Preparation of Debian GNU/Linux 4.0r6
=====================================

We are preparing the next revision of the current stable Debian
distribution (etch) and will send reports so people can actually
comment on it and intervene whenever this is required.

If you disagree with one bit or another, please reply to this mail and
explain why these things should be handled differently.

An ftpmaster still has to give the final approval for each package
since ftpmasters are responsible for the archive.  However, we are
trying to make their work as easy as possible in the hope of getting
the next revision out properly and without any hassle.

If you would like to get a package updated in the stable release, you
are advised to talk to the stable release managers first (see
<http://www.debian.org/intro/organization>).

Accepted Packages
-----------------

These packages will be installed into the stable Debian distribution
and will be part of the next revision.

Sourceful update of postgresql-7.4:
 version in stable:  1:7.4.19-0etch1
 version in updates: 1:7.4.23-0etch1
 Rationales:
  - 7.4.23-0etch1: postgresql-7.4 - incorporate bug fix releases 7.4.20, 7.4.21, 7.4.22 and 7.4.23

Sourceful update of tdiary:
 version in stable:  2.0.2+20060303-5
 version in updates: 2.0.2+20060303-6
 Rationales:
  - 2.0.2+20060303-6: tdiary - Fix a Cross Site Scripting vulnerability (#464778)

Sourceful update of openoffice.org:
 version in stable:  2.0.4.dfsg.2-7etch5
 version in updates: 2.0.4.dfsg.2-7etch6
 Rationales:
  - 2.0.4.dfsg.2-7etch6: DSA 1661 openoffice.org - several vulnerabilities

Sourceful update of libxml2:
 version in stable:  2.6.27.dfsg-5
 version in updates: 2.6.27.dfsg-6
 Rationales:
  - 2.6.27.dfsg-6: DSA 1666 libxml2 - several vulnerabilities

Sourceful update of libhdate:
 version in stable:  1.4.8-1
 version in updates: 1.4.8-2
 Rationales:
  - 1.4.8-2: libhdate - drop binary package libhdate-pascal using fp-compiler (#506977)

Sourceful update of spamassassin:
 version in stable:  3.1.7-2
 version in updates: 3.1.7-2etch1
 Rationales:
  - 3.1.7-2etch1: spamassassin - fix for CVE-2007-2873, remove DSBL and SECURITYSAGE blacklists (#505162)

Sourceful update of linux-2.6.24:
 version in stable:  2.6.24-6~etchnhalf.6
 version in updates: 2.6.24-6~etchnhalf.7
 Rationales:
  - 2.6.24-6~etchnhalf.7: DSA 1681 linux-2.6.24 - several vulnerabilities

Sourceful update of qemu:
 version in stable:  0.8.2-4etch1
 version in updates: 0.8.2-4etch2
 Rationales:
  - 0.8.2-4etch2: DSA 1657 qemu - denial of service

Sourceful update of blender:
 version in stable:  2.42a-7.1+etch1
 version in updates: 2.42a-8
 Rationales:
  - 2.42a-8: blender - sanitize Python's default import path (#503632)

Sourceful update of enscript:
 version in stable:  1.6.4-11
 version in updates: 1.6.4-11.1
 Rationales:
  - 1.6.4-11.1: DSA 1670 enscript - arbitrary code execution

Sourceful update of net-snmp:
 version in stable:  5.2.3-7etch2
 version in updates: 5.2.3-7etch4
 Rationales:
  - 5.2.3-7etch3: DSA 1663 net-snmp - several vulnerabilities (CVE-2008-2292, CVE-2008-0960)
  - 5.2.3-7etch4: DSA 1663 net-snmp - several vulnerabilities (CVE-2008-4309)

Sourceful update of glibc:
 version in stable:  2.3.6.ds1-13etch7
 version in updates: 2.3.6.ds1-13etch8
 Rationales:
  - 2.3.6.ds1-13etch8: glibc - Keep ld.so in optimized libraries (#501433)

Sourceful update of jailer:
 version in stable:  0.4-9
 version in updates: 0.4-9+etch1
 Rationales:
  - 0.4-9+etch1: DSA 1674 jailer - denial of service

Sourceful update of perl:
 version in stable:  5.8.8-7etch3
 version in updates: 5.8.8-7etch4
 Rationales:
  - 5.8.8-7etch4: perl - Fix Time::HiRes with kernels >= 2.6.22 (including etch-n-half) (#502435)

Sourceful update of websvn:
 version in stable:  1.61-20
 version in updates: 1.61-21
 Rationales:
  - 1.61-21: websvn - fix potential PHP code execution (#503330)

Sourceful update of xulrunner:
 version in stable:  1.8.0.15~pre080614d-0etch1
 version in updates: 1.8.0.15~pre080614h-0etch1
 Rationales:
  - 1.8.0.15~pre080614h-0etch1: DSA 1669 xulrunner - several vulnerabilities

Sourceful update of streamripper:
 version in stable:  1.61.27-1
 version in updates: 1.61.27-1+etch1
 Rationales:
  - 1.61.27-1+etch1: DSA 1683 streamripper - potential code execution

Sourceful update of flamethrower:
 version in stable:  0.1.8-1
 version in updates: 0.1.8-1+etch1
 Rationales:
  - 0.1.8-1+etch1: DSA 1676 flamethrower - denial of service

Sourceful update of wireshark:
 version in stable:  0.99.4-5.etch.2
 version in updates: 0.99.4-5.etch.3
 Rationales:
  - 0.99.4-5.etch.3: DSA 1673 wireshark - several vulnerabilities

Sourceful update of freetype:
 version in stable:  2.2.1-5+etch2
 version in updates: 2.2.1-5+etch3
 Rationales:
  - 2.2.1-5+etch3: DSA 1635 freetype - multiple vulnerabilities

Sourceful update of refpolicy:
 version in stable:  0.0.20061018-5
 version in updates: 0.0.20061018-5.1+etch1
 Rationales:
  - 0.0.20061018-5.1+etch1: DSA 1617 refpolicy - incompatible policy

Sourceful update of dbus:
 version in stable:  1.0.2-1+etch1
 version in updates: 1.0.2-1+etch2
 Rationales:
  - 1.0.2-1+etch2: DSA 1658 dbus - denial of service

Sourceful update of clamav:
 version in stable:  0.90.1dfsg-3.1+etch14
 version in updates: 0.90.1dfsg-4etch16
 Rationales:
  - 0.90.1dfsg-4etch15: DSA 1660 clamav - denial of service
  - 0.90.1dfsg-4etch16: DSA 1680 clamav - potential code execution

Sourceful update of mysql-dfsg-5.0:
 version in stable:  5.0.32-7etch6
 version in updates: 5.0.32-7etch8
 Rationales:
  - 5.0.32-7etch8: DSA 1662 mysql-dfsg-5.0 - authorization bypass

Sourceful update of python2.4:
 version in stable:  2.4.4-3+etch1
 version in updates: 2.4.4-3+etch2
 Rationales:
  - 2.4.4-3+etch2: DSA 1667 python2.4 - several vulnerabilities

Sourceful update of imlib2:
 version in stable:  1.3.0.0debian1-4+etch1
 version in updates: 1.3.0.0debian1-4+etch2
 Rationales:
  - 1.3.0.0debian1-4+etch2: DSA 1672 imlib2 - arbitrary code execution

Sourceful update of cupsys:
 version in stable:  1.2.7-4etch4
 version in updates: 1.2.7-4etch6
 Rationales:
  - 1.2.7-4etch5: DSA 1656 cupsys - several vulnerabilities
  - 1.2.7-4etch6: DSA 1677 cupsys - arbitrary code execution

Sourceful update of hf:
 version in stable:  0.7.3-4
 version in updates: 0.7.3-4etch1
 Rationales:
  - 0.7.3-4etch1: DSA 1668 hf - execution of arbitrary code

Sourceful update of dpkg:
 version in stable:  1.13.25
 version in updates: 1.13.26
 Rationales:
  - 1.13.26: dpkg - do not treat two symlinks to the same directory as a conflict (#377682), reenable no-debsig (#311843)

Sourceful update of iceweasel:
 version in stable:  2.0.0.17-0etch1
 version in updates: 2.0.0.18-0etch1
 Rationales:
  - 2.0.0.18-0etch1: DSA 1671 iceweasel - several vulnerabilities

Sourceful update of epiphany-browser:
 version in stable:  2.14.3-7
 version in updates: 2.14.3-8
 Rationales:
  - 2.14.3-8: epiphany-browser - Allow the deletion of certificates (#393837)

Sourceful update of postgresql-8.1:
 version in stable:  8.1.13-0etch1
 version in updates: 8.1.15-0etch1
 Rationales:
  - 8.1.15-0etch1: postgresql-8.1 - incorporate bug fix releases 8.1.14 and 8.1.15

Sourceful update of ekg:
 version in stable:  1:1.7~rc2-1etch1
 version in updates: 1:1.7~rc2-1etch2
 Rationales:
  - 1.7~rc2-1etch2: DSA 1664 ekg - fix denial of service

Sourceful update of awstats:
 version in stable:  6.5+dfsg-1
 version in updates: 6.5+dfsg-1+etch1
 Rationales:
  - 6.5+dfsg-1+etch1: DSA 1679 awstats - cross-site scripting

Sourceful update of libspf2:
 version in stable:  1.2.5-4
 version in updates: 1.2.5-4+etch1
 Rationales:
  - 1.2.5-4+etch1: DSA 1659 libspf2 - potential remote code execution

Sourceful update of libcdaudio:
 version in stable:  0.99.12p2-2
 version in updates: 0.99.12p2-2+etch1
 Rationales:
  - 0.99.12p2-2+etch1: DSA 1665 libcdaudio - heap overflow

Sourceful update of newsx:
 version in stable:  1.6-2
 version in updates: 1.6-2etch1
 Rationales:
  - 1.6-2etch1: DSA 1622 newsx - arbitrary code execution

Sourceful update of reportbug:
 version in stable:  3.31
 version in updates: 3.31+etch1
 Rationales:
  - 3.31+etch1: reportbug - bugs.d.o is now served by round-robin DNS; SMTP is only running on one of the hosts.

Sourceful update of phpmyadmin:
 version in stable:  4:2.9.1.1-8
 version in updates: 4:2.9.1.1-9
 Rationales:
  - 2.9.1.1-9: DSA 1675 phpmyadmin - fix cross site scripting, fix regression introduced in DSA 1641

Sourceful update of fai-kernels:
 version in stable:  1.17+etch.23
 version in updates: 1.17+etch.23etch1
 Rationales:
  - 1.17+etch.23etch1: DSA 1687 fai-kernels - several vulnerabilities

Sourceful update of squirrelmail:
 version in stable:  2:1.4.9a-2
 version in updates: 2:1.4.9a-3
 Rationales:
  - 1.4.9a-3: DSA 1682 squirrelmail - fix cross site scripting

Sourceful update of user-mode-linux:
 version in stable:  2.6.18-1um-2etch.23
 version in updates: 2.6.18-1um-2etch.23etch1
 Rationales:
  - 2.6.18-1um-2etch.23etch1: DSA 1687 user-mode-linux - several vulnerabilities

Sourceful update of linux-2.6:
 version in stable:  2.6.18.dfsg.1-23
 version in updates: 2.6.18.dfsg.1-23etch1
 Rationales:
  - 2.6.18.dfsg.1-23etch1: DSA 1687 linux-2.6 - several vulnerabilities

Sourceful update of graphviz:
 version in stable:  2.8-2.4
 version in updates: 2.8-3+etch1
 Rationales:
  - 2.8-3+etch1: graphviz - fix stack overflow (CVE-2008-4555)

Sourceful update of devscripts:
 version in stable:  2.9.26
 version in updates: 2.9.26etch1
 Rationales:
  - 2.9.26etch1: devscripts - Allow signing of changes files produced by dpkg versions >= 1.14.17 (#474949)

Requires Further Investigation
------------------------------

These packages need further investigation.  One reason the package is
listed here could be that I'm not yet convinced this package should go
into stable, but don't want to reject it entirely at the moment.

Another reason could be that released and updated architectures are
not yet in sync.

Sourceful update of perl:
 version in updates:     5.8.8-7etch4
 version in updates-NEW: 5.8.8-7etch5
 Rationales:
  - 5.8.8-7etch5: DSA 1678 perl - fix privilege escalation
 Problems: FTBFS on hppa
 Conclusion: postponed to next point release

Removed Packages
----------------

These packages will be removed from the stable Debian distribution.
This is normally only a result of license problems, where the license
prohibits their distribution.

Removal of source packages fpc, gearhead, imapcopy:
Rationale: #506977: Copyright infringement in fp-compiler;
  needs to be removed with rdepends and build-rdeps
To be removed:
 fp-compiler     |    2.0.0-4 | amd64, i386, powerpc, sparc
 fp-docs         |    2.0.0-4 | all
 fp-ide          |    2.0.0-4 | amd64, i386, powerpc, sparc
 fp-units-base   |    2.0.0-4 | amd64, i386, powerpc, sparc
 fp-units-db     |    2.0.0-4 | amd64, i386, powerpc, sparc
 fp-units-fcl    |    2.0.0-4 | amd64, i386, powerpc, sparc
 fp-units-fv     |    2.0.0-4 | amd64, i386, powerpc, sparc
 fp-units-gfx    |    2.0.0-4 | amd64, i386, powerpc, sparc
 fp-units-gnome1 |    2.0.0-4 | amd64, i386, powerpc, sparc
 fp-units-gtk    |    2.0.0-4 | amd64, i386, powerpc, sparc
 fp-units-gtk2   |    2.0.0-4 | amd64, i386, powerpc, sparc
 fp-units-misc   |    2.0.0-4 | amd64, i386, powerpc, sparc
 fp-units-net    |    2.0.0-4 | amd64, i386, powerpc, sparc
 fp-units-rtl    |    2.0.0-4 | amd64, i386, powerpc, sparc
 fp-utils        |    2.0.0-4 | amd64, i386, powerpc, sparc
 fpc             |    2.0.0-4 | source
 gearhead        |    1.010-1 | source, amd64, i386, powerpc, sparc
 gearhead-data   |    1.010-1 | all
 imapcopy   | 1.01+20060420-1 | source, amd64, i386, powerpc, sparc

Removal of source package astrolog:
Rationale: #507239: astrolog - RoQA; orphaned for a long time, non-free, contains
  potentially undistributable code
To be removed:
 astrolog |     5.40-3 | source, alpha, i386

Removal of source package youtube-dl:
Rationale: #439363: youtube-dl - RoQA; broken
To be removed:
 youtube-dl | 2006.11.12-1 | source, all

Covered DSAs
------------

The following DSAs are incorporated into this point release.

DSA 1617 | refpolicy | incompatible policy
DSA 1622 | newsx | arbitrary code execution
DSA 1635 | freetype | multiple vulnerabilities
DSA 1656 | cupsys | several vulnerabilities
DSA 1657 | qemu | denial of service
DSA 1658 | dbus | denial of service
DSA 1659 | libspf2 | potential remote code execution
DSA 1660 | clamav | denial of service
DSA 1661 | openoffice.org | several vulnerabilities
DSA 1662 | mysql-dfsg-5.0 | authorization bypass
DSA 1663 | net-snmp | several vulnerabilities (CVE-2008-2292, CVE-2008-0960)
DSA 1663 | net-snmp | several vulnerabilities (CVE-2008-4309)
DSA 1664 | ekg | fix denial of service
DSA 1665 | libcdaudio | heap overflow
DSA 1666 | libxml2 | several vulnerabilities
DSA 1667 | python2.4 | several vulnerabilities
DSA 1668 | hf | execution of arbitrary code
DSA 1669 | xulrunner | several vulnerabilities
DSA 1670 | enscript | arbitrary code execution
DSA 1671 | iceweasel | several vulnerabilities
DSA 1672 | imlib2 | arbitrary code execution
DSA 1673 | wireshark | several vulnerabilities
DSA 1674 | jailer | denial of service
DSA 1675 | phpmyadmin | fix cross site scripting, fix regression introduced in DSA 1641
DSA 1676 | flamethrower | denial of service
DSA 1677 | cupsys | arbitrary code execution
DSA 1679 | awstats | cross-site scripting
DSA 1680 | clamav | potential code execution
DSA 1681 | linux-2.6.24 | several vulnerabilities
DSA 1682 | squirrelmail | fix cross site scripting
DSA 1683 | streamripper | potential code execution
DSA 1687 | fai-kernels | several vulnerabilities
DSA 1687 | linux-2.6 | several vulnerabilities
DSA 1687 | user-mode-linux | several vulnerabilities

Disclaimer
----------

This list is intended to help the ftp-masters release 4.0r6.  They have the
final power to accept a package or not.  If you want to comment on
this list, please send a mail to the debian release mailing list
<debian-release@lists.debian.org>.

Final version.