From jamie at ubuntu.com Fri Feb 3 20:50:22 2012
From: jamie at ubuntu.com (Jamie Strandboge)
Date: Fri, 03 Feb 2012 20:50:22 -0000
Subject: [ubuntu/maverick-updates] mozvoikko 2.0.1-0ubuntu0.10.10.1 (Accepted)
Message-ID: <20120203205022.887.49638.launchpad@ackee.canonical.com>

mozvoikko (2.0.1-0ubuntu0.10.10.1) maverick-security; urgency=low

  * Update to the 2.0 rewrite
    - Now uses js-ctypes (yay, good riddance evil binary extension)
    - Fixes LP: #914706 - can't select any other spell-check language in Firefox with mozvoikko installed
    - see LP: #923319 for USN information
  * Drop firefox-dev, libvoikko-dev, pkg-config and lsb-release build-depends
    - update debian/control
  * Make xul-ext-mozvoikko Arch: all
    - update debian/control
  * Drop debian/patches/fix_sdk_build.patch
  * Drop debian/patches/port_to_latest_firefox.patch
  * Drop everything related to the old build system from debian/rules

Date: 2012-01-29 14:40:46.369133+00:00
Changed-By: Chris Coulson
Signed-By: Jamie Strandboge
https://launchpad.net/ubuntu/maverick/+source/mozvoikko/2.0.1-0ubuntu0.10.10.1

Sorry, changesfile not available.
From jamie at ubuntu.com Fri Feb 3 20:50:24 2012
From: jamie at ubuntu.com (Jamie Strandboge)
Date: Fri, 03 Feb 2012 20:50:24 -0000
Subject: [ubuntu/maverick-security] mozvoikko 2.0.1-0ubuntu0.10.10.1 (Accepted)
Message-ID: <20120203205024.887.84880.launchpad@ackee.canonical.com>

mozvoikko (2.0.1-0ubuntu0.10.10.1) maverick-security; urgency=low

  * Update to the 2.0 rewrite
    - Now uses js-ctypes (yay, good riddance evil binary extension)
    - Fixes LP: #914706 - can't select any other spell-check language in Firefox with mozvoikko installed
    - see LP: #923319 for USN information
  * Drop firefox-dev, libvoikko-dev, pkg-config and lsb-release build-depends
    - update debian/control
  * Make xul-ext-mozvoikko Arch: all
    - update debian/control
  * Drop debian/patches/fix_sdk_build.patch
  * Drop debian/patches/port_to_latest_firefox.patch
  * Drop everything related to the old build system from debian/rules

Date: 2012-01-29 14:40:46.369133+00:00
Changed-By: Chris Coulson
Signed-By: Jamie Strandboge
https://launchpad.net/ubuntu/maverick/+source/mozvoikko/2.0.1-0ubuntu0.10.10.1

Sorry, changesfile not available.

From jamie at ubuntu.com Fri Feb 3 20:52:23 2012
From: jamie at ubuntu.com (Jamie Strandboge)
Date: Fri, 03 Feb 2012 20:52:23 -0000
Subject: [ubuntu/maverick-updates] firefox 10.0+build1-0ubuntu0.10.10.1 (Accepted)
Message-ID: <20120203205223.887.8823.launchpad@ackee.canonical.com>

firefox (10.0+build1-0ubuntu0.10.10.1) maverick-security; urgency=low

  * New upstream stable release (FIREFOX_10_0_BUILD1)
    - see LP: #923319 for USN information

  [ Chris Coulson ]
  * Update patches for PRBool -> bool transition
    - refresh debian/patches/firefox-kde.patch
    - refresh debian/patches/mozilla-kde.patch
    - refresh debian/patches/ubuntu-ua-string-changes.patch
  * Drop some more hanging IPC xpcshell tests
    - update debian/build/testsuite.mk
  * Remove prerm hook for cleaning up pyc files in the apport package-hooks folder.
    Nothing creates these
    - update debian/firefox.prerm.in
  * Set up alternatives in the postinst script on abort-remove too
    - update debian/firefox.postinst.in
  * Improve maintainer script magic for removing obsolete conffiles when upgrading from 3.6, by doing what dpkg-maintscripts-helper does
    - update debian/firefox.postinst.in
    - update debian/firefox.postrm.in
    - update debian/firefox.preinst.in
  * Only run the Apparmor stuff in the postinst script on configure, and in the preinst script on install or upgrade, so it handles upgrade failures gracefully
    - update debian/firefox.postinst.in
    - update debian/firefox.preinst.in
  * Drop the Ubuntuzilla workarounds now
    - update debian/firefox.postinst.in
  * Refresh patches
    - update debian/patches/allow-lockPref-everywhere.patch
    - update debian/patches/ubuntu_bookmarks.patch
  * Turn off Network Manager integration for now, as it causes Firefox to always start in offline mode. In any case, probing Network Manager isn't the most reliable way to test if there is a connection
    - update debian/vendor.js
  * Update after landing of bmo: #701875 - Rename omni.jar to omni.ja
    - update debian/firefox.install.in
  * Disable the tests on powerpc, because it sucks too much to run them
    - update debian/rules
  * "Fix" LP: #897794 - some websites expect "X11" to be the first token of the platform component in the UA string
    - update debian/patches/ubuntu-ua-string-changes.patch
  * Defuzz ubuntu-codes-google.patch
  * Refresh shipped locales (adds Assamese and Kashubian)
    - refresh debian/config/locales.shipped
    - refresh debian/control
  * Update KDE patches for removal of nsCStringArray
    - update debian/firefox-kde.patch
    - update debian/mozilla-kde.patch
  * Backport changes to allow per-release/per-arch patches
    - add debian/build/enable-dist-patches.pl
    - update debian/rules
  * Fix LP: #908508 - Add patch from upstream to fix powerpc build failure.
    Only apply this patch on powerpc to avoid compromising the quality of the architectures that we care about
    - add debian/patches/fix-build-failure-without-yarr-jit2.patch
    - update debian/patches/series
  * Also make the previous powerpc build fix apply on ppc only
    - update debian/patches/series

  [ Micah Gersten ]
  * Rebase patches for PRBool -> bool transition (bmo: 675553)
    - update debian/patches/allow-lockPref-everywhere.patch
    - update debian/patches/mozilla-kde.patch
  * Drop patch after upstream landing of (bmo: 690432) aka Logging.h passes a string directly to printf
    - drop debian/patches/printf-fix.patch
    - update debian/patches/series

  [ Adam Conrad ]
  * Add missing build-dep on non-essential locales, since we use it.
    - update debian/control{,.in}

Date: 2012-01-29 14:16:27.883965+00:00
Changed-By: Chris Coulson
Signed-By: Jamie Strandboge
https://launchpad.net/ubuntu/maverick/+source/firefox/10.0+build1-0ubuntu0.10.10.1

Sorry, changesfile not available.

From jamie at ubuntu.com Fri Feb 3 20:53:26 2012
From: jamie at ubuntu.com (Jamie Strandboge)
Date: Fri, 03 Feb 2012 20:53:26 -0000
Subject: [ubuntu/maverick-security] firefox 10.0+build1-0ubuntu0.10.10.1 (Accepted)
Message-ID: <20120203205326.887.78480.launchpad@ackee.canonical.com>

firefox (10.0+build1-0ubuntu0.10.10.1) maverick-security; urgency=low

  * New upstream stable release (FIREFOX_10_0_BUILD1)
    - see LP: #923319 for USN information

  [ Chris Coulson ]
  * Update patches for PRBool -> bool transition
    - refresh debian/patches/firefox-kde.patch
    - refresh debian/patches/mozilla-kde.patch
    - refresh debian/patches/ubuntu-ua-string-changes.patch
  * Drop some more hanging IPC xpcshell tests
    - update debian/build/testsuite.mk
  * Remove prerm hook for cleaning up pyc files in the apport package-hooks folder.
    Nothing creates these
    - update debian/firefox.prerm.in
  * Set up alternatives in the postinst script on abort-remove too
    - update debian/firefox.postinst.in
  * Improve maintainer script magic for removing obsolete conffiles when upgrading from 3.6, by doing what dpkg-maintscripts-helper does
    - update debian/firefox.postinst.in
    - update debian/firefox.postrm.in
    - update debian/firefox.preinst.in
  * Only run the Apparmor stuff in the postinst script on configure, and in the preinst script on install or upgrade, so it handles upgrade failures gracefully
    - update debian/firefox.postinst.in
    - update debian/firefox.preinst.in
  * Drop the Ubuntuzilla workarounds now
    - update debian/firefox.postinst.in
  * Refresh patches
    - update debian/patches/allow-lockPref-everywhere.patch
    - update debian/patches/ubuntu_bookmarks.patch
  * Turn off Network Manager integration for now, as it causes Firefox to always start in offline mode. In any case, probing Network Manager isn't the most reliable way to test if there is a connection
    - update debian/vendor.js
  * Update after landing of bmo: #701875 - Rename omni.jar to omni.ja
    - update debian/firefox.install.in
  * Disable the tests on powerpc, because it sucks too much to run them
    - update debian/rules
  * "Fix" LP: #897794 - some websites expect "X11" to be the first token of the platform component in the UA string
    - update debian/patches/ubuntu-ua-string-changes.patch
  * Defuzz ubuntu-codes-google.patch
  * Refresh shipped locales (adds Assamese and Kashubian)
    - refresh debian/config/locales.shipped
    - refresh debian/control
  * Update KDE patches for removal of nsCStringArray
    - update debian/firefox-kde.patch
    - update debian/mozilla-kde.patch
  * Backport changes to allow per-release/per-arch patches
    - add debian/build/enable-dist-patches.pl
    - update debian/rules
  * Fix LP: #908508 - Add patch from upstream to fix powerpc build failure.
    Only apply this patch on powerpc to avoid compromising the quality of the architectures that we care about
    - add debian/patches/fix-build-failure-without-yarr-jit2.patch
    - update debian/patches/series
  * Also make the previous powerpc build fix apply on ppc only
    - update debian/patches/series

  [ Micah Gersten ]
  * Rebase patches for PRBool -> bool transition (bmo: 675553)
    - update debian/patches/allow-lockPref-everywhere.patch
    - update debian/patches/mozilla-kde.patch
  * Drop patch after upstream landing of (bmo: 690432) aka Logging.h passes a string directly to printf
    - drop debian/patches/printf-fix.patch
    - update debian/patches/series

  [ Adam Conrad ]
  * Add missing build-dep on non-essential locales, since we use it.
    - update debian/control{,.in}

firefox (9.0.1+build1-0ubuntu0.10.10.2) maverick-proposed; urgency=low

  [ Chris Coulson ]
  * Fix LP: #907666 - readd missing kubuntu-firefox-installer Replaces
    - update debian/control

  [ Micah Gersten ]
  * Fix LP: #917529 - Make sure new transitional packages have a versioned dependency on Firefox so as to not break Firefox during partial upgrades
    - update debian/control{,.in}

firefox (9.0.1+build1-0ubuntu0.10.10.1) maverick-proposed; urgency=low

  * New upstream stable release (FIREFOX_9_0_1_BUILD1) (LP: #904594)

firefox (9.0+build1-0ubuntu0.10.10.1) maverick-proposed; urgency=low

  * New upstream stable release (FIREFOX_9_0_BUILD1)

  [ Chris Coulson ]
  * Install the Apport hook as a source package hook
    - rename debian/apport/firefox.py.in => debian/apport/source_firefox.py.in
    - update debian/firefox.install.in
    - update debian/rules
  * Don't unconditionally overwrite SourcePackage when reporting bugs with the nightly apport hook
    - update debian/apport/source_firefox.py.in
  * Set "Channel = Unavailable" if channel-prefs.js doesn't contain a channel name
    - update debian/apport/source_firefox.py.in
  * Ensure that create-tarball can handle there not being a locale blacklist
    - update debian/build/create-tarball.py
  * Drop xpt.py and xpidl from
    $LIBDIR. xpidl is gone, and xpt.py isn't included there in the upstream SDK
    - update debian/firefox-dev.links.in
  * Fix LP: #901838 - Ugly busy pointer, due to libxcursor no longer matching the cursor bitmap to a nice themed pointer
    - add debian/patches/fix-cursor-handling.patch
    - update debian/patches/series
  * Don't disable our bundled addons on upgrade
    - update debian/vendor.js
  * Modify the UA string to add "Ubuntu" to the platform component
    - add debian/patches/ubuntu-ua-string-changes.patch
    - update debian/patches/series
    - update debian/rules
  * Move custom scripts to debian/build
    - move debian/get-xpi-id.py to debian/build/get-xpi-id.py
    - move debian/refresh-supported-locales.pl to debian/build/refresh-supported-locales.pl
    - move debian/extract-file.py to debian/build/extract-file.py
    - update debian/rules
    - move debian/testsuite.mk to debian/build/testsuite.mk
  * Dropped patches that are obsolete or fixed upstream:
    - remove debian/patches/lp512615_cairo_lcd_filter.patch
    - remove debian/patches/lp185622_system_path_default_browser.patch
    - remove debian/patches/bz386904_config_rules_install_dist_files.patch
    - remove debian/patches/bz532198_lp488354_ns_invokebyindex_not_thumb2_safe.patch
    - remove debian/patches/bzXXX_libxul_sdk_nspr.patch
    - remove debian/patches/drop_bz418016.patch
    - remove debian/patches/firefox-fsh
    - remove debian/patches/firefox-profilename
    - remove debian/patches/ubuntu_no_app_updates.patch
    - update debian/patches/series
  * Refresh patches:
    - update debian/patches/firefox-kde.patch
    - update debian/patches/mozilla-kde.patch
    - update debian/patches/ubuntu-codes-google.patch
    - update debian/patches/reload-new-plugins.patch
    - update debian/patches/plugin-for-mimetype-pref.patch
    - update debian/patches/add-syspref-dir.patch
    - update debian/patches/allow-lockPref-everywhere.patch
    - update debian/patches/distro-locale-searchplugins.patch
    - update debian/patches/ubuntu-bookmarks.patch
  * Shrink the default mozconfig right down so that we use mostly
    upstream defaults, rather than overriding them with our own options. It is still possible to override them though. We also drop the pkg-config checks in debian/rules which allowed a fallback build configuration when dependencies aren't satisfied. Really, the build should just fail here rather than continuing in some undesirable fallback mode
    - update debian/firefox-dev.install.in
    - update debian/firefox-dev.links.in
    - update debian/mozconfig.in
    - update debian/pkgconfig/libxul.pc.in
    - update debian/control.in
    - update debian/rules
  * Refresh build-depends, as this hasn't been done for a while:
    - Drop patchutils, libxft-dev, libxinerama-dev, libgnome2-dev and bzip2. These aren't needed
    - Drop liborbit2-dev - only required if there is no libidl
    - Add libglib2.0-dev, libext-dev, libfontconfig1-dev and libpango1.0-dev, as the configure script checks for these directly
    - Add minimum versions to libgconf2-dev, libgnomevfs2-dev, yasm and libgnomeui-dev
    - Specify minimum versions for libnspr4-dev, libcairo2-dev, libsqlite3-dev and libnss3-dev when using system versions of those libs
  * Introduce a branch config file (debian/config/branch.mk) which holds settings which shouldn't be merged between branches (eg, whether the crash reporter should be enabled)
    - add debian/config/branch.mk
    - update debian/rules
  * Move debian/locales.* to debian/config
    - move debian/locales.shipped => debian/config/locales.shipped
    - move debian/locales.unavail => debian/config/locales.unavail
    - move debian/locales.blacklist => debian/config/locales.blacklist
    - update debian/rules
    - update debian/build/refresh-supported-locales.pl
  * Don't open about:blank from the New Window quicklist entry
    - update debian/firefox.desktop.in
  * Touch debian/control.in during clean to force a refresh of debian/control, so we can check if it is out-of-date and fail if it is
    - update debian/rules
  * Drop the mozilla-devscripts dependency. We were only using this for creating tarballs anyway.
    Instead, implement our own get-orig-source target, which also fixes some problems we were having
    - update debian/control.in
    - remove debian/moz-rev.sh
    - update debian/rules
    - remove debian/mozclient/firefox.mk
    - remove debian/mozclient/firefox.conf
    - update debian/config/branch.mk
    - add debian/build/create-source
    - add debian/build/get-orig-source.mk
  * Lots of workflow improvements for dealing with language packs:
    - update debian/rules
    - add debian/build/extract-file.py
    - add debian/build/dump-langpack-control-entries.pl
    - update debian/build/refresh-supported-locales.pl
    - add debian/config/locales.all
    - update debian/config/locales.shipped
    - remove debian/config/locales.unavailable
    - update debian/control
    - update debian/build/create-tarball.py
  * Turn off the one-time addon selection dialog (LP: #888307)
    - update debian/vendor.js
  * Add Mongolian and Swahili to locale blacklist. These aren't meant to be built on the release channel, but they still appear in the upstream shipped-locales
    - update debian/locales.blacklist
  * Rewrite the apport hook to be more useful
    - update debian/apport/firefox.py.in
  * Ship a file in /etc/apport/native-origins.d to enable bug reporting on PPA branches
    - add debian/apport/native-origins.in
    - rename debian/apport/firefox.in => debian/apport/blacklist.in
    - update debian/rules
    - update debian/firefox.install.in
    - update debian/firefox.dirs.in
  * Update the apport blacklist file now that the binary name has changed
    - update debian/apport/firefox.in
  * Look in the correct location for the staged langpack xpi's.
    They moved from dist/install to dist/linux-$(DEB_HOST_GNU_CPU)
    - update debian/rules
  * Simplify firefox-dev.install a bit by installing everything in /usr/include
    - update debian/firefox-dev.install.in
  * Handle video/webm mimetypes
    - update debian/firefox.desktop.in
  * Fix check-sync-dirs.py test failure - ensure config/system-headers and js/src/config/system-headers are kept in sync
    - update debian/patches/unity-globalmenu-build-support-patch
  * Fix browserGlue_distribution.js and browserGlue_smartBookmarks.js xpcshell test failures. Update DEFAULT_BOOKMARKS_ON_MENU with the correct number of default bookmarks
    - update debian/patches/ubuntu-bookmarks.patch
  * Fix jsreftest failures by setting the correct timezone and locale
    - update debian/testsuite.mk
  * Switch off debian/patches/fix-selection-drag-autoscroll.patch for now. It doesn't apply and needs a rethink
    - update debian/patches/series
  * Fix "format not a string literal and no format arguments" error
    - add debian/patches/printf-fix.patch
    - update debian/patches/series
  * Update for the binary name change
    - update debian/firefox.install.in
    - update debian/firefox.sh.in
  * Ensure we install dependentlibs.list so that Firefox knows which libs to dlopen before libxul
    - update debian/firefox.install.in
  * Get rid of some more hanging IPC xpcshell tests
    - update debian/testsuite.mk
  * Now Firefox lazy loads libxul, drop the LD_LIBRARY_PATH hack from the shell wrapper (LP: #561124)
    - update debian/firefox.sh.in
  * Only install channel-prefs.js on aurora/beta, where we need it for Test Pilot. We don't set a channel name on other branches anyway, so we just end up with a nonsense channel name ("default") appearing in the About dialog
    - update debian/rules
    - update debian/firefox.install.in
    - update debian/apport/firefox.py.in
  * Don't error out whilst creating the source package if mozilla-devscripts or cdbs aren't installed.
    This enables us to create source packages on machines which don't have these available
    - update debian/rules
    - update debian/mozclient/firefox.mk
  * Unconditionally build with --disable-elf-hack. It's basically a noop on Ubuntu, as we don't get any of the nice space saving and startup time improvements that upstream builds get with it. Enabling it is problematic (it fails to build on all architectures in Ubuntu from Firefox 7 onwards, and is problematic on armel when building on older Ubuntu versions)
    - update debian/rules
    - update debian/mozconfig.in
  * Don't unconditionally set -fshort-wchar in the libxul.pc pkgconfig file. It's no longer needed with newer toolchains which support gnu++0x, and defining it breaks the mozvoikko build
    - update debian/pkgconfig/libxul.pc.in
    - update debian/rules
  * Drop the profile migrator, as it doesn't really make any sense with the new release cycle. In Firefox 7, we want to drop the shell wrapper script anyway
    - remove debian/migrator/xulapp-profilemigrator
    - update debian/firefox.sh.in
    - update debian/firefox.install.in
    - update debian/rules
    - update debian/control.in
  * xpt_link and xpt_dump have been replaced by xpt.py
    - update debian/firefox-dev.install.in
    - update debian/firefox-dev.links.in
  * Add support for the system provided hyphenation patterns, by linking @MOZ_LIBDIR@/hyphenation to /usr/share/hyphen
    - update debian/firefox.links.in
  * Drop the special "kde.js" file handling from the pref service. It hasn't had the desired effect since Firefox 4, as the specialfile handling doesn't apply to pref files inside the omni.jar. Moving kde.js back in to defaults/pref isn't an option, as these are always read after the prefs in the omni.jar, which would mean that all users would get the KDE specific prefs.
    Note, we only override one pref in kde.js anyway, it can go elsewhere if really required
    - update debian/patches/mozilla-kde.patch
    - update debian/patches/firefox-kde.patch
    - note, this doesn't change any behaviour from Firefox 4 and 5, but the code this patch touched was rewritten in Firefox 6, so it makes more sense to just remove it now rather than refactor it and it still not work
  * Drop abrowser. The abrowser branding doesn't work since Firefox 4, and is going to be difficult to maintain going forwards. The Firefox logo is freely licensed now, which was the main reason for the existence of abrowser. Current abrowser users will be migrated to Firefox
    - remove debian/abrowser.desktop
    - update debian/control
    - update debian/rules
    - remove debian/ubuntu-abrowser.js.tmpl
    - remove debian/patches/awesome_browser_branding_install.patch
    - update debian/patches/series
    - remove debian/patches/browser_branding.patch
    - remove debian/patches/abrowser_run_mozilla.patch
  * Auto-generate debhelper and other files at build-time
    - rename debian/firefox.dirs => debian/firefox.dirs.in
    - rename debian/firefox.install => debian/firefox.install.in
    - rename debian/firefox.links => debian/firefox.links.in
    - rename debian/firefox.menu => debian/firefox.menu.in
    - rename debian/firefox.xml => debian/firefox.xml.in
    - rename debian/firefox-gnome-support.install => debian/firefox-gnome-support.install.in
    - rename debian/apport/firefox.py => debian/apport/firefox.py.in
    - rename debian/firefox-restart-required.update-notifier => debian/firefox-restart-required.update-notifier.in
    - add debian/firefox-mozsymbols.in
    - update debian/firefox.dirs.in
    - update debian/firefox.install.in
    - update debian/firefox.links.in
    - update debian/firefox.menu.in
    - update debian/firefox-gnome-support.install.in
    - update debian/apport/firefox.py.in
    - update debian/firefox-restart-required.update-notifier.in
  * Update apport hook to work with packed extensions
    - update debian/apport/firefox.py.in
  * Drop
    firefox-gnome-support maintainer scripts, as they aren't needed now. Touching .autoreg on install doesn't do anything, and registering the gnome-www-browser alternative has moved to firefox
    - remove debian/firefox-gnome-support.postinst.in
    - remove debian/firefox-gnome-support.prerm.in
    - update debian/firefox.postinst.in
    - update debian/firefox.prerm.in
  * Tidy up the branding selection to auto-select based on the channel. Also drop obsolete desktop files
    - update debian/rules
    - remove debian/firefox-minefield.desktop
    - remove debian/firefox-namoroka.desktop
  * Build language packs directly from the firefox source
    + Fixes LP: #294187 - Firefox Locales should install locale specific search plugins
    + Rip out the bits to create a en-US.xpi
      - update debian/rules
      - remove debian/translation-support/install.rdf.in
    + Include compare-locales FIREFOX_5_0b1_BUILD1 from http://hg.mozilla.org/build/compare-locales. It's needed for merging en-US strings with incomplete locales
    + Pull l10n data in to tarball from bzr
      - update debian/mozclient/firefox.conf
    + Configure build for creating language packs by configuring with "--with-l10n-base="
      - update debian/mozconfig.in
    + Store the list of locales to ship, and provide a way of automatically generating that list and the control file entries from the upstream source. Also provide a way to blacklist languages. We map languages to package names using langpack-o-matic (and also get descriptions from there too)
      - update debian/rules
      - add debian/locales.shipped
      - add debian/control.langpacks
      - update debian/control.in
      - add debian/locale.blacklist
      - add debian/refresh-supported-locales.pl
    + Add common-build-indep hook to build the translation xpi's
      - update debian/rules
    + Add common-binary-post-install-indep to install the xpi's and searchplugins in to the correct debian packages
      - update debian/rules
      - add debian/get-xpi-id.py
    + When rebuilding debian/control in the clean target, fail the build if the control file was out-of-date.
      This ensures that we don't accidentally drop language packs, and forces me to maintain an up-to-date control file in bzr
      - update debian/rules
    + Apply vendor patches to localized searchplugins too
      - update debian/patches/ubuntu-codes-amazon.patch
      - add debian/patches/ubuntu-codes-baidu.patch
      - update debian/patches/ubuntu-codes-google.patch
    + Add languages that are currently dropped in FF5 (compared with FF3.6) to locales.unavailable. Having transitional packages now will make transitioning easier later on if they come back
      - add debian/locales.unavailable
  * Build with "make -f client.mk" and using a mozconfig, rather than the autoconf/configure/make steps used previously. The client.mk contains the sequencing for doing PGO builds
    - add debian/mozconfig.in
    - update debian/rules
  * Prevent LP: #643899 - Firefox sending header "Accept-Language: chrome://global/locale/intl.properties" because the intl.accept_languages preference is messed up. Drop a patch which causes the preferences system to save a user preference when changing a preference value to equal the system default value (and revert to the original behaviour where the preference is just discarded). This should hopefully stop Firefox Sync from breaking localized preferences where they haven't been modified by the user, but does regress LP: #548866
    - update debian/patches/series
  * Prevent LP: #744580 - Firefox doesn't autoscroll when selecting content downwards
    - add debian/patches/fix-selection-drag-autoscroll.patch
    - update debian/patches/series
  * Run the Mozilla test suite at build time. Test-suite failures won't break the build just yet
    - add debian/testsuite.mk
    - update debian/rules
    - update debian/control.in
  * Build using the versioned yasm-1 binary backported to Lucid
    - add debian/patches/use-new-yasm-in-lucid.patch
    - update debian/patches/series
    - update debian/control.in
    - refresh debian/control
  * Add a firefox-dev package.
    We need this for mozvoikko
    - update debian/control.in
    - add debian/firefox-dev.install.in
    - add debian/firefox-dev.links.in
    - add debian/pkgconfig/libxul.pc.in
    - add debian/pkgconfig/mozilla-nspr.pc.in
    - add debian/pkgconfig/mozilla-plugin.pc.in
    - update debian/rules
    - refresh debian/control
    - update debian/patches/series
  * Restore global preference folder (/etc/firefox/pref)
    - add debian/patches/add-syspref-dir.patch
    - update debian/patches/series
    - update debian/firefox.links.in

  [ Brian Murray ]
  * Fix LP: #758111 - update ubuntulinux.org bookmark - thanks to Jonathan Rothwell for the patch

  [ Micah Gersten ]
  * Add patch from upstream to fix PowerPC FTBFS (bmo: 703534) aka Build failure on platforms without YARR JIT
    - add debian/patches/fix-build-failure-without-yarr-jit.patch
    - update debian/patches/series

Date: 2012-01-29 14:16:27.883965+00:00
Changed-By: Chris Coulson
Signed-By: Jamie Strandboge
https://launchpad.net/ubuntu/maverick/+source/firefox/10.0+build1-0ubuntu0.10.10.1

Sorry, changesfile not available.

From jamie at ubuntu.com Fri Feb 3 23:46:32 2012
From: jamie at ubuntu.com (Jamie Strandboge)
Date: Fri, 03 Feb 2012 23:46:32 -0000
Subject: [ubuntu/maverick-updates] chromium-browser 16.0.912.77~r118311-0ubuntu0.10.10.1 (Accepted)
Message-ID: <20120203234632.503.32020.launchpad@ackee.canonical.com>

chromium-browser (16.0.912.77~r118311-0ubuntu0.10.10.1) maverick-security; urgency=low

  * New upstream release from the Stable Channel (LP: #923602)
    This release fixes the following security issues:
    - [106484] High CVE-2011-3924: Use-after-free in DOM selections. Credit to Arthur Gerkis.
    - [107182] Critical CVE-2011-3925: Use-after-free in Safe Browsing navigation. Credit to Chamal de Silva.
    - [108461] High CVE-2011-3928: Use-after-free in DOM handling. Credit to wushi of team509 reported through ZDI (ZDI-CAN-1415).
    - [108605] High CVE-2011-3927: Uninitialized value in Skia. Credit to miaubiz.
    - [109556] High CVE-2011-3926: Heap-buffer-overflow in tree builder. Credit to Arthur Gerkis.

chromium-browser (16.0.912.75~r116452-0ubuntu0.10.10.1) maverick-security; urgency=low

  * New upstream release from the Stable Channel (LP: #914648, #889711)
    This release fixes the following security issues:
    - [106672] High CVE-2011-3921: Use-after-free in animation frames. Credit to Boris Zbarsky of Mozilla.
    - [107128] High CVE-2011-3919: Heap-buffer-overflow in libxml. Credit to Jüri Aedla.
    - [108006] High CVE-2011-3922: Stack-buffer-overflow in glyph handling. Credit to Google Chrome Security Team (Cris Neckar).
    This upload also includes the following security fixes from 16.0.912.63:
    - [81753] Medium CVE-2011-3903: Out-of-bounds read in regex matching. Credit to David Holloway of the Chromium development community.
    - [95465] Low CVE-2011-3905: Out-of-bounds reads in libxml. Credit to Google Chrome Security Team (Inferno).
    - [98809] Medium CVE-2011-3906: Out-of-bounds read in PDF parser. Credit to Aki Helin of OUSPG.
    - [99016] High CVE-2011-3907: URL bar spoofing with view-source. Credit to Luka Treiber of ACROS Security.
    - [100863] Low CVE-2011-3908: Out-of-bounds read in SVG parsing. Credit to Aki Helin of OUSPG.
    - [101010] Medium CVE-2011-3909: [64-bit only] Memory corruption in CSS property array. Credit to Google Chrome Security Team (scarybeasts) and Chu.
    - [101494] Medium CVE-2011-3910: Out-of-bounds read in YUV video frame handling. Credit to Google Chrome Security Team (Cris Neckar).
    - [101779] Medium CVE-2011-3911: Out-of-bounds read in PDF. Credit to Google Chrome Security Team (scarybeasts) and Robert Swiecki of the Google Security Team.
    - [102359] High CVE-2011-3912: Use-after-free in SVG filters. Credit to Arthur Gerkis.
    - [103921] High CVE-2011-3913: Use-after-free in Range handling. Credit to Arthur Gerkis.
    - [104011] High CVE-2011-3914: Out-of-bounds write in v8 i18n handling. Credit to Sławomir Błażek.
    - [104529] High CVE-2011-3915: Buffer overflow in PDF font handling. Credit to Atte Kettunen of OUSPG.
    - [104959] Medium CVE-2011-3916: Out-of-bounds reads in PDF cross references. Credit to Atte Kettunen of OUSPG.
    - [105162] Medium CVE-2011-3917: Stack-buffer-overflow in FileWatcher. Credit to Google Chrome Security Team (Marty Barbella).
    - [107258] High CVE-2011-3904: Use-after-free in bidi handling. Credit to Google Chrome Security Team (Inferno) and miaubiz.
    This upload also includes the following security fixes from 15.0.874.121:
    - [103259] High CVE-2011-3900: Out-of-bounds write in v8. Credit to Christian Holler.
    This upload also includes the following security fixes from 15.0.874.120:
    - [100465] High CVE-2011-3892: Double free in Theora decoder. Credit to Aki Helin of OUSPG.
    - [100492] [100543] Medium CVE-2011-3893: Out of bounds reads in MKV and Vorbis media handlers. Credit to Aki Helin of OUSPG.
    - [101172] High CVE-2011-3894: Memory corruption regression in VP8 decoding. Credit to Andrew Scherkus of the Chromium development community.
    - [101458] High CVE-2011-3895: Heap overflow in Vorbis decoder. Credit to Aki Helin of OUSPG.
    - [101624] High CVE-2011-3896: Buffer overflow in shader variable mapping. Credit to Ken “strcpy” Russell of the Chromium development community.
    - [102242] High CVE-2011-3897: Use-after-free in editing. Credit to pa_kt reported through ZDI (ZDI-CAN-1416).

  [ Brandon Snider ]
  * Refresh patch
    - update debian/patches/chromium_useragent.patch.in

chromium-browser (15.0.874.106~r107270-0ubuntu0.10.10.1) maverick-security; urgency=low

  * New upstream release from the Stable Channel (LP: #881786)
    This release fixes the following security issues:
    - [86758] High CVE-2011-2845: URL bar spoof in history handling. Credit to Jordi Chancel.
    - [88949] Medium CVE-2011-3875: URL bar spoof with drag+drop of URLs. Credit to Jordi Chancel.
    - [90217] Low CVE-2011-3876: Avoid stripping whitespace at the end of download filenames. Credit to Marc Novak.
    - [91218] Low CVE-2011-3877: XSS in appcache internals page. Credit to Google Chrome Security Team (Tom Sepez) plus independent discovery by Juho Nurminen.
    - [94487] Medium CVE-2011-3878: Race condition in worker process initialization. Credit to miaubiz.
    - [95374] Low CVE-2011-3879: Avoid redirect to chrome scheme URIs. Credit to Masato Kinugawa.
    - [95992] Low CVE-2011-3880: Don’t permit as a HTTP header delimiter. Credit to Vladimir Vorontsov, ONsec company.
    - [96047] [96885] [98053] [99512] [99750] High CVE-2011-3881: Cross-origin policy violations. Credit to Sergey Glazunov.
    - [96292] High CVE-2011-3882: Use-after-free in media buffer handling. Credit to Google Chrome Security Team (Inferno).
    - [96902] High CVE-2011-3883: Use-after-free in counter handling. Credit to miaubiz.
    - [97148] High CVE-2011-3884: Timing issues in DOM traversal. Credit to Brian Ryner of the Chromium development community.
    - [97599] [98064] [98556] [99294] [99880] [100059] High CVE-2011-3885: Stale style bugs leading to use-after-free. Credit to miaubiz.
    - [98773] [99167] High CVE-2011-3886: Out of bounds writes in v8. Credit to Christian Holler.
    - [98407] Medium CVE-2011-3887: Cookie theft with javascript URIs. Credit to Sergey Glazunov.
    - [99138] High CVE-2011-3888: Use-after-free with plug-in and editing. Credit to miaubiz.
    - [99211] High CVE-2011-3889: Heap overflow in Web Audio. Credit to miaubiz.
    - [99553] High CVE-2011-3890: Use-after-free in video source handling. Credit to Ami Fischman of the Chromium development community.
    - [100332] High CVE-2011-3891: Exposure of internal v8 functions. Credit to Steven Keuchel of the Chromium development community plus independent discovery by Daniel Divricean.
[ Chris Coulson ] * Refresh patches - update debian/patches/dlopen_sonamed_gl.patch - update debian/patches/webkit_rev_parser.patch [ Fabien Tassin ] * Disable NaCl until we figure out what to do with the private toolchain - update debian/rules * Do not install the pseudo_locales files in the debs - update debian/rules * Add python-simplejson to Build-depends. This is needed by NaCl even with NaCl disabled, so this is a temporary workaround to unbreak the build, it must be fixed upstream - update debian/control Date: 2012-01-30 06:10:26.631849+00:00 Changed-By: Micah Gersten Maintainer: Fabien Tassin Signed-By: Jamie Strandboge https://launchpad.net/ubuntu/maverick/+source/chromium-browser/16.0.912.77~r118311-0ubuntu0.10.10.1 -------------- next part -------------- Sorry, changesfile not available. From jamie at ubuntu.com Fri Feb 3 23:46:41 2012 From: jamie at ubuntu.com (Jamie Strandboge) Date: Fri, 03 Feb 2012 23:46:41 -0000 Subject: [ubuntu/maverick-security] chromium-browser 16.0.912.77~r118311-0ubuntu0.10.10.1 (Accepted) Message-ID: <20120203234641.503.96767.launchpad@ackee.canonical.com> chromium-browser (16.0.912.77~r118311-0ubuntu0.10.10.1) maverick-security; urgency=low * New upstream release from the Stable Channel (LP: #923602) This release fixes the following security issues: - [106484] High CVE-2011-3924: Use-after-free in DOM selections. Credit to Arthur Gerkis. - [107182] Critical CVE-2011-3925: Use-after-free in Safe Browsing navigation. Credit to Chamal de Silva. - [108461] High CVE-2011-3928: Use-after-free in DOM handling. Credit to wushi of team509 reported through ZDI (ZDI-CAN-1415). - [108605] High CVE-2011-3927: Uninitialized value in Skia. Credit to miaubiz. - [109556] High CVE-2011-3926: Heap-buffer-overflow in tree builder. Credit to Arthur Gerkis. 
chromium-browser (16.0.912.75~r116452-0ubuntu0.10.10.1) maverick-security; urgency=low

  * New upstream release from the Stable Channel (LP: #914648, #889711)
    This release fixes the following security issues:
    - [106672] High CVE-2011-3921: Use-after-free in animation frames.
      Credit to Boris Zbarsky of Mozilla.
    - [107128] High CVE-2011-3919: Heap-buffer-overflow in libxml.
      Credit to Jüri Aedla.
    - [108006] High CVE-2011-3922: Stack-buffer-overflow in glyph handling.
      Credit to Google Chrome Security Team (Cris Neckar).
    This upload also includes the following security fixes from 16.0.912.63:
    - [81753] Medium CVE-2011-3903: Out-of-bounds read in regex matching.
      Credit to David Holloway of the Chromium development community.
    - [95465] Low CVE-2011-3905: Out-of-bounds reads in libxml.
      Credit to Google Chrome Security Team (Inferno).
    - [98809] Medium CVE-2011-3906: Out-of-bounds read in PDF parser.
      Credit to Aki Helin of OUSPG.
    - [99016] High CVE-2011-3907: URL bar spoofing with view-source.
      Credit to Luka Treiber of ACROS Security.
    - [100863] Low CVE-2011-3908: Out-of-bounds read in SVG parsing.
      Credit to Aki Helin of OUSPG.
    - [101010] Medium CVE-2011-3909: [64-bit only] Memory corruption in CSS
      property array. Credit to Google Chrome Security Team (scarybeasts)
      and Chu.
    - [101494] Medium CVE-2011-3910: Out-of-bounds read in YUV video frame
      handling. Credit to Google Chrome Security Team (Cris Neckar).
    - [101779] Medium CVE-2011-3911: Out-of-bounds read in PDF.
      Credit to Google Chrome Security Team (scarybeasts) and Robert Swiecki
      of the Google Security Team.
    - [102359] High CVE-2011-3912: Use-after-free in SVG filters.
      Credit to Arthur Gerkis.
    - [103921] High CVE-2011-3913: Use-after-free in Range handling.
      Credit to Arthur Gerkis.
    - [104011] High CVE-2011-3914: Out-of-bounds write in v8 i18n handling.
      Credit to Sławomir Błażek.
    - [104529] High CVE-2011-3915: Buffer overflow in PDF font handling.
      Credit to Atte Kettunen of OUSPG.
    - [104959] Medium CVE-2011-3916: Out-of-bounds reads in PDF cross
      references. Credit to Atte Kettunen of OUSPG.
    - [105162] Medium CVE-2011-3917: Stack-buffer-overflow in FileWatcher.
      Credit to Google Chrome Security Team (Marty Barbella).
    - [107258] High CVE-2011-3904: Use-after-free in bidi handling.
      Credit to Google Chrome Security Team (Inferno) and miaubiz.
    This upload also includes the following security fixes from 15.0.874.121:
    - [103259] High CVE-2011-3900: Out-of-bounds write in v8.
      Credit to Christian Holler.
    This upload also includes the following security fixes from 15.0.874.120:
    - [100465] High CVE-2011-3892: Double free in Theora decoder.
      Credit to Aki Helin of OUSPG.
    - [100492] [100543] Medium CVE-2011-3893: Out of bounds reads in MKV and
      Vorbis media handlers. Credit to Aki Helin of OUSPG.
    - [101172] High CVE-2011-3894: Memory corruption regression in VP8
      decoding. Credit to Andrew Scherkus of the Chromium development
      community.
    - [101458] High CVE-2011-3895: Heap overflow in Vorbis decoder.
      Credit to Aki Helin of OUSPG.
    - [101624] High CVE-2011-3896: Buffer overflow in shader variable mapping.
      Credit to Ken “strcpy” Russell of the Chromium development community.
    - [102242] High CVE-2011-3897: Use-after-free in editing.
      Credit to pa_kt reported through ZDI (ZDI-CAN-1416).

  [ Brandon Snider ]
  * Refresh patch
    - update debian/patches/chromium_useragent.patch.in

chromium-browser (15.0.874.106~r107270-0ubuntu0.10.10.1) maverick-security; urgency=low

  * New upstream release from the Stable Channel (LP: #881786)
    This release fixes the following security issues:
    - [86758] High CVE-2011-2845: URL bar spoof in history handling.
      Credit to Jordi Chancel.
    - [88949] Medium CVE-2011-3875: URL bar spoof with drag+drop of URLs.
      Credit to Jordi Chancel.
    - [90217] Low CVE-2011-3876: Avoid stripping whitespace at the end of
      download filenames. Credit to Marc Novak.
    - [91218] Low CVE-2011-3877: XSS in appcache internals page.
      Credit to Google Chrome Security Team (Tom Sepez) plus independent
      discovery by Juho Nurminen.
    - [94487] Medium CVE-2011-3878: Race condition in worker process
      initialization. Credit to miaubiz.
    - [95374] Low CVE-2011-3879: Avoid redirect to chrome scheme URIs.
      Credit to Masato Kinugawa.
    - [95992] Low CVE-2011-3880: Don’t permit as a HTTP header delimiter.
      Credit to Vladimir Vorontsov, ONsec company.
    - [96047] [96885] [98053] [99512] [99750] High CVE-2011-3881:
      Cross-origin policy violations. Credit to Sergey Glazunov.
    - [96292] High CVE-2011-3882: Use-after-free in media buffer handling.
      Credit to Google Chrome Security Team (Inferno).
    - [96902] High CVE-2011-3883: Use-after-free in counter handling.
      Credit to miaubiz.
    - [97148] High CVE-2011-3884: Timing issues in DOM traversal.
      Credit to Brian Ryner of the Chromium development community.
    - [97599] [98064] [98556] [99294] [99880] [100059] High CVE-2011-3885:
      Stale style bugs leading to use-after-free. Credit to miaubiz.
    - [98773] [99167] High CVE-2011-3886: Out of bounds writes in v8.
      Credit to Christian Holler.
    - [98407] Medium CVE-2011-3887: Cookie theft with javascript URIs.
      Credit to Sergey Glazunov.
    - [99138] High CVE-2011-3888: Use-after-free with plug-in and editing.
      Credit to miaubiz.
    - [99211] High CVE-2011-3889: Heap overflow in Web Audio.
      Credit to miaubiz.
    - [99553] High CVE-2011-3890: Use-after-free in video source handling.
      Credit to Ami Fischman of the Chromium development community.
    - [100332] High CVE-2011-3891: Exposure of internal v8 functions.
      Credit to Steven Keuchel of the Chromium development community plus
      independent discovery by Daniel Divricean.

  [ Chris Coulson ]
  * Refresh patches
    - update debian/patches/dlopen_sonamed_gl.patch
    - update debian/patches/webkit_rev_parser.patch

  [ Fabien Tassin ]
  * Disable NaCl until we figure out what to do with the private toolchain
    - update debian/rules
  * Do not install the pseudo_locales files in the debs
    - update debian/rules
  * Add python-simplejson to Build-depends. This is needed by NaCl even
    with NaCl disabled, so this is a temporary workaround to unbreak the
    build, it must be fixed upstream
    - update debian/control

Date: 2012-01-30 06:10:26.631849+00:00
Changed-By: Micah Gersten
Maintainer: Fabien Tassin
Signed-By: Jamie Strandboge
https://launchpad.net/ubuntu/maverick/+source/chromium-browser/16.0.912.77~r118311-0ubuntu0.10.10.1
-------------- next part --------------
Sorry, changesfile not available.

From marc.deslauriers at ubuntu.com Wed Feb 8 18:46:48 2012
From: marc.deslauriers at ubuntu.com (Marc Deslauriers)
Date: Wed, 08 Feb 2012 18:46:48 -0000
Subject: [ubuntu/maverick] acroread 9.4.7-1maverick1 (Accepted)
Message-ID: <20120208184648.1284.20165.launchpad@cocoplum.canonical.com>

acroread (9.4.7-1maverick1) maverick; urgency=low

  * New upstream release, addresses security issues:
    - http://www.adobe.com/support/security/bulletins/apsb11-30.html
    - CVE-2011-2462
    - CVE-2011-4369
  * This is an English only release. The -deu, -fra, -jpn packages still
    contain 9.4.2, as more recent versions are not available for those
    languages.
Date: Tue, 07 Feb 2012 14:14:37 -0500
Changed-By: Marc Deslauriers
Maintainer: Brian Thomason
https://launchpad.net/ubuntu/maverick/+source/acroread/9.4.7-1maverick1
-------------- next part --------------
Format: 1.8
Date: Tue, 07 Feb 2012 14:14:37 -0500
Source: acroread
Binary: acroread adobereader-deu adobereader-fra adobereader-jpn acroread-common
Architecture: source
Version: 9.4.7-1maverick1
Distribution: maverick
Urgency: low
Maintainer: Brian Thomason
Changed-By: Marc Deslauriers
Description:
 acroread   - Adobe Reader
 acroread-common - Adobe Reader - Common Files
 adobereader-deu - Adobe Reader
 adobereader-fra - Adobe Reader
 adobereader-jpn - Adobe Reader
Changes:
 acroread (9.4.7-1maverick1) maverick; urgency=low
 .
   * New upstream release, addresses security issues:
     - http://www.adobe.com/support/security/bulletins/apsb11-30.html
     - CVE-2011-2462
     - CVE-2011-4369
   * This is an English only release. The -deu, -fra, -jpn packages still
     contain 9.4.2, as more recent versions are not available for those
     languages.

From sbeattie at ubuntu.com Thu Feb 9 21:36:12 2012
From: sbeattie at ubuntu.com (Steve Beattie)
Date: Thu, 09 Feb 2012 21:36:12 -0000
Subject: [ubuntu/maverick-security] php5, php5_5.3.3-1ubuntu9.9_amd64_translations.tar.gz, php5_5.3.3-1ubuntu9.9_i386_translations.tar.gz,
 php5_5.3.3-1ubuntu9.9_armel_translations.tar.gz, php5_5.3.3-1ubuntu9.9_powerpc_translations.tar.gz 5.3.3-1ubuntu9.9 (Accepted)
Message-ID: <20120209213612.1766.34177.launchpad@cocoplum.canonical.com>

php5 (5.3.3-1ubuntu9.9) maverick-security; urgency=low

  * SECURITY UPDATE: memory allocation failure denial of service
    - debian/patches/php5-CVE-2011-4153.patch: check result of
      zend_strdup() and calloc() for failed allocations
    - CVE-2011-4153
  * SECURITY UPDATE: predictable hash collision denial of service
    (LP: #910296)
    - debian/patches/php5-CVE-2011-4885.patch: add max_input_vars
      directive with default limit of 1000
    - ATTENTION: this update changes previous php5 behavior by limiting
      the number of external input variables to 1000. This may be
      increased by adding a "max_input_vars" directive to the php.ini
      configuration file. See
      http://www.php.net/manual/en/info.configuration.php#ini.max-input-vars
      for more information.
    - CVE-2011-4885
  * SECURITY UPDATE: remote code execution vulnerability introduced by
    the fix for CVE-2011-4885 (LP: #925772)
    - debian/patches/php5-CVE-2012-0830.patch: return rather than
      continuing if max_input_vars limit is reached
    - CVE-2012-0830
  * SECURITY UPDATE: XSLT arbitrary file overwrite attack
    - debian/patches/php5-CVE-2012-0057.patch: add xsl.security_prefs
      ini option to define forbidden operations within XSLT stylesheets
    - CVE-2012-0057
  * SECURITY UPDATE: PDORow session denial of service
    - debian/patches/php5-CVE-2012-0788.patch: fail gracefully when
      attempting to serialize PDORow instances
    - CVE-2012-0788
  * SECURITY UPDATE: magic_quotes_gpc remote disable vulnerability
    - debian/patches/php5-CVE-2012-0831.patch: always restore
      magic_quotes_gpc on request shutdown
    - CVE-2012-0831

Date: Wed, 08 Feb 2012 20:59:18 -0800
Changed-By: Steve Beattie
Maintainer: Ubuntu Developers
https://launchpad.net/ubuntu/maverick/+source/php5/5.3.3-1ubuntu9.9
-------------- next part --------------
Format: 1.8
Date: Wed, 08 Feb 2012 20:59:18 -0800
Source: php5
Binary: php5 php5-common libapache2-mod-php5 libapache2-mod-php5filter php5-cgi php5-cli php5-fpm php5-dev php5-dbg php-pear php5-curl php5-enchant php5-gd php5-gmp php5-intl php5-ldap php5-mysql php5-odbc php5-pgsql php5-pspell php5-recode php5-snmp php5-sqlite php5-sybase php5-tidy php5-xmlrpc php5-xsl
Architecture: source
Version: 5.3.3-1ubuntu9.9
Distribution: maverick-security
Urgency: low
Maintainer: Ubuntu Developers
Changed-By: Steve Beattie
Description:
 libapache2-mod-php5 - server-side, HTML-embedded scripting language (Apache 2 module)
 libapache2-mod-php5filter - server-side, HTML-embedded scripting language (apache 2 filter mo
 php-pear   - PEAR - PHP Extension and Application Repository
 php5       - server-side, HTML-embedded scripting language (metapackage)
 php5-cgi   - server-side, HTML-embedded scripting language (CGI binary)
 php5-cli   - command-line interpreter for the php5 scripting language
 php5-common - Common files for packages built from the php5 source
 php5-curl  - CURL module for php5
 php5-dbg   - Debug symbols for PHP5
 php5-dev   - Files for PHP5 module development
 php5-enchant - Enchant module for php5
 php5-fpm   - server-side, HTML-embedded scripting language (FPM-CGI binary)
 php5-gd    - GD module for php5
 php5-gmp   - GMP module for php5
 php5-intl  - internationalisation module for php5
 php5-ldap  - LDAP module for php5
 php5-mysql - MySQL module for php5
 php5-odbc  - ODBC module for php5
 php5-pgsql - PostgreSQL module for php5
 php5-pspell - pspell module for php5
 php5-recode - recode module for php5
 php5-snmp  - SNMP module for php5
 php5-sqlite - SQLite module for php5
 php5-sybase - Sybase / MS SQL Server module for php5
 php5-tidy  - tidy module for php5
 php5-xmlrpc - XML-RPC module for php5
 php5-xsl   - XSL module for php5
Launchpad-Bugs-Fixed: 910296 925772
Changes:
 php5 (5.3.3-1ubuntu9.9) maverick-security; urgency=low
 .
   * SECURITY UPDATE: memory allocation failure denial of service
     - debian/patches/php5-CVE-2011-4153.patch: check result of
       zend_strdup() and calloc() for failed allocations
     - CVE-2011-4153
   * SECURITY UPDATE: predictable hash collision denial of service
     (LP: #910296)
     - debian/patches/php5-CVE-2011-4885.patch: add max_input_vars
       directive with default limit of 1000
     - ATTENTION: this update changes previous php5 behavior by limiting
       the number of external input variables to 1000. This may be
       increased by adding a "max_input_vars" directive to the php.ini
       configuration file. See
       http://www.php.net/manual/en/info.configuration.php#ini.max-input-vars
       for more information.
     - CVE-2011-4885
   * SECURITY UPDATE: remote code execution vulnerability introduced by
     the fix for CVE-2011-4885 (LP: #925772)
     - debian/patches/php5-CVE-2012-0830.patch: return rather than
       continuing if max_input_vars limit is reached
     - CVE-2012-0830
   * SECURITY UPDATE: XSLT arbitrary file overwrite attack
     - debian/patches/php5-CVE-2012-0057.patch: add xsl.security_prefs
       ini option to define forbidden operations within XSLT stylesheets
     - CVE-2012-0057
   * SECURITY UPDATE: PDORow session denial of service
     - debian/patches/php5-CVE-2012-0788.patch: fail gracefully when
       attempting to serialize PDORow instances
     - CVE-2012-0788
   * SECURITY UPDATE: magic_quotes_gpc remote disable vulnerability
     - debian/patches/php5-CVE-2012-0831.patch: always restore
       magic_quotes_gpc on request shutdown
     - CVE-2012-0831
Original-Maintainer: Debian PHP Maintainers

From sbeattie at ubuntu.com Thu Feb 9 21:37:12 2012
From: sbeattie at ubuntu.com (Steve Beattie)
Date: Thu, 09 Feb 2012 21:37:12 -0000
Subject: [ubuntu/maverick-security] openssl_0.9.8o-1ubuntu4.6_armel_translations.tar.gz, openssl_0.9.8o-1ubuntu4.6_i386_translations.tar.gz, openssl_0.9.8o-1ubuntu4.6_powerpc_translations.tar.gz, openssl, openssl_0.9.8o-1ubuntu4.6_amd64_translations.tar.gz 0.9.8o-1ubuntu4.6 (Accepted)
Message-ID: <20120209213712.1766.13409.launchpad@cocoplum.canonical.com>

openssl (0.9.8o-1ubuntu4.6) maverick-security; urgency=low

  * SECURITY UPDATE: ECDSA private key timing attack
    - debian/patches/CVE-2011-1945.patch: compute with fixed scalar length
    - CVE-2011-1945
  * SECURITY UPDATE: ECDH ciphersuite denial of service
    - debian/patches/CVE-2011-3210.patch: fix memory usage for thread safety
    - CVE-2011-3210
  * SECURITY UPDATE: DTLS plaintext recovery attack
    - debian/patches/CVE-2011-4108.patch: perform all computations before
      discarding messages
    - CVE-2011-4108
  * SECURITY UPDATE: policy check double free vulnerability
    - debian/patches/CVE-2011-4019.patch: only free domain policy in one
      location
    - CVE-2011-4019
  * SECURITY UPDATE: SSL 3.0 block padding exposure
    - debian/patches/CVE-2011-4576.patch: clear bytes used for block
      padding of SSL 3.0 records.
    - CVE-2011-4576
  * SECURITY UPDATE: malformed RFC 3779 data denial of service attack
    - debian/patches/CVE-2011-4577.patch: prevent malformed RFC3779 data
      from triggering an assertion failure
    - CVE-2011-4577
  * SECURITY UPDATE: Server Gated Cryptography (SGC) denial of service
    - debian/patches/CVE-2011-4619.patch: Only allow one SGC handshake
      restart for SSL/TLS.
    - CVE-2011-4619
  * SECURITY UPDATE: fix for CVE-2011-4108 denial of service attack
    - debian/patches/CVE-2012-0050.patch: improve handling of DTLS MAC
    - CVE-2012-0050
  * debian/patches/openssl-fix_ECDSA_tests.patch: fix ECDSA tests
  * debian/libssl0.9.8.postinst: Only issue the reboot notification for
    servers by testing that the X server is not running (LP: #244250)

Date: Tue, 31 Jan 2012 01:37:33 -0800
Changed-By: Steve Beattie
Maintainer: Ubuntu Developers
https://launchpad.net/ubuntu/maverick/+source/openssl/0.9.8o-1ubuntu4.6
-------------- next part --------------
Format: 1.8
Date: Tue, 31 Jan 2012 01:37:33 -0800
Source: openssl
Binary: openssl openssl-doc libssl0.9.8 libcrypto0.9.8-udeb libssl0.9.8-udeb libssl-dev libssl0.9.8-dbg
Architecture: source
Version: 0.9.8o-1ubuntu4.6
Distribution: maverick-security
Urgency: low
Maintainer: Ubuntu Developers
Changed-By: Steve Beattie
Description:
 libcrypto0.9.8-udeb - crypto shared library - udeb (udeb)
 libssl-dev - SSL development libraries, header files and documentation
 libssl0.9.8 - SSL shared libraries
 libssl0.9.8-dbg - Symbol tables for libssl and libcrypto
 libssl0.9.8-udeb - ssl shared library - udeb (udeb)
 openssl    - Secure Socket Layer (SSL) binary and related cryptographic tools
 openssl-doc - Secure Socket Layer (SSL) documentation
Launchpad-Bugs-Fixed: 244250
Changes:
 openssl (0.9.8o-1ubuntu4.6) maverick-security; urgency=low
 .
   * SECURITY UPDATE: ECDSA private key timing attack
     - debian/patches/CVE-2011-1945.patch: compute with fixed scalar length
     - CVE-2011-1945
   * SECURITY UPDATE: ECDH ciphersuite denial of service
     - debian/patches/CVE-2011-3210.patch: fix memory usage for thread safety
     - CVE-2011-3210
   * SECURITY UPDATE: DTLS plaintext recovery attack
     - debian/patches/CVE-2011-4108.patch: perform all computations before
       discarding messages
     - CVE-2011-4108
   * SECURITY UPDATE: policy check double free vulnerability
     - debian/patches/CVE-2011-4019.patch: only free domain policy in one
       location
     - CVE-2011-4019
   * SECURITY UPDATE: SSL 3.0 block padding exposure
     - debian/patches/CVE-2011-4576.patch: clear bytes used for block
       padding of SSL 3.0 records.
     - CVE-2011-4576
   * SECURITY UPDATE: malformed RFC 3779 data denial of service attack
     - debian/patches/CVE-2011-4577.patch: prevent malformed RFC3779 data
       from triggering an assertion failure
     - CVE-2011-4577
   * SECURITY UPDATE: Server Gated Cryptography (SGC) denial of service
     - debian/patches/CVE-2011-4619.patch: Only allow one SGC handshake
       restart for SSL/TLS.
     - CVE-2011-4619
   * SECURITY UPDATE: fix for CVE-2011-4108 denial of service attack
     - debian/patches/CVE-2012-0050.patch: improve handling of DTLS MAC
     - CVE-2012-0050
   * debian/patches/openssl-fix_ECDSA_tests.patch: fix ECDSA tests
   * debian/libssl0.9.8.postinst: Only issue the reboot notification for
     servers by testing that the X server is not running (LP: #244250)
Original-Maintainer: Debian OpenSSL Team

From martin.pitt at ubuntu.com Fri Feb 10 06:40:18 2012
From: martin.pitt at ubuntu.com (Martin Pitt)
Date: Fri, 10 Feb 2012 06:40:18 -0000
Subject: [ubuntu/maverick-updates] lxc 0.7.2-1ubuntu1 (Accepted)
Message-ID: <20120210064018.11607.5993.launchpad@ackee.canonical.com>

lxc (0.7.2-1ubuntu1) maverick-proposed; urgency=low

  [ Serge Hallyn ]
  * debian/rules: add -r (--no-restart-on-upgrade) to
    DEB_DH_INSTALLINIT_ARGS to prevent upgrading lxc from forcing lxc
    autostart containers to stop and restart. (LP: #753308)
  * debian/control: set ubuntu maintainer.

Date: 2011-09-13 00:45:11.604920+00:00
Changed-By: Clint Byrum
Signed-By: Martin Pitt
https://launchpad.net/ubuntu/maverick/+source/lxc/0.7.2-1ubuntu1
-------------- next part --------------
Sorry, changesfile not available.
From steve.langasek at canonical.com Fri Feb 10 17:51:25 2012
From: steve.langasek at canonical.com (Steve Langasek)
Date: Fri, 10 Feb 2012 17:51:25 -0000
Subject: [ubuntu/maverick-updates] linux 2.6.35-32.65 (Accepted)
Message-ID: <20120210175125.26793.3080.launchpad@ackee.canonical.com>

linux (2.6.35-32.65) maverick-proposed; urgency=low

  [Brad Figg]

  * Release Tracking Bug
    - LP: #920677

  [ Upstream Kernel Changes ]

  * fuse: check size of FUSE_NOTIFY_INVAL_ENTRY message, CVE-2011-3353
    - LP: #905058
    - CVE-2011-3353
  * KVM: x86: Prevent starting PIT timers in the absence of irqchip support
    - LP: #911303
    - CVE-2011-4622
  * sched, x86: Avoid unnecessary overflow in sched_clock
    - LP: #805341
  * use cache type functions for arch_get_unmapped_area
    - LP: #861296
  * topdown mmap support
    - LP: #861296
  * xfs: validate acl count
    - LP: #917706
    - CVE-2012-0038
  * xfs: fix acl count validation in xfs_acl_from_disk()
    - LP: #917706
    - CVE-2012-0038
  * drm: integer overflow in drm_mode_dirtyfb_ioctl()
    - LP: #917838
    - CVE-2012-0044
  * x86/PCI: amd: factor out MMCONFIG discovery
    - LP: #647043
  * PNP: work around Dell 1536/1546 BIOS MMCONFIG bug that breaks USB
    - LP: #647043

Date: 2012-01-24 13:45:45.975524+00:00
Changed-By: Brad Figg
Signed-By: Steve Langasek
https://launchpad.net/ubuntu/maverick/+source/linux/2.6.35-32.65
-------------- next part --------------
Sorry, changesfile not available.

From steve.langasek at canonical.com Fri Feb 10 17:51:45 2012
From: steve.langasek at canonical.com (Steve Langasek)
Date: Fri, 10 Feb 2012 17:51:45 -0000
Subject: [ubuntu/maverick-updates] linux-ti-omap4 2.6.35-903.30 (Accepted)
Message-ID: <20120210175145.26793.37773.launchpad@ackee.canonical.com>

linux-ti-omap4 (2.6.35-903.30) maverick-proposed; urgency=low

  * Release Tracking Bug
    - LP: #921471

  [ Upstream Kernel Changes ]

  * Sched: fix skip_clock_update optimization
    - LP: #911401
    - CVE-2011-4621
  * xfs: validate acl count
    - LP: #917706
    - CVE-2012-0038
  * xfs: fix acl count validation in xfs_acl_from_disk()
    - LP: #917706
    - CVE-2012-0038
  * drm: integer overflow in drm_mode_dirtyfb_ioctl()
    - LP: #917838
    - CVE-2012-0044

Date: 2012-01-26 15:51:04.998765+00:00
Changed-By: Paolo Pisati
Signed-By: Steve Langasek
https://launchpad.net/ubuntu/maverick/+source/linux-ti-omap4/2.6.35-903.30
-------------- next part --------------
Sorry, changesfile not available.

From steve.langasek at canonical.com Fri Feb 10 17:51:56 2012
From: steve.langasek at canonical.com (Steve Langasek)
Date: Fri, 10 Feb 2012 17:51:56 -0000
Subject: [ubuntu/maverick-updates] linux-meta 2.6.35.32.42 (Accepted)
Message-ID: <20120210175156.26793.77045.launchpad@ackee.canonical.com>

linux-meta (2.6.35.32.42) maverick-proposed; urgency=low

  * Add back omap and versatile meta packages, we have kernels for them
    built now. Reported by Tobin Davis.

Date: 2012-02-03 18:15:46.232949+00:00
Changed-By: "Herton R. Krzesinski"
Signed-By: Steve Langasek
https://launchpad.net/ubuntu/maverick/+source/linux-meta/2.6.35.32.42
-------------- next part --------------
Sorry, changesfile not available.

From steve.langasek at canonical.com Fri Feb 10 18:21:20 2012
From: steve.langasek at canonical.com (Steve Langasek)
Date: Fri, 10 Feb 2012 18:21:20 -0000
Subject: [ubuntu/maverick-updates] linux-firmware 1.38.10 (Accepted)
Message-ID: <20120210182120.6164.32722.launchpad@ackee.canonical.com>

linux-firmware (1.38.10) maverick-proposed; urgency=low

  * ath3k-fw: Fix EEPROM radio table issue. LP: #882685

linux-firmware (1.38.9) maverick-proposed; urgency=low

  * Added firmware files to support compat-wireless
    linux-firmware: add new firmware for RTL8168E-VL
    linux-firmware: update firmware for RTL8111E
    linux-firmware: Add firmware for RTL8168/8111E
    linux-firmware: Add firmware for RTL8105E
    rtl_nic: Add firmware for RTL8111D(L)
    - LP: #804671

linux-firmware (1.38.8) maverick-proposed; urgency=low

  * Added carl9170.fw for Atheros wireless AR9170 based devices.
    - LP: #713987

linux-firmware (1.38.7) maverick-proposed; urgency=low

  * Added iwlwifi-1000-5.ucode
    - LP: #752829

Date: 2011-10-28 16:05:11.600664+00:00
Changed-By: Tim Gardner
Signed-By: Steve Langasek
https://launchpad.net/ubuntu/maverick/+source/linux-firmware/1.38.10
-------------- next part --------------
Sorry, changesfile not available.

From gimre at narancs.net Fri Feb 10 20:33:58 2012
From: gimre at narancs.net (Imre Gergely)
Date: Fri, 10 Feb 2012 20:33:58 -0000
Subject: [ubuntu/maverick-security] pdns_2.9.22-5ubuntu0.1_armel_translations.tar.gz, pdns, pdns_2.9.22-5ubuntu0.1_i386_translations.tar.gz, pdns_2.9.22-5ubuntu0.1_amd64_translations.tar.gz, pdns_2.9.22-5ubuntu0.1_powerpc_translations.tar.gz 2.9.22-5ubuntu0.1 (Accepted)
Message-ID: <20120210203358.2189.70096.launchpad@cocoplum.canonical.com>

pdns (2.9.22-5ubuntu0.1) maverick-security; urgency=low

  * SECURITY UPDATE: temporary DoS with specially crafted packets
    (LP: #918588)
    - debian/patches/CVE-2012-0206: prevent the auth servers from entering
      a packet loop. Based on upstream suggestion.
    - CVE-2012-0206

Date: Wed, 08 Feb 2012 23:32:38 +0200
Changed-By: Imre Gergely
Maintainer: Ubuntu Developers
https://launchpad.net/ubuntu/maverick/+source/pdns/2.9.22-5ubuntu0.1
-------------- next part --------------
Format: 1.8
Date: Wed, 08 Feb 2012 23:32:38 +0200
Source: pdns
Binary: pdns-server pdns-doc pdns-backend-pipe pdns-backend-ldap pdns-backend-geo pdns-backend-mysql pdns-backend-pgsql pdns-backend-sqlite pdns-backend-sqlite3
Architecture: source
Version: 2.9.22-5ubuntu0.1
Distribution: maverick-security
Urgency: low
Maintainer: Ubuntu Developers
Changed-By: Imre Gergely
Description:
 pdns-backend-geo - geo backend for PowerDNS
 pdns-backend-ldap - LDAP backend for PowerDNS
 pdns-backend-mysql - generic MySQL backend for PowerDNS
 pdns-backend-pgsql - generic PostgreSQL backend for PowerDNS
 pdns-backend-pipe - pipe/coprocess backend for PowerDNS
 pdns-backend-sqlite - sqlite backend for PowerDNS
 pdns-backend-sqlite3 - sqlite backend for PowerDNS
 pdns-doc   - PowerDNS manual
 pdns-server - extremely powerful and versatile nameserver
Launchpad-Bugs-Fixed: 918588
Changes:
 pdns (2.9.22-5ubuntu0.1) maverick-security; urgency=low
 .
   * SECURITY UPDATE: temporary DoS with specially crafted packets
     (LP: #918588)
     - debian/patches/CVE-2012-0206: prevent the auth servers from entering
       a packet loop. Based on upstream suggestion.
     - CVE-2012-0206
Original-Maintainer: Matthijs Mohlmann

From tyhicks at canonical.com Fri Feb 10 20:34:07 2012
From: tyhicks at canonical.com (Tyler Hicks)
Date: Fri, 10 Feb 2012 20:34:07 -0000
Subject: [ubuntu/maverick-security] atop 1.23-1+squeeze1build0.10.10.1 (Accepted)
Message-ID: <20120210203407.2189.50994.launchpad@cocoplum.canonical.com>

atop (1.23-1+squeeze1build0.10.10.1) maverick-security; urgency=low

  * fake sync from Debian

atop (1.23-1+squeeze1) stable; urgency=high

  * Non-maintainer upload.
  * Fix CVE-2011-XXXX: Insecure use of temporary files in rawlog.c and
    acctproc.c (Closes: #622794)

Date: Fri, 10 Feb 2012 13:01:13 -0600
Changed-By: Tyler Hicks
Maintainer: Edelhard Becker
https://launchpad.net/ubuntu/maverick/+source/atop/1.23-1+squeeze1build0.10.10.1
-------------- next part --------------
Format: 1.8
Date: Fri, 10 Feb 2012 13:01:13 -0600
Source: atop
Binary: atop
Architecture: source
Version: 1.23-1+squeeze1build0.10.10.1
Distribution: maverick-security
Urgency: high
Maintainer: Edelhard Becker
Changed-By: Tyler Hicks
Description:
 atop       - Monitor for system resources and process activity
Closes: 622794
Changes:
 atop (1.23-1+squeeze1build0.10.10.1) maverick-security; urgency=low
 .
   * fake sync from Debian
 .
 atop (1.23-1+squeeze1) stable; urgency=high
 .
   * Non-maintainer upload.
   * Fix CVE-2011-XXXX: Insecure use of temporary files in rawlog.c and
     acctproc.c (Closes: #622794)

From martin.pitt at ubuntu.com Mon Feb 13 06:28:15 2012
From: martin.pitt at ubuntu.com (Martin Pitt)
Date: Mon, 13 Feb 2012 06:28:15 -0000
Subject: [ubuntu/maverick-updates] youtube-dl 2011.08.04-1~maverick0.1 (Accepted)
Message-ID: <20120213062815.14875.98698.launchpad@ackee.canonical.com>

youtube-dl (2011.08.04-1~maverick0.1) maverick-proposed; urgency=low

  * Backport new upstream release to Maverick to fix changes in Youtube.
    (LP: #915029)

Date: 2012-01-11 21:15:19.131774+00:00
Changed-By: Evan Broder
Maintainer: Rogério Theodoro de Brito
Signed-By: Martin Pitt
https://launchpad.net/ubuntu/maverick/+source/youtube-dl/2011.08.04-1~maverick0.1
-------------- next part --------------
Sorry, changesfile not available.
From sbeattie at ubuntu.com Mon Feb 13 17:06:19 2012 From: sbeattie at ubuntu.com (Steve Beattie) Date: Mon, 13 Feb 2012 17:06:19 -0000 Subject: [ubuntu/maverick-security] php5, php5_5.3.3-1ubuntu9.10_powerpc_translations.tar.gz, php5_5.3.3-1ubuntu9.10_i386_translations.tar.gz, php5_5.3.3-1ubuntu9.10_amd64_translations.tar.gz, php5_5.3.3-1ubuntu9.10_armel_translations.tar.gz 5.3.3-1ubuntu9.10 (Accepted) Message-ID: <20120213170619.17857.70306.launchpad@cocoplum.canonical.com> php5 (5.3.3-1ubuntu9.10) maverick-security; urgency=low * debian/patches/php5-CVE-2012-0831-regression.patch: fix magic_quotes_gpc ini setting regression introduced by patch for CVE-2012-0831. Thanks to Ondřej Surý for the patch. (LP: #930115) Date: Fri, 10 Feb 2012 15:02:46 -0800 Changed-By: Steve Beattie Maintainer: Ubuntu Developers https://launchpad.net/ubuntu/maverick/+source/php5/5.3.3-1ubuntu9.10 -------------- next part -------------- Format: 1.8 Date: Fri, 10 Feb 2012 15:02:46 -0800 Source: php5 Binary: php5 php5-common libapache2-mod-php5 libapache2-mod-php5filter php5-cgi php5-cli php5-fpm php5-dev php5-dbg php-pear php5-curl php5-enchant php5-gd php5-gmp php5-intl php5-ldap php5-mysql php5-odbc php5-pgsql php5-pspell php5-recode php5-snmp php5-sqlite php5-sybase php5-tidy php5-xmlrpc php5-xsl Architecture: source Version: 5.3.3-1ubuntu9.10 Distribution: maverick-security Urgency: low Maintainer: Ubuntu Developers Changed-By: Steve Beattie Description: libapache2-mod-php5 - server-side, HTML-embedded scripting language (Apache 2 module) libapache2-mod-php5filter - server-side, HTML-embedded scripting language (apache 2 filter mo php-pear - PEAR - PHP Extension and Application Repository php5 - server-side, HTML-embedded scripting language (metapackage) php5-cgi - server-side, HTML-embedded scripting language (CGI binary) php5-cli - command-line interpreter for the php5 scripting language php5-common - Common files for packages built from the php5 source php5-curl - CURL module for 
php5 php5-dbg - Debug symbols for PHP5 php5-dev - Files for PHP5 module development php5-enchant - Enchant module for php5 php5-fpm - server-side, HTML-embedded scripting language (FPM-CGI binary) php5-gd - GD module for php5 php5-gmp - GMP module for php5 php5-intl - internationalisation module for php5 php5-ldap - LDAP module for php5 php5-mysql - MySQL module for php5 php5-odbc - ODBC module for php5 php5-pgsql - PostgreSQL module for php5 php5-pspell - pspell module for php5 php5-recode - recode module for php5 php5-snmp - SNMP module for php5 php5-sqlite - SQLite module for php5 php5-sybase - Sybase / MS SQL Server module for php5 php5-tidy - tidy module for php5 php5-xmlrpc - XML-RPC module for php5 php5-xsl - XSL module for php5 Launchpad-Bugs-Fixed: 930115 Changes: php5 (5.3.3-1ubuntu9.10) maverick-security; urgency=low . * debian/patches/php5-CVE-2012-0831-regression.patch: fix magic_quotes_gpc ini setting regression introduced by patch for CVE-2012-0831. Thanks to Ondřej Surý for the patch. 
(LP: #930115) Checksums-Sha1: 1ffb8d22f31acd4b33860c43a8647ff97fe5277b 3272 php5_5.3.3-1ubuntu9.10.dsc ef00385706979e9c60d86114d49e6c377b470c73 248751 php5_5.3.3-1ubuntu9.10.diff.gz Checksums-Sha256: 3858679ed34a19d3bfab454556afc84d7cab087c040e258a11094618bef7112c 3272 php5_5.3.3-1ubuntu9.10.dsc ca58f51e81caf47e10e4477d3e2be42ec8a8c4f6fca8f5e8b20f9acad8595ca9 248751 php5_5.3.3-1ubuntu9.10.diff.gz Files: 51b345ac5c48258c8194b723b06b6140 3272 php optional php5_5.3.3-1ubuntu9.10.dsc 277796d4e71b46628eb6fb1dd07c9c96 248751 php optional php5_5.3.3-1ubuntu9.10.diff.gz Original-Maintainer: Debian PHP Maintainers From jamie at ubuntu.com Tue Feb 14 16:33:31 2012 From: jamie at ubuntu.com (Jamie Strandboge) Date: Tue, 14 Feb 2012 16:33:31 -0000 Subject: [ubuntu/maverick-security] puppet 2.6.1-0ubuntu2.5 (Accepted) Message-ID: <20120214163331.29823.48092.launchpad@cocoplum.canonical.com> puppet (2.6.1-0ubuntu2.5) maverick-security; urgency=low * SECURITY UPDATE: fix access to remote resource when auth.conf is missing - debian/patches/CVE-2011-0528.patch: Disable remote ralsh by default - CVE-2011-0528 Date: Thu, 09 Feb 2012 22:08:43 -0600 Changed-By: Jamie Strandboge Maintainer: Ubuntu Developers https://launchpad.net/ubuntu/maverick/+source/puppet/2.6.1-0ubuntu2.5 -------------- next part -------------- Format: 1.8 Date: Thu, 09 Feb 2012 22:08:43 -0600 Source: puppet Binary: puppet puppetmaster-common puppetmaster puppetmaster-passenger puppet-common vim-puppet puppet-el puppet-testsuite Architecture: source Version: 2.6.1-0ubuntu2.5 Distribution: maverick-security Urgency: low Maintainer: Ubuntu Developers Changed-By: Jamie Strandboge Description: puppet - Centralized configuration management - agent startup and compatib puppet-common - Centralized configuration management puppet-el - syntax highlighting for puppet manifests in emacs puppet-testsuite - Centralized configuration management - test suite puppetmaster - Centralized configuration management - master startup and 
compati puppetmaster-common - Puppet master common scripts puppetmaster-passenger - Centralised configuration management - master setup to run under vim-puppet - syntax highlighting for puppet manifests in vim Changes: puppet (2.6.1-0ubuntu2.5) maverick-security; urgency=low . * SECURITY UPDATE: fix access to remote resource when auth.conf is missing - debian/patches/CVE-2011-0528.patch: Disable remote ralsh by default - CVE-2011-0528 Checksums-Sha1: 8c6c0ecf5981eae1df740d0d9b42167713a64a41 2296 puppet_2.6.1-0ubuntu2.5.dsc 74084079c5ff5ed6de95fbc7290a4d1db2c6e969 88162 puppet_2.6.1-0ubuntu2.5.debian.tar.gz Checksums-Sha256: 9a01ca7e1819e3a164fdf371a5eb8b6aec9fd6b61bfd3579202e095b781ffc87 2296 puppet_2.6.1-0ubuntu2.5.dsc 09de7f31a4bfb9d74b921a2c2a7606ff8f88fc5f42aceef2038e8a7f79915574 88162 puppet_2.6.1-0ubuntu2.5.debian.tar.gz Files: 2b505f7633a7806f6ccea0c2aa11fbcf 2296 admin optional puppet_2.6.1-0ubuntu2.5.dsc b62adc6a8f793f74b4e3f0b8dc1351d3 88162 admin optional puppet_2.6.1-0ubuntu2.5.debian.tar.gz Original-Maintainer: Puppet Package Maintainers From zubin.mithra at gmail.com Wed Feb 15 05:34:09 2012 From: zubin.mithra at gmail.com (Zubin Mithra) Date: Wed, 15 Feb 2012 05:34:09 -0000 Subject: [ubuntu/maverick-security] vdr_1.6.0-18ubuntu1.1_powerpc_translations.tar.gz, vdr_1.6.0-18ubuntu1.1_i386_translations.tar.gz, vdr_1.6.0-18ubuntu1.1_armel_translations.tar.gz, vdr, vdr_1.6.0-18ubuntu1.1_amd64_translations.tar.gz 1.6.0-18ubuntu1.1 (Accepted) Message-ID: <20120215053409.32191.16302.launchpad@cocoplum.canonical.com> vdr (1.6.0-18ubuntu1.1) maverick-security; urgency=low * SECURITY UPDATE: vdrleaktest in Video Disk Recorder (VDR) 1.6.0 places a zero-length directory name in the LD_LIBRARY_PATH, which allows local users to gain privileges via a Trojan horse shared library in the current working directory. 
(LP: #930700) - http://bazaar.launchpad.net/~ubuntu-branches/ubuntu/natty/vdr/natty/revision/24#debian/vdrleaktest and http://bazaar.launchpad.net/~ubuntu-branches/ubuntu/natty/vdr/natty/revision/25#debian/vdrleaktest - debian/vdrtestleak: changed to set LD_LIBRARY_PATH securely - CVE-2010-3387 Date: Tue, 14 Feb 2012 10:38:34 -0800 Changed-By: Zubin Mithra Maintainer: Ubuntu Developers https://launchpad.net/ubuntu/maverick/+source/vdr/1.6.0-18ubuntu1.1 -------------- next part -------------- Format: 1.8 Date: Tue, 14 Feb 2012 10:38:34 -0800 Source: vdr Binary: vdr vdr-dev vdr-dbg vdr-plugin-sky vdr-plugin-examples Architecture: source Version: 1.6.0-18ubuntu1.1 Distribution: maverick-security Urgency: low Maintainer: Ubuntu Developers Changed-By: Zubin Mithra Description: vdr - Video Disk Recorder for DVB cards vdr-dbg - Debuggable version of the VDR Video Disk Recorder vdr-dev - Video Disk Recorder for DVB cards vdr-plugin-examples - Plugins for vdr to show some possible features vdr-plugin-sky - Plugin for using a Sky Digibox with vdr Launchpad-Bugs-Fixed: 930700 Changes: vdr (1.6.0-18ubuntu1.1) maverick-security; urgency=low . * SECURITY UPDATE: vdrleaktest in Video Disk Recorder (VDR) 1.6.0 places a zero-length directory name in the LD_LIBRARY_PATH, which allows local users to gain privileges via a Trojan horse shared library in the current working directory. 
(LP: #930700) - http://bazaar.launchpad.net/~ubuntu-branches/ubuntu/natty/vdr/natty/revision/24#debian/vdrleaktest and http://bazaar.launchpad.net/~ubuntu-branches/ubuntu/natty/vdr/natty/revision/25#debian/vdrleaktest - debian/vdrtestleak: changed to set LD_LIBRARY_PATH securely - CVE-2010-3387 Checksums-Sha1: e58339c765addf1b4a23059079806b8683e4b06a 2173 vdr_1.6.0-18ubuntu1.1.dsc 514de9abc4883cddbaf75957e1eac67f4f967450 149496 vdr_1.6.0-18ubuntu1.1.diff.gz Checksums-Sha256: 5738845d58b8b30392813fb6cda183096aa69ce14aed2d2de306d738e8a4ba2c 2173 vdr_1.6.0-18ubuntu1.1.dsc 73c45be01d506959fc60140d52bdeb9517c37db937e501d8462500eb31d4cb34 149496 vdr_1.6.0-18ubuntu1.1.diff.gz Files: 126c3be97424a3655ab844b8f5caeb36 2173 video extra vdr_1.6.0-18ubuntu1.1.dsc 3f445c580e63d03cc9d275298f6d405d 149496 video extra vdr_1.6.0-18ubuntu1.1.diff.gz Original-Maintainer: Debian VDR Team From amoog at ubuntu.com Wed Feb 15 16:04:11 2012 From: amoog at ubuntu.com (Andreas Moog) Date: Wed, 15 Feb 2012 16:04:11 -0000 Subject: [ubuntu/maverick-security] gypsy 0.8-0ubuntu1.1 (Accepted) Message-ID: <20120215160411.7396.8553.launchpad@cocoplum.canonical.com> gypsy (0.8-0ubuntu1.1) maverick-security; urgency=low * SECURITY UPDATE: "arbitrary file access and buffer overflows" A new config file, /etc/gypsy.conf, is added that specifies a whitelist of globs. By default, they are "/dev/tty*", "/dev/pgps", and "bluetooth" (which matches Bluetooth addresses). Thanks to Michael Leibowitz CVE-2011-0523 * SECURITY UPDATE: Prevent buffer overflows in NMEA parsing by using snprintf() instead of sprintf. 
Thanks to Bastien Nocera CVE-2011-0524 (LP: #690323) * Run autoreconf to include changes to configure.ac Date: Sat, 11 Feb 2012 16:02:45 +0100 Changed-By: Andreas Moog Maintainer: Ubuntu Developers https://launchpad.net/ubuntu/maverick/+source/gypsy/0.8-0ubuntu1.1 -------------- next part -------------- Format: 1.8 Date: Sat, 11 Feb 2012 16:02:45 +0100 Source: gypsy Binary: gypsy-daemon libgypsy0 libgypsy-dev libgypsy-doc Architecture: source Version: 0.8-0ubuntu1.1 Distribution: maverick-security Urgency: low Maintainer: Ubuntu Developers Changed-By: Andreas Moog Description: gypsy-daemon - A GPS Multiplexing Daemon libgypsy-dev - A GPS Multiplexing Daemon (Development Package) libgypsy-doc - A GPS Multiplexing Daemon (HTML API Docs) libgypsy0 - A GPS Multiplexing Daemon (Library Package) Launchpad-Bugs-Fixed: 690323 Changes: gypsy (0.8-0ubuntu1.1) maverick-security; urgency=low . * SECURITY UPDATE: "arbitrary file access and buffer overflows" A new config file, /etc/gypsy.conf, is added that specifies a whitelist of globs. By default, they are "/dev/tty*", "/dev/pgps", and "bluetooth" (which matches Bluetooth addresses). Thanks to Michael Leibowitz CVE-2011-0523 * SECURITY UPDATE: Prevent buffer overflows in NMEA parsing by using snprintf() instead of sprintf. 
Thanks to Bastien Nocera CVE-2011-0524 (LP: #690323) * Run autoreconf to include changes to configure.ac Checksums-Sha1: 6ec896de23d590b5edaa0d0ff83b3a6874956855 1840 gypsy_0.8-0ubuntu1.1.dsc b45f68629420cbe024af03e3fccae4495f8622ec 22537 gypsy_0.8-0ubuntu1.1.debian.tar.gz Checksums-Sha256: 842a044006721d57c984caa4a274b20c42e8369596e9ceed97a5e5ea8054db11 1840 gypsy_0.8-0ubuntu1.1.dsc 23011d005893e41611b9fe2d088ab36aa330e04d16d76835707d490f6466d396 22537 gypsy_0.8-0ubuntu1.1.debian.tar.gz Files: 4e58fd8d8d77e29b8694ee36c42527ba 1840 utils optional gypsy_0.8-0ubuntu1.1.dsc 45987fe5f3e3c152d6d2e712fa6a46fd 22537 utils optional gypsy_0.8-0ubuntu1.1.debian.tar.gz Original-Maintainer: Linaro User Platforms From zubin.mithra at gmail.com Wed Feb 15 16:04:17 2012 From: zubin.mithra at gmail.com (Zubin Mithra) Date: Wed, 15 Feb 2012 16:04:17 -0000 Subject: [ubuntu/maverick-security] dhcpcd 1:3.2.3-7ubuntu0.10.10.1 (Accepted) Message-ID: <20120215160417.7396.93489.launchpad@cocoplum.canonical.com> dhcpcd (1:3.2.3-7ubuntu0.10.10.1) maverick-security; urgency=high * SECURITY UPDATE: dhcpcd before 5.2.12 allows remote attackers to execute arbitrary commands via shell metacharacters in a hostname obtained from a DHCP message. (LP: #931036) - https://build.opensuse.org/package/view_file?file=dhcpcd-3.2.3-option-checks.diff&package=dhcpcd&project=network%3Adhcp&rev=52442e5c1d803d7c1818a920a0bae7f1 - above linked patch(without the additional support for NETBIOS type messages) has been added. 
    - CVE-2011-0996

Date: Mon, 13 Feb 2012 14:27:54 +0530
Changed-By: Zubin Mithra
Maintainer: Ubuntu Developers
https://launchpad.net/ubuntu/maverick/+source/dhcpcd/1:3.2.3-7ubuntu0.10.10.1
-------------- next part --------------
Format: 1.8
Date: Mon, 13 Feb 2012 14:27:54 +0530
Source: dhcpcd
Binary: dhcpcd
Architecture: source
Version: 1:3.2.3-7ubuntu0.10.10.1
Distribution: maverick-security
Urgency: high
Maintainer: Ubuntu Developers
Changed-By: Zubin Mithra
Description:
 dhcpcd - DHCP client for automatically configuring IPv4 networking
Launchpad-Bugs-Fixed: 931036
Changes:
 dhcpcd (1:3.2.3-7ubuntu0.10.10.1) maverick-security; urgency=high
 .
   * SECURITY UPDATE: dhcpcd before 5.2.12 allows remote attackers to execute
     arbitrary commands via shell metacharacters in a hostname obtained from a
     DHCP message. (LP: #931036)
     - https://build.opensuse.org/package/view_file?file=dhcpcd-3.2.3-option-checks.diff&package=dhcpcd&project=network%3Adhcp&rev=52442e5c1d803d7c1818a920a0bae7f1
     - above linked patch (without the additional support for NETBIOS type
       messages) has been added.
     - CVE-2011-0996
Checksums-Sha1:
 55842862d886c4b4aae5010ec9eeae09ebb2bb4f 1724 dhcpcd_3.2.3-7ubuntu0.10.10.1.dsc
 fa32844a91173e50ebfa091f8897bd4c6b6a9959 19544 dhcpcd_3.2.3-7ubuntu0.10.10.1.diff.gz
Checksums-Sha256:
 afe65f1abb0cdce265588b2ee7476f3dafd6da73aa893eaebfd156884fc52885 1724 dhcpcd_3.2.3-7ubuntu0.10.10.1.dsc
 1c93be55c7b8b5ea3956417858673b28af457b84d3beb87f7ab50741d1581246 19544 dhcpcd_3.2.3-7ubuntu0.10.10.1.diff.gz
Files:
 d0552fe17463c517f9f4d96965d40fe7 1724 net optional dhcpcd_3.2.3-7ubuntu0.10.10.1.dsc
 9d1ca2ee080807d13991a09c8c5d00e5 19544 net optional dhcpcd_3.2.3-7ubuntu0.10.10.1.diff.gz
Original-Maintainer: Simon Kelley

From tyhicks at canonical.com Wed Feb 15 17:03:41 2012
From: tyhicks at canonical.com (Tyler Hicks)
Date: Wed, 15 Feb 2012 17:03:41 -0000
Subject: [ubuntu/maverick-security] devscripts_2.10.67ubuntu1.1_amd64_translations.tar.gz, devscripts, devscripts_2.10.67ubuntu1.1_powerpc_translations.tar.gz, devscripts_2.10.67ubuntu1.1_armel_translations.tar.gz, devscripts_2.10.67ubuntu1.1_i386_translations.tar.gz 2.10.67ubuntu1.1 (Accepted)
Message-ID: <20120215170341.29188.94793.launchpad@cocoplum.canonical.com>

devscripts (2.10.67ubuntu1.1) maverick-security; urgency=low

  * SECURITY UPDATE: Arbitrary code execution via crafted filenames in .dsc
    and .changes files
    - scripts/debdiff.pl: Perform input sanitization on filenames. Thanks to
      Raphael Geissert for the original patch.
    - CVE-2012-0210
  * SECURITY UPDATE: Arbitrary code execution via crafted filenames in the
    top level directory of the original upstream source tarball
    - scripts/debdiff.pl: Perform input sanitization on filenames. Thanks to
      Adam D. Barratt for the original patch.
    - CVE-2012-0211
  * SECURITY UPDATE: Arbitrary code execution via crafted filenames in
    arguments passed to debdiff
    - scripts/debdiff.pl: Perform input sanitization on filenames. Based on
      upstream patches.
    - http://anonscm.debian.org/gitweb/?p=devscripts/devscripts.git;a=commitdiff;h=87f88232eb643f0c118c6ba38db8e966915b450f
    - http://anonscm.debian.org/gitweb/?p=devscripts/devscripts.git;a=commitdiff;h=76227af1ee8d68f4844f642325eac903ca21e739
    - CVE-2012-0212
  * scripts/debdiff.pl: Remove undocumented functionality which treated files
    with extensionless filenames as packages. Thanks to Adam D. Barratt for
    the original patch.
    - http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=659559

Date: Wed, 15 Feb 2012 03:33:42 -0600
Changed-By: Tyler Hicks
Maintainer: Ubuntu Developers
https://launchpad.net/ubuntu/maverick/+source/devscripts/2.10.67ubuntu1.1
-------------- next part --------------
Format: 1.8
Date: Wed, 15 Feb 2012 03:33:42 -0600
Source: devscripts
Binary: devscripts
Architecture: source
Version: 2.10.67ubuntu1.1
Distribution: maverick-security
Urgency: low
Maintainer: Ubuntu Developers
Changed-By: Tyler Hicks
Description:
 devscripts - scripts to make the life of a Debian Package maintainer easier
Changes:
 devscripts (2.10.67ubuntu1.1) maverick-security; urgency=low
 .
   * SECURITY UPDATE: Arbitrary code execution via crafted filenames in .dsc
     and .changes files
     - scripts/debdiff.pl: Perform input sanitization on filenames. Thanks to
       Raphael Geissert for the original patch.
     - CVE-2012-0210
   * SECURITY UPDATE: Arbitrary code execution via crafted filenames in the
     top level directory of the original upstream source tarball
     - scripts/debdiff.pl: Perform input sanitization on filenames. Thanks to
       Adam D. Barratt for the original patch.
     - CVE-2012-0211
   * SECURITY UPDATE: Arbitrary code execution via crafted filenames in
     arguments passed to debdiff
     - scripts/debdiff.pl: Perform input sanitization on filenames. Based on
       upstream patches.
     - http://anonscm.debian.org/gitweb/?p=devscripts/devscripts.git;a=commitdiff;h=87f88232eb643f0c118c6ba38db8e966915b450f
     - http://anonscm.debian.org/gitweb/?p=devscripts/devscripts.git;a=commitdiff;h=76227af1ee8d68f4844f642325eac903ca21e739
     - CVE-2012-0212
   * scripts/debdiff.pl: Remove undocumented functionality which treated files
     with extensionless filenames as packages. Thanks to Adam D. Barratt for
     the original patch.
     - http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=659559
Checksums-Sha1:
 2e3ce9191f8f3c984dbd7a3e519cec28c00d52c4 2206 devscripts_2.10.67ubuntu1.1.dsc
 a8615b09eeb01f80f6c0cfba009d97324d010ad7 731220 devscripts_2.10.67ubuntu1.1.tar.gz
Checksums-Sha256:
 2181025811f6e383dd0a3944cc7b1d6c8fbf457f4263c86fa019d0fe1870279f 2206 devscripts_2.10.67ubuntu1.1.dsc
 2f863204a65ef890fb833ee5b49cd646bc877fc5f412ea9b38b9c175abfadac3 731220 devscripts_2.10.67ubuntu1.1.tar.gz
Files:
 9d5c4186b5b6b4cbf1d1dfb4bb423065 2206 devel optional devscripts_2.10.67ubuntu1.1.dsc
 52a377d4bce1cf88977e60b155d982f6 731220 devel optional devscripts_2.10.67ubuntu1.1.tar.gz
Original-Maintainer: Devscripts Devel Team

From chris.coulson at canonical.com Wed Feb 15 22:00:42 2012
From: chris.coulson at canonical.com (Chris Coulson)
Date: Wed, 15 Feb 2012 22:00:42 -0000
Subject: [ubuntu/maverick] adobe-flashplugin 11.1.102.62-0maverick1 (Accepted)
Message-ID: <20120215220042.11200.67968.launchpad@cocoplum.canonical.com>

adobe-flashplugin (11.1.102.62-0maverick1) maverick; urgency=low

  * Initial release of 11.1.102.62 for Maverick

Date: Wed, 15 Feb 2012 21:28:32 +0000
Changed-By: Chris Coulson
Maintainer: DL-Flash Player Ubuntu
https://launchpad.net/ubuntu/maverick/+source/adobe-flashplugin/11.1.102.62-0maverick1
-------------- next part --------------
Format: 1.8
Date: Wed, 15 Feb 2012 21:28:32 +0000
Source: adobe-flashplugin
Binary: adobe-flashplugin adobe-flash-properties-gtk adobe-flash-properties-kde
Architecture: source
Version: 11.1.102.62-0maverick1
Distribution: maverick
Urgency: low
Maintainer: DL-Flash Player Ubuntu
Changed-By: Chris Coulson
Description:
 adobe-flash-properties-gtk - GTK+ control panel for Adobe Flash Player plugin version 11
 adobe-flash-properties-kde - KDE control panel Adobe Flash Player plugin version 11
 adobe-flashplugin - Adobe Flash Player plugin version 11
Changes:
 adobe-flashplugin (11.1.102.62-0maverick1) maverick; urgency=low
 .
   * Initial release of 11.1.102.62 for Maverick
Checksums-Sha1:
 107009b88d81a30ac89c1dfbff519bcc4b087fa0 1736 adobe-flashplugin_11.1.102.62-0maverick1.dsc
 b93a63dc1bcbdf9e452d72f2aa9984d28730c40f 4658 adobe-flashplugin_11.1.102.62-0maverick1.diff.gz
Checksums-Sha256:
 698435535ea8fd035b7c5ad7d5dfd902210eca284bfc998cfecb63d060481c03 1736 adobe-flashplugin_11.1.102.62-0maverick1.dsc
 0c2f5cd8a4777b59a0e0c9ccf3d4719c1cb1d80b2db65d2dd12c2d18616102c3 4658 adobe-flashplugin_11.1.102.62-0maverick1.diff.gz
Files:
 2a7aff7fae268daf7eed9d301da7dbd5 1736 partner/web optional adobe-flashplugin_11.1.102.62-0maverick1.dsc
 3dbc2cddc65e52586d21121bac9c9014 4658 partner/web optional adobe-flashplugin_11.1.102.62-0maverick1.diff.gz

From marc.deslauriers at ubuntu.com Thu Feb 16 01:33:59 2012
From: marc.deslauriers at ubuntu.com (Marc Deslauriers)
Date: Thu, 16 Feb 2012 01:33:59 -0000
Subject: [ubuntu/maverick-security] flashplugin-nonfree, flashplugin-nonfree_11.1.102.62ubuntu0.10.10.1_i386_translations.tar.gz, flashplugin-nonfree_11.1.102.62ubuntu0.10.10.1_amd64_translations.tar.gz 11.1.102.62ubuntu0.10.10.1 (Accepted)
Message-ID: <20120216013359.28932.97927.launchpad@cocoplum.canonical.com>

flashplugin-nonfree (11.1.102.62ubuntu0.10.10.1) maverick-security; urgency=low

  * New upstream release 11.1.102.62
    - debian/{config,postinst}: Updated version and sha256sums.
    - CVE-2012-0752
    - CVE-2012-0753
    - CVE-2012-0754
    - CVE-2012-0755
    - CVE-2012-0756
    - CVE-2012-0757
  * Add native amd64 support (LP: #870835):
    - debian/control: clean up depends, remove lpia, update description.
      Adjust Homepage.
    - debian/postinst: use $DPKG_MAINTSCRIPT_ARCH to copy the right binary,
      remove old nspluginwrapper alternatives.
    - debian/rules: remove nspluginwrapper files.
    - debian/{config,postinst,prerm}: remove flashplugin-installer-unpackdir
      directory migration, this was before hardy.

Date: Wed, 15 Feb 2012 17:47:11 -0500
Changed-By: Marc Deslauriers
Maintainer: Ubuntu Developers
https://launchpad.net/ubuntu/maverick/+source/flashplugin-nonfree/11.1.102.62ubuntu0.10.10.1
-------------- next part --------------
Format: 1.8
Date: Wed, 15 Feb 2012 17:47:11 -0500
Source: flashplugin-nonfree
Binary: flashplugin-installer flashplugin-nonfree
Architecture: source
Version: 11.1.102.62ubuntu0.10.10.1
Distribution: maverick-security
Urgency: low
Maintainer: Ubuntu Developers
Changed-By: Marc Deslauriers
Description:
 flashplugin-installer - Adobe Flash Player plugin installer
 flashplugin-nonfree - Adobe Flash Player plugin installer (transitional package)
Launchpad-Bugs-Fixed: 870835
Changes:
 flashplugin-nonfree (11.1.102.62ubuntu0.10.10.1) maverick-security; urgency=low
 .
   * New upstream release 11.1.102.62
     - debian/{config,postinst}: Updated version and sha256sums.
     - CVE-2012-0752
     - CVE-2012-0753
     - CVE-2012-0754
     - CVE-2012-0755
     - CVE-2012-0756
     - CVE-2012-0757
   * Add native amd64 support (LP: #870835):
     - debian/control: clean up depends, remove lpia, update description.
       Adjust Homepage.
     - debian/postinst: use $DPKG_MAINTSCRIPT_ARCH to copy the right binary,
       remove old nspluginwrapper alternatives.
     - debian/rules: remove nspluginwrapper files.
     - debian/{config,postinst,prerm}: remove flashplugin-installer-unpackdir
       directory migration, this was before hardy.
Checksums-Sha1:
 67c4b4f5a9b20d77e0aa3a11ef58a43d3d2ffd58 1645 flashplugin-nonfree_11.1.102.62ubuntu0.10.10.1.dsc
 f9b96a57355fc254f33ced8a30852834956ef416 27568 flashplugin-nonfree_11.1.102.62ubuntu0.10.10.1.tar.gz
Checksums-Sha256:
 cb9b7630af9678889511e6c4d0abd4f3c249a41a2c25cccc95b4f7cf549d20ab 1645 flashplugin-nonfree_11.1.102.62ubuntu0.10.10.1.dsc
 2b0ec03f0574a4d64a09da2d5bc0a77e57c6693be18d4ea18357d4e117afc079 27568 flashplugin-nonfree_11.1.102.62ubuntu0.10.10.1.tar.gz
Files:
 213c75fc631520ccd27aaa8366321cd1 1645 contrib/web optional flashplugin-nonfree_11.1.102.62ubuntu0.10.10.1.dsc
 ea3e77caa07207b91f41246c5dbbf9f0 27568 contrib/web optional flashplugin-nonfree_11.1.102.62ubuntu0.10.10.1.tar.gz
Original-Maintainer: Bart Martens

From jamie at ubuntu.com Thu Feb 16 18:34:59 2012
From: jamie at ubuntu.com (Jamie Strandboge)
Date: Thu, 16 Feb 2012 18:34:59 -0000
Subject: [ubuntu/maverick-security] libpng 1.2.44-1ubuntu0.2 (Accepted)
Message-ID: <20120216183459.23778.65032.launchpad@cocoplum.canonical.com>

libpng (1.2.44-1ubuntu0.2) maverick-security; urgency=low

  * SECURITY UPDATE: fix integer overflow / truncation
    - debian/patches/05-CVE-2011-3026.patch: adjust pngrutil.c to verify size
      when allocating memory in png_decompress_chunk()
    - CVE-2011-3026

Date: Wed, 15 Feb 2012 21:18:29 -0600
Changed-By: Jamie Strandboge
Maintainer: Ubuntu Developers
https://launchpad.net/ubuntu/maverick/+source/libpng/1.2.44-1ubuntu0.2
-------------- next part --------------
Format: 1.8
Date: Wed, 15 Feb 2012 21:18:29 -0600
Source: libpng
Binary: libpng12-0 libpng12-dev libpng3 libpng12-0-udeb
Architecture: source
Version: 1.2.44-1ubuntu0.2
Distribution: maverick-security
Urgency: low
Maintainer: Ubuntu Developers
Changed-By: Jamie Strandboge
Description:
 libpng12-0 - PNG library - runtime
 libpng12-0-udeb - PNG library - minimal runtime library (udeb)
 libpng12-dev - PNG library - development
 libpng3 - PNG library - runtime
Changes:
 libpng (1.2.44-1ubuntu0.2) maverick-security; urgency=low
 .
   * SECURITY UPDATE: fix integer overflow / truncation
     - debian/patches/05-CVE-2011-3026.patch: adjust pngrutil.c to verify size
       when allocating memory in png_decompress_chunk()
     - CVE-2011-3026
Checksums-Sha1:
 08216bb69964d3a3ed4a85208ecaa3e765a33a50 1939 libpng_1.2.44-1ubuntu0.2.dsc
 d0e885088b9c2068790091e3111c2a8be2661388 16835 libpng_1.2.44-1ubuntu0.2.debian.tar.bz2
Checksums-Sha256:
 dce3999687decfe77e5a0d02b2864410388713ceb1e85a9e8d144a5f0d3e491b 1939 libpng_1.2.44-1ubuntu0.2.dsc
 d875a54944c81b9a09a64b30039821418d2d2cfdf0b5a5975224b19ae824de3d 16835 libpng_1.2.44-1ubuntu0.2.debian.tar.bz2
Files:
 2f5035ea3d6a6fe101e2b2a27d5c890e 1939 libs optional libpng_1.2.44-1ubuntu0.2.dsc
 da18bce8a39ebfe33f4dec06b7f858b3 16835 libs optional libpng_1.2.44-1ubuntu0.2.debian.tar.bz2
Original-Maintainer: Anibal Monsalve Salazar

From marc.deslauriers at ubuntu.com Thu Feb 16 18:35:29 2012
From: marc.deslauriers at ubuntu.com (Marc Deslauriers)
Date: Thu, 16 Feb 2012 18:35:29 -0000
Subject: [ubuntu/maverick-security] update-manager_0.142.23.2_powerpc_translations.tar.gz, update-manager, update-manager_0.142.23.2_i386_translations.tar.gz, dist-upgrader_0.142.23.2_all.tar.gz, update-manager_0.142.23.2_amd64_translations.tar.gz, update-manager_0.142.23.2_armel_translations.tar.gz 1:0.142.23.2 (Accepted)
Message-ID: <20120216183529.23778.28532.launchpad@cocoplum.canonical.com>

update-manager (1:0.142.23.2) maverick-security; urgency=low

  * REGRESSION FIX:
    - DistUpgrade/DistUpgradeViewKDE.py: fix regression caused by improper
      return value handling. (LP: #933225)

Date: Wed, 15 Feb 2012 22:45:27 -0500
Changed-By: Marc Deslauriers
Maintainer: Michael Vogt
https://launchpad.net/ubuntu/maverick/+source/update-manager/1:0.142.23.2
-------------- next part --------------
Format: 1.8
Date: Wed, 15 Feb 2012 22:45:27 -0500
Source: update-manager
Binary: update-manager-core update-manager update-manager-hildon update-manager-text update-manager-kde auto-upgrade-tester
Architecture: source
Version: 1:0.142.23.2
Distribution: maverick-security
Urgency: low
Maintainer: Michael Vogt
Changed-By: Marc Deslauriers
Description:
 auto-upgrade-tester - Test release upgrades in a virtual environment
 update-manager - GNOME application that manages apt updates
 update-manager-core - manage release upgrades
 update-manager-hildon - Hildon application that manages apt updates
 update-manager-kde - Support modules for KPackageKit
 update-manager-text - Text application that manages apt updates
Launchpad-Bugs-Fixed: 933225
Changes:
 update-manager (1:0.142.23.2) maverick-security; urgency=low
 .
   * REGRESSION FIX:
     - DistUpgrade/DistUpgradeViewKDE.py: fix regression caused by improper
       return value handling. (LP: #933225)
Checksums-Sha1:
 b3a6e497767ab4c696b6b857a5de8c0eeacc2db8 1858 update-manager_0.142.23.2.dsc
 c6e4147c83a1061d013888dfaaef01853dfbd538 2915141 update-manager_0.142.23.2.tar.gz
Checksums-Sha256:
 a753eaf0fcd498aa0457cd162e2806b06d566f97e542d9ea9ed410595465d260 1858 update-manager_0.142.23.2.dsc
 fc9f7cddf4c5526b89fb9cd3a3e1ac1245dd96faa397a29400b8eb017579d1c6 2915141 update-manager_0.142.23.2.tar.gz
Files:
 dc0699866168de0e26aa8555ed96046e 1858 gnome optional update-manager_0.142.23.2.dsc
 880c8bf43cb3364618d6771c6d083a6c 2915141 gnome optional update-manager_0.142.23.2.tar.gz

From marc.deslauriers at ubuntu.com Thu Feb 16 19:34:35 2012
From: marc.deslauriers at ubuntu.com (Marc Deslauriers)
Date: Thu, 16 Feb 2012 19:34:35 -0000
Subject: [ubuntu/maverick-security] apache2 2.2.16-1ubuntu3.5 (Accepted)
Message-ID: <20120216193435.14530.61610.launchpad@cocoplum.canonical.com>

apache2 (2.2.16-1ubuntu3.5) maverick-security; urgency=low

  * SECURITY UPDATE: arbitrary code execution via crafted SetEnvIf directive
    (LP: #811422)
    - debian/patches/215_CVE-2011-3607.dpatch: validate length in
      server/util.c.
    - CVE-2011-3607
  * SECURITY UPDATE: another mod_proxy reverse proxy exposure
    - debian/patches/216_CVE-2011-4317.dpatch: validate additional URIs in
      modules/mappers/mod_rewrite.c, modules/proxy/mod_proxy.c,
      server/protocol.c.
    - CVE-2011-4317
  * SECURITY UPDATE: denial of service and possible code execution via type
    field modification within a scoreboard shared memory segment
    - debian/patches/218_CVE-2012-0031.dpatch: check type field in
      server/scoreboard.c.
    - CVE-2012-0031
  * SECURITY UPDATE: cookie disclosure via Bad Request errors
    - debian/patches/219_CVE-2012-0053.dpatch: check lengths in
      server/protocol.c.
- CVE-2012-0053 Date: Tue, 14 Feb 2012 10:11:29 -0500 Changed-By: Marc Deslauriers Maintainer: Ubuntu Developers https://launchpad.net/ubuntu/maverick/+source/apache2/2.2.16-1ubuntu3.5 -------------- next part -------------- Format: 1.8 Date: Tue, 14 Feb 2012 10:11:29 -0500 Source: apache2 Binary: apache2.2-common apache2.2-bin apache2-mpm-worker apache2-mpm-prefork apache2-mpm-event apache2-mpm-itk apache2-utils apache2-suexec apache2-suexec-custom apache2 apache2-doc apache2-prefork-dev apache2-threaded-dev apache2-dbg Architecture: source Version: 2.2.16-1ubuntu3.5 Distribution: maverick-security Urgency: low Maintainer: Ubuntu Developers Changed-By: Marc Deslauriers Description: apache2 - Apache HTTP Server metapackage apache2-dbg - Apache debugging symbols apache2-doc - Apache HTTP Server documentation apache2-mpm-event - Apache HTTP Server - event driven model apache2-mpm-itk - multiuser MPM for Apache 2.2 apache2-mpm-prefork - Apache HTTP Server - traditional non-threaded model apache2-mpm-worker - Apache HTTP Server - high speed threaded model apache2-prefork-dev - Apache development headers - non-threaded MPM apache2-suexec - Standard suexec program for Apache 2 mod_suexec apache2-suexec-custom - Configurable suexec program for Apache 2 mod_suexec apache2-threaded-dev - Apache development headers - threaded MPM apache2-utils - utility programs for webservers apache2.2-bin - Apache HTTP Server common binary files apache2.2-common - Apache HTTP Server common files Launchpad-Bugs-Fixed: 811422 Changes: apache2 (2.2.16-1ubuntu3.5) maverick-security; urgency=low . * SECURITY UPDATE: arbitrary code execution via crafted SetEnvIf directive (LP: #811422) - debian/patches/215_CVE-2011-3607.dpatch: validate length in server/util.c. - CVE-2011-3607 * SECURITY UPDATE: another mod_proxy reverse proxy exposure - debian/patches/216_CVE-2011-4317.dpatch: validate additional URIs in modules/mappers/mod_rewrite.c, modules/proxy/mod_proxy.c, server/protocol.c. 
- CVE-2011-4317 * SECURITY UPDATE: denial of service and possible code execution via type field modification within a scoreboard shared memory segment - debian/patches/218_CVE-2012-0031.dpatch: check type field in server/scoreboard.c. - CVE-2012-0031 * SECURITY UPDATE: cookie disclosure via Bad Request errors - debian/patches/219_CVE-2012-0053.dpatch: check lengths in server/protocol.c. - CVE-2012-0053 Checksums-Sha1: 14a7b190bb244dcfc73433dcc9fb7624f89ea03f 2686 apache2_2.2.16-1ubuntu3.5.dsc a61dc7b5b7d088df815c65d92ce80790b476766c 225073 apache2_2.2.16-1ubuntu3.5.diff.gz Checksums-Sha256: 4fe78267c4f66d8fbe89a3e2a360da81c306caed423a842280762ca5aedeac6b 2686 apache2_2.2.16-1ubuntu3.5.dsc 771696accf5b5e800e8222fa3378bf33b3d30b53cb35fe8a96cfc14121cf85df 225073 apache2_2.2.16-1ubuntu3.5.diff.gz Files: 1885a773e20007afc5ec70befb1bef8d 2686 httpd optional apache2_2.2.16-1ubuntu3.5.dsc e574ee7d9d5687712bb191637f291a42 225073 httpd optional apache2_2.2.16-1ubuntu3.5.diff.gz Original-Maintainer: Debian Apache Maintainers Original-Vcs-Browser: http://svn.debian.org/wsvn/pkg-apache/trunk/apache2 Original-Vcs-Svn: svn://svn.debian.org/pkg-apache/trunk/apache2 From marc.deslauriers at ubuntu.com Fri Feb 17 02:33:40 2012 From: marc.deslauriers at ubuntu.com (Marc Deslauriers) Date: Fri, 17 Feb 2012 02:33:40 -0000 Subject: [ubuntu/maverick-security] flashplugin-nonfree, flashplugin-nonfree_11.1.102.62ubuntu0.10.10.2_i386_translations.tar.gz, flashplugin-nonfree_11.1.102.62ubuntu0.10.10.2_amd64_translations.tar.gz 11.1.102.62ubuntu0.10.10.2 (Accepted) Message-ID: <20120217023340.32154.16651.launchpad@cocoplum.canonical.com> flashplugin-nonfree (11.1.102.62ubuntu0.10.10.2) maverick-security; urgency=low * Fix use of dpkg-reconfigure by not using $DPKG_MAINTSCRIPT_ARCH (LP: #933484) - debian/postinst.in: renamed from postinst and replaced $DPKG_MAINTSCRIPT_ARCH with #ARCH#. - debian/rules: replace #ARCH# in postinst.in with $DEB_HOST_ARCH during build. 
    - debian/prerm: also clean out subdirectories in
      /var/cache/flashplugin-installer.
  * postinst.in: use "mega" style by default so we stop filling up log files.
    (LP: #872723)

Date: Thu, 16 Feb 2012 19:01:39 -0500
Changed-By: Marc Deslauriers
Maintainer: Ubuntu Developers
https://launchpad.net/ubuntu/maverick/+source/flashplugin-nonfree/11.1.102.62ubuntu0.10.10.2
-------------- next part --------------
Format: 1.8
Date: Thu, 16 Feb 2012 19:01:39 -0500
Source: flashplugin-nonfree
Binary: flashplugin-installer flashplugin-nonfree
Architecture: source
Version: 11.1.102.62ubuntu0.10.10.2
Distribution: maverick-security
Urgency: low
Maintainer: Ubuntu Developers
Changed-By: Marc Deslauriers
Description:
 flashplugin-installer - Adobe Flash Player plugin installer
 flashplugin-nonfree - Adobe Flash Player plugin installer (transitional package)
Launchpad-Bugs-Fixed: 872723 933484
Changes:
 flashplugin-nonfree (11.1.102.62ubuntu0.10.10.2) maverick-security; urgency=low
 .
   * Fix use of dpkg-reconfigure by not using $DPKG_MAINTSCRIPT_ARCH
     (LP: #933484)
     - debian/postinst.in: renamed from postinst and replaced
       $DPKG_MAINTSCRIPT_ARCH with #ARCH#.
     - debian/rules: replace #ARCH# in postinst.in with $DEB_HOST_ARCH during
       build.
     - debian/prerm: also clean out subdirectories in
       /var/cache/flashplugin-installer.
   * postinst.in: use "mega" style by default so we stop filling up log files.
     (LP: #872723)
Checksums-Sha1:
 53560a9d5e508ba7bcb895574ec1b5a72f62fd0d 1645 flashplugin-nonfree_11.1.102.62ubuntu0.10.10.2.dsc
 a0a47cc2376bffeff279349bbb7bfdc9b125ff88 27522 flashplugin-nonfree_11.1.102.62ubuntu0.10.10.2.tar.gz
Checksums-Sha256:
 0ddaea37d7ebd85fb5e0dd4d9a1156cb1608612f0ad25b421a53f50fdc9705dc 1645 flashplugin-nonfree_11.1.102.62ubuntu0.10.10.2.dsc
 9052e55b69521930db96c1f83048707aa7b57285f1db04e266a3afb545dfedd3 27522 flashplugin-nonfree_11.1.102.62ubuntu0.10.10.2.tar.gz
Files:
 e5fc96a7c53970d59bad2084c86949ef 1645 contrib/web optional flashplugin-nonfree_11.1.102.62ubuntu0.10.10.2.dsc
 06dda549877862735521822836fbea7e 27522 contrib/web optional flashplugin-nonfree_11.1.102.62ubuntu0.10.10.2.tar.gz
Original-Maintainer: Bart Martens

From marc.deslauriers at ubuntu.com Mon Feb 20 01:04:15 2012
From: marc.deslauriers at ubuntu.com (Marc Deslauriers)
Date: Mon, 20 Feb 2012 01:04:15 -0000
Subject: [ubuntu/maverick-security] mumble_1.2.2-4ubuntu0.2_amd64_translations.tar.gz, mumble, mumble_1.2.2-4ubuntu0.2_i386_translations.tar.gz, mumble_1.2.2-4ubuntu0.2_armel_translations.tar.gz, mumble_1.2.2-4ubuntu0.2_powerpc_translations.tar.gz 1.2.2-4ubuntu0.2 (Accepted)
Message-ID: <20120220010415.17368.39178.launchpad@cocoplum.canonical.com>

mumble (1.2.2-4ubuntu0.2) maverick-security; urgency=low

  * SECURITY UPDATE: credential disclosure via incorrect permissions
    (LP: #783405)
    - debian/patches/0004-set-file-permissions.patch: Set restrictive
      permissions on data files.
    - CVE-2012-0863

Date: Fri, 17 Feb 2012 09:31:21 -0500
Changed-By: Marc Deslauriers
Maintainer: Ubuntu Developers
https://launchpad.net/ubuntu/maverick/+source/mumble/1.2.2-4ubuntu0.2
-------------- next part --------------
Format: 1.8
Date: Fri, 17 Feb 2012 09:31:21 -0500
Source: mumble
Binary: mumble mumble-11x mumble-server mumble-dbg mumble-server-web
Architecture: source
Version: 1.2.2-4ubuntu0.2
Distribution: maverick-security
Urgency: low
Maintainer: Ubuntu Developers
Changed-By: Marc Deslauriers
Description:
 mumble     - Low latency VoIP client
 mumble-11x - Low latency VoIP client (1.1.x)
 mumble-dbg - Low latency VoIP client (debugging symbols)
 mumble-server - Low latency VoIP server
 mumble-server-web - Web scripts for mumble-server
Launchpad-Bugs-Fixed: 783405
Changes:
 mumble (1.2.2-4ubuntu0.2) maverick-security; urgency=low
 .
   * SECURITY UPDATE: credential disclosure via incorrect permissions
     (LP: #783405)
     - debian/patches/0004-set-file-permissions.patch: Set restrictive
       permissions on data files.
     - CVE-2012-0863
Checksums-Sha1:
 1e713165343adb9f6f71af3713b72299b71a737c 2637 mumble_1.2.2-4ubuntu0.2.dsc
 614b8aa486d36930c3cb02b07fcca3a0faf2b7a6 32036 mumble_1.2.2-4ubuntu0.2.debian.tar.gz
Checksums-Sha256:
 d142d83021d8c4480919825f4d270b1bd5ba01490ce89d5b3769fa2b0ea949f5 2637 mumble_1.2.2-4ubuntu0.2.dsc
 c607f7c627daed7428c20ce0b25d5ec204d9a8fb79ab37e7e9e4019c17f30bb2 32036 mumble_1.2.2-4ubuntu0.2.debian.tar.gz
Files:
 0b0886e31623160c128f74bc33eab15b 2637 sound optional mumble_1.2.2-4ubuntu0.2.dsc
 a14ea2cb6eb139528b0fe3fafe6aed49 32036 sound optional mumble_1.2.2-4ubuntu0.2.debian.tar.gz
Original-Maintainer: Debian VoIP Team

From marc.deslauriers at ubuntu.com Mon Feb 20 18:04:13 2012
From: marc.deslauriers at ubuntu.com (Marc Deslauriers)
Date: Mon, 20 Feb 2012 18:04:13 -0000
Subject: [ubuntu/maverick-security] libvorbis 1.3.1-1ubuntu0.1 (Accepted)
Message-ID: <20120220180413.12145.83251.launchpad@cocoplum.canonical.com>

libvorbis (1.3.1-1ubuntu0.1) maverick-security; urgency=low

  * SECURITY UPDATE: denial of service and possible code execution
    - lib/floor1.c: validate count.
    - https://trac.xiph.org/changeset/18151
    - CVE-2012-0444

Date: Fri, 17 Feb 2012 15:29:02 -0500
Changed-By: Marc Deslauriers
Maintainer: Ubuntu Developers
https://launchpad.net/ubuntu/maverick/+source/libvorbis/1.3.1-1ubuntu0.1
-------------- next part --------------
Format: 1.8
Date: Fri, 17 Feb 2012 15:29:02 -0500
Source: libvorbis
Binary: libvorbis0a libvorbisenc2 libvorbisfile3 libvorbis-dev libvorbis-dbg
Architecture: source
Version: 1.3.1-1ubuntu0.1
Distribution: maverick-security
Urgency: low
Maintainer: Ubuntu Developers
Changed-By: Marc Deslauriers
Description:
 libvorbis-dbg - The Vorbis General Audio Compression Codec (debug files)
 libvorbis-dev - The Vorbis General Audio Compression Codec (development files)
 libvorbis0a - The Vorbis General Audio Compression Codec (Decoder library)
 libvorbisenc2 - The Vorbis General Audio Compression Codec (Encoder library)
 libvorbisfile3 - The Vorbis General Audio Compression Codec (High Level API)
Changes:
 libvorbis (1.3.1-1ubuntu0.1) maverick-security; urgency=low
 .
   * SECURITY UPDATE: denial of service and possible code execution
     - lib/floor1.c: validate count.
     - https://trac.xiph.org/changeset/18151
     - CVE-2012-0444
Checksums-Sha1:
 736928ef0fe2801acd105e8c26dc5778be673b7d 1988 libvorbis_1.3.1-1ubuntu0.1.dsc
 5627cd462a8907c80ca3515bbdebea84303cf02a 7602 libvorbis_1.3.1-1ubuntu0.1.diff.gz
Checksums-Sha256:
 ee6e9fdbab26d4418799984e8344bc1a0761521a78aa0f05088d55e201507105 1988 libvorbis_1.3.1-1ubuntu0.1.dsc
 170cb617fd37d9ba85a4a56767b773a10e8f64be535f88c2eb3784f85eedc1bc 7602 libvorbis_1.3.1-1ubuntu0.1.diff.gz
Files:
 0a45382457b5ccd3bc1fa3f3dc354138 1988 libs optional libvorbis_1.3.1-1ubuntu0.1.dsc
 83caca0869fc4019cd06cd3f9d188ab4 7602 libs optional libvorbis_1.3.1-1ubuntu0.1.diff.gz
Original-Maintainer: Debian Xiph.org Maintainers

From marc.deslauriers at ubuntu.com Wed Feb 22 15:33:37 2012
From: marc.deslauriers at ubuntu.com (Marc Deslauriers)
Date: Wed, 22 Feb 2012 15:33:37 -0000
Subject: [ubuntu/maverick-security] cvs_1.12.13-12ubuntu1.10.10.1_i386_translations.tar.gz, cvs_1.12.13-12ubuntu1.10.10.1_amd64_translations.tar.gz, cvs_1.12.13-12ubuntu1.10.10.1_armel_translations.tar.gz, cvs, cvs_1.12.13-12ubuntu1.10.10.1_powerpc_translations.tar.gz 1:1.12.13-12ubuntu1.10.10.1 (Accepted)
Message-ID: <20120222153337.16482.23265.launchpad@cocoplum.canonical.com>

cvs (1:1.12.13-12ubuntu1.10.10.1) maverick-security; urgency=low

  * SECURITY UPDATE: arbitrary code execution via heap overflow
    - debian/patches/99ubuntu002-CVE-2012-0804.diff: remove use of write_buf
      in src/client.c.
    - CVE-2012-0804

Date: Mon, 13 Feb 2012 11:39:57 -0500
Changed-By: Marc Deslauriers
Maintainer: Ubuntu Developers
https://launchpad.net/ubuntu/maverick/+source/cvs/1:1.12.13-12ubuntu1.10.10.1
-------------- next part --------------
Format: 1.8
Date: Mon, 13 Feb 2012 11:39:57 -0500
Source: cvs
Binary: cvs
Architecture: source
Version: 1:1.12.13-12ubuntu1.10.10.1
Distribution: maverick-security
Urgency: low
Maintainer: Ubuntu Developers
Changed-By: Marc Deslauriers
Description:
 cvs        - Concurrent Versions System
Changes:
 cvs (1:1.12.13-12ubuntu1.10.10.1) maverick-security; urgency=low
 .
   * SECURITY UPDATE: arbitrary code execution via heap overflow
     - debian/patches/99ubuntu002-CVE-2012-0804.diff: remove use of write_buf
       in src/client.c.
     - CVE-2012-0804
Checksums-Sha1:
 b027617a4f346c0cf2b4002fb55d2b3cb020aeae 1912 cvs_1.12.13-12ubuntu1.10.10.1.dsc
 07273beb364ca5a08b70b13b91d753adb653cfcb 108288 cvs_1.12.13-12ubuntu1.10.10.1.diff.gz
Checksums-Sha256:
 0c18aefa9ee2e7411560ea8e2c7459d913f8ef6335c01d4d34211f04f27e67ee 1912 cvs_1.12.13-12ubuntu1.10.10.1.dsc
 7e73d7accd1342bf08c94a5800af9bd9608d44e13241a757ddec8e1de258c3ee 108288 cvs_1.12.13-12ubuntu1.10.10.1.diff.gz
Files:
 2e2297d43ad06b6adeeeb72b1667ce6b 1912 devel optional cvs_1.12.13-12ubuntu1.10.10.1.dsc
 6ae69e06714e6534b0ec4d58dc2e7af3 108288 devel optional cvs_1.12.13-12ubuntu1.10.10.1.diff.gz
Original-Maintainer: Steve McIntyre <93sam at debian.org>

From jamie at ubuntu.com Thu Feb 23 13:03:43 2012
From: jamie at ubuntu.com (Jamie Strandboge)
Date: Thu, 23 Feb 2012 13:03:43 -0000
Subject: [ubuntu/maverick-security] puppet 2.6.1-0ubuntu2.6 (Accepted)
Message-ID: <20120223130343.19506.51596.launchpad@cocoplum.canonical.com>

puppet (2.6.1-0ubuntu2.6) maverick-security; urgency=low

  * SECURITY UPDATE: correctly drop group privileges
    - debian/patches/CVE-2012-1053_CVE-2012-1054.patch
    - CVE-2012-1053
  * SECURITY UPDATE: properly handle symlinks with Klogin
    - debian/patches/CVE-2012-1053_CVE-2012-1054.patch
    - CVE-2012-1054

Date: Thu, 16 Feb 2012 13:21:42 -0600
Changed-By: Jamie Strandboge
Maintainer: Ubuntu Developers
https://launchpad.net/ubuntu/maverick/+source/puppet/2.6.1-0ubuntu2.6
-------------- next part --------------
Format: 1.8
Date: Thu, 16 Feb 2012 13:21:42 -0600
Source: puppet
Binary: puppet puppetmaster-common puppetmaster puppetmaster-passenger puppet-common vim-puppet puppet-el puppet-testsuite
Architecture: source
Version: 2.6.1-0ubuntu2.6
Distribution: maverick-security
Urgency: low
Maintainer: Ubuntu Developers
Changed-By: Jamie Strandboge
Description:
 puppet     - Centralized configuration management - agent startup and compatib
 puppet-common - Centralized configuration management
 puppet-el  - syntax highlighting for puppet manifests in emacs
 puppet-testsuite - Centralized configuration management - test suite
 puppetmaster - Centralized configuration management - master startup and compati
 puppetmaster-common - Puppet master common scripts
 puppetmaster-passenger - Centralised configuration management - master setup to run under
 vim-puppet - syntax highlighting for puppet manifests in vim
Changes:
 puppet (2.6.1-0ubuntu2.6) maverick-security; urgency=low
 .
   * SECURITY UPDATE: correctly drop group privileges
     - debian/patches/CVE-2012-1053_CVE-2012-1054.patch
     - CVE-2012-1053
   * SECURITY UPDATE: properly handle symlinks with Klogin
     - debian/patches/CVE-2012-1053_CVE-2012-1054.patch
     - CVE-2012-1054
Checksums-Sha1:
 7c262ca9c9fcad8a164f6305b5446b2ab359bf4f 2296 puppet_2.6.1-0ubuntu2.6.dsc
 ce54b53a47cb37d41917116ea7a9cf1a533d4c53 98982 puppet_2.6.1-0ubuntu2.6.debian.tar.gz
Checksums-Sha256:
 9beb06c9eca8482b44b52d9202839a7f0708fc12284f8c39464d75644f1b0a1c 2296 puppet_2.6.1-0ubuntu2.6.dsc
 c3dcb510e8bccb4039fc2668efb0b03faff44af8bd9431462dd098b9a82ad334 98982 puppet_2.6.1-0ubuntu2.6.debian.tar.gz
Files:
 9e0a3b0a13a5613e0152c9654764053b 2296 admin optional puppet_2.6.1-0ubuntu2.6.dsc
 f17d93e6a22c882f697350648539526d 98982 admin optional puppet_2.6.1-0ubuntu2.6.debian.tar.gz
Original-Maintainer: Puppet Package Maintainers

From sbeattie at ubuntu.com Thu Feb 23 21:34:40 2012
From: sbeattie at ubuntu.com (Steve Beattie)
Date: Thu, 23 Feb 2012 21:34:40 -0000
Subject: [ubuntu/maverick-security] fex 20100208+debian1-1+squeeze2build0.10.10.1 (Accepted)
Message-ID: <20120223213440.3278.77250.launchpad@cocoplum.canonical.com>

fex (20100208+debian1-1+squeeze2build0.10.10.1) maverick-security; urgency=low

  * fake sync from Debian

fex (20100208+debian1-1+squeeze2) stable-security; urgency=high

  * Add debian/patches/08_xss.patch (backported from and by upstream) to fix
    XSS (Closes: #660621)
    - CVE-2012-0869

Date: Wed, 22 Feb 2012 09:40:49 -0800
Changed-By: Steve Beattie
Maintainer: Giuseppe Iuculano
https://launchpad.net/ubuntu/maverick/+source/fex/20100208+debian1-1+squeeze2build0.10.10.1
-------------- next part --------------
Format: 1.8
Date: Wed, 22 Feb 2012 09:40:49 -0800
Source: fex
Binary: fex fex-utils
Architecture: source
Version: 20100208+debian1-1+squeeze2build0.10.10.1
Distribution: maverick-security
Urgency: high
Maintainer: Giuseppe Iuculano
Changed-By: Steve Beattie
Description:
 fex        - web service for transferring very large files
 fex-utils  - web service for transferring very large files (utils)
Closes: 660621
Changes:
 fex (20100208+debian1-1+squeeze2build0.10.10.1) maverick-security; urgency=low
 .
   * fake sync from Debian
 .
 fex (20100208+debian1-1+squeeze2) stable-security; urgency=high
 .
   * Add debian/patches/08_xss.patch (backported from and by upstream) to fix
     XSS (Closes: #660621)
     - CVE-2012-0869
Checksums-Sha1:
 62536762a8db3a020e1e218ff620fa14bf5befce 1951 fex_20100208+debian1-1+squeeze2build0.10.10.1.dsc
 f44c4a016a7ec1ed52c7997fbf9106d8649e334d 9497 fex_20100208+debian1-1+squeeze2build0.10.10.1.diff.gz
Checksums-Sha256:
 cbc15196d5ec0d0ddb7b29b57b6da3e0b560c770755a0189aad0f9b3c709ffc3 1951 fex_20100208+debian1-1+squeeze2build0.10.10.1.dsc
 622a4b1ba1d63b709794380160354eef783b79a43d036b7ba67888bf053c4709 9497 fex_20100208+debian1-1+squeeze2build0.10.10.1.diff.gz
Files:
 df3ce1803ad4a635ddea9bf9aa10e216 1951 web optional fex_20100208+debian1-1+squeeze2build0.10.10.1.dsc
 52820a198308a08d9afdc7c85d9ba79e 9497 web optional fex_20100208+debian1-1+squeeze2build0.10.10.1.diff.gz

From sbeattie at ubuntu.com Thu Feb 23 22:36:28 2012
From: sbeattie at ubuntu.com (Steve Beattie)
Date: Thu, 23 Feb 2012 22:36:28 -0000
Subject: [ubuntu/maverick-security] openjdk-6 6b20-1.9.13-0ubuntu1~10.10.1 (Accepted)
Message-ID: <20120223223628.24934.42345.launchpad@cocoplum.canonical.com>

openjdk-6 (6b20-1.9.13-0ubuntu1~10.10.1) maverick-security; urgency=low

  * SECURITY UPDATE: update to IcedTea 6 1.9.13
    - Security fixes:
      - S7082299, CVE-2011-3571: Fix in AtomicReferenceArray
      - S7088367, CVE-2011-3563: Fix issues in java sound
      - S7110683, CVE-2012-0502: Issues with some KeyboardFocusManager method
      - S7110687, CVE-2012-0503: Issues with TimeZone class
      - S7110700, CVE-2012-0505: Enhance exception throwing mechanism in
        ObjectStreamClass
      - S7110704, CVE-2012-0506: Issues with some method in corba
      - S7112642, CVE-2012-0497: Incorrect checking for graphics rendering
        object
      - S7118283, CVE-2012-0501: Better input parameter checking in zip file
        processing
      - S7126960, CVE-2011-5035: (httpserver) Add property to limit number of
        request headers to the HTTP Server
    - Bug fixes:
      - S7102369, RH751203: remove java.rmi.server.codebase property parsing
        from registryimpl
      - S7094468, RH751203: rmiregistry clean up
      - S6851973, PR830: ignore incoming channel binding if acceptor does not
        set one
  * drop debian/patches/openjdk-7103725-ssl_beast_regression.patch as it's
    included in the upstream release.

Date: Wed, 15 Feb 2012 14:30:55 -0800
Changed-By: Steve Beattie
Maintainer: Ubuntu Developers
https://launchpad.net/ubuntu/maverick/+source/openjdk-6/6b20-1.9.13-0ubuntu1~10.10.1
-------------- next part --------------
Format: 1.8
Date: Wed, 15 Feb 2012 14:30:55 -0800
Source: openjdk-6
Binary: openjdk-6-jdk openjdk-6-jre-headless openjdk-6-jre openjdk-6-jre-lib openjdk-6-demo openjdk-6-source openjdk-6-doc openjdk-6-dbg icedtea6-plugin icedtea-6-jre-cacao openjdk-6-jre-zero
Architecture: source
Version: 6b20-1.9.13-0ubuntu1~10.10.1
Distribution: maverick-security
Urgency: low
Maintainer: Ubuntu Developers
Changed-By: Steve Beattie
Description:
 icedtea-6-jre-cacao - Alternative JVM for OpenJDK, using Cacao
 icedtea6-plugin - web browser plugin based on OpenJDK and IcedTea to execute Java a
 openjdk-6-dbg - Java runtime based on OpenJDK (debugging symbols)
 openjdk-6-demo - Java runtime based on OpenJDK (demos and examples)
 openjdk-6-doc - OpenJDK Development Kit (JDK) documentation
 openjdk-6-jdk - OpenJDK Development Kit (JDK)
 openjdk-6-jre - OpenJDK Java runtime, using ${vm:Name}
 openjdk-6-jre-headless - OpenJDK Java runtime, using ${vm:Name} (headless)
 openjdk-6-jre-lib - OpenJDK Java runtime (architecture independent libraries)
 openjdk-6-jre-zero - Alternative JVM for OpenJDK, using Zero/Shark
 openjdk-6-source - OpenJDK Development Kit (JDK) source files
Changes:
 openjdk-6 (6b20-1.9.13-0ubuntu1~10.10.1) maverick-security; urgency=low
 .
   * SECURITY UPDATE: update to IcedTea 6 1.9.13
     - Security fixes:
       - S7082299, CVE-2011-3571: Fix in AtomicReferenceArray
       - S7088367, CVE-2011-3563: Fix issues in java sound
       - S7110683, CVE-2012-0502: Issues with some KeyboardFocusManager method
       - S7110687, CVE-2012-0503: Issues with TimeZone class
       - S7110700, CVE-2012-0505: Enhance exception throwing mechanism in
         ObjectStreamClass
       - S7110704, CVE-2012-0506: Issues with some method in corba
       - S7112642, CVE-2012-0497: Incorrect checking for graphics rendering
         object
       - S7118283, CVE-2012-0501: Better input parameter checking in zip file
         processing
       - S7126960, CVE-2011-5035: (httpserver) Add property to limit number of
         request headers to the HTTP Server
     - Bug fixes:
       - S7102369, RH751203: remove java.rmi.server.codebase property parsing
         from registryimpl
       - S7094468, RH751203: rmiregistry clean up
       - S6851973, PR830: ignore incoming channel binding if acceptor does not
         set one
   * drop debian/patches/openjdk-7103725-ssl_beast_regression.patch as it's
     included in the upstream release.
Checksums-Sha1:
 0644e88ec926a0a79d6f073aaeb2353ce460a066 3122 openjdk-6_6b20-1.9.13-0ubuntu1~10.10.1.dsc
 2d66ac45635ab374bef46c710877bdf23078389c 73935529 openjdk-6_6b20-1.9.13.orig.tar.gz
 ef1e1782f1b5b10a33a7603481d4a50adcdbbac6 138070 openjdk-6_6b20-1.9.13-0ubuntu1~10.10.1.diff.gz
Checksums-Sha256:
 cb57cf06ff7042092ec1d1cb8e24b658e2f087e44870e2b349db43cb48e58f2b 3122 openjdk-6_6b20-1.9.13-0ubuntu1~10.10.1.dsc
 41e4e8573b6e66774810f43e1e2f01a09a22b13b66135fa8e892c5eb0fa75e76 73935529 openjdk-6_6b20-1.9.13.orig.tar.gz
 486d2419d9bde877391204688e922543a383d9569cbbf7eebcc84ade3671b601 138070 openjdk-6_6b20-1.9.13-0ubuntu1~10.10.1.diff.gz
Files:
 0bdb60f7d7e4f0e04756d452e5e1cc29 3122 java optional openjdk-6_6b20-1.9.13-0ubuntu1~10.10.1.dsc
 377eace2085d523080c1607496f5f363 73935529 java optional openjdk-6_6b20-1.9.13.orig.tar.gz
 c6258ac6674f91319dffaf17c4441a19 138070 java optional openjdk-6_6b20-1.9.13-0ubuntu1~10.10.1.diff.gz
Original-Maintainer: OpenJDK Team

From evan at ebroder.net Sat Feb 25 07:20:07 2012
From: evan at ebroder.net (Evan Broder)
Date: Sat, 25 Feb 2012 07:20:07 -0000
Subject: [ubuntu/maverick-proposed] insserv 1.14.0-2ubuntu0.10.10.1 (Accepted)
Message-ID: <20120225072007.22652.62348.launchpad@cocoplum.canonical.com>

insserv (1.14.0-2ubuntu0.10.10.1) maverick-proposed; urgency=low

  [ Adam Stokes ]
  * Add 200_hide_insserv_on_ubuntu.patch: Move insserv out of system path to
    dissuade package maintainers from invoking it directly. (LP: #897390)

  [ Evan Broder ]
  * Fix the shutdown sequence if it was broken by insserv being run at some
    point in the past.
Date: Thu, 23 Feb 2012 16:31:43 -0800
Changed-By: Evan Broder
Maintainer: Ubuntu Developers
https://launchpad.net/ubuntu/maverick/+source/insserv/1.14.0-2ubuntu0.10.10.1
-------------- next part --------------
Format: 1.8
Date: Thu, 23 Feb 2012 16:31:43 -0800
Source: insserv
Binary: insserv
Architecture: source
Version: 1.14.0-2ubuntu0.10.10.1
Distribution: maverick-proposed
Urgency: low
Maintainer: Ubuntu Developers
Changed-By: Evan Broder
Description:
 insserv    - Tool to organize boot sequence using LSB init.d script dependenci
Launchpad-Bugs-Fixed: 897390
Changes:
 insserv (1.14.0-2ubuntu0.10.10.1) maverick-proposed; urgency=low
 .
   [ Adam Stokes ]
   * Add 200_hide_insserv_on_ubuntu.patch: Move insserv out of system path to
     dissuade package maintainers from invoking it directly. (LP: #897390)
 .
   [ Evan Broder ]
   * Fix the shutdown sequence if it was broken by insserv being run at some
     point in the past.
Checksums-Sha1:
 232f88a1295792a7caf5a0ddbe9a463ec66d917d 2026 insserv_1.14.0-2ubuntu0.10.10.1.dsc
 b2148fdc18f78703e5d2c13744a14e60ab2c5730 55464 insserv_1.14.0-2ubuntu0.10.10.1.diff.gz
Checksums-Sha256:
 0e7b2ee60ce085b45e0ba2ed810ec36835c9c7178acaac50e44f718a3d239c84 2026 insserv_1.14.0-2ubuntu0.10.10.1.dsc
 297cbd27ee05fabae9d8135d3b958354326dfa33556221cde4e4e21eb0171b53 55464 insserv_1.14.0-2ubuntu0.10.10.1.diff.gz
Files:
 5d3c56af158d1cd33f0f7c46f30b4cef 2026 misc optional insserv_1.14.0-2ubuntu0.10.10.1.dsc
 8937708ba6ad0f0cf610ae5aa7627533 55464 misc optional insserv_1.14.0-2ubuntu0.10.10.1.diff.gz
Debian-Vcs-Browser: http://svn.debian.org/wsvn/initscripts-ng/trunk/src/insserv/
Debian-Vcs-Svn: svn://svn.debian.org/initscripts-ng/trunk/src/insserv
Original-Maintainer: Petter Reinholdtsen

From jamie at ubuntu.com Sun Feb 26 03:28:37 2012
From: jamie at ubuntu.com (Jamie Strandboge)
Date: Sun, 26 Feb 2012 03:28:37 -0000
Subject: [ubuntu/maverick-updates] chromium-browser 17.0.963.56~r121963-0ubuntu0.10.10.1 (Accepted)
Message-ID: <20120226032837.904.37540.launchpad@ackee.canonical.com>

chromium-browser (17.0.963.56~r121963-0ubuntu0.10.10.1) maverick-security; urgency=low

  * New upstream release from the Stable Channel (LP: #931905, #933262)
    This release fixes the following security issues from 17.0.963.56:
    - [105803] High CVE-2011-3015: Integer overflows in PDF codecs.
      Credit to Google Chrome Security Team (scarybeasts).
    - [106336] Medium CVE-2011-3016: Read-after-free with counter nodes.
      Credit to miaubiz.
    - [108695] High CVE-2011-3017: Possible use-after-free in database
      handling. Credit to miaubiz.
    - [110172] High CVE-2011-3018: Heap overflow in path rendering.
      Credit to Aki Helin of OUSPG.
    - [110849] High CVE-2011-3019: Heap buffer overflow in MKV handling.
      Credit to Google Chrome Security Team (scarybeasts) and Mateusz Jurczyk
      of the Google Security Team.
    - [111575] Medium CVE-2011-3020: Native client validator error.
      Credit to Nick Bray of the Chromium development community.
    - [111779] High CVE-2011-3021: Use-after-free in subframe loading.
      Credit to Arthur Gerkis.
    - [112236] Medium CVE-2011-3022: Inappropriate use of http for translation
      script. Credit to Google Chrome Security Team (Jorge Obes).
    - [112259] Medium CVE-2011-3023: Use-after-free with drag and drop.
      Credit to pa_kt.
    - [112451] Low CVE-2011-3024: Browser crash with empty x509 certificate.
      Credit to chrometot.
    - [112670] Medium CVE-2011-3025: Out-of-bounds read in h.264 parsing.
      Credit to Sławomir Błażek.
    - [112822] High CVE-2011-3026: Integer overflow / truncation in libpng.
      Credit to Jüri Aedla.
    - [112847] High CVE-2011-3027: Bad cast in column handling.
      Credit to miaubiz.
    This release fixes the following security issues from 17.0.963.46:
    - [73478] Low CVE-2011-3953: Avoid clipboard monitoring after paste event.
      Credit to Daniel Cheng of the Chromium development community.
    - [92550] Low CVE-2011-3954: Crash with excessive database usage.
      Credit to Collin Payne.
    - [93106] High CVE-2011-3955: Crash aborting an IndexDB transaction.
      Credit to David Grogan of the Chromium development community.
    - [103630] Low CVE-2011-3956: Incorrect handling of sandboxed origins
      inside extensions. Credit to Devdatta Akhawe, UC Berkeley.
    - [104056] High CVE-2011-3957: Use-after-free in PDF garbage collection.
      Credit to Aki Helin of OUSPG.
    - [105459] High CVE-2011-3958: Bad casts with column spans.
      Credit to miaubiz.
    - [106441] High CVE-2011-3959: Buffer overflow in locale handling.
      Credit to Aki Helin of OUSPG.
    - [108416] Medium CVE-2011-3960: Out-of-bounds read in audio decoding.
      Credit to Aki Helin of OUSPG.
    - [108871] Critical CVE-2011-3961: Race condition after crash of utility
      process. Credit to Shawn Goertzen.
    - [108901] Medium CVE-2011-3962: Out-of-bounds read in path clipping.
      Credit to Aki Helin of OUSPG.
    - [109094] Medium CVE-2011-3963: Out-of-bounds read in PDF fax image
      handling. Credit to Atte Kettunen of OUSPG.
    - [109245] Low CVE-2011-3964: URL bar confusion after drag + drop.
      Credit to Code Audit Labs of VulnHunt.com.
    - [109664] Low CVE-2011-3965: Crash in signature check.
      Credit to Sławomir Błażek.
    - [109716] High CVE-2011-3966: Use-after-free in stylesheet error handling.
      Credit to Aki Helin of OUSPG.
    - [109717] Low CVE-2011-3967: Crash with unusual certificate.
      Credit to Ben Carrillo.
    - [109743] High CVE-2011-3968: Use-after-free in CSS handling.
      Credit to Arthur Gerkis.
    - [110112] High CVE-2011-3969: Use-after-free in SVG layout.
      Credit to Arthur Gerkis.
    - [110277] Medium CVE-2011-3970: Out-of-bounds read in libxslt.
      Credit to Aki Helin of OUSPG.
    - [110374] High CVE-2011-3971: Use-after-free with mousemove events.
      Credit to Arthur Gerkis.
    - [110559] Medium CVE-2011-3972: Out-of-bounds read in shader translator.
      Credit to Google Chrome Security Team (Inferno).
  * Rebase patch
    - update debian/patches/disable_dlog_and_dcheck_in_release_builds.patch
  * Update .install file to just install all .pak files instead of listing
    them by name
    - update debian/chromium-browser.install

Date: 2012-02-21 07:30:24.360287+00:00
Changed-By: Micah Gersten
Maintainer: Fabien Tassin
Signed-By: Jamie Strandboge
https://launchpad.net/ubuntu/maverick/+source/chromium-browser/17.0.963.56~r121963-0ubuntu0.10.10.1
-------------- next part --------------
Sorry, changesfile not available.

From jamie at ubuntu.com Sun Feb 26 03:30:04 2012
From: jamie at ubuntu.com (Jamie Strandboge)
Date: Sun, 26 Feb 2012 03:30:04 -0000
Subject: [ubuntu/maverick-security] chromium-browser 17.0.963.56~r121963-0ubuntu0.10.10.1 (Accepted)
Message-ID: <20120226033004.904.12398.launchpad@ackee.canonical.com>

chromium-browser (17.0.963.56~r121963-0ubuntu0.10.10.1) maverick-security; urgency=low

  * New upstream release from the Stable Channel (LP: #931905, #933262)
    This release fixes the following security issues from 17.0.963.56:
    - [105803] High CVE-2011-3015: Integer overflows in PDF codecs.
      Credit to Google Chrome Security Team (scarybeasts).
    - [106336] Medium CVE-2011-3016: Read-after-free with counter nodes.
      Credit to miaubiz.
    - [108695] High CVE-2011-3017: Possible use-after-free in database
      handling. Credit to miaubiz.
    - [110172] High CVE-2011-3018: Heap overflow in path rendering.
      Credit to Aki Helin of OUSPG.
    - [110849] High CVE-2011-3019: Heap buffer overflow in MKV handling.
      Credit to Google Chrome Security Team (scarybeasts) and Mateusz Jurczyk
      of the Google Security Team.
    - [111575] Medium CVE-2011-3020: Native client validator error.
      Credit to Nick Bray of the Chromium development community.
    - [111779] High CVE-2011-3021: Use-after-free in subframe loading.
      Credit to Arthur Gerkis.
    - [112236] Medium CVE-2011-3022: Inappropriate use of http for translation
      script. Credit to Google Chrome Security Team (Jorge Obes).
    - [112259] Medium CVE-2011-3023: Use-after-free with drag and drop.
      Credit to pa_kt.
    - [112451] Low CVE-2011-3024: Browser crash with empty x509 certificate.
      Credit to chrometot.
    - [112670] Medium CVE-2011-3025: Out-of-bounds read in h.264 parsing.
      Credit to Sławomir Błażek.
    - [112822] High CVE-2011-3026: Integer overflow / truncation in libpng.
      Credit to Jüri Aedla.
    - [112847] High CVE-2011-3027: Bad cast in column handling.
      Credit to miaubiz.
    This release fixes the following security issues from 17.0.963.46:
    - [73478] Low CVE-2011-3953: Avoid clipboard monitoring after paste event.
      Credit to Daniel Cheng of the Chromium development community.
    - [92550] Low CVE-2011-3954: Crash with excessive database usage.
      Credit to Collin Payne.
    - [93106] High CVE-2011-3955: Crash aborting an IndexDB transaction.
      Credit to David Grogan of the Chromium development community.
    - [103630] Low CVE-2011-3956: Incorrect handling of sandboxed origins
      inside extensions. Credit to Devdatta Akhawe, UC Berkeley.
    - [104056] High CVE-2011-3957: Use-after-free in PDF garbage collection.
      Credit to Aki Helin of OUSPG.
    - [105459] High CVE-2011-3958: Bad casts with column spans.
      Credit to miaubiz.
    - [106441] High CVE-2011-3959: Buffer overflow in locale handling.
      Credit to Aki Helin of OUSPG.
    - [108416] Medium CVE-2011-3960: Out-of-bounds read in audio decoding.
      Credit to Aki Helin of OUSPG.
    - [108871] Critical CVE-2011-3961: Race condition after crash of utility
      process. Credit to Shawn Goertzen.
    - [108901] Medium CVE-2011-3962: Out-of-bounds read in path clipping.
      Credit to Aki Helin of OUSPG.
    - [109094] Medium CVE-2011-3963: Out-of-bounds read in PDF fax image
      handling. Credit to Atte Kettunen of OUSPG.
    - [109245] Low CVE-2011-3964: URL bar confusion after drag + drop.
      Credit to Code Audit Labs of VulnHunt.com.
    - [109664] Low CVE-2011-3965: Crash in signature check.
      Credit to Sławomir Błażek.
    - [109716] High CVE-2011-3966: Use-after-free in stylesheet error handling.
      Credit to Aki Helin of OUSPG.
    - [109717] Low CVE-2011-3967: Crash with unusual certificate.
      Credit to Ben Carrillo.
    - [109743] High CVE-2011-3968: Use-after-free in CSS handling.
      Credit to Arthur Gerkis.
    - [110112] High CVE-2011-3969: Use-after-free in SVG layout.
      Credit to Arthur Gerkis.
    - [110277] Medium CVE-2011-3970: Out-of-bounds read in libxslt.
      Credit to Aki Helin of OUSPG.
    - [110374] High CVE-2011-3971: Use-after-free with mousemove events.
      Credit to Arthur Gerkis.
    - [110559] Medium CVE-2011-3972: Out-of-bounds read in shader translator.
      Credit to Google Chrome Security Team (Inferno).
  * Rebase patch
    - update debian/patches/disable_dlog_and_dcheck_in_release_builds.patch
  * Update .install file to just install all .pak files instead of listing
    them by name
    - update debian/chromium-browser.install

Date: 2012-02-21 07:30:24.360287+00:00
Changed-By: Micah Gersten
Maintainer: Fabien Tassin
Signed-By: Jamie Strandboge
https://launchpad.net/ubuntu/maverick/+source/chromium-browser/17.0.963.56~r121963-0ubuntu0.10.10.1
-------------- next part --------------
Sorry, changesfile not available.
From jamie at ubuntu.com Mon Feb 27 23:33:51 2012
From: jamie at ubuntu.com (Jamie Strandboge)
Date: Mon, 27 Feb 2012 23:33:51 -0000
Subject: [ubuntu/maverick-security] libxml2 2.7.7.dfsg-4ubuntu0.4 (Accepted)
Message-ID: <20120227233351.18460.90622.launchpad@cocoplum.canonical.com>

libxml2 (2.7.7.dfsg-4ubuntu0.4) maverick-security; urgency=low

  * SECURITY UPDATE: add randomization to dictionaries with hash tables to
    help prevent denial of service via hash algorithm collision
    - configure.in: lookup for rand, srand and time
    - dict.c: add randomization to dictionaries hash tables
    - hash.c: add randomization to normal hash tables
    - 8973d58b7498fa5100a876815476b81fd1a2412a
    - CVE-2012-0841

Date: Fri, 24 Feb 2012 15:16:59 -0600
Changed-By: Jamie Strandboge
Maintainer: Ubuntu Developers
https://launchpad.net/ubuntu/maverick/+source/libxml2/2.7.7.dfsg-4ubuntu0.4
-------------- next part --------------
Format: 1.8
Date: Fri, 24 Feb 2012 15:16:59 -0600
Source: libxml2
Binary: libxml2 libxml2-utils libxml2-dev libxml2-dbg libxml2-doc python-libxml2 python-libxml2-dbg libxml2-udeb
Architecture: source
Version: 2.7.7.dfsg-4ubuntu0.4
Distribution: maverick-security
Urgency: low
Maintainer: Ubuntu Developers
Changed-By: Jamie Strandboge
Description:
 libxml2    - GNOME XML library
 libxml2-dbg - Debugging symbols for the GNOME XML library
 libxml2-dev - Development files for the GNOME XML library
 libxml2-doc - Documentation for the GNOME XML library
 libxml2-udeb - GNOME XML library - minimal runtime (udeb)
 libxml2-utils - XML utilities
 python-libxml2 - Python bindings for the GNOME XML library
 python-libxml2-dbg - Python bindings for the GNOME XML library (debug extension)
Changes:
 libxml2 (2.7.7.dfsg-4ubuntu0.4) maverick-security; urgency=low
 .
   * SECURITY UPDATE: add randomization to dictionaries with hash tables to
     help prevent denial of service via hash algorithm collision
     - configure.in: lookup for rand, srand and time
     - dict.c: add randomization to dictionaries hash tables
     - hash.c: add randomization to normal hash tables
     - 8973d58b7498fa5100a876815476b81fd1a2412a
     - CVE-2012-0841
Checksums-Sha1:
 b536007cfbc4e07f1ad86b524964dc937cc3792b 2287 libxml2_2.7.7.dfsg-4ubuntu0.4.dsc
 9e4ec7d0ab350117eb84f4161caf123557d70d65 107948 libxml2_2.7.7.dfsg-4ubuntu0.4.diff.gz
Checksums-Sha256:
 be363b1c3a783cf004d62702353c3a0b3babeeed15c56a74c2998a17b5b4259e 2287 libxml2_2.7.7.dfsg-4ubuntu0.4.dsc
 f61198be3e4dfb3ced9fcc823abc7108b668cf2f5f0e9a9c5554c42a617c867a 107948 libxml2_2.7.7.dfsg-4ubuntu0.4.diff.gz
Files:
 bd31c83c02033d692623ae9f9f3aa17d 2287 libs optional libxml2_2.7.7.dfsg-4ubuntu0.4.dsc
 ffa10f78b8203aa293c79084be377e22 107948 libs optional libxml2_2.7.7.dfsg-4ubuntu0.4.diff.gz
Original-Maintainer: Debian XML/SGML Group

From jamie at ubuntu.com Mon Feb 27 23:34:00 2012
From: jamie at ubuntu.com (Jamie Strandboge)
Date: Mon, 27 Feb 2012 23:34:00 -0000
Subject: [ubuntu/maverick-security] fex 20100208+debian1-1+squeeze3build0.10.10.1 (Accepted)
Message-ID: <20120227233400.18460.4642.launchpad@cocoplum.canonical.com>

fex (20100208+debian1-1+squeeze3build0.10.10.1) maverick-security; urgency=low

  * fake sync from Debian

fex (20100208+debian1-1+squeeze3) stable-security; urgency=high

  * Fixup for last upload.
    (Missing initialization, Closes: #660828)

Date: Mon, 27 Feb 2012 13:21:40 -0600
Changed-By: Jamie Strandboge
Maintainer: Giuseppe Iuculano
https://launchpad.net/ubuntu/maverick/+source/fex/20100208+debian1-1+squeeze3build0.10.10.1
-------------- next part --------------
Format: 1.8
Date: Mon, 27 Feb 2012 13:21:40 -0600
Source: fex
Binary: fex fex-utils
Architecture: source
Version: 20100208+debian1-1+squeeze3build0.10.10.1
Distribution: maverick-security
Urgency: high
Maintainer: Giuseppe Iuculano
Changed-By: Jamie Strandboge
Description:
 fex        - web service for transferring very large files
 fex-utils  - web service for transferring very large files (utils)
Closes: 660828

From tyhicks at canonical.com Tue Feb 28 02:33:54 2012
From: tyhicks at canonical.com (Tyler Hicks)
Date: Tue, 28 Feb 2012 02:33:54 -0000
Subject: [ubuntu/maverick-security] ruby1.8 1.8.7.299-2ubuntu0.1 (Accepted)
Message-ID: <20120228023354.14816.20091.launchpad@cocoplum.canonical.com>

ruby1.8 (1.8.7.299-2ubuntu0.1) maverick-security; urgency=low

  * SECURITY UPDATE: Cross-site scripting via HTTP error responses
    - debian/patches/CVE-2010-0541.patch: Use the ISO-8859-1 character set
      for HTTP error responses. Based on upstream patch.
    - CVE-2010-0541
  * SECURITY UPDATE: Arbitrary code execution and denial of service
    - debian/patches/CVE-2011-0188.patch: Remove cast to prevent memory
      corruption during allocation. Based on upstream patch.
    - CVE-2011-0188
  * SECURITY UPDATE: Arbitrary file deletion due to symlink race
    - debian/patches/CVE-2011-1004.patch: Unlink the symlink rather than
      recursively removing everything underneath the symlink destination.
      Based on upstream patch.
    - CVE-2011-1004
  * SECURITY UPDATE: Safe level bypass
    - debian/patches/CVE-2011-1005.patch: Remove incorrect string taint in
      exception handling methods. Based on upstream patch.
    - CVE-2011-1005
  * SECURITY UPDATE: Predictable random number generation
    - debian/patches/CVE-2011-2686.patch: Reseed the random number generator
      each time a child process is created. Based on upstream patch.
    - CVE-2011-2686
  * SECURITY UPDATE: Predictable random number generation
    - debian/patches/CVE-2011-2705.patch: Reseed the random number generator
      with the pid number and the current time to prevent predictable random
      numbers in the case of pid number rollover. Based on upstream patch.
    - CVE-2011-2705
  * SECURITY UPDATE: Denial of service via crafted hash table keys
    - debian/patches/CVE-2011-4815.patch: Add randomness to the key hashing
      algorithm to prevent predictable results when inserting objects into a
      hash table. Based on upstream patch.
    - CVE-2011-4815

Date: Tue, 21 Feb 2012 16:28:51 -0600
Changed-By: Tyler Hicks
Maintainer: Ubuntu Developers
https://launchpad.net/ubuntu/maverick/+source/ruby1.8/1.8.7.299-2ubuntu0.1
-------------- next part --------------
Format: 1.8
Date: Tue, 21 Feb 2012 16:28:51 -0600
Source: ruby1.8
Binary: ruby1.8 libruby1.8 libruby1.8-dbg ruby1.8-dev libtcltk-ruby1.8 ruby1.8-examples ruby1.8-elisp ri1.8
Architecture: source
Version: 1.8.7.299-2ubuntu0.1
Distribution: maverick-security
Urgency: low
Maintainer: Ubuntu Developers
Changed-By: Tyler Hicks
Description:
 libruby1.8 - Libraries necessary to run Ruby 1.8
 libruby1.8-dbg - Debugging symbols for Ruby 1.8
 libtcltk-ruby1.8 - Tcl/Tk interface for Ruby 1.8
 ri1.8      - Ruby Interactive reference (for Ruby 1.8)
 ruby1.8    - Interpreter of object-oriented scripting language Ruby 1.8
 ruby1.8-dev - Header files for compiling extension modules for the Ruby 1.8
 ruby1.8-elisp - ruby-mode for Emacsen
 ruby1.8-examples - Examples for Ruby 1.8
Original-Maintainer: akira yamada

From chris.j.arges at canonical.com Tue Feb 28 13:39:30 2012
From: chris.j.arges at canonical.com (Chris J Arges)
Date: Tue, 28 Feb 2012 13:39:30 -0000
Subject: [ubuntu/maverick-proposed] kexec-tools 1:2.0.1-2ubuntu2.2 (Accepted)
Message-ID: <20120228133930.8163.54079.launchpad@gac.canonical.com>

kexec-tools (1:2.0.1-2ubuntu2.2) maverick-proposed; urgency=low

  * Backport changes to fix kdump functionality. LP: #828731.
    - debian/kdump.initramfs: call /usr/bin/makedumpfile via a chroot
      command, so that if makedumpfile is statically linked, we get proper
      library resolution.
      Thanks to Louis Bouchard for the patch. LP: #785425.
    - debian/kdump.initramfs: handle the possibility that /usr, /boot, or
      /var is on a separate filesystem and needs to be manually mounted
      before calling makedumpfile. LP: #828731.
    - Depend on makedumpfile, without which the initramfs script doesn't
      work.
    - Fix an unnecessary bashism.
    - Only install the kdump initramfs script and depend on makedumpfile on
      architectures that makedumpfile supports.

Date: Wed, 18 Jan 2012 15:32:08 -0600
Changed-By: Chris J Arges
Maintainer: Ubuntu Developers
Signed-By: Barry Warsaw
https://launchpad.net/ubuntu/maverick/+source/kexec-tools/1:2.0.1-2ubuntu2.2
-------------- next part --------------
Format: 1.8
Date: Wed, 18 Jan 2012 15:32:08 -0600
Source: kexec-tools
Binary: kexec-tools
Architecture: source
Version: 1:2.0.1-2ubuntu2.2
Distribution: maverick-proposed
Urgency: low
Maintainer: Ubuntu Developers
Changed-By: Chris J Arges
Description:
 kexec-tools - kexec tool for kexec reboots
Launchpad-Bugs-Fixed: 785425 828731
Original-Maintainer: Khalid Aziz

From martin.pitt at ubuntu.com Tue Feb 28 13:49:17 2012
From: martin.pitt at ubuntu.com (Martin Pitt)
Date: Tue, 28 Feb 2012 13:49:17 -0000
Subject: [ubuntu/maverick-updates] linux 2.6.35-32.66 (Accepted)
Message-ID: <20120228134917.32636.2409.launchpad@ackee.canonical.com>

linux (2.6.35-32.66) maverick-proposed; urgency=low

  [Herton R. Krzesinski]

  * Release Tracking Bug
    - LP: #931600

  [ Upstream Kernel Changes ]

  * net: ip_expire() must revalidate route
    - LP: #922051
    - CVE-2011-1927
  * bridge: Fix mglist corruption that leads to memory corruption
    - LP: #917813
    - CVE-2011-0716
  * AppArmor: fix oops in apparmor_setprocattr
    - LP: #789409
    - CVE-2011-3619

Date: 2012-02-13 21:01:18.334600+00:00
Changed-By: "Herton R. Krzesinski"
Signed-By: Martin Pitt
https://launchpad.net/ubuntu/maverick/+source/linux/2.6.35-32.66
-------------- next part --------------
Sorry, changesfile not available.

From martin.pitt at ubuntu.com Tue Feb 28 13:49:30 2012
From: martin.pitt at ubuntu.com (Martin Pitt)
Date: Tue, 28 Feb 2012 13:49:30 -0000
Subject: [ubuntu/maverick-security] linux 2.6.35-32.66 (Accepted)
Message-ID: <20120228134930.32636.70411.launchpad@ackee.canonical.com>

linux (2.6.35-32.66) maverick-proposed; urgency=low

  [Herton R. Krzesinski]

  * Release Tracking Bug
    - LP: #931600

  [ Upstream Kernel Changes ]

  * net: ip_expire() must revalidate route
    - LP: #922051
    - CVE-2011-1927
  * bridge: Fix mglist corruption that leads to memory corruption
    - LP: #917813
    - CVE-2011-0716
  * AppArmor: fix oops in apparmor_setprocattr
    - LP: #789409
    - CVE-2011-3619

Date: 2012-02-13 21:01:18.334600+00:00
Changed-By: "Herton R. Krzesinski"
Signed-By: Martin Pitt
https://launchpad.net/ubuntu/maverick/+source/linux/2.6.35-32.66
-------------- next part --------------
Sorry, changesfile not available.

From martin.pitt at ubuntu.com Tue Feb 28 16:38:40 2012
From: martin.pitt at ubuntu.com (Martin Pitt)
Date: Tue, 28 Feb 2012 16:38:40 -0000
Subject: [ubuntu/maverick-security] postgresql-8.4, postgresql-8.4_8.4.11-0ubuntu0.10.10_armel_translations.tar.gz, postgresql-8.4_8.4.11-0ubuntu0.10.10_powerpc_translations.tar.gz, postgresql-8.4_8.4.11-0ubuntu0.10.10_amd64_translations.tar.gz, postgresql-8.4_8.4.11-0ubuntu0.10.10_i386_translations.tar.gz 8.4.11-0ubuntu0.10.10 (Accepted)
Message-ID: <20120228163840.32011.33204.launchpad@cocoplum.canonical.com>

postgresql-8.4 (8.4.11-0ubuntu0.10.10) maverick-security; urgency=low

  * New upstream bug fix/security release: (LP: #941912)
    - Require execute permission on the trigger function for "CREATE
      TRIGGER". This missing check could allow another user to execute a
      trigger function with forged input data, by installing it on a table
      he owns. This is only of significance for trigger functions marked
      SECURITY DEFINER, since otherwise trigger functions run as the table
      owner anyway. (CVE-2012-0866)
    - Remove arbitrary limitation on length of common name in SSL
      certificates. Both libpq and the server truncated the common name
      extracted from an SSL certificate at 32 bytes. Normally this would
      cause nothing worse than an unexpected verification failure, but
      there are some rather-implausible scenarios in which it might allow
      one certificate holder to impersonate another.
      The victim would have to have a common name exactly 32 bytes long,
      and the attacker would have to persuade a trusted CA to issue a
      certificate in which the common name has that string as a prefix.
      Impersonating a server would also require some additional exploit to
      redirect client connections. (CVE-2012-0867)
    - Convert newlines to spaces in names written in pg_dump comments.
      pg_dump was incautious about sanitizing object names that are emitted
      within SQL comments in its output script. A name containing a newline
      would at least render the script syntactically incorrect. Maliciously
      crafted object names could present a SQL injection risk when the
      script is reloaded. (CVE-2012-0868)
    - Fix btree index corruption from insertions concurrent with vacuuming.
      An index page split caused by an insertion could sometimes cause a
      concurrently-running "VACUUM" to miss removing index entries that it
      should remove. After the corresponding table rows are removed, the
      dangling index entries would cause errors (such as "could not read
      block N in file ...") or worse, silently wrong query results after
      unrelated rows are re-inserted at the now-free table locations. This
      bug has been present since release 8.2, but occurs so infrequently
      that it was not diagnosed until now. If you have reason to suspect
      that it has happened in your database, reindexing the affected index
      will fix things.
    - Update per-column permissions, not only per-table permissions, when
      changing table owner. Failure to do this meant that any previously
      granted column permissions were still shown as having been granted by
      the old owner. This meant that neither the new owner nor a superuser
      could revoke the now-untraceable-to-table-owner permissions.
    - Allow non-existent values for some settings in "ALTER USER/DATABASE
      SET". Allow default_text_search_config, default_tablespace, and
      temp_tablespaces to be set to names that are not known. This is
      because they might be known in another database where the setting is
      intended to be used, or for the tablespace cases because the
      tablespace might not be created yet. The same issue was previously
      recognized for search_path, and these settings now act like that one.
    - Avoid crashing when we have problems deleting table files post-commit.
      Dropping a table should lead to deleting the underlying disk files
      only after the transaction commits. In event of failure then (for
      instance, because of wrong file permissions) the code is supposed to
      just emit a warning message and go on, since it's too late to abort
      the transaction. This logic got broken as of release 8.4, causing
      such situations to result in a PANIC and an unrestartable database.
    - Track the OID counter correctly during WAL replay, even when it wraps
      around. Previously the OID counter would remain stuck at a high value
      until the system exited replay mode. The practical consequences of
      that are usually nil, but there are scenarios wherein a standby
      server that's been promoted to master might take a long time to
      advance the OID counter to a reasonable value once values are needed.
    - Fix regular expression back-references with * attached. Rather than
      enforcing an exact string match, the code would effectively accept
      any string that satisfies the pattern sub-expression referenced by
      the back-reference symbol. A similar problem still afflicts
      back-references that are embedded in a larger quantified expression,
      rather than being the immediate subject of the quantifier. This will
      be addressed in a future PostgreSQL release.
    - Fix recently-introduced memory leak in processing of inet/cidr
      values.
    - Fix dangling pointer after "CREATE TABLE AS"/"SELECT INTO" in a
      SQL-language function. In most cases this only led to an assertion
      failure in assert-enabled builds, but worse consequences seem
      possible.
    - Fix I/O-conversion-related memory leaks in plpgsql.
    - Improve pg_dump's handling of inherited table columns. pg_dump
      mishandled situations where a child column has a different default
      expression than its parent column. If the default is textually
      identical to the parent's default, but not actually the same (for
      instance, because of schema search path differences) it would not be
      recognized as different, so that after dump and restore the child
      would be allowed to inherit the parent's default. Child columns that
      are NOT NULL where their parent is not could also be restored subtly
      incorrectly.
    - Fix pg_restore's direct-to-database mode for INSERT-style table data.
      Direct-to-database restores from archive files made with "--inserts"
      or "--column-inserts" options fail when using pg_restore from a
      release dated September or December 2011, as a result of an oversight
      in a fix for another problem. The archive file itself is not at
      fault, and text-mode output is okay.
    - Allow AT option in ecpg DEALLOCATE statements. The infrastructure to
      support this has been there for a while, but through an oversight
      there was still an error check rejecting the case.
    - Fix error in "contrib/intarray"'s int[] & int[] operator. If the
      smallest integer the two input arrays have in common is 1, and there
      are smaller values in either array, then 1 would be incorrectly
      omitted from the result.
    - Fix error detection in "contrib/pgcrypto"'s encrypt_iv() and
      decrypt_iv(). These functions failed to report certain types of
      invalid-input errors, and would instead return random garbage values
      for incorrect input.
    - Fix one-byte buffer overrun in "contrib/test_parser". The code would
      try to read one more byte than it should, which would crash in corner
      cases. Since "contrib/test_parser" is only example code, this is not
      a security issue in itself, but bad example code is still bad.
    - Use __sync_lock_test_and_set() for spinlocks on ARM, if available.
      This function replaces our previous use of the SWPB instruction,
      which is deprecated and not available on ARMv6 and later. Reports
      suggest that the old code doesn't fail in an obvious way on recent
      ARM boards, but simply doesn't interlock concurrent accesses, leading
      to bizarre failures in multiprocess operation.
    - Use "-fexcess-precision=standard" option when building with gcc
      versions that accept it. This prevents assorted scenarios wherein
      recent versions of gcc will produce creative results.
    - Allow use of threaded Python on FreeBSD. Our configure script
      previously believed that this combination wouldn't work; but FreeBSD
      fixed the problem, so remove that error check.
  * Drop 00git_inet_cidr_unpack.patch, 04-armel-tas.patch: applied
    upstream.

Date: Mon, 27 Feb 2012 15:13:58 +0100
Changed-By: Martin Pitt
Maintainer: Ubuntu Developers
https://launchpad.net/ubuntu/maverick/+source/postgresql-8.4/8.4.11-0ubuntu0.10.10
-------------- next part --------------
Format: 1.8
Date: Mon, 27 Feb 2012 15:13:58 +0100
Source: postgresql-8.4
Binary: libpq-dev libpq5 libecpg6 libecpg-dev libecpg-compat3 libpgtypes3 postgresql-8.4 postgresql-client-8.4 postgresql-server-dev-8.4 postgresql-doc-8.4 postgresql-contrib-8.4 postgresql-plperl-8.4 postgresql-plpython-8.4 postgresql-pltcl-8.4 postgresql postgresql-client postgresql-doc postgresql-contrib
Architecture: source
Version: 8.4.11-0ubuntu0.10.10
Distribution: maverick-security
Urgency: low
Maintainer: Ubuntu Developers
Changed-By: Martin Pitt
Description:
 libecpg-compat3 - older version of run-time library for ECPG programs
 libecpg-dev - development files for ECPG (Embedded PostgreSQL for C)
 libecpg6   - run-time library for ECPG programs
 libpgtypes3 - shared library libpgtypes for PostgreSQL 8.4
 libpq-dev  - header files for libpq5 (PostgreSQL library)
 libpq5     - PostgreSQL C client library
 postgresql - object-relational SQL database (supported version)
 postgresql-8.4 - object-relational SQL database, version 8.4 server
 postgresql-client - front-end programs for PostgreSQL (supported version)
 postgresql-client-8.4 - front-end programs for PostgreSQL 8.4
 postgresql-contrib - additional facilities for PostgreSQL (supported version)
 postgresql-contrib-8.4 - additional facilities for PostgreSQL
 postgresql-doc - documentation for the PostgreSQL database management system
 postgresql-doc-8.4 - documentation for the PostgreSQL database management system
 postgresql-plperl-8.4 - PL/Perl procedural language for PostgreSQL 8.4
 postgresql-plpython-8.4 - PL/Python procedural language for PostgreSQL 8.4
 postgresql-pltcl-8.4 - PL/Tcl procedural language for PostgreSQL 8.4
 postgresql-server-dev-8.4 - development files for PostgreSQL 8.4 server-side programming
Launchpad-Bugs-Fixed: 941912
Original-Maintainer: Martin Pitt
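The CVE-2012-0867 entry in the postgresql-8.4 changelog above describes a fixed 32-byte buffer truncating the certificate Common Name before it is compared. As an added illustration that is not PostgreSQL's or libpq's code, the C below puts that truncating comparison beside a length-aware one; the function names and the two Common Names are constructed for this example.

```c
/* Added example, not PostgreSQL/libpq code: the CN truncation pattern
 * behind CVE-2012-0867 beside a length-aware comparison.
 * Function names and the sample Common Names are constructed. */
#include <assert.h>
#include <stdio.h>
#include <string.h>

#define CN_TRUNC_LEN 32   /* fixed buffer size of the old code path */

/* Bug shape: the CN is copied into a fixed 32-byte buffer before the
 * comparison, so any certificate whose CN begins with the expected
 * 32-byte name compares equal to it. */
int cn_matches_truncated(const char *cert_cn, const char *expected)
{
    char buf[CN_TRUNC_LEN + 1];
    strncpy(buf, cert_cn, CN_TRUNC_LEN);   /* silently drops bytes 33.. */
    buf[CN_TRUNC_LEN] = '\0';
    return strcmp(buf, expected) == 0;
}

/* Fixed shape: compare the full CN. The length comes from the
 * certificate field itself, so no bytes are dropped and an embedded
 * NUL cannot end the comparison early. */
int cn_matches(const char *cert_cn, size_t cert_cn_len, const char *expected)
{
    size_t expected_len = strlen(expected);
    if (cert_cn_len != expected_len)
        return 0;
    return memcmp(cert_cn, expected, expected_len) == 0;
}

/* Constructed names: EXPECTED_CN is exactly 32 bytes (the victim's case
 * described in the changelog); LONGER_CN shares those 32 bytes as a
 * prefix. */
static const char EXPECTED_CN[] = "postgres.internal.example.com.au";
static const char LONGER_CN[]   = "postgres.internal.example.com.au.other.example";

int main(void)
{
    printf("expected CN length: %zu\n", strlen(EXPECTED_CN));
    printf("truncated compare accepts longer CN: %d\n",
           cn_matches_truncated(LONGER_CN, EXPECTED_CN));
    printf("full compare accepts longer CN:      %d\n",
           cn_matches(LONGER_CN, strlen(LONGER_CN), EXPECTED_CN));
    printf("full compare accepts exact CN:       %d\n",
           cn_matches(EXPECTED_CN, strlen(EXPECTED_CN), EXPECTED_CN));
    return 0;
}
```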