Preparation of Debian GNU/Linux 4.0r5
=====================================

We are preparing the next revision of the current stable Debian
distribution (etch) and will send reports frequently so that people can
comment on them and intervene whenever this is required.

If you disagree with one bit or another, please reply to this mail and
explain why these things should be handled differently.

An ftpmaster still has to give the final approval for each package
since ftpmasters are responsible for the archive.  However, we are
trying to make their work as easy as possible in the hope of getting the
next revision out properly and without any hassle.

If you would like to get a package updated in the stable release, you
are advised to talk to the stable release managers first (see
<http://www.debian.org/intro/organization>).

Accepted Packages
-----------------

These packages will be installed into the stable Debian distribution
and will be part of the next revision.

Sourceful update of phpmyadmin:
 version in stable:  4:2.9.1.1-7
 version in updates: 4:2.9.1.1-8
 Rationales:
  - 2.9.1.1-8: DSA 1641 phpmyadmin - several vulnerabilities

Sourceful update of wdiff:
 version in stable:  0.5-16
 version in updates: 0.5-16etch1
 Rationales:
  - 0.5-16etch1: wdiff - fix a race condition related to temporary files (#425254)

Sourceful update of dist:
 version in stable:  3.70-31
 version in updates: 3.70-31etch1
 Rationales:
  - 3.70-31etch1: dist - Fix insecure temp file usage

Sourceful update of libxml2:
 version in stable:  2.6.27.dfsg-2
 version in updates: 2.6.27.dfsg-5
 Rationales:
  - 2.6.27.dfsg-3: DSA 1631 libxml2 - denial of service
  - 2.6.27.dfsg-4: DSA 1631 libxml2 - denial of service
  - 2.6.27.dfsg-5: DSA 1654 libxml2 - Fix execution of arbitrary code

Sourceful update of squid:
 version in stable:  2.6.5-6etch1
 version in updates: 2.6.5-6etch4
 Rationales:
  - 2.6.5-6etch2: DSA 1646 squid - Fix array bounds check
  - 2.6.5-6etch4: DSA 1646 squid - Fix array bounds check

Sourceful update of linux-2.6.24:
 version in stable:  2.6.24-6~etchnhalf.4
 version in updates: 2.6.24-6~etchnhalf.6
 Rationales:
  - 2.6.24-6~etchnhalf.5: DSA 1636 linux-2.6.24 - denial of service/information leak
  - 2.6.24-6~etchnhalf.6: DSA 1655 linux-2.6.24 - Fix several vulnerabilities

Sourceful update of icedove:
 version in stable:  1.5.0.13+1.5.0.15b.dfsg1+prepatch080417a-0etch1
 version in updates: 1.5.0.13+1.5.0.15b.dfsg1+prepatch080614d-0etch1
 Rationales:
  - 1.5.0.13+1.5.0.15b.dfsg1+prepatch080614d-0etch1: DSA 1621 icedove - several vulnerabilities

Sourceful update of opensc:
 version in stable:  0.11.1-2
 version in updates: 0.11.1-2etch2
 Rationales:
  - 0.11.1-2etch1: DSA 1627 opensc - smart card vulnerability
  - 0.11.1-2etch2: DSA 1627 opensc - smart card vulnerability

Sourceful update of twiki:
 version in stable:  1:4.0.5-9.1
 version in updates: 1:4.0.5-9.1etch1
 Rationales:
  - 4.0.5-9.1etch1: DSA 1639 twiki - arbitrary code execution

Sourceful update of apache2-mpm-itk:
 version in stable:  2.2.3-01-2
 version in updates: 2.2.3-01-2+etch1
 Rationales:
  - 2.2.3-01-2+etch1: apache2-mpm-itk - rebuild against apache2 2.2.3-4+etch6, fix hanging processes on restart/shutdown

Sourceful update of libxslt:
 version in stable:  1.1.19-2
 version in updates: 1.1.19-3
 Rationales:
  - 1.1.19-3: DSA 1624 libxslt - arbitrary code execution

Sourceful update of mon:
 version in stable:  0.99.2-9
 version in updates: 0.99.2-9+etch2
 Rationales:
  - 0.99.2-9+etch2: DSA 1648 mon - Fix insecure temporary files

Sourceful update of jumpnbump:
 version in stable:  1.50-6
 version in updates: 1.50-6+etch1
 Rationales:
  - 1.50-6+etch1: jumpnbump - Fix insecure handling of /tmp (#500611)

Sourceful update of wordnet:
 version in stable:  1:2.1-4
 version in updates: 1:2.1-4+etch2
 Rationales:
  - 2.1-4+etch1: DSA 1634 wordnet - stack and heap overflows
  - 2.1-4+etch2: DSA 1634 wordnet - arbitrary code execution

Sourceful update of ruby1.8:
 version in stable:  1.8.5-4etch2
 version in updates: 1.8.5-4etch3
 Rationales:
  - 1.8.5-4etch3: DSA 1651 ruby1.8 - several vulnerabilities

Sourceful update of fai-kernels:
 version in stable:  1.17+etch.21
 version in updates: 1.17+etch.23
 Rationales:
  - 1.17+etch.22etch2: DSA 1630 linux-2.6 - several vulnerabilities
  - 1.17+etch.22etch3: DSA 1653 linux-2.6 - several vulnerabilities
  - 1.17+etch.23: linux-2.6 - fix xfs corruption / Xen crash

Sourceful update of ruby1.9:
 version in stable:  1.9.0+20060609-1etch1
 version in updates: 1.9.0+20060609-1etch3
 Rationales:
  - 1.9.0+20060609-1etch2: DSA 1618 ruby1.9 - several vulnerabilities
  - 1.9.0+20060609-1etch3: DSA 1652 ruby1.9 - several vulnerabilities

Sourceful update of yaird:
 version in stable:  0.0.12-18
 version in updates: 0.0.12-18etch1
 Rationales:
  - 0.0.12-18etch1: yaird - backported for etch+0.5 kernel

Sourceful update of newsx:
 version in stable:  1.6-2
 version in updates: 1.6-2etch1
 Rationales:
  - 1.6-2etch1: DSA 1622 newsx - arbitrary code execution

Sourceful update of python-django:
 version in stable:  0.95.1-1etch1
 version in updates: 0.95.1-1etch2
 Rationales:
  - 0.95.1-1etch2: DSA 1640 python-django - several vulnerabilities

Sourceful update of openldap2.3:
 version in stable:  2.3.30-5+etch1
 version in updates: 2.3.30-5+etch2
 Rationales:
  - 2.3.30-5+etch2: DSA 1650 openldap2.3 - Fix denial of service

Sourceful update of apache2:
 version in stable:  2.2.3-4+etch5
 version in updates: 2.2.3-4+etch6
 Rationales:
  - 2.2.3-4+etch6: apache2 - fix various issues (CVE-2007-6388, CVE-2008-2939, CVE-2008-2364, #489899, #470652)

Sourceful update of tzdata:
 version in stable:  2007k-1etch1
 version in updates: 2008e-1etch3
 Rationales:
  - 2008e-1etch1: tzdata - updates to several timezones
  - 2008e-1etch2: tzdata - adjust several timezone and DST settings
  - 2008e-1etch3: tzdata - adjust several timezone and DST settings

Sourceful update of user-mode-linux:
 version in stable:  2.6.18-1um-2etch.21
 version in updates: 2.6.18-1um-2etch.23
 Rationales:
  - 2.6.18-1um-2etch.22etch1: DSA 1630 linux-2.6 - several vulnerabilities
  - 2.6.18-1um-2etch.22etch2: DSA 1630 linux-2.6 - several vulnerabilities
  - 2.6.18-1um-2etch.22etch3: DSA 1653 linux-2.6 - several vulnerabilities
  - 2.6.18-1um-2etch.23: linux-2.6 - fix xfs corruption / Xen crash

Sourceful update of xulrunner:
 version in stable:  1.8.0.15~pre080323b-0etch2
 version in updates: 1.8.0.15~pre080614d-0etch1
 Rationales:
  - 1.8.0.15~pre080614d-0etch1: DSA 1615 xulrunner - several vulnerabilities

Sourceful update of feta:
 version in stable:  1.4.15
 version in updates: 1.4.15+etch1
 Rationales:
  - 1.4.15+etch1: DSA 1643 feta - Fix insecure temp file usage

Sourceful update of tiff:
 version in stable:  3.8.2-7
 version in updates: 3.8.2-7+etch1
 Rationales:
  - 3.8.2-7+etch1: DSA 1632 tiff - arbitrary code execution

Sourceful update of php5:
 version in stable:  5.2.0-8+etch11
 version in updates: 5.2.0-8+etch13
 Rationales:
  - 5.2.0-8+etch13: DSA 1647 php5 - Fix several vulnerabilities

Sourceful update of blosxom:
 version in stable:  2.0-14
 version in updates: 2.0-14+etch1
 Rationales:
  - 2.0-14+etch1: blosxom - Fix XSS (CVE-2008-2236, #500873)

Sourceful update of git-core:
 version in stable:  1:1.4.4.4-2
 version in updates: 1:1.4.4.4-4
 Rationales:
  - 1.4.4.4-3: git-core - support download of packs v2 through dumb transports
  - 1.4.4.4-4: git-core - newer version of git-core would overwrite DSA

Sourceful update of refpolicy:
 version in stable:  0.0.20061018-5
 version in updates: 0.0.20061018-5.1+etch1
 Rationales:
  - 0.0.20061018-5.1+etch1: DSA 1617 refpolicy - incompatible policy

Sourceful update of slash:
 version in stable:  2.2.6-8
 version in updates: 2.2.6-8etch1
 Rationales:
  - 2.2.6-8etch1: DSA 1633 slash - multiple vulnerabilities

Sourceful update of horde3:
 version in stable:  3.1.3-4etch3
 version in updates: 3.1.3-4etch4
 Rationales:
  - 3.1.3-4etch4: DSA 1642 horde3 - cross site scripting

Sourceful update of lighttpd:
 version in stable:  1.4.13-4etch10
 version in updates: 1.4.13-4etch11
 Rationales:
  - 1.4.13-4etch11: DSA 1645 lighttpd - various problems

Sourceful update of clamav:
 version in stable:  0.90.1dfsg-3etch11
 version in updates: 0.90.1dfsg-3.1+etch14
 Rationales:
  - 0.90.1dfsg-3.1+etch14: DSA 1616 clamav - fix denial of service
  - 0.90.1dfsg-3etch13: DSA 1616 clamav - fix denial of service

Sourceful update of python-dns:
 version in stable:  2.3.0-5.1
 version in updates: 2.3.0-5.2+etch2
 Rationales:
  - 2.3.0-5.2+etch1: DSA 1619 python-dns - DNS response spoofing
  - 2.3.0-5.2+etch2: DSA 1619 python-dns - DNS response spoofing

Sourceful update of libpam-pwdfile:
 version in stable:  0.99-3
 version in updates: 0.99-3etch1
 Rationales:
  - 0.99-3etch1: libpam_pwdfile - use gcc instead of ld (#499203)

Sourceful update of python2.5:
 version in stable:  2.5-5
 version in updates: 2.5-5+etch1
 Rationales:
  - 2.5-5+etch1: DSA 1620 python2.5 - several vulnerabilities

Sourceful update of net6:
 version in stable:  1:1.3.1-3
 version in updates: 1:1.3.1-4
 Rationales:
  - 1.3.1-4: net6 - fix object access after deallocation

Sourceful update of pdns:
 version in stable:  2.9.20-8
 version in updates: 2.9.20-8+etch1
 Rationales:
  - 2.9.20-8+etch1: DSA 1628 pdns - DNS response spoofing

Sourceful update of iceweasel:
 version in stable:  2.0.0.15-0etch1
 version in updates: 2.0.0.17-0etch1
 Rationales:
  - 2.0.0.16-0etch1: DSA 1614 iceweasel - several vulnerabilities
  - 2.0.0.17-0etch1: DSA 1649 iceweasel - Fix several vulnerabilities

Sourceful update of postgresql-8.1:
 version in stable:  8.1.11-0etch1
 version in updates: 8.1.13-0etch1
 Rationales:
  - 8.1.13-0etch1: postgresql-8.1 - upstream bugfix release 8.1.13

Sourceful update of trac:
 version in stable:  0.10.3-1etch3
 version in updates: 0.10.3-1etch4
 Rationales:
  - 0.10.3-1etch4: trac - fix multiple vulnerabilities (CVE-2008-3328, CVE-2008-2951)

Sourceful update of postfix:
 version in stable:  2.3.8-2
 version in updates: 2.3.8-2+etch1
 Rationales:
  - 2.3.8-2+etch1: DSA 1629 postfix - programming error
  - 2.3.8-2etch1: DSA 1629 postfix - programming error

Sourceful update of irqbalance:
 version in stable:  0.12-7
 version in updates: 0.12-7etch1
 Rationales:
  - 0.12-7etch1: irqbalance - Fix segfault when /proc/interrupts contains an interrupt with a number of 256 or larger

Sourceful update of linux-2.6:
 version in stable:  2.6.18.dfsg.1-22
 version in updates: 2.6.18.dfsg.1-23
 Rationales:
  - 2.6.18.dfsg.1-22etch1: DSA 1630 linux-2.6 - several vulnerabilities
  - 2.6.18.dfsg.1-22etch2: DSA 1630 linux-2.6 - several vulnerabilities
  - 2.6.18.dfsg.1-22etch3: DSA 1653 linux-2.6 - several vulnerabilities
  - 2.6.18.dfsg.1-23: linux-2.6 - fix xfs corruption / Xen crash

Sourceful update of myspell:
 version in stable:  1:3.0+pre3.1-18
 version in updates: 1:3.0+pre3.1-18etch1
 Rationales:
  - 3.0+pre3.1-18etch1: myspell - fix insecure temp file usage (#496392)

Sourceful update of httrack:
 version in stable:  3.40.4-3.1
 version in updates: 3.40.4-3.1+etch1
 Rationales:
  - 3.40.4-3.1+etch1: DSA 1626 httrack - arbitrary code execution

Sourceful update of dnsmasq:
 version in stable:  2.35-1
 version in updates: 2.35-1+etch4
 Rationales:
  - 2.35-1+etch4: DSA 1623 dnsmasq - cache poisoning

Sourceful update of mt-daapd:
 version in stable:  0.2.4+r1376-1.1+etch1
 version in updates: 0.2.4+r1376-1.1+etch2
 Rationales:
  - 0.2.4+r1376-1.1+etch2: DSA 1597 mt-daapd - fix several vulnerabilities (fixes for regression)

Sourceful update of openssh:
 version in stable:  1:4.3p2-9etch2
 version in updates: 1:4.3p2-9etch3
 Rationales:
  - 4.3p2-9etch3: DSA 1638 openssh - denial of service

Sourceful update of cupsys:
 version in stable:  1.2.7-4etch3
 version in updates: 1.2.7-4etch4
 Rationales:
  - 1.2.7-4etch4: DSA 1625 cupsys - arbitrary code execution

Sourceful update of mplayer:
 version in stable:  1.0~rc1-12etch3
 version in updates: 1.0~rc1-12etch5
 Rationales:
  - 1.0~rc1-12etch5: DSA 1644 mplayer - Fix integer overflows

binNMU for source package obby:
 - libobby-0.4-0 0.4.1-2+b2 i386
 - libobby-0.4-0 0.4.1-2+b1 s390 amd64 sparc powerpc arm mips ia64 alpha mipsel hppa
 - libobby-0.4-dev 0.4.1-2+b2 i386
 - libobby-0.4-dev 0.4.1-2+b1 s390 amd64 sparc powerpc arm mips ia64 alpha mipsel hppa
 - libobby-0.4-0-dbg 0.4.1-2+b2 i386
 - libobby-0.4-0-dbg 0.4.1-2+b1 s390 amd64 sparc powerpc arm mips ia64 alpha mipsel hppa
 Rationale: Rebuild against net6.

binNMU for source package sobby:
 - sobby 0.4.1-1+b2 s390 amd64 sparc powerpc arm i386 mips ia64 alpha mipsel hppa
 Rationale: Rebuild against net6.

binNMU for source package gobby:
 - gobby 0.4.1-2+b1 s390 amd64 sparc powerpc arm i386 mips ia64 alpha mipsel hppa
 Rationale: Rebuild against net6.

Requires further Investigation
------------------------------

These packages need further investigation.  One reason the package is
listed here could be that I'm not yet convinced this package should go
into stable, but don't want to reject it entirely at the moment.

Another reason could be that released and updated architectures are
not yet in sync.

Removed Packages
----------------

These packages will be removed from the stable Debian distribution.
This is normally only a result of license problems, when the license
prohibits their distribution.

Removal of source package f-prot-installer:
Rationale: #495171: f-prot-installer - RoM, RoQA; obsolete
To be removed:
 f-prot-installer |     0.5.22 | stable/contrib | source, i386

debian-installer Decrufting
---------------------------

The following builds of debian-installer should be removed from the
stable tree.  Builds of r0 are normally kept, others might be removed
at point release time.

 - 20070308etch2

Covered DSAs
------------

The following DSAs are incorporated into this point release.

DSA 1597 | mt-daapd | fix several vulnerabilities (fixes for regression)
DSA 1614 | iceweasel | several vulnerabilities
DSA 1615 | xulrunner | several vulnerabilities
DSA 1616 | clamav | fix denial of service
DSA 1617 | refpolicy | incompatible policy
DSA 1618 | ruby1.9 | several vulnerabilities
DSA 1619 | python-dns | DNS response spoofing
DSA 1620 | python2.5 | several vulnerabilities
DSA 1621 | icedove | several vulnerabilities
DSA 1622 | newsx | arbitrary code execution
DSA 1623 | dnsmasq | cache poisoning
DSA 1624 | libxslt | arbitrary code execution
DSA 1625 | cupsys | arbitrary code execution
DSA 1626 | httrack | arbitrary code execution
DSA 1627 | opensc | smart card vulnerability
DSA 1628 | pdns | DNS response spoofing
DSA 1629 | postfix | programming error
DSA 1630 | fai-kernels | several vulnerabilities
DSA 1630 | linux-2.6 | several vulnerabilities
DSA 1630 | user-mode-linux | several vulnerabilities
DSA 1631 | libxml2 | denial of service
DSA 1632 | tiff | arbitrary code execution
DSA 1633 | slash | multiple vulnerabilities
DSA 1634 | wordnet | arbitrary code execution
DSA 1634 | wordnet | stack and heap overflows
DSA 1636 | linux-2.6.24 | denial of service/information leak
DSA 1638 | openssh | denial of service
DSA 1639 | twiki | arbitrary code execution
DSA 1640 | python-django | several vulnerabilities
DSA 1641 | phpmyadmin | several vulnerabilities
DSA 1642 | horde3 | cross site scripting
DSA 1643 | feta | Fix insecure temp file usage
DSA 1644 | mplayer | Fix integer overflows
DSA 1645 | lighttpd | various problems
DSA 1646 | squid | Fix array bounds check
DSA 1647 | php5 | Fix several vulnerabilities
DSA 1648 | mon | Fix insecure temporary files
DSA 1649 | iceweasel | Fix several vulnerabilities
DSA 1650 | openldap2.3 | Fix denial of service
DSA 1651 | ruby1.8 | several vulnerabilities
DSA 1652 | ruby1.9 | several vulnerabilities
DSA 1653 | fai-kernels | several vulnerabilities
DSA 1653 | linux-2.6 | several vulnerabilities
DSA 1653 | user-mode-linux | several vulnerabilities
DSA 1654 | libxml2 | Fix execution of arbitrary code
DSA 1655 | linux-2.6.24 | Fix several vulnerabilities

Disclaimer
----------

This list is intended to help the ftp-masters release 4.0r5.  They have the
final power to accept a package or not.  If you want to comment on
this list, please send a mail to the debian release mailing list
<debian-release@lists.debian.org>.

Last updated 2008/10/22 09:50 UTC