Branches for Hardy

Author: Daniel Hahler
Revision Date: 2012-03-27 22:09:13 UTC

* Rebuild for 2.6.24-31 (LP: #875058)
  - debian/control: s/2.6.24-28/2.6.24-31/g

Author: Tyler Hicks
Revision Date: 2012-04-12 05:28:44 UTC

[ Steve Beattie ]
* SECURITY UPDATE: unauthenticated remote code execution via
  RPC calls (LP: #978458)
  - debian/patches/security-CVE-2012-1182.patch: make variable length
    check be consistent with memory allocation size computation.
  - CVE-2012-1182

Author: Tyler Hicks
Revision Date: 2012-04-12 05:28:44 UTC

[ Steve Beattie ]
* SECURITY UPDATE: unauthenticated remote code execution via
  RPC calls (LP: #978458)
  - debian/patches/security-CVE-2012-1182.patch: make variable length
    check be consistent with memory allocation size computation.
  - CVE-2012-1182

Author: Dustin Kirkland 
Revision Date: 2008-11-06 22:15:08 UTC

* Fixes for LP: #290885, backported from Intrepid to Hardy
* Backport functionality to enable booting degraded RAID from Intrepid to
  Hardy
* debian/control: these fixes require initramfs-tools >= 0.85eubuntu39.3
* debian/initramfs/init-premount: enhance the init handling to allow for
  booting a degraded RAID, and add the appropriate fail hook
* debian/mdadm-udeb.dirs, debian/mdadm.config, debian/mdadm.postinst,
  debian/po/*, debian/install-rc, debian/mdadm-udeb.templates:
  partman/install/debconf boot-degraded-raid configurability
* check.d/root_on_raid, check.d/_numbers: installer script to determine if /
  or /boot is on a RAID device

Author: Dustin Kirkland 
Revision Date: 2008-11-06 22:15:08 UTC

* Fixes for LP: #290885, backported from Intrepid to Hardy
* Backport functionality to enable booting degraded RAID from Intrepid to
  Hardy
* debian/control: these fixes require initramfs-tools >= 0.85eubuntu39.3
* debian/initramfs/init-premount: enhance the init handling to allow for
  booting a degraded RAID, and add the appropriate fail hook
* debian/mdadm-udeb.dirs, debian/mdadm.config, debian/mdadm.postinst,
  debian/po/*, debian/install-rc, debian/mdadm-udeb.templates:
  partman/install/debconf boot-degraded-raid configurability
* check.d/root_on_raid, check.d/_numbers: installer script to determine if /
  or /boot is on a RAID device

Author: Luke Yelavich
Revision Date: 2008-02-18 12:10:40 UTC

debian/initramfs/init-premount: Make sure the script exists when it is called
with mountfail.

Author: Marc Deslauriers
Revision Date: 2009-07-15 13:06:03 UTC

* SECURITY UPDATE: certificate spoofing via invalid return value check
  in OCSP_basic_verify
  - debian/patches/904_security_CVE-2009-0642.dpatch: also check for -1
    return code in ext/openssl/ossl_ocsp.c.
  - CVE-2009-0642
* SECURITY UPDATE: denial of service in BigDecimal library via string
  argument that represents a large number (LP: #385436)
  - debian/patches/905_security_CVE-2009-1904.dpatch: handle large
    numbers properly in ext/bigdecimal/bigdecimal.c.
  - CVE-2009-1904

Author: Michael Vogt
Revision Date: 2007-11-23 16:08:57 UTC

* Merge from debian unstable, remaining changes:
  - Adjust configure options for lpia.
  - add -g when build with noopt

Author: Jamie Strandboge
Revision Date: 2009-10-07 11:33:48 UTC

* SECURITY UPDATE: fix improper handling of invalid byte sequences
  during Unicode conversion
  - debian/07-CVE-2009-0153.patch: backported patch thanks to RedHat via
    Debian
  - 03-redhat.icu5797.patch, 04-redhat.icu6001.patch, and
    05-redhat.icu6002.patch required for applying 07-CVE-2009-0153.patch
    with 06-CVE-2008-1036.patch needing adjustments. Patch from Debian.
  - CVE-2009-0153

Author: Jamie Strandboge
Revision Date: 2009-10-07 11:33:48 UTC

* SECURITY UPDATE: fix improper handling of invalid byte sequences
  during Unicode conversion
  - debian/07-CVE-2009-0153.patch: backported patch thanks to RedHat via
    Debian
  - 03-redhat.icu5797.patch, 04-redhat.icu6001.patch, and
    05-redhat.icu6002.patch required for applying 07-CVE-2009-0153.patch
    with 06-CVE-2008-1036.patch needing adjustments. Patch from Debian.
  - CVE-2009-0153

Author: Jay Berkenbilt
Revision Date: 2008-02-07 12:58:34 UTC

* Add debian/patches/00-cve-2007-4770-4771.patch created from with
  svn diff -c 23292 \
  http://source.icu-project.org/repos/icu/icu/branches/maint/maint-3-8
  to address the following security vulnerablilities:
   - CVE-2007-4770: reference to non-existent capture group may
     cause access to invalid memory
   - CVE-2007-4771: buffer overflow in regexcmp.cpp
  (Closes: #463688)
* Updated standards version to 3.7.3: no changes required.

Author: Marc Deslauriers
Revision Date: 2012-03-28 09:25:59 UTC

* SECURITY UPDATE: Update to 5.0.96 to fix security issues (LP: #965523)
  - http://dev.mysql.com/doc/refman/5.0/en/news-5-0-96.html

Author: Marc Deslauriers
Revision Date: 2012-04-05 08:47:42 UTC

* SECURITY UPDATE: denial of service and possible code execution via
  memory corruption issue.
  - pngset.c: correctly restore to previous condition.
  - Patch from Debian's 1.2.44-1+squeeze4 update
  - CVE-2011-3048

Author: Marc Deslauriers
Revision Date: 2012-04-05 08:47:42 UTC

* SECURITY UPDATE: denial of service and possible code execution via
  memory corruption issue.
  - pngset.c: correctly restore to previous condition.
  - Patch from Debian's 1.2.44-1+squeeze4 update
  - CVE-2011-3048

Author: Daniel Hahler
Revision Date: 2012-03-27 22:09:13 UTC

* Rebuild for 2.6.24-31 (LP: #875058)
  - debian/control: s/2.6.24-28/2.6.24-31/g

Author: Marc Deslauriers
Revision Date: 2012-02-14 10:49:11 UTC

* SECURITY UPDATE: arbitrary code execution via crafted SetEnvIf
  directive (LP: #811422)
  - debian/patches/220_CVE-2011-3607.dpatch: validate length in
    server/util.c.
  - CVE-2011-3607
* SECURITY UPDATE: another mod_proxy reverse proxy exposure
  - debian/patches/221_CVE-2011-4317.dpatch: validate additional URIs in
    modules/mappers/mod_rewrite.c, modules/proxy/mod_proxy.c,
    server/protocol.c.
  - CVE-2011-4317
* SECURITY UPDATE: denial of service and possible code execution via
  type field modification within a scoreboard shared memory segment
  - debian/patches/222_CVE-2012-0031.dpatch: check type field in
    server/scoreboard.c.
  - CVE-2012-0031
* SECURITY UPDATE: cookie disclosure via Bad Request errors
  - debian/patches/223_CVE-2012-0053.dpatch: check lengths in
    server/protocol.c.
  - CVE-2012-0053

Author: Marc Deslauriers
Revision Date: 2012-02-14 10:49:11 UTC

* SECURITY UPDATE: arbitrary code execution via crafted SetEnvIf
  directive (LP: #811422)
  - debian/patches/220_CVE-2011-3607.dpatch: validate length in
    server/util.c.
  - CVE-2011-3607
* SECURITY UPDATE: another mod_proxy reverse proxy exposure
  - debian/patches/221_CVE-2011-4317.dpatch: validate additional URIs in
    modules/mappers/mod_rewrite.c, modules/proxy/mod_proxy.c,
    server/protocol.c.
  - CVE-2011-4317
* SECURITY UPDATE: denial of service and possible code execution via
  type field modification within a scoreboard shared memory segment
  - debian/patches/222_CVE-2012-0031.dpatch: check type field in
    server/scoreboard.c.
  - CVE-2012-0031
* SECURITY UPDATE: cookie disclosure via Bad Request errors
  - debian/patches/223_CVE-2012-0053.dpatch: check lengths in
    server/protocol.c.
  - CVE-2012-0053

Author: Tyler Hicks
Revision Date: 2012-02-15 03:33:36 UTC

* SECURITY UPDATE: Arbitrary code execution via crafted filenames in .dsc
  and .changes files
  - scripts/debdiff.pl: Perform input sanitization on filenames. Thanks to
    Raphael Geissert for the original patch.
  - CVE-2012-0210
* SECURITY UPDATE: Arbitrary code execution via crafted filenames in the top
  level directory of the original upstream source tarball
  - scripts/debdiff.pl: Perform input sanitization on filenames. Thanks to
    Adam D. Barratt for the original patch.
  - CVE-2012-0211
* SECURITY UPDATE: Arbritray code execution via crafted filenames in
  arguments passed to debdiff
  - scripts/debdiff.pl: Perform input sanitization on filenames. Based on
    upstream patches.
  - http://anonscm.debian.org/gitweb/?p=devscripts/devscripts.git;a=commitdiff;h=87f88232eb643f0c118c6ba38db8e966915b450f
  - http://anonscm.debian.org/gitweb/?p=devscripts/devscripts.git;a=commitdiff;h=76227af1ee8d68f4844f642325eac903ca21e739
  - CVE-2012-0212
* scripts/debdiff.pl: Remove undocumented functionality which treated
  files with extentionless filenames as packages. Thanks to Adam D. Barratt
  for the original patch.
  - http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=659559

Author: Tyler Hicks
Revision Date: 2012-02-15 03:33:36 UTC

* SECURITY UPDATE: Arbitrary code execution via crafted filenames in .dsc
  and .changes files
  - scripts/debdiff.pl: Perform input sanitization on filenames. Thanks to
    Raphael Geissert for the original patch.
  - CVE-2012-0210
* SECURITY UPDATE: Arbitrary code execution via crafted filenames in the top
  level directory of the original upstream source tarball
  - scripts/debdiff.pl: Perform input sanitization on filenames. Thanks to
    Adam D. Barratt for the original patch.
  - CVE-2012-0211
* SECURITY UPDATE: Arbritray code execution via crafted filenames in
  arguments passed to debdiff
  - scripts/debdiff.pl: Perform input sanitization on filenames. Based on
    upstream patches.
  - http://anonscm.debian.org/gitweb/?p=devscripts/devscripts.git;a=commitdiff;h=87f88232eb643f0c118c6ba38db8e966915b450f
  - http://anonscm.debian.org/gitweb/?p=devscripts/devscripts.git;a=commitdiff;h=76227af1ee8d68f4844f642325eac903ca21e739
  - CVE-2012-0212
* scripts/debdiff.pl: Remove undocumented functionality which treated
  files with extentionless filenames as packages. Thanks to Adam D. Barratt
  for the original patch.
  - http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=659559

Author: Imre Gergely
Revision Date: 2012-02-08 23:24:53 UTC

* SECURITY UPDATE: temporary DoS with specially crafted packets (LP: #918588)
  - debian/patches/CVE-2012-0206.dpatch: prevent the auth servers from
    entering a packet loop. Based on upstream suggestion.
  - CVE-2012-0206

Author: Imre Gergely
Revision Date: 2012-02-08 23:24:53 UTC

* SECURITY UPDATE: temporary DoS with specially crafted packets (LP: #918588)
  - debian/patches/CVE-2012-0206.dpatch: prevent the auth servers from
    entering a packet loop. Based on upstream suggestion.
  - CVE-2012-0206

Author: Clint Byrum
Revision Date: 2010-12-02 00:21:30 UTC

70_remove_open-whois.org.dpatch: Remove open-whois.org (LP: #551655)

Author: Scott Kitterman
Revision Date: 2010-12-02 07:22:43 UTC

[ Clint Byrum ]
70_remove_open-whois.org.dpatch: Remove open-whois.org (LP: #551655)

Author: Harald Jenny
Revision Date: 2012-01-17 16:53:31 UTC

* SECURITY UPDATE: symlink attack through predictable filenames in /tmp
  - debian/patches/02-fix-unsecure-tmp-file.dpatch: change
    programs/livetest/livetest.in to use mktemp for temporary file creation.
    Patch taken from Debian openswan 1:2.4.12+dfsg-1.3 package.
  - http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=496374
* SECURITY UPDATE: denial of service attack via malicious Dead Peer Detection
  packet
  - debian/patches/03-CVE-2009-0790.dpatch: adjust programs/pluto/demux.c to
    check for a possbile NULL value. Patch taken from Debian openswan
    1:2.4.12+dfsg-1.3+lenny1 package.
  - CVE-2009-0790
* SECURITY UPDATE: denial of service attack via specially crafted X.509
  certificate
  - debian/patches/04-CVE-2009-2185.dpatch: create include/oswtime.h and
    modify programs/pluto/asn1.c as well as lib/libopenswan/optionsfrom.c to
    do proper checks on certificate objects length. Patch taken from Debian
    openswan 1:2.4.12+dfsg-1.3+lenny2 package.
  - CVE-2009-2185
* SECURITY UPDATE: denial of service attack via deliberately interrupted
  IPSec connection attempt
  - debian/patches/05-2.4.9-CVE-2011-4073.dpatch: change
    programs/pluto/ikev1_continuations.h and programs/pluto/ikev1_quick.c to
    check for vanished ISAKMP SA in Quick Mode negotiation. Patch taken from
    Debian openswan 1:2.4.12+dfsg-1.3+lenny3 package and slightly modified.
  - CVE-2011-4073
(LP: #917754)

Author: Harald Jenny
Revision Date: 2012-01-17 16:53:31 UTC

* SECURITY UPDATE: symlink attack through predictable filenames in /tmp
  - debian/patches/02-fix-unsecure-tmp-file.dpatch: change
    programs/livetest/livetest.in to use mktemp for temporary file creation.
    Patch taken from Debian openswan 1:2.4.12+dfsg-1.3 package.
  - http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=496374
* SECURITY UPDATE: denial of service attack via malicious Dead Peer Detection
  packet
  - debian/patches/03-CVE-2009-0790.dpatch: adjust programs/pluto/demux.c to
    check for a possbile NULL value. Patch taken from Debian openswan
    1:2.4.12+dfsg-1.3+lenny1 package.
  - CVE-2009-0790
* SECURITY UPDATE: denial of service attack via specially crafted X.509
  certificate
  - debian/patches/04-CVE-2009-2185.dpatch: create include/oswtime.h and
    modify programs/pluto/asn1.c as well as lib/libopenswan/optionsfrom.c to
    do proper checks on certificate objects length. Patch taken from Debian
    openswan 1:2.4.12+dfsg-1.3+lenny2 package.
  - CVE-2009-2185
* SECURITY UPDATE: denial of service attack via deliberately interrupted
  IPSec connection attempt
  - debian/patches/05-2.4.9-CVE-2011-4073.dpatch: change
    programs/pluto/ikev1_continuations.h and programs/pluto/ikev1_quick.c to
    check for vanished ISAKMP SA in Quick Mode negotiation. Patch taken from
    Debian openswan 1:2.4.12+dfsg-1.3+lenny3 package and slightly modified.
  - CVE-2011-4073
(LP: #917754)

Author: Michael Vogt
Revision Date: 2012-01-18 10:09:26 UTC

* UpdateManager/Core/MetaRelease.py, UpdateManager/MetaReleaseGObject.py:
  - fix "no longer supported" message (LP: #364583)

Author: Colin Watson
Revision Date: 2012-01-06 12:23:00 UTC

[ Scott Moser ]
Add --quiet to dpkg-divert calls in chroot_setup.

Author: Colin Watson
Revision Date: 2012-01-06 12:23:00 UTC

[ Scott Moser ]
Add --quiet to dpkg-divert calls in chroot_setup.

Author: Jamie Strandboge
Revision Date: 2011-12-21 12:27:41 UTC

SECURITY UPDATE: fix unsafe lockfile creation. The scope of this
is limited by when this script is run, but it is still worthwhile
to get this cleaned up (LP: #876994)

Author: Jamie Strandboge
Revision Date: 2011-12-21 12:27:41 UTC

SECURITY UPDATE: fix unsafe lockfile creation. The scope of this
is limited by when this script is run, but it is still worthwhile
to get this cleaned up (LP: #876994)

Author: Ubuntu Archive Auto-Sync
Revision Date: 2011-12-15 10:14:04 UTC

Automated backport upload; no source changes.

Author: Tyler Hicks
Revision Date: 2011-12-12 11:32:00 UTC

* SECURITY UPDATE: Fix temporary file creation race condition
  - bzexe: Ensure link target is a regular file. Patch from vladz.
  - http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=632862#5
  - CVE-2011-4089

Author: Tyler Hicks
Revision Date: 2011-12-12 11:32:00 UTC

* SECURITY UPDATE: Fix temporary file creation race condition
  - bzexe: Ensure link target is a regular file. Patch from vladz.
  - http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=632862#5
  - CVE-2011-4089

Author: Jelmer Vernooij
Revision Date: 2011-12-11 02:24:50 UTC

releasing version 0.7.2+bzr162-0ubuntu1~1.IS.8.04

Author: Marc Deslauriers
Revision Date: 2011-11-28 09:38:19 UTC

No change rebuild for security. This is needed to build update-manager
in the security pocket.

Author: Marc Deslauriers
Revision Date: 2011-11-28 09:38:19 UTC

No change rebuild for security. This is needed to build update-manager
in the security pocket.

Author: Evan Broder
Revision Date: 2011-11-10 23:47:14 UTC

* Backport to hardy:
  - Use source format 1.0, and use the old quilt makefile include (Hardy
    predates dh_quilt_patch and the quilt sequence)
  - Drop debhelper build-dependency version
  - Replace override_% syntax with old-style dh --before and dh --after
    syntax

Author: Abhishek kumar singh
Revision Date: 2011-10-18 10:59:31 UTC

*
* #!/bin/sh is changed to #!/bin/bash.

Author: Rolf Leggewie
Revision Date: 2011-07-29 22:25:11 UTC

backport patch from Aloisio Almeida Jr to fix logging. LP: #697788

Author: Rolf Leggewie
Revision Date: 2011-07-29 22:25:11 UTC

backport patch from Aloisio Almeida Jr to fix logging. LP: #697788

Author: Sebastien Bacher
Revision Date: 2008-07-17 11:37:33 UTC

The glib version used to build the previous revision had buggy big endian
detection code, no change upload to rebuild using the new fixed version
(bug #245150)

Author: Sebastien Bacher
Revision Date: 2008-07-17 11:37:33 UTC

The glib version used to build the previous revision had buggy big endian
detection code, no change upload to rebuild using the new fixed version
(bug #245150)

Author: Sebastien Bacher
Revision Date: 2008-04-09 23:38:32 UTC

* debian/patches/81_dont_change_ggz_build_requirements.patch,
  debian/patches/99_reautoconf.patch:
  - revert the upstream changes which require the server directory

Author: Rich Johnson
Revision Date: 2008-01-14 10:25:58 UTC

* New upstream release
* Dropped kubuntu_01_no_progress_dialogue.diff - implemented upstream
* Updated debian/cdbs to contain the latest checkout in use for our KDE 4
  packages
* Updated debian/rules accordingly
* Updated debian/control - bumped standards to 3.7.3 and libqtwebkit-dev to
  0~svn27674-2

Author: Marc Deslauriers
Revision Date: 2009-02-12 15:49:08 UTC

[ David Leadbeater ]
* SECURITY UPDATE: Fix remote code execution in gitweb (LP: #317052)
  - CVE-2008-5516: http://repo.or.cz/w/git.git?a=commitdiff;h=c582abae
  - CVE-2008-5517: http://repo.or.cz/w/git.git?a=commitdiff;h=516381d5

[ Marc Deslauriers ]
* SECURITY UPDATE: arbitrary code execution via long PATH in diff_addremove
  and diff_change (LP: #248750)
  - debian/diff/0007-SECURITY-CVE-2008-3546.diff: safely build the full path.
  - CVE-2008-3546
* SECURITY UPDATE: arbitrary command execution via diff.external configuration
  variable.
  - debian/diff/0008-SECURITY-CVE-2008-5916.diff: remove unused legacy-style
    URI code in gitweb/gitweb.perl.
  - CVE-2008-5916

Author: Marc Deslauriers
Revision Date: 2009-02-12 15:49:08 UTC

[ David Leadbeater ]
* SECURITY UPDATE: Fix remote code execution in gitweb (LP: #317052)
  - CVE-2008-5516: http://repo.or.cz/w/git.git?a=commitdiff;h=c582abae
  - CVE-2008-5517: http://repo.or.cz/w/git.git?a=commitdiff;h=516381d5

[ Marc Deslauriers ]
* SECURITY UPDATE: arbitrary code execution via long PATH in diff_addremove
  and diff_change (LP: #248750)
  - debian/diff/0007-SECURITY-CVE-2008-3546.diff: safely build the full path.
  - CVE-2008-3546
* SECURITY UPDATE: arbitrary command execution via diff.external configuration
  variable.
  - debian/diff/0008-SECURITY-CVE-2008-5916.diff: remove unused legacy-style
    URI code in gitweb/gitweb.perl.
  - CVE-2008-5916

Author: Bryan Donlan
Revision Date: 2008-04-06 18:53:53 UTC

debian/rules: Use wish8.4 for the tcl interpreter, to match our dependency
in debian/control. (LP: #196846)

Author: Colin Watson
Revision Date: 2008-02-04 14:19:21 UTC

loadkeys_console-setup.patch: Use ckbcomp to get the keyboard layout if
other data files are not available (LP: #83487).

Author: Matthias Klose
Revision Date: 2007-11-28 09:35:36 UTC

Drop build-dependency on ssed (last use in main); we don't care
about how fast the package is built.

Author: Debian VDR Team
Revision Date: 2007-08-06 21:41:18 UTC

[ Mark Purcell ]
* Update scan files from 20070804
  - initial-tuning-data files duplication between dvb-utils & kaffeine
  (Closes: #419566)
* Add myself to uploaders
* Add debian/compat: lintian debian-rules-sets-DH_COMPAT

Author: Gonéri Le Bouder
Revision Date: 2007-01-24 22:16:48 UTC

* Non-maintainer upload.
* Remove mozilla, opera and acroread icons and remplace them with icons from
  kde-icons-crystalclear (Closes: 389127).
  - update debian/copyright to precis these icons origin
  - rename mozilla menu entrys
* Remove these non-free icons set: doom doom3 firefox lxdoom mozilla-firefox
  mozilla-thunderbird quake4 realplayer thunderbird ubuntu ut2004 vmware
  skype
* Use local charset instead of ISO-8859-1 in menus (Closes: #392824)

Author: Torsten Werner
Revision Date: 2007-12-08 21:43:01 UTC

* new upstream release
* Add Vcs and Homepage headers to debian/control.
* Switch to debhelper 5.
* Add dutch debconf translation. (Closes: #449414)

Author: Sergio Talens-Oliag
Revision Date: 2006-12-21 23:55:13 UTC

Put soundifles on '/usr/share/childsplay/Data/AlphabetSounds/sv' instead
of '/usr/share/childsplay/Data/AlphabetSounds' (Closes: Bug#403992).

Author: Bart Martens
Revision Date: 2008-01-12 20:16:08 UTC

New upstream release.

Author: Steve Langasek
Revision Date: 2008-02-20 09:20:08 UTC

No-change rebuild against libexiv2-2.

Author: Soren Hansen
Revision Date: 2008-02-06 21:58:40 UTC

Remove shlibs.local. It wasn't needed and made console-tools-udeb depend
on libconsole (not -udeb).

Author: Timo Jyrinki
Revision Date: 2008-01-10 22:16:23 UTC

* New upstream version
* Update standards-version to 3.7.3 (no changes)
* Use new official "Homepage" field in control file
* Add new Vcs-* fields as supported in dpkg 1.14.6 (thanks to Teemu Likonen)

Author: Sergio Talens-Oliag
Revision Date: 2006-10-01 00:38:19 UTC

New upstream release.

Author: Luca Falavigna
Revision Date: 2008-01-07 00:14:53 UTC

* debian/rules: set /bin/bash as default shell, fix FTBFS
* debian/control: update Maintainer field as per spec

Author: Bastian Venthur
Revision Date: 2007-07-23 17:59:50 UTC

Upstream renamed Crystal Clear to Crystal Project, so do I

Author: Marc Deslauriers
Revision Date: 2011-10-18 10:31:55 UTC

* SECURITY UPDATE: possible code execution via incorrect environment file
  parsing (LP: #874469)
  - debian/patches-applied/CVE-2011-3148.patch: correctly count leading
    whitespace when parsing environment file in
    Linux-PAM/modules/pam_env/pam_env.c.
  - CVE-2011-3148
* SECURITY UPDATE: denial of service via overflowed environment variable
  expansion (LP: #874565)
  - debian/patches-applied/CVE-2011-3149.patch: when overflowing, exit
    with PAM_BUF_ERR in Linux-PAM/modules/pam_env/pam_env.c.
  - CVE-2011-3149

Author: Jamie Strandboge
Revision Date: 2011-10-20 14:23:00 UTC

* SECURITY UPDATE: temporary file vulnerability (LP: #408915)
  - utils/iscsi_discovery: use mktemp to store iscsiadm -m discovery result
    rather than writing it to an insecurely-created temporary file. Move
    cleanup sooner so we don't leave files around if nothing is discovered.
  - CVE-2009-1297

Author: Jamie Strandboge
Revision Date: 2011-10-20 14:23:00 UTC

* SECURITY UPDATE: temporary file vulnerability (LP: #408915)
  - utils/iscsi_discovery: use mktemp to store iscsiadm -m discovery result
    rather than writing it to an insecurely-created temporary file. Move
    cleanup sooner so we don't leave files around if nothing is discovered.
  - CVE-2009-1297

Author: Marc Deslauriers
Revision Date: 2011-10-18 10:31:55 UTC

* SECURITY UPDATE: possible code execution via incorrect environment file
  parsing (LP: #874469)
  - debian/patches-applied/CVE-2011-3148.patch: correctly count leading
    whitespace when parsing environment file in
    Linux-PAM/modules/pam_env/pam_env.c.
  - CVE-2011-3148
* SECURITY UPDATE: denial of service via overflowed environment variable
  expansion (LP: #874565)
  - debian/patches-applied/CVE-2011-3149.patch: when overflowing, exit
    with PAM_BUF_ERR in Linux-PAM/modules/pam_env/pam_env.c.
  - CVE-2011-3149

Author: James Page
Revision Date: 2011-09-26 11:42:02 UTC

* SECURITY UPDATE: Apache Tomcat Authentication bypass and information
  disclosure (LP: #843701).
 - connectors/jk/java/org/apache/coyote/ajp/AjpAprProcessor.java: Prevent AJP
   request forgery via unread request body packet - upstream patch from Mark
   Thomas
 - http://svn.apache.org/viewvc?view=revision&revision=1162960
 - CVE-2011-3190

Author: Alexander Sack
Revision Date: 2008-04-16 00:39:41 UTC

* fix "frequent crashes with flash on youtube"; we fix this by
  demoting libflashsupport from depends: to suggests: (LP: #192888)
  This has positive as well as negative consequences:
   (+) increased stability for firefox and nspluginwrapper
   (-) pulseaudio users reported that this breaks sound if flash
       while other applications are running that use the sound
       device for output.
  Users that installed libflashsupport during hardy cycle should
  uninstall it to increase stability.
  - update debian/control

Author: Jelmer Vernooij
Revision Date: 2011-10-12 00:54:19 UTC

Add build-conflicts with python-twisted (the version in hardy is too old).

Author: Neal Poole
Revision Date: 2011-07-12 22:31:10 UTC

* SECURITY UPDATE:
    - Merge r3528 from upstream repository to mitigate
      potential null byte vulnerability (LP: #803720)

Author: Jamie Strandboge
Revision Date: 2011-10-05 14:48:27 UTC

* SECURITY UPDATE: unauthenticated directory traversal allows writing of
  arbitrary files as puppet master. Patch thanks to Daniel Pittman from
  upstream puppet.
  - 5107c5a979d74d9da40a4cb8362f8ea3e7fb0dd5
  - CVE-2011-3848
  - LP: #861182
* SECURITY UPDATE: k5login can overwrite arbitrary files as root
  - adjust type/k5login.rb to securely open the file before writing to it as
    root. Patch thanks to Daniel Pittman from upstream puppet.
  - 17bf848bd1fa40fb56e6a83e2ac823e6cce60479
  - CVE-2011-3869

Author: Jelmer Vernooij
Revision Date: 2011-10-03 22:50:59 UTC

releasing version 2.4.0-0ubuntu2~11.IS.8.04

Author: James Page
Revision Date: 2011-09-26 15:54:38 UTC

* SECURITY UPDATE: Apache Tomcat Authentication bypass and information
  disclosure (LP: #843701).
 - d/patches/security-CVE-2011-3190.patch: Patch from upstream to Prevent AJP
   request forgery via unread request body packet.
 - CVE-2011-3190

Author: James Page
Revision Date: 2011-09-26 11:42:02 UTC

* SECURITY UPDATE: Apache Tomcat Authentication bypass and information
  disclosure (LP: #843701).
 - connectors/jk/java/org/apache/coyote/ajp/AjpAprProcessor.java: Prevent AJP
   request forgery via unread request body packet - upstream patch from Mark
   Thomas
 - http://svn.apache.org/viewvc?view=revision&revision=1162960
 - CVE-2011-3190

Author: James Page
Revision Date: 2011-09-26 10:56:33 UTC

* SECURITY UPDATE: Apache Tomcat Authentication bypass and information
  disclosure (LP: #843701).
 - connectors/jk/java/org/apache/coyote/ajp/AjpAprProcessor.java: Prevent AJP
   request forgery via unread request body packet - upstream patch.
 - CVE-2011-3190

Author: Julian Taylor
Revision Date: 2011-09-08 15:27:29 UTC

* SECURITY UPDATE: missing input sanitization allowing execution
  of arbitrary commands (LP: #844743)
  - backported fix from upstream by Chris St. Pierre
  - https://github.com/solj/bcfg2/commit/f4a35efec1b6a1e54d61cf1b8bfc83dd1
  - CVE-2011-3211

Author: Julian Taylor
Revision Date: 2011-09-08 15:27:29 UTC

* SECURITY UPDATE: missing input sanitization allowing execution
  of arbitrary commands (LP: #844743)
  - backported fix from upstream by Chris St. Pierre
  - https://github.com/solj/bcfg2/commit/f4a35efec1b6a1e54d61cf1b8bfc83dd1
  - CVE-2011-3211

Author: Jelmer Vernooij
Revision Date: 2011-08-31 10:31:11 UTC

Fix clean.

Author: Jelmer Vernooij
Revision Date: 2011-08-23 18:17:34 UTC

Merge lucid-cat.

Author: Jelmer Vernooij
Revision Date: 2011-08-23 18:04:27 UTC

releasing version 0.48-5~0.IS.8.04

Author: Marc Deslauriers
Revision Date: 2011-08-03 12:37:16 UTC

* SECURITY UPDATE: arbitrary code execution via crafted PPD file
  - debian/patches/CVE-2011-2697.patch: don't parse named options when
    running as a filter in foomatic-rip.in.
  - CVE-2011-2697

Author: Colin Watson
Revision Date: 2011-08-16 11:24:38 UTC

Honour apt-setup/security_path when constructing initial security
entries in sources.list (LP: #820306).

Author: Colin Watson
Revision Date: 2011-08-16 11:24:38 UTC

Honour apt-setup/security_path when constructing initial security
entries in sources.list (LP: #820306).

Author: Marc Deslauriers
Revision Date: 2011-08-11 11:54:18 UTC

* SECURITY UPDATE: denial of service via specially crafted packets
  - debian/patches/CVE-2011-2748-2749.dpatch: tighten up restriction in
    common/discover.c, properly calculate length in common/options.c,
    validate packet->options in server/dhcp.c.
  - CVE-2011-2748
  - CVE-2011-2749

Author: Marc Deslauriers
Revision Date: 2011-08-11 11:54:18 UTC

* SECURITY UPDATE: denial of service via specially crafted packets
  - debian/patches/CVE-2011-2748-2749.dpatch: tighten up restriction in
    common/discover.c, properly calculate length in common/options.c,
    validate packet->options in server/dhcp.c.
  - CVE-2011-2748
  - CVE-2011-2749

Author: Marc Deslauriers
Revision Date: 2011-08-03 12:37:16 UTC

* SECURITY UPDATE: arbitrary code execution via crafted PPD file
  - debian/patches/CVE-2011-2697.patch: don't parse named options when
    running as a filter in foomatic-rip.in.
  - CVE-2011-2697

Author: Marc Gariépy
Revision Date: 2011-07-21 17:12:19 UTC

Fix bash 4.2 problem (LP: #732322)

Author: Alan Boudreault
Revision Date: 2011-07-12 01:07:50 UTC

* SECURITY UPDATE: SQL Injection and buffer overflows (LP: #809133)
  - debian/patches/09_wfs_sql_injection.dpatch: Fix possible WFS
    SQL injection and buffer overflows in OGC Filter Encoding
    support. [http://trac.osgeo.org/mapserver/ticket/3874]
    [http://trac.osgeo.org/mapserver/ticket/3903]
  - CVE-2011-2703, CVE-2011-2704

Author: Marc Gariépy
Revision Date: 2011-07-21 17:12:19 UTC

Fix bash 4.2 problem (LP: #732322)

Author: Marc Deslauriers
Revision Date: 2011-06-17 14:25:03 UTC

* SECURITY UPDATE: race condition and symlink attacks
  - debian/patches/CVE-2011-1098-1548.patch: prevent races and symlink
    attacks in logrotate.c.
  - CVE-2011-1098
  - CVE-2011-1548
* SECURITY UPDATE: denial of service via invalid characters in log
  filename
  - debian/patches/CVE-2011-1155.patch: properly escape filenames in
    logrotate.c.
  - CVE-2011-1155

Author: Max Bowsher
Revision Date: 2011-07-17 23:30:45 UTC

Merge 2.3.4

Author: Neal Poole
Revision Date: 2011-07-12 21:41:00 UTC

* SECURITY UPDATE:
    - Merge r3528 from upstream repository to mitigate
      potential null byte vulnerability (LP: #803720)

Author: Lionel Le Folgoc
Revision Date: 2008-01-27 11:21:56 UTC

* Merge from Debian unstable. Remaining Ubuntu changes:
  - switch to cdbs
  - debian/control:
    + b-d on autotools-dev, debhelper (>= 5), cdbs and drop chrpath
    + adhere to DebianMaintainerField
  - debian/patches/00_xdg_data_dirs.patch:
    make sure to add /etc/xdg/xubuntu even if XDG_DATA_DIRS is already set
  - debian/patches/02_xfce4-about_return_version.patch:
    patch to print Xfce4 version when passed arg "--xfce-version" as part of
    the about-this-computer spec
  - debian/rules: pass --enable-dbus --with-vendor-info=Ubuntu to ./configure
  - debian/compat: bump to 5.
* debian/control:
  - drop quilt from b-d
  - do not depend on exo-utils (not in the archive yet).
* debian/patches/series: dropped.

Author: Neal Poole
Revision Date: 2011-07-12 21:41:00 UTC

* SECURITY UPDATE:
    - Merge r3528 from upstream repository to mitigate
      potential null byte vulnerability (LP: #803720)

Author: Alan Boudreault
Revision Date: 2011-07-12 01:07:50 UTC

* SECURITY UPDATE: SQL Injection and buffer overflows (LP: #809133)
  - debian/patches/09_wfs_sql_injection.dpatch: Fix possible WFS
    SQL injection and buffer overflows in OGC Filter Encoding
    support. [http://trac.osgeo.org/mapserver/ticket/3874]
    [http://trac.osgeo.org/mapserver/ticket/3903]
  - CVE-2011-2703, CVE-2011-2704

Author: Felix Geyer
Revision Date: 2011-01-20 13:02:50 UTC

* SECURITY UPDATE: /etc/mumble-server.ini is world readable. (LP: #704674)
  - debian/mumble-server.postinst: Set permissions of mumble-server.ini to
    0640 and the owner to root:mumble-server.

Author: Felix Geyer
Revision Date: 2011-01-20 13:02:50 UTC

* SECURITY UPDATE: /etc/mumble-server.ini is world readable. (LP: #704674)
  - debian/mumble-server.postinst: Set permissions of mumble-server.ini to
    0640 and the owner to root:mumble-server.

Author: Marc Deslauriers
Revision Date: 2011-04-20 10:08:22 UTC

* SECURITY UPDATE: arbitrary code execution via long request (LP: #718300)
  - nbd-server.c: fix buffer size checking.
  - https://github.com/yoe/nbd/commit/3ef52043861ab16352d49af89e048ba6339d6df8
  - CVE-2011-0530

Author: Marc Deslauriers
Revision Date: 2011-04-20 10:08:22 UTC

* SECURITY UPDATE: arbitrary code execution via long request (LP: #718300)
  - nbd-server.c: fix buffer size checking.
  - https://github.com/yoe/nbd/commit/3ef52043861ab16352d49af89e048ba6339d6df8
  - CVE-2011-0530

Author: Marc Deslauriers
Revision Date: 2011-06-17 14:25:03 UTC

* SECURITY UPDATE: race condition and symlink attacks
  - debian/patches/CVE-2011-1098-1548.patch: prevent races and symlink
    attacks in logrotate.c.
  - CVE-2011-1098
  - CVE-2011-1548
* SECURITY UPDATE: denial of service via invalid characters in log
  filename
  - debian/patches/CVE-2011-1155.patch: properly escape filenames in
    logrotate.c.
  - CVE-2011-1155

Author: Timo Aaltonen
Revision Date: 2009-01-07 18:49:25 UTC

Remove initscripts/etc/network/if-up.d/mountnfs.orig. (LP: #314772)

Author: Timo Aaltonen
Revision Date: 2009-01-07 18:49:25 UTC

Remove initscripts/etc/network/if-up.d/mountnfs.orig. (LP: #314772)