Branches for Lenny

Name Status Last Modified Last Commit
lp:debian/lenny/mason Mature 2012-07-05 03:00:53 UTC
6. * Minor changes to fix warnings repor...

Author: Thomas Scheffczyk
Revision Date: 2008-06-27 10:28:23 UTC

* Minor changes to fix warnings reported by lintian for version 1.0.0-10
* Change the order of preferred editors to avoid problems reported with
mcedit, the prior standard. Preferred editor if installed is now emacs,
followed by vi and nano.
* New option for mason-gui-text: When started with the option "--force"
it will try to stop other instances of itself instead of exiting.

lp:debian/lenny/roxen-fonts-iso8859-1 Mature 2012-07-05 02:56:59 UTC
4. * Non-maintainer upload. * Fix encodi...

Author: Christian Perrier
Revision Date: 2008-02-09 13:31:32 UTC

* Non-maintainer upload.
* Fix encoding of debian/changelog and debian/copyright. Closes: #454021
* Remove dh-make boilerplate from debian/copyright
* Replace direct init.d script calls by invoke-rc.d calls (thanks, lintian)

lp:debian/lenny/roxen-fonts-iso8859-2 Mature 2012-07-05 02:50:47 UTC
4. * Non-maintainer upload. * Fix encodi...

Author: Christian Perrier
Revision Date: 2008-02-09 12:07:46 UTC

* Non-maintainer upload.
* Fix encoding for changelog and copyright. Closes: #454032
* Remove dh-make boilerplate from debian/copyright
* Replace direct init.d script calls by invoke-rc.d calls (thanks, lintian)

lp:debian/lenny/opustex Mature 2012-07-05 02:27:43 UTC
3. * Non-maintainer upload. * The PK fil...

Author: Benjamin Bayart
Revision Date: 2006-10-08 16:12:44 UTC

* Non-maintainer upload.
* The PK files have to be removed on remove, not on purge. The
  only point in keeping those during a remove would be for an
  upgrade, where they were already removed. (Closes: Bug#391199)

lp:debian/lenny/mdadm Mature 2012-04-11 07:46:56 UTC
12. * Change my previous recommendation f...

Author: madduck
Revision Date: 2009-05-05 08:45:22 UTC

* Change my previous recommendation for postfix over to Debian's default
  MTA, exim4 (see #522300 and #508644).
* Cherry-pick bug script enhancements from sid version:
  - Enhance bugscript, which now asks to run as root (sudo/su) if invoked by
    a normal user.
  - Include MD5 sums of md-related files in initrd in bug reports.
  - Add grub2 information retrieval to bugscript.
  - Trap SIGINT and thus prevent ctrl-c from terminating the bugscript
    prematurely.
  - Add information about udev and device links in /dev to bugscript output.

lp:debian/lenny/ruby1.8 Mature 2012-04-11 07:07:12 UTC
25. * added patch: 932_CVE-2009-1904 (clo...

Author: akira yamada
Revision Date: 2009-07-10 17:17:38 UTC

* added patch: 932_CVE-2009-1904 (closes: #532689)
  It fixes BigDecimal DoS vulnerability (CVE-2009-1904). (backported from
  1.8.7-p172 and 1.8.7-p174)
* Add upstream patch to properly check return values of the
  OCSP_basic_verify function (CVE-2009-0642; Closes: #513528)

lp:debian/lenny/icu Mature 2012-04-11 02:38:23 UTC
13. Apply patch CVE-2011-4599 to address ...

Author: Jay Berkenbilt
Revision Date: 2012-01-21 19:56:44 UTC

Apply patch CVE-2011-4599 to address a buffer overflow.

lp:debian/lenny/user-mode-linux Mature 2012-03-08 07:55:16 UTC
14. * Rebuild against linux-source-2.6.26...

Author: dann frazier
Revision Date: 2012-03-08 07:55:16 UTC

* Rebuild against linux-source-2.6.26 (2.6.26-29):
  * hfs: fix hfs_find_init() sb->ext_tree NULL ptr oops (CVE-2011-2203)
  * xfs: Fix possible memory corruption in xfs_readlink (CVE-2011-4077)
  * KEYS: Fix a NULL pointer deref in the user-defined key type
    (CVE-2011-4110)
  * futex: clear robust_list on execve (CVE-2012-0028)
  * rose: Add length checks to CALL_REQUEST parsing (CVE-2011-4914)
  * [x86] KVM: Prevent starting PIT timers in the absence of irqchip support
    (CVE-2011-4622)
  * jbd/jbd2: validate sb->s_first in journal_get_superblock()
    (CVE-2011-4132)
  * hfs: add sanity check for file name length (CVE-2011-4330)
  * Restrict ioctl forwarding on partitions and logical volumes
    (CVE-2011-4127)

lp:debian/lenny/linux-kernel-di-sparc-2.6 Mature 2012-03-07 23:41:26 UTC
16. rebuild to drop .git directories

Author: dann frazier
Revision Date: 2012-03-07 23:41:26 UTC

rebuild to drop .git directories

lp:debian/lenny/linux-kernel-di-s390-2.6 Mature 2012-03-07 23:41:06 UTC
10. rebuild to drop .git directories

Author: dann frazier
Revision Date: 2012-03-07 23:41:06 UTC

rebuild to drop .git directories

lp:debian/lenny/linux-kernel-di-powerpc-2.6 Mature 2012-03-07 23:38:30 UTC
10. rebuild to drop .git directories

Author: dann frazier
Revision Date: 2012-03-07 23:38:30 UTC

rebuild to drop .git directories

lp:debian/lenny/linux-kernel-di-mipsel-2.6 Mature 2012-03-07 23:35:30 UTC
10. rebuild to drop .git directories

Author: dann frazier
Revision Date: 2012-03-07 23:35:30 UTC

rebuild to drop .git directories

lp:debian/lenny/linux-kernel-di-mips-2.6 Mature 2012-03-07 23:32:24 UTC
10. rebuild to drop .git directories

Author: dann frazier
Revision Date: 2012-03-07 23:32:24 UTC

rebuild to drop .git directories

lp:debian/lenny/linux-kernel-di-ia64-2.6 Mature 2012-03-07 23:30:25 UTC
13. rebuild to drop .git directories

Author: dann frazier
Revision Date: 2012-03-07 23:30:25 UTC

rebuild to drop .git directories

lp:debian/lenny/linux-kernel-di-i386-2.6 Mature 2012-03-07 23:25:58 UTC
10. rebuild to drop .git directories

Author: dann frazier
Revision Date: 2012-03-07 23:25:58 UTC

rebuild to drop .git directories

lp:debian/lenny/linux-kernel-di-hppa-2.6 Mature 2012-03-07 23:22:38 UTC
14. rebuild to drop .git directories

Author: dann frazier
Revision Date: 2012-03-07 23:22:38 UTC

rebuild to drop .git directories

lp:debian/lenny/linux-kernel-di-armel-2.6 Mature 2012-03-07 23:19:13 UTC
10. rebuild to drop .git directories

Author: dann frazier
Revision Date: 2012-03-07 23:19:13 UTC

rebuild to drop .git directories

lp:debian/lenny/linux-kernel-di-arm-2.6 Mature 2012-03-07 23:16:55 UTC
9. rebuild to drop .git directories

Author: dann frazier
Revision Date: 2012-03-07 23:16:55 UTC

rebuild to drop .git directories

lp:debian/lenny/linux-kernel-di-amd64-2.6 Mature 2012-03-07 23:13:52 UTC
11. rebuild to drop .git directories

Author: dann frazier
Revision Date: 2012-03-07 23:13:52 UTC

rebuild to drop .git directories

lp:debian/lenny/linux-kernel-di-alpha-2.6 Mature 2012-03-07 23:12:22 UTC
10. rebuild to drop .git directories

Author: dann frazier
Revision Date: 2012-03-07 23:12:22 UTC

rebuild to drop .git directories

lp:debian/lenny/linux-2.6 Mature 2012-03-03 22:24:34 UTC
16. Revert: [powerpc] oprofile: Handle ev...

Author: dann frazier
Revision Date: 2012-03-03 22:24:34 UTC

Revert: [powerpc] oprofile: Handle events that raise an exception without
overflowing (CVE-2011-4347).

lp:debian/lenny/base-files Mature 2012-02-16 20:49:38 UTC
16. Bump version in /etc/debian_version t...

Author: Santiago Vila
Revision Date: 2012-02-16 20:49:38 UTC

Bump version in /etc/debian_version to "5.0.10".

lp:debian/lenny/ia32-libs Mature 2012-02-15 16:08:24 UTC
7. * Update packages to their current ve...

Author: Thijs Kinkhorst
Revision Date: 2012-02-15 16:08:24 UTC

* Update packages to their current versions in oldstable:
  - openssl 0.9.8g-15+lenny14 -> 0.9.8g-15+lenny16
  - libxml2 2.6.32.dfsg-5+lenny4 -> 2.6.32.dfsg-5+lenny5

lp:debian/lenny/apache2-mpm-itk Mature 2012-02-05 22:22:50 UTC
27. * Non-maintainer upload by the Securi...

Author: Stefan Fritsch
Revision Date: 2012-02-05 22:22:50 UTC

* Non-maintainer upload by the Security Team.
* Rebuild with apache2-src 2.2.9-10+lenny12.

lp:debian/lenny/apache2 Mature 2012-02-05 21:56:02 UTC
23. * Prevent unintended pattern expansio...

Author: Stefan Fritsch
Revision Date: 2012-02-05 21:56:02 UTC

* Prevent unintended pattern expansion in some reverse proxy
  configurations by strictly validating the request-URI. Fixes
  CVE-2011-3368, CVE-2011-3639, CVE-2011-4317.
* CVE-2011-3607: Fix integer overflow in ap_pregsub(), which allowed local
  privilege escalation.
* CVE-2012-0031: Fix client process being able to crash parent process
  during shutdown.
* CVE-2012-0053: Fix an issue in code 400 error responses that could expose
  "httpOnly" cookies.

lp:debian/lenny/php5 Development 2012-02-03 09:01:31 UTC
8. Fix UMR in php_register_variable_ex (...

Author: Ondřej Surý
Revision Date: 2012-02-03 09:01:31 UTC

Fix UMR in php_register_variable_ex (pull from upstream SVN)

lp:debian/lenny/xulrunner Mature 2012-02-01 00:43:36 UTC
21. Fixes for mfsa-2012-{01,02,08}, also ...

Author: Mike Hommey
Revision Date: 2012-02-01 00:43:36 UTC

Fixes for mfsa-2012-{01,02,08}, also known as
CVE-2012-0442, CVE-2011-3670, CVE-2012-0449.

lp:debian/lenny/curl Mature 2012-01-25 16:03:45 UTC
9. * Non-maintainer upload. * Fix SSL CB...

Author: Alessandro Ghedini
Revision Date: 2012-01-25 16:03:45 UTC

* Non-maintainer upload.
* Fix SSL CBC IV vulnerability as per CVE-2011-3389
  http://curl.haxx.se/docs/adv_20120124B.html
* Set urgency=high accordingly

lp:debian/lenny/libxml2 Development 2012-01-24 06:04:56 UTC
15. * Security update. * parser.c: Fix an...

Author: Aron Xu
Revision Date: 2012-01-24 06:04:56 UTC

* Security update.
* parser.c: Fix an allocation error when copying entities.
  CVE-2011-3919. Closes: #656377.
* parser.c: Make sure parser returns when getting a Stop order.
  CVE-2011-3905.
* encoding.c: Fix off by one error. CVE-2011-0216. Closes: 652352.
* xpath.c: Fix for undefined namespaces.
  CVE-2011-2834. Closes: 643648.

lp:debian/lenny/rails Mature 2012-01-22 11:13:46 UTC
8. Fix security regression caused by pul...

Author: Ondřej Surý
Revision Date: 2012-01-22 11:13:46 UTC

Fix security regression caused by pulling invalid upstream fix
for our version of rails

lp:debian/lenny/cacti Mature 2012-01-21 23:41:35 UTC
15. lib/snmp.php: Add $max_oids parameter...

Author: Luk Claes
Revision Date: 2012-01-21 23:41:35 UTC

lib/snmp.php: Add $max_oids parameter to snmp_walk
Closes: #656613

lp:debian/lenny/openssl Mature 2012-01-18 21:38:40 UTC
23. Fix CVE-2012-0050.

Author: Kurt Roeckx
Revision Date: 2012-01-18 21:38:40 UTC

Fix CVE-2012-0050.

lp:debian/lenny/apr Mature 2012-01-16 15:45:55 UTC
7. Disable robust pthread mutexes on alp...

Author: Stefan Fritsch
Revision Date: 2012-01-16 15:45:55 UTC

Disable robust pthread mutexes on alpha, arm, and armel. This fixes build
problems on buildds running newer Linux kernels.

lp:debian/lenny/xpdf Mature 2012-01-16 10:43:16 UTC
11. Fix cve-2011-2902: insecure tempfile ...

Author: Michael Gilbert
Revision Date: 2012-01-16 10:43:16 UTC

Fix cve-2011-2902: insecure tempfile usage in zxpdf. (closes: #635849)

lp:debian/lenny/t1lib Mature 2012-01-14 21:55:47 UTC
6. * Non-maintainer upload by the Securi...

Author: Yves-Alexis Perez
Revision Date: 2012-01-14 21:55:47 UTC

* Non-maintainer upload by the Security Team.
* debian/patches:
  - CVE-2010-2642 added, fix heap-based buffer overflow first found in
    evince but applicable to the embedded afmparse library found in t1lib
    too. Fixes CVE-2011-0433 too on the same patch.
  - CVE-2011-0764 added, fix arbitrary code execution by only using ppoints
    when it is a valid pointer. closes: #652996
    This fixes CVE-2011-0764, CVE-2011-1552, CVE-2011-1553 and CVE-2011-1554
* format-string added, fix a format string error IfTrace0 macro and another
  in T1_SubfsetFont().

lp:debian/lenny/openttd Mature 2012-01-10 13:41:46 UTC
6. * Fix three security issues, patches ...

Author: Matthijs Kooijman
Revision Date: 2012-01-10 13:41:46 UTC

* Fix three security issues, patches supplied by upstream. See
  http://security.openttd.org/ for details.
  - CVE-2011-3341
  - CVE-2011-3342
  - CVE-2011-3343

lp:debian/lenny/super Mature 2012-01-07 13:02:44 UTC
6. * Add 12-Use-vsnprintf.patch to fix b...

Author: Robert Luberda
Revision Date: 2012-01-07 13:02:44 UTC

* Add 12-Use-vsnprintf.patch to fix buffer overflow error occurring
  when logging via syslog is enabled (CVE-2011-2776).
* Add 13-Potential-format-string-vulnerability.patch to fix
  a vulnerability that might occur if the user of file name or file
  name used in the tag contains a '%' character.

lp:debian/lenny/ecryptfs-utils Mature 2012-01-06 20:36:51 UTC
12. * Non-maintainer upload by the securi...

Author: Jonathan Wiltshire
Revision Date: 2012-01-06 20:36:51 UTC

* Non-maintainer upload by the security team.
* Various security fixes in src/utils/mount.ecryptfs_private.c:
  - chdir into mountpoint before checking permissions in (CVE-2011-1831,
    CVE-2011-1832)
  - modify mtab via a temp file first and make sure it succeeds before
    replacing the real mtab (CVE-2011-1834)
  - make sure we don't copy into a user controlled directory (CVE-2011-1835)
  - also set gid and umask before updating mtab (CVE-2011-3145)

lp:debian/lenny/pdns Mature 2012-01-05 20:50:28 UTC
15. Apply patch from Bert Hubert to avoid...

Author: Florian Weimer
Revision Date: 2012-01-05 20:50:28 UTC

Apply patch from Bert Hubert to avoid responding to responses.

lp:debian/lenny/foomatic-filters Mature 2012-01-04 13:15:38 UTC
5. * Fix CVE-2011-2697 "foomatic-rip i...

Author: Didier Raboud
Revision Date: 2012-01-04 13:15:38 UTC

* Fix CVE-2011-2697
  "foomatic-rip in foomatic-filters allows remote attackers to execute
   arbitrary code via a crafted *FoomaticRIPCommandLine field in a .ppd
   file."
  - Patch foomatic-rip.in using debian/patches/CVE-2011-2697.patch from
    Ubuntu hardy's 3.0.2-20071204-0ubuntu2.3, itself backported from
    upstream (revision 140).

lp:debian/lenny/cyrus-imapd-2.2 Mature 2012-01-01 18:10:57 UTC
7. * Non-maintainer upload by the Securi...

Author: Nico Golde
Revision Date: 2012-01-01 18:10:57 UTC

* Non-maintainer upload by the Security Team.
* Fix possible NULL pointer dereference via crafted message reference
  id caused by a missing sanitizing of the mail headers. This can be
  exploited from a client making use of the IMAP threading feature
  (CVE-2011-3481).

lp:debian/lenny/ipmitool Mature 2011-12-30 09:12:15 UTC
6. Don't set umask to fix CVE-2011-4339 ...

Author: Luk Claes
Revision Date: 2011-12-30 09:12:15 UTC

Don't set umask to fix CVE-2011-4339 (Closes: #651917).

lp:debian/lenny/krb5 Mature 2011-12-26 11:35:59 UTC
18. Apply patch from FreeBSD to fix CVE-2...

Author: Florian Weimer
Revision Date: 2011-12-26 11:35:59 UTC

Apply patch from FreeBSD to fix CVE-2011-4862

lp:debian/lenny/inetutils Mature 2011-12-25 16:37:34 UTC
7. Apply patch from FreeBSD to fix CVE-2...

Author: Florian Weimer
Revision Date: 2011-12-25 16:37:34 UTC

Apply patch from FreeBSD to fix CVE-2011-4862

lp:debian/lenny/heimdal Mature 2011-12-25 14:25:36 UTC
5. Add patch from FreeBSD to fix CVE-201...

Author: Florian Weimer
Revision Date: 2011-12-25 14:25:36 UTC

Add patch from FreeBSD to fix CVE-2011-4862

lp:debian/lenny/openswan Mature 2011-12-24 17:29:51 UTC
14. Depend on libcurl4-openssl-dev instea...

Author: Moritz Muehlenhoff
Revision Date: 2011-12-24 17:29:51 UTC

Depend on libcurl4-openssl-dev instead of libcurl3-dev, otherwise
sbuild fails to install the needed deps

lp:debian/lenny/jasper Development 2011-12-24 14:19:04 UTC
6. * Backported patch from #652649: - ...

Author: Roland Stigge
Revision Date: 2011-12-24 14:19:04 UTC

* Backported patch from #652649:
  - CVE-2011-4516: Heap-based buffer overflow
  - CVE-2011-4517: Heap-based buffer overflow

lp:debian/lenny/libsoup2.4 Mature 2011-12-21 19:36:22 UTC
10. * Non-maintainer upload by the Securi...

Author: Nico Golde
Revision Date: 2011-12-21 19:36:22 UTC

* Non-maintainer upload by the Security Team.
* Fix directory traversal vulnerability through crafted HTTP requests
  (CVE-2011-2524; Closes: #635837)

lp:debian/lenny/unbound Mature 2011-12-21 19:13:04 UTC
7. * Apply patch from upstream to fix DN...

Author: Florian Weimer
Revision Date: 2011-12-21 19:13:04 UTC

* Apply patch from upstream to fix DNSSEC-related crashes
  (CVE-2011-4528)
* Fix empty error packet handling assertion failure (CVE-2011-1922)
  (Not actually exposed due to disabled asserts.)

lp:debian/lenny/lighttpd Mature 2011-12-18 23:41:49 UTC
10. * Backport security issues from 1.4.3...

Author: Arno Töll
Revision Date: 2011-12-18 23:41:49 UTC

* Backport security issues from 1.4.30:
  + Fix integer overflow (CVE-2011-4362)
  + Fix attack vector as disclosed by the SSL BEAST attack (related:
    CVE-2011-3389). Note: If you are upgrading from an older version you need
    to change your configuration to mitigate effects of the attack. See the
    corresponding NEWS file for details.

lp:debian/lenny/mediawiki Mature 2011-12-18 23:19:40 UTC
8. Security fixes from upstream (Closes:...

Author: Jonathan Wiltshire
Revision Date: 2011-12-18 23:19:40 UTC

Security fixes from upstream (Closes: #650434):
CVE-2011-4360 page titles on private wikis could be exposed
bypassing different page ids to index.php
CVE-2011-4361 action=ajax requests were dispatched to the
relevant function without any read permission checks being done
CVE-2011-1578 XSS for IE <= 6
CVE-2011-1579 CSS validation error in wikitext parser
CVE-2011-1580 access control checks on transwiki import feature
CVE-2011-1587 fix incomplete patch for CVE-2011-1578

lp:debian/lenny/asterisk Mature 2011-12-18 22:12:00 UTC
13. * Patch AST-2011-013: potential remot...

Author: Tzafrir Cohen
Revision Date: 2011-12-18 22:12:00 UTC

* Patch AST-2011-013: potential remote information disclosure
  Closes: #651552 (CVE-2011-4597 The side issue. The DoS is
  inapplicable to Lenny).
  - The patch changes the sample sip.conf. We change the sample
     config files, but not the files under /etc/asterisk.

lp:debian/lenny/tor Mature 2011-12-15 21:25:18 UTC
11. New upstream version, fixing a heap o...

Author: Peter Palfrader
Revision Date: 2011-12-15 21:25:18 UTC

New upstream version, fixing a heap overflow bug related to Tor's
SOCKS code (CVE-2011-2778).

lp:debian/lenny/acpid Mature 2011-12-06 19:23:10 UTC
11. Rebuild to workaround expired buildd ...

Author: Moritz
Revision Date: 2011-12-06 19:23:10 UTC

Rebuild to workaround expired buildd keys

lp:debian/lenny/openjdk-6 Mature 2011-12-04 17:27:25 UTC
4. Build with GCJ on all architectures, ...

Author: Florian Weimer
Revision Date: 2011-12-04 17:27:25 UTC

Build with GCJ on all architectures, due to IcedTea6 bug 631

lp:debian/lenny/clearsilver Mature 2011-11-30 17:57:46 UTC
7. CVE-2011-4357

Author: Moritz
Revision Date: 2011-11-30 17:57:46 UTC

CVE-2011-4357

lp:debian/lenny/evince Mature 2011-11-29 13:53:32 UTC
5. * Non-maintainer upload by the Securi...

Author: Yves-Alexis Perez
Revision Date: 2011-11-29 13:53:32 UTC

* Non-maintainer upload by the Security Team.
* debian/patches:
  - 61_dvi_security backported from the Squeeze package, fixing various
    security issues: CVE-2010-2640, CVE-2010-2641, CVE-2010-2642 and
    CVE-2010-2643. closes: #609534
  - 62_dvi_security backported from upstream git (439c50 and efadec4f) to
    complete previous incomplete fix.

lp:debian/lenny/cups Mature 2011-11-28 15:07:53 UTC
14. * Non-maintainer upload by the Securi...

Author: Yves-Alexis Perez
Revision Date: 2011-11-28 15:07:53 UTC

* Non-maintainer upload by the Security Team.
* debian/patches:
  - str3867 added, fix an infinite loop / heap-based buffer overflow in the
    gif_read_lzw() function (CVE-2011-2896)
  - str3914 added, complete the fix for the previous issue (CVE-2011-3170).

lp:debian/lenny/chasen Mature 2011-11-25 03:41:18 UTC
6. Fix buffer overflow in chasen_sparse_...

Author: NOKUBI Takatsugu
Revision Date: 2011-11-25 03:41:18 UTC

Fix buffer overflow in chasen_sparse_main (CVE-2011-4000)

lp:debian/lenny/wireshark Mature 2011-11-19 01:17:15 UTC
22. * security fixes from Wireshark 1.4.1...

Author: Balint Reczey
Revision Date: 2011-11-19 01:17:15 UTC

* security fixes from Wireshark 1.4.10:
  - Huzaifa Sidhpurwala of Red Hat Security Response Team discovered a
    buffer overflow in the ERF file reader. (CVE-2011-4102)

lp:debian/lenny/freetype Mature 2011-11-18 06:46:24 UTC
15. * Non-maintainer upload by the Securi...

Author: Michael Gilbert
Revision Date: 2011-11-18 06:46:24 UTC

* Non-maintainer upload by the Security Team.
* Fix CVE-2011-3439: vulnerability in CID-keyed Type 1 fonts.

lp:debian/lenny/bind9 Mature 2011-11-16 20:25:57 UTC
19. Apply patch from ISC to fix query.c c...

Author: Florian Weimer
Revision Date: 2011-11-16 20:25:57 UTC

Apply patch from ISC to fix query.c crash (CVE-2011-4313)

lp:debian/lenny/proftpd-dfsg Mature 2011-11-16 10:50:20 UTC
14. Missed the second part of the #3624, ...

Author: Francesco Paolo Lovergine
Revision Date: 2011-11-16 10:50:20 UTC

Missed the second part of the #3624, now added to avoid segfaulting.
(closes: #648922)

lp:debian/lenny/nss Development 2011-11-06 09:11:10 UTC
9. * Explicitly distrust malaysian Digic...

Author: Mike Hommey
Revision Date: 2011-11-06 09:11:10 UTC

* Explicitly distrust Malaysian Digicert Sdn. Bhd CA certificate.
* Address CVE-2011-3640 (Untrusted search path vulnerability).
  Closes: #647614.

lp:debian/lenny/man2html Mature 2011-11-03 20:56:18 UTC
7. man2html.cgi.c: Validate user input a...

Author: Robert Luberda
Revision Date: 2011-11-03 20:56:18 UTC

man2html.cgi.c: Validate user input and make some error messages less
verbose to prevent XSS attacks (CVE-2011-2770).

lp:debian/lenny/mahara Mature 2011-11-03 16:04:03 UTC
14. * SECURITY UPDATE: fix unsanitised UR...

Author: François Marier
Revision Date: 2011-11-03 16:04:03 UTC

* SECURITY UPDATE: fix unsanitised URIs in external feed block (XSS)
  - debian/patches/CVE-2011-2771.dpatch: upstream patch

* SECURITY UPDATE: fix DoS when large or invalid images are uploaded
  - debian/patches/CVE-2011-2772.dpatch: upstream patch

* SECURITY UPDATE: fix CSRF when adding a user to an institution
  - debian/patches/CVE-2011-2773.dpatch: upstream patch

* SECURITY UPDATE: prevent masquerading as another user through MNet
  - debian/patches/mnet_masquerading.dpatch: upstream patch

lp:debian/lenny/python-django Mature 2011-10-28 08:47:50 UTC
9. * Security upload: https://www.djan...

Author: Raphaël Hertzog
Revision Date: 2011-10-28 08:47:50 UTC

* Security upload:
  https://www.djangoproject.com/weblog/2011/sep/09/security-releases-issued/
* Backport the 3 patches provided for Django 1.2 to the old 1.0 version
  provided in Debian Lenny.
  Closes: #641405

lp:debian/lenny/phpldapadmin Mature 2011-10-27 12:54:16 UTC
8. * Non-maintainer upload by the securi...

Author: Jonathan Wiltshire
Revision Date: 2011-10-27 12:54:16 UTC

* Non-maintainer upload by the security team
* CVE-2011-4074 Fix XSS vulnerability in debug code (Closes: #646769)
* CVE-2011-4075 Fix remote code execution by anonymous users (Closes: #646754)

lp:debian/lenny/gnome-games Mature 2011-10-26 01:24:04 UTC
6. Add missing dependency on python-glad...

Author: Josselin Mouette
Revision Date: 2008-11-24 16:05:29 UTC

Add missing dependency on python-glade2. Closes: #506743.

lp:debian/lenny/git-core Mature 2011-10-25 17:03:45 UTC
26. * Non-maintainer upload. * debian/dif...

Author: Jonathan Nieder
Revision Date: 2011-01-13 23:13:05 UTC

* Non-maintainer upload.
* debian/diff/0010-CVE-2010-3906.diff:
  new; gitweb: do not parrot filenames or other arguments given
  in a request without proper quoting (closes: #607248).

lp:debian/lenny/kbd Mature 2011-10-25 16:43:02 UTC
4. * Read /etc/environment or /etc/defau...

Author: Michael Schutte
Revision Date: 2008-06-22 12:45:38 UTC

* Read /etc/environment or /etc/default/locale earlier in the init script,
  closes: #486787. This has caused UNICODE_MODE not to be set properly.
  Thanks to Stanislav Maslovski <stanislav.maslovski@gmail.com> for the
  patch.
* Medium urgency upload because the former bug could have rendered kbd
  nearly useless for some.
* unicode_start: Do not invoke setfont by default, closes: #443645.
* Revert the console-screen.kbd.sh LSB header change from the previous
  revision, again closes: #483607. Handling the original problem properly
  is considered insserv’s responsibility, see #474515.
* openvt: Document the -f switch, closes: #487390.
* Bump Standards-Version to 3.8.0 (no changes needed).

lp:debian/lenny/norwegian Mature 2011-10-25 16:41:52 UTC
5. * Fix up confusion in debian/myspell-...

Author: Tollef Fog Heen
Revision Date: 2008-06-20 21:51:04 UTC

* Fix up confusion in debian/myspell-n[bn].info-myspell which broke
  hyphenation support in openoffice.org. Closes: 483806
* Correct typo in aspell-no.postinst (missing space before ]).

lp:debian/lenny/linuxtv-dvb-apps Mature 2011-10-25 14:17:18 UTC
6. * Switch postinst to check for /dev/M...

Author: Mark Purcell
Revision Date: 2008-10-22 22:05:02 UTC

* Switch postinst to check for /dev/MAKEDEV
  - /var/lib/dpkg/info/dvb-apps.postinst: line 6: /sbin/MAKEDEV: No such
  file or directory (Closes: #502831)

lp:debian/lenny/fvwm-crystal Mature 2011-10-25 14:01:13 UTC
3. Fix a bashism in mplayer wrapper, tha...

Author: Vincent Bernat
Revision Date: 2008-07-07 08:14:39 UTC

Fix a bashism in mplayer wrapper, thanks to Raphaël Geissert
(Closes: #489598)

lp:debian/lenny/otrs2 Mature 2011-10-25 13:53:13 UTC
6. * Added patch fix-sql-injection.diff,...

Author: Patrick Matthäi
Revision Date: 2010-02-08 00:03:27 UTC

* Added patch fix-sql-injection.diff, which adds missing security quoting in
  SQL statements. Authenticated users may become administrative privileges.
  This fixes CVE-2010-0438.
* Change maintainer also in security upload (for further users questions).

lp:debian/lenny/fontmatrix Mature 2011-10-25 13:50:53 UTC
2. Added libfontconfig1-dev, libpng12-d...

Author: Oleksandr Moskalenko
Revision Date: 2008-04-21 08:48:04 UTC

Added libfontconfig1-dev, libpng12-dev, libice-dev, libsm-dev, libxi-dev,
libxrandr-dev, libxrender-dev to build-depends as qt4 doesn't depend on
them directly anymore (Closes: #477003).

lp:debian/lenny/childsplay-alphabet-sounds-sv Mature 2011-10-25 13:44:49 UTC
4. Put soundifles on '/usr/share/childsp...

Author: Sergio Talens-Oliag
Revision Date: 2006-12-21 23:55:13 UTC

Put soundfiles on '/usr/share/childsplay/Data/AlphabetSounds/sv' instead
of '/usr/share/childsplay/Data/AlphabetSounds' (Closes: Bug#403992).

lp:debian/lenny/klavaro Mature 2011-10-25 12:55:29 UTC
3. * New upstream release. * src/Makefil...

Author: Bart Martens
Revision Date: 2008-06-29 20:31:38 UTC

* New upstream release.
* src/Makefile.in: Reverted change of 1.1.0-1. No longer needed.
* src/keyboard.h: Default keyboard layout set to qwerty_us.

lp:debian/lenny/pyexiv2 Mature 2011-10-25 12:28:37 UTC
3. * Move packaging to Python Modules Pa...

Author: Michal Čihař
Revision Date: 2008-06-07 12:31:21 UTC

* Move packaging to Python Modules Packaging Team:
  - Change Vcs fields in debian/control.
  - Add team to Uploaders.
* Update to standards 3.8.0.

lp:debian/lenny/console-tools Mature 2011-10-25 12:25:08 UTC
5. * Non-maintainer upload. * Fix proble...

Author: Peter Eisentraut
Revision Date: 2008-04-15 22:54:36 UTC

* Non-maintainer upload.
* Fix problems with LSB header in init.d script. Closes: #475823.
* Replace ${Source-Version} by ${binary:Version} and ${source:Version} to
  make package binNMU-safe. Closes: #434449.

lp:debian/lenny/suomi-malaga Mature 2011-10-25 12:19:05 UTC
4. * New upstream release * Update debia...

Author: Timo Jyrinki
Revision Date: 2008-04-29 22:39:14 UTC

* New upstream release
* Update debian/copyright to fix lintian warning and more

lp:debian/lenny/childsplay-alphabet-sounds-ca Mature 2011-10-25 12:07:55 UTC
2. New upstream release.

Author: Sergio Talens-Oliag
Revision Date: 2006-10-01 00:38:19 UTC

New upstream release.

lp:debian/lenny/openclipart Mature 2011-10-25 11:41:44 UTC
4. new maintainer

Author: Rene Engelhard
Revision Date: 2007-01-27 19:52:13 UTC

new maintainer

lp:debian/lenny/nateon Mature 2011-10-25 10:37:44 UTC
4. Add more missing #include <cstdlib>.

Author: Changwoo Ryu
Revision Date: 2008-05-31 09:15:46 UTC

Add more missing #include <cstdlib>.

lp:debian/lenny/kde-icons-crystalproject Mature 2011-10-25 10:26:58 UTC
3. * Bumped standards version * Added Ho...

Author: Bastian Venthur
Revision Date: 2008-03-26 15:31:13 UTC

* Bumped standards version
* Added Homepage field

lp:debian/lenny/puppet Mature 2011-10-22 17:07:22 UTC
6. Fix SSL impersonation attack by disab...

Author: Stig Sandbeck Mathisen
Revision Date: 2011-10-22 17:07:22 UTC

Fix SSL impersonation attack by disabling "certdnsnames"
(CVE-2011-3848)

lp:debian/lenny/radvd Development 2011-10-14 08:58:40 UTC
6. * Non-maintainer upload by the Securi...

Author: Yves-Alexis Perez
Revision Date: 2011-10-14 08:58:40 UTC

* Non-maintainer upload by the Security Team.
* debian/patches: backport patches from upstream to fix various security
  issues: closes: #644614
  - 0001-set_interface_var-doesn-t-check-interface-name-and-b fix arbitrary
    file overwrite (CVE-2011-3602)
  - 0002-main-must-fail-on-privsep_init-errors-it-must-not-ru,
    0003-privsep_read_loop-should-return-on-unprivileged-daem and
    0004-Really-exit-on-privsep-init-failure fix failure to check return
    code of privilege dropping function (CVE-2011-3603)
  - 0005-process_ra-has-numerous-missed-len-checks.-It-leads- fix multiple
    buffer overreads (CVE-2011-3604)
  - 0006-removing-mdelay-in-unicast-only-case fix a denial of service
    (CVE-2011-3605)
  - 0007-checking-iface-name-more-carefully on top of
    0001-set_interface_var-doesn-t-check-interface-name-and-b
    (CVE-2011-3602)

lp:debian/lenny/phppgadmin Mature 2011-10-10 10:25:50 UTC
11. Fix CVE-2011-3598 (XSS).

Author: Christoph Berg
Revision Date: 2011-10-10 10:25:50 UTC

Fix CVE-2011-3598 (XSS).

lp:debian/lenny/libdigest-perl Mature 2011-10-07 18:35:21 UTC
5. [CVE-2011-3597] Fix unsafe use of eva...

Author: Ansgar Burchardt
Revision Date: 2011-10-07 18:35:21 UTC

[CVE-2011-3597] Fix unsafe use of eval in Digest->new().

lp:debian/lenny/dokuwiki Mature 2011-10-06 21:03:07 UTC
8. debian/patches/rss_security.diff: avo...

Author: Tanguy Ortolo
Revision Date: 2011-10-06 21:03:07 UTC

debian/patches/rss_security.diff: avoid calling an undefined function.
(Closes: #644145)

lp:debian/lenny/moin Mature 2011-10-04 16:55:21 UTC
9. * Non-maintainer upload. * Add patch ...

Author: Steve McIntyre
Revision Date: 2011-10-04 16:55:21 UTC

* Non-maintainer upload.
* Add patch from upstream to fix a cross-site scripting vulnerability in
  the rst parser (CVE-2011-1058). Closes: #643904

lp:debian/lenny/quagga Development 2011-10-02 14:28:25 UTC
12. * SECURITY: This is a backport of t...

Author: Florian Weimer
Revision Date: 2011-10-02 14:28:25 UTC

* SECURITY:
  This is a backport of the security patches of Quagga 0.99.19 and 0.99.20:
  - The vulnerabilities CVE-2011-3324 and CVE-2011-3323 are related to the
    IPv6 routing protocol (OSPFv3) implemented in ospf6d daemon. Receiving
    modified Database Description and Link State Update messages,
    respectively, can result in denial of service in IPv6 routing.
  - The vulnerability CVE-2011-3325 is a denial of service vulnerability
    related to Hello message handling by the OSPF service. As Hello messages
    are used to initiate adjacencies, exploiting the vulnerability may be
    feasible from the same broadcast domain without an established adjacency.
    A malformed packet may result in denial of service in IPv4 routing.
  - The vulnerability CVE-2011-3326 results from the handling of LSA (Link
    State Advertisement) states in the OSPF service. Receiving a modified
    Link State Update message with malicious state information can result in
    denial of service in IPv4 routing.
  - The vulnerability CVE-2011-3327 is related to the extended communities
    handling in BGP messages. Receiving a malformed BGP update can result in
    a buffer overflow and disruption of IPv4 routing.

lp:debian/lenny/tesseract Mature 2011-10-02 05:01:27 UTC
5. Disable xterm-based debug windows (cl...

Author: Jeffrey Ratcliffe
Revision Date: 2011-03-05 23:10:34 UTC

Disable xterm-based debug windows (closes: #612032, LP: #607297). Thanks
to Kees Cook for the bug report.

lp:debian/lenny/pam-pgsql Mature 2011-10-02 01:38:32 UTC
4. add debian/patches/ipaddr-crash_60343...

Author: Jan Dittberner
Revision Date: 2011-02-23 10:50:11 UTC

add debian/patches/ipaddr-crash_603436.patch: fix crash on long
addresses that trigger signedness in "%d", thanks to Kees Cook for the
patch (LP: #722386, Closes: 603436).

lp:debian/lenny/tzdata Mature 2011-09-26 20:48:25 UTC
9. * New upstream release: - Update DS...

Author: Aurelien Jarno
Revision Date: 2011-09-26 20:48:25 UTC

* New upstream release:
  - Update DST rules for Ukraine. Closes: #642232.
  - Update DST rules for Belarus. Closes: #641846.

lp:debian/lenny/xapian-omega Mature 2011-09-26 01:14:49 UTC
6. * Fix escaping issues in templates: g...

Author: Olly Betts
Revision Date: 2011-09-26 01:14:49 UTC

* Fix escaping issues in templates: godmode, opensearch, query, xml.
  + Undocumented and apparently unused CGI parameter HILITECLASS is
    no longer supported by the xml template.

lp:debian/lenny/v86d Mature 2011-09-22 15:45:35 UTC
4. * Fix CVE-2011-1070: failure to valid...

Author: Evgeni Golov
Revision Date: 2011-09-22 15:45:35 UTC

* Fix CVE-2011-1070: failure to validate netlink message sender
  + Adding 02_CVE-2011-1070.patch
  + Closes: #619404
* Do not include random kernel headers in CFLAGS.
  + Adding 03_dont-include-kernel.patch
  + Closes: #525415

lp:debian/lenny/mantis Mature 2011-09-12 13:41:03 UTC
10. * Bump package version to 'lenny6' fo...

Author: Dario Minnucci
Revision Date: 2011-09-12 13:41:03 UTC

* Bump package version to 'lenny6' for another security upload try
  as requested by Moritz.
  Previous upload was rejected by dak. Reject Reasons:
   + md5sum for mantis_1.1.6+dfsg.orig.tar.gz doesn't match
   + size for mantis_1.1.6+dfsg.orig.tar.gz doesn't match

lp:debian/lenny/dtc Mature 2011-09-11 05:15:26 UTC
8. * QA upload fixing: - Removed old i...

Author: Thomas Goirand
Revision Date: 2011-09-11 05:15:26 UTC

* QA upload fixing:
  - Removed old iGlobalWall folder which included unwanted information.
  - Removed sourceless OSX mod_log_sql.so files (Closes: #637469).
  - Fixes lists shell injection issue (Closes: #637477).
  - Sets unix rights to non-world readable for the apache2.conf file,
  since it contains SQL access password (Closes: #637485).
  - Now htmlspecialchars() the output of DNS & MX, preventing a possible
  HTML injection issue (Closes: #637584).
  - Fixes "package installer includes php files in untrusted directories"
  if some package install packages are installed (Closes: #637629, #637630).
  - Adds htmlspecialchars() in the ticket display.
  - Fixes sudo access to chrootuid is giving access to root using the new
  dtc-chroot-wrapper (Closes: #637618).
  - Not using htpasswd -b to create .htpasswd files (Closes: #637537).
  - Checks $_SERVER["addrlink"] input correctly, since it could lead to very
  bad SQL insertion (Closes: #637487 ).
  - Fixes an SQL injection in package installer (Closes: #637632).
  - Fixes an SQL injection in the draw_user_admin.php (Closes: #637669).

lp:debian/lenny/squid3 Mature 2011-09-10 13:24:31 UTC
20. * Non-maintainer upload by the Securi...

Author: Nico Golde
Revision Date: 2011-09-10 13:24:31 UTC

* Non-maintainer upload by the Security Team.
* Fix buffer overflow on long gopher server replies
  (CVE-2011-3205; Closes: #639755).
