hppa/local-stack-grows-up.diff
    - patches/m68k/cvs-tls-support.patch
    - patches/any/local-disable-test-tgmath2.diff
    - patches/any/submitted-longdouble.diff
    - patches/any/submitted-bits-fcntl_h-at.diff
    - patches/kfreebsd/local-readdir_r.diff
  * Drop obsolete patches:
    - patches/any/cvs-redirect-throw.diff
    - patches/any/cvs-flush-cache-textrels.diff
    - patches/hurd-i386/cvs-linkat.diff
    - patches/hurd-i386/cvs-select.diff
    - patches/sparc/submitted-epoll.diff
    - patches/any/cvs-dont-expand-dst-twice.diff
    - patches/amd64/cvs-avx-tcb-alignment.diff
    - patches/any/submitted-etc-resolv.conf.diff
    - patches/any/cvs-audit-suid.diff
  * kfreebsd/local-sysdeps.diff, update to r3763 (from squeeze glibc-bsd).
    - fixes LD_PRELOAD with a kfreebsd-9 kernel. #630695.
    - uses upstream RFTSIGZMB for exit signal selection when available.
    - fixes a crash in if_nameindex() with more than 3 interfaces.
    - alter faccessat() X_OK tests similarly to access(). See #640334.
    - fix __libc_sa_len() for AF_LOCAL. See #645527.
  * Fix preinst script wrt 3.0 kernel. Patch by Colin Watson.
    #630077.
  * Update submitted-resolv.conf-thread.diff from upstream to fix a
    deadlock in some rare cases.
  * Add patches/any/cvs-resolv-different-nameserver.diff and
    patches/any/submitted-resolv-assert.diff to try a different
    nameserver if the first one returns REFUSED. #535504.
  * Add patches/any/cvs-getaddrinfo-single-lookup.diff to fix fallback to
    single lookup dns requests. #541167.
  * Add patches/any/cvs-pthread-setgroups.diff to fix setgroups() with
    multiple threads.
  * Add debian/patches/cvs-dl_close-scope-handling.diff from upstream to
    fix issues with dl_close() when resolving locally-defined symbols.
    #625250.
  * patches/i386/local-cpuid-level2.diff: fix a typo. #609389.
  * patches/any/cvs-nptl-pthread-race.diff: fix a race in NPTL code that
    sometimes causes a deadlock when calling fork() from a thread.
  * patches/amd64/cvs-avx-detection.diff: do not use AVX if hardware support
    is present, but not enabled in the kernel. #646549.
  * patches/any/cvs-statvfs-mount-flags.diff: get the mount flags directly
    from the kernel when possible instead of parsing /proc/mounts.
    #639897.
  * patches/any/cvs-dlopen-tls.diff: fix handling of static TLS in
    dlopen'ed objects. #637239.

  [ icu (4.4.1-8) stable-security; urgency=high ]
  * Add patch to address CVE-2011-4599, a potential buffer overflow.

 -- Thijs Kinkhorst <th...@debian.org>  Mon, 11 Feb 2013 09:23:49 +0000