====================================== Sat, 27 Apr 2019 - Debian 9.9 released ====================================== ========================================================================= ========================================================================= [Date: Sat, 27 Apr 2019 08:24:04 +0000] [ftpmaster: Archive Administrator] Removed the following packages from stable: mozilla-gnome-keyring | 0.12-1 | source xul-ext-gnome-keyring | 0.12-1 | all Closed bugs: 922791 ------------------- Reason ------------------- RoQA; incompatible with newer firefox-esr versions ---------------------------------------------- ========================================================================= ========================================================================= [Date: Sat, 27 Apr 2019 08:24:24 +0000] [ftpmaster: Archive Administrator] Removed the following packages from stable: gcontactsync | 2.0.5-1 | source xul-ext-gcontactsync | 2.0.5-1 | all Closed bugs: 922792 ------------------- Reason ------------------- RoQA; incompatible with newer firefox-esr versions ---------------------------------------------- ========================================================================= ========================================================================= [Date: Sat, 27 Apr 2019 08:24:44 +0000] [ftpmaster: Archive Administrator] Removed the following packages from stable: google-tasks-sync | 0.5.3-1 | source xul-ext-google-tasks-sync | 0.5.3-1 | all Closed bugs: 922793 ------------------- Reason ------------------- RoQA; incompatible with newer firefox-esr versions ---------------------------------------------- ========================================================================= ========================================================================= [Date: Sat, 27 Apr 2019 08:25:23 +0000] [ftpmaster: Archive Administrator] Removed the following packages from stable: timeline | 0.5-4 | source xul-ext-timeline | 0.5-4 | all Closed bugs: 925504 ------------------- Reason ------------------- RoQA; incompatible with newer thunderbird versions ---------------------------------------------- ========================================================================= ========================================================================= [Date: Sat, 27 Apr 2019 08:25:43 +0000] [ftpmaster: Archive Administrator] Removed the following packages from stable: tbdialout | 1.7.2-1+deb9u1 | source xul-ext-tbdialout | 1.7.2-1+deb9u1 | all Closed bugs: 926048 ------------------- Reason ------------------- RoQA; incompatible with newer thunderbird versions ---------------------------------------------- ========================================================================= ========================================================================= ========================================================================= [Date: Sat, 27 Apr 2019 08:32:58 +0000] [ftpmaster: Archive Administrator] Removed the following packages from stable: gcu-plugin | 0.14.15-1 | amd64, arm64, armel, armhf, i386, mips, mips64el, mipsel, ppc64el, s390x ------------------- Reason ------------------- [auto-cruft] NBS (no longer built by gnome-chemistry-utils) ---------------------------------------------- ========================================================================= ========================================================================= [Date: Sat, 27 Apr 2019 08:33:24 +0000] [ftpmaster: Archive Administrator] Removed the following packages from stable: icedtea-8-plugin | 1.6.2-3.1 | amd64, arm64, armel, armhf, i386, ppc64el, s390x ------------------- Reason ------------------- [auto-cruft] NBS (no longer built by icedtea-web) ---------------------------------------------- ========================================================================= ========================================================================= [Date: Sat, 27 Apr 2019 08:33:48 +0000] [ftpmaster: Archive Administrator] Removed the following packages from stable: default-java-plugin | 2:1.8-58 | amd64, arm64, armel, armhf, i386, ppc64el, s390x ------------------- Reason ------------------- [auto-cruft] NBS (no longer built by java-common) ---------------------------------------------- ========================================================================= ========================================================================= [Date: Sat, 27 Apr 2019 08:35:29 +0000] [ftpmaster: Archive Administrator] Removed the following packages from stable: btrfs-modules-4.9.0-8-marvell-di | 4.9.144-3.1 | armel cdrom-core-modules-4.9.0-8-marvell-di | 4.9.144-3.1 | armel crypto-modules-4.9.0-8-marvell-di | 4.9.144-3.1 | armel event-modules-4.9.0-8-marvell-di | 4.9.144-3.1 | armel ext4-modules-4.9.0-8-marvell-di | 4.9.144-3.1 | armel fat-modules-4.9.0-8-marvell-di | 4.9.144-3.1 | armel fb-modules-4.9.0-8-marvell-di | 4.9.144-3.1 | armel fuse-modules-4.9.0-8-marvell-di | 4.9.144-3.1 | armel input-modules-4.9.0-8-marvell-di | 4.9.144-3.1 | armel ipv6-modules-4.9.0-8-marvell-di | 4.9.144-3.1 | armel isofs-modules-4.9.0-8-marvell-di | 4.9.144-3.1 | armel jffs2-modules-4.9.0-8-marvell-di | 4.9.144-3.1 | armel jfs-modules-4.9.0-8-marvell-di | 4.9.144-3.1 | armel kernel-image-4.9.0-8-marvell-di | 4.9.144-3.1 | armel leds-modules-4.9.0-8-marvell-di | 4.9.144-3.1 | armel linux-headers-4.9.0-8-all-armel | 4.9.144-3.1 | armel linux-headers-4.9.0-8-marvell | 4.9.144-3.1 | armel linux-image-4.9.0-8-marvell | 4.9.144-3.1 | armel linux-image-4.9.0-8-marvell-dbg | 4.9.144-3.1 | armel loop-modules-4.9.0-8-marvell-di | 4.9.144-3.1 | armel md-modules-4.9.0-8-marvell-di | 4.9.144-3.1 | armel minix-modules-4.9.0-8-marvell-di | 4.9.144-3.1 | armel mmc-modules-4.9.0-8-marvell-di | 4.9.144-3.1 | armel mouse-modules-4.9.0-8-marvell-di | 4.9.144-3.1 | armel mtd-modules-4.9.0-8-marvell-di | 4.9.144-3.1 | armel multipath-modules-4.9.0-8-marvell-di | 4.9.144-3.1 | armel nbd-modules-4.9.0-8-marvell-di | 4.9.144-3.1 | armel nic-modules-4.9.0-8-marvell-di | 4.9.144-3.1 | armel nic-shared-modules-4.9.0-8-marvell-di | 4.9.144-3.1 | armel nic-usb-modules-4.9.0-8-marvell-di | 4.9.144-3.1 | armel ppp-modules-4.9.0-8-marvell-di | 4.9.144-3.1 | armel sata-modules-4.9.0-8-marvell-di | 4.9.144-3.1 | armel scsi-core-modules-4.9.0-8-marvell-di | 4.9.144-3.1 | armel squashfs-modules-4.9.0-8-marvell-di | 4.9.144-3.1 | armel udf-modules-4.9.0-8-marvell-di | 4.9.144-3.1 | armel usb-serial-modules-4.9.0-8-marvell-di | 4.9.144-3.1 | armel usb-storage-modules-4.9.0-8-marvell-di | 4.9.144-3.1 | armel zlib-modules-4.9.0-8-marvell-di | 4.9.144-3.1 | armel ------------------- Reason ------------------- [auto-cruft] NBS (no longer built by linux) ---------------------------------------------- ========================================================================= ========================================================================= [Date: Sat, 27 Apr 2019 08:36:49 +0000] [ftpmaster: Archive Administrator] Removed the following packages from stable: ata-modules-4.9.0-8-armmp-di | 4.9.144-3.1 | armhf btrfs-modules-4.9.0-8-armmp-di | 4.9.144-3.1 | armhf crc-modules-4.9.0-8-armmp-di | 4.9.144-3.1 | armhf crypto-dm-modules-4.9.0-8-armmp-di | 4.9.144-3.1 | armhf crypto-modules-4.9.0-8-armmp-di | 4.9.144-3.1 | armhf efi-modules-4.9.0-8-armmp-di | 4.9.144-3.1 | armhf event-modules-4.9.0-8-armmp-di | 4.9.144-3.1 | armhf ext4-modules-4.9.0-8-armmp-di | 4.9.144-3.1 | armhf fat-modules-4.9.0-8-armmp-di | 4.9.144-3.1 | armhf fb-modules-4.9.0-8-armmp-di | 4.9.144-3.1 | armhf fuse-modules-4.9.0-8-armmp-di | 4.9.144-3.1 | armhf i2c-modules-4.9.0-8-armmp-di | 4.9.144-3.1 | armhf input-modules-4.9.0-8-armmp-di | 4.9.144-3.1 | armhf isofs-modules-4.9.0-8-armmp-di | 4.9.144-3.1 | armhf jfs-modules-4.9.0-8-armmp-di | 4.9.144-3.1 | armhf kernel-image-4.9.0-8-armmp-di | 4.9.144-3.1 | armhf leds-modules-4.9.0-8-armmp-di | 4.9.144-3.1 | armhf linux-headers-4.9.0-8-all-armhf | 4.9.144-3.1 | armhf linux-headers-4.9.0-8-armmp | 4.9.144-3.1 | armhf linux-headers-4.9.0-8-armmp-lpae | 4.9.144-3.1 | armhf linux-image-4.9.0-8-armmp | 4.9.144-3.1 | armhf linux-image-4.9.0-8-armmp-dbg | 4.9.144-3.1 | armhf linux-image-4.9.0-8-armmp-lpae | 4.9.144-3.1 | armhf linux-image-4.9.0-8-armmp-lpae-dbg | 4.9.144-3.1 | armhf loop-modules-4.9.0-8-armmp-di | 4.9.144-3.1 | armhf md-modules-4.9.0-8-armmp-di | 4.9.144-3.1 | armhf mmc-modules-4.9.0-8-armmp-di | 4.9.144-3.1 | armhf mtd-modules-4.9.0-8-armmp-di | 4.9.144-3.1 | armhf multipath-modules-4.9.0-8-armmp-di | 4.9.144-3.1 | armhf nbd-modules-4.9.0-8-armmp-di | 4.9.144-3.1 | armhf nic-modules-4.9.0-8-armmp-di | 4.9.144-3.1 | armhf nic-shared-modules-4.9.0-8-armmp-di | 4.9.144-3.1 | armhf nic-usb-modules-4.9.0-8-armmp-di | 4.9.144-3.1 | armhf nic-wireless-modules-4.9.0-8-armmp-di | 4.9.144-3.1 | armhf pata-modules-4.9.0-8-armmp-di | 4.9.144-3.1 | armhf ppp-modules-4.9.0-8-armmp-di | 4.9.144-3.1 | armhf sata-modules-4.9.0-8-armmp-di | 4.9.144-3.1 | armhf scsi-core-modules-4.9.0-8-armmp-di | 4.9.144-3.1 | armhf scsi-modules-4.9.0-8-armmp-di | 4.9.144-3.1 | armhf squashfs-modules-4.9.0-8-armmp-di | 4.9.144-3.1 | armhf udf-modules-4.9.0-8-armmp-di | 4.9.144-3.1 | armhf uinput-modules-4.9.0-8-armmp-di | 4.9.144-3.1 | armhf usb-modules-4.9.0-8-armmp-di | 4.9.144-3.1 | armhf usb-storage-modules-4.9.0-8-armmp-di | 4.9.144-3.1 | armhf virtio-modules-4.9.0-8-armmp-di | 4.9.144-3.1 | armhf zlib-modules-4.9.0-8-armmp-di | 4.9.144-3.1 | armhf ------------------- Reason ------------------- [auto-cruft] NBS (no longer built by linux) ---------------------------------------------- ========================================================================= ========================================================================= [Date: Sat, 27 Apr 2019 08:37:31 +0000] [ftpmaster: Archive Administrator] Removed the following packages from stable: acpi-modules-4.9.0-8-686-di | 4.9.144-3.1 | i386 acpi-modules-4.9.0-8-686-pae-di | 4.9.144-3.1 | i386 ata-modules-4.9.0-8-686-di | 4.9.144-3.1 | i386 ata-modules-4.9.0-8-686-pae-di | 4.9.144-3.1 | i386 btrfs-modules-4.9.0-8-686-di | 4.9.144-3.1 | i386 btrfs-modules-4.9.0-8-686-pae-di | 4.9.144-3.1 | i386 cdrom-core-modules-4.9.0-8-686-di | 4.9.144-3.1 | i386 cdrom-core-modules-4.9.0-8-686-pae-di | 4.9.144-3.1 | i386 crc-modules-4.9.0-8-686-di | 4.9.144-3.1 | i386 crc-modules-4.9.0-8-686-pae-di | 4.9.144-3.1 | i386 crypto-dm-modules-4.9.0-8-686-di | 4.9.144-3.1 | i386 crypto-dm-modules-4.9.0-8-686-pae-di | 4.9.144-3.1 | i386 crypto-modules-4.9.0-8-686-di | 4.9.144-3.1 | i386 crypto-modules-4.9.0-8-686-pae-di | 4.9.144-3.1 | i386 efi-modules-4.9.0-8-686-di | 4.9.144-3.1 | i386 efi-modules-4.9.0-8-686-pae-di | 4.9.144-3.1 | i386 event-modules-4.9.0-8-686-di | 4.9.144-3.1 | i386 event-modules-4.9.0-8-686-pae-di | 4.9.144-3.1 | i386 ext4-modules-4.9.0-8-686-di | 4.9.144-3.1 | i386 ext4-modules-4.9.0-8-686-pae-di | 4.9.144-3.1 | i386 fat-modules-4.9.0-8-686-di | 4.9.144-3.1 | i386 fat-modules-4.9.0-8-686-pae-di | 4.9.144-3.1 | i386 fb-modules-4.9.0-8-686-di | 4.9.144-3.1 | i386 fb-modules-4.9.0-8-686-pae-di | 4.9.144-3.1 | i386 firewire-core-modules-4.9.0-8-686-di | 4.9.144-3.1 | i386 firewire-core-modules-4.9.0-8-686-pae-di | 4.9.144-3.1 | i386 fuse-modules-4.9.0-8-686-di | 4.9.144-3.1 | i386 fuse-modules-4.9.0-8-686-pae-di | 4.9.144-3.1 | i386 hyperv-modules-4.9.0-8-686-di | 4.9.144-3.1 | i386 hyperv-modules-4.9.0-8-686-pae-di | 4.9.144-3.1 | i386 i2c-modules-4.9.0-8-686-di | 4.9.144-3.1 | i386 i2c-modules-4.9.0-8-686-pae-di | 4.9.144-3.1 | i386 input-modules-4.9.0-8-686-di | 4.9.144-3.1 | i386 input-modules-4.9.0-8-686-pae-di | 4.9.144-3.1 | i386 isofs-modules-4.9.0-8-686-di | 4.9.144-3.1 | i386 isofs-modules-4.9.0-8-686-pae-di | 4.9.144-3.1 | i386 jfs-modules-4.9.0-8-686-di | 4.9.144-3.1 | i386 jfs-modules-4.9.0-8-686-pae-di | 4.9.144-3.1 | i386 kernel-image-4.9.0-8-686-di | 4.9.144-3.1 | i386 kernel-image-4.9.0-8-686-pae-di | 4.9.144-3.1 | i386 linux-headers-4.9.0-8-686 | 4.9.144-3.1 | i386 linux-headers-4.9.0-8-686-pae | 4.9.144-3.1 | i386 linux-headers-4.9.0-8-all-i386 | 4.9.144-3.1 | i386 linux-headers-4.9.0-8-rt-686-pae | 4.9.144-3.1 | i386 linux-image-4.9.0-8-686 | 4.9.144-3.1 | i386 linux-image-4.9.0-8-686-dbg | 4.9.144-3.1 | i386 linux-image-4.9.0-8-686-pae | 4.9.144-3.1 | i386 linux-image-4.9.0-8-686-pae-dbg | 4.9.144-3.1 | i386 linux-image-4.9.0-8-rt-686-pae | 4.9.144-3.1 | i386 linux-image-4.9.0-8-rt-686-pae-dbg | 4.9.144-3.1 | i386 loop-modules-4.9.0-8-686-di | 4.9.144-3.1 | i386 loop-modules-4.9.0-8-686-pae-di | 4.9.144-3.1 | i386 md-modules-4.9.0-8-686-di | 4.9.144-3.1 | i386 md-modules-4.9.0-8-686-pae-di | 4.9.144-3.1 | i386 mmc-core-modules-4.9.0-8-686-di | 4.9.144-3.1 | i386 mmc-core-modules-4.9.0-8-686-pae-di | 4.9.144-3.1 | i386 mmc-modules-4.9.0-8-686-di | 4.9.144-3.1 | i386 mmc-modules-4.9.0-8-686-pae-di | 4.9.144-3.1 | i386 mouse-modules-4.9.0-8-686-di | 4.9.144-3.1 | i386 mouse-modules-4.9.0-8-686-pae-di | 4.9.144-3.1 | i386 multipath-modules-4.9.0-8-686-di | 4.9.144-3.1 | i386 multipath-modules-4.9.0-8-686-pae-di | 4.9.144-3.1 | i386 nbd-modules-4.9.0-8-686-di | 4.9.144-3.1 | i386 nbd-modules-4.9.0-8-686-pae-di | 4.9.144-3.1 | i386 nic-modules-4.9.0-8-686-di | 4.9.144-3.1 | i386 nic-modules-4.9.0-8-686-pae-di | 4.9.144-3.1 | i386 nic-pcmcia-modules-4.9.0-8-686-di | 4.9.144-3.1 | i386 nic-pcmcia-modules-4.9.0-8-686-pae-di | 4.9.144-3.1 | i386 nic-shared-modules-4.9.0-8-686-di | 4.9.144-3.1 | i386 nic-shared-modules-4.9.0-8-686-pae-di | 4.9.144-3.1 | i386 nic-usb-modules-4.9.0-8-686-di | 4.9.144-3.1 | i386 nic-usb-modules-4.9.0-8-686-pae-di | 4.9.144-3.1 | i386 nic-wireless-modules-4.9.0-8-686-di | 4.9.144-3.1 | i386 nic-wireless-modules-4.9.0-8-686-pae-di | 4.9.144-3.1 | i386 ntfs-modules-4.9.0-8-686-di | 4.9.144-3.1 | i386 ntfs-modules-4.9.0-8-686-pae-di | 4.9.144-3.1 | i386 pata-modules-4.9.0-8-686-di | 4.9.144-3.1 | i386 pata-modules-4.9.0-8-686-pae-di | 4.9.144-3.1 | i386 pcmcia-modules-4.9.0-8-686-di | 4.9.144-3.1 | i386 pcmcia-modules-4.9.0-8-686-pae-di | 4.9.144-3.1 | i386 pcmcia-storage-modules-4.9.0-8-686-di | 4.9.144-3.1 | i386 pcmcia-storage-modules-4.9.0-8-686-pae-di | 4.9.144-3.1 | i386 ppp-modules-4.9.0-8-686-di | 4.9.144-3.1 | i386 ppp-modules-4.9.0-8-686-pae-di | 4.9.144-3.1 | i386 sata-modules-4.9.0-8-686-di | 4.9.144-3.1 | i386 sata-modules-4.9.0-8-686-pae-di | 4.9.144-3.1 | i386 scsi-core-modules-4.9.0-8-686-di | 4.9.144-3.1 | i386 scsi-core-modules-4.9.0-8-686-pae-di | 4.9.144-3.1 | i386 scsi-modules-4.9.0-8-686-di | 4.9.144-3.1 | i386 scsi-modules-4.9.0-8-686-pae-di | 4.9.144-3.1 | i386 serial-modules-4.9.0-8-686-di | 4.9.144-3.1 | i386 serial-modules-4.9.0-8-686-pae-di | 4.9.144-3.1 | i386 sound-modules-4.9.0-8-686-di | 4.9.144-3.1 | i386 sound-modules-4.9.0-8-686-pae-di | 4.9.144-3.1 | i386 speakup-modules-4.9.0-8-686-di | 4.9.144-3.1 | i386 speakup-modules-4.9.0-8-686-pae-di | 4.9.144-3.1 | i386 squashfs-modules-4.9.0-8-686-di | 4.9.144-3.1 | i386 squashfs-modules-4.9.0-8-686-pae-di | 4.9.144-3.1 | i386 udf-modules-4.9.0-8-686-di | 4.9.144-3.1 | i386 udf-modules-4.9.0-8-686-pae-di | 4.9.144-3.1 | i386 uinput-modules-4.9.0-8-686-di | 4.9.144-3.1 | i386 uinput-modules-4.9.0-8-686-pae-di | 4.9.144-3.1 | i386 usb-modules-4.9.0-8-686-di | 4.9.144-3.1 | i386 usb-modules-4.9.0-8-686-pae-di | 4.9.144-3.1 | i386 usb-serial-modules-4.9.0-8-686-di | 4.9.144-3.1 | i386 usb-serial-modules-4.9.0-8-686-pae-di | 4.9.144-3.1 | i386 usb-storage-modules-4.9.0-8-686-di | 4.9.144-3.1 | i386 usb-storage-modules-4.9.0-8-686-pae-di | 4.9.144-3.1 | i386 virtio-modules-4.9.0-8-686-di | 4.9.144-3.1 | i386 virtio-modules-4.9.0-8-686-pae-di | 4.9.144-3.1 | i386 xfs-modules-4.9.0-8-686-di | 4.9.144-3.1 | i386 xfs-modules-4.9.0-8-686-pae-di | 4.9.144-3.1 | i386 ------------------- Reason ------------------- [auto-cruft] NBS (no longer built by linux) ---------------------------------------------- ========================================================================= ========================================================================= [Date: Sat, 27 Apr 2019 08:37:50 +0000] [ftpmaster: Archive Administrator] Removed the following packages from stable: linux-headers-4.9.0-8-all-mips | 4.9.144-3.1 | mips ------------------- Reason ------------------- [auto-cruft] NBS (no longer built by linux) ---------------------------------------------- ========================================================================= ========================================================================= [Date: Sat, 27 Apr 2019 08:38:37 +0000] [ftpmaster: Archive Administrator] Removed the following packages from stable: affs-modules-4.9.0-8-octeon-di | 4.9.144-3.1 | mips, mips64el, mipsel btrfs-modules-4.9.0-8-octeon-di | 4.9.144-3.1 | mips, mips64el, mipsel cdrom-core-modules-4.9.0-8-octeon-di | 4.9.144-3.1 | mips, mips64el, mipsel crc-modules-4.9.0-8-octeon-di | 4.9.144-3.1 | mips, mips64el, mipsel crypto-dm-modules-4.9.0-8-octeon-di | 4.9.144-3.1 | mips, mips64el, mipsel crypto-modules-4.9.0-8-octeon-di | 4.9.144-3.1 | mips, mips64el, mipsel event-modules-4.9.0-8-octeon-di | 4.9.144-3.1 | mips, mips64el, mipsel ext4-modules-4.9.0-8-octeon-di | 4.9.144-3.1 | mips, mips64el, mipsel fat-modules-4.9.0-8-octeon-di | 4.9.144-3.1 | mips, mips64el, mipsel fuse-modules-4.9.0-8-octeon-di | 4.9.144-3.1 | mips, mips64el, mipsel hfs-modules-4.9.0-8-octeon-di | 4.9.144-3.1 | mips, mips64el, mipsel input-modules-4.9.0-8-octeon-di | 4.9.144-3.1 | mips, mips64el, mipsel isofs-modules-4.9.0-8-octeon-di | 4.9.144-3.1 | mips, mips64el, mipsel jfs-modules-4.9.0-8-octeon-di | 4.9.144-3.1 | mips, mips64el, mipsel kernel-image-4.9.0-8-octeon-di | 4.9.144-3.1 | mips, mips64el, mipsel linux-headers-4.9.0-8-5kc-malta | 4.9.144-3.1 | mips, mips64el, mipsel linux-headers-4.9.0-8-octeon | 4.9.144-3.1 | mips, mips64el, mipsel linux-image-4.9.0-8-5kc-malta | 4.9.144-3.1 | mips, mips64el, mipsel linux-image-4.9.0-8-5kc-malta-dbg | 4.9.144-3.1 | mips, mips64el, mipsel linux-image-4.9.0-8-octeon | 4.9.144-3.1 | mips, mips64el, mipsel linux-image-4.9.0-8-octeon-dbg | 4.9.144-3.1 | mips, mips64el, mipsel loop-modules-4.9.0-8-octeon-di | 4.9.144-3.1 | mips, mips64el, mipsel md-modules-4.9.0-8-octeon-di | 4.9.144-3.1 | mips, mips64el, mipsel minix-modules-4.9.0-8-octeon-di | 4.9.144-3.1 | mips, mips64el, mipsel multipath-modules-4.9.0-8-octeon-di | 4.9.144-3.1 | mips, mips64el, mipsel nbd-modules-4.9.0-8-octeon-di | 4.9.144-3.1 | mips, mips64el, mipsel nic-modules-4.9.0-8-octeon-di | 4.9.144-3.1 | mips, mips64el, mipsel nic-shared-modules-4.9.0-8-octeon-di | 4.9.144-3.1 | mips, mips64el, mipsel nic-usb-modules-4.9.0-8-octeon-di | 4.9.144-3.1 | mips, mips64el, mipsel nic-wireless-modules-4.9.0-8-octeon-di | 4.9.144-3.1 | mips, mips64el, mipsel ntfs-modules-4.9.0-8-octeon-di | 4.9.144-3.1 | mips, mips64el, mipsel pata-modules-4.9.0-8-octeon-di | 4.9.144-3.1 | mips, mips64el, mipsel ppp-modules-4.9.0-8-octeon-di | 4.9.144-3.1 | mips, mips64el, mipsel rtc-modules-4.9.0-8-octeon-di | 4.9.144-3.1 | mips, mips64el, mipsel sata-modules-4.9.0-8-octeon-di | 4.9.144-3.1 | mips, mips64el, mipsel scsi-core-modules-4.9.0-8-octeon-di | 4.9.144-3.1 | mips, mips64el, mipsel scsi-modules-4.9.0-8-octeon-di | 4.9.144-3.1 | mips, mips64el, mipsel sound-modules-4.9.0-8-octeon-di | 4.9.144-3.1 | mips, mips64el, mipsel squashfs-modules-4.9.0-8-octeon-di | 4.9.144-3.1 | mips, mips64el, mipsel udf-modules-4.9.0-8-octeon-di | 4.9.144-3.1 | mips, mips64el, mipsel usb-modules-4.9.0-8-octeon-di | 4.9.144-3.1 | mips, mips64el, mipsel usb-serial-modules-4.9.0-8-octeon-di | 4.9.144-3.1 | mips, mips64el, mipsel usb-storage-modules-4.9.0-8-octeon-di | 4.9.144-3.1 | mips, mips64el, mipsel virtio-modules-4.9.0-8-octeon-di | 4.9.144-3.1 | mips, mips64el, mipsel xfs-modules-4.9.0-8-octeon-di | 4.9.144-3.1 | mips, mips64el, mipsel zlib-modules-4.9.0-8-octeon-di | 4.9.144-3.1 | mips, mips64el, mipsel ------------------- Reason ------------------- [auto-cruft] NBS (no longer built by linux) ---------------------------------------------- ========================================================================= ========================================================================= [Date: Sat, 27 Apr 2019 08:39:01 +0000] [ftpmaster: Archive Administrator] Removed the following packages from stable: acpi-modules-4.9.0-8-amd64-di | 4.9.144-3.1 | amd64 ata-modules-4.9.0-8-amd64-di | 4.9.144-3.1 | amd64 btrfs-modules-4.9.0-8-amd64-di | 4.9.144-3.1 | amd64 cdrom-core-modules-4.9.0-8-amd64-di | 4.9.144-3.1 | amd64 crc-modules-4.9.0-8-amd64-di | 4.9.144-3.1 | amd64 crypto-dm-modules-4.9.0-8-amd64-di | 4.9.144-3.1 | amd64 crypto-modules-4.9.0-8-amd64-di | 4.9.144-3.1 | amd64 efi-modules-4.9.0-8-amd64-di | 4.9.144-3.1 | amd64 event-modules-4.9.0-8-amd64-di | 4.9.144-3.1 | amd64 ext4-modules-4.9.0-8-amd64-di | 4.9.144-3.1 | amd64 fat-modules-4.9.0-8-amd64-di | 4.9.144-3.1 | amd64 fb-modules-4.9.0-8-amd64-di | 4.9.144-3.1 | amd64 firewire-core-modules-4.9.0-8-amd64-di | 4.9.144-3.1 | amd64 fuse-modules-4.9.0-8-amd64-di | 4.9.144-3.1 | amd64 hyperv-modules-4.9.0-8-amd64-di | 4.9.144-3.1 | amd64 i2c-modules-4.9.0-8-amd64-di | 4.9.144-3.1 | amd64 input-modules-4.9.0-8-amd64-di | 4.9.144-3.1 | amd64 isofs-modules-4.9.0-8-amd64-di | 4.9.144-3.1 | amd64 jfs-modules-4.9.0-8-amd64-di | 4.9.144-3.1 | amd64 kernel-image-4.9.0-8-amd64-di | 4.9.144-3.1 | amd64 linux-headers-4.9.0-8-all-amd64 | 4.9.144-3.1 | amd64 linux-headers-4.9.0-8-amd64 | 4.9.144-3.1 | amd64 linux-headers-4.9.0-8-rt-amd64 | 4.9.144-3.1 | amd64 linux-image-4.9.0-8-amd64 | 4.9.144-3.1 | amd64 linux-image-4.9.0-8-amd64-dbg | 4.9.144-3.1 | amd64 linux-image-4.9.0-8-rt-amd64 | 4.9.144-3.1 | amd64 linux-image-4.9.0-8-rt-amd64-dbg | 4.9.144-3.1 | amd64 loop-modules-4.9.0-8-amd64-di | 4.9.144-3.1 | amd64 md-modules-4.9.0-8-amd64-di | 4.9.144-3.1 | amd64 mmc-core-modules-4.9.0-8-amd64-di | 4.9.144-3.1 | amd64 mmc-modules-4.9.0-8-amd64-di | 4.9.144-3.1 | amd64 mouse-modules-4.9.0-8-amd64-di | 4.9.144-3.1 | amd64 multipath-modules-4.9.0-8-amd64-di | 4.9.144-3.1 | amd64 nbd-modules-4.9.0-8-amd64-di | 4.9.144-3.1 | amd64 nic-modules-4.9.0-8-amd64-di | 4.9.144-3.1 | amd64 nic-pcmcia-modules-4.9.0-8-amd64-di | 4.9.144-3.1 | amd64 nic-shared-modules-4.9.0-8-amd64-di | 4.9.144-3.1 | amd64 nic-usb-modules-4.9.0-8-amd64-di | 4.9.144-3.1 | amd64 nic-wireless-modules-4.9.0-8-amd64-di | 4.9.144-3.1 | amd64 ntfs-modules-4.9.0-8-amd64-di | 4.9.144-3.1 | amd64 pata-modules-4.9.0-8-amd64-di | 4.9.144-3.1 | amd64 pcmcia-modules-4.9.0-8-amd64-di | 4.9.144-3.1 | amd64 pcmcia-storage-modules-4.9.0-8-amd64-di | 4.9.144-3.1 | amd64 ppp-modules-4.9.0-8-amd64-di | 4.9.144-3.1 | amd64 sata-modules-4.9.0-8-amd64-di | 4.9.144-3.1 | amd64 scsi-core-modules-4.9.0-8-amd64-di | 4.9.144-3.1 | amd64 scsi-modules-4.9.0-8-amd64-di | 4.9.144-3.1 | amd64 serial-modules-4.9.0-8-amd64-di | 4.9.144-3.1 | amd64 sound-modules-4.9.0-8-amd64-di | 4.9.144-3.1 | amd64 speakup-modules-4.9.0-8-amd64-di | 4.9.144-3.1 | amd64 squashfs-modules-4.9.0-8-amd64-di | 4.9.144-3.1 | amd64 udf-modules-4.9.0-8-amd64-di | 4.9.144-3.1 | amd64 uinput-modules-4.9.0-8-amd64-di | 4.9.144-3.1 | amd64 usb-modules-4.9.0-8-amd64-di | 4.9.144-3.1 | amd64 usb-serial-modules-4.9.0-8-amd64-di | 4.9.144-3.1 | amd64 usb-storage-modules-4.9.0-8-amd64-di | 4.9.144-3.1 | amd64 virtio-modules-4.9.0-8-amd64-di | 4.9.144-3.1 | amd64 xfs-modules-4.9.0-8-amd64-di | 4.9.144-3.1 | amd64 ------------------- Reason ------------------- [auto-cruft] NBS (no longer built by linux) ---------------------------------------------- ========================================================================= ========================================================================= [Date: Sat, 27 Apr 2019 08:39:17 +0000] [ftpmaster: Archive Administrator] Removed the following packages from stable: btrfs-modules-4.9.0-8-s390x-di | 4.9.144-3.1 | s390x crc-modules-4.9.0-8-s390x-di | 4.9.144-3.1 | s390x crypto-dm-modules-4.9.0-8-s390x-di | 4.9.144-3.1 | s390x crypto-modules-4.9.0-8-s390x-di | 4.9.144-3.1 | s390x dasd-extra-modules-4.9.0-8-s390x-di | 4.9.144-3.1 | s390x dasd-modules-4.9.0-8-s390x-di | 4.9.144-3.1 | s390x ext4-modules-4.9.0-8-s390x-di | 4.9.144-3.1 | s390x fat-modules-4.9.0-8-s390x-di | 4.9.144-3.1 | s390x fuse-modules-4.9.0-8-s390x-di | 4.9.144-3.1 | s390x isofs-modules-4.9.0-8-s390x-di | 4.9.144-3.1 | s390x kernel-image-4.9.0-8-s390x-di | 4.9.144-3.1 | s390x linux-headers-4.9.0-8-all-s390x | 4.9.144-3.1 | s390x linux-headers-4.9.0-8-s390x | 4.9.144-3.1 | s390x linux-image-4.9.0-8-s390x | 4.9.144-3.1 | s390x linux-image-4.9.0-8-s390x-dbg | 4.9.144-3.1 | s390x loop-modules-4.9.0-8-s390x-di | 4.9.144-3.1 | s390x md-modules-4.9.0-8-s390x-di | 4.9.144-3.1 | s390x multipath-modules-4.9.0-8-s390x-di | 4.9.144-3.1 | s390x nbd-modules-4.9.0-8-s390x-di | 4.9.144-3.1 | s390x nic-modules-4.9.0-8-s390x-di | 4.9.144-3.1 | s390x scsi-core-modules-4.9.0-8-s390x-di | 4.9.144-3.1 | s390x scsi-modules-4.9.0-8-s390x-di | 4.9.144-3.1 | s390x udf-modules-4.9.0-8-s390x-di | 4.9.144-3.1 | s390x virtio-modules-4.9.0-8-s390x-di | 4.9.144-3.1 | s390x xfs-modules-4.9.0-8-s390x-di | 4.9.144-3.1 | s390x zlib-modules-4.9.0-8-s390x-di | 4.9.144-3.1 | s390x ------------------- Reason ------------------- [auto-cruft] NBS (no longer built by linux) ---------------------------------------------- ========================================================================= ========================================================================= [Date: Sat, 27 Apr 2019 08:39:52 +0000] [ftpmaster: Archive Administrator] Removed the following packages from stable: linux-headers-4.9.0-8-all | 4.9.144-3.1 | amd64, arm64, armel, armhf, i386, mips, mips64el, mipsel, ppc64el, s390x ------------------- Reason ------------------- [auto-cruft] NBS (no longer built by linux) ---------------------------------------------- ========================================================================= ========================================================================= [Date: Sat, 27 Apr 2019 08:40:18 +0000] [ftpmaster: Archive Administrator] Removed the following packages from stable: ata-modules-4.9.0-8-arm64-di | 4.9.144-3.1 | arm64 btrfs-modules-4.9.0-8-arm64-di | 4.9.144-3.1 | arm64 cdrom-core-modules-4.9.0-8-arm64-di | 4.9.144-3.1 | arm64 crc-modules-4.9.0-8-arm64-di | 4.9.144-3.1 | arm64 crypto-dm-modules-4.9.0-8-arm64-di | 4.9.144-3.1 | arm64 crypto-modules-4.9.0-8-arm64-di | 4.9.144-3.1 | arm64 efi-modules-4.9.0-8-arm64-di | 4.9.144-3.1 | arm64 event-modules-4.9.0-8-arm64-di | 4.9.144-3.1 | arm64 ext4-modules-4.9.0-8-arm64-di | 4.9.144-3.1 | arm64 fat-modules-4.9.0-8-arm64-di | 4.9.144-3.1 | arm64 fb-modules-4.9.0-8-arm64-di | 4.9.144-3.1 | arm64 fuse-modules-4.9.0-8-arm64-di | 4.9.144-3.1 | arm64 i2c-modules-4.9.0-8-arm64-di | 4.9.144-3.1 | arm64 input-modules-4.9.0-8-arm64-di | 4.9.144-3.1 | arm64 isofs-modules-4.9.0-8-arm64-di | 4.9.144-3.1 | arm64 jfs-modules-4.9.0-8-arm64-di | 4.9.144-3.1 | arm64 kernel-image-4.9.0-8-arm64-di | 4.9.144-3.1 | arm64 leds-modules-4.9.0-8-arm64-di | 4.9.144-3.1 | arm64 linux-headers-4.9.0-8-all-arm64 | 4.9.144-3.1 | arm64 linux-headers-4.9.0-8-arm64 | 4.9.144-3.1 | arm64 linux-image-4.9.0-8-arm64 | 4.9.144-3.1 | arm64 linux-image-4.9.0-8-arm64-dbg | 4.9.144-3.1 | arm64 loop-modules-4.9.0-8-arm64-di | 4.9.144-3.1 | arm64 md-modules-4.9.0-8-arm64-di | 4.9.144-3.1 | arm64 mmc-modules-4.9.0-8-arm64-di | 4.9.144-3.1 | arm64 multipath-modules-4.9.0-8-arm64-di | 4.9.144-3.1 | arm64 nbd-modules-4.9.0-8-arm64-di | 4.9.144-3.1 | arm64 nic-modules-4.9.0-8-arm64-di | 4.9.144-3.1 | arm64 nic-shared-modules-4.9.0-8-arm64-di | 4.9.144-3.1 | arm64 nic-usb-modules-4.9.0-8-arm64-di | 4.9.144-3.1 | arm64 nic-wireless-modules-4.9.0-8-arm64-di | 4.9.144-3.1 | arm64 ppp-modules-4.9.0-8-arm64-di | 4.9.144-3.1 | arm64 sata-modules-4.9.0-8-arm64-di | 4.9.144-3.1 | arm64 scsi-core-modules-4.9.0-8-arm64-di | 4.9.144-3.1 | arm64 scsi-modules-4.9.0-8-arm64-di | 4.9.144-3.1 | arm64 squashfs-modules-4.9.0-8-arm64-di | 4.9.144-3.1 | arm64 udf-modules-4.9.0-8-arm64-di | 4.9.144-3.1 | arm64 uinput-modules-4.9.0-8-arm64-di | 4.9.144-3.1 | arm64 usb-modules-4.9.0-8-arm64-di | 4.9.144-3.1 | arm64 usb-storage-modules-4.9.0-8-arm64-di | 4.9.144-3.1 | arm64 virtio-modules-4.9.0-8-arm64-di | 4.9.144-3.1 | arm64 xfs-modules-4.9.0-8-arm64-di | 4.9.144-3.1 | arm64 ------------------- Reason ------------------- [auto-cruft] NBS (no longer built by linux) ---------------------------------------------- ========================================================================= ========================================================================= [Date: Sat, 27 Apr 2019 08:41:38 +0000] [ftpmaster: Archive Administrator] Removed the following packages from stable: crc-modules-4.9.0-8-marvell-di | 4.9.144-3.1 | armel crypto-dm-modules-4.9.0-8-marvell-di | 4.9.144-3.1 | armel ------------------- Reason ------------------- [auto-cruft] NBS (no longer built by linux) ---------------------------------------------- ========================================================================= ========================================================================= [Date: Sat, 27 Apr 2019 08:42:04 +0000] [ftpmaster: Archive Administrator] Removed the following packages from stable: affs-modules-4.9.0-8-4kc-malta-di | 4.9.144-3.1 | mips, mipsel ata-modules-4.9.0-8-4kc-malta-di | 4.9.144-3.1 | mips, mipsel btrfs-modules-4.9.0-8-4kc-malta-di | 4.9.144-3.1 | mips, mipsel cdrom-core-modules-4.9.0-8-4kc-malta-di | 4.9.144-3.1 | mips, mipsel crc-modules-4.9.0-8-4kc-malta-di | 4.9.144-3.1 | mips, mipsel crypto-dm-modules-4.9.0-8-4kc-malta-di | 4.9.144-3.1 | mips, mipsel crypto-modules-4.9.0-8-4kc-malta-di | 4.9.144-3.1 | mips, mipsel event-modules-4.9.0-8-4kc-malta-di | 4.9.144-3.1 | mips, mipsel ext4-modules-4.9.0-8-4kc-malta-di | 4.9.144-3.1 | mips, mipsel fat-modules-4.9.0-8-4kc-malta-di | 4.9.144-3.1 | mips, mipsel fuse-modules-4.9.0-8-4kc-malta-di | 4.9.144-3.1 | mips, mipsel hfs-modules-4.9.0-8-4kc-malta-di | 4.9.144-3.1 | mips, mipsel i2c-modules-4.9.0-8-4kc-malta-di | 4.9.144-3.1 | mips, mipsel input-modules-4.9.0-8-4kc-malta-di | 4.9.144-3.1 | mips, mipsel isofs-modules-4.9.0-8-4kc-malta-di | 4.9.144-3.1 | mips, mipsel jfs-modules-4.9.0-8-4kc-malta-di | 4.9.144-3.1 | mips, mipsel kernel-image-4.9.0-8-4kc-malta-di | 4.9.144-3.1 | mips, mipsel linux-headers-4.9.0-8-4kc-malta | 4.9.144-3.1 | mips, mipsel linux-image-4.9.0-8-4kc-malta | 4.9.144-3.1 | mips, mipsel linux-image-4.9.0-8-4kc-malta-dbg | 4.9.144-3.1 | mips, mipsel loop-modules-4.9.0-8-4kc-malta-di | 4.9.144-3.1 | mips, mipsel md-modules-4.9.0-8-4kc-malta-di | 4.9.144-3.1 | mips, mipsel minix-modules-4.9.0-8-4kc-malta-di | 4.9.144-3.1 | mips, mipsel mmc-core-modules-4.9.0-8-4kc-malta-di | 4.9.144-3.1 | mips, mipsel mmc-modules-4.9.0-8-4kc-malta-di | 4.9.144-3.1 | mips, mipsel mouse-modules-4.9.0-8-4kc-malta-di | 4.9.144-3.1 | mips, mipsel multipath-modules-4.9.0-8-4kc-malta-di | 4.9.144-3.1 | mips, mipsel nbd-modules-4.9.0-8-4kc-malta-di | 4.9.144-3.1 | mips, mipsel nic-modules-4.9.0-8-4kc-malta-di | 4.9.144-3.1 | mips, mipsel nic-shared-modules-4.9.0-8-4kc-malta-di | 4.9.144-3.1 | mips, mipsel nic-usb-modules-4.9.0-8-4kc-malta-di | 4.9.144-3.1 | mips, mipsel nic-wireless-modules-4.9.0-8-4kc-malta-di | 4.9.144-3.1 | mips, mipsel ntfs-modules-4.9.0-8-4kc-malta-di | 4.9.144-3.1 | mips, mipsel pata-modules-4.9.0-8-4kc-malta-di | 4.9.144-3.1 | mips, mipsel ppp-modules-4.9.0-8-4kc-malta-di | 4.9.144-3.1 | mips, mipsel sata-modules-4.9.0-8-4kc-malta-di | 4.9.144-3.1 | mips, mipsel scsi-core-modules-4.9.0-8-4kc-malta-di | 4.9.144-3.1 | mips, mipsel scsi-modules-4.9.0-8-4kc-malta-di | 4.9.144-3.1 | mips, mipsel sound-modules-4.9.0-8-4kc-malta-di | 4.9.144-3.1 | mips, mipsel squashfs-modules-4.9.0-8-4kc-malta-di | 4.9.144-3.1 | mips, mipsel udf-modules-4.9.0-8-4kc-malta-di | 4.9.144-3.1 | mips, mipsel usb-modules-4.9.0-8-4kc-malta-di | 4.9.144-3.1 | mips, mipsel usb-serial-modules-4.9.0-8-4kc-malta-di | 4.9.144-3.1 | mips, mipsel usb-storage-modules-4.9.0-8-4kc-malta-di | 4.9.144-3.1 | mips, mipsel virtio-modules-4.9.0-8-4kc-malta-di | 4.9.144-3.1 | mips, mipsel xfs-modules-4.9.0-8-4kc-malta-di | 4.9.144-3.1 | mips, mipsel zlib-modules-4.9.0-8-4kc-malta-di | 4.9.144-3.1 | mips, mipsel ------------------- Reason ------------------- [auto-cruft] NBS (no longer built by linux) ---------------------------------------------- ========================================================================= ========================================================================= [Date: Sat, 27 Apr 2019 08:42:36 +0000] [ftpmaster: Archive Administrator] Removed the following packages from stable: affs-modules-4.9.0-8-5kc-malta-di | 4.9.144-3.1 | mips64el ata-modules-4.9.0-8-5kc-malta-di | 4.9.144-3.1 | mips64el btrfs-modules-4.9.0-8-5kc-malta-di | 4.9.144-3.1 | mips64el cdrom-core-modules-4.9.0-8-5kc-malta-di | 4.9.144-3.1 | mips64el crc-modules-4.9.0-8-5kc-malta-di | 4.9.144-3.1 | mips64el crypto-dm-modules-4.9.0-8-5kc-malta-di | 4.9.144-3.1 | mips64el crypto-modules-4.9.0-8-5kc-malta-di | 4.9.144-3.1 | mips64el event-modules-4.9.0-8-5kc-malta-di | 4.9.144-3.1 | mips64el ext4-modules-4.9.0-8-5kc-malta-di | 4.9.144-3.1 | mips64el fat-modules-4.9.0-8-5kc-malta-di | 4.9.144-3.1 | mips64el fuse-modules-4.9.0-8-5kc-malta-di | 4.9.144-3.1 | mips64el hfs-modules-4.9.0-8-5kc-malta-di | 4.9.144-3.1 | mips64el i2c-modules-4.9.0-8-5kc-malta-di | 4.9.144-3.1 | mips64el input-modules-4.9.0-8-5kc-malta-di | 4.9.144-3.1 | mips64el isofs-modules-4.9.0-8-5kc-malta-di | 4.9.144-3.1 | mips64el jfs-modules-4.9.0-8-5kc-malta-di | 4.9.144-3.1 | mips64el kernel-image-4.9.0-8-5kc-malta-di | 4.9.144-3.1 | mips64el linux-headers-4.9.0-8-all-mips64el | 4.9.144-3.1 | mips64el loop-modules-4.9.0-8-5kc-malta-di | 4.9.144-3.1 | mips64el md-modules-4.9.0-8-5kc-malta-di | 4.9.144-3.1 | mips64el minix-modules-4.9.0-8-5kc-malta-di | 4.9.144-3.1 | mips64el mmc-core-modules-4.9.0-8-5kc-malta-di | 4.9.144-3.1 | mips64el mmc-modules-4.9.0-8-5kc-malta-di | 4.9.144-3.1 | mips64el mouse-modules-4.9.0-8-5kc-malta-di | 4.9.144-3.1 | mips64el multipath-modules-4.9.0-8-5kc-malta-di | 4.9.144-3.1 | mips64el nbd-modules-4.9.0-8-5kc-malta-di | 4.9.144-3.1 | mips64el nic-modules-4.9.0-8-5kc-malta-di | 4.9.144-3.1 | mips64el nic-shared-modules-4.9.0-8-5kc-malta-di | 4.9.144-3.1 | mips64el nic-usb-modules-4.9.0-8-5kc-malta-di | 4.9.144-3.1 | mips64el nic-wireless-modules-4.9.0-8-5kc-malta-di | 4.9.144-3.1 | mips64el ntfs-modules-4.9.0-8-5kc-malta-di | 4.9.144-3.1 | mips64el pata-modules-4.9.0-8-5kc-malta-di | 4.9.144-3.1 | mips64el ppp-modules-4.9.0-8-5kc-malta-di | 4.9.144-3.1 | mips64el sata-modules-4.9.0-8-5kc-malta-di | 4.9.144-3.1 | mips64el scsi-core-modules-4.9.0-8-5kc-malta-di | 4.9.144-3.1 | mips64el scsi-modules-4.9.0-8-5kc-malta-di | 4.9.144-3.1 | mips64el sound-modules-4.9.0-8-5kc-malta-di | 4.9.144-3.1 | mips64el squashfs-modules-4.9.0-8-5kc-malta-di | 4.9.144-3.1 | mips64el udf-modules-4.9.0-8-5kc-malta-di | 4.9.144-3.1 | mips64el usb-modules-4.9.0-8-5kc-malta-di | 4.9.144-3.1 | mips64el usb-serial-modules-4.9.0-8-5kc-malta-di | 4.9.144-3.1 | mips64el usb-storage-modules-4.9.0-8-5kc-malta-di | 4.9.144-3.1 | mips64el virtio-modules-4.9.0-8-5kc-malta-di | 4.9.144-3.1 | mips64el xfs-modules-4.9.0-8-5kc-malta-di | 4.9.144-3.1 | mips64el zlib-modules-4.9.0-8-5kc-malta-di | 4.9.144-3.1 | mips64el ------------------- Reason ------------------- [auto-cruft] NBS (no longer built by linux) ---------------------------------------------- ========================================================================= ========================================================================= [Date: Sat, 27 Apr 2019 08:43:12 +0000] [ftpmaster: Archive Administrator] Removed the following packages from stable: affs-modules-4.9.0-8-loongson-3-di | 4.9.144-3.1 | mips64el, mipsel ata-modules-4.9.0-8-loongson-3-di | 4.9.144-3.1 | mips64el, mipsel btrfs-modules-4.9.0-8-loongson-3-di | 4.9.144-3.1 | mips64el, mipsel cdrom-core-modules-4.9.0-8-loongson-3-di | 4.9.144-3.1 | mips64el, mipsel crc-modules-4.9.0-8-loongson-3-di | 4.9.144-3.1 | mips64el, mipsel crypto-dm-modules-4.9.0-8-loongson-3-di | 4.9.144-3.1 | mips64el, mipsel crypto-modules-4.9.0-8-loongson-3-di | 4.9.144-3.1 | mips64el, mipsel event-modules-4.9.0-8-loongson-3-di | 4.9.144-3.1 | mips64el, mipsel ext4-modules-4.9.0-8-loongson-3-di | 4.9.144-3.1 | mips64el, mipsel fat-modules-4.9.0-8-loongson-3-di | 4.9.144-3.1 | mips64el, mipsel fb-modules-4.9.0-8-loongson-3-di | 4.9.144-3.1 | mips64el, mipsel firewire-core-modules-4.9.0-8-loongson-3-di | 4.9.144-3.1 | mips64el, mipsel fuse-modules-4.9.0-8-loongson-3-di | 4.9.144-3.1 | mips64el, mipsel hfs-modules-4.9.0-8-loongson-3-di | 4.9.144-3.1 | mips64el, mipsel input-modules-4.9.0-8-loongson-3-di | 4.9.144-3.1 | mips64el, mipsel isofs-modules-4.9.0-8-loongson-3-di | 4.9.144-3.1 | mips64el, mipsel jfs-modules-4.9.0-8-loongson-3-di | 4.9.144-3.1 | mips64el, mipsel kernel-image-4.9.0-8-loongson-3-di | 4.9.144-3.1 | mips64el, mipsel linux-headers-4.9.0-8-loongson-3 | 4.9.144-3.1 | mips64el, mipsel linux-image-4.9.0-8-loongson-3 | 4.9.144-3.1 | mips64el, mipsel linux-image-4.9.0-8-loongson-3-dbg | 4.9.144-3.1 | mips64el, mipsel loop-modules-4.9.0-8-loongson-3-di | 4.9.144-3.1 | mips64el, mipsel md-modules-4.9.0-8-loongson-3-di | 4.9.144-3.1 | mips64el, mipsel nbd-modules-4.9.0-8-loongson-3-di | 4.9.144-3.1 | mips64el, mipsel nfs-modules-4.9.0-8-loongson-3-di | 4.9.144-3.1 | mips64el, mipsel nic-modules-4.9.0-8-loongson-3-di | 4.9.144-3.1 | mips64el, mipsel nic-shared-modules-4.9.0-8-loongson-3-di | 4.9.144-3.1 | mips64el, mipsel nic-usb-modules-4.9.0-8-loongson-3-di | 4.9.144-3.1 | mips64el, mipsel nic-wireless-modules-4.9.0-8-loongson-3-di | 4.9.144-3.1 | mips64el, mipsel ntfs-modules-4.9.0-8-loongson-3-di | 4.9.144-3.1 | mips64el, mipsel pata-modules-4.9.0-8-loongson-3-di | 4.9.144-3.1 | mips64el, mipsel ppp-modules-4.9.0-8-loongson-3-di | 4.9.144-3.1 | mips64el, mipsel sata-modules-4.9.0-8-loongson-3-di | 4.9.144-3.1 | mips64el, mipsel scsi-core-modules-4.9.0-8-loongson-3-di | 4.9.144-3.1 | mips64el, mipsel scsi-modules-4.9.0-8-loongson-3-di | 4.9.144-3.1 | mips64el, mipsel sound-modules-4.9.0-8-loongson-3-di | 4.9.144-3.1 | mips64el, mipsel speakup-modules-4.9.0-8-loongson-3-di | 4.9.144-3.1 | mips64el, mipsel squashfs-modules-4.9.0-8-loongson-3-di | 4.9.144-3.1 | mips64el, mipsel udf-modules-4.9.0-8-loongson-3-di | 4.9.144-3.1 | mips64el, mipsel usb-modules-4.9.0-8-loongson-3-di | 4.9.144-3.1 | mips64el, mipsel usb-serial-modules-4.9.0-8-loongson-3-di | 4.9.144-3.1 | mips64el, mipsel usb-storage-modules-4.9.0-8-loongson-3-di | 4.9.144-3.1 | mips64el, mipsel virtio-modules-4.9.0-8-loongson-3-di | 4.9.144-3.1 | mips64el, mipsel xfs-modules-4.9.0-8-loongson-3-di | 4.9.144-3.1 | mips64el, mipsel zlib-modules-4.9.0-8-loongson-3-di | 4.9.144-3.1 | mips64el, mipsel ------------------- Reason ------------------- [auto-cruft] NBS (no longer built by linux) ---------------------------------------------- ========================================================================= ========================================================================= [Date: Sat, 27 Apr 2019 08:43:33 +0000] [ftpmaster: Archive Administrator] Removed the following packages from stable: linux-headers-4.9.0-8-all-mipsel | 4.9.144-3.1 | mipsel ------------------- Reason ------------------- [auto-cruft] NBS (no longer built by linux) ---------------------------------------------- ========================================================================= ========================================================================= [Date: Sat, 27 Apr 2019 08:43:58 +0000] [ftpmaster: Archive Administrator] Removed the following packages from stable: ata-modules-4.9.0-8-powerpc64le-di | 4.9.144-3.1 | ppc64el btrfs-modules-4.9.0-8-powerpc64le-di | 4.9.144-3.1 | ppc64el cdrom-core-modules-4.9.0-8-powerpc64le-di | 4.9.144-3.1 | ppc64el crc-modules-4.9.0-8-powerpc64le-di | 4.9.144-3.1 | ppc64el crypto-dm-modules-4.9.0-8-powerpc64le-di | 4.9.144-3.1 | ppc64el crypto-modules-4.9.0-8-powerpc64le-di | 4.9.144-3.1 | ppc64el event-modules-4.9.0-8-powerpc64le-di | 4.9.144-3.1 | ppc64el ext4-modules-4.9.0-8-powerpc64le-di | 4.9.144-3.1 | ppc64el fancontrol-modules-4.9.0-8-powerpc64le-di | 4.9.144-3.1 | ppc64el fat-modules-4.9.0-8-powerpc64le-di | 4.9.144-3.1 | ppc64el firewire-core-modules-4.9.0-8-powerpc64le-di | 4.9.144-3.1 | ppc64el fuse-modules-4.9.0-8-powerpc64le-di | 4.9.144-3.1 | ppc64el hypervisor-modules-4.9.0-8-powerpc64le-di | 4.9.144-3.1 | ppc64el input-modules-4.9.0-8-powerpc64le-di | 4.9.144-3.1 | ppc64el isofs-modules-4.9.0-8-powerpc64le-di | 4.9.144-3.1 | ppc64el jfs-modules-4.9.0-8-powerpc64le-di | 4.9.144-3.1 | ppc64el kernel-image-4.9.0-8-powerpc64le-di | 4.9.144-3.1 | ppc64el linux-headers-4.9.0-8-all-ppc64el | 4.9.144-3.1 | ppc64el linux-headers-4.9.0-8-powerpc64le | 4.9.144-3.1 | ppc64el linux-image-4.9.0-8-powerpc64le | 4.9.144-3.1 | ppc64el linux-image-4.9.0-8-powerpc64le-dbg | 4.9.144-3.1 | ppc64el loop-modules-4.9.0-8-powerpc64le-di | 4.9.144-3.1 | ppc64el md-modules-4.9.0-8-powerpc64le-di | 4.9.144-3.1 | ppc64el mouse-modules-4.9.0-8-powerpc64le-di | 4.9.144-3.1 | ppc64el multipath-modules-4.9.0-8-powerpc64le-di | 4.9.144-3.1 | ppc64el nbd-modules-4.9.0-8-powerpc64le-di | 4.9.144-3.1 | ppc64el nic-modules-4.9.0-8-powerpc64le-di | 4.9.144-3.1 | ppc64el nic-shared-modules-4.9.0-8-powerpc64le-di | 4.9.144-3.1 | ppc64el ppp-modules-4.9.0-8-powerpc64le-di | 4.9.144-3.1 | ppc64el sata-modules-4.9.0-8-powerpc64le-di | 4.9.144-3.1 | ppc64el scsi-core-modules-4.9.0-8-powerpc64le-di | 4.9.144-3.1 | ppc64el scsi-modules-4.9.0-8-powerpc64le-di | 4.9.144-3.1 | ppc64el serial-modules-4.9.0-8-powerpc64le-di | 4.9.144-3.1 | ppc64el squashfs-modules-4.9.0-8-powerpc64le-di | 4.9.144-3.1 | ppc64el udf-modules-4.9.0-8-powerpc64le-di | 4.9.144-3.1 | ppc64el uinput-modules-4.9.0-8-powerpc64le-di | 4.9.144-3.1 | ppc64el usb-modules-4.9.0-8-powerpc64le-di | 4.9.144-3.1 | ppc64el usb-serial-modules-4.9.0-8-powerpc64le-di | 4.9.144-3.1 | ppc64el usb-storage-modules-4.9.0-8-powerpc64le-di | 4.9.144-3.1 | ppc64el virtio-modules-4.9.0-8-powerpc64le-di | 4.9.144-3.1 | ppc64el xfs-modules-4.9.0-8-powerpc64le-di | 4.9.144-3.1 | ppc64el ------------------- Reason ------------------- [auto-cruft] NBS (no longer built by linux) ---------------------------------------------- ========================================================================= ========================================================================= [Date: Sat, 27 Apr 2019 08:44:40 +0000] [ftpmaster: Archive Administrator] Removed the following packages from stable: uinput-modules-4.9.0-8-marvell-di | 4.9.144-3.1 | armel usb-modules-4.9.0-8-marvell-di | 4.9.144-3.1 | armel ------------------- Reason ------------------- [auto-cruft] NBS (no longer built by linux) ---------------------------------------------- ========================================================================= ========================================================================= [Date: Sat, 27 Apr 2019 08:44:51 +0000] [ftpmaster: Archive Administrator] Removed the following packages from stable: minix-modules-4.9.0-8-loongson-3-di | 4.9.144-3.1 | mips64el, mipsel multipath-modules-4.9.0-8-loongson-3-di | 4.9.144-3.1 | mips64el, mipsel ------------------- Reason ------------------- [auto-cruft] NBS (no longer built by linux) ---------------------------------------------- ========================================================================= ========================================================================= [Date: Sat, 27 Apr 2019 08:47:33 +0000] [ftpmaster: Archive Administrator] Removed the following packages from stable: linux-headers-4.9.0-8-common | 4.9.144-3.1 | all linux-headers-4.9.0-8-common-rt | 4.9.144-3.1 | all ------------------- Reason ------------------- [auto-cruft] NBS (no longer built by linux) ---------------------------------------------- ========================================================================= ========================================================================= [Date: Sat, 27 Apr 2019 08:49:07 +0000] [ftpmaster: Archive Administrator] Removed the following packages from stable: icedtea-plugin | 1.6.2-3.1 | all ------------------- Reason ------------------- [auto-cruft] NBS (no longer built by icedtea-web) ---------------------------------------------- ========================================================================= ========================================================================= [Date: Sat, 27 Apr 2019 08:49:49 +0000] [ftpmaster: Archive Administrator] Removed the following packages from stable: linux-support-4.9.0-8 | 4.9.144-3.1 | all ------------------- Reason ------------------- [auto-cruft] NBS (no longer built by linux) ---------------------------------------------- ========================================================================= ========================================================================= [Date: Sat, 27 Apr 2019 08:56:57 +0000] [ftpmaster: Archive Administrator] Removed the following packages from stable: linux-doc-4.9 | 4.9.144-3.1 | all linux-manual-4.9 | 4.9.144-3.1 | all linux-source-4.9 | 4.9.144-3.1 | all ------------------- Reason ------------------- [auto-cruft] NBS (no longer built by linux) ---------------------------------------------- ========================================================================= ========================================================================= [Date: Sat, 27 Apr 2019 08:58:11 +0000] [ftpmaster: Archive Administrator] Removed the following packages from stable: java-common | 0.58 | all ------------------- Reason ------------------- [auto-cruft] NBS (no longer built by java-common) ---------------------------------------------- ========================================================================= ansible (2.2.1.0-2+deb9u1) stretch-security; urgency=high . * Add patch to fix CVE 2018-10855. * Add patch to fix CVE 2018-16837. * Add patch to fix CVE 2018-10875. * Add patch to fix CVE 2018-16876. * Add patch to fix CVE 2019-3828. apache2 (2.4.25-3+deb9u7) stretch-security; urgency=medium . [ Xavier Guimard ] * CVE-2018-17199: mode_session: Fix missing check for session expiry time. Closes: #920303 . [ Stefan Fritsch ] * mod_http2: Fix keepalive timeout behavior. This fixes a regression with Safari web browsers, introduced in 2.4.25-3+deb9u6. Closes: #915103 * Fix typo in apache2_switch_mpm() in apache2-maintscript-helper. Closes: #904150 * CVE-2018-17189: mod_http2: Fix DoS via slow, unneeded request bodies. Closes: #920302 * CVE-2019-0196: mod_http2: Fix read after free * CVE-2019-0211: All MPMs: privilege escalation from www-data user to root. * CVE-2019-0217: mod_auth_digest: Access control bypass * CVE-2019-0220: URL normalization inconsistincy. Consecutive slashes in URL's are now merged before use in LocationMatch and RewriteRule. The old behavior can be restored with the new directive "MergeSlashes off". audiofile (0.3.6-4+deb9u1) stretch; urgency=medium . * CVE-2018-13440 (Closes: #903499) * CVE-2018-17095 (Closes: #913166) base-files (9.9+deb9u9) stretch; urgency=medium . * Change /etc/debian_version to 9.9, for Debian 9.9 point release. bwa (0.7.15-2+deb9u1) stretch; urgency=medium . * Team upload * Add patch from upstream to fix CVE-2019-10269. (Closes: #926014) ca-certificates-java (20170929~deb9u3) stretch; urgency=medium . * Team upload. * Fix printf syntax problem introduced in 20170929~deb9u2 ca-certificates-java (20170929~deb9u2) stretch; urgency=medium . * Team upload. * Address bashisms in postinst and jks-keystore (Closes: #922720) cernlib (20061220+dfsg3-4.3+deb9u2) stretch; urgency=medium . * Update patch 304-update-Imake-config-files.dpatch to force -no-pie when linking Fortran executables (workaround for #863152 being in the way of the previous fix) cernlib (20061220+dfsg3-4.3+deb9u1) stretch; urgency=medium . * Backport for stretch of the fix for #922453 bringed by 20061220+dfsg3-4.4 * 126-fix-patchy-compile-flags.dpatch 304-update-Imake-config-files.dpatch: fix these patches to apply optimization flag -O to fortran modules instead of -O2 which generates broken code (closes: #922453; thanks to Jacek M. Holeczek ) choose-mirror (2.79+deb9u1) stretch; urgency=medium . [ Cyril Brulebois ] * Update MIRRORLISTURL to point to salsa. . [ Julien Cristau ] * Update Mirrors.masterlist. chrony (3.0-4+deb9u2) stretch; urgency=medium . * debian/patches/*: - Add allow-_llseek-in-seccomp-filter.patch. Needed on various 32-bit plateforms to log the {raw}measurements and statistics information when the seccomp filter is enabled. Thanks a lot to Francesco Poli (wintermute) for the report. (Closes: #923137) - Add allow-waitpid-in-seccomp-filter.patch. Needed to correctly stop chronyd on some plateforms when the seccomp filter is enabled. ckermit (302-5.3+deb9u1) stretch; urgency=medium . * Non-maintainer upload. * Drop check openssl compile time version vs runtime version (Closes: #917485). clamav (0.100.3+dfsg-0+deb9u1) stretch; urgency=medium . * New upstream security release - Fixes for the following vulnerabilities: - [CVE-2019-1787]: An out-of-bounds heap read condition may occur when scanning PDF documents. The defect is a failure to correctly keep track of the number of bytes remaining in a buffer when indexing file data. - [CVE-2019-1789]: An out-of-bounds heap read condition may occur when scanning PE files (i.e. Windows EXE and DLL files) that have been packed using Aspack as a result of inadequate bound-checking. - [CVE-2019-1788]: An out-of-bounds heap write condition may occur when scanning OLE2 files such as Microsoft Office 97-2003 documents. The invalid write happens when an invalid pointer is mistakenly used to initialize a 32bit integer to zero. This is likely to crash the application. * Update debian/copyright * Update private symbols for new upstream release clamav (0.100.2+dfsg-2) unstable; urgency=medium . * Increase clamd socket command read timeout to 30 seconds (Closes: #915098) clamav (0.100.2+dfsg-1) unstable; urgency=medium . * Import new upstream - Bump symbol version due to new version. - CVE-2018-15378 (Closes: #910430). * add NEWS.md and README.md from upstream * Fix infinite loop in dpkg-reconfigure, Patch by Santiago Ruano Rincón (Closes: #905044). coturn (4.5.0.5-1+deb9u1) stretch-security; urgency=high . * HotFix: for 3 vulnerabilities . For more details see: - CVE-2018-4056 coTURN Administrator Web Portal SQL injection vulnerability . Fix: Disable (hardcocded) web admin interface until 4.5.1.0, where it will be fixed more correctly. . - CVE-2018-4058 coTURN TURN server unsafe loopback forwarding default configuration vulnerability . Fix: Disable loopback-peer functionality by default. . - CVE-2018-4059 coTURN server unsafe telnet admin portal default configuration vulnerability . Fix: Disable telnet cli if the cli-password is empty. dansguardian (2.10.1.1-5.1+deb9u1) stretch; urgency=medium . * Non-maintainer upload. * Add 'missingok' to logrotate config. (Closes: #916566) debian-installer (20170615+deb9u6) stretch; urgency=medium . * Bump Linux kernel version from 4.9.0-8 to 4.9.0-9. debian-installer-netboot-images (20170615+deb9u6) stretch; urgency=medium . * Update to 20170615+deb9u6 images, from stretch-proposed-update debian-security-support (2019.02.02~deb9u1) stretch; urgency=medium . * Team upload. * Rebuild for stretch. * Re-add debian/compat and depend on debhelper instead of debhelper-compat. debian-security-support (2019.02.01) unstable; urgency=medium . * Team upload. * mark enigmail as unsupported in jessie diffoscope (78+deb9u1) stretch; urgency=medium . * tests: + Fix ps tests to pass with the new ghostscript 9.26. Closes: #925051 dns-root-data (2019031302~deb9u1) stretch; urgency=medium . * Rebuild for stretch. * d/control: move Vcs-* to salsa.debian.org * d/control: use dns-root-data@packages.debian.org as Maintainer * sort generated .ds files by key tag * Update root.hints to 2018013001 * Update order of root.key to follow output of unbound-anchor * use DEP-14 branches * update root data to 2019031302 * parse-root-anchors.sh: account for validity windows * check: deliberately skip the TTL generated by ldns-key2ds * add myself to uploaders dns-root-data (2018091102) unstable; urgency=medium . * new upstream version of root.hints, 2018091102 * use DEP-14 branches * Standards-Version: 4.2.1 (no changes needed) * add Rules-Requires-Root: no * add baseline autopkgtest dns-root-data (2018013001) unstable; urgency=medium . * new upstream version of root.hints, 2018013001 * use wrap-and-sort -ast * added myself to uploaders * d/control: use dns-root-data@packages.debian.org as Maintainer * Standards-Version: bump to 4.1.3 (no changes needed) * d/control: move Vcs-* to salsa.debian.org * move to debhelper 11 * d/rules: clean up get_orig_source * sort generated .ds files by key tag * d/rules: trim trailing whitespace * d/copyright: Format: use https * d/copyright: add my own copyright to debian/* * d/copyright: name upstream data grant "ICANN-Public" * d/copyright: Source: use https: * update README.source to cover the different origins of the data * Update order of root.key to follow output of unbound-anchor dns-root-data (2017072601) unstable; urgency=medium . * Update root.hints to 2017072601 version dnsruby (1.54-2+deb9u1) stretch; urgency=medium . * Non-maintainer upload. * add new root key (KSK-2017). upstream commit 55edc31a2150e4617edb6664d440e6141f535e6a (Closes: #908887) * ruby 2.3.0 deprecates TimeoutError, use Timeout::Error (Closes: #910754) dovecot (1:2.2.27-3+deb9u4) stretch-security; urgency=high . * [d402493] Fix two buffer overflows when reading oversized FTS headers and/or oversized POP3-UIDL headers (CVE-2019-7524). dovecot (1:2.2.27-3+deb9u3) stretch-security; urgency=high . * [1fb4e06] Fix CVE-2019-3814: TLS client auth username handling dpdk (16.11.9-1+deb9u1) stretch; urgency=medium . * Merge stable update to 16.11.9; For a list of changes see https://mails.dpdk.org/archives/announce/2019-March/000252.html drupal7 (7.52-2+deb9u8) stretch-security; urgency=high . * SA-CORE-2019-006: Fix XSS vulnerability (Closes: #927330) drupal7 (7.52-2+deb9u7) stretch-security; urgency=high . * SA-CORE-2019-004: Fix XSS vulnerability edk2 (0~20161202.7bbe0b3e-1+deb9u1) stretch; urgency=medium . * Security fixes (Closes: #924615): - Fix buffer overflow in BlockIo service (CVE-2018-12180) - DNS: Check received packet size before using (CVE-2018-12178) - Fix stack overflow with corrupted BMP (CVE-2018-12181) firefox-esr (60.6.1esr-1~deb9u1) stretch-security; urgency=medium . * New upstream release. * Fixes for mfsa2019-10, also known as: CVE-2019-9810, CVE-2019-9813. firefox-esr (60.6.0esr-1) unstable; urgency=medium . * New upstream release. * Fixes for mfsa2019-08, also known as: CVE-2019-9790, CVE-2019-9791, CVE-2019-9792, CVE-2019-9793, CVE-2019-9795, CVE-2019-9796, CVE-2018-18506, CVE-2019-9788. . * debian/rules: Disable debug symbols on mips/mipsel on buster. The rust compiler can't deal with them in the available address space. * debian/browser.mozconfig.in: Adjust to the upstream change wrt Google API key configure options. firefox-esr (60.6.0esr-1~deb9u1) stretch-security; urgency=medium . * New upstream release. * Fixes for mfsa2019-08, also known as: CVE-2019-9790, CVE-2019-9791, CVE-2019-9792, CVE-2019-9793, CVE-2019-9795, CVE-2019-9796, CVE-2018-18506, CVE-2019-9788. . * debian/rules: Disable debug symbols on mips/mipsel on buster. The rust compiler can't deal with them in the available address space. * debian/browser.mozconfig.in: Adjust to the upstream change wrt Google API key configure options. firefox-esr (60.5.1esr-1) unstable; urgency=medium . * New upstream release. * Fixes for mfsa2019-05, also known as: CVE-2018-18356, CVE-2019-5785. . * debian/rules, debian/upstream.mk: Manually set the update channel. Closes: #921381, #921121, #921654. * debian/rules: Disable ion JIT on mips and mipsel. This should fix the FTBFS. firefox-esr (60.5.1esr-1~deb9u1) stretch-security; urgency=medium . * New upstream release. * Fixes for mfsa2019-05, also known as: CVE-2018-18356, CVE-2019-5785. . * debian/rules, debian/upstream.mk: Manually set the update channel. Closes: #921381, #921121, #921654. * debian/rules: Disable ion JIT on mips and mipsel. This should fix the FTBFS. firefox-esr (60.5.0esr-1) unstable; urgency=medium . * New upstream release. * Fixes for mfsa2019-02, also known as: CVE-2018-18500, CVE-2018-18505, CVE-2018-18501. firmware-nonfree (20161130-5) stretch; urgency=medium . [ Emilio Pozuelo Monfort ] * CVE-2018-5383: - atheros: Update BT firmware files for QCA ROME chip. - iwlwifi: Update Intel BT firmware to 20.60.0.2. flatpak (0.8.9-0+deb9u3) stretch; urgency=medium . * d/p/run-Only-compare-the-lowest-32-ioctl-arg-bits-for-TIOCSTI.patch: Reject all ioctls that the kernel will interpret as TIOCSTI, including those where the high 32 bits in a 64-bit word are nonzero. (Closes: #925541, CVE-2019-10063) flatpak (0.8.9-0+deb9u2) stretch-security; urgency=medium . * d/p/Don-t-expose-proc-when-running-apply_extra.patch: Backport patch from upstream v1.2.3: do not let the apply_extra script for a system installation modify the host-side executable via /proc/self/exe, similar to CVE-2019-5736 in runc (Closes: #922059) ghostscript (9.26a~dfsg-0+deb9u2) stretch-security; urgency=high . * Non-maintainer upload by the Security Team. * Have gs_cet.ps run from gs_init.ps * Undef /odef in gs_init.ps * Restrict superexec and remove it from internals and gs_cet.ps (CVE-2019-3835) (Closes: #925256) * Obliterate "superexec". We don't need it, nor do any known apps (CVE-2019-3835) (Closes: #925256) * Make a transient proc executeonly (in DefineResource) (CVE-2019-3838) (Closes: #925257) * an extra transient proc needs executeonly'ed (CVE-2019-3838) (Closes: #925257) gnome-chemistry-utils (0.14.15-1+deb9u1) stretch; urgency=medium . [ Andreas Beckmann ] * Non-maintainer upload. . [ Adrian Bunk ] * Drop the obsolete gcu-plugin. (Closes: #906855, #890980) gocode (20150303-3+deb9u1) stretch; urgency=medium . * Non-maintainer upload. * gocode-auto-complete-el: Promote auto-complete-el to Pre-Depends. (Closes: #911590) gpac (0.5.2-426-gc5ad4e4+dfsg5-3+deb9u1) stretch; urgency=medium . * CVE-2018-7752 (Closes: #892526) * CVE-2018-13005, CVE-2018-13006 (Closes: #902782) * CVE-2018-20760, CVE-2018-20761, CVE-2018-20762, CVE-2018-20763 (Closes: #921969) icedtea-web (1.6.2-3.1+deb9u1) stretch; urgency=medium . * Stop building the browser plugin, no longer works with Firefox 60 igraph (0.7.1-2.1+deb9u1) stretch; urgency=medium . * Team upload. * Add patch from upstream to fix CVE-2018-20349. (Closes: #917211) ikiwiki (3.20170111.1) stretch-security; urgency=high . * aggregate: Use LWPx::ParanoidAgent if available. Previously blogspam, openid and pinger used this module if available, but aggregate did not. This prevents server-side request forgery or local file disclosure, and mitigates denial of service when slow "tarpit" URLs are accessed. (CVE-2019-9187) * blogspam, openid, pinger: Use a HTTP proxy if configured, even if LWPx::ParanoidAgent is installed. Previously, only aggregate would obey proxy configuration. If a proxy is used, the proxy (not ikiwiki) is responsible for preventing attacks like CVE-2019-9187. * aggregate, blogspam, openid, pinger: Do not access non-http, non-https URLs. Previously, these plugins would have allowed non-HTTP-based requests if LWPx::ParanoidAgent was not installed. Preventing file URIs avoids local file disclosure, and preventing other rarely-used URI schemes like gopher mitigates request forgery attacks. * aggregate, openid, pinger: Document LWPx::ParanoidAgent as strongly recommended. These plugins can request attacker-controlled URLs in some site configurations. * blogspam: Document LWPx::ParanoidAgent as desirable. This plugin doesn't request attacker-controlled URLs, so it's non-critical here. * blogspam, openid, pinger: Consistently use cookiejar if configured. Previously, these plugins would only obey this configuration if LWPx::ParanoidAgent was not installed, but this appears to have been unintended. jabref (3.8.1+ds-3+deb9u1) stretch; urgency=medium . [ gregor herrmann & tony mancill ] * Add patch from upstream commit to fix CVE-2018-1000652: XML External Entity attack. Thanks to Moritz Muehlenhoff for the bug report. (Closes: #921772) java-common (0.58+deb9u1) stretch; urgency=medium . * Remove default-java-plugin as the icedtea-web Xul plugin is going away * Also drop the Recommends: to default-java-plugin in default-jre jquery (3.1.1-2+deb9u1) stretch; urgency=medium . * Team upload * Add patch to prevent Object.prototype pollution (Closes: #927385, CVE-2019-11358) * Disable check-against-upstream-build test (autopkgtest) since file is now patched kauth (5.28.0-2+deb9u1) stretch; urgency=medium . * CVE-2019-7443 (Closes: #921995) ldb (2:1.1.27-1+deb9u1) stretch-security; urgency=high . * Fixes CVE-2019-3824: "Out of bound read in ldb_wildcard_compare" - Add CVE-2019-3824-master-v4-5-02.patch from upstream's bug 13773 - Update path in CVE-2019-3824-master-v4-5-02.patch libapache2-mod-auth-mellon (0.12.0-2+deb9u1) stretch-security; urgency=high . * Upload to stable-security (closes: #925197) - Auth bypass when used with reverse proxy [CVE-2019-3878] - Open redirect vulnerability in logout [CVE-2019-3877] libdate-holidays-de-perl (1.9-1+deb9u3) stretch; urgency=medium . * Mark Mar 8th (from 2019) and May 8th (only 2020) as public holidays (Berlin only). libdatetime-timezone-perl (1:2.09-1+2019a) stretch; urgency=medium . * Update to Olson database version 2019a. This update contains contemporary changes for Palestine and Metlakatla. liblivemedia (2016.11.28-1+deb9u2) stretch-security; urgency=high . * Non-maintainer upload by the Security Team. * CVE-2019-6256: denial of service when processing get and post with identical x-session-cookie within the same tcp session. * CVE-2019-7314: use-after-free during RTSP stream termination. * CVE-2019-9215: malformed headers lead to invalid memory access in the parseAuthorizationHeader function. libreoffice (1:5.2.7-1+deb9u7) stretch; urgency=medium . * debian/patches/mention-java-common-package.diff: update message to reflect current config dir... * debian/patches/disableClassPathURLCheck.diff: revert openjdk is fixed . * debian/control.in: - make -core conflict against openjdk-8-jre-headless (= 8u181-b13-2~deb9u1) (closes: 913641#) and build-conflict against it libreoffice (1:5.2.7-1+deb9u6) stable; urgency=medium . * debian/patches/jp-JP-Reiwa.diff: Introduce next Japanese gengou era 'Reiwa', from libreoffice-6-1 branch libssh2 (1.7.0-1+deb9u1) stretch-security; urgency=high . * Non-maintainer upload by the Security Team. * Possible integer overflow in transport read allows out-of-bounds write (CVE-2019-3855) (Closes: #924965) * Possible integer overflow in keyboard interactive handling allows out-of-bounds write (CVE-2019-3856) (Closes: #924965) * Possible integer overflow leading to zero-byte allocation and out-of-bounds write (CVE-2019-3857) (Closes: #924965) * Possible zero-byte allocation leading to an out-of-bounds read (CVE-2019-3858) (Closes: #924965) * Out-of-bounds reads with specially crafted payloads due to unchecked use of _libssh2_packet_require and _libssh2_packet_requirev (CVE-2019-3859) (Closes: #924965) * Out-of-bounds reads with specially crafted SFTP packets (CVE-2019-3860) (Closes: #924965) * Out-of-bounds reads with specially crafted SSH packets (CVE-2019-3861) (Closes: #924965) * Out-of-bounds memory comparison (CVE-2019-3862) (Closes: #924965) * Integer overflow in user authenicate keyboard interactive allows out-of-bounds writes (CVE-2019-3863) (Closes: #924965) * Fixed misapplied patch for user auth. * moved MAX size declarations libu2f-host (1.1.2-2+deb9u1) stretch-security; urgency=high . * Backport patch for CVE-2018-20340 (Closes: #921725) linux (4.9.168-1) stretch; urgency=medium . * New upstream stable update: https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.162 - Revert "loop: Fix double mutex_unlock(&loop_ctl_mutex) in loop_control_ioctl()" - Revert "loop: Get rid of loop_index_mutex" - Revert "loop: Fold __loop_release into loop_release" - scsi: libsas: Fix rphy phy_identifier for PHYs with end devices attached - [arm64] drm/msm: Unblock writer if reader closes file - [x86] ASoC: Intel: Haswell/Broadwell: fix setting for .dynamic field - [x86] ALSA: compress: prevent potential divide by zero bugs - [x86] thermal: int340x_thermal: Fix a NULL vs IS_ERR() check - [arm64,armhf] usb: dwc3: gadget: synchronize_irq dwc irq in suspend - [arm64,armhf] usb: dwc3: gadget: Fix the uninitialized link_state when udc starts - usb: gadget: Potential NULL dereference on allocation error - ASoC: dapm: change snprintf to scnprintf for possible overflow - [armhf] ASoC: imx-audmux: change snprintf to scnprintf for possible overflow - [x86] drivers: thermal: int340x_thermal: Fix sysfs race condition - mac80211: fix miscounting of ttl-dropped frames - locking/rwsem: Fix (possible) missed wakeup - direct-io: allow direct writes to empty inodes - scsi: csiostor: fix NULL pointer dereference in csio_vport_set_state() - net: usb: asix: ax88772_bind return error when hw_reset fail - [ppc64el] ibmveth: Do not process frames after calling napi_reschedule - mac80211: don't initiate TDLS connection if station is not associated to AP - mac80211: Add attribute aligned(2) to struct 'action' - cfg80211: extend range deviation for DMG - [x86] svm: Fix AVIC incomplete IPI emulation - [x86] KVM: nSVM: clear events pending from svm_complete_interrupts() when exiting to L1 - [powerpc*] Always initialize input array when calling epapr_hypercall() - [arm64] mmc: spi: Fix card detection during probe - mm: enforce min addr even if capable() in expand_downwards() (CVE-2019-9213) - [x86] uaccess: Don't leak the AC flag into __put_user() value evaluation https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.163 - USB: serial: option: add Telit ME910 ECM composition - USB: serial: cp210x: add ID for Ingenico 3070 - USB: serial: ftdi_sio: add ID for Hjelmslund Electronics USB485 - cpufreq: Use struct kobj_attribute instead of struct global_attr - ncpfs: fix build warning of strncpy - [x86] staging: comedi: ni_660x: fix missing break in switch statement - ip6mr: Do not call __IP6_INC_STATS() from preemptible context - net-sysfs: Fix mem leak in netdev_register_kobject - sky2: Disable MSI on Dell Inspiron 1545 and Gateway P-79 - team: Free BPF filter when unregistering netdev - bnxt_en: Drop oversize TX packets to prevent errors. - [x86] hv_netvsc: Fix IP header checksum for coalesced packets - [armhf] net: dsa: mv88e6xxx: Fix u64 statistics - net: netem: fix skb length BUG_ON in __skb_to_sgvec - net: nfc: Fix NULL dereference on nfc_llcp_build_tlv fails - net: sit: fix memory leak in sit_init_net() - xen-netback: don't populate the hash cache on XenBus disconnect - xen-netback: fix occasional leak of grant ref mappings under memory pressure - net: Add __icmp_send helper. - tun: fix blocking read - tun: remove unnecessary memory barrier - net: phy: Micrel KSZ8061: link failure after cable connect - [x86] CPU/AMD: Set the CPB bit unconditionally on F17h - applicom: Fix potential Spectre v1 vulnerabilities - [mips*] irq: Allocate accurate order pages for irq stack - hugetlbfs: fix races and page leaks during migration - exec: Fix mem leak in kernel_read_file (CVE-2019-8980) - media: uvcvideo: Fix 'type' check leading to overflow - vti4: Fix a ipip packet processing bug in 'IPCOMP' virtual tunnel - perf core: Fix perf_proc_update_handler() bug - perf tools: Handle TOPOLOGY headers with no CPU - IB/{hfi1, qib}: Fix WC.byte_len calculation for UD_SEND_WITH_IMM - [amd64] iommu/amd: Call free_iova_fast with pfn in map_sg - [amd64] iommu/amd: Unmap all mapped pages in error path of map_sg - ipvs: Fix signed integer overflow when setsockopt timeout - [amd64] iommu/amd: Fix IOMMU page flush when detach device from a domain - [arm64] net: hns: Fix for missing of_node_put() after of_parse_phandle() - [arm64] net: hns: Fix wrong read accesses via Clause 45 MDIO protocol - [armhf] net: stmmac: dwmac-rk: fix error handling in rk_gmac_powerup() - nfs: Fix NULL pointer dereference of dev_name - qed: Fix VF probe failure while FLR - scsi: libfc: free skb when receiving invalid flogi resp - [x86] platform: Fix unmet dependency warning for SAMSUNG_Q10 - cifs: fix computation for MAX_SMB2_HDR_SIZE - [arm64] kprobe: Always blacklist the KVM world-switch code - [x86] kexec: Don't setup EFI info if EFI runtime is not enabled - mm, memory_hotplug: is_mem_section_removable do not pass the end of a zone - mm, memory_hotplug: test_pages_in_a_zone do not pass the end of zone - fs/drop_caches.c: avoid softlockups in drop_pagecache_sb() - autofs: drop dentry reference only when it is never used - autofs: fix error return in autofs_fill_super() - vsock/virtio: fix kernel panic after device hot-unplug - vsock/virtio: reset connected sockets on device removal - netfilter: nf_nat: skip nat clash resolution for same-origin entries - [s390x] qeth: fix use-after-free in error path - perf symbols: Filter out hidden symbols from labels - [mips*] Remove function size check in get_frame_info() - fs: ratelimit __find_get_block_slow() failure message. - Input: wacom_serial4 - add support for Wacom ArtPad II tablet - Input: elan_i2c - add id for touchpad found in Lenovo s21e-20 - [x86] iscsi_ibft: Fix missing break in switch statement - scsi: aacraid: Fix missing break in switch statement - futex,rt_mutex: Restructure rt_mutex_finish_proxy_lock() - [armhf] dts: exynos: Fix pinctrl definition for eMMC RTSN line on Odroid X2/U3 - drm: disable uncached DMA optimization for ARM and arm64 - [armhf] dts: exynos: Do not ignore real-world fuse values for thermal zone 0 on Exynos5420 - [x86] perf/x86/intel: Make cpuc allocations consistent - [x86] perf/x86/intel: Generalize dynamic constraint creation - [x86] Add TSX Force Abort CPUID/MSR https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.164 - ACPICA: Reference Counts: increase max to 0x4000 for large servers - KEYS: restrict /proc/keys by credentials at open time - l2tp: fix infoleak in l2tp_ip6_recvmsg() - net: sit: fix UBSAN Undefined behaviour in check_6rd - pptp: dst_release sk_dst_cache in pptp_sock_destruct - route: set the deleted fnhe fnhe_daddr to 0 in ip_del_fnhe to fix a race - tcp: handle inet_csk_reqsk_queue_add() failures - vxlan: test dev->flags & IFF_UP before calling gro_cells_receive() - net/mlx4_core: Fix reset flow when in command polling mode - net/mlx4_core: Fix locking in SRIOV mode when switching between events and polling - net/mlx4_core: Fix qp mtt size calculation - mdio_bus: Fix use-after-free on device_register fails - net: Set rtm_table to RT_TABLE_COMPAT for ipv6 for tables > 255 - af_unix: missing barriers in some of unix_sock ->addr and ->path accesses - ipvlan: disallow userns cap_net_admin to change global mode/flags - vxlan: Fix GRO cells race condition between receive and link delete - rxrpc: Fix client call queueing, waiting for channel - gro_cells: make sure device is up in gro_cells_receive() - tcp/dccp: remove reqsk_put() from inet_child_forget() - [x86] perf: Fixup typo in stub functions - ALSA: bebob: use more identical mod_alias for Saffire Pro 10 I/O against Liquid Saffire 56 - md: It's wrong to add len to sector_nr in raid10 reshape twice - of: Support const and non-const use for to_of_node() - vhost/vsock: fix vhost vsock cid hashing inconsistent https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.165 - media: videobuf2-v4l2: drop WARN_ON in vb2_warn_zero_bytesused() - 9p: use inode->i_lock to protect i_size_write() under 32-bit - 9p/net: fix memory leak in p9_client_create - [armhf] iio: adc: exynos-adc: Fix NULL pointer exception on unbind - crypto: ahash - fix another early termination in hash walk - [armhf] gpu: ipu-v3: Fix i.MX51 CSI control registers offset - [armhf] gpu: ipu-v3: Fix CSI offsets for imx53 - [s390x] dasd: fix using offset into zero size array error - [armhf] OMAP2+: Variable "reg" in function omap4_dsi_mux_pads() could be uninitialized - floppy: check_events callback should not return a negative number - mm/gup: fix gup_pmd_range() for dax - mm: page_alloc: fix ref bias in page_frag_alloc() for 1-byte allocs - [arm64] net: hns: Fix object reference leaks in hns_dsaf_roce_reset() - [armhf] clk: sunxi: A31: Fix wrong AHB gate number - assoc_array: Fix shortcut creation - scsi: libiscsi: Fix race between iscsi_xmit_task and iscsi_complete_task - [arm64] pinctrl: meson: meson8b: fix the sdxc_a data 1..3 pins - qmi_wwan: apply SET_DTR quirk to Sierra WP7607 - [armel] net: mv643xx_eth: disable clk on error path in mv643xx_eth_shared_probe() - [x86] ASoC: topology: free created components in tplg load error - [arm64] Relax GIC version check during early boot - [armhf] net: marvell: mvneta: fix DMA debug warning - tmpfs: fix link accounting when a tmpfile is linked in - mac80211_hwsim: propagate genlmsg_reply return code - [arm64] net: thunderx: make CFG_DONE message to run through generic send-ack sequence - nfp: bpf: fix code-gen bug on BPF_ALU | BPF_XOR | BPF_K - nfp: bpf: fix ALU32 high bits clearance bug - net: set static variable an initial value in atl2_probe() - tmpfs: fix uninitialized return value in shmem_link - [x86] libnvdimm/label: Clear 'updating' flag after label-set update - [x86] libnvdimm/pmem: Honor force_raw for legacy pmem regions - [amd64] libnvdimm: Fix altmap reservation size calculation - crypto: hash - set CRYPTO_TFM_NEED_KEY if ->setkey() fails - [arm64] crypto: aes-ccm - fix logical bug in AAD MAC handling - CIFS: Do not reset lease state to NONE on lease break - CIFS: Fix read after write for files with read caching - tracing: Do not free iter->trace in fail path of tracing_open_pipe() - [amd64,arm64,i386] ACPI / device_sysfs: Avoid OF modalias creation for removed device - [armhf] spi: ti-qspi: Fix mmap read when more than one CS in use - [armhf] regulator: s2mps11: Fix steps for buck7, buck8 and LDO35 - [armhf] regulator: s2mpa01: Fix step values for some LDOs - [armhf] clocksource/drivers/exynos_mct: Move one-shot check from tick clear to ISR - [armhf] clocksource/drivers/exynos_mct: Clear timer interrupt when shutdown - [s390x] virtio: handle find on invalid queue gracefully - scsi: virtio_scsi: don't send sc payload with tmfs - scsi: sd: Optimal I/O size should be a multiple of physical block size - scsi: target/iscsi: Avoid iscsit_release_commands_from_conn() deadlock - fs/devpts: always delete dcache dentry-s in dput() - splice: don't merge into linked buffers - btrfs: ensure that a DUP or RAID1 block group has exactly two stripes - crypto: pcbc - remove bogus memcpy()s with src == dest - libertas_tf: don't set URB_ZERO_PACKET on IN USB transfer - [arm64,armhf] cpufreq: tegra124: add missing of_node_put() - ext4: fix crash during online resizing - [armhf] clk: clk-twl6040: Fix imprecise external abort for pdmclk - [x86] nfit: acpi_nfit_ctl(): Check out_obj->type in the right place - mm: hwpoison: fix thp split handing in soft_offline_in_use_page() (CVE-2019-10124) - mm/vmalloc: fix size check for remap_vmalloc_range_partial() - kernel/sysctl.c: add missing range check in do_proc_dointvec_minmax_conv - device property: Fix the length used in PROPERTY_ENTRY_STRING() - [x86] intel_th: Don't reference unassigned outputs - parport_pc: fix find_superio io compare code, should use equal test. - [arm64,armhf] i2c: tegra: fix maximum transfer size - [x86] drm/i915: Relax mmap VMA check - [arm64] serial: uartps: Fix stuck ISR if RX disabled with non-empty FIFO - serial: 8250_of: assume reg-shift of 2 for mrvl,mmp-uart - 8250: FIX Fourth port offset of Pericom PI7C9X7954 boards - serial: 8250_pci: Fix number of ports for ACCES serial cards - serial: 8250_pci: Have ACCES cards that use the four port Pericom PI7C9X7954 chip use the pci_pericom_setup() - jbd2: clear dirty flag when revoking a buffer from an older transaction - jbd2: fix compile warning when using JBUFFER_TRACE - [powerpc] Clear on-stack exception marker upon exception return - [ppc64el] powernv: Make opal log only readable by root - [ppc64el] Fix 32-bit KVM-PR lockup and host crash with MacOS guest - [ppc64el] ptrace: Simplify vr_get/set() to avoid GCC warning - dm: fix to_sector() for 32bit - NFS: Fix I/O request leakages - NFS: Fix an I/O request leakage in nfs_do_recoalesce - NFS: Don't recoalesce on error in nfs_pageio_complete_mirror() - nfsd: fix memory corruption caused by readdir - nfsd: fix wrong check in write_v4_end_grace() - PM / wakeup: Rework wakeup source timer cancellation - bcache: never writeback a discard operation - [x86] perf intel-pt: Fix CYC timestamp calculation after OVF - perf auxtrace: Define auxtrace record alignment - [x86] perf intel-pt: Fix overlap calculation for padding - [x86] perf intel-pt: Fix divide by zero when TSC is not available - md: Fix failed allocation of md_register_thread - rcu: Do RCU GP kthread self-wakeup from softirq and interrupt - media: uvcvideo: Avoid NULL pointer dereference at the end of streaming - drm/radeon/evergreen_cs: fix missing break in switch statement - [x86] KVM: nVMX: Sign extend displacements of VMX instr's mem operands - [x86] KVM: nVMX: Ignore limit checks on VMX instructions using flat segments - [x86] KVM: Fix residual mmio emulation request to userspace https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.166 - [x86] drm/vmwgfx: Don't double-free the mode stored in par->set_mode - [amd64] iommu/amd: fix sg->dma_address for sg->offset bigger than PAGE_SIZE - libceph: wait for latest osdmap in ceph_monc_blacklist_add() - udf: Fix crash on IO error during truncate - [mips*] Ensure ELF appended dtb is relocated - [mips*] Fix kernel crash for R6 in jump label branch function - futex: Ensure that futex address is aligned in handle_futex_death() - objtool: Move objtool_file struct off the stack - ext4: fix NULL pointer dereference while journal is aborted - ext4: fix data corruption caused by unaligned direct AIO - ext4: brelse all indirect buffer in ext4_ind_remove_space() - media: v4l2-ctrls.c/uvc: zero v4l2_event - Bluetooth: Fix decrementing reference count twice in releasing socket - ALSA: hda - Record the current power state before suspend/resume calls - ALSA: hda - Enforces runtime_resume after S3 and S4 for each codec - tcp/dccp: drop SYN packets if accept queue is full - vfs: Hang/soft lockup in d_invalidate with simultaneous calls - [arm64] traps: disable irq in die() - lib/int_sqrt: optimize small argument - scsi: ufs: fix wrong command type of UTRD for UFSHCI v2.1 - rtc: Fix overflow when converting time64_t to rtc_time - [armhf] pwm-backlight: Enable/disable the PWM before/after LCD enable toggle. - ath10k: avoid possible string overflow https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.167 - Bluetooth: Check L2CAP option sizes returned from l2cap_get_conf_opt (CVE-2019-3460) - Bluetooth: Verify that l2cap_get_conf_opt provides large enough buffer (CVE-2019-3459) - cfg80211: size various nl80211 messages correctly - [arm64,armhf] stmmac: copy unicast mac address to MAC registers - dccp: do not use ipv6 header for ipv4 flow - mISDN: hfcpci: Test both vendor & device ID for Digium HFC4S - net/packet: Set __GFP_NOWARN upon allocation in alloc_pg_vec - net: rose: fix a possible stack overflow - packets: Always register packet sk in the same order - tcp: do not use ipv6 header for ipv4 flow - vxlan: Don't call gro_cells_destroy() before device is unregistered - sctp: get sctphdr by offset in sctp_compute_cksum - tun: properly test for IFF_UP - tun: add a missing rcu_read_unlock() in error path - btrfs: remove WARN_ON in log_dir_items - btrfs: raid56: properly unmap parity page in finish_parity_scrub() - [powerpc*] bpf: Fix generation of load/store DW instructions - NFSv4.1 don't free interrupted slot on open - ALSA: rawmidi: Fix potential Spectre v1 vulnerability - ALSA: pcm: Fix possible OOB access in PCM oss plugins - ALSA: pcm: Don't suspend stream in unrecoverable PCM state - fs/open.c: allow opening only regular files during execve() - scsi: sd: Fix a race between closing an sd device and sd I/O - scsi: sd: Quiesce warning if device does not report optimal I/O size - [s390x] scsi: zfcp: fix rport unblock if deleted SCSI devices on Scsi_Host - [s390x] scsi: zfcp: fix scsi_eh host reset with port_forced ERP for non-NPIV FCP devices - [x86] staging: comedi: ni_mio_common: Fix divide-by-zero for DIO cmdtest - USB: serial: cp210x: add new device id - USB: serial: ftdi_sio: add additional NovaTech products - USB: serial: mos7720: fix mos_parport refcount imbalance on error path - USB: serial: option: set driver_info for SIM5218 and compatibles - USB: serial: option: add Olicard 600 - fs/proc/proc_sysctl.c: fix NULL pointer dereference in put_links - usb: common: Consider only available nodes for dr_mode - [x86] perf intel-pt: Fix TSC slip - cpu/hotplug: Prevent crash when CPU bringup fails on CONFIG_HOTPLUG_CPU=n - KVM: Reject device ioctls from processes other than the VM's creator - [x86] KVM: Emulate MSR_IA32_ARCH_CAPABILITIES on AMD hosts - USB: gadget: f_hid: fix deadlock in f_hidg_write() - xhci: Fix port resume done detection for SS ports with LPM enabled - [arm64] support keyctl() system call in 32-bit mode https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.168 - [arm64] debug: Don't propagate UNKNOWN FAR into si_code for debug signals - ext4: cleanup bh release code in ext4_ind_remove_space() - lib/int_sqrt: optimize initial value compute - mm: mempolicy: make mbind() return -EIO when MPOL_MF_STRICT is specified - i2c: core-smbus: prevent stack corruption on read I2C_BLOCK_DATA - CIFS: fix POSIX lock leak and invalid ptr deref - tracing: kdb: Fix ftdump to not sleep - [armhf] gpio: gpio-omap: fix level interrupt idling - include/linux/relay.h: fix percpu annotation in struct rchan - sysctl: handle overflow for file-max - [arm64] scsi: hisi_sas: Set PHY linkrate when disconnected - [armhf,ppc64el] mm/cma.c: cma_declare_contiguous: correct err handling - mm/page_ext.c: fix an imbalance with kmemleak - mm/vmalloc.c: fix kernel BUG at mm/vmalloc.c:512! - mm/slab.c: kmemleak no scan alien caches - ocfs2: fix a panic problem caused by o2cb_ctl - fs/file.c: initialize init_files.resize_wait - cifs: use correct format characters - dm thin: add sanity checks to thin-pool and external snapshot creation - cifs: Fix NULL pointer dereference of devname - jbd2: fix invalid descriptor block checksum - fs: fix guard_bio_eod to check for real EOD errors - wil6210: check null pointer in _wil_cfg80211_merge_extra_ies - [arm64,armhf] usb: chipidea: Grab the (legacy) USB PHY by phandle first - scsi: core: replace GFP_ATOMIC with GFP_KERNEL in scsi_scan.c - [armel,armhf] 8840/1: use a raw_spinlock_t in unwind - [armhf] mmc: omap: fix the maximum timeout setting - e1000e: Fix -Wformat-truncation warnings - IB/mlx4: Increase the timeout for CM cache - scsi: megaraid_sas: return error when create DMA pool failed - [armhf] SoC: imx-sgtl5000: add missing put_device() - vfs: fix preadv64v2 and pwritev64v2 compat syscalls with offset == -1 - [amd64] HID: intel-ish-hid: avoid binding wrong ishtp_cl_device - [armhf] leds: lp55xx: fix null deref on firmware load failure - iwlwifi: pcie: fix emergency path - [x86] ACPI / video: Refactor and fix dmi_is_desktop() - kprobes: Prohibit probing on bsearch() - ALSA: PCM: check if ops are defined before suspending PCM - usb: f_fs: Avoid crash due to out-of-scope stack ptr access - bcache: fix input overflow to cache set sysfs file io_error_halflife - bcache: fix input overflow to sequential_cutoff - bcache: improve sysfs_strtoul_clamp() - genirq: Avoid summation loops for /proc/stat - iw_cxgb4: fix srqidx leak during connection abort - fbdev: fbmem: fix memory access if logo is bigger than the screen - cdrom: Fix race condition in cdrom_sysctl_register - e1000e: fix cyclic resets at link up with active tx - efi/memattr: Don't bail on zero VA if it equals the region's PA - [arm64] soc: qcom: gsbi: Fix error handling in gsbi_probe() - [armhf] avoid Cortex-A9 livelock on tight dmb loops - tty: increase the default flip buffer limit to 2*640K - [ppc64el] powerpc/pseries: Perform full re-add of CPU for topology update post-migration - hwrng: virtio - Avoid repeated init of completion - [arm64,armhf] soc/tegra: fuse: Fix illegal free of IO base address - [amd64] HID: intel-ish: ipc: handle PIMR before ish_wakeup also clear PISR busy_clear bit - [x86] hpet: Fix missing '=' character in the __setup() code of hpet_mmap_enable - [armhf] dmaengine: imx-dma: fix warning comparison of distinct pointer types - [arm64] dmaengine: qcom_hidma: assign channel cookie correctly - netfilter: physdev: relax br_netfilter dependency - [armhf] regulator: act8865: Fix act8600_sudcdc_voltage_ranges setting - drm/nouveau: Stop using drm_crtc_force_disable - selinux: do not override context on context mounts - [arm64,armhf] wlcore: Fix memory leak in case wl12xx_fetch_firmware failure - [arm64,armhf] dmaengine: tegra: avoid overflow of byte tracking - drm/dp/mst: Configure no_stop_bit correctly for remote i2c xfers - [x86] ACPI / video: Extend chassis-type detection with a "Lunch Box" check . [ Ben Hutchings ] * debian/bin/abiupdate.py: Change default URLs to use https: scheme. * Resolve kernel ABI changes: - Revert "genirq: Avoid summation loops for /proc/stat" - tracing: ring_buffer: Avoid ABI change in 4.9.168 - net: icmp: Avoid ABI change in 4.9.163 - Revert "phonet: fix building with clang" - netfilter: Ignore removal of br_netfilter_enable() . [ Salvatore Bonaccorso ] * Refresh mm-mmap.c-expand_downwards-don-t-require-the-gap-if-.patch for context changes in 4.9.162 * [rt] Refresh 0008-futex-rt_mutex-Provide-futex-specific-rt_mutex-API.patch for context changes in 4.9.163 * [rt] Drop 0014-futex-rt_mutex-Restructure-rt_mutex_finish_proxy_loc.patch applied upstream in 4.9.163 * [rt] Refresh 0171-arm-include-definition-for-cpumask_t.patch for context changes in 4.9.165 * [rt] Drop 0256-arm-unwind-use-a-raw_spin_lock.patch linux (4.9.161-1) stretch; urgency=medium . * New upstream stable update: https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.145 - [armhf] media: omap3isp: Unregister media device as first - [amd64] iommu/vt-d: Fix NULL pointer dereference in prq_event_thread() - brcmutil: really fix decoding channel info for 160 MHz bandwidth - HID: input: Ignore battery reported by Symbol DS4308 - batman-adv: Expand merged fragment buffer for full packet - bnx2x: Assign unique DMAE channel number for FW DMAE transactions. - qed: Fix PTT leak in qed_drain() - qed: Fix reading wrong value in loop condition - net/mlx4_core: Zero out lkey field in SW2HW_MPT fw command - net/mlx4_core: Fix uninitialized variable compilation warning - net/mlx4: Fix UBSAN warning of signed integer overflow - [amd64] iommu/vt-d: Use memunmap to free memremap - team: no need to do team_notify_peers or team_mcast_rejoin when disabling port - mm: don't warn about allocations which stall for too long - usb: quirk: add no-LPM quirk on SanDisk Ultra Flair device - usb: appledisplay: Add 27" Apple Cinema Display - USB: check usb_get_extra_descriptor for proper size (CVE-2018-20169) - ALSA: usb-audio: Fix UAF decrement if card has no live interfaces in card.c (CVE-2018-19824) - [x86] ALSA: hda: Add support for AMD Stoney Ridge - ALSA: pcm: Fix starvation on down_write_nonblock() - ALSA: pcm: Call snd_pcm_unlink() conditionally at closing - ALSA: pcm: Fix interval evaluation with openmin/max - [x86] ALSA: hda/realtek - Fix speaker output regression on Thinkpad T570 - [s390x] virtio: avoid race on vcdev->config - [s390x] virtio: fix race in ccw_io_helper() - SUNRPC: Fix leak of krb5p encode pages - [armhf] dmaengine: cppi41: delete channel from pending list when stop channel - xhci: Prevent U1/U2 link pm states if exit latency is too long - swiotlb: clean up reporting - vsock: lookup and setup guest_cid inside vhost_vsock_lock - vhost/vsock: fix use-after-free in network stack callers (CVE-2018-14625) - cifs: Fix separator when building path from dentry - staging: rtl8712: Fix possible buffer overrun - tty: do not set TTY_IO_ERROR flag if console port - mac80211_hwsim: Timer should be initialized before device registered - mac80211: Clear beacon_int in ieee80211_do_stop - mac80211: ignore tx status for PS stations in ieee80211_tx_status_ext - mac80211: fix reordering of buffered broadcast packets - mac80211: ignore NullFunc frames in the duplicate detection https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.146 - ipv6: Check available headroom in ip6_xmit() even without options - net: 8139cp: fix a BUG triggered by changing mtu with network traffic - net/mlx4_core: Correctly set PFC param if global pause is turned off. - net: phy: don't allow __set_phy_supported to add unsupported modes - net: Prevent invalid access to skb->prev in __qdisc_drop_all - rtnetlink: ndo_dflt_fdb_dump() only work for ARPHRD_ETHER devices - tcp: fix NULL ref in tail loss probe - tun: forbid iface creation with rtnl ops - neighbour: Avoid writing before skb->head in neigh_hh_output() - [armhf] OMAP2+: prm44xx: Fix section annotation on omap44xx_prm_enable_io_wakeup - sysv: return 'err' instead of 0 in __sysv_write_inode - [s390x] cpum_cf: Reject request for sampling in event initialization - [armhf] ASoC: omap-abe-twl6040: Fix missing audio card caused by deferred probing - ASoC: dapm: Recalculate audio map forcely when card instantiated - hwmon: (w83795) temp4_type has writable permission - objtool: Fix double-free in .cold detection error path - objtool: Fix segfault in .cold detection with -ffunction-sections - Btrfs: send, fix infinite loop due to directory rename dependencies - RDMA/mlx5: Fix fence type for IB_WR_LOCAL_INV WR - [armhf] ASoC: omap-mcpdm: Add pm_qos handling to avoid under/overruns with CPU_IDLE - [armhf] ASoC: omap-dmic: Add pm_qos handling to avoid overruns with CPU_IDLE - exportfs: do not read dentry after free - bpf: fix check of allowed specifiers in bpf_trace_printk - ipvs: call ip_vs_dst_notifier earlier than ipv6_dev_notf - [arm64] net: thunderx: fix NULL pointer dereference in nic_remove - cachefiles: Fix page leak in cachefiles_read_backing_file while vmscan is active - igb: fix uninitialized variables - ixgbe: recognize 1000BaseLX SFP modules as 1Gbps - [arm64] net: hisilicon: remove unexpected free_netdev - drm/ast: fixed reading monitor EDID not stable issue - fscache: fix race between enablement and dropping of object - ocfs2: fix deadlock caused by ocfs2_defrag_extent() - hfs: do not free node before using - hfsplus: do not free node before using - ocfs2: fix potential use after free - pstore: Convert console write to use ->write_buf - staging: speakup: Replace strncpy with memcpy https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.147 - signal: Introduce COMPAT_SIGMINSTKSZ for use in compat_sys_sigaltstack (Closes: #904385) - timer/debug: Change /proc/timer_list from 0444 to 0400 - [armhf] pinctrl: sunxi: a83t: Fix IRQ offset typo for PH11 - aio: fix spectre gadget in lookup_ioctx - [armhf] MMC: OMAP: fix broken MMC on OMAP15XX/OMAP5910/OMAP310 - [arm*] ARM: mmp/mmp2: fix cpu_is_mmp2() on mmp2-dt - tracing: Fix memory leak in set_trigger_filter() - tracing: Fix memory leak of instance function hash filters - [powerpc*] msi: Fix NULL pointer access in teardown code - Revert "drm/rockchip: Allow driver to be shutdown on reboot/kexec" - [x86] drm/i915/execlists: Apply a full mb before execution for Braswell - mac80211: don't WARN on bad WMM parameters from buggy APs - mac80211: Fix condition validating WMM IE - [amd64] IB/hfi1: Remove race conditions in user_sdma send path - [x86] locking: Remove smp_read_barrier_depends() from queued_spin_lock_slowpath() - [x86] locking/qspinlock: Ensure node is initialised before updating prev->next - [x86] locking/qspinlock: Bound spinning on pending->locked transition in slowpath - [x86] locking/qspinlock: Merge 'struct __qspinlock' into 'struct qspinlock' - [x86] locking/qspinlock: Remove unbounded cmpxchg() loop from locking slowpath - [x86] locking/qspinlock: Remove duplicate clear_pending() function from PV code - [x86] locking/qspinlock: Kill cmpxchg() loop when claiming lock from head of queue - [x86] locking/qspinlock: Re-order code - [x86] locking/qspinlock/x86: Increase _Q_PENDING_LOOPS upper bound - [x86] locking/qspinlock, x86: Provide liveness guarantee - [x86] locking/qspinlock: Fix build for anonymous union in older GCC compilers - mac80211_hwsim: fix module init error paths for netlink - scsi: libiscsi: Fix NULL pointer dereference in iscsi_eh_session_reset - [x86] scsi: vmw_pscsi: Rearrange code to avoid multiple calls to free_irq during unload - [x86] earlyprintk/efi: Fix infinite loop on some screen widths - [arm64] drm/msm: Grab a vblank reference when waiting for commit_done - bonding: fix 802.3ad state sent to partner when unbinding slave - nfs: don't dirty kernel pages read by direct-io - SUNRPC: Fix a potential race in xprt_connect() - [arm64] clk: mvebu: Off by one bugs in cp110_of_clk_get() - [armhf] Input: omap-keypad - fix keyboard debounce configuration - libata: whitelist all SAMSUNG MZ7KM* solid-state disks - [armhf] mv88e6060: disable hardware level MAC learning - net/mlx4_en: Fix build break when CONFIG_INET is off - bpf: check pending signals while verifying programs - [arm*] 8814/1: mm: improve/fix ARM v7_dma_inv_range() unaligned address handling - [arm*] 8815/1: V7M: align v7m_dma_inv_range() with v7 counterpart - drm/ast: Fix connector leak during driver unload - cifs: In Kconfig CONFIG_CIFS_POSIX needs depends on legacy (insecure cifs) - vhost/vsock: fix reset orphans race with close timeout - [x86] i2c: scmi: Fix probe error on devices with an empty SMB0001 ACPI device node - nvmet-rdma: fix response use after free - [armhf] rtc: snvs: add a missing write sync - [armhf] rtc: snvs: Add timeouts to avoid kernel lockups https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.148 - block: break discard submissions into the user defined size - block: fix infinite loop if the device loses discard capability - ib_srpt: Fix a use-after-free in __srpt_close_all_ch() - USB: hso: Fix OOB memory access in hso_probe/hso_get_config_data (CVE-2018-19985) - xhci: Don't prevent USB2 bus suspend in state check intended for USB3 only - USB: serial: option: add GosunCn ZTE WeLink ME3630 - USB: serial: option: add HP lt4132 - USB: serial: option: add Simcom SIM7500/SIM7600 (MBIM mode) - USB: serial: option: add Fibocom NL668 series - USB: serial: option: add Telit LN940 series - mmc: core: Reset HPI enabled state during re-init and in case of errors - mmc: core: Allow BKOPS and CACHE ctrl even if no HPI support - mmc: core: Use a minimum 1600ms timeout when enabling CACHE ctrl - [armhf] mmc: omap_hsmmc: fix DMA API warning - [x86] Drivers: hv: vmbus: Return -EINVAL for the sys files for unopened channels - [x86] mtrr: Don't copy uninitialized gentry fields back to userspace - [x86] fpu: Disable bottom halves while loading FPU registers - ubifs: Handle re-linking of inodes correctly while recovery - panic: avoid deadlocks in re-entrant console drivers - proc/sysctl: don't return ENOMEM on lookup when a table is unregistering - drm/ioctl: Fix Spectre v1 vulnerabilities https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.149 - ip6mr: Fix potential Spectre v1 vulnerability - ipv4: Fix potential Spectre v1 vulnerability - ax25: fix a use-after-free in ax25_fillin_cb() - [ppc64el] ibmveth: fix DMA unmap error in ibmveth_xmit_start error path - ieee802154: lowpan_header_create check must check daddr - ipv6: explicitly initialize udp6_addr in udp_sock_create6() - ipv6: tunnels: fix two use-after-free - isdn: fix kernel-infoleak in capi_unlocked_ioctl - net: ipv4: do not handle duplicate fragments as overlapping - net: phy: Fix the issue that netif always links up after resuming - netrom: fix locking in nr_find_socket() - packet: validate address length - packet: validate address length if non-zero - sctp: initialize sin6_flowinfo for ipv6 addrs in sctp_inet6addr_event - tipc: fix a double kfree_skb() - vhost: make sure used idx is seen before log in vhost_add_used_n() - [x86] VSOCK: Send reset control packet when socket is partially bound - xen/netfront: tolerate frags with no data - tipc: use lock_sock() in tipc_sk_reinit() - tipc: compare remote and local protocols in tipc_udp_enable() - gro_cell: add napi_disable in gro_cells_destroy - net/mlx5e: Remove the false indication of software timestamping support - net/mlx5: Typo fix in del_sw_hw_rule - sock: Make sock->sk_stamp thread-safe - ptr_ring: wrap back ->producer in __ptr_ring_swap_queue() - ALSA: rme9652: Fix potential Spectre v1 vulnerability - ALSA: emu10k1: Fix potential Spectre v1 vulnerabilities - ALSA: pcm: Fix potential Spectre v1 vulnerability - ALSA: emux: Fix potential Spectre v1 vulnerabilities - ALSA: hda: add mute LED support for HP EliteBook 840 G4 - [arm64,armhf] ALSA: hda/tegra: clear pending irq handlers - USB: serial: pl2303: add ids for Hewlett-Packard HP POS pole displays - USB: serial: option: add Fibocom NL678 series - qmi_wwan: apply SET_DTR quirk to the SIMCOM shared device ID - Input: elan_i2c - add ACPI ID for touchpad in ASUS Aspire F5-573G - [x86] KVM: Use jmp to invoke kvm_spurious_fault() from .fixup - platform-msi: Free descriptors in platform_msi_domain_free() - perf pmu: Suppress potential format-truncation warning - ext4: fix possible use after free in ext4_quota_enable - ext4: missing unlock/put_page() in ext4_try_to_write_inline_data() - ext4: fix EXT4_IOC_GROUP_ADD ioctl - ext4: include terminating u32 in size of xattr entries when expanding inodes - ext4: force inode writes when nfsd calls commit_metadata() - [arm64,armhf] spi: bcm2835: Fix race on DMA termination - [arm64,armhf] spi: bcm2835: Fix book-keeping of DMA termination - [arm64,armhf] spi: bcm2835: Avoid finishing transfer prematurely in IRQ mode - [armhf] clk: rockchip: fix typo in rk3188 spdif_frac parent - cdc-acm: fix abnormal DATA RX issue for Mediatek Preloader. - f2fs: fix validation of the block count in sanity_check_raw_super - media: vivid: free bitmap_cap when updating std/timings/etc. - media: v4l2-tpg: array index could become negative - [mips*] Ensure pmd_present() returns false after pmd_mknotpresent() - [mips*] OCTEON: mark RGMII interface disabled on OCTEON III - CIFS: Fix error mapping for SMB2_LOCK command which caused OFD lock problem - [x86] kvm/vmx: do not use vm-exit instruction length for fast MMIO when running nested - [arm64] KVM: Avoid setting the upper 32 bits of VTCR_EL2 to 1 - [armhf] rtc: m41t80: Correct alarm month range with RTC reads - [x86] tpm: tpm_i2c_nuvoton: use correct command duration for TPM 2.x - [arm64,armhf] spi: bcm2835: Unbreak the build of esoteric configs https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.150 - [arm64] pinctrl: meson: fix pull enable register calculation - Input: restore EV_ABS ABS_RESERVED - xfrm: Fix bucket count reported to userspace - netfilter: seqadj: re-load tcp header pointer after possible head reallocation - scsi: bnx2fc: Fix NULL dereference in error handling - [armhf] Input: omap-keypad - fix idle configuration to not block SoC idle states - netfilter: ipset: do not call ipset_nest_end after nla_nest_cancel - bnx2x: Clear fip MAC when fcoe offload support is disabled - bnx2x: Remove configured vlans as part of unload sequence. - bnx2x: Send update-svid ramrod with retry/poll flags enabled - scsi: target: iscsi: cxgbit: fix csk leak - scsi: target: iscsi: cxgbit: add missing spin_lock_init() - [arm64] net: hns: Incorrect offset address used for some registers. - [arm64] net: hns: All ports can not work when insmod hns ko after rmmod. - [arm64] net: hns: Some registers use wrong address according to the datasheet. - [arm64] net: hns: Fixed bug that netdev was opened twice - [arm64] net: hns: Clean rx fbd when ae stopped. - [arm64] net: hns: Free irq when exit from abnormal branch - [arm64] net: hns: Avoid net reset caused by pause frames storm - [arm64] net: hns: Fix ntuple-filters status error. - net: hns: Add mac pcs config when enable|disable mac - SUNRPC: Fix a race with XPRT_CONNECTING - lan78xx: Resolve issue with changing MAC address - vxge: ensure data0 is initialized in when fetching firmware version information - net: netxen: fix a missing check and an uninitialized use - [s390x] scsi: zfcp: fix posting too many status read buffers leading to adapter shutdown - libceph: fix CEPH_FEATURE_CEPHX_V2 check in calc_signature() - fork: record start_time late - hwpoison, memory_hotplug: allow hwpoisoned pages to be offlined - mm, devm_memremap_pages: mark devm_memremap_pages() EXPORT_SYMBOL_GPL - mm, devm_memremap_pages: kill mapping "System RAM" support - sunrpc: fix cache_head leak due to queued request - sunrpc: use SVC_NET() in svcauth_gss_* functions - [mips*] math-emu: Write-protect delay slot emulation pages - [amd64] crypto: x86/chacha20 - avoid sleeping with preemption disabled - vhost/vsock: fix uninitialized vhost_vsock->guest_cid - [amd64] IB/hfi1: Incorrect sizing of sge for PIO will OOPs - ALSA: cs46xx: Potential NULL dereference in probe - ALSA: usb-audio: Avoid access before bLength check in build_audio_procunit() - ALSA: usb-audio: Fix an out-of-bound read in create_composite_quirks - dlm: fixed memory leaks after failed ls_remove_names allocation - dlm: possible memory leak on error path in create_lkb() - dlm: lost put_lkb on error path in receive_convert() and receive_unlock() - dlm: memory leaks on error path in dlm_user_request() - gfs2: Get rid of potential double-freeing in gfs2_create_inode - gfs2: Fix loop in gfs2_rbm_find - b43: Fix error in cordic routine - [powerpc*] tm: Set MSR[TS] just prior to recheckpoint - 9p/net: put a lower bound on msize - rxe: fix error completion wr_id and qp_num - [amd64] iommu/vt-d: Handle domain agaw being less than iommu agaw - ceph: don't update importing cap's mseq when handing cap export - [ppc64el] genwqe: Fix size check - [x86] intel_th: msu: Fix an off-by-one in attribute store - [i386] power: supply: olpc_battery: correct the temperature units - [arm64,armhf] drm/vc4: Set ->is_yuv to false when num_planes == 1 - bnx2x: Fix NULL pointer dereference in bnx2x_del_all_vlans() on some hw https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.151 - ALSA: hda/realtek - Disable headset Mic VREF for headset mode of ALC225 - CIFS: Do not hide EINTR after sending network packets - cifs: Fix potential OOB access of lock element array - usb: cdc-acm: send ZLP for Telit 3G Intel based modems - USB: storage: don't insert sane sense for SPC3+ when bad sense specified - USB: storage: add quirk for SMI SM3350 - USB: Add USB_QUIRK_DELAY_CTRL_MSG quirk for Corsair K70 RGB - slab: alien caches must not be initialized if the allocation of the alien cache failed - mm: page_mapped: don't assume compound page is huge or THP - ACPI: power: Skip duplicate power resource references in _PRx - i2c: dev: prevent adapter retries and timeout being set as minus value - rbd: don't return 0 on unmap if RBD_DEV_FLAG_REMOVING is set - ext4: make sure enough credits are reserved for dioread_nolock writes - ext4: fix a potential fiemap/page fault deadlock w/ inline_data - ext4: avoid kernel warning when writing the superblock to a dead device - sunrpc: use-after-free in svc_process_common() (CVE-2018-16884) https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.152 - tty/ldsem: Wake up readers after timed out down_write() - tty: Hold tty_ldisc_lock() during tty_reopen() - tty: Simplify tty->count math in tty_reopen() - tty: Don't hold ldisc lock in tty_reopen() if ldisc present - can: gw: ensure DLC boundaries after CAN frame modification (CVE-2019-3701) - Revert "f2fs: do not recover from previous remained wrong dnodes" - media: em28xx: Fix misplaced reset of dev->v4l::field_count - proc: Remove empty line in /proc/self/status - [arm64] kvm: consistently handle host HCR_EL2 flags - [arm64] Don't trap host pointer auth use to EL2 - ipv6: fix kernel-infoleak in ipv6_local_error() - net: bridge: fix a bug on using a neighbour cache entry without checking its state - packet: Do not leak dev refcounts on error exit - bonding: update nest level on unlink - ip: on queued skb use skb_header_pointer instead of pskb_may_pull - crypto: authencesn - Avoid twice completion call in decrypt path - crypto: authenc - fix parsing key with misaligned rta_len - btrfs: wait on ordered extents on abort cleanup - Yama: Check for pid death before checking ancestry - scsi: core: Synchronize request queue PM status only on successful resume - scsi: sd: Fix cache_type_store() - [arm64] kaslr: ensure randomized quantities are clean to the PoC - [mips*] Disable MSI also when pcie-octeon.pcie_disable on - media: vivid: fix error handling of kthread_run - media: vivid: set min width/height to a value > 0 - LSM: Check for NULL cred-security on free - media: vb2: vb2_mmap: move lock up - sunrpc: handle ENOMEM in rpcb_getport_async - netfilter: ebtables: account ebt_table_info to kmemcg - selinux: fix GPF on invalid policy - blockdev: Fix livelocks on loop device - sctp: allocate sctp_sockaddr_entry with kzalloc - tipc: fix uninit-value in tipc_nl_compat_link_reset_stats - tipc: fix uninit-value in tipc_nl_compat_bearer_enable - tipc: fix uninit-value in tipc_nl_compat_link_set - tipc: fix uninit-value in tipc_nl_compat_name_table_dump - tipc: fix uninit-value in tipc_nl_compat_doit - block/loop: Use global lock for ioctl() operation. - loop: Fold __loop_release into loop_release - loop: Get rid of loop_index_mutex - loop: Fix double mutex_unlock(&loop_ctl_mutex) in loop_control_ioctl() - drm/fb-helper: Ignore the value of fb_var_screeninfo.pixclock - mm, memcg: fix reclaim deadlock with writeback - media: vb2: be sure to unlock mutex on errors - nbd: set the logical and physical blocksize properly - nbd: Use set_blocksize() to set device blocksize https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.153 - r8169: Add support for new Realtek Ethernet - ipv6: Consider sk_bound_dev_if when binding a socket to a v4 mapped address - ipv6: Take rcu_read_lock in __inet6_bind for mapped addresses - [x86] platform: asus-wmi: Tell the EC the OS will handle the display off hotkey - e1000e: allow non-monotonic SYSTIM readings - writeback: don't decrement wb->refcnt if !wb->bdi - [arm64,armhf] serial: set suppress_bind_attrs flag only if builtin - ALSA: oxfw: add support for APOGEE duet FireWire - [arm64] perf: set suppress_bind_attrs flag to true - selinux: always allow mounting submounts - rxe: IB_WR_REG_MR does not capture MR's iova field - jffs2: Fix use of uninitialized delayed_work, lockdep breakage - pstore/ram: Do not treat empty buffers as valid - [ppc64el] powerpc/xmon: Fix invocation inside lock region - [powerpc*] powerpc/pseries/cpuidle: Fix preempt warning - media: firewire: Fix app_info parameter type in avc_ca{,_app}_info - net: call sk_dst_reset when set SO_DONTROUTE - scsi: target: use consistent left-aligned ASCII INQUIRY data - [armhf] clk: imx6q: reset exclusive gates on init - tty/serial: do not free trasnmit buffer page under port lock - [x86] perf intel-pt: Fix error with config term "pt=0" - perf svghelper: Fix unchecked usage of strncpy() - perf parse-events: Fix unchecked usage of strncpy() - dm kcopyd: Fix bug causing workqueue stalls - dm snapshot: Fix excessive memory usage and workqueue stalls - ALSA: bebob: fix model-id of unit for Apogee Ensemble - sysfs: Disable lockdep for driver bind/unbind files - scsi: smartpqi: correct lun reset issues - scsi: megaraid: fix out-of-bound array accesses - ocfs2: fix panic due to unrecovered local alloc - mm/page-writeback.c: don't break integrity writeback on ->writepage() error - mm, proc: be more verbose about unstable VMA flags in /proc//smaps - [arm64] ipmi:ssif: Fix handling of multi-part return messages - locking/qspinlock: Pull in asm/byteorder.h to ensure correct endianness https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.154 - net: bridge: Fix ethernet header pointer before check skb forwardable - net: Fix usage of pskb_trim_rcsum - openvswitch: Avoid OOB read when parsing flow nlattrs - vhost: log dirty page correctly - net: ipv4: Fix memory leak in network namespace dismantle - net_sched: refetch skb protocol for each filter - ipfrag: really prevent allocation on netns exit - USB: serial: simple: add Motorola Tetra TPG2200 device id - USB: serial: pl2303: add new PID to support PL2303TB - [x86] ASoC: atom: fix a missing check of snd_pcm_lib_malloc_pages - [s390x] early: improve machine detection - [s390x] smp: fix CPU hotplug deadlock with CPU rescan - [x86] char/mwave: fix potential Spectre v1 vulnerability - staging: rtl8188eu: Add device code for D-Link DWA-121 rev B1 - tty: Handle problem if line discipline does not have receive_buf - uart: Fix crash in uart_write and uart_put_char - [x86] tty/n_hdlc: fix __might_sleep warning - CIFS: Fix possible hang during async MTU reads and writes - Input: xpad - add support for SteelSeries Stratus Duo - compiler.h: enable builtin overflow checkers and add fallback code - Input: uinput - fix undefined behavior in uinput_validate_absinfo() - [x86] acpi/nfit: Block function zero DSMs - [x86] acpi/nfit: Fix command-supported detection - dm thin: fix passdown_double_checking_shared_status() - [x86] KVM: Fix single-step debugging - [x86] kaslr: Fix incorrect i8254 outb() parameters - can: dev: __can_get_echo_skb(): fix bogous check for non-existing skb by removing it - can: bcm: check timer values before ktime conversion - vt: invoke notifier on screen size change - perf unwind: Unwind with libdw doesn't take symfs into account - perf unwind: Take pgoff into account when reporting elf to libdwfl - [arm64] irqchip/gic-v3-its: Align PCI Multi-MSI allocation on their size - [s390x] smp: Fix calling smp_call_ipl_cpu() from ipl CPU - nvmet-rdma: Add unlikely for response allocated check - nvmet-rdma: fix null dereference under heavy load - f2fs: read page index before freeing - btrfs: fix error handling in btrfs_dev_replace_start - btrfs: dev-replace: go back to suspended state if target device is missing https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.155 - Fix "net: ipv4: do not handle duplicate fragments as overlapping" - fs: add the fsnotify call to vfs_iter_write - ipv6: Consider sk_bound_dev_if when binding a socket to an address (Closes: #918103) - l2tp: copy 4 more bytes to linear part if necessary - net/mlx4_core: Add masking for a few queries on HCA caps - netrom: switch to sock timer API - net/rose: fix NULL ax25_cb kernel panic - net/mlx5e: Allow MAC invalidation while spoofchk is ON - l2tp: remove l2specific_len dependency in l2tp_core - l2tp: fix reading optional fields of L2TPv3 - ipvlan, l3mdev: fix broken l3s mode wrt local routes - CIFS: Do not count -ENODATA as failure for query directory - fs/dcache: Fix incorrect nr_dentry_unused accounting in shrink_dcache_sb() - [arm64] kaslr: ensure randomized quantities are clean also when kaslr is off - [arm64] hyp-stub: Forbid kprobing of the hyp-stub - [arm64] hibernate: Clean the __hyp_text to PoC after resume - gfs2: Revert "Fix loop in gfs2_rbm_find" - [x86] platform/x86: asus-nb-wmi: Map 0x35 to KEY_SCREENLOCK - [x86] platform/x86: asus-nb-wmi: Drop mapping of 0x33 and 0x34 scan codes - [arm64,armhf] mmc: sdhci-iproc: handle mmc_of_parse() errors during probe - kernel/exit.c: release ptraced tasks before zap_pid_ns_processes - mm, oom: fix use-after-free in oom_kill_process - mm: hwpoison: use do_send_sig_info() instead of force_sig() - mm: migrate: don't rely on __PageMovable() of newpage after unlocking it - cifs: Always resolve hostname before reconnecting - drivers: core: Remove glue dirs from sysfs earlier - fs: don't scan the inode cache before SB_BORN is set - fanotify: fix handling of events on child sub-directory https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.156 - drm/bufs: Fix Spectre v1 vulnerability - [x86] ASoC: Intel: mrfld: fix uninitialized variable access - [armhf] gpu: ipu-v3: image-convert: Prevent race between run and unprepare - scsi: lpfc: Correct LCB RJT handling - [armhf] 8808/1: kexec:offline panic_smp_self_stop CPU - dlm: Don't swamp the CPU with callbacks queued during recovery - [x86] PCI: Fix Broadcom CNB20LE unintended sign extension (redux) - [ppc64el] powerpc/pseries: add of_node_put() in dlpar_detach_node() - [arm64,armhf] drm/vc4: ->x_scaling[1] should never be set to VC4_SCALING_NONE - ptp: check gettime64 return code in PTP_SYS_OFFSET ioctl - [arm64,armhf] soc/tegra: Don't leak device tree node reference - [x86] iio: accel: kxcjk1013: Add KIOX010A ACPI Hardware-ID - media: adv*/tc358743/ths8200: fill in min width/height/pixelclock - f2fs: move dir data flush to write checkpoint process - f2fs: fix wrong return value of f2fs_acl_create - nfsd4: fix crash on writing v4_end_grace before nfsd startup - Thermal: do not clear passive state during system sleep - firmware/efi: Add NULL pointer checks in efivars API functions - [arm64] ftrace: don't adjust the LR value - [x86] fpu: Add might_fault() to user_insn() - smack: fix access permissions for keyring - usb: hub: delay hub autosuspend if USB3 port is still link training - timekeeping: Use proper seqcount initializer - [armhf] clk: sunxi-ng: a33: Set CLK_SET_RATE_PARENT for all audio module clocks - [amd64] iommu/amd: Fix amd_iommu=force_isolation - [armhf] dts: Fix OMAP4430 SDP Ethernet startup - [mips*] bpf: fix encoding bug for mm_srlv32_op - [arm64,armhf] iommu/arm-smmu: Add support for qcom,smmu-v2 variant - [arm64] iommu/arm-smmu-v3: Use explicit mb() when moving cons pointer - udf: Fix BUG on corrupted inode - memstick: Prevent memstick host from getting runtime suspended during card detection - [armhf] tty: serial: samsung: Properly set flags in autoCTS mode - perf header: Fix unchecked usage of strncpy() - perf probe: Fix unchecked usage of strncpy() - [arm64] KVM: Skip MMIO insn after emulation - mac80211: fix radiotap vendor presence bitmap handling - xfrm6_tunnel: Fix spi check in __xfrm6_tunnel_alloc_spi - Bluetooth: Fix unnecessary error message for HCI request completion - scsi: smartpqi: correct host serial num for ssa - scsi: smartpqi: correct volume status - drbd: narrow rcu_read_lock in drbd_sync_handshake - drbd: disconnect, if the wrong UUIDs are attached on a connected peer - drbd: skip spurious timeout (ping-timeo) when failing promote - fbdev: fbmem: behave better with small rotated displays and many CPUs - i40e: define proper net_device::neigh_priv_len - igb: Fix an issue that PME is not enabled during runtime suspend - fbdev: fbcon: Fix unregister crash when more than one framebuffer - [arm64] pinctrl: meson: meson8: fix the GPIO function for the GPIOAO pins - [arm64] pinctrl: meson: meson8b: fix the GPIO function for the GPIOAO pins - [x86] KVM: svm: report MSR_IA32_MCG_EXT_CTL as unsupported - NFS: nfs_compare_mount_options always compare auth flavors. - hwmon: (lm80) fix a missing check of the status of SMBus read - hwmon: (lm80) fix a missing check of bus read in lm80 probe - seq_buf: Make seq_buf_puts() null-terminate the buffer - cifs: check ntwrk_buf_start for NULL before dereferencing it - um: Avoid marking pages with "changed protection" - niu: fix missing checks of niu_pci_eeprom_read - f2fs: fix sbi->extent_list corruption issue - ocfs2: don't clear bh uptodate for block read - HID: lenovo: Add checks to fix of_led_classdev_register - kernel/hung_task.c: break RCU locks based on jiffies - proc/sysctl: fix return error for proc_doulongvec_minmax() - fs/epoll: drop ovflist branch prediction - exec: load_script: don't blindly truncate shebang string - dccp: fool proof ccid_hc_[rt]x_parse_options() - rxrpc: bad unlock balance in rxrpc_recvmsg - skge: potential memory corruption in skge_get_regs() - rds: fix refcount bug in rds_sock_addref - net/mlx5e: Force CHECKSUM_UNNECESSARY for short ethernet frames - [armhf] net: dsa: slave: Don't propagate flag changes on down slave interfaces - enic: fix checksum validation for IPv6 - ALSA: compress: Fix stop handling on compressed capture streams - ALSA: hda - Serialize codec registrations - fuse: call pipe_buf_release() under pipe lock - fuse: decrement NR_WRITEBACK_TEMP on the right page - fuse: handle zero sized retrieve correctly - [arm64,armhf] dmaengine: bcm2835: Fix interrupt race on RT - [arm64,armhf] dmaengine: bcm2835: Fix abort of transactions - [armhf] dmaengine: imx-dma: fix wrong callback invoke - [armhf] usb: phy: am335x: fix race condition in _probe - [armhf] usb: gadget: musb: fix short isoc packets with inventra dma - scsi: aic94xx: fix module loading - [x86] KVM: work around leak of uninitialized stack contents (CVE-2019-7222) - kvm: fix kvm_ioctl_create_device() reference counting (CVE-2019-6974) - [x86] KVM: nVMX: unconditionally cancel preemption timer in free_nested (CVE-2019-7221) - [x86] perf/x86/intel/uncore: Add Node ID mask - [x86] MCE: Initialize mce.bank in the case of a fatal error in mce_no_way_out() - perf/core: Don't WARN() for impossible ring-buffer sizes - perf tests evsel-tp-sched: Fix bitwise operator - serial: fix race between flush_to_ldisc and tty_open - oom, oom_reaper: do not enqueue same task twice - [amd64] PCI: vmd: Free up IRQs on suspend path - [amd64] IB/hfi1: Add limit test for RC/UC send via loopback - [x86] perf/x86/intel: Delay memory deallocation until x86_pmu_dead_cpu() https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.157 - [armhf] mtd: rawnand: gpmi: fix MX28 bus master lockup problem - signal: Always notice exiting tasks - signal: Better detection of synchronous signals - [arm64,armhf] misc: vexpress: Off by one in vexpress_syscfg_exec() - debugfs: fix debugfs_rename parameter checking - [mips*] cm: reprime error cause - [mips*] OCTEON: don't set octeon_dma_bar_type if PCI is disabled - mac80211: ensure that mgmt tx skbs have tailroom for encryption - drm/modes: Prevent division by zero htotal - [x86] drm/vmwgfx: Fix setting of dma masks - [x86] drm/vmwgfx: Return error code from vmw_execbuf_copy_fence_user - nfsd4: fix cached replies to solo SEQUENCE compounds - nfsd4: catch some false session retries - HID: debug: fix the ring buffer implementation (CVE-2019-3819) - Revert "cifs: In Kconfig CONFIG_CIFS_POSIX needs depends on legacy (insecure cifs)" - libceph: avoid KEEPALIVE_PENDING races in ceph_con_keepalive() - xfrm: refine validation of template and selector families - batman-adv: Avoid WARN on net_device without parent in netns - batman-adv: Force mac header to start of data on xmit https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.158 - Revert "exec: load_script: don't blindly truncate shebang string" https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.159 - dt-bindings: eeprom: at24: add "atmel,24c2048" compatible string - eeprom: at24: add support for 24c2048 - uapi/if_ether.h: prevent redefinition of struct ethhdr - [armel,armhf] 8789/1: signal: copy registers using __copy_to_user() - [armel,armhf] 8791/1: vfp: use __copy_to_user() when saving VFP state - [armel,armhf] 8793/1: signal: replace __put_user_error with __put_user - [armel,armhf] 8794/1: uaccess: Prevent speculative use of the current addr_limit - [armel,armhf] 8795/1: spectre-v1.1: use put_user() for __put_user() - [armel,armhf] 8796/1: spectre-v1,v1.1: provide helpers for address sanitization - [armel,armhf] 8797/1: spectre-v1.1: harden __copy_to_user - [armel,armhf] 8810/1: vfp: Fix wrong assignement to ufp_exc - [armel,armhf] make lookup_processor_type() non-__init - [armel,armhf] split out processor lookup - [armel,armhf] clean up per-processor check_bugs method call - [armel,armhf] add PROC_VTABLE and PROC_TABLE macros - [armel,armhf] spectre-v2: per-CPU vtables to work around big.Little systems - [armel,armhf] ensure that processor vtables is not lost after boot - [armel,armhf] fix the cockup in the previous patch - net: create skb_gso_validate_mac_len() (CVE-2018-1000026) - bnx2x: disable GSO where gso_size is too big for hardware (CVE-2018-1000026) - [i386] ACPI: NUMA: Use correct type for printing addresses on i386-PAE - cpufreq: check if policy is inactive early in __cpufreq_get() - [armel] dts: kirkwood: Fix polarity of GPIO fan lines - cifs: Limit memory used by lock request calls to a page - perf report: Include partial stacks unwound with libdw - Revert "Input: elan_i2c - add ACPI ID for touchpad in ASUS Aspire F5-573G" - Input: elan_i2c - add ACPI ID for touchpad in Lenovo V330-15ISK - perf/core: Fix impossible ring-buffer sizes warning - [x86] perf: Add check_period PMU callback - ALSA: hda - Add quirk for HP EliteBook 840 G5 - ALSA: usb-audio: Fix implicit fb endpoint setup by quirk - [x86] kvm: vmx: Fix entry number check for add_atomic_switch_msr() - Input: elantech - enable 3rd button support on Fujitsu CELSIUS H780 - [alpha] fix page fault handling for r16-r18 targets - [alpha] Fix Eiger NR_IRQS to 128 - tracing/uprobes: Fix output for multiple string arguments - signal: Restore the stop PTRACE_EVENT_EXIT - [amd64] x86/a.out: Clear the dump structure initially - dm thin: fix bug where bio that overwrites thin block ignores FUA - [x86] drm/i915: Prevent a race during I915_GEM_MMAP ioctl with WC set - smsc95xx: Use skb_cow_head to deal with cloned skbs - ch9200: use skb_cow_head() to deal with cloned skbs - kaweth: use skb_cow_head() to deal with cloned skbs - [arm64,armhf] usb: dwc2: Remove unnecessary kfree - netfilter: nf_tables: fix mismatch in big-endian system - [arm64] pinctrl: msm: fix gpio-hog related boot issues - mm: stop leaking PageTables - uapi/if_ether.h: move __UAPI_DEF_ETHHDR libc define - Revert "scsi: aic94xx: fix module loading" https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.160 - net: fix IPv6 prefix route residue - [x86] vsock: cope with memory allocation failure at socket creation time - hwmon: (lm80) Fix missing unlock on error in set_fan_div() - net: Fix for_each_netdev_feature on Big endian - [arm64,armhf] net: stmmac: handle endianness in dwmac4_get_timestamp - sky2: Increase D3 delay again - vhost: correctly check the return value of translate_desc() in log_used() - net: Add header for usage of fls64() - tcp: tcp_v4_err() should be more careful - net: Do not allocate page fragments that are not skb aligned - tcp: clear icsk_backoff in tcp_write_queue_purge() - vxlan: test dev->flags & IFF_UP before calling netif_rx() - [arm64,armhf] net: stmmac: Fix a race in EEE enable callback - net: ipv4: use a dedicated counter for icmp_v4 redirect packets - btrfs: Remove false alert when fiemap range is smaller than on-disk extent - mISDN: fix a race in dev_expire_timer() - ax25: fix possible use-after-free https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.161 - mac80211: Free mpath object when rhashtable insertion fails - libceph: handle an empty authorize reply - ceph: avoid repeatedly adding inode to mdsc->snap_flush_list - numa: change get_mempolicy() to use nr_node_ids instead of MAX_NUMNODES - proc, oom: do not report alien mms when setting oom_score_adj - KEYS: allow reaching the keys quotas exactly - [armhf] mfd: ti_am335x_tscadc: Use PLATFORM_DEVID_AUTO while registering mfd cells - [armhf] mfd: twl-core: Fix section annotations on {,un}protect_pm_master - [arm64] mfd: qcom_rpm: write fw_version to CTRL_REG - [armhf] mfd: mc13xxx: Fix a missing check of a register-read failure - qed: Fix qed_ll2_post_rx_buffer_notify_fw() by adding a write memory barrier - [arm64] net: hns: Fix use after free identified by SLUB debug - scsi: qla4xxx: check return code of qla4xxx_copy_from_fwddb_param - [x86] scsi: isci: initialize shost fully before calling scsi_add_host() - atm: he: fix sign-extension overflow on large shift - [armhf] leds: lp5523: fix a missing check of return value of lp55xx_read - net/mlx5e: Fix wrong (zero) TX drop counter indication for representor - RDMA/srp: Rework SCSI device reset handling - KEYS: user: Align the payload buffer - KEYS: always initialize keyring_index_key::desc_len - batman-adv: fix uninit-value in batadv_interface_tx() - net/packet: fix 4gb buffer limit due to overflow check - team: avoid complex list operations in team_nl_cmd_options_set() - sit: check if IPv6 enabled before calling ip6_err_gen_icmpv6_unreach() - sctp: call gso_reset_checksum when computing checksum in sctp_gso_segment - net/mlx4_en: Force CHECKSUM_NONE for short ethernet frames - [hppa/parisc] Fix ptrace syscall number modification - [x86] hpet: Make cmd parameter of hpet_ioctl_common() unsigned - clocksource: Use GENMASK_ULL in definition of CLOCKSOURCE_MASK - netpoll: Fix device name check in netpoll_setup() - tracing: Use cpumask_available() to check if cpumask variable may be used - [x86] boot: Disable the address-of-packed-member compiler warning - [x86] drm/i915: Consistently use enum pipe for PCH transcoders - [x86] drm/i915: Fix enum pipe vs. enum transcoder for the PCH transcoder - [arm64] irqchip/gic-v3: Convert arm64 GIC accessors to {read,write}_sysreg_s - mm/zsmalloc.c: change stat type parameter to int - mm/zsmalloc.c: fix -Wunneeded-internal-declaration warning - Revert "bridge: do not add port to router list when receives query with source 0.0.0.0" - netfilter: nf_tables: fix flush after rule deletion in the same batch - [arm64] pinctrl: max77620: Use define directive for max77620_pinconf_param values - [arm64,armhf] phy: tegra: remove redundant self assignment of 'map' - sched/sysctl: Fix attributes of some extern declarations . [ Salvatore Bonaccorso ] * Refresh kbuild-use-nostdinc-in-compile-tests.patch for context changes in 4.9.145 * [rt] Update to 4.9.146-rt125 - seqlock: provide the same ordering semantics as mainline - squashfs: make use of local lock in multi_cpu decompressor - locallock: provide {get,put}_locked_ptr() variants - posix-timers: move the rcu head out of the union - alarmtimer: Prevent live lock in alarm_cancel() - block: blk-mq: move blk_queue_usage_counter_release() into process context - Revert "block: blk-mq: Use swait" - Revert "rt,ntp: Move call to schedule_delayed_work() to helper thread" - net: use task_struct instead of CPU number as the queue owner on -RT - locking: add types.h - mm/slub: close possible memory-leak in kmem_cache_alloc_bulk() - crypto: limit more FPU-enabled sections - sched, tracing: Fix trace_sched_pi_setprio() for deboosting - rcu: Suppress lockdep false-positive ->boost_mtx complaints - rcu: Do not include rtmutex_common.h unconditionally - rtmutex: Make rt_mutex_futex_unlock() safe for irq-off callsites - futex: Fix OWNER_DEAD fixup - futex: Avoid violating the 10th rule of futex - futex: Fix more put_pi_state() vs. exit_pi_state_list() races - futex: Fix pi_state->owner serialization * [rt] Refresh 0366-posix-timers-move-the-rcu-head-out-of-the-union.patch. Refresh for context changes caused by a Debian specific patch to avoid ABI change in 4.9.136: "posix-timers: Avoid ABI change in 4.9.136" * [rt] Refresh 0280-random-Make-it-work-on-rt.patch * [rt] Refresh 0198-fs-aio-simple-simple-work.patch for context changes in 4.9.147 * Btrfs: fix corruption reading shared and compressed extents after hole punching (Closes: #922306) . [ Ben Hutchings ] * Bump ABI to 9 and apply deferred changes: - netfilter: ipv6: nf_defrag: reduce struct net memory waste - proc/sysctl: prune stale dentries during unregistering - proc/sysctl: Don't grab i_lock under sysctl_lock. - proc: Fix proc_sys_prune_dcache to hold a sb reference - [mips*] Correct the 64-bit DSP accumulator register size - inet: frags: fix ip6frag_low_thresh boundary - inet: frags: reorganize struct netns_frags - rhashtable: reorganize struct rhashtable layout - inet: frags: break the 2GB limit for frags storage - elevator: fix truncation of icq_cache_name linux (4.9.144-3.1) stretch; urgency=high . * Non-maintainer upload. * Fix boot breakage on 32-bit arm (closes: #922478). Thanks to Adrian Bunk for spotting the mistake. linux-latest (80+deb9u7) stretch; urgency=medium . * Update to 4.9.0-9 mariadb-10.1 (10.1.38-0+deb9u1) stretch; urgency=medium . * SECURITY UPDATE: New upstream release 10.1.38. Includes fixes for the following security vulnerabilities (Closes: #920933): - CVE-2019-2537 - CVE-2019-2529 * Update correct branch name in gbp.conf * Disable test unit.pcre_test on s390x that was failing in stretch-security (Closes: #920854) * Limit build test suite to 'main' like in mariadb-10.3 to make unnecessary build failures less likely in lifetime of Stretch. * Fix mips compilation failure (__bss_start symbol missing) (Closes: #920855) * Extend the server README to clarify common misunderstandings (Closes: #878215) * Enable ccache in CMake path so it can be used automatically where available * Heavily refactor and unify gitlab-ci.yml MariaDB install/upgrade steps. This ensures uploads to Stretch are much more safer to do now than in the past. mariadb-10.1 (10.1.37-0+deb9u1) stretch-security; urgency=high . * SECURITY UPDATE: New upstream release 10.1.37. Includes fixes for the following security vulnerabilities (Closes: #912848); - CVE-2018-3282 - CVE-2018-3251 - CVE-2018-3174 - CVE-2018-3156 - CVE-2018-3143 - CVE-2016-9843 * Add (and rename) new man pages * Add Gitlab-CI definition file that can test each commit to this repository * Fix d/control metadata to match status for Debian Stretch * Physically remove patches no longer in series and not applied anyway * Fix wrong-path-for-interpreter in innotop script to make package Lintian error free as pass CI systems fully * Previous upstream version 10.1.35 included fixes for the following security vulnerabilities: - CVE-2018-3066 - CVE-2018-3064 - CVE-2018-3063 - CVE-2018-3058 * Previous upstream version 10.1.33 included fixes for the following security vulnerabilities: - CVE-2018-2819 - CVE-2018-2817 - CVE-2018-2813 - CVE-2018-2787 - CVE-2018-2784 - CVE-2018-2782 - CVE-2018-2781 - CVE-2018-2771 - CVE-2018-2767 - CVE-2018-2766 - CVE-2018-2761 - CVE-2018-2755 * Previous upstream version 10.1.31 included fixes for the following security vulnerabilities: - CVE-2018-2668 - CVE-2018-2665 - CVE-2018-2640 - CVE-2018-2622 - CVE-2018-2612 - CVE-2018-2562 * Revert "Update d/gbp.conf to track stretch branches" * New upstream version 10.1.30. Includes fixes for the following security vulnerabilities (Closes: #885345): - CVE-2017-15365 * Amend previous Debian changelog entries to contain new CVE identifiers * Refresh patches for MariaDB 10.1.30 and again for .34 * Delete unnecessary systemd files introduced by upstream * Add new files introduced by upstream to correct packages * Use list-missing instead of fail in d/rules so builds pass . [ Ondřej Surý ] * New upstream version 10.1.29. Includes fixes for the following security vulnerabilities: - CVE-2017-10378 - CVE-2017-10268 - MDEV-13819 * Add libconfig-inifiles-perl to mariadb-client-10.1 depends to fix mytop * Add mips64el to the list of platforms that are allowed to fail test suite * Handle new and/or missing files * Ignore failed tests on more non-release platforms (kfreebsd-i386, kfreebsd-amd64 and sparc64) * Rebase patches for MariaDB 10.1.29 . [ Christian Ehrhardt ] * d/t/upstream: skip func_regexp_pcre on s390x . [ Vicentiu Ciorbaru ] * Fix Mroonga compilation failure on arm64 * Extend libmariadbclient-rename.patch to cover TokuDB as well * Disable disks.disks test mariadb-10.1 (10.1.29-1) unstable; urgency=medium . * New upstream version 10.1.29 * Remove the mariadb-test-* packages as they are now provided by mariadb-10.2 (Closes: #881898) * Rebase patches for new upstream version. mariadb-10.1 (10.1.28-2) unstable; urgency=high . * Add libconfig-inifiles-perl to mariadb-client-10.1 depends to fix mytop (Closes: #875708) * Add mips64el to the list of platforms that are allowed to fail test suite (Closes: #879637) mariadb-10.1 (10.1.28-1) unstable; urgency=medium . * New upstream version 10.1.28 * Rebase patches on top of MariaDB 10.1.28 * Add extra symbols aliases for libmariadbclient_16 mariadb-10.1 (10.1.26-1) unstable; urgency=medium . * Ignore upstream debian/ directory when importing upstream tarball * New upstream version 10.1.26 * Refresh patches for MariaDB 10.1.26 * Remove unstable tests patches for unstable build, so we see what is really failing and what is not mosquitto (1.4.10-3+deb9u4) stretch-security; urgency=high . * Fix potential crash when reloading persistence file. (closes: #922071). mosquitto (1.4.10-3+deb9u3) stretch-security; urgency=high . * SECURITY UPDATE: If Mosquitto is configured to use a password file for authentication, any malformed data in the password file will be treated as valid. This typically means that the malformed data becomes a username and no password. If this occurs, clients can circumvent authentication and get access to the broker by using the malformed username. In particular, a blank line will be treated as a valid empty username. Other security measures are unaffected. Users who have only used the mosquitto_passwd utility to create and modify their password files are unaffected by this vulnerability. - debian/patches/mosquitto-1.4.x-cve-2018-12551.patch: this fix introduces more stringent parsing tests on the password file data. - CVE-2018-12551 * SECURITY UPDATE: If an ACL file is empty, or has only blank lines or comments, then mosquitto treats the ACL file as not being defined, which means that no topic access is denied. Although denying access to all topics is not a useful configuration, this behaviour is unexpected and could lead to access being incorrectly granted in some circumstances. - debian/patches/mosquitto-1.4.x-cve-2018-12550.patch: this fix ensures that if an ACL file is defined but no rules are defined, then access will be denied. - CVE-2018-12550 * SECURITY UPDATE: If a client publishes a retained message to a topic that they have access to, and then their access to that topic is revoked, the retained message will still be delivered to future subscribers. This behaviour may be undesirable in some applications, so a configuration option `check_retain_source` has been introduced to enforce checking of the retained message source on publish. - debian/patches/mosquitto-1.4.9-1.4.14-cve-2018-12546.patch: this patch stores the originator of the retained message, so security checking can be carried out before re-publishing. The complexity of the patch is due to the need to save this information across broker restarts. - CVE-2018-12546 mumble (1.2.18-1+deb9u1) stretch-security; urgency=high . * debian/patches: - Add 60-fix-message-flood.diff to fix instability and crash due to message flooding Thanks to "the zombi community" for finding the bug, committing a fix upstream, and contacting me to fix the issue in Debian - Add 61-configurable-rate-limit.diff to make message rate limit configurable ncmpc (0.25-0.1+deb9u1) stretch; urgency=medium . * Non-maintainer upload. * Fix CVE-2018-9240 (Closes: #894724) neutron (2:9.1.1-3+deb9u1) stretch-security; urgency=medium . * CVE-2019-9735: it's possible to add a security group rule for VRRP with a dport. Apply upstream patch: When converting sg rules to iptables, do not emit dport if not supported. (Closes: #924508). node-superagent (0.20.0+dfsg-1+deb9u2) stretch; urgency=medium . * Fix incompatible instruction in CVE-2017-16129 patch node-superagent (0.20.0+dfsg-1+deb9u1) stretch; urgency=medium . * Team upload * Add patch to fix ZIP bomb attacks (Closes: CVE-2017-16129) ntfs-3g (1:2016.2.22AR.1+dfsg-1+deb9u1) stretch-security; urgency=high . * Non-maintainer upload by the Security Team. * Fix heap-based buffer overflow (CVE-2019-9755) nvidia-graphics-drivers (390.116-1) stretch; urgency=medium . * New upstream legacy branch release 390.116 (2019-02-22). * Fixed CVE‑2018‑6260. (Closes: #913467) https://nvidia.custhelp.com/app/answers/detail/a_id/4772 - Fixed build failures which resulted in errors like "implicit declaration of function drm_...", when building the NVIDIA DRM kernel module for Linux kernel 5.0 release candidates. - Fixed a bug which could cause VK_KHR_external_semaphore_fd operations to fail. - Fixed a build failure, "implicit declaration of function 'vm_insert_pfn'", when building the NVIDIA DRM kernel module for Linux kernel 4.20 release candidates. - Fixed a build failure, "unknown type name 'ipmi_user_t'", when building the NVIDIA kernel module for Linux kernel 4.20 release candidates. - Fixed a bug that caused mode switches to fail when an SDI output board was connected. - Fixed a bug that could cause rendering corruption in Vulkan programs. - Fixed a bug that caused vkGetPhysicalDeviceDisplayPropertiesKHR() to occasionally return incorrect values for physicalResolution. * New upstream legacy branch release 340 series. - Fixed a build failure, "too many arguments to function 'get_user_pages'", when building the NVIDIA kernel module for Linux kernel v4.4.168. - Fixed a build failure, "implicit declaration of function do_gettimeofday", when building the NVIDIA kernel module for Linux kernel 5.0 release candidates. - Added a new kernel module parameter, NVreg_RestrictProfilingToAdminUsers, to allow restricting the use of GPU performance counters to system administrators only. . [ Luca Boccassi ] * Drop kmem_cache_create_usercopy.patch, drm-mode.patch, ipmi-user.patch, vm-insert-pfn.patch: fixed upstream. * Update symbols files. . [ Andreas Beckmann ] * nvidia-detect: stretch now has a 390.xx driver. * nvidia-kernel-source: Bump debhelper dependency to match Build-Depends. * Upload to stretch. nvidia-graphics-drivers (390.87-8) unstable; urgency=medium . * Tune more package relationships to prevent that installing packages from nvidia-graphics-drivers-legacy-390xx driver pulls in packages from nvidia-graphics-drivers via Recommends. nvidia-settings (390.116-1) stretch; urgency=medium . * New upstream release 390.116. - Added the synchronization state for PRIME Displays to nvidia-settings. - Fixed a bug that could prevent nvidia-xconfig from disabling the X Composite extension on version 1.20 of the X.org X server. * Upload to stretch. nvidia-settings (390.87-2) unstable; urgency=medium . * Drop versioned constraints that are satisfied in wheezy. * Switch to debhelper-compat (= 12). nvidia-settings (390.87-1) unstable; urgency=medium . * New upstream release 390.87. * Add Build-Depends-Package field to symbols file. * Bump Standards-Version to 4.3.0. No changes needed. obs-build (20160921-1+deb9u1) stretch; urgency=medium . * CVE-2017-14804 (Closes: #887306) - Improve extractbuild to avoid write to files in the host system. - debian/patches/Improve-sanity-checks-in-extractbuild.patch: add new openjdk-8 (8u212-b01-1~deb9u1) stretch-security; urgency=medium . * Rebuild for stretch openjdk-8 (8u202-b26-3) unstable; urgency=medium . * Fix the 8u202 merge for aarch32, not using SA. openjdk-8 (8u202-b26-2) unstable; urgency=medium . * Fix builds using the aarch32 hotspot version. openjdk-8 (8u202-b26-1) unstable; urgency=high . * Update to 8u202-b26. * Security fixes: - CVE-2019-2422, S8206290: Better FileChannel transfer performance. - CVE-2019-2426, S8209094: Improve web server connections. - S8199156: Better route routing. - S8199552: Update to build scripts. - S8200659: Improve BigDecimal support. - S8203955: Improve robot support. - S8204895: Better icon support. - S8205709: Proper allocation handling. - S8205714: Initial class initialization. - S8210094: Better loading of classloader classes. - S8210606: Improved data set handling. - S8210866: Improve JPEG processing. . [ Tiago Stürmer Daitx ] * Update DEP8 tests: - debian/tests/control: updated to allow stderr output and to remove dpkg-dev dependency. - debian/tests/jtdiff-autopkgtest.sh: use dpkg --print-architecture instead of dpkg-architecture; log script name on any output. - debian/tests/jtreg-autopkgtest.in: use dpkg --print-architecture instead of dpkg-architecture; do not retain test temporary files; log script name on any output. - debian/tests/jtreg-autopkgtest.sh: regenerated. openjdk-8 (8u191-b12-2) unstable; urgency=high . * Upload to unstable. * Remove the "Team upload" for the last upload to experimental. openjdk-8 (8u191-b12-1) experimental; urgency=medium . * Team upload * Update to 8u191-b12. (Closes: #911925, Closes: #912333, LP: #1800792) * debian/excludelist.jdk.jtx: no longer needed, using ProblemsList.txt from upstream now. * debian/excludelist.langtools.jtx: upstream testing does not use any exclusion list. * debian/patches/sec-webrev-8u191-b12*: removed, applied upstream. * debian/patches/jdk-8132985-backport-double-free.patch, debian/patches/jdk-8139803-backport-warning.patch: fix crash in freetypescaler due to double free, thanks to Heikki Aitakangas for the report and patches. (Closes: #911847) * debian/rules: - tar and save JTreport directory. - run the same limited set of tests as upstream does. - call the same testsuites scripts used for autopkgtest. - reenable jdk testsuite. - simplified and moved xvfb logic into check-jdk rule. - removed jtreg and xvfb build dependency logic and moved the bdeps into debian/control.in. - added rules to generate autopkgtest scripts from templates. * updated dep8 tests: - debian/test/control: run hotspot, langtools, and jdk testsuites. - debian/tests/hotspot, debian/tests/jdk, debian/tests/langtools: add scripts for each testsuite to be run. - debian/tests/jtreg-autopkgtest.sh: template to generate the jtreg script used by the autopkgtest tests. - debian/tests/jtdiff-autopkgtest.sh: used by the scripts to report any differences between the autopkgtest and the tests results generated during the openjdk package build. - debian/tests/jtreg-autopkgtest.sh: used by the scripts to run jtreg and put the resulting artifacts in the right places. - debian/tests/valid-tests: removed, no longer needed. openjdk-8 (8u181-b13-2) unstable; urgency=high . [ Tiago Stürmer Daitx ] * Apply patches from 8u191-b12 security update. - CVE-2018-3136, S8194534: Manifest better support. - CVE-2018-3139, S8196902: Better HTTP Redirection. - CVE-2018-3149, S8199177: Enhance JNDI lookups. - CVE-2018-3169, S8199226: Improve field accesses. - CVE-2018-3180, S8202613: Improve TLS connections stability. - CVE-2018-3183, S8202936: Improve script engine support. - CVE-2018-3214, S8205361: Better RIFF reading support. - CVE-2018-3211: Unspecified vulnerability in the Serviceability component. - S8195868: Address Internet Addresses. - S8195874: Improve jar specification adherence. - S8201756: Improve cipher inputs. - S8203654: Improve cypher state updates. - S8204497: Better formatting of decimals. * debian/patches/jdk-freetypeScaler-crash.diff: removed as this patch causes a memory leak; upstream fixed it in openjdk-7, albeit in a different way. Closes: #910672. . [ Matthias Klose ] * Bump standards version. openjpeg2 (2.1.2-1.1+deb9u3) stretch-security; urgency=medium . * Non-maintainer upload by the Security Team. * CVE-2018-14423: Division-by-zero vulnerabilities in the functions pi_next_pcrl, pi_next_cprl, and pi_next_rpcl (closes: #904873). * CVE-2018-6616: Excessive Iteration in opj_t1_encode_cblks (closes: #889683). * CVE-2017-17480: Write stack buffer overflow due to missing buffer length formatter in fscanf call (closes: #884738). * CVE-2018-18088: Null pointer dereference caused by null image components in imagetopnm (closes: #910763). * CVE-2018-5785: Integer overflow in convertbmp.c (closes: #888533). openssh (1:7.4p1-10+deb9u6) stretch-security; urgency=high . * Non-maintainer upload by the Security Team. * Apply upstream patch to make scp handle shell-style brace expansions when checking that filenames sent by the server match what the client requested (closes: #923486). openssl1.0 (1.0.2r-1~deb9u1) stretch-security; urgency=medium . [ Kurt Roeckx ] * New upstream version - Fixes CVE-2019-1559 . [ Sebastian Andrzej Siewior ] * Use openssl.cnf from the build directory for the testsuite. openssl1.0 (1.0.2q-2) unstable; urgency=medium . * User openssl.cnf from the build directory for the testsuite. openssl1.0 (1.0.2q-1) unstable; urgency=medium . * Correct typo in the riscv64 target (Closes: #891799). * Update to policy 4.1.4 - drop Priority: important. - use signing-key.asc and a https links for downloads. - point the VCS-* to salsa. * Import upstream version 1.0.2q - CVE-2018-5407 (Microarchitecture timing vulnerability in ECC scalar multiplication) - CVE-2018-0734 (Timing vulnerability in DSA signature generation) - CVE-2018-0732 (Client DoS due to large DH parameter) - CVE-2018-0737 (Cache timing vulnerability in RSA Key Generation) (Closes: #895845) passenger (5.0.30-1+deb9u1) stretch-security; urgency=high . * Non-maintainer upload by the Security Team. * arbitrary file read via REVISION symlink (CVE-2017-16355) (Closes: #884463) * Fix privilege escalation in the Nginx module (CVE-2018-12029) (Closes: #921767) pdns (4.0.3-1+deb9u4) stretch-security; urgency=medium . * Insufficient validation in the HTTP remote backend (CVE-2019-3871) Thanks to Salvatore Bonaccorso (Closes: #924966) perlbrew (0.78-1+deb9u1) stretch; urgency=medium . * Backport upstream fix for CPAN URLs. CPAN URLs have changed to use HTTPS, which makes perlbrew fail to detect perl tarballs. This patch changes the regexp to allow both HTTP and HTTPS. (Closes: #927065) php7.0 (7.0.33-0+deb9u3) stretch-security; urgency=medium . * Pull security fixes from https://github.com/Microsoft/php-src, a shared effort by Remi Collet and Anatol Belski to keep up with security issues in PHP 5.6.40 after EOL. * Security Issues Fixed: + Core: - Fixed bug #77630 (rename() across the device may allow unwanted access during processing). + EXIF: - Fixed bug #77509 (Uninitialized read in exif_process_IFD_in_TIFF). - Fixed bug #77540 (Invalid Read on exif_process_SOFn). - Fixed bug #77563 (Uninitialized read in exif_process_IFD_in_MAKERNOTE). - Fixed bug #77659 (Uninitialized read in exif_process_IFD_in_MAKERNOTE). + PHAR: - Fixed bug #77396 (Null Pointer Dereference in phar_create_or_parse_filename). - Fixed bug #77586 (phar_tar_writeheaders_int() buffer overflow). + SPL: - Fixed bug #77431 (openFile() silently truncates after a null byte). php7.0 (7.0.33-0+deb9u2) stretch-security; urgency=medium . * CVE-2019-9020 * CVE-2019-9021 * CVE-2019-9022 (plus backport for CAA support) * CVE-2019-9023 * CVE-2019-9024 postfix (3.1.12-0+deb9u1) stretch; urgency=medium . [Scott Kitterman] . * Add detailed smarthost instructions to README.Debian. Thanks to Celejar for the input. Closes: #919444 * Refresh patches . [Wietse Venema] . * 3.1.10 - Bugfix (introduced: Postfix 2.11): minor memory leak when minting issuer certs. This affects a tiny minority of use cases. Viktor Dukhovni, based on a fix by Juan Altmayer Pizzorno for the ssl_dane library. File: tls/tls_dane.c. - Bugfix (introduced: Postfix 3.0): with smtputf8_enable=yes, table lookups could casefold the search string when searching a lookup table that does not use fixed-string keys (regexp, pcre, tcp, etc.). Historically, Postfix would not case-fold the search string with such tables. File: util/dict_utf8.c. Closes: #917512 - Multiple 'bit rot' fixes for OpenSSL API changes, including support to disable TLSv1.3, to avoid issuing multiple session tickets. Viktor Dukhovni. Files: proto/postconf.proto, proto/TLS_README.html, tls/tls.h, tls/tls_server.c, tls/tls_misc.c. - Bugfix (introduced: 3.0): smtpd_discard_ehlo_keywords could not disable "SMTPUTF8". because the lookup table was using "EHLO_MASK_SMTPUTF8" instead. File: global/ehlo_mask.c. - Documentation: update documentation for Postfix versions that support disabling TLS 1.3. File: proto/postconf.proto. - Improved logging of TLS 1.3 summary information, and improved reporting of the same info in Received: message headers. Viktor Dukhovni. Files: proto/FORWARD_SECRECY_README.html, posttls-finger/posttls-finger.c, smtpd/smtpd.c, tls/tls.h, tls/tls_client.c, tls/tls_misc.c, tls/tls_proxy.h, tls/tls_proxy_context_print.c, tls/tls_proxy_context_scan.c, tls/tls_server.c. * 3.1.11 - Bugfix (introduced: postfix-2.11): with posttls-finger, connections to unix-domain servers always resulted in "Failed to establish session" even after a connection was established. Jaroslav Skarva. File: posttls-finger/posttls-finger.c. * 3.1.12 - Bugfix (introduced: Postfix 2.2): reject_multi_recipient_bounce has been producing false rejects starting with the Postfix 2.2 smtpd_end_of_data_restrictons, and for the same reasons, did the same with the Postfix 3.4 BDAT command. The latter was reported by Andreas Schulze. File: smtpd/smtpd_check.c. - Bugfix (introduced: Postfix 3.0): LMTP connections over UNIX-domain sockets were cached but not reused, due to a cache lookup key mismatch. Therefore, idle cached connections could exhaust LMTP server resources, resulting in two-second pauses between email deliveries. This problem was investigated by Juliana Rodrigueiro. File: smtp/smtp_connect.c. postgresql-9.6 (9.6.12-0+deb9u1) stretch; urgency=medium . * New upstream version. * Revert upstream patch "Disallow setting client_min_messages higher than ERROR", it causes to much disruption to existing (test) scripts. psk31lx (2.1-1+deb9u1) stretch; urgency=medium . * Non-maintainer upload. * Make the version of the binary package 2.1+2.2really2.1-1+deb9u1 s.t. this sorts after the package in lenny (2.1+2.2beta1-8, built from src:twpsk) and before the the package in buster (2.2-1). (Closes: #911780) publicsuffix (20190415.1030-0+deb9u1) stretch; urgency=medium . * new upstream publicsuffix data publicsuffix (20190329.0756-1) unstable; urgency=medium . * new upstream version publicsuffix (20190221.0923-1) unstable; urgency=medium . * new upstream version publicsuffix (20190221.0923-0+deb9u1) stretch; urgency=medium . * new upstream publicsuffix data publicsuffix (20190128.1516-1) unstable; urgency=medium . * new upstream version publicsuffix (20181227.1630-1) unstable; urgency=medium . * new upstream version publicsuffix (20181108.2228-1) unstable; urgency=medium . * new upstream version publicsuffix (20181030.1007-1) unstable; urgency=medium . * new upstream version publicsuffix (20181003.1334-3) unstable; urgency=medium . * correct name of diff package for autopkgtest publicsuffix (20181003.1334-2) unstable; urgency=medium . * Standards-Version: bump to 4.2.1 (no changes needed) * add debian/watch to look at git, despite #910762 * added simple autopkgtest (borrowed from libpsl) publicsuffix (20181003.1334-1) unstable; urgency=medium . * new upstream version putty (0.67-3+deb9u1) stretch-security; urgency=high . * Backport security fixes from 0.71: - In random_add_noise, put the hashed noise into the pool, not the raw noise. - New facility for removing pending toplevel callbacks. - CVE-2019-9898: Fix one-byte buffer overrun in random_add_noise(). - uxnet: clean up callbacks when closing a NetSocket. - sk_tcp_close: fix memory leak of output bufchain. - Fix handling of bad RSA key with n=p=q=0. - Sanity-check the 'Public-Lines' field in ppk files. - Introduce an enum of the uxsel / select_result flags. - CVE-2019-9895: Switch to using poll(2) in place of select(2). - CVE-2019-9894: RSA kex: enforce the minimum key length. - CVE-2019-9897: Fix crash on ESC#6 + combining chars + GTK + odd-width terminal. - CVE-2019-9897: Limit the number of combining chars per terminal cell. - minibidi: fix read past end of line in rule W5. - CVE-2019-9897: Fix crash printing a width-2 char in a width-1 terminal. pyca (20031119-0.1~deb9u1) stretch; urgency=medium . * Non-maintainer upload. * Rebuild for stretch. . pyca (20031119-0.1) unstable; urgency=medium . * Non-maintainer upload. * Add 'missingok' to logrotate config. (Closes: #914836) * Add dummy binary-arch target. python-certbot (0.28.0-1~deb9u2) stretch; urgency=high . * The previous stable update incorrectly disabled systemd timer due to a change in debhelper compat version. This release drops the compat level back to debhelper 9, thus forcing a restart of the systemd timer. (Closes: #922031) . The behavior of dh_systemd_start changed between compat v9 and compat v10; in v9, timers were stopped in postrm and started in postinst, but in v10 timers were only started in postinst if they were running. Switching back to v9 will unilaterally start the timer in postinst once more. * Fix an FTBFS due to sbuild not considering or'ed dependencies. (Closes: #922543) python-cryptography (1.7.1-3+deb9u1) stretch; urgency=medium . * Remove BIO_callback_ctrl: The prototype differs with the OpenSSL's definition of it after it was changed (fixed) within OpenSSL. It has no users. python-django-casclient (1.2.0-2+deb9u1) stretch; urgency=medium . [ William Blough ] * Team upload * Apply django 1.10 middleware fix from upstream (Closes: #926350) . [ Adrian Bunk ] * python-django-casclient: Add the missing dependency on python-django. (Closes: #896317) * python3-django-casclient: Add the missing dependency on python3-django. (Closes: #896404) python-mode (1:6.2.3-1.1~deb9u1) stretch; urgency=medium . * Non-maintainer upload * Rebuild for stretch. . python-mode (1:6.2.3-1.1) unstable; urgency=medium . * Non-maintainer upload * Drop xemacs21 support (Closes: #909383, #680578, #837991) python-pip (9.0.1-2+deb9u1) stretch; urgency=medium . * Team upload. * Add Properly_catch_requests_HTTPError_in_index.py.patch, which fixes --extra-index-url results in "HTTPError: 404 Client Error: NOT FOUND". The patch makes works even with the unbundled requests. (Closes: #837764). python-pykmip (0.5.0-4+deb9u1) stretch; urgency=medium . * CVE-2018-1000872: Resource Management Errors (similar issue to CVE-2015-5262) vulnerability in PyKMIP server that can result in DOS: the server can be made unavailable by one or more clients opening all of the available sockets. Applied upstream patch: Fix a denial-of-service bug by setting the server socket timeout (Closes: #917030). qtbase-opensource-src (5.7.1+dfsg-3+deb9u1) stretch-security; urgency=medium . * Backport fixes for: - CVE-2018-15518: “double free or corruption” in QXmlStreamReader - CVE-2018-19873: QBmpHandler segfault on malformed BMP file - CVE-2018-19870: Check for QImage allocation failure in qgifhandler * Backport ensure_pixel_density_of_at_least_1.patch in order to fix VLC after it's security update (Closes: #907139). r-cran-igraph (1.0.1-1+deb9u1) stretch; urgency=medium . * Add upstream patch to fix: CVE-2018-20349 (Closes: #917212). rails (2:4.2.7.1-1+deb9u1) stretch; urgency=medium . * CVE-2018-16476 (Closes: #914847) * CVE-2019-5418 / CVE-2019-5419 (Closes: #924520) rdesktop (1.8.4-1~deb9u1) stretch-security; urgency=medium . * Security backport for Stretch. * Relax debhelper build dependency. * Relax Standards-Version to 3.9.8 . rssh (2.3.4-5+deb9u4) stretch-security; urgency=high . * The fix for the scp security vulnerability in 2.3.4-9 combined with the regression fix in 2.3.4-10 rejected the -pf and -pt options, which are sent by libssh2's scp support. Add support for those variants. (LP #1815935) rsync (3.1.2-1+deb9u2) stretch; urgency=medium . * Apply CVEs from 2016 to the zlib code. closes:#924509 ruby-i18n (0.7.0-2+deb9u1) stretch; urgency=medium . * CVE-2014-10077: Prevent a remote denial-of-service vulnerability via an application crash by engineering a situation where `:some_key` is present in `keep_keys` but not present in the hash. (Closes: #913093) ruby2.3 (2.3.3-1+deb9u6) stretch-security; urgency=medium . * CVE-2019-8320, CVE-2019-8321, CVE-2019-8322, CVE-2019-8323, CVE-2019-8324 * CVE-2019-8325 ruby2.3 (2.3.3-1+deb9u5) stretch; urgency=medium . * Backport upstream patches to fix FTBFS due to expired SSL certificate and timezone changes (Closes: #919999) - imap: update test certificate - timezone changes for Japan and Kiritimati * test/ruby/test_gc.rb: skip entirely; some tests in there can fail unpredictably on buildds (Closes: #912740) ruby2.3 (2.3.3-1+deb9u4) stretch-security; urgency=high . * Non-maintainer upload by the Security Team. * OpenSSL::X509::Name equality check does not work correctly (CVE-2018-16395) * pack.c: avoid returning uninitialized String * Tainted flags are not propagated in Array#pack and String#unpack with some directives (CVE-2018-16396) ruby2.3 (2.3.3-1+deb9u3) stretch-security; urgency=medium . [ Santiago R.R. ] * Fix Command injection vulnerability in Net::FTP. [CVE-2017-17405] * webrick: use IO.copy_stream for multipart response. Required changes in WEBrick to fix CVE-2017-17742 and CVE-2018-8777 * Fix HTTP response splitting in WEBrick. [CVE-2017-17742] * Fix Command Injection in Hosts::new() by use of Kernel#open. [CVE-2017-17790] * Fix Unintentional directory traversal by poisoned NUL byte in Dir [CVE-2018-8780] * Fix multiple vulnerabilities in RubyGems. CVE-2018-1000073: Prevent Path Traversal issue during gem installation. CVE-2018-1000074: Fix possible Unsafe Object Deserialization Vulnerability in gem owner. CVE-2018-1000075: Strictly interpret octal fields in tar headers. CVE-2018-1000076: Raise a security error when there are duplicate files in a package. CVE-2018-1000077: Enforce URL validation on spec homepage attribute. CVE-2018-1000078: Mitigate XSS vulnerability in homepage attribute when displayed via gem server. CVE-2018-1000079: Prevent path traversal when writing to a symlinked basedir outside of the root. * Fix directory traversal vulnerability in the Dir.mktmpdir method in the tmpdir library [CVE-2018-6914] * Fix Unintentional socket creation by poisoned NUL byte in UNIXServer and UNIXSocket [CVE-2018-8779] * Fix Buffer under-read in String#unpack [CVE-2018-8778] * Fix tests to cope with updates in tzdata (Closes: #889117) * Exclude Rinda TestRingFinger and TestRingServer test units requiring network access (Closes: #898694) . [ Antonio Terceiro ] * debian/tests/excludes/any/TestTimeTZ.rb: ignore tests failing due to assumptions that don't hold on newer tzdata update. Upstream bug: https://bugs.ruby-lang.org/issues/14655 runc (0.1.1+dfsg1-2+deb9u1) stretch; urgency=medium . * Team upload. * Add patch to address CVE-2019-5736 (Closes: #922050) samba (2:4.5.16+dfsg-1+deb9u1) stretch-security; urgency=high . * This is a security release in order to address the following defect: - CVE-2019-3880 Save registry file outside share as unprivileged user spip (3.1.4-4~deb9u2) stretch-security; urgency=medium . * Update security screen to 1.3.11 * Backport security fix from 3.1.10 - Arbitrary code execution for any identified visitor (Closes: #926764) systemd (232-25+deb9u11) stretch-security; urgency=high . * pam-systemd: use secure_getenv() rather than getenv() Fixes a vulnerability in the systemd PAM module which insecurely uses the environment and lacks seat verification permitting spoofing an active session to PolicyKit. (CVE-2019-3842) systemd (232-25+deb9u10) stretch; urgency=medium . * journald: fix assertion failure on journal_file_link_data (Closes: #916880) * tmpfiles: fix "e" to support shell style globs (Closes: #918400) * mount-util: accept that name_to_handle_at() might fail with EPERM. Container managers frequently block name_to_handle_at(), returning EACCES or EPERM when this is issued. Accept that, and simply fall back to fdinfo-based checks. (Closes: #917122) * automount: ack automount requests even when already mounted. Fixes a race condition in systemd which could result in automount requests not being serviced and processes using them to hang, causing denial of service. (CVE-2018-1049) * core: when deserializing state always use read_line(…, LONG_LINE_MAX, …) Fixes improper serialization on upgrade which can influence systemd execution environment and lead to root privilege escalation. (CVE-2018-15686, Closes: #912005) systemd (232-25+deb9u9) stretch-security; urgency=high . * Non-maintainer upload by the Security Team. * Refuse dbus message paths longer than BUS_PATH_SIZE_MAX limit (CVE-2019-6454) * Allocate temporary strings to hold dbus paths on the heap (CVE-2019-6454) * sd-bus: if we receive an invalid dbus message, ignore and proceeed (CVE-2019-6454) thunderbird (1:60.6.1-1~deb9u1) stretch-security; urgency=medium . [ Carsten Schoenert ] * Rebuild for stretch-security thunderbird (1:60.5.1-1) unstable; urgency=medium . [ Alexander Nitsch ] * [c9775d4] Make the logo SVG square The original SVG source isn't completely square, modifying the SVG file so all generated other files from the input are also exactly square. * [6096812] Add script for generating PNGs from logo SVG * [4e9e5cc] Update icon PNGs to be properly scaled . [ Carsten Schoenert ] * [9e5527d] d/source.filter: add some configure scripts Filter out some files that are named 'configure', they are rebuild later anyway. The filtering of these files is moved from gbp.conf to source.filter. * [b63f2a2] Revert "d/gbp.conf: ignore configure script while importing" Reverting this commit as we need to move the files to filter to source.filter as the behaviour wasn't the expected outcome. * [4965c2a] New upstream version 60.5.1 Fixed CVE issues in upstream version 60.5.0 (MFSA 2019-06) CVE-2018-18356: Use-after-free in Skia CVE-2019-5785: Integer overflow in Skia CVE-2018-18335: Buffer overflow in Skia with accelerated Canvas 2D CVE-2018-18509: S/MIME signature spoofing thunderbird (1:60.5.1-1~deb9u1) stretch-security; urgency=medium . [ Carsten Schoenert ] * Rebuild for stretch-security thunderbird (1:60.5.0-3) unstable; urgency=medium . * [3e274d8] d/rules: move disable debug option into configure step Adding the option '--disable-debug-symbols' to the file mozconfig.default in case the build is running on a 32bit architecture instead of expanding the variable 'CONFIGURE_FLAGS'. The configuration approach for this option taken from firefox-esr was not working for the thunderbird package. * [b3d82d3] d/rules: reorder LDFLAGS for better readability Make the used additional options for LDFLAGS better readable by reordering the various used options. Also adding the option '-Wl, --as-needed' to the list of used options here. * [62d11e3] d/rules: use 'compress-debug-sections' only on 64bit Do not set 'LDFLAGS += -Wl,--compress-debug-sections=zlib' globally, lets use this option only if we are on a 64bit architecture as otherwise the build is failing on 32bit architectures again. We don't want to build any debug information on 32bit anyway so we don't need this option on these platforms. * [6225c44] d/mozconfig.default: adding option for mipsel We don't have set up any options for the mipsel platform before, but the build needs some additional options too on this platform to succeed. * [4e348d9] d/mozconfig.default: disable ion on mips and mipsel The build will fail on mips{,el} if we have enabled ION, the JaveScript JIT compiler on these platforms will loose some performance by this. thunderbird (1:60.5.0-2) unstable; urgency=medium . * [aa2dbe3] d/changelog: update MFSA information for 60.5.0 The MFSA gut published shortly after the upload of the previous version. Adding the CVE numbers for MFSA 2019-03 to the changelog accordingly like happen for 1:60.4.0-1 too. * [71807dc] rebuild patch queue from patch-queue branch Due greater changes to the source the previous rebuild and refreshing of the patch queue wasn't correctly nor complete. Some more rework was needed and some patches got cherry-picked from firefox-esr. readded patches (not included upstream): porting-mips/Bug-1444303-MIPS-Fix-build-failures-after-Bug-1425580-par.patch porting-mips/Bug-1444834-MIPS-Stubout-MacroAssembler-speculationBarrie.patch cherry-picked from firefox-esr: fixes/Bug-1470701-Use-run-time-page-size-when-changing-map.patch fixes/Bug-1505608-Try-to-ensure-the-bss-section-of-the-elf.patch porting-powerpc/powerpc-Don-t-use-static-page-sizes-on-powerpc.patch removed patches (included upstream): porting-s390x/FTBFS-s390x-Use-jit-none-AtomicOperations-sparc.h-on-s390.patch * [eaa065b] apparmor: update profile from upstream (commit 7ace41b1) * [c761425] d/rules: make dh_clean more robust Remove some regenerated files in dh_clean to the build will not fail in case the buils needs to be started twice within the same build environment. * [aa7b033] d/gbp.conf: ignore configure script while importing The shipped scripts '*configure' in the toplevel folder and also in js/src aren't needed and we can them filter out while importing the tarballs. These scripts got (re)created by dh_auto_configure nevertheless. * [9f0acb2] d/rules: tweek LDFLAGS more to reduce RAM usage Reduce RAM usage while linking by using compressed sections. (picked from firefox-esr) * [62f195d] d/rules: Don't build debug symbols on non 64bit platforms Reduce even more RAM usage while linking by don't build debugging symbols if we build on non 64bit architectures. (picked from firefox-esr) thunderbird (1:60.5.0-1) unstable; urgency=medium . * d/source.filter: update filter list Updating the list of files to filter out while repacking the upstream tarball based on recent work done in debian/experimental. Unfortunately a lot of semi minimized *.js files from the original upstream tarball are later needed within some integrated consoles like the AddOn debugger or the error console. Don't filter out such files for now. (Closes: #911198) * [edab34d] d/changelog: update MFSA information for 60.4.0 While releasing and uploading the Debian version 1:60.4.0-1 no MFSA information was available, adding this information now into the changelog entry for 1:60.4.0-1. * [f3f44a3] New upstream version 60.5.0 No dedicated MFSA announcement for this Thunderbird version provided. * [ccac089] rebuild patch queue from patch-queue branch removed patches (included upstream): porting-mips/Bug-1444303-MIPS-Fix-build-failures-after-Bug-1425580-par.patch porting-mips/Bug-1444834-MIPS-Stubout-MacroAssembler-speculationBarrie.patch removed patches (dropped by us): debian-hacks/Don-t-build-testing-suites-and-stuff.patch debian-hacks/Don-t-build-testing-suites-and-stuff-part-2.patch refreshed patches: debian-hacks/Add-another-preferences-directory-for-applications-p.patch porting-armel/Bug-1463035-Remove-MOZ_SIGNAL_TRAMPOLINE.-r-darchons.patch porting-kfreebsd-hurd/FTBFS-hurd-fixing-unsupported-platform-Hurd.patch porting-kfreebsd-hurd/adding-missed-HURD-adoptions.patch porting-kfreebsd-hurd/ipc-chromium-fix-if-define-for-kFreeBSD-and-Hurd.patch porting-m68k/Add-m68k-support-to-Thunderbird.patch porting-s390x/FTBFS-s390x-Use-jit-none-AtomicOperations-sparc.h-on-s390.patch porting-sparc64/Bug-1434726-Early-startup-crash-on-Linux-sparc64-in-HashI.patch * [43c28c2] d/s/lintian-overrides: more files to ignore Related to [4201f43] the override list for the source needs to be adjusted as we have now more files included there Lintian is complaining about missing source. These files are no 'real' minimized JS files, but the have mostly some long lines that are triggered the Lintian check. thunderbird (1:60.4.0-1) unstable; urgency=medium . * [2e5a9d0] d/control: don't hard code LLVM packages in B-D (Closes: #912797) * [3aaa4a6] New upstream version 60.4.0 No MFSA published yet by Mozilla Security while packaging this version. (Closes: #913645) * [12d3be3] debian/control: increase Standards-Version to 4.3.0 No further changes needed. tryton-server (4.2.1-2+deb9u1) stretch-security; urgency=high . * Include patches for CVE-2019-10868. * Add 03_sec_issue7766_check_read_access_in_search_domain.patch. This patch fixes security issue http://bugs.tryton.org/issue7766: Check read access on field in search domain. It is possible for an authenticated user to guess the value of a field for which he has no access right no matter if it is at the model or the field level. The procedure is to make dichotomous search queries on the model using a domain clause on the field equals value until the search returns the id. See also https://discuss.tryton.org/t/security-release-for-issue7766/ . * Add 04_sec_issue8189_check_read_access_on_search_order.patch. This patch fixes security issue http://bugs.tryton.org/issue8189: Check read access on field in search_order. An authenticated user can order records based on a field for which he has no access right. This may allow the user to guess values. See also https://discuss.tryton.org/t/security-release-for-issue8189/ twig (1.24.0-2+deb9u1) stretch-security; urgency=medium . * Team upload * Stick to v1 for stretch * Backport fix from 1.38: security issue in the sandbox [CVE-2019-9942] twitter-bootstrap3 (3.3.7+dfsg-2+deb9u2) stretch; urgency=medium . * Add patch to fix CVE-2019-8331: XSS in tooltip or popover tzdata (2019a-0+deb9u1) stretch; urgency=medium . * New upstream version, affecting the following past and future timestamps: - Palestine will not start DST until 2019-03-30, instead of 2019-03-23 as previously predicted. - Metlakatla ended its observance of Pacific standard time, rejoining Alaska Time, on 2019-01-20 at 02:00. tzdata (2018i-2) unstable; urgency=medium . * Update German debconf translation, by Holger Wansing. Closes: #918455. * Update Dutch debconf translation, by Frans Spiesschaert. Closes: #920427. * Update Russian debconf translation, by Lev Lamberov. Closes: #920598. * Update Danish debconf translation, by Joe Hansen. Closes: #923061. tzdata (2018i-1) unstable; urgency=high . * New upstream version, affecting the following future timestamps: - São Tomé and Príncipe switches from +01 to +00 on 2019-01-01. unzip (6.0-21+deb9u1) stretch; urgency=medium . * Fix buffer overflow in password protected ZIP archives. Closes: #889838. Patch borrowed from SUSE. For reference, this is CVE-2018-1000035. vcftools (0.1.14+dfsg-4+deb9u1) stretch; urgency=medium . * Team upload. * Add patch from upstream to fix CVE-2018-11099, CVE-2018-11129 and CVE-2018-11130 (Closes: #902190). vips (8.4.5-1+deb9u1) stretch; urgency=medium . * Fix CVE-2018-7998: NULL function pointer dereference vulnerability in the vips_region_generate() function. * Fix CVE-2019-6976: zero memory on malloc to prevent write of uninit memory under some error conditions. waagent (2.2.34-3~deb9u1) stretch; urgency=medium . * Upload to stretch. waagent (2.2.34-2) unstable; urgency=medium . * Disable all tests, they need a real system. (closes: #918943) waagent (2.2.34-1) unstable; urgency=medium . * New upstream version. waagent (2.2.26-1) unstable; urgency=medium . * New upstream version. * Update Vcs entries to point to salsa.debian.org. * Disable agent auto update. (closes: #887704) waagent (2.2.18-3) unstable; urgency=medium . * Move udev rules to /lib/udev. (closes: #856065) * Set priority to optional. waagent (2.2.18-3~deb9u2) stretch-security; urgency=high . * Set proper access rights on swap file. CVE-2019-0804 wget (1.18-5+deb9u3) stretch-security; urgency=high . * Non-maintainer upload by the Security Team. * Fix a buffer overflow vulnerability (CVE-2019-5953) (Closes: #926389) wireshark (2.6.7-1~deb9u1) stretch-security; urgency=high . * Non-maintainer upload by the Security Team. * Rebuild for stretch(-security). wireshark (2.6.6-1) unstable; urgency=medium . [ Jean-Philippe MENGUAL ] * French debconf translation update (Closes: #915161) . [ Balint Reczey ] * New upstream version 2.6.6 - security fixes: - The P_MUL dissector could crash. (CVE-2019-5717) - The RTSE dissector and other dissectors could crash. (CVE-2019-5718) - The ISAKMP dissector could crash. (CVE-2019-5719) - The 6LoWPAN dissector could crash. (CVE-2019-5716) * Mention GPLv3+ code snippet in tools/pidl/idl.yp (Closes: #918089) wireshark (2.6.5-1) unstable; urgency=medium . * Add debian/gitlab-ci.yml * New upstream version 2.6.5 - release notes: https://www.wireshark.org/docs/relnotes/wireshark-2.6.5.html - security fixes: - The Wireshark dissection engine could crash. (CVE-2018-19625) - The DCOM dissector could crash. (CVE-2018-19626) - The LBMPDM dissector could crash. (CVE-2018-19623) - The MMSE dissector could go into an infinite loop. (CVE-2018-19622) - The IxVeriWave file parser could crash. (CVE-2018-19627) - The PVFS dissector could crash. (CVE-2018-19624) - The ZigBee ZCL dissector could crash. (CVE-2018-19628) * Update symbols wordpress (4.7.5+dfsg-2+deb9u5) stretch-security; urgency=medium . * Backport security patches from wordpress 5.0.1 Closes: #916403 - CVE-2018-20147 Delete files through altered meta data - CVE-2018-20152 Create posts of unauthorized post types - CVE-2018-20148 PHP object injection through crafted meta data - CVE-2018-20153 Edit other users comments, leading to XSS - CVE-2018-20150 XSS in plugins through crafted URL inputs - CVE-2018-20151 User activation screen visible to search engines - CVE-2018-20149 Bypass MIME verification causing XSS - CVE-2019-8942 Remote Code Execution (RCE) in uploaded image files wpa (2:2.4-1+deb9u3) stretch-security; urgency=high . * Apply a partial security fix for CVE-2019-9495: - OpenSSL: Use constant time operations for private bignums. - See https://w1.fi/security/2019-2/ for more details. * Apply security fixes: - EAP-pwd server: Detect reflection attacks (CVE-2019-9497) - EAP-pwd client: Verify received scalar and element (partial fix for CVE-2019-9498) - EAP-pwd server: Verify received scalar and element (partial fix for CVE-2019-9499) - See https://w1.fi/security/2019-4/ for more details. * Add an upstream patch to add crypto_ec_point_cmp() required by the fixes for CVE-2019-9497. * Forcefully enable compilation of the ECC code. . wpa (2:2.4-1+deb9u2) stretch; urgency=high . * SECURITY UPDATE: - CVE-2018-14526: Ignore unauthenticated encrypted EAPOL-Key data (Closes: #905739) xmltooling (1.6.0-4+deb9u2) stretch-security; urgency=high . * [2f0c065] New patch fixing CVE-2019-9628: uncaught exception on malformed XML declaration. Invalid data in the XML declaration causes an exception of a type that was not handled properly in the parser class and propagates an unexpected exception type. This generally manifests as a crash in the calling code, which in the Service Provider software's case is usually the shibd daemon process, but can be Apache in some cases. Note that the crash occurs prior to evaluation of a message's authenticity, so can be exploited by an untrusted attacker. https://shibboleth.net/community/advisories/secadv_20190311.txt https://issues.shibboleth.net/jira/browse/CPPXT-143 Thanks to Scott Cantor (Closes: #924346) yorick-av (0.0.4-2~deb9u1) stable; urgency=low . * Rebuild for stretch. zziplib (0.13.62-3.2~deb9u1) stretch; urgency=medium . * Rebuild for stretch. ====================================== Sat, 16 Feb 2019 - Debian 9.8 released ====================================== ========================================================================= [Date: Sat, 16 Feb 2019 09:45:34 +0000] [ftpmaster: Archive Administrator] Removed the following packages from stable: debian-parl | 1.9.10 | source parl-data | 1.9.10 | all parl-desktop | 1.9.10 | all parl-desktop-eu | 1.9.10 | all parl-desktop-strict | 1.9.10 | all parl-desktop-world | 1.9.10 | all Closed bugs: 921749 ------------------- Reason ------------------- RoQA; depends on broken / removed Firefox plugins ---------------------------------------------- ========================================================================= ========================================================================= [Date: Sat, 16 Feb 2019 09:45:56 +0000] [ftpmaster: Archive Administrator] Removed the following packages from stable: xul-ext-y-u-no-validate | 2013052407-3 | all y-u-no-validate | 2013052407-3 | source Closed bugs: 908405 ------------------- Reason ------------------- RoQA; incompatible with newer firefox-esr versions ---------------------------------------------- ========================================================================= ========================================================================= [Date: Sat, 16 Feb 2019 09:46:28 +0000] [ftpmaster: Archive Administrator] Removed the following packages from stable: mozvoikko | 2.2-0.1 | source xul-ext-mozvoikko | 2.2-0.1 | all Closed bugs: 912465 ------------------- Reason ------------------- RoQA; incompatible with newer firefox-esr versions ---------------------------------------------- ========================================================================= ========================================================================= [Date: Sat, 16 Feb 2019 09:47:19 +0000] [ftpmaster: Archive Administrator] Removed the following packages from stable: personasplus | 1.7.8-1 | source xul-ext-personasplus | 1.7.8-1 | all Closed bugs: 913436 ------------------- Reason ------------------- RoQA; incompatible with newer firefox-esr versions ---------------------------------------------- ========================================================================= ========================================================================= [Date: Sat, 16 Feb 2019 09:48:00 +0000] [ftpmaster: Archive Administrator] Removed the following packages from stable: corebird | 1.4.1-1+deb9u1 | source, amd64, arm64, armel, armhf, i386, mips, mips64el, mipsel, ppc64el, s390x Closed bugs: 915292 ------------------- Reason ------------------- RoM; broken by Twitter API changes ---------------------------------------------- ========================================================================= ========================================================================= [Date: Sat, 16 Feb 2019 09:49:19 +0000] [ftpmaster: Archive Administrator] Removed the following packages from stable: firefox-branding-iceweasel | 0.4.0 | source xul-ext-iceweasel-branding | 0.4.0 | all Closed bugs: 918160 ------------------- Reason ------------------- RoQA; incompatible with newer firefox-esr versions ---------------------------------------------- ========================================================================= ========================================================================= [Date: Sat, 16 Feb 2019 09:49:37 +0000] [ftpmaster: Archive Administrator] Removed the following packages from stable: imap-acl-extension | 0.2.7-1 | source xul-ext-imap-acl | 0.2.7-1 | all Closed bugs: 918254 ------------------- Reason ------------------- RoQA; incompatible with newer firefox-esr versions ---------------------------------------------- ========================================================================= ========================================================================= [Date: Sat, 16 Feb 2019 09:50:26 +0000] [ftpmaster: Archive Administrator] Removed the following packages from stable: toggle-proxy | 1.9-2 | source xul-ext-toggle-proxy | 1.9-2 | all Closed bugs: 918257 ------------------- Reason ------------------- RoQA; incompatible with newer firefox-esr versions ---------------------------------------------- ========================================================================= ========================================================================= [Date: Sat, 16 Feb 2019 09:51:21 +0000] [ftpmaster: Archive Administrator] Removed the following packages from stable: mozilla-password-editor | 2.10.3-1 | source xul-ext-password-editor | 2.10.3-1 | all Closed bugs: 918258 ------------------- Reason ------------------- RoQA; incompatible with newer firefox-esr versions ---------------------------------------------- ========================================================================= ========================================================================= [Date: Sat, 16 Feb 2019 09:52:30 +0000] [ftpmaster: Archive Administrator] Removed the following packages from stable: firefox-kwallet5 | 1.0-2 | source xul-ext-kwallet5 | 1.0-2 | amd64, arm64, armel, armhf, i386, mips, mips64el, mipsel, ppc64el, s390x Closed bugs: 918346 ------------------- Reason ------------------- RoQA; incompatible with newer firefox-esr versions ---------------------------------------------- ========================================================================= ========================================================================= [Date: Sat, 16 Feb 2019 09:55:34 +0000] [ftpmaster: Archive Administrator] Removed the following packages from stable: adblock-plus | 2.7.3+dfsg-1 | source xul-ext-adblock-plus | 2.7.3+dfsg-1 | all Closed bugs: 918347 ------------------- Reason ------------------- RoQA; incompatible with newer firefox-esr versions ---------------------------------------------- ========================================================================= ========================================================================= [Date: Sat, 16 Feb 2019 09:56:40 +0000] [ftpmaster: Archive Administrator] Removed the following packages from stable: mozilla-dom-inspector | 1:2.0.16-2 | source xul-ext-dom-inspector | 1:2.0.16-2 | all Closed bugs: 918349 ------------------- Reason ------------------- RoQA; incompatible with newer firefox-esr versions ---------------------------------------------- ========================================================================= ========================================================================= [Date: Sat, 16 Feb 2019 09:56:54 +0000] [ftpmaster: Archive Administrator] Removed the following packages from stable: browser-plugin-spice | 2.8.90-5 | amd64, arm64, armel, armhf, i386, mips, mips64el, mipsel, ppc64el, s390x spice-xpi | 2.8.90-5 | source Closed bugs: 918350 ------------------- Reason ------------------- RoQA; incompatible with newer firefox-esr versions ---------------------------------------------- ========================================================================= ========================================================================= [Date: Sat, 16 Feb 2019 09:57:26 +0000] [ftpmaster: Archive Administrator] Removed the following packages from stable: flickrbackup | 0.2-3.1 | source, all Closed bugs: 919797 ------------------- Reason ------------------- RoM; ancient; abandoned upstream; deprecated ---------------------------------------------- ========================================================================= ========================================================================= [Date: Sat, 16 Feb 2019 09:57:46 +0000] [ftpmaster: Archive Administrator] Removed the following packages from stable: python-formalchemy | 1.4.2-1 | source, amd64, arm64, armel, armhf, i386, mips, mips64el, mipsel, ppc64el, s390x Closed bugs: 920560 ------------------- Reason ------------------- RoQA; unusable, fails to import in python ---------------------------------------------- ========================================================================= ========================================================================= [Date: Sat, 16 Feb 2019 09:58:01 +0000] [ftpmaster: Archive Administrator] Removed the following packages from stable: flashblock | 1.5.20-2 | source xul-ext-flashblock | 1.5.20-2 | all Closed bugs: 920717 ------------------- Reason ------------------- RoQA; incompatible with newer firefox-esr versions ---------------------------------------------- ========================================================================= ========================================================================= [Date: Sat, 16 Feb 2019 09:58:19 +0000] [ftpmaster: Archive Administrator] Removed the following packages from stable: refcontrol | 0.8.17-3 | source xul-ext-refcontrol | 0.8.17-3 | all Closed bugs: 920718 ------------------- Reason ------------------- RoQA; incompatible with newer firefox-esr versions ---------------------------------------------- ========================================================================= ========================================================================= [Date: Sat, 16 Feb 2019 09:58:54 +0000] [ftpmaster: Archive Administrator] Removed the following packages from stable: cookie-monster | 1.3.0.5-1 | source xul-ext-cookie-monster | 1.3.0.5-1 | all Closed bugs: 920719 ------------------- Reason ------------------- RoQA; incompatible with newer firefox-esr versions ---------------------------------------------- ========================================================================= ========================================================================= [Date: Sat, 16 Feb 2019 09:59:38 +0000] [ftpmaster: Archive Administrator] Removed the following packages from stable: requestpolicy | 1.0.0~beta12.3+dfsg-1 | source xul-ext-requestpolicy | 1.0.0~beta12.3+dfsg-1 | all Closed bugs: 920722 ------------------- Reason ------------------- RoQA; incompatible with newer firefox-esr versions ---------------------------------------------- ========================================================================= ========================================================================= [Date: Sat, 16 Feb 2019 09:59:59 +0000] [ftpmaster: Archive Administrator] Removed the following packages from stable: mozilla-noscript | 2.9.0.14-1 | source xul-ext-noscript | 2.9.0.14-1 | all Closed bugs: 920724 ------------------- Reason ------------------- RoQA; incompatible with newer firefox-esr versions ---------------------------------------------- ========================================================================= ========================================================================= [Date: Sat, 16 Feb 2019 10:00:15 +0000] [ftpmaster: Archive Administrator] Removed the following packages from stable: debianbuttons | 1.11-3 | source xul-ext-debianbuttons | 1.11-3 | all Closed bugs: 921129 ------------------- Reason ------------------- RoQA; incompatible with newer firefox-esr versions ---------------------------------------------- ========================================================================= ========================================================================= [Date: Sat, 16 Feb 2019 10:00:33 +0000] [ftpmaster: Archive Administrator] Removed the following packages from stable: calendar-exchange-provider | 3.9.0-4 | source, all Closed bugs: 921932 ------------------- Reason ------------------- RoM; incompatible with newer Thunderbird versions ---------------------------------------------- ========================================================================= ========================================================================= [Date: Sat, 16 Feb 2019 10:00:50 +0000] [ftpmaster: Archive Administrator] Removed the following packages from stable: libwww-topica-perl | 0.6-5 | source, all Closed bugs: 922110 ------------------- Reason ------------------- RoQA; useless due to Topica site removal ---------------------------------------------- ========================================================================= ========================================================================= [Date: Sat, 16 Feb 2019 10:14:07 +0000] [ftpmaster: Archive Administrator] Removed the following packages from stable: libnvidia-egl-wayland1 | 384.130-1 | amd64, armhf, i386 nvidia-egl-wayland-common | 384.130-1 | amd64, armhf, i386 nvidia-egl-wayland-icd | 384.130-1 | amd64, armhf, i386 ------------------- Reason ------------------- [auto-cruft] NBS (no longer built by nvidia-graphics-drivers) ---------------------------------------------- ========================================================================= ========================================================================= [Date: Sat, 16 Feb 2019 10:25:58 +0000] [ftpmaster: Archive Administrator] Removed the following packages from stable: python-certbot | 0.10.2-1 | all ------------------- Reason ------------------- [cruft] NBS (no longer built by python-certbot) ---------------------------------------------- ========================================================================= arc (5.21q-4+deb9u1) stretch; urgency=medium . * Non-maintainer upload. * Fix version 1 arc header reading * Fix arcdie crash when called with more then 1 variable argument * Fix directory traversal bugs (CVE-2015-9275) Thanks to Hans de Goede (Closes: #774527) astroml-addons (0.2.2-4~deb9u1) stretch; urgency=medium . * Non-maintainer upload. * Rebuild for stretch. . astroml-addons (0.2.2-4) unstable; urgency=medium . * Push Standards-Version to 4.0.0. No changes needed. . [ Scott Kitterman ] * Correct substitution variable for python3 binary so correct python3 interpreter depends are provided. Closes: #867243 base-files (9.9+deb9u8) stretch; urgency=medium . * Change /etc/debian_version to 9.8, for Debian 9.8 point release. c3p0 (0.9.1.2-9+deb9u1) stretch; urgency=medium . * Team upload. * Fix CVE-2018-20433. A XML External Entity (XXE) vulnerability was discovered in c3p0 that may be used to resolve information outside of the intended sphere of control. (Closes: #917257) ca-certificates-java (20170929~deb9u1) stretch; urgency=medium . * Rebuild for stretch. . ca-certificates-java (20170929) unstable; urgency=low . [ Gianfranco Costamagna ] * Team upload. * Ack previous NMU, thanks . [ Rico Tzschichholz ] * Fix temporary jvm-*.cfg generation on armhf (Closes: #874276) - the armhf installation path is different from other architectures. ceph (10.2.11-2) stretch-security; urgency=medium . [ James Page ] * [d34d35] Fix build on i386 (Closes: #913909) ceph (10.2.11-1) stretch-security; urgency=medium . * [1aebf9] New upstream version 10.2.11 Fixes the following security vulnerabilities: - CVE-2017-7519: libradosstripper printf format string injection vulnerability - CVE-2018-1128: The cephx authentication protocol was vulnerable to a replay attack. - CVE-2018-1129: Cephx signature calculation did not cover the whole message being sent. This allowed an attacker to alter parts of the message. - CVE-2018-1086: A flaw was found in the way ceph mon handles user requests. Any authenticated ceph user having read access to ceph can delete, create ceph storage pools and corrupt snapshot images. * [20b8e7] Replace sleep-recover.patch by reconnect-after-mds-reset.patch * [33f8d2] Remove CVE-2016-9597 patch applied upstream * [a9c2ee] Remove disable-openssl-linking.patch fixed upstream The upstream solution requires a build dependency on libssl-dev to be able to look up the sonames. The resulting code is not linked against libssl but can dlopen it at runtime. * [edc23d] Remove osd-limit-omap-data-in-push-op.patch applied upstream * [9dd30c] Remove rgw_rados-creation_time.patch applied upstream * [fff91f] Refresh patches * [c2925f] Update symbols for librbd1 (added in 10.2.6) ceph (10.2.7-0exp1) experimental; urgency=medium . [ James Page ] * [585f53] New upstream version 10.2.6 . [ Gaudenz Steinlin ] * [41b6fd] New upstream version 10.2.7 * [916972] Remove patch "cve-2016-9579_short_cors_request" applied upstream * [541204] Remove patch "disable-openssl-linking" sovled upstream * [60cc3d] Remove patch "osd-limit-omap-data-in-push-op" applied upstream * [ee0f76] Remove patch "rgw_rados-creation_time" applied upstream * [f07cb0] Refresh patches for 10.2.7 * [be7663] Build depend on libssl-dev. This is only needed to satisfy the build system checks the resulting binary is not linked against openssl and only dlopens it at runtime. So there is no GPL violation. chkrootkit (0.50-4+deb9u1) stretch; urgency=medium . * Non-maintainer upload. * Backport fix for regular expression for filtering out dhcpd and dhclient as false positives from the packet sniffer test. . [ Lorenzo "Palinuro" Faletra ] * Update /etc/cron.daily/chkrootkit (Closes: #600109) chromium-browser (70.0.3538.110-1~deb9u1) stretch-security; urgency=medium . * New upstream security release. - CVE-2018-17479: Use-after-free in GPU. chromium-browser (70.0.3538.102-1) unstable; urgency=medium . * New upstream security release. - CVE-2018-17478: Out of bounds memory access in V8. Reported by cloudfuzzer * Fix new lintian warnings. * Drop libjs-excanvas build dependency. * Add support for building with harfbuzz 2.1.1. * Document how to run chromium as root (closes: #838534). * Output debian specific instructions when no working sandbox is available. * Do not rely on transitive recommendation for the sandbox (closes: #913116). chromium-browser (70.0.3538.102-1~deb9u1) stretch-security; urgency=medium . * New upstream security release. - CVE-2018-17478: Out of bounds memory access in V8. Reported by cloudfuzzer * Eliminate unintended dependency on gconf-service (closes: #913926). * Restore arm64 crashpad patch mistakenly dropped in the previous upload. chromium-browser (70.0.3538.67-3) unstable; urgency=medium . * Fix a compiler warning. * Move the setuid sandbox into a separate package (closes: #839277). chromium-browser (70.0.3538.67-2) unstable; urgency=medium . * Restore support for building with gtk2. chromium-browser (70.0.3538.67-1) unstable; urgency=medium . * New upstream stable release. - CVE-2018-17462: Sandbox escape in AppCache. Reported by Ned Williamson and Niklas Baumstark - CVE-2018-17463: Remote code execution in V8. Reported by Ned Williamson and Niklas Baumstark - Heap buffer overflow in Little CMS in PDFium. Reported by Quang Nguyễn - CVE-2018-17464: URL spoof in Omnibox. Reported by xisigr - CVE-2018-17465: Use after free in V8. Reported by Lin Zuojian - CVE-2018-17466: Memory corruption in Angle. Reported by Omair - CVE-2018-17467: URL spoof in Omnibox. Reported by Khalil Zhani - CVE-2018-17468: Cross-origin URL disclosure in Blink. Reported by James Lee - CVE-2018-17469: Heap buffer overflow in PDFium. Reported by Zhen Zhou - CVE-2018-17470: Memory corruption in GPU Internals. Reported by Zhe Jin - CVE-2018-17471: Security UI occlusion in full screen mode. Reported by Lnyas Zhang - CVE-2018-17473: URL spoof in Omnibox. Reported by Khalil Zhani - CVE-2018-17474: Use after free in Blink. Reported by Zhe Jin - CVE-2018-17475: URL spoof in Omnibox. Reported by Vladimir Metnew - CVE-2018-17476: Security UI occlusion in full screen mode. Reported by Khalil Zhani - CVE-2018-5179: Lack of limits on update() in ServiceWorker. Reported by Yannic Bonenberger - CVE-2018-17477: UI spoof in Extensions. Reported by Aaron Muir Hamilton * Fix build failure on i386. * Fix installation path of the master preferences file (closes: #911056). chromium-browser (70.0.3538.67-1~deb9u1) stretch-security; urgency=medium . * New upstream stable release. - CVE-2018-17462: Sandbox escape in AppCache. Reported by Ned Williamson and Niklas Baumstark - CVE-2018-17463: Remote code execution in V8. Reported by Ned Williamson and Niklas Baumstark - Heap buffer overflow in Little CMS in PDFium. Reported by Quang Nguyễn - CVE-2018-17464: URL spoof in Omnibox. Reported by xisigr - CVE-2018-17465: Use after free in V8. Reported by Lin Zuojian - CVE-2018-17466: Memory corruption in Angle. Reported by Omair - CVE-2018-17467: URL spoof in Omnibox. Reported by Khalil Zhani - CVE-2018-17468: Cross-origin URL disclosure in Blink. Reported by James Lee - CVE-2018-17469: Heap buffer overflow in PDFium. Reported by Zhen Zhou - CVE-2018-17470: Memory corruption in GPU Internals. Reported by Zhe Jin - CVE-2018-17471: Security UI occlusion in full screen mode. Reported by Lnyas Zhang - CVE-2018-17473: URL spoof in Omnibox. Reported by Khalil Zhani - CVE-2018-17474: Use after free in Blink. Reported by Zhe Jin - CVE-2018-17475: URL spoof in Omnibox. Reported by Vladimir Metnew - CVE-2018-17476: Security UI occlusion in full screen mode. Reported by Khalil Zhani - CVE-2018-5179: Lack of limits on update() in ServiceWorker. Reported by Yannic Bonenberger - CVE-2018-17477: UI spoof in Extensions. Reported by Aaron Muir Hamilton chromium-browser (70.0.3538.54-2) unstable; urgency=medium . * Build with gcc 8 (closes: #901368). * Move the master preferences file to /etc/chromium (closes: #891232). chromium-browser (70.0.3538.54-1) unstable; urgency=medium . * New upstream beta release. chromium-browser (69.0.3497.100-1) unstable; urgency=medium . * New upstream stable release. * Update standards version to 4.2.1. * Clarify debugging section in README.debian (closes: #910842). * Remove ConvertUTF from the upstream tarball (closes: #900596). * Load all extensions installed to /usr/share/chromium/extensions. - Thanks to Michael Meskes (closes: #890392). * Remove audio_capture_enable setting from the default preferences (closes: #884887). chromium-browser (69.0.3497.92-1) unstable; urgency=medium . * New upstream security release. - Function signature mismatch in WebAssembly. Reported by Kevin Cheung - URL Spoofing in Omnibox. Reported by evi1m0 compactheader (2.1.6-1~deb9u1) stretch; urgency=medium . [ Carsten Schoenert ] * Rebuild for Stretch (Closes: #918167) * [93f8afe] debhelper: decrease to version available in stretch * [8fd6a50] d/compat: decrease accordingly to version 10 compactheader (2.1.5-1) unstable; urgency=medium . [ David Prévot ] * [faa4ffb] Drop Icedove from description * [58353f3] Update Standards-Version to 3.9.7 . [ Carsten Schoenert ] * [c9d19db] Adding debian/gbp.conf to make life easier * [5e31e42] New upstream version 2.1.5 (Closes: #891433) * [a7e96da] Add a patch queue * [15ea418] d/rules: don't install unneeded files and folder Don't install and ship files from the folder test and the files Readme.md build.xml which aren't needed for the use of the package. * [6d45fe5] d/rules: remove the get-orig-source target The old get-orig-source Makefile target isn't needed and can be dropped in favor of using uscan directly. * [449a5e1] bumping debhelper and compat to version 11 Let's use a recent debhelper version. * [27ff6a3] d/control: increase Standards-Version to 4.1.4 No further changes needed. * [8a365a5] d/control: move package over to pkg-mozext-team on salsa Alioth will be going offline and the successor platform is Salsa. * [891ab67] d/control: adding myself as uploader Thanks to William for working on compactheader in the past! (Closes: #892410) * [23957a9] d/control: adjust Maintainer field due changed email address Due changes for the Alioth host the Maintainer email is also changing to a new domain. compactheader (2.1.1~beta1-1) experimental; urgency=medium . * Team upload . [ jmozmoz ] * Add Portuguese translation courier (0.76.3-5+deb9u1) stretch; urgency=medium . [ Andreas Beckmann ] * Non-maintainer upload. * Backport @piddir@ substitution from 1.0.5-1. . [ Markus Wanner ] * Extend patch 0018-Fix-default-configuration-for-Debian.patch with the piddir addition proposed by Willi Mann. Closes: #875696. cups (2.2.1-8+deb9u3) stretch; urgency=low . * Backport upstream fixes for: - CVE-2017-18248: DBUS notifications could crash the scheduler - CVE-2018-4700: Linux session cookies used a predictable random number seed (Closes: #915909) curl (7.52.1-5+deb9u9) stretch-security; urgency=high . * Fix NTLM type-2 out-of-bounds buffer read as per CVE-2018-16890 https://curl.haxx.se/docs/CVE-2018-16890.html * Fix NTLMv2 type-3 header stack buffer overflow as per CVE-2019-3822 https://curl.haxx.se/docs/CVE-2019-3822.html * Fix SMTP end-of-response out-of-bounds read as per CVE-2019-3823 https://curl.haxx.se/docs/CVE-2019-3823.html debian-edu-config (1.929+deb9u3) stretch; urgency=medium . [ Wolfgang Schweer ] * debian-edu-config.chromium-ldapconf: Remove slapd start requirement. . debian-edu-config (1.929+deb9u2) stretch; urgency=medium . [ Wolfgang Schweer ] * Fix configuration of personal web pages. (Closes: #866228). - Set right order of linking in cf/cf.apache2. - Add conditional code to d/d-e-c.postinst to fix the wrong configuration generated via the cfengine run during main server installation (introduced in version 1.926). * Re-enable offline installation of a combi server including diskless workstation support. (Closes: #867271, #904331). - 015-edu-apt-source: fix apt-get options to be able to use a repo of type 'file://'. As 'media/cdrom/' in the LTSP chroot is treated as such a repo, add 'acquire::check-valid-until=0' to APT_GET_OPTS; otherwise installation fails because the Release file is expired. - 032-edu-pkgs: Move all diskless workstation installation parts to the finalization stage of LTSP chroot installation. * Enable Chromium homepage setting at installation time and via LDAP as further improvements for the fix for bug #891262 in version 1.929+deb9u1: - Add cf/cf.chromium (cfengine). - Add debian/debian-edu-config.chromium-ldapconf (init script). - Add share/debian-edu-config/tools/update-chromium-homepage (used by both cfengine and the init script). - Adjust Makefile and debian/rules. . [ Mike Gabriel ] * update-chromium-homepage: - Don't complain about non-existing config file when attempting its removal. - Don't statically set http://www as homepage, use detected homepage instead. (Closes: #911790) debian-edu-config (1.929+deb9u2) stretch; urgency=medium . [ Wolfgang Schweer ] * Fix configuration of personal web pages. (Closes: #866228). - Set right order of linking in cf/cf.apache2. - Add conditional code to d/d-e-c.postinst to fix the wrong configuration generated via the cfengine run during main server installation (introduced in version 1.926). * Re-enable offline installation of a combi server including diskless workstation support. (Closes: #867271, #904331). - 015-edu-apt-source: fix apt-get options to be able to use a repo of type 'file://'. As 'media/cdrom/' in the LTSP chroot is treated as such a repo, add 'acquire::check-valid-until=0' to APT_GET_OPTS; otherwise installation fails because the Release file is expired. - 032-edu-pkgs: Move all diskless workstation installation parts to the finalization stage of LTSP chroot installation. * Enable Chromium homepage setting at installation time and via LDAP as further improvements for the fix for bug #891262 in version 1.929+deb9u1: - Add cf/cf.chromium (cfengine). - Add debian/debian-edu-config.chromium-ldapconf (init script). - Add share/debian-edu-config/tools/update-chromium-homepage (used by both cfengine and the init script). - Adjust Makefile and debian/rules. . [ Mike Gabriel ] * update-chromium-homepage: - Don't complain about non-existing config file when attempting its removal. - Don't statically set http://www as homepage, use detected homepage instead. (Closes: #911790) debian-installer-netboot-images (20170615+deb9u5.b2) stretch; urgency=medium . * Update to 20170615+deb9u5+b2 images, from stretch-proposed-update debian-security-support (2019.02.01~deb9u1) stretch; urgency=medium . * Team upload. * Rebuild for stretch, without d/control changes. debian-security-support (2019.01.19) unstable; urgency=medium . * Team upload. . [ Holger Levsen ] * d/control: - bump standards version to 4.3.0. - bump debhelper compat to 11, use the new debhelper-compat(=11) notation and drop d/compat. - add "Rules-Requires-Root: no" to support building as non-root. debian-security-support (2018.11.25) unstable; urgency=medium . * Team upload. . [ Markus Koschany ] * Mark jasperreports as end-of-life in Jessie. . [ Salvatore Bonaccorso ] * Mark webkit2gtk as unsupported in all releases. (Closes: #914567) . [ Holger Levsen ] * Bump standards version to 4.2.1. . [ Ondřej Nový ] * d/copyright: Use https protocol in Format field. * d/changelog: Remove trailing whitespaces. debian-security-support (2018.11.25~deb9u1) stretch; urgency=medium . * Team upload. * Rebuild for stretch. . debian-security-support (2018.11.25) unstable; urgency=medium . * Team upload. . [ Markus Koschany ] * Mark jasperreports as end-of-life in Jessie. . [ Salvatore Bonaccorso ] * Mark webkit2gtk as unsupported in all releases. (Closes: #914567) . [ Holger Levsen ] * Bump standards version to 4.2.1. . [ Ondřej Nový ] * d/copyright: Use https protocol in Format field. * d/changelog: Remove trailing whitespaces. . debian-security-support (2018.06.08) unstable; urgency=medium . * Add .gitlab-ci.yml configuration * Mark jruby in jessie as end-of-life as per DSA-4219-1 (Closes: #901032) . debian-security-support (2018.05.20) unstable; urgency=medium . * Mark vlc in jessie as end-of-life as per DSA 4203-1 . debian-security-support (2018.05.17) unstable; urgency=medium . [ Antoine Beaupré ] * mark frontaccounting as unsupported . [ Markus Koschany ] * Add xulrunner to security-support-ended.deb7 . [ Salvatore Bonaccorso ] * Mark redmine as end-of-life for Debian 8 (jessie) (Closes: #897609) * Update Vcs-* headers for switch to salsa.debian.org * Update German translations. Thanks to Chris Leick (Closes: #878321) . debian-security-support (2018.01.29) unstable; urgency=medium . [ Markus Koschany ] * Add teamspeak to security-support-ended.deb7 * Add libstruts1.2-java to security-support-ended.deb7. * Add nvidia-graphics-drivers to security-support-ended.deb7. Non-free is not supported * Add glassfish to security-support-ended.deb7 * Mark jbossas4 as end-of-life in Wheezy. * Mark jasperreports as unsupported in Wheezy. No sponsor users it. Targeted fixes not possible because detailed information about the vulnerabilities and their solution (patches) is not available. . [ Salvatore Bonaccorso ] * Mark chromium-browser as end-of-life for Debian 8 (Jessie) . [ Raphaël Hertzog ] * Mark libnet-ping-external-perl as unsupported in wheezy. * Mark mp3gain as unsupported in wheezy. . [ Emilio Pozuelo Monfort ] * Mark tor as unsupported in wheezy. . [ Guido Günther ] * Add swftools to security support limited swftools is orphaned (#885088) and the security tracker is currently counting 25 open CVEs. It is a useful tool with trusted content though. * Bump standards version to 4.1.3. No changes needed * Bump debhelper compat level to 9 which is available in oldoldstable (wheezy). debian-security-support (2018.06.08) unstable; urgency=medium . * Add .gitlab-ci.yml configuration * Mark jruby in jessie as end-of-life as per DSA-4219-1 (Closes: #901032) debian-security-support (2018.05.20) unstable; urgency=medium . * Mark vlc in jessie as end-of-life as per DSA 4203-1 debian-security-support (2018.05.17) unstable; urgency=medium . [ Antoine Beaupré ] * mark frontaccounting as unsupported . [ Markus Koschany ] * Add xulrunner to security-support-ended.deb7 . [ Salvatore Bonaccorso ] * Mark redmine as end-of-life for Debian 8 (jessie) (Closes: #897609) * Update Vcs-* headers for switch to salsa.debian.org * Update German translations. Thanks to Chris Leick (Closes: #878321) debian-security-support (2018.01.29) unstable; urgency=medium . [ Markus Koschany ] * Add teamspeak to security-support-ended.deb7 * Add libstruts1.2-java to security-support-ended.deb7. * Add nvidia-graphics-drivers to security-support-ended.deb7. Non-free is not supported * Add glassfish to security-support-ended.deb7 * Mark jbossas4 as end-of-life in Wheezy. * Mark jasperreports as unsupported in Wheezy. No sponsor users it. Targeted fixes not possible because detailed information about the vulnerabilities and their solution (patches) is not available. . [ Salvatore Bonaccorso ] * Mark chromium-browser as end-of-life for Debian 8 (Jessie) . [ Raphaël Hertzog ] * Mark libnet-ping-external-perl as unsupported in wheezy. * Mark mp3gain as unsupported in wheezy. . [ Emilio Pozuelo Monfort ] * Mark tor as unsupported in wheezy. . [ Guido Günther ] * Add swftools to security support limited swftools is orphaned (#885088) and the security tracker is currently counting 25 open CVEs. It is a useful tool with trusted content though. * Bump standards version to 4.1.3. No changes needed * Bump debhelper compat level to 9 which is available in oldoldstable (wheezy). dnspython (1.15.0-1+deb9u1) stretch; urgency=medium . * Add debian/patches/0002-fix-error-when-parsing-nsec3-bitmap-from- text.patch from upstream (Closes: #915866) drupal7 (7.52-2+deb9u6) stretch-security; urgency=high . [ William Blough ] * Add upstream fix for DATE_RFC7231 conflict with php7 (Closes: #911791) . [ Gunnar Wolf ] * SA-CORE-2019-001: Vulnerability in a third-party library (related to CVE-2018-1000888) * SA-CORE-2019-002: Arbitrary PHP code execution egg (4.2.0-1.1+deb9u1) stretch; urgency=medium . * Non-maintainer upload. * Skip emacsen-install for unsupported xemacs21. (Closes: #900812) erlang (1:19.2.1+dfsg-2+deb9u2) stretch; urgency=medium . [ Andreas Beckmann ] * Non-maintainer upload. * Backport removal of xemacs21 support from 1:21.2+dfsg-2. . [ Sergei Golovan ] * Do not install Erlang mode for XEmacs since it isn't supposed to work with it (closes: #909387). espeakup (1:0.80-5+deb9u3) stretch; urgency=high . * debian/espeakup.service: Fix compatibility with older versions of systemd (Closes: Bug#913453). Also fix starting with empty voice language. firefox-esr (60.5.0esr-1~deb9u1) stretch-security; urgency=medium . * New upstream release. * Fixes for mfsa2019-02, also known as: CVE-2018-18500, CVE-2018-18505, CVE-2018-18501. firefox-esr (60.4.0esr-1) unstable; urgency=medium . * New upstream release. * Fixes for mfsa2018-30, also known as: CVE-2018-17466, CVE-2018-18492, CVE-2018-18493, CVE-2018-18494, CVE-2018-18498, CVE-2018-12405. firefox-esr (60.4.0esr-1~deb9u1) stretch-security; urgency=medium . * New upstream release. * Fixes for mfsa2018-30, also known as: CVE-2018-17466, CVE-2018-18492, CVE-2018-18493, CVE-2018-18494, CVE-2018-18498, CVE-2018-12405. . * debian/rules: Use embedded libevent in backports. Closes: #910397. * debian/browser.install.in, debian/rules: Properly copy the watermark to /usr/share/icons/hicolor/symbolic/apps. * debian/rules: Pass compiler and compiler flags environment variables down to ICU configure. That will make it use GCC instead of defaulting to clang now it's in PATH, avoiding the failing to build the ICU data file on big endian platforms because clang doesn't know some of the GCC flags it somehow got from the environment. . * build/unix/elfhack/test.c: Try to ensure the bss section of the elfhack testcase stays large enough. bz#1505608. * memory/build/mozjemalloc.cpp: Fix run sizes for size classes >= 16KB on systems with large pages. bz#1507035. Closes: #911898. firefox-esr (60.3.0esr-3) unstable; urgency=medium . * debian/browser.install.in, debian/rules: Properly copy the watermark to /usr/share/icons/hicolor/symbolic/apps. * debian/rules: Pass compiler and compiler flags environment variables down to ICU configure. That will make it use GCC instead of defaulting to clang now it's in PATH, avoiding the failing to build the ICU data file on big endian platforms because clang doesn't know some of the GCC flags it somehow got from the environment. firefox-esr (60.3.0esr-2) unstable; urgency=medium . * debian/control*: Build depend on unversioned clang/llvm. Closes: #912804. * debian/rules: Use embedded libevent in backports. Closes: #910397. . * build/unix/elfhack/test.c: Try to ensure the bss section of the elfhack testcase stays large enough. bz#1505608. * memory/build/mozjemalloc.cpp: Fix run sizes for size classes >= 16KB on systems with large pages. bz#1507035. Closes: #911898. firefox-esr (60.3.0esr-1) unstable; urgency=medium . * New upstream release. * Fixes for mfsa2018-27, also known as: CVE-2018-12392, CVE-2018-12393, CVE-2018-12395, CVE-2018-12396, CVE-2018-12397, CVE-2018-12389, CVE-2018-12390. . * debian/rules: Work around armel FTBFS from conflicting __sync_* symbols between libgcc and rust's compiler_builtins. freerdp (1.1.0~git20140921.1.440916e+dfsg1-13+deb9u3) stretch; urgency=medium . * debian/patches: Add security patches. - CVE-2018-8786.patch: The count variable in update_read_bitmap() needs to be UINT32 (not UINT16). - CVE-2018-8787.patch: In gdi_Bitmap_Decompress, check for invalid bpp, width and height before decompressing. CVE-2018-8788.patch: In NSC encode/decode functions, catch data flawed in various ways and bail out with failure. CVE-2018-8789.patch: In ntlm_read_message_fields_buffer, check buffer offset vs. Stream_Length and bail out if not appropriate. - Thanks to Alex Murray for backporting them to FreeRDP 1.1. * debian/patches: + Add 0010_add-support-for-credssp-v3-and-rdpproto-v6.patch. Add CredSSP v3 and RDP proto v6 support. This allows users to connect to recently (since March 2018) updated Microsoft RDP servers again. Thanks to Bernhard Miklautz and Martin Fleisz for helping out with backporting this patch. Much appreciated! * debian/control: + Update Vcs-*: URLs. * debian/lib{freerdp-core1.1,winpr-sspi0.1}.symbols: Update symbols. ganeti-os-noop (0.2-1+deb9u1) stretch; urgency=medium . * debian/control: + Update Vcs-*: fields. VCS repo has been migrated to salsa.debian.org. + Priority extra -> optional. + Update Maintainer: field to 'Debian Ganeti Team ' * debian/patches: + Add 1001_fix-export-script-for-non-block-devices.patch. Fix size detection for non-block devices. Thanks to Bastian Blank for providing the patch. (Closes: #895602). ghostscript (9.26a~dfsg-0+deb9u1) stretch-security; urgency=high . * Non-maintainer upload by the Security Team. * New upstream version 9.26a~dfsg + Includes fix for CVE-2019-6116 * Temporarily split ABI at ~ (not a). * Update symbols: 1 private added ghostscript (9.26~dfsg-2) unstable; urgency=high . * Add patches cherry-picked upstream to fix segfault with certain PDFs with -dLastPage=1. Closes: Bug#915832. Thanks to Salvatore Bonaccorso. * Set urgency=high as this is fixes regression in 9.26~dfsg-1. ghostscript (9.26~dfsg-1) unstable; urgency=high . [ upstream ] * New security and bugfix release. . [ Jonas Smedegaard ] * Drop patches cherry-picked upstream now applied. * Unfuzz patch 2009. * Set urgency=high due to high potential for security fixes (beyond those already included as cherry-picked patches). * Update symbols: 12 private added. ghostscript (9.26~dfsg-0+deb9u2) stretch-security; urgency=high . * Non-maintainer upload by the Security Team. * Add patches cherry-picked upstream to fix segfault with certain PDFs with -dLastPage=1. (Closes: #915832) ghostscript (9.26~dfsg-0+deb9u1) stretch-security; urgency=high . * Non-maintainer upload by the Security Team. * New upstream version 9.26~dfsg + Includes fixes for the following security vulnerabilities: CVE-2018-19409 CVE-2018-19475 CVE-2018-19476 CVE-2018-19477 * Drop patches cherry-picked upstream now applied * Unfuzz patch 2009. * Update symbols: 12 private added. ghostscript (9.25~dfsg-7) unstable; urgency=medium . * drop obsolete preinst migrations. * Quote variables in package helper update-gsfontmap. * Fix typos in previous changelog entries. * Disable parallel building. Closes: Bug#912847. Thanks to Matthias Klose. ghostscript (9.25~dfsg-6) unstable; urgency=medium . * Add patch cherry-picket upstream to fix cups get/put_params LeadingEdge logic. Closes: Bug#912664. Thanks to Salvatore Bonaccorso. ghostscript (9.25~dfsg-5) unstable; urgency=medium . * Add patch cherry-picket upstream to fix openjpeg segfault if size too large. ghostscript (9.25~dfsg-4) unstable; urgency=high . * Re-release with urgency=high, due to CVE fixes. ghostscript (9.25~dfsg-3) unstable; urgency=medium . * Add patches cherry-picked upstream to fix execution issues. + Implement .currentoutputdevice operator + Change "executeonly" to throw typecheck on gstatetype and devicetype objects + Undefine some additional internal operators. + Fix handling of .needinput if used from interpreter + Ensure all errors are included from initialization + setundercolorremoval memory corruption + copydevice fails after stack device copies invalidated + add operand checking to .setnativefontmapbuilt + add object type check for AES key + Add parameter type checking on .bigstring + zparse_dsc_comments can crash with invalid dsc_state + Catch errors in setpagesize, .setpagesize and setpagedevice and cleanup + Catch errors and cleanup stack on statusdict page size definitions + Add parameter checking in setresolution + device subclass open_device call must return child code + fix DSC comment parsing in pdfwrite + Check all uses of dict_find* to ensure 0 return properly handled + permit Mod and CreDate pdfmarks in PDF 2.0 in pdfwrite + Avoid overrunning non terminated string buffer. + Prevent SEGV in gs_setdevice_no_erase. + Fix uninitialised value for render_cond. + Hide the .needinput operator + filenameforall calls bad iodev with insufficent scratch + Improve hiding of security critical custom operators + Prevent SEGV after calling gs_image_class_1_simple. + don't push userdict in preparation for Type 1 fonts + add control over hiding error handlers. + For hidden operators, pass a name object to error handler. + Explicitly exclude /unknownerror from the SAFERERRORLIST + don't include operator arrays in execstack output + Make .forceput unavailable from '.policyprocs' helper dictionary + .loadfontloop must be an operator + font parsing - prevent SEGV in .cffparse Closes: Bug#910678, #910758, #911175 (CVE-2018-17961, CVE-2018-18073, CVE-2018-18284). Thanks to Salvatore Bonaccorso. * Unfuzz patches. * Declare compliance with Debian Policy 4.2.1. * Update symbols: 1 private added. ghostscript (9.25~dfsg-2) unstable; urgency=high . * Add/correct bug-closures for previous releases 9.25~dfsg-1, 9.25~dfsg-1~exp1, 9.24~~rc2~dfsg-1, 9.21~dfsg-1. * Set urgency=high due to recent CVE fixes. ghostscript (9.25~dfsg-1) unstable; urgency=medium . * Stop needlessly install symlinks handled upstream since ~9.05. * Tidy control file: + Wrap-and-sort. + Drop support for auto-resolving package relations or major version. * Update package relations: + Stop needlessly depend on debconf. + Stop build-depend on dh-buildinfo: Effectively unused. + Stop build-depend on libtrio: Unused upstream since 9.18. * Update copyright info: + Wrap-and-sort. + Extend coverage of Debian packaging. Drop unneeded copyrigh signs. + Fix files section licensed as AGPL-3+ (no longer GPL-3+). + Use semantic linefeeds. * Update symbols tracking: + Drop 19 private symbols. + Add 59 private symbols. * Add more bug-closures to previous release 9.25~dfsg-1~exp1. ghostscript (9.25~dfsg-1~exp1) experimental; urgency=medium . [ upstream ] * New bugfix release(s). Closes: Bug#907703, #908300, #908303, #908304, #908305 (CVE-2018-16509, CVE-2018-16543, CVE-2018-16510, CVE-2018-16585). Thanks to Salvatore Bonaccorso. . * Update copyright info: + Stop exclude image containing non-DFSG ICC profile when repackaging upstream source: Fixed upstream. + Fix cover license FTL. * Set Rules-Requires-Root: no. * Update symbols: + Drop commented out obsolete symbols. + Flag as optional symbols not declared in public header files. * Avoid privacy breach linking documentation to jquery: + Add patch 2009 to use local jquery. + Add symlink from relative link to system-shared jquery library. + Have ghostscript-doc depend on libjs-jquery. * Avoid privacy breach linking documentation to font: + Avoid linking to remote fonts in documentation. * Avoid privacy breach linking documentation with Google: + Strip googletagmanager code from documentation. ghostscript (9.25~dfsg-0+deb9u1) stretch-security; urgency=high . * Non-maintainer upload by the Security Team. * New upstream version 9.25~dfsg + Fixes regression using ps2ascii after fix for CVE-2018-17183 (Closes: #909076) + status operator honour SAFER option (CVE-2018-11645) * Drop patches applied upstream * Rebase 2001_docdir_fix_for_debian.patch for 9.25 * Rebase 2010_add_build_timestamp_setting.patch for 9.25 * Add patches cherry-picked upstream to fix execution issues. + Implement .currentoutputdevice operator + Change "executeonly" to throw typecheck on gstatetype and devicetype objects + Undefine some additional internal operators. + Fix handling of .needinput if used from interpreter + Ensure all errors are included from initialization + setundercolorremoval memory corruption + copydevice fails after stack device copies invalidated + add operand checking to .setnativefontmapbuilt + add object type check for AES key + Add parameter type checking on .bigstring + zparse_dsc_comments can crash with invalid dsc_state + Catch errors in setpagesize, .setpagesize and setpagedevice and cleanup + Catch errors and cleanup stack on statusdict page size definitions + Add parameter checking in setresolution + device subclass open_device call must return child code + fix DSC comment parsing in pdfwrite + Check all uses of dict_find* to ensure 0 return properly handled + permit Mod and CreDate pdfmarks in PDF 2.0 in pdfwrite + Avoid overrunning non terminated string buffer. + Prevent SEGV in gs_setdevice_no_erase. + Fix uninitialised value for render_cond. + Hide the .needinput operator + filenameforall calls bad iodev with insufficent scratch + Improve hiding of security critical custom operators (CVE-2018-17961) (Closes: #911175) + Prevent SEGV after calling gs_image_class_1_simple. + don't push userdict in preparation for Type 1 fonts + add control over hiding error handlers. (Closes: #909929) + For hidden operators, pass a name object to error handler. (CVE-2018-17961) (Closes: #911175) + Explicitly exclude /unknownerror from the SAFERERRORLIST + don't include operator arrays in execstack output (CVE-2018-18073) (Closes: #910758) + Make .forceput unavailable from '.policyprocs' helper dictionary (CVE-2018-18284) (Closes: #911175) + .loadfontloop must be an operator (CVE-2018-17961) (Closes: #911175) + font parsing - prevent SEGV in .cffparse * openjpeg allocator must return NULL if size too large * debian/copyright: Refresh with version from 9.25~dfsg-5 * debian/libgs9.symbols: Update (and sync from 9.25~dfsg-5) for new version. Adjust version for errorexec_find@Base. * Fix cups get/put_params LeadingEdge logic (cf. #912664) * Avoid privacy breach linking documentation to jquery: + Add patch 2009 to use local jquery. + Add symlink from relative link to system-shared jquery library. + Have ghostscript-doc depend on libjs-jquery. * Avoid privacy breach linking documentation to font: + Avoid linking to remote fonts in documentation. * Avoid privacy breach linking documentation with Google: + Strip googletagmanager code from documentation. ghostscript (9.24~~rc2~dfsg-1) experimental; urgency=medium . [ upstream ] * New prerelease. . * Update copyright info: + Exclude convenience code copy of lcms2mt (not lcms2) and image containing non-DFSG ICC profile when repackaging upstream source. * Update copyright-check maintainer script: Extract metadata from png files. * Update copyright info: + Extend coverage for main upstream author. + Extend coverage for Adobe. * Drop patches cherry-picked upstream since applied. * Unfuzz patches. ghostscript (9.22~dfsg-3) unstable; urgency=high . * Add patches cherry-picked upstream to fix execution issues: + Properly apply file permissions to .tempfile. + Don't just assume an object is a t_(a)struct. + Fix handling of pre-SAFER opened files. + Properly check return value when getting value from a dictionary. + Handle LockDistillerParams not being a boolean. + Fix shading_param incomplete type checking. + Ensure the correct is in place before cleanup. + Check the restore operand type. + Fix memory corruption in aesdecode. + Fix handle stack overflow during error handling. + Avoid sharing pointers between pdf14 compositors. + Improve restore robustness. + Hide the .shfill operator. Closes: Bug#907332. Thanks to Nicolas Braud-Santoni. * Use package section optional (not extra). * Extend lintian overrides regarding License-Reference. * Declare compliance with Debian Policy 4.2.0. ghostscript (9.22~dfsg-2.1) unstable; urgency=medium . * Non-maintainer upload. * Buffer overflow in fill_threshold_buffer (CVE-2016-10317) (Closes: #860869) * pdfwrite - Guard against trying to output an infinite number (CVE-2018-10194) (Closes: #896069) ghostscript (9.22~dfsg-2) unstable; urgency=medium . * Update Vcs-* fields for the move to salsa.d.o ghostscript (9.22~dfsg-1) unstable; urgency=medium . [ upstream ] * New release. Highlights: + Ghostscript can now consume and produce (via the pdfwrite device) PDF 2.0 compliant files. + The main focus of this release has been security and code cleanliness. Hence many AddressSanitizer, Valgrind and Coverity issues have been addressed. + The usual round of bug fixes, compatibility changes, and incremental improvements. . [ Jonas Smedegaard ] * Update copyright info: + Update paths of files to strip from upstream source. + Stop strip ConvertUTF files when repackaging upstream source: No longer included upstream. * Update watch file: Use substitution strings. * Update package relations: + Relax to build-depend unversioned on liblcms2-dev d-shlibs cdbs: Needed versions satisfied even in oldstable * Tighten lintian overrides regarding License-Reference. * Use https protocol for upstream Homepage. * Declare compliance with Debian Policy 4.1.1. * Drop patches applied upstream. * Unfuzz patches. * Update symbols file. ghostscript (9.22~~rc1~dfsg-1) experimental; urgency=medium . [ upstream ] * New release. Highlights: + Ghostscript can now consume and produce (via the pdfwrite device) PDF 2.0 compliant files. + The main focus of this release has been security and code cleanliness. Hence many AddressSanitizer, Valgrind and Coverity issues have been addressed. + The usual round of bug fixes, compatibility changes, and incremental improvements. . * Update copyright info: + Update paths of files to strip from upstream source. + Stop strip ConvertUTF files when repackaging upstream source: No longer included upstream. * Update watch file: Use substitution strings. * Update package relations: + Relax to build-depend unversioned on liblcms2-dev d-shlibs cdbs: Needed versions satisfied even in oldstable * Tighten lintian overrides regarding License-Reference. * Use https protocol for upstream Homepage. * Declare compliance with Debian Policy 4.1.0. * Drop patches applied upstream. * Unfuzz patches. ghostscript (9.21~dfsg-1) unstable; urgency=medium . [ upstream ] * New release. Highlights: + pdfwrite preserves annotations from input PDFs where possible. + GhostXPS pass required data to pdfwrite to emit a ToUnicode CMap, resulting in fully searchable PDFs created from XPS in most cases. + Allow default color space for PDF transparency blends. + Improved support for cross-compiling in configure script. + tiffscaled and tiffscaled4 supports ETS (Even Tone Screening). + toolbin/pdf_info.ps utility emits PDF XML metadata. + New scan converter, more performant with large and complex paths. . [ Jonas Smedegaard ] * Modernize cdbs: + Do copyright-check in maintainer script (not during build). * Avoid compressing pdf documentation. * Revive git-ignore file, lost importing NMUs. * Update watch file: Fix track releases (not tags). * Update copyright info: + Fix update main Files section to include all directory wildcards declared in root LICENSE file. + Stop track files no longer shipped upstream. + Add copyright holder Raph Levien. + Extend coverage for main upstream author. + Use https protocol in format string. * Update patches: + Drop patches applied upstream. + Normalize patch names. + Tidy DEP3 patch headers. + Add patch cherry-picked upstream to fix the shared openjpeg build. + Add patch cherry-picked upstream to fix shared lib build with openjpeg >= 2.1.1, replacing patch 1001. * Update package relations: + Relax build-dependency on cdbs. + Stop build-depend on licensecheck libregexp-assemble-perl libimage-exiftool-perl libfont-ttf-perl. * Relax symbols check when targeting experimental. * Update symbols: 16 dropped. 37 added. * Declare compliance with Debian Policy 4.0.0. ghostscript (9.21~dfsg-1~exp1) experimental; urgency=medium . [ upstream ] * New release. Highlights: + pdfwrite preserves annotations from input PDFs where possible. + GhostXPS pass required data to pdfwrite to emit a ToUnicode CMap, resulting in fully searchable PDFs created from XPS in most cases. + Allow default color space for PDF transparency blends. + Improved support for cross-compiling in configure script. + tiffscaled and tiffscaled4 supports ETS (Even Tone Screening). + toolbin/pdf_info.ps utility emits PDF XML metadata. + New scan converter, more performant with large and complex paths. . [ Jonas Smedegaard ] * Modernize cdbs: + Do copyright-check in maintainer script (not during build). * Avoid compressing pdf documentation. * Revive git-ignore file, lost importing NMUs. * Update watch file: Fix track releases (not tags). * Update copyright info: + Stop track files no longer shipped upstream. + Add copyright holder Raph Levien. + Extend coverage for main upstream author. * Update patches: + Drop patches applied upstream. + Normalize patch names. + Tidy DEP3 patch headers. + Add patch cherry-picked upstream to fix the shared openjpeg build. + Add patch cherry-picked upstream to fix shared lib build with openjpeg >= 2.1.1, replacing patch 1001. * Update package relations: + Relax build-dependency on cdbs. + Stop build-depend on licensecheck libregexp-assemble-perl libimage-exiftool-perl libfont-ttf-perl. * Relax symbols check when targeting experimental. glibc (2.24-11+deb9u4) stretch; urgency=medium . [ Aurelien Jarno ] * debian/patches/git-updates.diff: update from upstream stable branch: - Fix buffer overflow in glob with GLOB_TILDE (CVE-2017-15670). Closes: #879501. - Fix memory leak in glob with GLOB_TILDE (CVE-2017-15671). Closes: #879500. - Fix a buffer overflow in glob with GLOB_TILDE in unescaping (CVE-2017-15804). Closes: #879955. - Fix a memory leak in ld.so (CVE-2017-1000408). Closes: #884132. - Fix a buffer overflow in ld.so (CVE-2017-1000409). Closes: #884133. - Fixes incorrect RPATH/RUNPATH handling for SUID binaries (CVE-2017-16997). Closes: #884615. - Fix a data corruption in SSE2-optimized memmove implementation for i386 (CVE-2017-18269). - Fix a stack-based buffer overflow in the realpath function (CVE-2018-11236). Closes: #899071. - Fix a buffer overflow in the AVX-512-optimized implementation of the mempcpy function (CVE-2018-11237). Closes: #899070. - Fix stack guard size accounting and reduce stack usage during unwinding to avoid segmentation faults on CPUs with AVX512-F. Closes: #903554. - Fix a use after free in pthread_create(). Closes: #916925. * debian/debhelper.in/libc.postinst, script.in/nsscheck.sh: check for postgresql in NSS check. Closes: #710275. . [ Sebastian Andrzej Siewior ] * patches/any/local-condvar-do-not-use-requeue-for-pshared-condvars.patch: patch to fix pthread_cond_wait() in the pshared case on non-x86. Closes: #904158. glx-alternatives (0.8.8~deb9u2) stretch; urgency=medium . * Revert dpkg-trigger changes from 0.8.8 as it may cause an exception thrown in apt. (Closes: #922210) glx-alternatives (0.8.8~deb9u1) stretch; urgency=medium . * Rebuild for stretch. . glx-alternatives (0.8.8) unstable; urgency=medium . * glx-diversions: Put all packages that had shared libraries diverted into triggers-awaited state to ensure the triggers in glx-alternative-mesa setting up the glx alternative get processed earlier. (Closes: #905908) * Bump Standards-Version to 4.2.1. No changes needed. . glx-alternatives (0.8.7) unstable; urgency=medium . * Update validation of the diverted libGL.so symlink. . glx-alternatives (0.8.6) unstable; urgency=medium . * glx-alternative-mesa: libGLX_mesa.so.0 is not diverted and therefore not an indicator to install the alternative. (Closes: #904486) . glx-alternatives (0.8.5) unstable; urgency=medium . * Avoid confusing diagnostic message if no nvidia alternative is available. . glx-alternatives (0.8.4) unstable; urgency=medium . * Add diversion and alternative for libGLX_indirect.so.0. * Bump Standards-Version to 4.1.5. No changes needed. glx-alternatives (0.8.8~bpo9+1) stretch-backports; urgency=medium . * Rebuild for stretch-backports. . glx-alternatives (0.8.8) unstable; urgency=medium . * glx-diversions: Put all packages that had shared libraries diverted into triggers-awaited state to ensure the triggers in glx-alternative-mesa setting up the glx alternative get processed earlier. (Closes: #905908) * Bump Standards-Version to 4.2.1. No changes needed. glx-alternatives (0.8.7) unstable; urgency=medium . * Update validation of the diverted libGL.so symlink. glx-alternatives (0.8.7~bpo9+1) stretch-backports; urgency=medium . * Rebuild for stretch-backports. . glx-alternatives (0.8.7) unstable; urgency=medium . * Update validation of the diverted libGL.so symlink. . glx-alternatives (0.8.6) unstable; urgency=medium . * glx-alternative-mesa: libGLX_mesa.so.0 is not diverted and therefore not an indicator to install the alternative. (Closes: #904486) . glx-alternatives (0.8.5) unstable; urgency=medium . * Avoid confusing diagnostic message if no nvidia alternative is available. . glx-alternatives (0.8.4) unstable; urgency=medium . * Add diversion and alternative for libGLX_indirect.so.0. * Bump Standards-Version to 4.1.5. No changes needed. glx-alternatives (0.8.6) unstable; urgency=medium . * glx-alternative-mesa: libGLX_mesa.so.0 is not diverted and therefore not an indicator to install the alternative. (Closes: #904486) glx-alternatives (0.8.5) unstable; urgency=medium . * Avoid confusing diagnostic message if no nvidia alternative is available. glx-alternatives (0.8.4) unstable; urgency=medium . * Add diversion and alternative for libGLX_indirect.so.0. * Bump Standards-Version to 4.1.5. No changes needed. glx-alternatives (0.8.3) unstable; urgency=medium . * Divert libGL.so.1.7.0, libGLESv1_CM.so.1.2.0, libGLESv2.so.2.1.0, libEGL.so.1.1.0 that will be used by the next libglvnd upstream release. * Update validation of the diverted libGL.so.1 symlink. (Closes: #879041) gnulib (20140202+stable-2+deb9u1) stretch; urgency=medium . * Non-maintainer upload. * vasnprintf: Fix heap memory overrun bug (CVE-2018-17942) (Closes: #910757) gnupg2 (2.1.18-8~deb9u4) stretch; urgency=medium . * Avoid crash when importing without a TTY (Closes: #913614) graphite-api (1.1.3-2+deb9u1) stretch; urgency=medium . [ Andreas Beckmann ] * Non-maintainer upload. * Backport spelling fix from 1.1.3-3. (Closes: #826020) . [ Vincent Bernat ] * d/service: fix RequiresMountsFor spelling. grokmirror (1.0.0-1.1~deb9u1) stretch; urgency=medium . * Non-maintainer upload. * Rebuild for stretch. . grokmirror (1.0.0-1.1) unstable; urgency=medium . * Non-maintainer upload. * Add the missing dependency on python-pkg-resources. (Closes: #888847) gvrng (4.4-3~deb9u1) stretch; urgency=medium . * QA upload. * Rebuild for stretch. . gvrng (4.4-3) unstable; urgency=high . * QA upload. * Fix the permissions problem that prevented starting gvrng. (Closes: #850516) * Tell dh_python2 where to find the files to generate dependencies. ibus (1.5.14-3+deb9u1) stretch; urgency=medium . * Non-maintainer upload. * Remove the dependency of the gir package against python, it breaks multiarch installation. (Closes: #889053) icecast2 (2.4.2-1+deb9u1) stretch-security; urgency=high . * d/p/CVE-2018-18820.patch: - Cherry-pick upstream commits fixing buffer overflow in URL authentication - Closes: #912611, CVE-2018-18820 icinga2 (2.6.0-2+deb9u1) stretch; urgency=medium . * [0eb3cad] Fix timestamps being stored as local time in PostgreSQL. intel-microcode (3.20180807a.2~deb9u1) stretch; urgency=medium . * Release managers: This update is being distributed by Debian in unstable, testing and jessie- and stretch-backports since 2018-10-30 without issues, and by most distros since 2018-08/2018-09, with no known reports of regressions on Westmere EP processors (Spectre mitigations are very expensive on Nehalem and Westmere, though). * SECURITY FIX: this update adds the accumulated fixes for Westmere EP (signature 0x206c2) from nearly a decade, including but likely not limited to: + Implements L1D_FLUSH support (L1TF "Foreshadow/-NG" mitigation) Intel SA-00161, CVE-2018-3615, CVE-2018-3620, CVE-2018-3646 + Implements SSBD support (Spectre v4 mitigation), Disable speculation for (some) RDMSR/WRMSR (Spectre v3a fix) Intel SA-00115, CVE-2018-3639, CVE-2018-3640 + Implements IBRS/IBPB/STIPB support, Spectre v2 mitigation. Intel SA-0088, CVE-2017-5753, CVE-2017-5754 + Very likely implements LAPIC sinkhole fix + Fixes AAK167/BT248: Virtual APIC accesses with 32-bit PAE paging may cause system crash * This Westmere EP microcode update has been explicitly approved by Intel for general distribution by operating systems, refer to the changelog entry for 3.20180807a.2 below . intel-microcode (3.20180807a.2) unstable; urgency=medium . * Makefile: unblacklist 0x206c2 (Westmere EP) According to pragyansri.pathi@intel.com, on message to LP#1795594 on 2018-10-09, we can ship 0x206c2 updates without restrictions. Also, there are no reports in the field about this update causing issues (closes: #907402) (LP: #1795594) intel-microcode (3.20180807a.2~bpo9+1) stretch-backports; urgency=medium . * Rebuild for stretch-backports (no changes) . intel-microcode (3.20180807a.2) unstable; urgency=medium . * Makefile: unblacklist 0x206c2 (Westmere EP) According to pragyansri.pathi@intel.com, on message to LP#1795594 on 2018-10-09, we can ship 0x206c2 updates without restrictions. Also, there are no reports in the field about this update causing issues (closes: #907402) (LP: #1795594) intel-microcode (3.20180807a.2~bpo8+1) jessie-backports-sloppy; urgency=medium . * Rebuild for jessie-backports-sloppy (no changes) . intel-microcode (3.20180807a.2) unstable; urgency=medium . * Makefile: unblacklist 0x206c2 (Westmere EP) According to pragyansri.pathi@intel.com, on message to LP#1795594 on 2018-10-09, we can ship 0x206c2 updates without restrictions. Also, there are no reports in the field about this update causing issues (closes: #907402) (LP: #1795594) intel-microcode (3.20180807a.1) unstable; urgency=high . [ Henrique de Moraes Holschuh ] * New upstream microcode datafile 20180807a (closes: #906158, #906160, #903135, #903141) + New Microcodes: sig 0x000206c2, pf_mask 0x03, 2018-05-08, rev 0x001f, size 11264 sig 0x000206e6, pf_mask 0x04, 2018-05-15, rev 0x000d, size 9216 sig 0x000506c2, pf_mask 0x01, 2018-05-11, rev 0x0014, size 15360 sig 0x000506ca, pf_mask 0x03, 2018-05-11, rev 0x000c, size 14336 sig 0x000506f1, pf_mask 0x01, 2018-05-11, rev 0x0024, size 10240 + Updated Microcodes: sig 0x000106a5, pf_mask 0x03, 2018-05-11, rev 0x001d, size 12288 sig 0x000106e5, pf_mask 0x13, 2018-05-08, rev 0x000a, size 9216 sig 0x00020652, pf_mask 0x12, 2018-05-08, rev 0x0011, size 9216 sig 0x00020655, pf_mask 0x92, 2018-04-23, rev 0x0007, size 4096 sig 0x000206a7, pf_mask 0x12, 2018-04-10, rev 0x002e, size 12288 sig 0x000206f2, pf_mask 0x05, 2018-05-16, rev 0x003b, size 14336 sig 0x000306a9, pf_mask 0x12, 2018-04-10, rev 0x0020, size 13312 sig 0x000306c3, pf_mask 0x32, 2018-04-02, rev 0x0025, size 23552 sig 0x000306d4, pf_mask 0xc0, 2018-03-22, rev 0x002b, size 18432 sig 0x00040651, pf_mask 0x72, 2018-04-02, rev 0x0024, size 22528 sig 0x00040661, pf_mask 0x32, 2018-04-02, rev 0x001a, size 25600 sig 0x00040671, pf_mask 0x22, 2018-04-03, rev 0x001e, size 13312 sig 0x000406e3, pf_mask 0xc0, 2018-04-17, rev 0x00c6, size 99328 sig 0x00050662, pf_mask 0x10, 2018-05-25, rev 0x0017, size 31744 sig 0x00050663, pf_mask 0x10, 2018-04-20, rev 0x7000013, size 22528 sig 0x00050664, pf_mask 0x10, 2018-04-20, rev 0xf000012, size 22528 sig 0x000506c9, pf_mask 0x03, 2018-05-11, rev 0x0032, size 16384 sig 0x000506e3, pf_mask 0x36, 2018-04-17, rev 0x00c6, size 99328 sig 0x000706a1, pf_mask 0x01, 2018-05-22, rev 0x0028, size 73728 sig 0x000806e9, pf_mask 0xc0, 2018-03-24, rev 0x008e, size 98304 sig 0x000806ea, pf_mask 0xc0, 2018-05-15, rev 0x0096, size 98304 sig 0x000906e9, pf_mask 0x2a, 2018-03-24, rev 0x008e, size 98304 sig 0x000906ea, pf_mask 0x22, 2018-05-02, rev 0x0096, size 97280 sig 0x000906eb, pf_mask 0x02, 2018-03-24, rev 0x008e, size 98304 + Implements L1D_FLUSH support (L1TF "Foreshadow/-NG" mitigation) Intel SA-00161, CVE-2018-3615, CVE-2018-3620, CVE-2018-3646 + Implements SSBD support (Spectre v4 mitigation), Disable speculation for (some) RDMSR/WRMSR (Spectre v3a fix) Intel SA-00115, CVE-2018-3639, CVE-2018-3640 + Implements IBRS/IBPB/STIPB support, Spectre v2 mitigation for older processors with signatures 0x106a5, 0x106e5, 0x20652, 0x20655. Intel SA-0088, CVE-2017-5753, CVE-2017-5754 * source: update symlinks to reflect id of the latest release, 20180807a * debian/intel-microcode.docs: ship license and releasenote upstream files. * debian/changelog: update entry for 3.20180703.1 with L1TF information . [ Julian Andres Klode ] * initramfs: include all microcode for MODULES=most. Default to early instead of auto, and install all of the microcode, not just the one matching the current CPU, if MODULES=most is set in the initramfs-tools config (LP: #1778738) isort (4.2.5+ds1-2+deb9u1) stretch; urgency=medium . * Non-maintainer upload. * Add missing dependency on python3-pkg-resources. Thanks to Andreas Beckmann for reporting the issue. (Closes: #902327) * Fix dependencies of the python2 package by using the correct ${python:Depends} substvar instead of ${python3:Depends}. Thanks to Paul Wise for catching it. (Closes: #884682) jdupes (1.7-2+deb9u1) stretch; urgency=medium . * debian/patches/20_fix-crash-arm.patch: add to fix a potential crash in ARM. Thanks to Jody Bruchon . (Closes: #914078) kmodpy (0.1.10-2.1~deb9u1) stretch; urgency=medium . * Non-maintainer upload. * Rebuild for stretch. . kmodpy (0.1.10-2.1) unstable; urgency=high . * Non-maintainer upload. * Remove the incorrect Multi-Arch: same. (Closes: #897223) libapache-mod-jk (1:1.2.46-0+deb9u1) stretch-security; urgency=high . * Non-maintainer upload by the Security Team. * New upstream version 1.2.46 + CVE-2018-11759: fix information disclosure and privilege escalation libapache-mod-jk (1:1.2.44-3) unstable; urgency=medium . * Remove conf/httpd-jk.conf from debian/clean to fix a FTBFS when building binary-arch target. libapache-mod-jk (1:1.2.44-2) unstable; urgency=medium . * Fix broken httpd-jk symlink. Thanks to Andreas Beckmann for the report. (Closes: #910160) libapache-mod-jk (1:1.2.44-1) unstable; urgency=medium . * New upstream version 1.2.44. * Declare compliance with Debian Policy 4.2.1. * Remove Damien Raude-Morvan from Uploaders. Add myself to Uploaders. (Closes: #889461) * Suggest alternative tomcat9 package. * Drop obsolete libapache2-mod-jk.NEWS. * Install new httpd-jk.conf file which follows Apache 2.4 syntax. (Closes: #786635) libapache-mod-jk (1:1.2.43-1) unstable; urgency=medium . * Team upload. * New upstream release - Refreshed the patches * Standards-Version updated to 4.1.3 * Switch to debhelper level 11 libapache2-mod-perl2 (2.0.10-2+deb9u1) stretch; urgency=medium . * [SECURITY] CVE-2011-2767: don't allow sections in user controlled configuration (Closes: #644169) libarchive (3.2.2-2+deb9u1) stretch-security; urgency=high . * Non-maintainer upload. * Fix the following security vulnerabilities: CVE-2016-10209, CVE-2016-10349, CVE-2016-10350, CVE-2017-14166, CVE-2017-14501, CVE-2017-14502, CVE-2017-14503, CVE-2018-1000877, CVE-2018-1000878, CVE-2018-1000879 and CVE-2018-1000880. Multiple security vulnerabilities were found in libarchive, a multi-format archive and compression library. Heap-based buffer over-reads, NULL pointer dereferences, use-after-frees and out-of-bounds reads allow remote attackers to cause a denial-of-service (application crash) via specially crafted archive files. (Closes: #859456, #861609, #874539, #875966, #875974, #875960, #916964, #916963, #916960) libb2 (0.97-2+deb9u1) stretch; urgency=medium . * debian/patches/60ea749837362c226e8501718f505ab138e5c19d.patch: detect if the system can use AVX before actually using it (Closes: #884958) libdatetime-timezone-perl (1:2.09-1+2018i) stretch; urgency=medium . * Update to Olson database version 2018i. This update contains contemporary changes for São Tomé and Príncipe. libdatetime-timezone-perl (1:2.09-1+2018h) stretch; urgency=medium . * Update to Olson database version 2018h. This update contains contemporary changes for Kazakhstan, Alaska, Morocco, and Iran. libemail-address-list-perl (0.05-1+deb9u1) stretch; urgency=medium . * [SECURITY] Fix DoS vulnerability CVE-2018-18898 libemail-address-perl (1.908-1+deb9u1) stretch; urgency=medium . * Team upload. * [SECURITY]: Fix DoS vulnerabilities CVE-2015-7686 and CVE-2018-12558 libextractor (1:1.3-4+deb9u3) stretch-security; urgency=high . * Fix out-of-bounds read vulnerability in common/convert.c (Closes: #917214, CVE-2018-20430). * Fix NULL pointer dereference in OLE2 extractor (Closes: #917213, CVE-2018-20431). libgd2 (2.2.4-2+deb9u4) stretch-security; urgency=high . * Non-maintainer upload by the Security Team. * Heap-based buffer overflow in gdImageColorMatch (CVE-2019-6977) (Closes: #920645) * Potential double-free in gdImage*Ptr() (CVE-2019-6978) (Closes: #920728) libgpod (0.8.3-8.2+deb9u1) stretch; urgency=high . * QA upload. * debian/control: Replace defunct Vcs-* fields with correct ones. * python-gpod: Add missing dependency on python-gobject-2. (Closes: #896230) liblivemedia (2016.11.28-1+deb9u1) stretch-security; urgency=high . * Non-maintainer upload by the Security Team. * CVE-2018-4013: stack-based buffer overflow in the HTTP packet-parsing functionality, potentially resulting in code execution. libphp-phpmailer (5.2.14+dfsg-2.3+deb9u1) stretch-security; urgency=high . * Non-maintainer upload by the Security Team. * object injection vulnerability (CVE-2018-19296) (Closes: #913912) libreoffice (1:5.2.7-1+deb9u5) stretch-security; urgency=high . * debian/patches/disableClassPathURLCheck.diff: add workaround to fix build with openjdks with S8195874 included - add -Djdk.net.URLClassPath.disableClassPathURLCheck=true to JAVAIFLAGS; see https://gerrit.libreoffice.org/#/c/63118/2 . * debian/patches/keep-pyuno-script-processing-below-base-uri.diff: as name says (CVE-2018-16858) * debian/patches/show-partial-signatures-even-if-cert-validation-fails.diff: as name says (CERT-Bund#2018100828000257), but backport the non-UI parts only - the "signing already existing PDFs" feature doesn't exist here yet libssh (0.7.3-2+deb9u2) stretch; urgency=medium . * Non-maintainer upload. * Fix broken server-side keyboard-interactive authentication. Thanks to Martin Pitt (Closes: #913870) libvncserver (0.9.11+dfsg-1.3~deb9u1) stretch-security; urgency=high . * Non-maintainer upload by the Security Team. * Rebuild for stretch-security. libvncserver (0.9.11+dfsg-1.2) unstable; urgency=high . * Non-maintainer upload. * Fix multiple security vulnerabilities (Closes: #916941) - Use-after-free in file transfer extension allows for potential code execution (CVE-2018-15126) - Heap out-of-bounds write in rfbserver.c:rfbProcessFileTransferReadBuffer() allows for potential code execution (CVE-2018-15127) - Multiple heap out-of-bound writes in VNC client code (CVE-2018-20019) - Heap out-of-bound write inside structure in VNC client code allows for potential code execution (CVE-2018-20020) - Infinite loop in VNC client code allows for denial of service (CVE-2018-20021) - Improper initialization in VNC client code allows for information disclosure (CVE-2018-20022) - Improper initialization in VNC Repeater client code allows for information disclosure (CVE-2018-20023) - NULL pointer dereference in VNC client code allows for denial of service (CVE-2018-20024) - Use-after-free in file transfer extension server code allows for potential code execution (CVE-2018-6307) * Update symbols file for libvncserver1. The fix for CVE-2018-15126 removes CloseUndoneFileTransfer and introduces new CloseUndoneFileDownload and CloseUndoneFileUpload. libvncserver (0.9.11+dfsg-1.1) unstable; urgency=high . * Non-maintainer upload. * Fix CVE-2018-7225: Uninitialized and potentially sensitive data could be accessed by remote attackers because the msg.cct.length in rfbserver.c was not sanitized. (Closes: #894045) linux (4.9.144-3) stretch; urgency=medium . * libceph: fix CEPH_FEATURE_CEPHX_V2 check in calc_signature() (regression in 4.9.144) linux (4.9.144-2) stretch; urgency=medium . * [mips*] inst: Avoid ABI change in 4.9.136 (fixes FTBFS) * efi/libstub: Unify command line param parsing (fixes FTBFS on arm64) linux (4.9.144-1) stretch; urgency=medium . * New upstream stable update: https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.136 - xfrm: Validate address prefix lengths in the xfrm selector. - xfrm6: call kfree_skb when skb is toobig - mac80211: Always report TX status - cfg80211: reg: Init wiphy_idx in regulatory_hint_core() - mac80211: fix pending queue hang due to TX_DROP - cfg80211: Address some corner cases in scan result channel updating - mac80211: TDLS: fix skb queue/priority assignment - [armel,armhf] 8799/1: mm: fix pci_ioremap_io() offset check - xfrm: validate template mode - nl80211: Fix possible Spectre-v1 for NL80211_TXRATE_HT - mac80211_hwsim: do not omit multicast announce of first added radio - Bluetooth: SMP: fix crash in unpairing - qed: Avoid implicit enum conversion in qed_roce_mode_to_flavor - qed: Avoid constant logical operation warning in qed_vf_pf_acquire - asix: Check for supported Wake-on-LAN modes - ax88179_178a: Check for supported Wake-on-LAN modes - lan78xx: Check for supported Wake-on-LAN modes - sr9800: Check for supported Wake-on-LAN modes - r8152: Check for supported Wake-on-LAN Modes - smsc75xx: Check for Wake-on-LAN modes - smsc95xx: Check for Wake-on-LAN modes - perf/ring_buffer: Prevent concurent ring buffer access - [x86] perf/x86/intel/uncore: Fix PCI BDF address of M3UPI on SKX - [armhf] net: fec: fix rare tx timeout - net: cxgb3_main: fix a missing-check bug - perf symbols: Fix memory corruption because of zero length symbols - mm/memory_hotplug.c: fix overflow in test_pages_in_a_zone() - [mips*] microMIPS: Fix decoding of swsp16 instruction - [mips*] Handle non word sized instructions when examining frame - scsi: aacraid: Fix typo in blink status - f2fs: fix multiple f2fs_add_link() having same name for inline dentry - igb: Remove superfluous reset to PHY and page 0 selection - ACPI: sysfs: Make ACPI GPE mask kernel parameter cover all GPEs - PCI: Disable MSI for HiSilicon Hip06/Hip07 only in Root Port mode - [arm64,armhf] i2c: bcm2835: Avoid possible NULL ptr dereference - efi/fb: Correct PCI_STD_RESOURCE_END usage - ipv6: set rt6i_protocol properly in the route when it is installed - [x86] platform: acer-wmi: setup accelerometer when ACPI device was found - IB/ipoib: Do not warn if IPoIB debugfs doesn't exist - IB/core: Fix the validations of a multicast LID in attach or detach operations - rxe: Fix a sleep-in-atomic bug in post_one_send - nvme-pci: fix CMB sysfs file removal in reset path - net: phy: marvell: Limit 88m1101 autoneg errata to 88E1145 as well. - net/mlx5: Fix command completion after timeout access invalid structure - tipc: Fix tipc_sk_reinit handling of -EAGAIN - tipc: fix a race condition of releasing subscriber object - bnxt_en: Don't use rtnl lock to protect link change logic in workqueue. - [armhf] dts: bcm283x: Reserve first page for firmware - btrfs: fiemap: Cache and merge fiemap extent before submit it to user - [arm64] reset: hi6220: Set module license so that it can be loaded - [x86] ASoC: Intel: Skylake: Fix to parse consecutive string tkns in manifest - mac80211: fix TX aggregation start/stop callback race - libata: fix error checking in in ata_parse_force_one() - [armhf] net: ethernet: stmmac: Fix altr_tse_pcs SGMII Initialization - [i386] x86/cpu/cyrix: Add alternative Device ID of Geode GX1 SoC - [armhf] gpu: ipu-v3: Fix CSI selection for VDIC - [arm64,armhf] net: stmmac: ensure jumbo_frm error return is correctly checked for -ve value - Btrfs: clear EXTENT_DEFRAG bits in finish_ordered_io - ufs: we need to sync inode before freeing it - net/mlx5e: Fix fixpoint divide exception in mlx5e_am_stats_compare - ip6_tunnel: Correct tos value in collect_md mode - net/mlx5: Fix driver load error flow when firmware is stuck - perf evsel: Fix probing of precise_ip level for default cycles event - perf probe: Fix probe definition for inlined functions - net/mlx5: Fix health work queue spin lock to IRQ safe - [armhf] usb: dwc3: omap: remove IRQ_NOAUTOEN used with shared irq - [armhf] clk: samsung: Fix m2m scaler clock on Exynos542x - rds: ib: Fix missing call to rds_ib_dev_put in rds_ib_setup_qp - qed: Warn PTT usage by wrong hw-function - ocfs2: fix deadlock caused by recursive locking in xattr - net: cdc_ncm: GetNtbFormat endian fix - sctp: use right member as the param of list_for_each_entry - ALSA: hda - No loopback on ALC299 codec - ath10k: convert warning about non-existent OTP board id to debug message - ipv6: fix cleanup ordering for ip6_mr failure - IB/ipoib: Fix lockdep issue found on ipoib_ib_dev_heavy_flush - IB/rxe: put the pool on allocation failure - nbd: only set MSG_MORE when we have more to send - mm/frame_vector.c: release a semaphore in 'get_vaddr_frames()' - IB/mlx5: Avoid passing an invalid QP type to firmware - scsi: qla2xxx: Avoid double completion of abort command - drm: bochs: Don't remove uninitialized fbdev framebuffer - i40e: avoid NVM acquire deadlock during NVM update - Revert "IB/ipoib: Update broadcast object if PKey value was changed in index 0" - Btrfs: incremental send, fix invalid memory access - [arm64] drm/msm: Fix possible null dereference on failure of get_pages() - l2tp: remove configurable payload offset - macsec: fix memory leaks when skb_to_sgvec fails - perf/core: Fix locking for children siblings group read - cifs: Use ULL suffix for 64-bit constant - futex: futex_wake_op, do not fail on invalid op - ALSA: hda - Fix incorrect usage of IS_REACHABLE() - enic: do not overwrite error code - bonding: ratelimit failed speed/duplex update warning - nvmet: fix space padding in serial number - iio: buffer: fix the function signature to match implementation - [x86] paravirt: Fix some warning messages - IB/mlx4: Fix an error handling path in 'mlx4_ib_rereg_user_mr()' - libertas: call into generic suspend code before turning off power - xhci: Fix USB3 NULL pointer dereference at logical disconnect. - [armhf] dts: imx53-qsb: disable 1.2GHz OPP - rxrpc: Don't check RXRPC_CALL_TX_LAST after calling rxrpc_rotate_tx_window() - rxrpc: Only take the rwind and mtu values from latest ACK - [x86] net: ena: fix NULL dereference due to untimely napi initialization - fs/fat/fatent.c: add cond_resched() to fat_count_free_clusters() - mtd: spi-nor: Add support for is25wp series chips - Revert "netfilter: ipv6: nf_defrag: drop skb dst before queueing" - bridge: do not add port to router list when receives query with source 0.0.0.0 - net: bridge: remove ipv6 zero address check in mcast queries - ipv6: mcast: fix a use-after-free in inet6_mc_check - ipv6/ndisc: Preserve IPv6 control buffer if protocol error handlers are called - llc: set SOCK_RCU_FREE in llc_sap_add_socket() - net/ipv6: Fix index counter for unicast addresses in in6_dump_addrs - net: sched: gred: pass the right attribute to gred_change_table_def() - net: socket: fix a missing-check bug - [arm64,armhf] net: stmmac: Fix stmmac_mdio_reset() when building stmmac as modules - net: udp: fix handling of CHECKSUM_COMPLETE packets - r8169: fix NAPI handling under high load - sctp: fix race on sctp_id2asoc - vhost: Fix Spectre V1 vulnerability - ethtool: fix a privilege escalation bug - bonding: fix length of actor system - net: drop skb on failure in ip_check_defrag() - net: fix pskb_trim_rcsum_slow() with odd trim offset - rtnetlink: Disallow FDB configuration for non-Ethernet device - ip6_tunnel: Fix encapsulation layout - crypto: shash - Fix a sleep-in-atomic bug in shash_setkey_unaligned - ahci: don't ignore result code of ahci_reset_controller() - xfs: truncate transaction does not modify the inobt - cachefiles: fix the race between cachefiles_bury_object() and rmdir(2) - ptp: fix Spectre v1 vulnerability - drm/edid: Add 6 bpc quirk for BOE panel in HP Pavilion 15-n233sl - RDMA/ucma: Fix Spectre v1 vulnerability - IB/ucm: Fix Spectre v1 vulnerability - cdc-acm: correct counting of UART states in serial state notification - usb: gadget: storage: Fix Spectre v1 vulnerability - USB: fix the usbfs flag sanitization for control transfers - Input: elan_i2c - add ACPI ID for Lenovo IdeaPad 330-15IGM - sched/fair: Fix throttle_list starvation with low CFS quota - [x86] percpu: Fix this_cpu_read() - [x86] time: Correct the attribute on jiffies' definition - posix-timers: Sanitize overrun handling (CVE-2018-12896) https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.137 - bcache: fix miss key refill->end in writeback - jffs2: free jffs2_sb_info through jffs2_kill_sb() - pcmcia: Implement CLKRUN protocol disabling for Ricoh bridges - [arm64] ipmi: Fix timer race with module unload - [hppa/parisc] Fix address in HPMC IVA - [hppa/parisc] Fix map_pages() to not overwrite existing pte entries - ALSA: hda - Add quirk for ASUS G751 laptop - ALSA: hda - Fix headphone pin config for ASUS G751 - ALSA: hda - Add mic quirk for the Lenovo G50-30 (17aa:3905) - ALSA: ca0106: Disable IZD on SB0570 DAC to fix audio pops - [x86] speculation: Enable cross-hyperthread spectre v2 STIBP mitigation - [x86] corruption-check: Fix panic in memory_corruption_check() when boot option without value is provided - [x86] speculation: Support Enhanced IBRS on future CPUs - Revert "perf tools: Fix PMU term format max value calculation" - xfrm: policy: use hlist rcu variants on insert - sched/fair: Fix the min_vruntime update logic in dequeue_entity() - perf cpu_map: Align cpu map synthesized events properly. - [x86] fpu: Remove second definition of fpu in __fpu__restore_sig() - net: qla3xxx: Remove overflowing shift statement - locking/lockdep: Fix debug_locks off performance problem - tun: Consistently configure generic netdev params via rtnetlink - [s390x] sthyi: Fix machine name validity indication - [armhf] hwmon: (pwm-fan) Set fan speed to 0 on suspend - perf tools: Free temporary 'sys' string in read_event_files() - perf tools: Cleanup trace-event-info 'tdata' leak - perf strbuf: Match va_{add,copy} with va_end - mmc: sdhci-pci-o2micro: Add quirk for O2 Micro dev 0x8620 rev 0x01 - iwlwifi: pcie: avoid empty free RB queue - [i386] x86/olpc: Indicate that legacy PC XO-1 platform should not register RTC - [arm64,armhf] cpufreq: dt: Try freeing static OPPs only if we have added them - Bluetooth: btbcm: Add entry for BCM4335C0 UART bluetooth - [arm64] pinctrl: qcom: spmi-mpp: Fix err handling of pmic_mpp_set_mux - brcmfmac: fix for proper support of 160MHz bandwidth - kprobes: Return error if we fail to reuse kprobe instead of BUG_ON() - ACPI / LPSS: Add alternative ACPI HIDs for Cherry Trail DMA controllers - [arm64] pinctrl: qcom: spmi-mpp: Fix drive strength setting - [arm64] pinctrl: spmi-mpp: Fix pmic_mpp_config_get() to be compliant - [arm64] pinctrl: ssbi-gpio: Fix pm8xxx_pin_config_get() to be compliant - ixgbevf: VF2VF TCP RSS - ath10k: schedule hardware restart if WMI command times out - cgroup, netclassid: add a preemption point to write_classid - scsi: esp_scsi: Track residual for PIO transfers - scsi: megaraid_sas: fix a missing-check bug - RDMA/core: Do not expose unsupported counters - IB/ipoib: Clear IPCB before icmp_send - tpm: suppress transmit cmd error logs when TPM 1.2 is disabled/deactivated - [x86] VMCI: Resource wildcard match fixed - ext4: fix argument checking in EXT4_IOC_MOVE_EXT - MD: fix invalid stored role for a disk - PCI/MSI: Warn and return error if driver enables MSI/MSI-X twice - [arm64,armhf] usb: chipidea: Prevent unbalanced IRQ disable - [amd64] driver/dma/ioat: Call del_timer_sync() without holding prep_lock - uio: ensure class is registered before devices - scsi: lpfc: Correct soft lockup when running mds diagnostics - signal: Always deliver the kernel's SIGKILL and SIGSTOP to a pid namespace init - ALSA: hda: Check the non-cached stream buffers more explicitly - [armhf] dts: exynos: Remove "cooling-{min|max}-level" for CPU nodes - [armhf] dts: exynos: Add missing cooling device properties for CPUs - [armhf] dts: exynos: Convert exynos5250.dtsi to opp-v2 bindings - [armhf] dts: exynos: Mark 1 GHz CPU OPP as suspend OPP on Exynos5250 - xen-swiotlb: use actually allocated size on check physical continuous - [x86] tpm: Restore functionality to xen vtpm driver. - xen/blkfront: avoid NULL blkfront_info dereference on device removal - [x86] xen: fix race in xen_qlock_wait() - [x86] xen: make xen_qlock_wait() nestable - libertas: don't set URB_ZERO_PACKET on IN USB transfer - [x86] usbip:vudc: BUG kmalloc-2048 (Not tainted): Poison overwritten - iwlwifi: mvm: check return value of rs_rate_from_ucode_rate() - [x86] libnvdimm: Hold reference on parent while scheduling async init - [x86] ASoC: intel: skylake: Add missing break in skl_tplg_get_token() - jbd2: fix use after free in jbd2_log_do_checkpoint() - gfs2_meta: ->mount() can get NULL dev_name - ext4: initialize retries variable in ext4_da_write_inline_data_begin() - ext4: propagate error from dquot_initialize() in EXT4_IOC_FSSETXATTR - HID: hiddev: fix potential Spectre v1 - EDAC, {i7core,sb,skx}_edac: Fix uncorrected error counting - [amd64] EDAC, skx_edac: Fix logical channel intermediate decoding - PCI: Add Device IDs for Intel GPU "spurious interrupt" quirk - [ppc64el] signal/GenWQE: Fix sending of SIGKILL - crypto: lrw - Fix out-of bounds access on counter overflow - crypto: tcrypt - fix ghash-generic speed test - ima: fix showing large 'violations' or 'runtime_measurements_count' - hugetlbfs: dirty pages as they are added to pagecache - [armhf] w1: omap-hdq: fix missing bus unregister at removal - smb3: allow stats which track session and share reconnects to be reset - smb3: do not attempt cifs operation in smb3 query info error path - smb3: on kerberos mount if server doesn't specify auth type use krb5 - printk: Fix panic caused by passing log_buf_len to command line - genirq: Fix race on spurious interrupt detection - NFSv4.1: Fix the r/wsize checking - nfsd: Fix an Oops in free_session() - lockd: fix access beyond unterminated strings in prints - dm ioctl: harden copy_params()'s copy_from_user() from malicious users - [powerpc*] msi: Fix compile error on mpc83xx - [mips*] OCTEON: fix out of bounds array access on CN68XX - media: v4l2-tpg: fix kernel oops when enabling HFLIP and OSD - [x86] xen: fix xen_qlock_wait() - media: em28xx: use a default format if TRY_FMT fails - media: tvp5150: avoid going past array on v4l2_querymenu() - media: em28xx: fix input name for Terratec AV 350 - media: em28xx: make v4l2-compliance happier by starting sequence on zero - [arm64] lse: remove -fcall-used-x0 flag - rpmsg: smd: fix memory leak on channel create - Cramfs: fix abad comparison when wrap-arounds occur - [arm64,armhf] soc/tegra: pmc: Fix child-node lookup - btrfs: Handle owner mismatch gracefully when walking up tree - btrfs: locking: Add extra check in btrfs_init_new_buffer() to avoid deadlock - btrfs: fix error handling in free_log_tree - btrfs: iterate all devices during trim, instead of fs_devices::alloc_list - btrfs: don't attempt to trim devices that don't support it - btrfs: wait on caching when putting the bg cache - btrfs: reset max_extent_size on clear in a bitmap - btrfs: make sure we create all new block groups - Btrfs: fix wrong dentries after fsync of file that got its parent replaced - btrfs: qgroup: Dirty all qgroups before rescan - Btrfs: fix null pointer dereference on compressed write path error - btrfs: set max_extent_size properly - MD: fix invalid stored role for a disk - try2 https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.138 - [powerpc*] powerpc/eeh: Fix possible null deref in eeh_dump_dev_log() - tty: check name length in tty_find_polling_driver() - [powerpc*] nohash: fix undefined behaviour when testing page size support - [armhf] drm/omap: fix memory barrier bug in DMM driver - media: pci: cx23885: handle adding to list failure - [mips*] kexec: Mark CPU offline before disabling local IRQ - [powerpc*] boot: Ensure _zimage_start is a weak symbol - [mips*] PCI: Call pcie_bus_configure_settings() to set MPS/MRRS - media: tvp5150: fix width alignment during set_selection() - 9p locks: fix glock.client_id leak in do_lock - 9p: clear dangling pointers in p9stat_free - cdrom: fix improper type cast, which can leat to information leak. (CVE-2018-18710) - scsi: qla2xxx: Fix incorrect port speed being set for FC adapters - scsi: qla2xxx: shutdown chip if reset fail - fuse: Fix use-after-free in fuse_dev_do_read() - fuse: Fix use-after-free in fuse_dev_do_write() - fuse: fix blocked_waitq wakeup - fuse: set FR_SENT while locked - mm: do not bug_on on incorrect length in __mm_populate() - e1000: avoid null pointer dereference on invalid stat type - e1000: fix race condition between e1000_down() and e1000_watchdog - bna: ethtool: Avoid reading past end of buffer - [hppa/parisc] Align os_hpmc_size on word boundary - [hppa/parisc] Fix HPMC handler by increasing size to multiple of 16 bytes - [hppa/parisc] Fix exported address of os_hpmc handler - [mips64el,mipsel] Loongson-3: Fix CPU UART irq delivery problem - [mips64le,mipsel] Loongson-3: Fix BRIDGE irq delivery problem - [armhf] clk: s2mps11: Fix matching when built as module and DT node contains compatible - [armhf] clk: rockchip: Fix static checker warning in rockchip_ddrclk_get_parent call - libceph: bump CEPH_MSG_MAX_DATA_LEN - Revert "ceph: fix dentry leak in splice_dentry()" - mach64: fix display corruption on big endian machines - mach64: fix image corruption due to reading accelerator registers - [arm64] reset: hisilicon: fix potential NULL pointer dereference - vhost/scsi: truncate T10 PI iov_iter to prot_bytes - ocfs2: fix a misuse a of brelse after failing ocfs2_check_dir_entry - mm: thp: relax __GFP_THISNODE for MADV_HUGEPAGE mappings - netfilter: conntrack: fix calculation of next bucket number in early_drop - termios, tty/tty_baudrate.c: fix buffer overrun - Btrfs: fix cur_offset in the error case for nocow - Btrfs: fix data corruption due to cloning of eof block - clockevents/drivers/i8253: Add support for PIT shutdown quirk - ext4: add missing brelse() update_backups()'s error path - ext4: add missing brelse() in set_flexbg_block_bitmap()'s error path - ext4: add missing brelse() add_new_gdb_meta_bg()'s error path - ext4: avoid potential extra brelse in setup_new_flex_group_blocks() - ext4: fix possible inode leak in the retry loop of ext4_resize_fs() - ext4: avoid buffer leak in ext4_orphan_add() after prior errors - ext4: fix missing cleanup if ext4_alloc_flex_bg_array() fails while resizing - ext4: avoid possible double brelse() in add_new_gdb() on error path - ext4: fix possible leak of sbi->s_group_desc_leak in error path - ext4: fix possible leak of s_journal_flag_rwsem in error path - ext4: release bs.bh before re-using in ext4_xattr_block_find() - ext4: fix buffer leak in ext4_xattr_move_to_block() on error path - ext4: fix buffer leak in __ext4_read_dirblock() on error path - mount: Retest MNT_LOCKED in do_umount - mount: Don't allow copying MNT_UNBINDABLE|MNT_LOCKED mounts - mount: Prevent MNT_DETACH from disconnecting locked mounts - sunrpc: correct the computation for page_ptr when truncating - nfsd: COPY and CLONE operations require the saved filehandle to be set - rtc: hctosys: Add missing range error reporting - fuse: fix use-after-free in fuse_direct_IO() - fuse: fix leaked notify reply - configfs: replace strncpy with memcpy - lib/ubsan.c: don't mark __ubsan_handle_builtin_unreachable as noreturn - hugetlbfs: fix kernel BUG at fs/hugetlbfs/inode.c:444! - mm: migration: fix migration of huge PMD shared pages - [armhf] drm/rockchip: Allow driver to be shutdown on reboot/kexec - drm/dp_mst: Check if primary mstb is null - [x86] drm/i915/hdmi: Add HDMI 2.0 audio clock recovery N values - [x86] drm/i915/execlists: Force write serialisation into context image vs execution - [arm64] KVM: Fix caching of host MDCR_EL2 value https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.139 - flow_dissector: do not dissect l4 ports for fragments - ip_tunnel: don't force DF when MTU is locked - net-gro: reset skb->pkt_type in napi_reuse_skb() - sctp: not allow to set asoc prsctp_enable by sockopt - tg3: Add PHY reset for 5717/5719/5720 in change ring and flow control paths - usbnet: smsc95xx: disable carrier check while suspending - inet: frags: better deal with smp races - ipv6: Fix PMTU updates for UDP/raw sockets in presence of VRF - kbuild: Add better clang cross build support - kbuild: clang: add -no-integrated-as to KBUILD_[AC]FLAGS - kbuild: Consolidate header generation from ASM offset information - kbuild: consolidate redundant sed script ASM offset generation - kbuild: fix asm-offset generation to work with clang - kbuild: drop -Wno-unknown-warning-option from clang options - kbuild, LLVMLinux: Add -Werror to cc-option to support clang - kbuild: use -Oz instead of -Os when using clang - kbuild: Add support to generate LLVM assembly files - modules: mark __inittest/__exittest as __maybe_unused - [x86] kbuild: Use cc-option to enable -falign-{jumps/loops} - [amd64] crypto, x86: aesni - fix token pasting for clang - kbuild: Add __cc-option macro - [x86] build: Use __cc-option for boot code compiler options - [x86] build: Specify stack alignment for clang - kbuild: clang: Disable 'address-of-packed-member' warning - [arm64] crypto: arm64/sha - avoid non-standard inline asm tricks - [x86] boot: #undef memcpy() et al in string.c - [arm64] efi/libstub/arm64: Use hidden attribute for struct screen_info reference - [arm64] efi/libstub/arm64: Force 'hidden' visibility for section markers - efi/libstub: Preserve .debug sections after absolute relocation check - [arm64] efi/libstub/arm64: Set -fpie when building the EFI stub - [x86] build: Fix stack alignment for CLang - [x86] build: Use cc-option to validate stack alignment parameter - Kbuild: use -fshort-wchar globally - [arm64] uaccess: suppress spurious clang warning - [armel,armhf] add more CPU part numbers for Cortex and Brahma B15 CPUs - [armel,armhf] bugs: prepare processor bug infrastructure - [armel,armhf] bugs: hook processor bug checking into SMP and suspend paths - [armel,armhf] bugs: add support for per-processor bug checking - [armel,armhf] spectre: add Kconfig symbol for CPUs vulnerable to Spectre - [armel,armhf] spectre-v2: harden branch predictor on context switches - [armel,armhf] spectre-v2: add Cortex A8 and A15 validation of the IBE bit - [armel,armhf] spectre-v2: harden user aborts in kernel space - [armel,armhf] spectre-v2: add firmware based hardening - [armel,armhf] spectre-v2: warn about incorrect context switching functions - [armel,armhf] KVM: invalidate BTB on guest exit for Cortex-A12/A17 - [armel,armhf] KVM: invalidate icache on guest exit for Cortex-A15 - [armel,armhf] spectre-v2: KVM: invalidate icache on guest exit for Brahma B15 - [armel,armhf] KVM: Add SMCCC_ARCH_WORKAROUND_1 fast handling - [armel,armhf] KVM: report support for SMCCC_ARCH_WORKAROUND_1 - [armel,armhf] spectre-v1: add speculation barrier (csdb) macros - [armel,armhf] spectre-v1: add array_index_mask_nospec() implementation - [armel,armhf] spectre-v1: fix syscall entry - [armel,armhf] signal: copy registers using __copy_from_user() - [armel,armhf] vfp: use __copy_from_user() when restoring VFP state - [armel,armhf] oabi-compat: copy semops using __copy_from_user() - [armel,armhf] use __inttype() in get_user() - [armel,armhf] spectre-v1: use get_user() for __get_user() - [armel,armhf] spectre-v1: mitigate user accesses https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.140 - Revert "x86/speculation: Enable cross-hyperthread spectre v2 STIBP mitigation" - Revert "ipv6: set rt6i_protocol properly in the route when it is installed" https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.141 - cifs: don't dereference smb_file_target before null check - reiserfs: propagate errors from fill_with_dentries() properly - hfs: prevent btree data loss on root split - hfsplus: prevent btree data loss on root split - drm/edid: Add 6 bpc quirk for BOE panel. - clk: fixed-rate: fix of_node_get-put imbalance - fs/exofs: fix potential memory leak in mount option parsing - [armhf] clk: samsung: exynos5420: Enable PERIS clocks for suspend - [x86] platform/x86: acerhdf: Add BIOS entry for Gateway LT31 v1.3307 - [arm64] percpu: Initialize ret in the default case - netfilter: ipset: actually allow allowable CIDR 0 in hash:net,port,net - netfilter: ipset: Correct rcu_dereference() call in ip_set_put_comment() - netfilter: xt_IDLETIMER: add sysfs filename checking routine - [s390x] qeth: fix HiperSockets sniffer - [ppc64el] hwmon: (ibmpowernv) Remove bogus __init annotations - clk: fixed-factor: fix of_node_get-put imbalance - qed: Fix memory/entry leak in qed_init_sp_request() - qed: Fix blocking/unlimited SPQ entries leak - zram: close udev startup race condition as default groups - SUNRPC: drop pointless static qualifier in xdr_get_next_encode_buffer() - gfs2: Put bitmap buffers in put_super - btrfs: Enhance btrfs_trim_fs function to handle error better - btrfs: Ensure btrfs_trim_fs can trim the whole filesystem - btrfs: fix pinned underflow after transaction aborted - Revert "media: videobuf2-core: don't call memop 'finish' when queueing" - Revert "Bluetooth: h5: Fix missing dependency on BT_HCIUART_SERDEV" - media: v4l: event: Add subscription to list before calling "add" operation - uio: Fix an Oops on load - usb: cdc-acm: add entry for Hiro (Conexant) modem - USB: quirks: Add no-lpm quirk for Raydium touchscreens - usb: quirks: Add delay-init quirk for Corsair K70 LUX RGB - USB: misc: appledisplay: add 20" Apple Cinema Display - [x86] ACPI / platform: Add SMB0001 HID to forbidden_id_list - HID: uhid: forbid UHID_CREATE under KERNEL_DS or elevated privileges - libceph: fall back to sendmsg for slab pages https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.142 - usb: core: Fix hub port connection events lost - [arm64,armhf] usb: dwc3: core: Clean up ULPI device - usb: xhci: fix timeout for transition from RExit to U0 - MAINTAINERS: Add Sasha as a stable branch maintainer - gpio: don't free unallocated ida on gpiochip_add_data_with_key() error path - iwlwifi: mvm: support sta_statistics() even on older firmware - iwlwifi: mvm: fix regulatory domain update when the firmware starts - brcmfmac: fix reporting support for 160 MHz channels - tools/power/cpupower: fix compilation with STATIC=true - v9fs_dir_readdir: fix double-free on p9stat_read error - selinux: Add __GFP_NOWARN to allocation at str_read() - bfs: add sanity check at bfs_fill_super() - sctp: clear the transport of some out_chunk_list chunks in sctp_assoc_rm_peer - gfs2: Don't leave s_fs_info pointing to freed memory in init_sbd - llc: do not use sk_eat_skb() - mm: don't warn about large allocations for slab - drm/ast: change resolution may cause screen blurred - drm/ast: fixed cursor may disappear sometimes - drm/ast: Remove existing framebuffers before loading driver - can: dev: can_get_echo_skb(): factor out non sending code to __can_get_echo_skb() - can: dev: __can_get_echo_skb(): replace struct can_frame by canfd_frame to access frame length - can: dev: __can_get_echo_skb(): Don't crash the kernel if can_priv::echo_skb is accessed out of bounds - can: dev: __can_get_echo_skb(): print error message, if trying to echo non existing skb - IB/core: Fix for core panic - [amd64] IB/hfi1: Eliminate races in the SDMA send error path - usb: xhci: Prevent bus suspend if a port connect change or polling state is detected - [arm64] pinctrl: meson: fix pinconf bias disable - [armhf] cpufreq: imx6q: add return value check for voltage scale - floppy: fix race condition in __floppy_read_block_0() - [powerpc*] io: Fix the IO workarounds code to work with Radix - [x86] perf/x86/intel/uncore: Add more IMC PCI IDs for KabyLake and CoffeeLake CPUs - SUNRPC: Fix a bogus get/put in generic_key_to_expire() - [powerpc*] numa: Suppress "VPHN is not supported" messages - [arm64,armhf] efi/arm: Revert deferred unmap of early memmap mapping - tmpfs: make lseek(SEEK_DATA/SEK_HOLE) return ENXIO with a negative offset - of: add helper to lookup compatible child node - ath10k: fix kernel panic due to race in accessing arvif list - Input: xpad - add product ID for Xbox One S pad - Input: xpad - fix Xbox One rumble stopping after 2.5 secs - Input: xpad - correctly sort vendor id's - Input: xpad - move reporting xbox one home button to common function - Input: xpad - simplify error condition in init_output - Input: xpad - don't depend on endpoint order - Input: xpad - fix stuck mode button on Xbox One S pad - Input: xpad - restore LED state after device resume - Input: xpad - support some quirky Xbox One pads - Input: xpad - sort supported devices by USB ID - Input: xpad - sync supported devices with xboxdrv - Input: xpad - add USB IDs for Mad Catz Brawlstick and Razer Sabertooth - Input: xpad - sync supported devices with 360Controller - Input: xpad - sync supported devices with XBCD - Input: xpad - constify usb_device_id - Input: xpad - fix PowerA init quirk for some gamepad models - Input: xpad - validate USB endpoint type during probe - Input: xpad - add support for PDP Xbox One controllers - Input: xpad - add PDP device id 0x02a4 - Input: xpad - fix some coding style issues - Input: xpad - avoid using __set_bit() for capabilities - Input: xpad - add GPD Win 2 Controller USB IDs - Input: xpad - fix GPD Win 2 controller name - Input: xpad - add support for Xbox1 PDP Camo series gamepad - mwifiex: prevent register accesses after host is sleeping - mwifiex: report error to PCIe for suspend failure - mwifiex: Fix NULL pointer dereference in skb_dequeue() - mwifiex: fix p2p device doesn't find in scan problem - scsi: ufs: fix bugs related to null pointer access and array size - scsi: ufshcd: Fix race between clk scaling and ungate work - scsi: ufs: fix race between clock gating and devfreq scaling work - scsi: ufshcd: release resources if probe fails - tty: wipe buffer. - tty: wipe buffer if not echoing data - usb: xhci: fix uninitialized completion when USB3 port got wrong status - sched/core: Allow __sched_setscheduler() in interrupts when PI is not used - namei: allow restricted O_CREAT of FIFOs and regular files - lan78xx: Read MAC address from DT if present - [s390x] mm: Check for valid vma before zapping in gmap_discard - net: ieee802154: 6lowpan: fix frag reassembly - Revert "evm: Translate user/group ids relative to s_user_ns when computing HMAC" - ima: always measure and audit files in policy - ima: re-introduce own integrity cache lock - ima: re-initialize iint->atomic_flags https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.143 - mm/huge_memory: rename freeze_page() to unmap_page() - mm/huge_memory.c: reorder operations in __split_huge_page_tail() - mm/huge_memory: splitting set mapping+index before unfreeze - mm/huge_memory: fix lockdep complaint on 32-bit i_size_read() - mm/khugepaged: collapse_shmem() stop if punched or truncated - shmem: shmem_charge: verify max_block is not exceeded before inode update - shmem: introduce shmem_inode_acct_block - mm/khugepaged: fix crashes due to misaccounted holes - mm/khugepaged: collapse_shmem() remember to clear holes - mm/khugepaged: minor reorderings in collapse_shmem() - mm/khugepaged: collapse_shmem() without freezing new_page - mm/khugepaged: collapse_shmem() do not crash on Compound - media: em28xx: Fix use-after-free when disconnecting - [arm64,armhf] Revert "wlcore: Add missing PM call for wlcore_cmd_wait_for_event_or_timeout()" - net: skb_scrub_packet(): Scrub offload_fwd_mark - [s390x] qeth: fix length check in SNMP processing - usbnet: ipheth: fix potential recvmsg bug and recvmsg bug 2 - [x86] kvm: mmu: Fix race in emulated page table writes - [x86] kvm: svm: Ensure an IBPB on all affected CPUs when freeing a vmcb - [x86] KVM: Fix scan ioapic use-before-initialization (CVE-2018-19407) - Btrfs: ensure path name is null terminated at btrfs_control_ioctl - [x86] perf/x86/intel: Move branch tracing setup to the Intel-specific source file - [x86] perf/x86/intel: Add generic branch tracing check to intel_pmu_has_bts() - fs: fix lost error code in dio_complete - [i386] ALSA: wss: Fix invalid snd_free_pages() at error path - ALSA: ac97: Fix incorrect bit shift at AC97-SPSA control write - ALSA: control: Fix race between adding and removing a user element - [sparc] ALSA: sparc: Fix invalid snd_free_pages() at error path - ext2: fix potential use after free - btrfs: release metadata before running delayed refs - USB: usb-storage: Add new IDs to ums-realtek - usb: core: quirks: add RESET_RESUME quirk for Cherry G230 Stream series - Revert "usb: dwc3: gadget: skip Set/Clear Halt when invalid" - mm: use swp_offset as key in shmem_replace_page() - [x86] Drivers: hv: vmbus: check the creation_status in vmbus_establish_gpadl() - [amd64] misc: mic/scif: fix copy-paste error in scif_create_remote_lookup - [armhf] bus: arm-cci: remove unnecessary unreachable() - [armhf] trusted_foundations: do not use naked function - [x86] efi/libstub: Make file I/O chunking x86-specific https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.144 - kernfs: Replace strncpy with memcpy - ip_tunnel: Fix name string concatenate in __ip_tunnel_create() - scsi: bfa: convert to strlcpy/strlcat - [x86] staging: rts5208: fix gcc-8 logic error warning - [amd64] x86/power/64: Use char arrays for asm function names - iser: set sector for ambiguous mr status errors - uprobes: Fix handle_swbp() vs. unregister() + register() race once more - [mips*] fix mips_get_syscall_arg o32 check - IB/mlx5: Avoid load failure due to unknown link width - drm/ast: Fix incorrect free on ioregs - drm: set is_master to 0 upon drm_new_set_master() failure - scsi: scsi_devinfo: cleanly zero-pad devinfo strings - scsi: csiostor: Avoid content leaks and casts - [x86] svm: Add mutex_lock to protect apic_access_page_done on AMD systems - Input: xpad - quirk all PDP Xbox One gamepads - Input: elan_i2c - add ELAN0620 to the ACPI table - Input: elan_i2c - add ACPI ID for Lenovo IdeaPad 330-15ARR - Input: elan_i2c - add support for ELAN0621 touchpad - btrfs: Always try all copies when reading extent buffers - Btrfs: fix use-after-free when dumping free space - udf: Allow mounting volumes with incorrect identification strings - [arm64,armhf] reset: make optional functions really optional - [arm64,armhf] reset: core: fix reset_control_put - reset: fix optional reset_control_get stubs to return NULL - [arm64,armhf] reset: add exported __reset_control_get, return NULL if optional - [arm64,armhf] reset: make device_reset_optional() really optional - reset: remove remaining WARN_ON() in - mm: cleancache: fix corruption on missed inode invalidation (CVE-2018-16862) - net: qed: use correct strncpy() size - tipc: use destination length for copy string - libceph: drop len argument of *verify_authorizer_reply() - libceph: no need to drop con->mutex for ->get_authorizer() - libceph: store ceph_auth_handshake pointer in ceph_connection - libceph: factor out __prepare_write_connect() - libceph: factor out __ceph_x_decrypt() - libceph: factor out encrypt_authorizer() - libceph: add authorizer challenge (CVE-2018-1128) - libceph: implement CEPHX_V2 calculation mode (CVE-2018-1129) - libceph: weaken sizeof check in ceph_x_verify_authorizer_reply() - libceph: check authorizer reply/challenge length before reading - bpf: Prevent memory disambiguation attack (CVE-2018-3639) - wil6210: missing length check in wmi_set_ie (CVE-2018-5848) - btrfs: validate type when reading a chunk (CVE-2018-14611) - btrfs: Verify that every chunk has corresponding block group at mount time (CVE-2018-14612) - btrfs: Refactor check_leaf function for later expansion - btrfs: Check if item pointer overlaps with the item itself - btrfs: Add sanity check for EXTENT_DATA when reading out leaf - btrfs: Add checker for EXTENT_CSUM - btrfs: Move leaf and node validation checker to tree-checker.c - btrfs: struct-funcs, constify readers - btrfs: tree-checker: Enhance btrfs_check_node output - btrfs: tree-checker: Fix false panic for sanity test - btrfs: tree-checker: Add checker for dir item - btrfs: tree-checker: use %zu format string for size_t - btrfs: tree-check: reduce stack consumption in check_dir_item - btrfs: tree-checker: Verify block_group_item (CVE-2018-14613) - btrfs: tree-checker: Detect invalid and empty essential trees (CVE-2018-14612) - btrfs: Check that each block group has corresponding chunk at mount time (CVE-2018-14610) - btrfs: tree-checker: Check level for leaves and nodes - btrfs: tree-checker: Fix misleading group system information - f2fs: fix race condition in between free nid allocator/initializer (CVE-2017-18249) - f2fs: detect wrong layout - f2fs: return error during fill_super - f2fs: check blkaddr more accuratly before issue a bio - f2fs: sanity check on sit entry - f2fs: enhance sanity_check_raw_super() to avoid potential overflow - f2fs: clean up with is_valid_blkaddr() - f2fs: introduce and spread verify_blkaddr - f2fs: fix to do sanity check with secs_per_zone (CVE-2018-13100) - f2fs: fix to do sanity check with user_block_count (CVE-2018-13097) - f2fs: Add sanity_check_inode() function - f2fs: fix to do sanity check with node footer and iblocks (CVE-2018-13096) - f2fs: fix to do sanity check with block address in main area - f2fs: fix missing up_read - f2fs: fix to do sanity check with block address in main area v2 (CVE-2018-14616) - f2fs: free meta pages if sanity check for ckpt is failed - f2fs: fix to do sanity check with cp_pack_start_sum (CVE-2018-14614) - xfs: don't fail when converting shortform attr to long form during ATTR_REPLACE (CVE-2018-18690) - hugetlbfs: fix bug in pgoff overflow checking . [ Ben Hutchings ] * drivers/net/ethernet: Ignore ABI changes (fixes FTBFS on arm64; Closes: #914556) * libcpupower: Hide private function and drop it from .symbols file * Revert "elevator: fix truncation of icq_cache_name" to avoid ABI change * reset: Avoid ABI changes in 4.9.144 * esp_scsi: Ignore ABI changes * snd-hda: Ignore ABI changes * posix-timers: Avoid ABI change in 4.9.136 * sched: Avoid ABI change in 4.9.136 * [armel,armhf] Avoid ABI change in 4.9.139 . [ Noah Meyerhans ] * [arm64] PCI: Enable HOTPLUG_PCI and HOTPLUG_PCI_ACPI (Closes: #915231) * drivers/net/ethernet/amazon: Backport ENA 2.0.2 network driver (Closes: #915229) . [ Salvatore Bonaccorso ] * [rt] Refresh 0159-genirq-Allow-disabling-of-softirq-processing-in-irq-.patch for context changes in 4.9.137 * Refresh mips-loongson-3-support-irq_set_affinity-in-i8259-ch.patch for context changes in 4.9.138 * Refresh kbuild-use-nostdinc-in-compile-tests.patch for context changes in 4.9.139 * Refresh inet-frags-avoid-abi-change-in-4.9.134.patch for context changes in 4.9.139 * scripts/mod: Update modpost wrapper for 4.9.139. Upstream commit cf0c3e68aa81 "kbuild: fix asm-offset generation to work with clang" changed the macros used by devicetable-offsets.c. Copy the new sed code from upstream scripts/Makefile.lib. Originates from the same change for 4.12 done by Ben Hutchings. * Refresh media-v4l-avoid-abi-change-in-4.9.131.patch for context changes in 4.9.141 * Refresh fs-enable-link-security-restrictions-by-default.patch for context changes in 4.9.142 * Refresh inet-frags-avoid-abi-change-in-4.9.134.patch for context changes in 4.9.142 . [ Michal Simek ] * [arm64] Enable Xilinx ZynqMP SoC and drivers linux (4.9.135-1) stretch; urgency=medium . * New upstream stable update: https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.131 - crypto: skcipher - Fix -Wstringop-truncation warnings - tsl2550: fix lux1_input error in low light - [x86] vmci: type promotion bug in qp_host_get_user_memory() - [amd64] numa_emulation: Fix emulated-to-physical node mapping - [x86] staging: rts5208: fix missing error check on call to rtsx_write_register - uwb: hwa-rc: fix memory leak at probe - [arm64,armhf] power: vexpress: fix corruption in notifier registration - [amd64] iommu/amd: make sure TLB to be flushed before IOVA freed - Bluetooth: Add a new Realtek 8723DE ID 0bda:b009 - USB: serial: kobil_sct: fix modem-status error handling - 6lowpan: iphc: reset mac_header after decompress to fix panic - [s390x] mm: correct allocate_pgste proc_handler callback - power: remove possible deadlock when unregistering power_supply - IB/core: type promotion bug in rdma_rw_init_one_mr() - [powerpc*] kdump: Handle crashkernel memory reservation failure - [x86] tsc: Add missing header to tsc_msr.c - [armhf] hwmod: RTC: Don't assume lock/unlock will be called with irq enabled - [x86] entry/64: Add two more instruction suffixes - scsi: target/iscsi: Make iscsit_ta_authentication() respect the output buffer size - scsi: klist: Make it safe to use klists in atomic context - [powerpc/powerpc64,ppc64*] scsi: ibmvscsi: Improve strings handling - usb: wusbcore: security: cast sizeof to int for comparison - [ppc64el] powerpc/powernv/ioda2: Reduce upper limit for DMA window size - alarmtimer: Prevent overflow for relative nanosleep (CVE-2018-13053) - [s390x] extmem: fix gcc 8 stringop-overflow warning - [armhf] media: omap3isp: zero-initialize the isp cam_xclk{a,b} initial data - drivers/tty: add error handling for pcmcia_loop_config - [x86] media: tm6000: add error handling for dvb_register_adapter - ALSA: hda: Add AZX_DCAPS_PM_RUNTIME for AMD Raven Ridge - ath10k: protect ath10k_htt_rx_ring_free with rx_ring.lock - rndis_wlan: potential buffer overflow in rndis_wlan_auth_indication() - [arm64,armhf] wlcore: Add missing PM call for wlcore_cmd_wait_for_event_or_timeout() - [armhf] mvebu: declare asm symbols as character arrays in pmsu.c - HID: hid-ntrig: add error handling for sysfs_create_group - [x86] perf/x86/intel/lbr: Fix incomplete LBR call stack - scsi: bnx2i: add error handling for ioremap_nocache - scsi: megaraid_sas: Update controller info during resume - [x86] EDAC, i7core: Fix memleaks and use-after-free on probe and remove - ASoC: dapm: Fix potential DAI widget pointer deref when linking DAIs - nfsd: fix corrupted reply to badly ordered compound - EDAC: Fix memleak in module init error path - [armhf] dts: dra7: fix DCAN node addresses - [arm64] spi: tegra20-slink: explicitly enable/disable clock - [arm*] regulator: fix crash caused by null driver data - USB: fix error handling in usb_driver_claim_interface() - USB: handle NULL config in usb_find_alt_setting() - slub: make ->cpu_partial unsigned int - media: uvcvideo: Support realtek's UVC 1.5 device - USB: usbdevfs: sanitize flags more - USB: usbdevfs: restore warning for nonsensical flags - Revert "usb: cdc-wdm: Fix a sleep-in-atomic-context bug in service_outstanding_interrupt()" - USB: remove LPM management from usb_driver_claim_interface() - Input: elantech - enable middle button of touchpad on ThinkPad P72 - IB/srp: Avoid that sg_reset -d ${srp_device} triggers an infinite loop - [amd64] IB/hfi1: Invalid user input can result in crash - [amd64] IB/hfi1: Fix context recovery when PBC has an UnsupportedVL - scsi: target: iscsi: Use bin2hex instead of a re-implementation - [armhf] serial: imx: restore handshaking irq for imx1 - [amd64] IB/hfi1: Fix SL array bounds check - qed: Wait for ready indication before rereading the shmem - qed: Wait for MCP halt and resume commands to take place - [arm*] thermal: of-thermal: disable passive polling when thermal zone is disabled - [arm64] net: hns: fix length and page_offset overflow when CONFIG_ARM64_64K_PAGES - [arm64] net: hns: fix skb->truesize underestimation - e1000: check on netif_running() before calling e1000_up() - e1000: ensure to free old tx/rx rings in set_ringparam() - hwmon: (adt7475) Make adt7475_read_word() return errors - [x86] drm/amdgpu: Enable/disable gfx PG feature in rlc safe mode - [arm*] smccc-1.1: Make return values unsigned long - [arm*] smccc-1.1: Handle function result as parameters - [x86] i2c: i801: Allow ACPI AML access I/O ports not reserved for SMBus - media: v4l: event: Prevent freeing event subscriptions while accessed https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.132 - [arm64] serial: mvebu-uart: Fix reporting of effective CSIZE to userspace - time: Introduce jiffies64_to_nsecs() - mac80211: Run TXQ teardown code before de-registering interfaces - [ppc64el] KVM: PPC: Book3S HV: Don't truncate HPTE index in xlate function - mac80211: correct use of IEEE80211_VHT_CAP_RXSTBC_X - mac80211_hwsim: correct use of IEEE80211_VHT_CAP_RXSTBC_X - mac80211: mesh: fix HWMP sequence numbering to follow standard - [arm64] net: hns: add netif_carrier_off before change speed and duplex - cfg80211: nl80211_update_ft_ies() to validate NL80211_ATTR_IE - gpio: Fix crash due to registration race - RAID10 BUG_ON in raise_barrier when force is true and conf->barrier is 0 - fs/cifs: don't translate SFM_SLASH (U+F026) to backslash - cfg80211: fix a type issue in ieee80211_chandef_to_operating_class() - mac80211: fix a race between restart and CSA flows - mac80211: Fix station bandwidth setting after channel switch - mac80211: don't Tx a deauth frame if the AP forbade Tx - mac80211: shorten the IBSS debug messages - mm: madvise(MADV_DODUMP): allow hugetlbfs pages - HID: add support for Apple Magic Keyboards - HID: hid-saitek: Add device ID for RAT 7 Contagion - perf evsel: Fix potential null pointer dereference in perf_evsel__new_idx() - [ppc64el] perf probe powerpc: Ignore SyS symbols irrespective of endianness - RDMA/ucma: check fd type in ucma_migrate_id() - USB: yurex: Check for truncation in yurex_read() - nvmet-rdma: fix possible bogus dereference under heavy load - net/mlx5: Consider PCI domain in search for next dev - drm/nouveau/TBDdevinit: don't fail when PMU/PRE_OS is missing from VBIOS - dm raid: fix rebuild of specific devices by updating superblock - fs/cifs: suppress a string overflow warning - [x86] net: ena: fix driver when PAGE_SIZE == 64kB - [x86] perf/x86/intel: Add support/quirk for the MISPREDICT bit on Knights Landing CPUs - dm thin metadata: try to avoid ever aborting transactions - [arm64] jump_label.h: use asm_volatile_goto macro instead of "asm goto" - r8169: Clear RTL_FLAG_TASK_*_PENDING when clearing RTL_FLAG_TASK_ENABLED - [s390x] qeth: use vzalloc for QUERY OAT buffer - [s390x] qeth: don't dump past end of unknown HW header - cifs: read overflow in is_valid_oplock_break() - xen/manage: don't complain about an empty value in control/sysrq node - xen: avoid crash in disable_hotplug_cpu - xen: fix GCC warning and remove duplicate EVTCHN_ROW/EVTCHN_COL usage - sysfs: Do not return POSIX ACL xattrs via listxattr - smb2: fix missing files in root share directory listing - ALSA: hda/realtek - Cannot adjust speaker's volume on Dell XPS 27 7760 - [x86] crypto: qat - Fix KASAN stack-out-of-bounds bug in adf_probe() - gpiolib: Free the last requested descriptor - proc: restrict kernel stack dumps to root (CVE-2018-17972) - ocfs2: fix locking for res->tracking and dlm->tracking_list - dm thin metadata: fix __udivdi3 undefined on 32-bit https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.133 - mm/vmstat.c: skip NR_TLB_REMOTE_FLUSH* properly - [amd64] x86/vdso: Fix asm constraints on vDSO syscall fallbacks - [amd64] x86/vdso: Fix vDSO syscall fallback asm constraint regression - PCI: Reprogram bridge prefetch registers on resume - mac80211: fix setting IEEE80211_KEY_FLAG_RX_MGMT for AP mode keys - PM / core: Clear the direct_complete flag on errors - dm cache metadata: ignore hints array being too small during resize - dm cache: fix resize crash if user doesn't reload cache table - xhci: Add missing CAS workaround for Intel Sunrise Point xHCI - USB: serial: simple: add Motorola Tetra MTP6550 id - tty: Drop tty->count on tty_reopen() failure - cgroup: Fix deadlock in cpu hotplug path - ath10k: fix use-after-free in ath10k_wmi_cmd_send_nowait - ath10k: fix kernel panic issue during pci probe - f2fs: fix invalid memory access - ucma: fix a use-after-free in ucma_resolve_ip() - ubifs: Check for name being NULL while mounting - ath10k: fix scan crash due to incorrect length calculation - ebtables: arpreply: Add the standard target sanity check - [x86] fpu: Remove use_eager_fpu() - [x86] fpu: Remove struct fpu::counter - Revert "perf: sync up x86/.../cpufeatures.h" - [x86] fpu: Finish excising 'eagerfpu' https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.134 - [armhf] mfd: omap-usb-host: Fix dts probe of children - scsi: iscsi: target: Don't use stack buffer for scatterlist - scsi: qla2xxx: Fix an endian bug in fcpcmd_is_corrupted() - sound: enable interrupt after dma buffer initialization - [arm64,armhf] stmmac: fix valid numbers of unicast filter entries - [x86] kvm/lapic: always disable MMIO interface in x2APIC mode - ext4: Fix error code in ext4_xattr_set_entry() - mm/vmstat.c: fix outdated vmstat_text - mach64: detect the dot clock divider correctly on sparc - [x86] i2c: i2c-scmi: fix for i2c_smbus_write_block_data - xhci: Don't print a warning when setting link state for disabled ports - bnxt_en: Fix TX timeout during netpoll. - bonding: avoid possible dead-lock - ip6_tunnel: be careful when accessing the inner header - ip_tunnel: be careful when accessing the inner header - ipv4: fix use-after-free in ip_cmsg_recv_dstaddr() - ipv6: take rcu lock in rawv6_send_hdrinc() - [armhf] net: dsa: bcm_sf2: Call setup during switch resume - ]arm64] net: hns: fix for unmapping problem when SMMU is on - net: ipv4: update fnhe_pmtu when first hop's MTU changes - net/ipv6: Display all addresses in output of /proc/net/if_inet6 - net/usb: cancel pending work when unbinding smsc75xx - qlcnic: fix Tx descriptor corruption on 82xx devices - qmi_wwan: Added support for Gemalto's Cinterion ALASxx WWAN interface - team: Forbid enslaving team device to itself - [armhf] net: dsa: bcm_sf2: Fix unbind ordering - [armhf] net: mvpp2: Extract the correct ethtype from the skb for tx csum offload - rtnl: limit IFLA_NUM_TX_QUEUES and IFLA_NUM_RX_QUEUES to 4096 - tcp/dccp: fix lockdep issue when SYN is backlogged - inet: make sure to grab rcu_read_lock before using ireq->ireq_opt - inet: frags: change inet_frags_init_net() return value - inet: frags: add a pointer to struct netns_frags - inet: frags: refactor ipfrag_init() - inet: frags: refactor ipv6_frag_init() - inet: frags: refactor lowpan_net_frag_init() - ipv6: export ip6 fragments sysctl to unprivileged users - rhashtable: add schedule points - inet: frags: use rhashtables for reassembly units - inet: frags: remove some helpers - inet: frags: get rif of inet_frag_evicting() - inet: frags: remove inet_frag_maybe_warn_overflow() - inet: frags: do not clone skb in ip_expire() - ipv6: frags: rewrite ip6_expire_frag_queue() - inet: frags: get rid of ipfrag_skb_cb/FRAG_CB - ip: discard IPv4 datagrams with overlapping segments. - net: speed up skb_rbtree_purge() - net: modify skb_rbtree_purge to return the truesize of all purged skbs. - ipv6: defrag: drop non-last frags smaller than min mtu - net: pskb_trim_rcsum() and CHECKSUM_COMPLETE are friends - net: add rb_to_skb() and other rb tree helpers - ip: use rb trees for IP frag queue. - ip: add helpers to process in-order fragments faster. - ip: process in-order fragments efficiently - ip: frags: fix crash in ip_do_fragment() - ipv4: frags: precedence bug in ip_expire() https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.135 - media: af9035: prevent buffer overflow on write - batman-adv: Fix segfault when writing to throughput_override - batman-adv: Fix segfault when writing to sysfs elp_interval - batman-adv: Prevent duplicated nc_node entry - batman-adv: Prevent duplicated softif_vlan entry - batman-adv: Prevent duplicated global TT entry - batman-adv: Prevent duplicated tvlv handler - batman-adv: fix backbone_gw refcount on queue_work() failure - batman-adv: fix hardif_neigh refcount on queue_work() failure - [armhf] clocksource/drivers/ti-32k: Add CLOCK_SOURCE_SUSPEND_NONSTOP flag for non-am43 SoCs - [powerpc*/*64*] scsi: ibmvscsis: Fix a stringop-overflow warning - [powerpc*/*64*] scsi: ibmvscsis: Ensure partition name is properly NUL terminated - [arm64] drm: mali-dp: Call drm_crtc_vblank_reset on device init - scsi: sd: don't crash the host on invalid commands - net/mlx4: Use cpumask_available for eq->affinity_mask - [powerpc*] tm: Fix userspace r13 corruption - [powerpc*] tm: Avoid possible userspace r1 corruption on reclaim - [amd64] iommu/amd: Return devid as alias for ACPI HID devices - mremap: properly flush TLB before releasing the page (CVE-2018-18281) - mm: Preserve _PAGE_DEVMAP across mprotect() calls - netfilter: check for seqadj ext existence before adding it in nf_nat_setup_info - HID: quirks: fix support for Apple Magic Keyboards - usb: gadget: serial: fix oops when data rx'd after close - sched/cputime: Convert kcpustat to nsecs - sched/cputime: Increment kcpustat directly on irqtime account - sched/cputime: Fix ksoftirqd cputime accounting regression - [x86] HV: properly delay KVP packets when negotiation is in progress . [ Ben Hutchings ] * Resolve ABI changes caused by upstream fix for CVE-2018-5391: - Revert "inet: frags: fix ip6frag_low_thresh boundary" - Revert "inet: frags: reorganize struct netns_frags" - Revert "rhashtable: reorganize struct rhashtable layout" - Revert "inet: frags: break the 2GB limit for frags storage" - inet: frags: Avoid ABI change in 4.9.134 - sk_buff: Avoid ABI change in 4.9.134 - snmp: Remove the ReasmOverlaps statistic - ipv6: Ignore ABI changes in fragment reassembly functions * [x86] fpu: Avoid ABI change in 4.9.133 * power: Avoid ABI change in 4.9.131 * slub: Avoid ABI change in 4.9.131 * media: v4l: Avoid ABI change in 4.9.131 * netdev: Hide netdev_notifier_info_ext from modules * [x86] Revert "x86/mm: Expand static page table for fixmap space" linux-igd (1.0+cvs20070630-5+deb9u1) stretch; urgency=medium . * QA upload. * Set maintainer to the QA group. * Make the init script require $network; patch by Nye Liu (Closes: #885826) lttng-modules (2.9.0-1+deb9u1) stable; urgency=medium . * [c3d8eab] Stretch gbp branch config * [ee40323] Fix build on linux-rt 4.9 kernels. (Closes: #864404) * [b20f74a] Fix build on >= 4.9.0-3 kernels (Closes: #889901) mistral (3.0.0-4+deb9u1) stretch; urgency=medium . * CVE-2018-16849: std.ssh action may disclose presence of arbitrary files, applied upstream patch: remove extra information from std.ssh action. (Closes: #912714). monkeysign (2.2.3+deb9u1) stretch; urgency=medium . * upload to Debian stable mpqc (2.3.1-18+deb9u1) stretch; urgency=medium . [ Andreas Beckmann ] * Non-maintainer upload. * Backport the sc-libtool fix from 2.3.1-19. . [ Michael Banck ] * debian/libsc-dev.install: Install sc-libtool as well, thanks to Hideki Yamane (closes: #873719). mupdf (1.9a+ds1-4+deb9u4) stretch-security; urgency=high . * Fix CVE-2017-17866, CVE-2018-1000037, CVE-2018-1000040, CVE-2018-5686, CVE-2018-6187, and CVE-2018-6192 (Closes: #885120, #887130, #888464, #888487) netatalk (2.2.5-2+deb9u1) stretch-security; urgency=high . * Non-maintainer upload by the Security Team. * Unauthenticated remote code execution in Netatalk (CVE-2018-1160) nginx (1.10.3-1+deb9u2) stretch-security; urgency=high . * Backport http2_max_requests directive needed for CVE-2018-16844 mitigation * Backport upstream fixes for 3 CVEs (Closes: #913090) + CVE-2018-16843 Excessive memory usage in HTTP/2 + CVE-2018-16844 Excessive CPU usage in HTTP/2 This change limits the maximum allowed number of idle state switches to 10 * http2_max_requests (i.e., 10000 by default). This limits possible CPU usage in one connection, and also imposes a limit on the maximum lifetime of a connection + CVE-2018-16845 Memory disclosure in the ngx_http_mp4_module nvidia-graphics-drivers (390.87-8~deb9u1) stretch; urgency=medium . * Rebuild for stretch. . nvidia-graphics-drivers (390.87-8) unstable; urgency=medium . * Tune more package relationships to prevent that installing packages from nvidia-graphics-drivers-legacy-390xx driver pulls in packages from nvidia-graphics-drivers via Recommends. . nvidia-graphics-drivers (390.87-7) unstable; urgency=medium . * Updated French (fr) debconf translations by Quentin Lejard. (Closes: #920940) * Use d/control.md5sum to keep track of d/control being up-to-date. * Tune package relationships to prevent that installing packages from nvidia-graphics-drivers-legacy-390xx driver pulls in packages from nvidia-graphics-drivers via Recommends. * Drop versioned constraints that are satisfied in wheezy. . nvidia-graphics-drivers (390.87-6) unstable; urgency=medium . [ Luca Boccassi ] * Add ipmi-user.patch and vm-insert-pfn.patch to fix kernel module build for Linux 4.20 and newer. (Closes: #917586) * Update Swedish (sv) debconf translation. Thank you Martin Bagge! (Closes: #918018) . nvidia-graphics-drivers (390.87-5) unstable; urgency=medium . * Prefer KBUILD_LDFLAGS (used since 4.19) over LDFLAGS. (Closes: #916883) * Work around update-alternatives bug #916799 and re-register the alternative to clean-up leftover slaves. * Bump Standards-Version to 4.3.0. No changes needed. * Update lintian overrides. . nvidia-graphics-drivers (390.87-4) unstable; urgency=medium . [ Andreas Beckmann ] * Drop libnvidia-egl-wayland1, nvidia-egl-wayland-{common,icd} packages. These will be provided by src:egl-wayland. (Closes: #915824) * Add more Conflicts between GLVND/non-GLVND packages to smoothen some install paths with --install-recommends enabled. . [ Philipp Kern ] * debian/gen-control.pl: Generate debian/control from debian/control.in. . nvidia-graphics-drivers (390.87-3) unstable; urgency=medium . * Make libgles-nvidia1 a full citizen again, libglvnd now builds libgles1. * libnvidia-fatbinaryloader: Prevent co-installation with the same upstream version of libnvidia-legacy-390xx-fatbinaryloader. * Pass the private library directory to dh_shlibdeps using the -l option instead of LD_LIBRARY_PATH, fixing FTBFS with dpkg 1.19.1. * Add Build-Depends-Package to symbols files where appropriate and override symbols-file-missing-build-depends-package-field elsewhere. * Clean up and unify rule style in debian/rules. * Add debian/rules targets for archiving the tarballs in a separate repository using sparse checkouts and git-lfs as storage backend. . nvidia-graphics-drivers (390.87-2) unstable; urgency=medium . * Reinstate cc_version_check-gcc5.patch. (Closes: #908568) * nvidia-kernel-dkms.README.Debian: Document that using a mismatching binutils version may result in modules failing to load with errors like "Invalid module format", "Unknown rela relocation: 4". . nvidia-graphics-drivers (390.87-1) unstable; urgency=medium . * New upstream long lived branch release 390.87 (2018-08-27). - Fixed a resource leak introduced in the 390 series of drivers that could lead to reduced performance after starting and stopping several OpenGL and/or Vulkan applications. . [ Luca Boccassi ] * Update nv-readme.ids. * Add drm-mode.patch to fix nvidia-drm build for Linux 4.19. (Closes: #908359) . [ Andreas Beckmann ] * Remove cc_version_check-gcc5.patch and re-enable strict version checks, using mismatching compiler versions may create unloadable modules due to unsupported relocations. * Refresh patches. * Synchronize the module build debhelper sequence with debhelper 10. * Bump Standards-Version to 4.2.1. No changes needed. . nvidia-graphics-drivers (390.77-1) unstable; urgency=medium . * New upstream long lived branch release 390.77 (2018-07-16). - Improved compatibility with recent Linux kernels. - Fixed an intermittent hang of Vulkan applications running fullscreen when flipping is allowed. - Removed informational messages that were printed by nvidia-modeset.ko whenever a GPU device was allocated or freed. - Fixed a bug that caused kwin OpenGL compositing to crash when launching certain OpenGL applications. * New upstream release 367 series. - Updated the OpenGL driver to allow the use of integer format (SINT/UINT) color attachments with depth attachments in Frame Buffer Objects. . nvidia-graphics-drivers (390.67-3) unstable; urgency=medium . [ Luca Boccassi ] * Add drm_control_allow.patch to fix kernel module build for Linux 4.18 and newer. . [ Andreas Beckmann ] * The libGLX_indirect.so.0 alternative is now handled by glx-alternatives. * Bump Standards-Version to 4.1.5. No changes needed. . nvidia-graphics-drivers (390.67-2) unstable; urgency=high . * Add kmem_cache_create_usercopy.patch from Red Hat, fixing "Bad or missing usercopy whitelist? Kernel memory exposure attempt detected from SLUB object 'nvidia_stack_cache'" on Linux kernels that have disabled CONFIG_HARDENED_USERCOPY_FALLBACK (i.e. linux-image-4.16.0-2-* or newer). (Closes: #901919) . nvidia-graphics-drivers (390.67-1) unstable; urgency=medium . * New upstream long lived branch release 390.67 (2018-06-05). - Fixed a bug that could cause kernel panics when using Quadro SDI Capture hardware. - Fixed an intermittent crash when launching Vulkan applications. - Fixed an intermittent crash when launching applications through Wine. - Fixed a bug that caused the driver, in some low bandwidth DisplayPort configurations, to not implicitly enable display dithering. This resulted in visible banding. * (Closes: #884917) . [ Andreas Beckmann ] * Convert packaging repository from SVN to GIT. * Update nv-readme.ids. * nvidia-detect: Drop support for wheezy(-lts) (EoL). * Add NEWS entry for using the driver on Linux 4.16.16-1 or newer, which may require the kernel boot option slab_common.usercopy_fallback=y as a workaround. (See #901919 for details.) * nvidia-drm-outputclass.conf: Prepend (in a backwards-compatible way) ModulePath "/usr/lib/xorg/modules/linux" since xserver 1.20 no longer does that. (Closes: #900248, #900264, #900378, #900766) . nvidia-graphics-drivers (390.59-1) unstable; urgency=medium . * New upstream long lived branch release 390.59 (2018-05-16). - Fixed intermittent hangs of fullscreen Vulkan applications when focused away (e.g., by using the alt-tab key combination) on non-composited desktops. - Added support for the following GPUs: GeForce GTX 1050 with Max-Q Design, Tesla V100-FHHL-16GB, Quadro P3200, Quadro P4200. . [ Luca Boccassi ] * Drop swiotlb.patch, fixed upstream. * Update nv-readme.ids. * Update symbols files. * Add xorg-video-abi-24 as alternative dependency. * Bump xserver-xorg-core dependency to << 2:1.20.99 for ABI 24. (Closes: #900112, #902375) . nvidia-graphics-drivers (390.48-3) unstable; urgency=medium . * Prepare nvidia-detect for the upcoming nvidia-legacy-390xx packages. * Prepare for the removal of i386/armhf support in 396.xx. * Support renamed variants of libnvidia-egl-wayland1/nvidia-egl-wayland-icd in legacy drivers. * Restrict watch file to releases from the 390.xx legacy branch. . nvidia-graphics-drivers (390.48-2) unstable; urgency=medium . [ Luca Boccassi ] * Fix loading nvidia kernel module on Linux 4.16 due to missing symbol. (Closes: #895429) . [ Andreas Beckmann ] * Bump Standards-Version to 4.1.4. No changes needed. . nvidia-graphics-drivers (390.48-1) unstable; urgency=medium . * New upstream long lived branch release 390.48 (2018-03-28). * Fixed CVE-2018-6249, CVE-2018-6253. (Closes: #894338) https://nvidia.custhelp.com/app/answers/detail/a_id/4649 - Added support for the following GPUs: Quadro GV100, Tesla V100-SXM2-32GB, Tesla V100-PCIE-32GB, Tesla V100-DGXS-32GB. - Updated the driver to prevent G-SYNC from being enabled when a Quadro Sync board is installed. G-SYNC and Quadro Sync were always mutually incompatible features, and this change makes it easier to use G-SYNC capable monitors on Quadro Sync configurations, as it is now no longer necessary to manually disable G-SYNC. - Further improved the fix for occasional flicker when using the X driver's composition pipeline. This was mostly fixed in 390.42, but now the fix should be more complete. . [ Luca Boccassi ] * Update nv-readme.ids. * Drop linux-4.15.patch, merged upstream. . [ Andreas Beckmann ] * Merge changes from 384.130-1 (UNRELEASED). * Update lintian overrides. . nvidia-graphics-drivers (390.42-1) unstable; urgency=medium . * New upstream long lived branch release 390.42 (2018-03-12). - Fixed a regression, introduced in 390.12, that caused occasional flicker when using the X driver's composition pipeline, for example when using screen transformations like rotation, or the "ForceCompositionPipeline" or "ForceFullCompositionPipeline" options." . [ Andreas Beckmann ] * Install the renamed GLVND libraries and add SONAME symlinks. * Update symbols files. * Add linux-4.15 patch from Archlinux. (Closes: #892413) * Remove obsolete bits from README.source. . nvidia-graphics-drivers (390.25-2) unstable; urgency=medium . * Merge changes from 387.34-4. * Upload to unstable. . nvidia-graphics-drivers (390.25-1) experimental; urgency=medium . * New upstream long lived branch release 390.25 (2018-01-29). - Fixed a regression introduced in 390.12 that prevented displays from working normally when running multiple X screens with emulated overlays. - Added support for the following GPUs: GeForce GTX 1060 5GB, Quadro P620. - Fixed a regression introduced in 390.12 that caused occasional hangs and hard lockup messages in the system log when screen transformations are in use. * (Closes: #872988) . [ Luca Boccassi ] * Update nv-readme.ids. * Update symbols files. * Refresh nvidia-use-ARCH.o_binary.patch to remove fuzz. . [ Andreas Beckmann ] * libcuda1: Add Provides: libcuda-9.1-1{,-i386}. * Merge changes from 384.111-4. * nvidia-detect: Report devices only supported on amd64. * nvidia-detect: Add PCI ID list for 384.111 in stretch. . nvidia-graphics-drivers (390.12-1) experimental; urgency=medium . * New upstream beta 390.12 (2018-01-04). * Fixed CVE-2017-5753, CVE-2017-5715 (spectre), CVE-2017-5754 (meltdown). https://nvidia.custhelp.com/app/answers/detail/a_id/4611 (Closes: #886852) - Added new application profile settings, "EGLVisibleDGPUDevices" and "EGLVisibleTegraDevices", to control which discrete and Tegra GPU devices, respectively, may be enumerated by EGL. See the "Application Profiles" appendix of the driver README for more details. - Corrected the SONAME of the copy of the libnvidia-egl-wayland library included in the .run installer package to libnvidia-egl-wayland.so.1. The SONAME had previously been versioned incorrectly with the full version number of the library. - Updated nvidia.ko to veto the ACPI_VIDEO_NOTIFY_PROBE event on kernels that allow the handler for this event to be overridden, to improve interaction between the NVIDIA driver and acpi_video on display hotplug events. - Fixed a bug that prevented Xinerama Info from being handled properly in SLI or Base Mosaic layouts with more than 24 displays. - Updated the X driver's composition pipeline (used for rotation, warp and blend, transformation matrices, etc) to also support stereo. - Fixed a bug where GetTexSubImage() would read incorrect data into a pixel buffer object when supplied with a target of GL_TEXTURE_1D_ARRAY and a non-zero yoffset value. - Added support for generic active stereo with in-band DisplayPort signaling. The X configuration option "InbandStereoSignaling" is deprecated in favor of this stereo mode. See "Appendix B. X Config Options" in the README for more information. - Modified the driver to avoid restoring framebuffer console modes on virtual reality head-mounted displays. * New upstream release 387 series. - Added support for the following GPUs: TITAN Xp COLLECTORS EDITION, GeForce GTX 1070 Ti, TITAN V [amd64]. - Fixed a bug that could cause a system crash when using the new NVreg_EnableBacklightHandler kernel module parameter on GPUs with no displays connected. . [ Luca Boccassi ] * Update nv-readme.ids. * Update symbols files. * Update lintian overrides. . [ Andreas Beckmann ] * Split nv-readme.ids into nv-readme.ids.common and nv-readme.ids.$ARCH, the Volta GPUs (VDPAU feature set I), e.g. Tesla V100 and Titan V, are only supported on amd64. * Upload to experimental. . nvidia-graphics-drivers (387.34-4) unstable; urgency=medium . * libcuda1: Add Provides: libcuda-9.1-1{,-i386}. * nvidia-modprobe.conf: Consistently handle nvidia-modeset. * Merge changes from 384.111-4 (unstable), 384.111-4~deb9u1 (stretch). * Update lintian overrides. * Upload to unstable. . nvidia-graphics-drivers (387.34-3) experimental; urgency=medium . [ Luca Boccassi ] * Add timer.patch to fix kernel module build for Linux 4.15 and newer. . [ Andreas Beckmann ] * Merge changes from 384.111-1. * Restrict watch file to releases from the 387.xx short lived branch. . nvidia-graphics-drivers (387.34-2) experimental; urgency=medium . * Support easier and consistent switching between GLVND/non-GLVND variants. * nvidia-driver-libs{,-i386}: Depend only on the GLVND variants. * nvidia-driver-libs-nonglvnd{,-i386}: New metapackages depending only on the non-GLVND variants. (Closes: #864497) * Stop shipping the classic libnvidia-tls.so.* and ship the modern one (for Linux 2.6 onwards) in the regular libdir instead of the tls/ subdir. (Closes: #883615) * Add #tls# substitution for the tls/ source directory. * Bump Standards-Version to 4.1.2. No changes needed. . nvidia-graphics-drivers (387.34-1) experimental; urgency=medium . * New upstream short lived branch release 387.34 (2017-11-24). (Closes: #881164) - Fixed a bug that caused Vulkan X11 swapchains to fail on GPUs without a display engine, such as some Tesla-branded graphics cards and some Optimus laptops. - Fixed a bug that caused fullscreen Vulkan applications to hang on some Kepler GPUs, such as the GeForce GTX 680. - Fixed a bug where the G-SYNC indicator was reporting "normal" instead of "G-SYNC" on Vulkan applications when G-SYNC was enabled. * New upstream short lived branch release 387.22 (2017-10-30). - Fixed a regression that could cause driver errors when setting modes that include DisplayPort Multi-Stream Transport devices. - Added an nvidia.ko kernel module parameter, NVreg_EnableBacklightHandler, which can be used to enable experimental handling of laptop backlight brightness through /sys/class/backlight/. This handler overrides the ACPI-based one provided by the video.ko kernel module. NVreg_EnableBacklightHandler is disabled by default. - Added G-SYNC to all supported Vulkan swapchains for Maxwell and up. G-SYNC is enabled by default when using G-SYNC-ready monitors. For direct-to-display swapchains, an application profile with "GLGSYNCAllowed" setting set to 'false' can be used to disable this feature: { "rules" : [ { "pattern" : [], "profile" : [ "GLGSYNCAllowed", false ] } ] } * New upstream beta 387.12 (2017-10-03). - Fixed a regression that caused some display connectors on some GPUs to not report a connected HDMI or DisplayPort audio device even if the connected monitor supports audio. - Fixed a race condition that could lead to crashes when OpenGL programs manipulated vertex buffer objects from multiple threads simultaneously. - Improved performance of fullscreen Vulkan applications using X11 swapchains. This optimization will cause more events that trigger an out-of-date swapchain, such as when entering or leaving fullscreen mode. (This is commonly encountered when using the alt-tab key combination, for example.) Applications that do not properly respond to the VK_ERROR_OUT_OF_DATE_KHR return code may not function properly when these events occur. See section 30.8 of the Vulkan specification. - Added support for YUV 4:2:0 compression for monitors connected via DisplayPort in configurations where either the display or GPU is incapable of driving the current mode in RGB 4:4:4. See the description in the "Programming Modes" appendix for details. - Added framebuffer console hot plug handling to nvidia-modeset. Note that hot plugging is only handled when nvidia-modeset is initialized; for example, when Xorg or nvidia-persistenced is running or when nvidia-drm is loaded with the "modeset=1" parameter. - Added an "AllowGSYNC" MetaMode attribute that can be used to disable G-SYNC completely. This can be use to allow enabling features that are incompatible with G-SYNC, such as Ultra Low Motion Blur or Frame Lock. - Fixed several problems that prevented the "cc_version_check" sanity test from running correctly when building the NVIDIA kernel modules. As these problems would have masked mismatches between the compiler versions used to build the kernel and the NVIDIA kernel modules for an extended period of time, nvidia-installer has been updated to ignore CC version mismatches by default when they are detected. - Tiled monitors formerly resulted in a separate Xinerama screen being reported for each tile. They will now, by default, be combined into a single large Xinerama screen. - The individual panels in a tiled monitor will now be arranged based on the layout information provided in the monitor's EDID. This can be overridden by either manually specifying offsets or using the "MetaModeOrientation" option. - Disabled interlaced modes over DisplayPort by default due to incomplete support in the GPU. Added "AllowDpInterlaced" mode validation token to override this default behavior and allow interlaced modes over DisplayPort protocol anyway. . [ Luca Boccassi ] * Update d/copyright with new 6.3 paragraph in NVIDIA's license, which warns that the drivers are licensed for usage with NVIDIA hardware. * Drop nvidia-drm-crtc.patch, fixed upstream, and refresh nvidia-drm-master-dev.patch and use-kbuild-compiler.patch to remove fuzz. * Adjust filenames for new minor ABI revision of libnvidia-egl-wayland1 (libnvidia-egl-wayland.so.1.0.1 -> libnvidia-egl-wayland.so.1.0.2). * Update symbols files. * Update nv-readme.ids. * Refresh nvidia-use-ARCH.o_binary.patch to remove fuzz from 387.22. . [ Andreas Beckmann ] * Update lintian overrides. * Upload to experimental. nvidia-graphics-drivers (390.87-8~bpo9+1) stretch-backports; urgency=medium . * Rebuild for stretch-backports. . nvidia-graphics-drivers (390.87-8) unstable; urgency=medium . * Tune more package relationships to prevent that installing packages from nvidia-graphics-drivers-legacy-390xx driver pulls in packages from nvidia-graphics-drivers via Recommends. . nvidia-graphics-drivers (390.87-7) unstable; urgency=medium . * Updated French (fr) debconf translations by Quentin Lejard. (Closes: #920940) * Use d/control.md5sum to keep track of d/control being up-to-date. * Tune package relationships to prevent that installing packages from nvidia-graphics-drivers-legacy-390xx driver pulls in packages from nvidia-graphics-drivers via Recommends. * Drop versioned constraints that are satisfied in wheezy. * Drop versioned constraints that are satisfied in jessie. nvidia-graphics-drivers (390.87-7) unstable; urgency=medium . * Updated French (fr) debconf translations by Quentin Lejard. (Closes: #920940) * Use d/control.md5sum to keep track of d/control being up-to-date. * Tune package relationships to prevent that installing packages from nvidia-graphics-drivers-legacy-390xx driver pulls in packages from nvidia-graphics-drivers via Recommends. * Drop versioned constraints that are satisfied in wheezy. * Drop versioned constraints that are satisfied in jessie. nvidia-graphics-drivers (390.87-6) unstable; urgency=medium . [ Luca Boccassi ] * Add ipmi-user.patch and vm-insert-pfn.patch to fix kernel module build for Linux 4.20 and newer. (Closes: #917586) * Update Swedish (sv) debconf translation. Thank you Martin Bagge! (Closes: #918018) . [ Andreas Beckmann ] * Switch to debhelper-compat (= 12). nvidia-graphics-drivers (390.87-6~bpo9+1) stretch-backports; urgency=medium . * Rebuild for stretch-backports. . nvidia-graphics-drivers (390.87-6) unstable; urgency=medium . [ Luca Boccassi ] * Add ipmi-user.patch and vm-insert-pfn.patch to fix kernel module build for Linux 4.20 and newer. (Closes: #917586) * Update Swedish (sv) debconf translation. Thank you Martin Bagge! (Closes: #918018) . [ Andreas Beckmann ] * Switch to debhelper-compat (= 12). . nvidia-graphics-drivers (390.87-5) unstable; urgency=medium . * Prefer KBUILD_LDFLAGS (used since 4.19) over LDFLAGS. (Closes: #916883) * Work around update-alternatives bug #916799 and re-register the alternative to clean-up leftover slaves. * Bump Standards-Version to 4.3.0. No changes needed. * Update lintian overrides. nvidia-graphics-drivers (390.87-5) unstable; urgency=medium . * Prefer KBUILD_LDFLAGS (used since 4.19) over LDFLAGS. (Closes: #916883) * Work around update-alternatives bug #916799 and re-register the alternative to clean-up leftover slaves. * Bump Standards-Version to 4.3.0. No changes needed. * Update lintian overrides. nvidia-graphics-drivers (390.87-4) unstable; urgency=medium . [ Andreas Beckmann ] * Drop libnvidia-egl-wayland1, nvidia-egl-wayland-{common,icd} packages. These will be provided by src:egl-wayland. (Closes: #915824) * Add more Conflicts between GLVND/non-GLVND packages to smoothen some install paths with --install-recommends enabled. . [ Philipp Kern ] * debian/gen-control.pl: Generate debian/control from debian/control.in. nvidia-graphics-drivers (390.87-4~bpo9+1) stretch-backports; urgency=medium . * Rebuild for stretch-backports. . nvidia-graphics-drivers (390.87-4) unstable; urgency=medium . [ Andreas Beckmann ] * Drop libnvidia-egl-wayland1, nvidia-egl-wayland-{common,icd} packages. These will be provided by src:egl-wayland. (Closes: #915824) * Add more Conflicts between GLVND/non-GLVND packages to smoothen some install paths with --install-recommends enabled. . [ Philipp Kern ] * debian/gen-control.pl: Generate debian/control from debian/control.in. . nvidia-graphics-drivers (390.87-3) unstable; urgency=medium . * Make libgles-nvidia1 a full citizen again, libglvnd now builds libgles1. * libnvidia-fatbinaryloader: Prevent co-installation with the same upstream version of libnvidia-legacy-390xx-fatbinaryloader. * Pass the private library directory to dh_shlibdeps using the -l option instead of LD_LIBRARY_PATH, fixing FTBFS with dpkg 1.19.1. * Add Build-Depends-Package to symbols files where appropriate and override symbols-file-missing-build-depends-package-field elsewhere. * Clean up and unify rule style in debian/rules. * Add debian/rules targets for archiving the tarballs in a separate repository using sparse checkouts and git-lfs as storage backend. * Switch to debhelper-compat (= 11). nvidia-graphics-drivers (390.87-3) unstable; urgency=medium . * Make libgles-nvidia1 a full citizen again, libglvnd now builds libgles1. * libnvidia-fatbinaryloader: Prevent co-installation with the same upstream version of libnvidia-legacy-390xx-fatbinaryloader. * Pass the private library directory to dh_shlibdeps using the -l option instead of LD_LIBRARY_PATH, fixing FTBFS with dpkg 1.19.1. * Add Build-Depends-Package to symbols files where appropriate and override symbols-file-missing-build-depends-package-field elsewhere. * Clean up and unify rule style in debian/rules. * Add debian/rules targets for archiving the tarballs in a separate repository using sparse checkouts and git-lfs as storage backend. * Switch to debhelper-compat (= 11). nvidia-graphics-drivers (390.87-2) unstable; urgency=medium . * Reinstate cc_version_check-gcc5.patch. (Closes: #908568) * nvidia-kernel-dkms.README.Debian: Document that using a mismatching binutils version may result in modules failing to load with errors like "Invalid module format", "Unknown rela relocation: 4". nvidia-graphics-drivers (390.87-2~bpo9+1) stretch-backports; urgency=medium . * Rebuild for stretch-backports. . nvidia-graphics-drivers (390.87-2) unstable; urgency=medium . * Reinstate cc_version_check-gcc5.patch. (Closes: #908568) * nvidia-kernel-dkms.README.Debian: Document that using a mismatching binutils version may result in modules failing to load with errors like "Invalid module format", "Unknown rela relocation: 4". . nvidia-graphics-drivers (390.87-1) unstable; urgency=medium . * New upstream long lived branch release 390.87 (2018-08-27). - Fixed a resource leak introduced in the 390 series of drivers that could lead to reduced performance after starting and stopping several OpenGL and/or Vulkan applications. . [ Luca Boccassi ] * Update nv-readme.ids. * Add drm-mode.patch to fix nvidia-drm build for Linux 4.19. (Closes: #908359) . [ Andreas Beckmann ] * Remove cc_version_check-gcc5.patch and re-enable strict version checks, using mismatching compiler versions may create unloadable modules due to unsupported relocations. * Refresh patches. * Synchronize the module build debhelper sequence with debhelper 10. * Bump Standards-Version to 4.2.1. No changes needed. nvidia-graphics-drivers (390.87-1) unstable; urgency=medium . * New upstream long lived branch release 390.87 (2018-08-27). - Fixed a resource leak introduced in the 390 series of drivers that could lead to reduced performance after starting and stopping several OpenGL and/or Vulkan applications. . [ Luca Boccassi ] * Update nv-readme.ids. * Add drm-mode.patch to fix nvidia-drm build for Linux 4.19. (Closes: #908359) . [ Andreas Beckmann ] * Remove cc_version_check-gcc5.patch and re-enable strict version checks, using mismatching compiler versions may create unloadable modules due to mismatching symvers. * Refresh patches. * Synchronize the module build debhelper sequence with debhelper 10. * Bump Standards-Version to 4.2.1. No changes needed. nvidia-graphics-drivers (390.77-1) unstable; urgency=medium . * New upstream long lived branch release 390.77 (2018-07-16). - Improved compatibility with recent Linux kernels. - Fixed an intermittent hang of Vulkan applications running fullscreen when flipping is allowed. - Removed informational messages that were printed by nvidia-modeset.ko whenever a GPU device was allocated or freed. * New upstream release 367 series. - Updated the OpenGL driver to allow the use of integer format (SINT/UINT) color attachments with depth attachments in Frame Buffer Objects. nvidia-graphics-drivers (390.77-1~bpo9+1) stretch-backports; urgency=medium . * Rebuild for stretch-backports. * Use vulkan from stretch-backports. . nvidia-graphics-drivers (390.77-1) unstable; urgency=medium . * New upstream long lived branch release 390.77 (2018-07-16). - Improved compatibility with recent Linux kernels. - Fixed an intermittent hang of Vulkan applications running fullscreen when flipping is allowed. - Removed informational messages that were printed by nvidia-modeset.ko whenever a GPU device was allocated or freed. * New upstream release 367 series. - Updated the OpenGL driver to allow the use of integer format (SINT/UINT) color attachments with depth attachments in Frame Buffer Objects. . nvidia-graphics-drivers (390.67-3) unstable; urgency=medium . [ Luca Boccassi ] * Add drm_control_allow.patch to fix kernel module build for Linux 4.18 and newer. . [ Andreas Beckmann ] * The libGLX_indirect.so.0 alternative is now handled by glx-alternatives. * Bump Standards-Version to 4.1.5. No changes needed. nvidia-graphics-drivers (390.67-3) unstable; urgency=medium . [ Luca Boccassi ] * Add drm_control_allow.patch to fix kernel module build for Linux 4.18 and newer. . [ Andreas Beckmann ] * The libGLX_indirect.so.0 alternative is now handled by glx-alternatives. * Bump Standards-Version to 4.1.5. No changes needed. nvidia-graphics-drivers (390.67-2) unstable; urgency=high . * Add kmem_cache_create_usercopy.patch from Red Hat, fixing "Bad or missing usercopy whitelist? Kernel memory exposure attempt detected from SLUB object 'nvidia_stack_cache'" on Linux kernels that have disabled CONFIG_HARDENED_USERCOPY_FALLBACK (i.e. linux-image-4.16.0-2-* or newer). (Closes: #901919) nvidia-graphics-drivers (390.67-2~bpo9+1) stretch-backports; urgency=medium . * Rebuild for stretch-backports. * Use libglvnd and MESA from stretch-backports. . nvidia-graphics-drivers (390.67-2) unstable; urgency=high . * Add kmem_cache_create_usercopy.patch from Red Hat, fixing "Bad or missing usercopy whitelist? Kernel memory exposure attempt detected from SLUB object 'nvidia_stack_cache'" on Linux kernels that have disabled CONFIG_HARDENED_USERCOPY_FALLBACK (i.e. linux-image-4.16.0-2-* or newer). (Closes: #901919) . nvidia-graphics-drivers (390.67-1) unstable; urgency=medium . * New upstream long lived branch release 390.67 (2018-06-05). - Fixed a bug that could cause kernel panics when using Quadro SDI Capture hardware. - Fixed an intermittent crash when launching Vulkan applications. - Fixed an intermittent crash when launching applications through Wine. - Fixed a bug that caused the driver, in some low bandwidth DisplayPort configurations, to not implicitly enable display dithering. This resulted in visible banding. . [ Andreas Beckmann ] * Convert packaging repository from SVN to GIT. * Update nv-readme.ids. * nvidia-detect: Drop support for wheezy(-lts) (EoL). * Add NEWS entry for using the driver on Linux 4.16.16-1 or newer, which may require the kernel boot option slab_common.usercopy_fallback=y as a workaround. (See #901919 for details.) * nvidia-drm-outputclass.conf: Prepend (in a backwards-compatible way) ModulePath "/usr/lib/xorg/modules/linux" since xserver 1.20 no longer does that. (Closes: #900248, #900264, #900378, #900766) . nvidia-graphics-drivers (390.59-1) unstable; urgency=medium . * New upstream long lived branch release 390.59 (2018-05-16). - Fixed intermittent hangs of fullscreen Vulkan applications when focused away (e.g., by using the alt-tab key combination) on non-composited desktops. - Added support for the following GPUs: GeForce GTX 1050 with Max-Q Design, Tesla V100-FHHL-16GB, Quadro P3200, Quadro P4200. . [ Luca Boccassi ] * Drop swiotlb.patch, fixed upstream. * Update nv-readme.ids. * Update symbols files. * Add xorg-video-abi-24 as alternative dependency. * Bump xserver-xorg-core dependency to << 2:1.20.99 for ABI 24. (Closes: #900112) . nvidia-graphics-drivers (390.48-4) UNRELEASED; urgency=medium . * Stop building lib*-glvnd-nvidia, now built from the 390xx legacy driver. * Switch to debhelper compat level 11. . nvidia-graphics-drivers (390.48-3) unstable; urgency=medium . * Prepare nvidia-detect for the upcoming nvidia-legacy-390xx packages. * Prepare for the removal of i386/armhf support in 396.xx. * Support renamed variants of libnvidia-egl-wayland1/nvidia-egl-wayland-icd in legacy drivers. * Restrict watch file to releases from the 390.xx legacy branch. nvidia-graphics-drivers (390.67-1) unstable; urgency=medium . * New upstream long lived branch release 390.67 (2018-06-05). - Fixed a bug that could cause kernel panics when using Quadro SDI Capture hardware. - Fixed an intermittent crash when launching Vulkan applications. - Fixed an intermittent crash when launching applications through Wine. - Fixed a bug that caused the driver, in some low bandwidth DisplayPort configurations, to not implicitly enable display dithering. This resulted in visible banding. . [ Andreas Beckmann ] * Convert packaging repository from SVN to GIT. * Update nv-readme.ids. * nvidia-detect: Drop support for wheezy(-lts) (EoL). * Add NEWS entry for using the driver on Linux 4.16.16-1 or newer, which may require the kernel boot option slab_common.usercopy_fallback=y as a workaround. (See #901919 for details.) * nvidia-drm-outputclass.conf: Prepend (in a backwards-compatible way) ModulePath "/usr/lib/xorg/modules/linux" since xserver 1.20 no longer does that. (Closes: #900248, #900264, #900378, #900766) nvidia-graphics-drivers (390.59-1) unstable; urgency=medium . * New upstream long lived branch release 390.59 (2018-05-16). - Added support for the following GPUs: GeForce GTX 1050 with Max-Q Design, Tesla V100-FHHL-16GB, Quadro P3200, Quadro P4200. . [ Andreas Beckmann ] * Stop building lib*-glvnd-nvidia, now built from the 390xx legacy driver. * Switch to debhelper compat level 11. . [ Luca Boccassi ] * Drop swiotlb.patch, fixed upstream. * Update nv-readme.ids. * Update symbols files. * Add xorg-video-abi-24 as alternative dependency. * Bump xserver-xorg-core dependency to << 2:1.20.99 for ABI 24. (Closes: #900112) nvidia-graphics-drivers (390.48-3) unstable; urgency=medium . * Prepare nvidia-detect for the upcoming nvidia-legacy-390xx packages. * Prepare for the removal of i386/armhf support in 396.xx. * Support renamed variants of libnvidia-egl-wayland1/nvidia-egl-wayland-icd in legacy drivers. * Restrict watch file to releases from the 390.xx legacy branch. nvidia-graphics-drivers (390.48-2) unstable; urgency=medium . [ Luca Boccassi ] * Fix loading nvidia kernel module on Linux 4.16 due to missing symbol. (Closes: #895429) . [ Andreas Beckmann ] * Bump Standards-Version to 4.1.4. No changes needed. nvidia-graphics-drivers (390.48-2~bpo9+3) stretch-backports; urgency=medium . * Add Conflicts against glvnd-aware MESA >= 17 from stretch-backports. * Fix some upgrade issues from older versions in stretch. nvidia-graphics-drivers (390.48-2~bpo9+2) stretch-backports; urgency=medium . * Disable alternative dependencies and add Conflicts against libglvnd from stretch-backports. nvidia-graphics-drivers (390.48-2~bpo9+1) stretch-backports; urgency=medium . * Rebuild for stretch-backports. . nvidia-graphics-drivers (390.48-2) unstable; urgency=medium . [ Luca Boccassi ] * Fix loading nvidia kernel module on Linux 4.16 due to missing symbol. (Closes: #895429) . [ Andreas Beckmann ] * Bump Standards-Version to 4.1.4. No changes needed. . nvidia-graphics-drivers (390.48-1) unstable; urgency=medium . * New upstream long lived branch release 390.48 (2018-03-28). * Fixed CVE-2018-6249, CVE-2018-6253. https://nvidia.custhelp.com/app/answers/detail/a_id/4649 (Closes: #894338) - Added support for the following GPUs: Quadro GV100, Tesla V100-SXM2-32GB, Tesla V100-PCIE-32GB, Tesla V100-DGXS-32GB. - Updated the driver to prevent G-SYNC from being enabled when a Quadro Sync board is installed. G-SYNC and Quadro Sync were always mutually incompatible features, and this change makes it easier to use G-SYNC capable monitors on Quadro Sync configurations, as it is now no longer necessary to manually disable G-SYNC. - Further improved the fix for occasional flicker when using the X driver's composition pipeline. This was mostly fixed in 390.42, but now the fix should be more complete. . [ Luca Boccassi ] * Update nv-readme.ids. * Drop linux-4.15.patch, merged upstream. . [ Andreas Beckmann ] * Merge changes from 384.130-1 (UNRELEASED). * Update lintian overrides. . nvidia-graphics-drivers (390.42-1) unstable; urgency=medium . * New upstream long lived branch release 390.42 (2018-03-12). - Fixed a regression, introduced in 390.12, that caused occasional flicker when using the X driver's composition pipeline, for example when using screen transformations like rotation, or the "ForceCompositionPipeline" or "ForceFullCompositionPipeline" options." . [ Andreas Beckmann ] * Install the renamed GLVND libraries and add SONAME symlinks. * Update symbols files. * Add linux-4.15 patch from Archlinux. (Closes: #892413) * Remove obsolete bits from README.source. . nvidia-graphics-drivers (390.25-2) unstable; urgency=medium . * Merge changes from 387.34-4. * Upload to unstable. . nvidia-graphics-drivers (390.25-1) experimental; urgency=medium . * New upstream long lived branch release 390.25 (2018-01-29). - Fixed a regression introduced in 390.12 that prevented displays from working normally when running multiple X screens with emulated overlays. - Added support for the following GPUs: GeForce GTX 1060 5GB, Quadro P620. - Fixed a regression introduced in 390.12 that caused occasional hangs and hard lockup messages in the system log when screen transformations are in use. . [ Luca Boccassi ] * Update nv-readme.ids. * Update symbols files. * Refresh nvidia-use-ARCH.o_binary.patch to remove fuzz. . [ Andreas Beckmann ] * libcuda1: Add Provides: libcuda-9.1-1{,-i386}. * Merge changes from 384.111-4. * nvidia-detect: Report devices only supported on amd64. * nvidia-detect: Add PCI ID list for 384.111 in stretch. . nvidia-graphics-drivers (390.12-1) experimental; urgency=medium . * New upstream beta 390.12 (2018-01-04). * Fixed CVE-2017-5753, CVE-2017-5715 (spectre), CVE-2017-5754 (meltdown). https://nvidia.custhelp.com/app/answers/detail/a_id/4611 (Closes: #886852) - Added new application profile settings, "EGLVisibleDGPUDevices" and "EGLVisibleTegraDevices", to control which discrete and Tegra GPU devices, respectively, may be enumerated by EGL. See the "Application Profiles" appendix of the driver README for more details. - Corrected the SONAME of the copy of the libnvidia-egl-wayland library included in the .run installer package to libnvidia-egl-wayland.so.1. The SONAME had previously been versioned incorrectly with the full version number of the library. - Updated nvidia.ko to veto the ACPI_VIDEO_NOTIFY_PROBE event on kernels that allow the handler for this event to be overridden, to improve interaction between the NVIDIA driver and acpi_video on display hotplug events. - Fixed a bug that prevented Xinerama Info from being handled properly in SLI or Base Mosaic layouts with more than 24 displays. - Updated the X driver's composition pipeline (used for rotation, warp and blend, transformation matrices, etc) to also support stereo. - Fixed a bug where GetTexSubImage() would read incorrect data into a pixel buffer object when supplied with a target of GL_TEXTURE_1D_ARRAY and a non-zero yoffset value. - Added support for generic active stereo with in-band DisplayPort signaling. The X configuration option "InbandStereoSignaling" is deprecated in favor of this stereo mode. See "Appendix B. X Config Options" in the README for more information. - Modified the driver to avoid restoring framebuffer console modes on virtual reality head-mounted displays. * New upstream release 387 series. - Added support for the following GPUs: TITAN Xp COLLECTORS EDITION, GeForce GTX 1070 Ti, TITAN V [amd64]. - Fixed a bug that could cause a system crash when using the new NVreg_EnableBacklightHandler kernel module parameter on GPUs with no displays connected. . [ Luca Boccassi ] * Update nv-readme.ids. * Update symbols files. * Update lintian overrides. . [ Andreas Beckmann ] * Split nv-readme.ids into nv-readme.ids.common and nv-readme.ids.$ARCH, the Volta GPUs (VDPAU feature set I), e.g. Tesla V100 and Titan V, are only supported on amd64. * Upload to experimental. . nvidia-graphics-drivers (387.34-4) unstable; urgency=medium . * libcuda1: Add Provides: libcuda-9.1-1{,-i386}. * nvidia-modprobe.conf: Consistently handle nvidia-modeset. * Merge changes from 384.111-4 (unstable), 384.111-4~deb9u1 (stretch). * Update lintian overrides. * Upload to unstable. . nvidia-graphics-drivers (387.34-3) experimental; urgency=medium . [ Luca Boccassi ] * Add timer.patch to fix kernel module build on Linux 4.15 and newer. . [ Andreas Beckmann ] * Merge changes from 384.111-1. * Restrict watch file to releases from the 387.xx short lived branch. . nvidia-graphics-drivers (387.34-2) experimental; urgency=medium . * Support easier and consistent switching between GLVND/non-GLVND variants. * nvidia-driver-libs{,-i386}: Depend only on the GLVND variants. * nvidia-driver-libs-nonglvnd{,-i386}: New metapackages depending only on the non-GLVND variants. (Closes: #864497) * Stop shipping the classic libnvidia-tls.so.* and ship the modern one (for Linux 2.6 onwards) in the regular libdir instead of the tls/ subdir. (Closes: #883615) * Add #tls# substitution for the tls/ source directory. * Bump Standards-Version to 4.1.2. No changes needed. . nvidia-graphics-drivers (387.34-1) experimental; urgency=medium . * New upstream short lived branch release 387.34 (2017-11-24). (Closes: #881164) - Fixed a bug that caused Vulkan X11 swapchains to fail on GPUs without a display engine, such as some Tesla-branded graphics cards and some Optimus laptops. - Fixed a bug that caused fullscreen Vulkan applications to hang on some Kepler GPUs, such as the GeForce GTX 680. - Fixed a bug where the G-SYNC indicator was reporting "normal" instead of "G-SYNC" on Vulkan applications when G-SYNC was enabled. * New upstream short lived branch release 387.22 (2017-10-30). - Fixed a regression that could cause driver errors when setting modes that include DisplayPort Multi-Stream Transport devices. - Added an nvidia.ko kernel module parameter, NVreg_EnableBacklightHandler, which can be used to enable experimental handling of laptop backlight brightness through /sys/class/backlight/. This handler overrides the ACPI-based one provided by the video.ko kernel module. NVreg_EnableBacklightHandler is disabled by default. - Added G-SYNC to all supported Vulkan swapchains for Maxwell and up. G-SYNC is enabled by default when using G-SYNC-ready monitors. For direct-to-display swapchains, an application profile with "GLGSYNCAllowed" setting set to 'false' can be used to disable this feature: { "rules" : [ { "pattern" : [], "profile" : [ "GLGSYNCAllowed", false ] } ] } * New upstream beta 387.12 (2017-10-03). - Fixed a regression that caused some display connectors on some GPUs to not report a connected HDMI or DisplayPort audio device even if the connected monitor supports audio. - Fixed a race condition that could lead to crashes when OpenGL programs manipulated vertex buffer objects from multiple threads simultaneously. - Improved performance of fullscreen Vulkan applications using X11 swapchains. This optimization will cause more events that trigger an out-of-date swapchain, such as when entering or leaving fullscreen mode. (This is commonly encountered when using the alt-tab key combination, for example.) Applications that do not properly respond to the VK_ERROR_OUT_OF_DATE_KHR return code may not function properly when these events occur. See section 30.8 of the Vulkan specification. - Added support for YUV 4:2:0 compression for monitors connected via DisplayPort in configurations where either the display or GPU is incapable of driving the current mode in RGB 4:4:4. See the description in the "Programming Modes" appendix for details. - Added framebuffer console hot plug handling to nvidia-modeset. Note that hot plugging is only handled when nvidia-modeset is initialized; for example, when Xorg or nvidia-persistenced is running or when nvidia-drm is loaded with the "modeset=1" parameter. - Added an "AllowGSYNC" MetaMode attribute that can be used to disable G-SYNC completely. This can be use to allow enabling features that are incompatible with G-SYNC, such as Ultra Low Motion Blur or Frame Lock. - Fixed several problems that prevented the "cc_version_check" sanity test from running correctly when building the NVIDIA kernel modules. As these problems would have masked mismatches between the compiler versions used to build the kernel and the NVIDIA kernel modules for an extended period of time, nvidia-installer has been updated to ignore CC version mismatches by default when they are detected. - Tiled monitors formerly resulted in a separate Xinerama screen being reported for each tile. They will now, by default, be combined into a single large Xinerama screen. - The individual panels in a tiled monitor will now be arranged based on the layout information provided in the monitor's EDID. This can be overridden by either manually specifying offsets or using the "MetaModeOrientation" option. - Disabled interlaced modes over DisplayPort by default due to incomplete support in the GPU. Added "AllowDpInterlaced" mode validation token to override this default behavior and allow interlaced modes over DisplayPort protocol anyway. . [ Luca Boccassi ] * Update d/copyright with new 6.3 paragraph in NVIDIA's license, which warns that the drivers are licensed for usage with NVIDIA hardware. * Drop nvidia-drm-crtc.patch, fixed upstream, and refresh nvidia-drm-master-dev.patch and use-kbuild-compiler.patch to remove fuzz. * Adjust filenames for new minor ABI revision of libnvidia-egl-wayland1 (libnvidia-egl-wayland.so.1.0.1 -> libnvidia-egl-wayland.so.1.0.2). * Update symbols files. * Update nv-readme.ids. * Refresh nvidia-use-ARCH.o_binary.patch to remove fuzz from 387.22. . [ Andreas Beckmann ] * Update lintian overrides. * Upload to experimental. . nvidia-graphics-drivers (384.130-1) stretch; urgency=medium . * New upstream long lived branch release 384.130 (2018-03-28). * Fixed CVE-2018-6249, CVE-2018-6253. https://nvidia.custhelp.com/app/answers/detail/a_id/4649 (Closes: #894338) - Improved compatibility with recent Linux kernels. - Fixed a string concatenation bug that caused libGL to accidentally try to create the directory "$HOME.nv" rather than "$HOME/.nv" in some cases where /tmp isn't accessible. (Closes: #888028) - Increased the version numbers of the GLVND libGL, libGLESv1_CM, libGLESv2, and libEGL libraries, to prevent concurrently installed non-GLVND libraries from taking precedence in the dynamic linker cache. * New upstream release 340 series. - Fixed a bug which could cause X servers that export a Video Driver ABI earlier than 0.8 to crash when running X11 applications which call XRenderAddTraps(). . [ Luca Boccassi ] * Install the renamed GLVND libraries and add SONAME symlinks. . [ Andreas Beckmann ] * Bump the required glx-diversions/glx-alternative-nvidia version for the renamed GLVND libraries. * Upload to stretch . nvidia-graphics-drivers (384.111-4~deb9u1) stretch; urgency=medium . * Rebuild for stretch. * Relax the libvulkan1 (build-)dependency. * Do not conflict with *-glvnd-nvidia, there is no libglvnd in stretch. * Continue recommending the GLESv1 library for stretch. . nvidia-graphics-drivers (384.111-4) unstable; urgency=medium . * nvidia-kernel-{dkms,source}: Mention the supported architecture(s) in the long Description. * Use dh_missing --fail-missing. * Update lintian overrides. nvidia-graphics-drivers (390.48-1) unstable; urgency=medium . * New upstream long lived branch release 390.48 (2018-03-28). * Fixed CVE-2018-6249, CVE-2018-625. https://nvidia.custhelp.com/app/answers/detail/a_id/4649 (Closes: #894338) - Added support for the following GPUs: Quadro GV100, Tesla V100-SXM2-32GB, Tesla V100-PCIE-32GB, Tesla V100-DGXS-32GB. - Updated the driver to prevent G-SYNC from being enabled when a Quadro Sync board is installed. G-SYNC and Quadro Sync were always mutually incompatible features, and this change makes it easier to use G-SYNC capable monitors on Quadro Sync configurations, as it is now no longer necessary to manually disable G-SYNC. - Further improved the fix for occasional flicker when using the X driver's composition pipeline. This was mostly fixed in 390.42, but now the fix should be more complete. . [ Luca Boccassi ] * Update nv-readme.ids. * Drop linux-4.15.patch, merged upstream. . [ Andreas Beckmann ] * Merge changes from 384.130-1 (UNRELEASED). * Update lintian overrides. nvidia-graphics-drivers (390.42-1) unstable; urgency=medium . * New upstream long lived branch release 390.42 (2018-03-12). - Fixed a regression, introduced in 390.12, that caused occasional flicker when using the X driver's composition pipeline, for example when using screen transformations like rotation, or the "ForceCompositionPipeline" or "ForceFullCompositionPipeline" options." * New upstream release 384 series. - Fixed a string concatenation bug that caused libGL to accidentally try to create the directory "$HOME.nv" rather than "$HOME/.nv" in some cases where /tmp isn't accessible. (Closes: #888028) - Increased the version numbers of the GLVND libGL, libGLESv1_CM, libGLESv2, and libEGL libraries, to prevent concurrently installed non-GLVND libraries from taking precedence in the dynamic linker cache. * Install the renamed GLVND libraries and add SONAME symlinks. * Update symbols files. * Add linux-4.15 patch from Archlinux. (Closes: #892413) * Remove obsolete bits from README.source. nvidia-graphics-drivers (390.25-2) unstable; urgency=medium . * Merge changes from 387.34-4. * Upload to unstable. nvidia-graphics-drivers (390.25-1) experimental; urgency=medium . * New upstream long lived branch release 390.25 (2018-01-29). - Fixed a regression introduced in 390.12 that prevented displays from working normally when running multiple X screens with emulated overlays. - Added support for the following GPUs: GeForce GTX 1060 5GB, Quadro P620. - Fixed a regression introduced in 390.12 that caused occasional hangs and hard lockup messages in the system log when screen transformations are in use. * New upstream release 340 series. - Fixed a bug which could cause X servers that export a Video Driver ABI earlier than 0.8 to crash when running X11 applications which call XRenderAddTraps(). . [ Luca Boccassi ] * Update nv-readme.ids. * Update symbols files. * Refresh nvidia-use-ARCH.o_binary.patch to remove fuzz. . [ Andreas Beckmann ] * libcuda1: Add Provides: libcuda-9.1-1{,-i386}. * Merge changes from 384.111-4. * nvidia-detect: Report devices only supported on amd64. * nvidia-detect: Add PCI ID list for 384.111 in stretch. nvidia-graphics-drivers (390.12-1) experimental; urgency=medium . * New upstream beta 390.12 (2018-01-04). * Fixed CVE-2017-5753, CVE-2017-5715 (spectre), CVE-2017-5754 (meltdown). https://nvidia.custhelp.com/app/answers/detail/a_id/4611 (Closes: #886852) - Added new application profile settings, "EGLVisibleDGPUDevices" and "EGLVisibleTegraDevices", to control which discrete and Tegra GPU devices, respectively, may be enumerated by EGL. See the "Application Profiles" appendix of the driver README for more details. - Corrected the SONAME of the copy of the libnvidia-egl-wayland library included in the .run installer package to libnvidia-egl-wayland.so.1. The SONAME had previously been versioned incorrectly with the full version number of the library. - Updated nvidia.ko to veto the ACPI_VIDEO_NOTIFY_PROBE event on kernels that allow the handler for this event to be overridden, to improve interaction between the NVIDIA driver and acpi_video on display hotplug events. - Fixed a bug that prevented Xinerama Info from being handled properly in SLI or Base Mosaic layouts with more than 24 displays. - Updated the X driver's composition pipeline (used for rotation, warp and blend, transformation matrices, etc) to also support stereo. - Fixed a bug where GetTexSubImage() would read incorrect data into a pixel buffer object when supplied with a target of GL_TEXTURE_1D_ARRAY and a non-zero yoffset value. - Added support for generic active stereo with in-band DisplayPort signaling. The X configuration option "InbandStereoSignaling" is deprecated in favor of this stereo mode. See "Appendix B. X Config Options" in the README for more information. - Modified the driver to avoid restoring framebuffer console modes on virtual reality head-mounted displays. * New upstream release 387 series. - Added support for the following GPUs: TITAN Xp COLLECTORS EDITION, GeForce GTX 1070 Ti, TITAN V [amd64]. - Fixed a bug that could cause a system crash when using the new NVreg_EnableBacklightHandler kernel module parameter on GPUs with no displays connected. . [ Luca Boccassi ] * Update nv-readme.ids. * Update symbols files. * Update lintian overrides. . [ Andreas Beckmann ] * Split nv-readme.ids into nv-readme.ids.common and nv-readme.ids.$ARCH, the GPUs with VDPAU feature set I, e.g. Tesla V100 and Titan V, are only supported on amd64. * Upload to experimental. nvidia-graphics-drivers (387.34-4) unstable; urgency=medium . * libcuda1: Add Provides: libcuda-9.1-1{,-i386}. * nvidia-modprobe.conf: Consistently handle nvidia-modeset. * Merge changes from 384.111-4. * Merge changes from 384.111-4~deb9u1 (stretch). * Update lintian overrides. * Upload to unstable. nvidia-graphics-drivers (387.34-3) experimental; urgency=medium . [ Luca Boccassi ] * Add timer.patch to fix kernel module build on Linux 4.15 and newer. . [ Andreas Beckmann ] * Merge changes from 384.111-1. * Restrict watch file to releases from the 387.xx long lived branch. nvidia-graphics-drivers (387.34-2) experimental; urgency=medium . * Support easier and consistent switching between GLVND/non-GLVND variants. * nvidia-driver-libs{,-i386}: Depend only on the GLVND variants. * nvidia-driver-libs-nonglvnd{,-i386}: New metapackages depending only on the non-GLVND variants. (Closes: #864497) * Stop shipping the classic libnvidia-tls.so.* and ship the modern one (for Linux 2.6 onwards) in the regular libdir instead of the tls/ subdir. (Closes: #883615) * Add #tls# substitution for the tls/ source directory. * Bump Standards-Version to 4.1.2. No changes needed. nvidia-graphics-drivers (387.34-1) experimental; urgency=medium . * New upstream short lived branch release 387.34 (2017-11-24). - Fixed a bug that caused Vulkan X11 swapchains to fail on GPUs without a display engine, such as some Tesla-branded graphics cards and some Optimus laptops. - Fixed a bug that caused fullscreen Vulkan applications to hang on some Kepler GPUs, such as the GeForce GTX 680. - Fixed a bug where the G-SYNC indicator was reporting "normal" instead of "G-SYNC" on Vulkan applications when G-SYNC was enabled. * New upstream short lived branch release 387.22 (2017-10-30). - Fixed a regression that could cause driver errors when setting modes that include DisplayPort Multi-Stream Transport devices. - Added an nvidia.ko kernel module parameter, NVreg_EnableBacklightHandler, which can be used to enable experimental handling of laptop backlight brightness through /sys/class/backlight/. This handler overrides the ACPI-based one provided by the video.ko kernel module. NVreg_EnableBacklightHandler is disabled by default. - Added G-SYNC to all supported Vulkan swapchains for Maxwell and up. G-SYNC is enabled by default when using G-SYNC-ready monitors. For direct-to-display swapchains, an application profile with "GLGSYNCAllowed" setting set to 'false' can be used to disable this feature: { "rules" : [ { "pattern" : [], "profile" : [ "GLGSYNCAllowed", false ] } ] } * New upstream beta 387.12 (2017-10-03). - Fixed a regression that caused some display connectors on some GPUs to not report a connected HDMI or DisplayPort audio device even if the connected monitor supports audio. - Fixed a race condition that could lead to crashes when OpenGL programs manipulated vertex buffer objects from multiple threads simultaneously. - Improved performance of fullscreen Vulkan applications using X11 swapchains. This optimization will cause more events that trigger an out-of-date swapchain, such as when entering or leaving fullscreen mode. (This is commonly encountered when using the alt-tab key combination, for example.) Applications that do not properly respond to the VK_ERROR_OUT_OF_DATE_KHR return code may not function properly when these events occur. See section 30.8 of the Vulkan specification. - Added support for YUV 4:2:0 compression for monitors connected via DisplayPort in configurations where either the display or GPU is incapable of driving the current mode in RGB 4:4:4. See the description in the "Programming Modes" appendix for details. - Added framebuffer console hot plug handling to nvidia-modeset. Note that hot plugging is only handled when nvidia-modeset is initialized; for example, when Xorg or nvidia-persistenced is running or when nvidia-drm is loaded with the "modeset=1" parameter. - Added an "AllowGSYNC" MetaMode attribute that can be used to disable G-SYNC completely. This can be use to allow enabling features that are incompatible with G-SYNC, such as Ultra Low Motion Blur or Frame Lock. - Fixed several problems that prevented the "cc_version_check" sanity test from running correctly when building the NVIDIA kernel modules. As these problems would have masked mismatches between the compiler versions used to build the kernel and the NVIDIA kernel modules for an extended period of time, nvidia-installer has been updated to ignore CC version mismatches by default when they are detected. - Tiled monitors formerly resulted in a separate Xinerama screen being reported for each tile. They will now, by default, be combined into a single large Xinerama screen. - The individual panels in a tiled monitor will now be arranged based on the layout information provided in the monitor's EDID. This can be overridden by either manually specifying offsets or using the "MetaModeOrientation" option. - Disabled interlaced modes over DisplayPort by default due to incomplete support in the GPU. Added "AllowDpInterlaced" mode validation token to override this default behavior and allow interlaced modes over DisplayPort protocol anyway. * New upstream release 384 series. - Fixed a regression that prevented displays connected via some types of passive adapters (e.g. DMS-59 to VGA or DVI) from working correctly. The regression was introduced with driver version 384.98. - Fixed a bug that caused Quadro M2200 GPUs to enter the lowest available PowerMizer performance level when under load. . [ Luca Boccassi ] * Update d/copyright with new 6.3 paragraph in Nvidia's license, which warns that the drivers are licensed for usage with Nvidia hardware. * Drop nvidia-drm-crtc.patch, fixed upstream, and refresh nvidia-drm-master-dev.patch and use-kbuild-compiler.patch to remove fuzz. * Adjust filenames for new minor ABI revision of libnvidia-egl-wayland1 (libnvidia-egl-wayland.so.1.0.1 -> libnvidia-egl-wayland.so.1.0.2). * Update symbols files. * Update nv-readme.ids. * Refresh nvidia-use-ARCH.o_binary.patch to remove fuzz from 387.22. . [ Andreas Beckmann ] * Update lintian overrides. * Upload to experimental. nvidia-modprobe (390.87-1~deb9u1) stretch; urgency=medium . * Rebuild for stretch. . nvidia-modprobe (390.87-1) unstable; urgency=medium . * New upstream release. * Bump Standards-Version to 4.3.0. No changes needed. . nvidia-modprobe (390.25-1) unstable; urgency=medium . * New upstream release. nvidia-modprobe (390.87-1~bpo9+1) stretch-backports; urgency=medium . * Rebuild for stretch-backports. . nvidia-modprobe (390.87-1) unstable; urgency=medium . * New upstream release. * Bump Standards-Version to 4.3.0. No changes needed. . nvidia-modprobe (390.25-1) unstable; urgency=medium . * New upstream release. . nvidia-modprobe (384.111-2~deb9u1) stretch; urgency=medium . * Rebuild for stretch. . nvidia-modprobe (384.111-2) unstable; urgency=medium . * Add setuid.patch to run setuid(0) before forking modprobe to preserve privileges through shell invocations and recursive modprobe calls. Thanks to Hiromasa YOSHIMOTO for intensive debugging and the final patch! (Closes: #888952) * Add debian/upstream/metadata. * Fix new Lintian issues. * Switch Vcs-* URLs to salsa.debian.org. nvidia-modprobe (390.25-1) unstable; urgency=medium . * New upstream release. nvidia-modprobe (384.111-2) unstable; urgency=medium . * Add setuid.patch to run setuid(0) before forking modprobe to preserve privileges through shell invocations and recursive modprobe calls. Thanks to Hiromasa YOSHIMOTO for intensive debugging and the final patch! (Closes: #888952) * Add debian/upstream/metadata. * Fix new Lintian issues. * Switch Vcs-* URLs to salsa.debian.org. nvidia-persistenced (390.87-1~deb9u1) stretch; urgency=medium . * Rebuild for stretch. . nvidia-persistenced (390.87-1) unstable; urgency=medium . * New upstream release. * Bump Standards-Version to 4.3.0. No changes needed. . nvidia-persistenced (390.25-1) unstable; urgency=medium . * New upstream release. * Add debian/upstream/metadata. * Fix new Lintian issues. * Switch Vcs-* URLs to salsa.debian.org. nvidia-persistenced (390.87-1~bpo9+1) stretch-backports; urgency=medium . * Rebuild for stretch-backports. . nvidia-persistenced (390.87-1) unstable; urgency=medium . * New upstream release. * Bump Standards-Version to 4.3.0. No changes needed. . nvidia-persistenced (390.25-1) unstable; urgency=medium . * New upstream release. * Add debian/upstream/metadata. * Fix new Lintian issues. * Switch Vcs-* URLs to salsa.debian.org. . nvidia-persistenced (384.111-1~deb9u1) stretch; urgency=medium . * Rebuild for stretch. nvidia-persistenced (390.25-1) unstable; urgency=medium . * New upstream release. * Add debian/upstream/metadata. * Fix new Lintian issues. * Switch Vcs-* URLs to salsa.debian.org. nvidia-persistenced (384.111-1) unstable; urgency=medium . * New upstream release. * B-D: dpkg-dev (>= 1.18.8) for SOURCE_DATE_EPOCH in pkg-info.mk. * Bump Standards-Version to 4.1.3. No changes needed. nvidia-settings (390.87-1~deb9u1) stretch; urgency=medium . * Rebuild for stretch. * Revert to debhelper compat level 10. . nvidia-settings (390.87-1) unstable; urgency=medium . * New upstream release 390.87. * Add Build-Depends-Package field to symbols file. * Bump Standards-Version to 4.3.0. No changes needed. . nvidia-settings (390.67-1) unstable; urgency=medium . * New upstream release 390.67. * Use reproducibility patches from upstream. * Bump Standards-Version to 4.1.5. No changes needed. . nvidia-settings (390.48-2) unstable; urgency=medium . * Add Provides+Conflicts: nvidia-settings-gtk-${nvidia:Version} to prevent file conflicts with the legacy package built from the same upstream version. * Use dh_missing --fail-missing. . nvidia-settings (390.48-1) unstable; urgency=medium . * New upstream release 390.48. * Bump Standards-Version to 4.1.4. No changes needed. * Switch to debhelper compat level 11. . nvidia-settings (390.25-1) unstable; urgency=medium . * New upstream release 390.25. * Only build nvidia-settings on platforms where it is going to be used. (Closes: #892184) * Upload to unstable. . nvidia-settings (390.12-1) experimental; urgency=medium . * New upstream release 390.12. - Updated the SLI Mosaic layout page in the nvidia-settings control panel to support topologies with up to 32 displays. - Added an OpenGL stereo preview feature to the screen page in nvidia-settings. * Merge changes from 384.111. * Upload to experimental. . nvidia-settings (387.34-2) unstable; urgency=medium . * Generate the GTK3|GTK2 dependency dynamically. (Closes: #885709) * Merge changes from 384.111-1 (unstable), 384.111-1~deb9u1 (stretch). * Add debian/upstream/metadata. * Fix new Lintian issues. * Switch Vcs-* URLs to salsa.debian.org. * Upload to unstable. . nvidia-settings (387.34-1) experimental; urgency=medium . * New upstream release 387.34. * New upstream release 387.12. - Fixed a bug that sometimes prevented the "Reset Default Configuration" button in the nvidia-settings "ECC Settings" page from being available when the ECC configuration is set to a non-default state. - Fixed a bug that caused nvidia-settings to enforce overly aggressive limits on display positions in the "X Server Display Configuration" page under some circumstances. - Fixed a bug that could cause the "Enable Base Mosaic (Surround)" checkbox in nvidia-settings to disappear when an X screen, rather than a display, is selected in the "X Server Display Configuration" page. - Fixed a bug that caused the nvidia-settings control panel to retain some settings that had been applied, but not confirmed. This resulted in unwanted settings being applied to subsequent settings changes. * Refresh patches. * Bump Standards-Version to 4.1.2. No changes needed. * Upload to experimental. nvidia-settings (390.87-1~bpo9+1) stretch-backports; urgency=medium . * Rebuild for stretch-backports. . nvidia-settings (390.87-1) unstable; urgency=medium . * New upstream release 390.87. * Add Build-Depends-Package field to symbols file. * Bump Standards-Version to 4.3.0. No changes needed. . nvidia-settings (390.67-1) unstable; urgency=medium . * New upstream release 390.67. * Use reproducibility patches from upstream. * Bump Standards-Version to 4.1.5. No changes needed. nvidia-settings (390.67-1) unstable; urgency=medium . * New upstream release 390.67. * Use reproducibility patches from upstream. * Bump Standards-Version to 4.1.5. No changes needed. nvidia-settings (390.48-2) unstable; urgency=medium . * Add Provides+Conflicts: nvidia-settings-gtk-${nvidia:Version} to prevent file conflicts with the legacy package built from the same upstream version. * Use dh_missing --fail-missing. nvidia-settings (390.48-2~bpo9+1) stretch-backports; urgency=medium . * Rebuild for stretch-backports. . nvidia-settings (390.48-2) unstable; urgency=medium . * Add Provides+Conflicts: nvidia-settings-gtk-${nvidia:Version} to prevent file conflicts with the legacy package built from the same upstream version. * Use dh_missing --fail-missing. . nvidia-settings (390.48-1) unstable; urgency=medium . * New upstream release 390.48. * Bump Standards-Version to 4.1.4. No changes needed. * Switch to debhelper compat level 11. . nvidia-settings (390.25-1) unstable; urgency=medium . * New upstream release 390.25. * Only build nvidia-settings on platforms where it is going to be used. (Closes: #892184) * Upload to unstable. . nvidia-settings (390.12-1) experimental; urgency=medium . * New upstream release 390.12. - Updated the SLI Mosaic layout page in the nvidia-settings control panel to support topologies with up to 32 displays. - Added an OpenGL stereo preview feature to the screen page in nvidia-settings. * Merge changes from 384.111. * Upload to experimental. . nvidia-settings (387.34-2) unstable; urgency=medium . * Generate the GTK3|GTK2 dependency dynamically. (Closes: #885709) * Merge changes from 384.111-1 (unstable), 384.111-1~deb9u1 (stretch). * Add debian/upstream/metadata. * Fix new Lintian issues. * Switch Vcs-* URLs to salsa.debian.org. * Upload to unstable. . nvidia-settings (387.34-1) experimental; urgency=medium . * New upstream release 387.34. * New upstream release 387.12. - Fixed a bug that sometimes prevented the "Reset Default Configuration" button in the nvidia-settings "ECC Settings" page from being available when the ECC configuration is set to a non-default state. - Fixed a bug that caused nvidia-settings to enforce overly aggressive limits on display positions in the "X Server Display Configuration" page under some circumstances. - Fixed a bug that could cause the "Enable Base Mosaic (Surround)" checkbox in nvidia-settings to disappear when an X screen, rather than a display, is selected in the "X Server Display Configuration" page. - Fixed a bug that caused the nvidia-settings control panel to retain some settings that had been applied, but not confirmed. This resulted in unwanted settings being applied to subsequent settings changes. * Refresh patches. * Bump Standards-Version to 4.1.2. No changes needed. * Upload to experimental. . nvidia-settings (384.111-1~deb9u1) stretch; urgency=medium . * Rebuild for stretch. nvidia-settings (390.48-1) unstable; urgency=medium . * New upstream release 390.48. * Bump Standards-Version to 4.1.4. No changes needed. * Switch to debhelper compat level 11. nvidia-settings (390.25-1) unstable; urgency=medium . * New upstream release 390.25. * Only build nvidia-settings on platforms where it is going to be used. (Closes: #892184) * Upload to unstable. nvidia-settings (390.12-1) experimental; urgency=medium . * New upstream release 390.12. - Updated the SLI Mosaic layout page in the nvidia-settings control panel to support topologies with up to 32 displays. - Added an OpenGL stereo preview feature to the screen page in nvidia-settings. * Merge changes from 384.111. nvidia-settings (387.34-2) unstable; urgency=medium . * Generate the GTK3|GTK2 dependency dynamically. (Closes: #885709) * Merge changes from 384.111-1 (unstable), 384.111-1~deb9u1 (stretch). * Add debian/upstream/metadata. * Fix new Lintian issues. * Switch Vcs-* URLs to salsa.debian.org. * Upload to unstable. nvidia-settings (387.34-1) experimental; urgency=medium . * New upstream release 387.34. * New upstream release 387.12. - Fixed a bug that sometimes prevented the "Reset Default Configuration" button in the nvidia-settings "ECC Settings" page from being available when the ECC configuration is set to a non-default state. - Fixed a bug that caused nvidia-settings to enforce overly aggressive limits on display positions in the "X Server Display Configuration" page under some circumstances. - Fixed a bug that could cause the "Enable Base Mosaic (Surround)" checkbox in nvidia-settings to disappear when an X screen, rather than a display, is selected in the "X Server Display Configuration" page. - Fixed a bug that caused the nvidia-settings control panel to retain some settings that had been applied, but not confirmed. This resulted in unwanted settings being applied to subsequent settings changes. * Refresh patches. * Bump Standards-Version to 4.1.2. No changes needed. * Upload to experimental. nvidia-settings (384.111-1) unstable; urgency=medium . * New upstream release 384.111. * Bump Standards-Version to 4.1.3. No changes needed. nvidia-xconfig (390.87-1~deb9u1) stretch; urgency=medium . * Rebuild for stretch. . nvidia-xconfig (390.87-1) unstable; urgency=medium . * New upstream release. * Bump Standards-Version to 4.3.0. No changes needed. . nvidia-xconfig (390.25-1) unstable; urgency=medium . * New upstream release. . nvidia-xconfig (387.34-1) unstable; urgency=medium . * New upstream release. * Add debian/upstream/metadata. * Fix new Lintian issues. * Switch Vcs-* URLs to salsa.debian.org. nvidia-xconfig (390.87-1~bpo9+1) stretch-backports; urgency=medium . * Rebuild for stretch-backports. . nvidia-xconfig (390.87-1) unstable; urgency=medium . * New upstream release. * Bump Standards-Version to 4.3.0. No changes needed. . nvidia-xconfig (390.25-1) unstable; urgency=medium . * New upstream release. . nvidia-xconfig (387.34-1) unstable; urgency=medium . * New upstream release. * Add debian/upstream/metadata. * Fix new Lintian issues. * Switch Vcs-* URLs to salsa.debian.org. . nvidia-xconfig (384.111-1~deb9u1) stretch; urgency=medium . * Rebuild for stretch. nvidia-xconfig (390.25-1) unstable; urgency=medium . * New upstream release. nvidia-xconfig (387.34-1) unstable; urgency=medium . * New upstream release. * Add debian/upstream/metadata. * Fix new Lintian issues. * Switch Vcs-* URLs to salsa.debian.org. nvidia-xconfig (384.111-1) unstable; urgency=medium . * New upstream release. * Bump Standards-Version to 4.1.3. No changes needed. openni2 (2.2.0.33+dfsg-7+deb9u1) stretch; urgency=medium . * Non-maintainer upload. * Fix armhf baseline violation and armel FTBFS caused by NEON usage. (Closes: #874220) openssh (1:7.4p1-10+deb9u5) stretch; urgency=high . * Non-maintainer upload by the Security Team. * CVE-2018-20685: disallow empty filenames or ones that refer to the current directory (Closes: #919101) * CVE-2019-6109: sanitize scp filenames via snmprintf (Closes: #793412) * CVE-2019-6111: check in scp client that filenames sent during remote->local directory copies satisfy the wildcards specified by the user openssl (1.1.0j-1~deb9u1) stretch-security; urgency=medium . * Import 1.1.0j - CVE-2018-0734 (Timing vulnerability in DSA signature generation) - CVE-2018-0735 (Timing vulnerability in ECDSA signature generation) - add new symbols . openssl (1.1.0i-1~deb9u1) stretch; urgency=medium . * Import 1.1.0i - Fix segfault ERR_clear_error (Closes: #903566) - Fix commandline option for CAengine (Closes: #907457) - CVE-2018-0732 (Client DoS due to large DH parameter) - CVE-2018-0737 (Cache timing vulnerability in RSA Key Generation) * Abort the build if symbols are discovered which are not part of the symbols file. * use signing-key.asc and a https links for downloads openssl (1.1.0h-4) unstable; urgency=medium . * Build the binary in indep mode again, so we can install the documentation again. * Drop @echo in flavour so it builds again on Alpha * Add a 25-test_verify.t for autopkgtest which runs against intalled openssl binary. openssl (1.1.0h-3) unstable; urgency=medium . * Drop afalgeng on kfreebsd-* which go enabled because they inherit from the linux target. * Fix regression with session cache use by clients (See: #895035). * openssl rehash: exit 0 on warnings, same as c_rehash (See: #895473 and #895482). * Fix debian-rules-sets-dpkg-architecture-variable. * Let VCS-* point to salsa.d.o. * Don't build the binary package in binary-indep mode. * Update to policy 4.1.4 - only Suggest: libssl-doc instead Recommends (only documentation and example code is shipped). - drop Priority: important. - use signing-key.asc and a https links for downloads * Use compat 11. - this moves the examples to /usr/share/doc/libssl-{doc->dev}/demos but it seems to make sense. * Fix CVE-2018-0737 (Closes: #895844). openssl (1.1.0h-2) unstable; urgency=high . * Revert "only quote stuff that actually needs quoting" so c_rehash has the quotes again (Closes: #894282). openssl (1.1.0h-1) unstable; urgency=medium . * Abort the build if symbols are discovered which are not part of the symbols file. * Add config support for MIPS R6, patch by YunQiang Su (Closes: #882007). * Enable afalgeng on Linux targets (Closes: #888305) * Add riscv64 target (Closes: #891797). * New upstream release 1.1.0h - Drop applied patches: aes-asm-aes-armv4-bsaes-armv7-.pl-make-it-work-with-binut.patch - Update symbols file. - Fix CVE-2017-3738 (rsaz_1024_mul_avx2 overflow bug on x86_64) - Fix CVE-2018-0733 (Incorrect CRYPTO_memcmp on HP-UX PA-RISC) - Fix CVE-2018-0739 (Constructed ASN.1 types with a recursive definition could exceed the stack) * Correct lhash typo in header file (Closes: #892276). openssl (1.1.0g-2) unstable; urgency=high . * Avoid problems with aes assembler on armhf using binutils 2.29 openssl (1.1.0g-1) unstable; urgency=medium . * New upstream version - Fixes CVE-2017-3735 - Fixes CVE-2017-3736 * Remove patches applied upstream * Temporary enable TLS 1.0 and 1.1 again (#875423) * Attempt to fix testsuite race condition * update no-symbolic.patch to apply openssl (1.1.0f-5) unstable; urgency=medium . * Instead of completly disabling TLS 1.0 and 1.1, just set the minimum version to TLS 1.2 by default. TLS 1.0 and 1.1 can be enabled again by calling SSL_CTX_set_min_proto_version() or SSL_set_min_proto_version(). openssl (1.1.0f-4) unstable; urgency=medium . [ Sebastian Andrzej Siewior ] * Add support for arm64ilp32, patch by Wookey (Closes: #867240) . [ Kurt Roeckx ] * Disable TLS 1.0 and 1.1, leaving 1.2 as the only supported SSL/TLS version. This will likely break things, but the hope is that by the release of Buster everything will speak at least TLS 1.2. This will be reconsidered before the Buster release. * Fix a race condition in the test suite (Closes: #869856) openssl1.0 (1.0.2q-1~deb9u1) stretch-security; urgency=medium . * use signing-key.asc and a https links for downloads * Import 1.0.2q stable release. - CVE-2018-0737 (Cache timing vulnerability in RSA Key Generation) - CVE-2018-0732 (Client DoS due to large DH parameter) - CVE-2018-0734 (Timing vulnerability in DSA signature generation) - CVE-2018-5407 (Microarchitecture timing vulnerability in ECC scalar multiplication) openssl1.0 (1.0.2o-1) unstable; urgency=medium . * Add riscv64 (Closes: #891799). * New upstream version 1.0.2o: - Fixes CVE-2018-0739 (Constructed ASN.1 types with a recursive definition could exceed the stack) openssl1.0 (1.0.2n-1) unstable; urgency=medium . * New upstream version 1.0.2n - drop patches which applied upstream: - 0001-Fix-no-ssl3-build.patch - 0001-aes-armv4-bsaes-armv7-sha256-armv4-.pl-make-it-work-.patch - Fixes CVE-2017-3737 (Read/write after SSL object in error state) - Fixes CVE-2017-3738 (rsaz_1024_mul_avx2 overflow bug on x86_64) * move to gbp * Abort the build if symbols are discovered which are not part of the symbols file. openssl1.0 (1.0.2m-3) unstable; urgency=medium . * Avoid problems with aes and sha256 assembler on armhf using binutils 2.29 openssl1.0 (1.0.2m-2) unstable; urgency=medium . * Fix no-ssl3-method build openssl1.0 (1.0.2m-1) unstable; urgency=high . [ Kurt Roeckx ] * New upstream version - Fixes CVE-2017-3735 - Fixes CVE-2017-3736 . [ Sebastian Andrzej Siewior] * Add support for arm64ilp32, Patch by Wookey (Closes: #874709). openvpn (2.4.0-6+deb9u3) stretch; urgency=medium . * Fix NCP behaviour on TLS reconnect, causing "AEAD Decrypt error: cipher final failed" errors (Closes: #909430, #910937) parsedatetime (2.1-3+deb9u1) stretch; urgency=medium . * Rebuild to add python3 version for certbot stable update. pdns (4.0.3-1+deb9u3) stretch; urgency=medium . * Fix (security) bugs, partially using upstream patches: * CVE-2018-1046 in dnsreplay (Closes: #898255) * CVE-2018-10851 (Closes: #913163) * MySQL queries with stored procedures (Closes: #889798) * ldap, lua, opendbx backend not finding domains (Closes: #911659) pdns-recursor (4.0.4-1+deb9u4) stretch; urgency=high . * Security upload for CVE-2018-10851 CVE-2018-14626 CVE-2018-14644. perl (5.24.1-3+deb9u5) stretch-security; urgency=high . * [SECURITY] CVE-2018-18311: Integer overflow leading to buffer overflow and segmentation fault * [SECURITY] CVE-2018-18312: Heap-buffer-overflow write in S_regatom (regcomp.c) * [SECURITY] CVE-2018-18313: Heap-buffer-overflow read in regcomp.c * [SECURITY] CVE-2018-18314: Heap-based buffer overflow in extended character classes photocollage (1.4.3-2.1~deb9u1) stretch; urgency=medium . * Non-maintainer upload. * Rebuild for stretch. . photocollage (1.4.3-2.1) unstable; urgency=medium . * Non-maintainer upload. * Add the missing dependency on gir1.2-gtk-3.0. (Closes: #914440) php-pear (1:1.10.1+submodules+notgz-9+deb9u1) stretch-security; urgency=high . * Non-maintainer upload by the Security Team. * Don't allow filenames to start with phar:// (CVE-2018-1000888) (Closes: #919147) php7.0 (7.0.33-0+deb9u1) stretch-security; urgency=high . * New upstream version 7.0.33 * Fixed security bugs: + [CVE-2018-19518]: imap_open() function command injection + [CVE-2018-14851]: heap-buffer-overflow (READ of size 48) while reading exif data + [CVE-2018-14883]: Int Overflow lead to Heap OverFlow in exif_thumbnail_extract of exif.c + [CVE-2018-17082]: XSS due to the header Transfer-Encoding: chunked php7.0 (7.0.32-1) unstable; urgency=medium . * New upstream version 7.0.32 * Rebase patches for PHP 7.0.32 php7.0 (7.0.31-1) unstable; urgency=medium . [ Ondřej Surý ] * New upstream version 7.0.31 * Fix the Vcs-Browser link php7.0 (7.0.30-2) unstable; urgency=medium . * Update Vcs-* links to salsa.d.o * Update maintainer address to team+pkg-php@tracker.d.o php7.0 (7.0.30-1) unstable; urgency=medium . * New upstream version 7.0.30 * Rebase patches for PHP 7.0.30 policykit-1 (0.105-18+deb9u1) stretch-security; urgency=medium . * CVE-2018-19788 (Closes: #915332) postfix (3.1.9-0+deb9u2) stretch; urgency=medium . * Update debian/watch to point to the 3.1 series used in stretch . postfix (3.1.9-0+deb9u1) stretch; urgency=medium . [Scott Kitterman] . * Unset inet_interfaces in postfix-instance-generator to avoid postconf failures when the generator runs during boot (Thanks to Stefan Anders for the patch). Closes: #896155 * Also fix use of postmulti in debian/configure-instance.sh since postfix-instance-generator uses it before the network is up. Closes: #882141 . [Wietse Venema] . * 3.1.9 - Cleanup: added 21 missing *_maps parameters to the default proxy_read_maps setting. Files: global/mail_params.h. . - Bugfix (introduced: 20120117): postconf should scan only built-in or service-defined parameters for ldap, *sql, etc. database names. Files: postconf/postconf_user.c. . - Bugfix (introduced: 19990302): when luser_relay specifies a non-existent local address, the luser_relay feature becomes a black hole. Reported by Jørgen Thomsen. File: local/unknown.c. . - Bugfix (introduced: Postfix 2.8): missing tls_server_start() error propagation in tlsproxy(8) resulting in segfault after TLS handshake error. Found during code maintenance. File: tlsproxy/tlsproxy.c. postfix (3.1.9-0+deb9u1) stretch; urgency=medium . [Scott Kitterman] . * Unset inet_interfaces in postfix-instance-generator to avoid postconf failures when the generator runs during boot (Thanks to Stefan Anders for the patch). Closes: #896155 * Also fix use of postmulti in debian/configure-instance.sh since postfix-instance-generator uses it before the network is up. Closes: #882141 . [Wietse Venema] . * 3.1.9 - Cleanup: added 21 missing *_maps parameters to the default proxy_read_maps setting. Files: global/mail_params.h. . - Bugfix (introduced: 20120117): postconf should scan only built-in or service-defined parameters for ldap, *sql, etc. database names. Files: postconf/postconf_user.c. . - Bugfix (introduced: 19990302): when luser_relay specifies a non-existent local address, the luser_relay feature becomes a black hole. Reported by Jørgen Thomsen. File: local/unknown.c. . - Bugfix (introduced: Postfix 2.8): missing tls_server_start() error propagation in tlsproxy(8) resulting in segfault after TLS handshake error. Found during code maintenance. File: tlsproxy/tlsproxy.c. postgresql-9.6 (9.6.11-0+deb9u1) stretch; urgency=medium . * New upstream version. postgrey (1.36-3+deb9u2) stretch; urgency=medium . * Non-maintainer upload. * Revert the 1.36-3+deb9u1 change due to regression. (see #880047) . postgrey (1.36-3+deb9u1) stretch; urgency=medium . * Non-maintainer upload. * debian/postgrey.init: create /var/run/postgrey if it does not exist, patch provided by Laurent Bigonville . (Closes: 756813, 880047) postgrey (1.36-3+deb9u1) stretch; urgency=medium . * Non-maintainer upload. * debian/postgrey.init: create /var/run/postgrey if it does not exist, patch provided by Laurent Bigonville . (Closes: 756813, 880047) pylint-django (0.7.2-1+deb9u1) stretch; urgency=medium . * Non-maintainer upload. * Fix the python3-pylint-django dependencies. (Closes: #867413) python-acme (0.28.0-1~deb9u1) stretch; urgency=medium . * This stretch update is to cure the problem caused by the deprecation and disabling of the upstream TLS-SNI-01 certificate verification protocol due to a security vulnerability. Note, the security vulnerability isn't in this package; rather, earlier versions of certbot are no longer functional due to changes in the interface that certbot uses to retrieve certificates. * Pull in unreleased version bump of josepy to fix deprecation warnings. * Pull in two patches to help fix josepy compatibility problems. * Pull in a Breaks to require upgrade in a single move. python-acme (0.28.0-1~bpo9+1) stretch-backports; urgency=medium . * Rebuild for stretch-backports. * Pull in unreleased version bump of josepy to fix deprecation warnings. python-acme (0.27.0-1) unstable; urgency=medium . * New upstream release. * Bump S-V; no changes needed. python-acme (0.26.0-1) unstable; urgency=medium . * New upstream version 0.26.0 * Bump S-V; add Rules-Require-Root: no python-acme (0.25.1-1) unstable; urgency=medium . * New upstream version 0.25.1 python-acme (0.25.1-1~bpo9+1) stretch-backports; urgency=high . * Rebuild for stretch-backports. . python-acme (0.25.1-1) unstable; urgency=medium . * New upstream version 0.25.1 . python-acme (0.25.0-1) unstable; urgency=medium . * New upstream version 0.25.0 * Add new dependency on requests-toolbelt * Drop unnecessary X-Python-Version fields * Add pytest as build-time dep only. . python-acme (0.24.0-2) unstable; urgency=medium . * Update team email address. (Closes: #895863) . python-acme (0.24.0-1) unstable; urgency=medium . * New upstream release. * Bump S-V; no changes needed. python-acme (0.25.0-1) unstable; urgency=medium . * New upstream version 0.25.0 * Add new dependency on requests-toolbelt * Drop unnecessary X-Python-Version fields * Add pytest as build-time dep only. python-acme (0.24.0-2) unstable; urgency=medium . * Update team email address. (Closes: #895863) python-acme (0.24.0-1) unstable; urgency=medium . * New upstream release. * Bump S-V; no changes needed. python-acme (0.22.2-1) unstable; urgency=medium . * New upstream release. python-acme (0.22.2-1~bpo9+1) stretch-backports; urgency=medium . * Rebuild for stretch-backports. python-acme (0.22.0-1) unstable; urgency=medium . * New upstream release -- now with wildcards! python-acme (0.21.1-1) unstable; urgency=high . * New upstream release. * Cleanup from josepy separation. python-acme (0.21.1-1~bpo9+1) stretch-backports; urgency=medium . * Rebuild for stretch-backports. python-acme (0.20.0-1) unstable; urgency=low . * New upstream release. * Add new dependencies introduced upstream. * Bump S-V, debhelper versions. * Move doc-base ref to package instead of package-doc. python-acme (0.19.0-1) unstable; urgency=medium . * New upstream release. python-acme (0.19.0-1~bpo9+1) stretch-backports; urgency=medium . * Rebuild for stretch-backports. . python-acme (0.19.0-1) unstable; urgency=medium . * New upstream release. . python-acme (0.18.2-1) unstable; urgency=medium . * New upstream release. * Bump S-V; no changes needed. * Switch to python3-sphinx for docs. . python-acme (0.17.0-1) unstable; urgency=medium . * New upstream release. * Reduce dependency on python-requests, following upstream. * Increase priority to optional to comply with Policy v4.0.1.0 * Declare Testsuite using simple autopkgtest. * Bump S-V to 4.0.1. . python-acme (0.14.2-1) experimental; urgency=medium . * Team upload. * New upstream release. . python-acme (0.12.0-1) experimental; urgency=medium . * New upstream release. . python-acme (0.11.1-1) unstable; urgency=medium . * New upstream release. * Drop dep on python3?-dnspython removed upstream python-acme (0.18.2-1) unstable; urgency=medium . * New upstream release. * Bump S-V; no changes needed. * Switch to python3-sphinx for docs. python-acme (0.17.0-1) unstable; urgency=medium . * New upstream release. * Reduce dependency on python-requests, following upstream. * Increase priority to optional to comply with Policy v4.0.1.0 * Declare Testsuite using simple autopkgtest. * Bump S-V to 4.0.1. python-acme (0.14.2-1) experimental; urgency=medium . * Team upload. * New upstream release. python-acme (0.12.0-1) experimental; urgency=medium . * New upstream release. python-acme (0.11.1-1) unstable; urgency=medium . * New upstream release. * Drop dep on python3?-dnspython removed upstream python-arpy (1.1.1-3~deb9u1) stretch; urgency=medium . * Non-maintainer upload. * Rebuild for stretch. . python-arpy (1.1.1-3) unstable; urgency=low . * Team upload. . [ Christoph Egger ] * Add VCS-* headers . [ Ondřej Nový ] * Fixed homepage (https) * Fixed VCS URL (https) . [ Scott Kitterman ] * Correct substitution variable for python3 interpreter depends (Closes: #867418) * Remove unneeded python:Provides * Update homepage for move to github * Add debian/watch python-certbot (0.28.0-1~deb9u1) stretch; urgency=medium . * This stretch update is to cure the problem caused by the deprecation and disabling of the upstream TLS-SNI-01 certificate verification protocol due to a security vulnerability. Note, the security vulnerability isn't in this package; rather, earlier versions of certbot are no longer functional due to changes in the interface that certbot uses to retrieve certificates. (Closes: #887399) python-certbot (0.28.0-1~bpo9+1) stretch-backports; urgency=medium . * Rebuild for stretch-backports. python-certbot (0.27.0-1) unstable; urgency=medium . * New upstream version 0.27.0 * Refresh patch after upstream migration to codecov * Bump python-sphinx requirement defensively; bump S-V with no changes * Bump dep on python-acme to 0.26.0~ python-certbot (0.26.1-1) unstable; urgency=medium . * New upstream release. python-certbot (0.26.0-1) unstable; urgency=medium . * New upstream version 0.26.0 * Bump S-V; add R-R-R: no python-certbot (0.25.0-1) unstable; urgency=medium . * New upstream version 0.25.0 * Bump python-acme dep version. python-certbot (0.25.0-1~bpo9+1) stretch-backports; urgency=medium . * Rebuild for stretch-backports. python-certbot (0.24.0-2) unstable; urgency=medium . * Update team email address. (Closes: #899858) python-certbot (0.24.0-1) unstable; urgency=medium . * Add OR to dep on python-distutils for stretch-bpo * New upstream version 0.24.0 * Bump version dep on python3-acme python-certbot (0.23.0-1) unstable; urgency=medium . * New upstream release. * Add testdata back in to prevent test failure in RDeps. (Closes: #894025) * Bump S-V; no changes needed. python-certbot (0.23.0-1~bpo9+1) stretch-backports; urgency=medium . * Rebuild for stretch-backports. python-certbot (0.22.2-2) unstable; urgency=medium . * Change the way we remove testdata for better downstream support * Add dep on python3-distutils (Closes: #893775) python-certbot (0.22.2-1) unstable; urgency=medium . * New upstream release. python-certbot (0.22.0-1) unstable; urgency=medium . * New upstream release -- now with wildcards! * Break the strict dependency relationship between certbot packages. python-certbot (0.21.1-1) unstable; urgency=high . * New upstream release. * Move d/copyright format to HTTPS python-certbot (0.21.1-1~bpo9+1) stretch-backports; urgency=medium . * Rebuild for stretch-backports. . python-certbot (0.21.1-1) unstable; urgency=high . * New upstream release. * Move d/copyright format to HTTPS . python-certbot (0.20.0-3) unstable; urgency=medium . * Setup logrotation for certbot log files. (Closes: #873581, #881176) . python-certbot (0.20.0-2) unstable; urgency=low . * Add additional Breaks on py2 variants of libs. . python-certbot (0.20.0-1) unstable; urgency=low . * New upstream release. * Switch to python3! * Update to debhelper 11, bump S-V. . python-certbot (0.19.0-1) unstable; urgency=medium . * New upstream release. (Closes: #838548) python-certbot (0.20.0-3) unstable; urgency=medium . * Setup logrotation for certbot log files. (Closes: #873581, #881176) python-certbot (0.20.0-2) unstable; urgency=low . * Add additional Breaks on py2 variants of libs. python-certbot (0.20.0-1) unstable; urgency=low . * New upstream release. * Switch to python3! * Update to debhelper 11, bump S-V. python-certbot (0.19.0-1) unstable; urgency=medium . * New upstream release. (Closes: #838548) python-certbot (0.19.0-1~bpo9+1) stretch-backports; urgency=medium . * Rebuild for stretch-backports. . python-certbot (0.19.0-1) unstable; urgency=medium . * New upstream release. (Closes: #838548) . python-certbot (0.18.2-1) unstable; urgency=medium . * New upstream release. * Bump S-V; no changes needed. * Switch from python-sphinx to python3-sphinx . python-certbot (0.17.0-2) unstable; urgency=high . * Revert d/rules for systemd cleanup. (Closes: #872090) . python-certbot (0.17.0-1) unstable; urgency=medium . [ Mattia Rizzolo ] * d/control: rename git repository to python-certbot too . [ Harlan Lieberman-Berg ] * New upstream version 0.17.0 * Bump S-V to 4.0.1, changing Priority to optional. * Bump B-D on python-cryptography * Add very basic autopkgtest. * Refresh patches. * Fix merge failure. * Tweak d/rules for systemd cleanup, raise compat to 10. . python-certbot (0.14.2-1) experimental; urgency=medium . * Team upload. * New upstream release. . python-certbot (0.12.0-1) experimental; urgency=medium . * New upstream release. * Add python-ipdb as build dependency. * Drop unnecessary dependency on dh-systemd (Closes: #856239) . python-certbot (0.11.1-1) unstable; urgency=medium . * New upstream release. * Add .pc to gitignore * Drop python-psutil dep no longer needed python-certbot (0.18.2-1) unstable; urgency=medium . * New upstream release. * Bump S-V; no changes needed. * Switch from python-sphinx to python3-sphinx python-certbot (0.17.0-2) unstable; urgency=high . * Revert d/rules for systemd cleanup. (Closes: #872090) python-certbot (0.17.0-1) unstable; urgency=medium . [ Mattia Rizzolo ] * d/control: rename git repository to python-certbot too . [ Harlan Lieberman-Berg ] * New upstream version 0.17.0 * Bump S-V to 4.0.1, changing Priority to optional. * Bump B-D on python-cryptography * Add very basic autopkgtest. * Refresh patches. * Fix merge failure. * Tweak d/rules for systemd cleanup, raise compat to 10. python-certbot (0.14.2-1) experimental; urgency=medium . * Team upload. * New upstream release. python-certbot (0.12.0-1) experimental; urgency=medium . * New upstream release. * Add python-ipdb as build dependency. python-certbot (0.11.1-1) unstable; urgency=medium . * New upstream release. * Add .pc to gitignore * Drop python-psutil dep no longer needed python-certbot-apache (0.28.0-1~deb9u1) stretch; urgency=medium . * This stretch update is to cure the problem caused by the deprecation and disabling of the upstream TLS-SNI-01 certificate verification protocol due to a security vulnerability. Note, the security vulnerability isn't in this package; rather, earlier versions of certbot are no longer functional due to changes in the interface that certbot uses to retrieve certificates. python-certbot-apache (0.28.0-1~bpo9+1) stretch-backports; urgency=medium . * Rebuild for stretch-backports. python-certbot-apache (0.27.1-1) unstable; urgency=medium . * New upstream release. python-certbot-apache (0.27.0-1) unstable; urgency=medium . * New upstream version 0.27.0 * Bump S-V; no changes needed * Add lintian-override for cross-python version dep. python-certbot-apache (0.26.0-1) unstable; urgency=medium . * New upstream version 0.26.0 * Bump deps on certbot, add acme dep explicitly * Bump S-V with R-R-R: no python-certbot-apache (0.25.0-2) unstable; urgency=medium . * Fix incorrect version dependency. python-certbot-apache (0.25.0-2~bpo9+1) stretch-backports; urgency=medium . * Rebuild for stretch-backports. python-certbot-apache (0.25.0-1) unstable; urgency=medium . * New upstream version 0.25.0 * Bump dep on certbot python-certbot-apache (0.24.0-2) unstable; urgency=medium . * Update team email address to tracker.d.o. (Closes: #899667) python-certbot-apache (0.24.0-1) unstable; urgency=medium . * New upstream version 0.24.0 * Bump S-V; no changes needed. python-certbot-apache (0.23.0-1) unstable; urgency=medium . * New upstream release. python-certbot-apache (0.23.0-1~bpo9+1) stretch-backports; urgency=medium . * Rebuild for stretch-backports. python-certbot-apache (0.22.0-1) unstable; urgency=medium . * New upstream release -- now with wildcards! * Break strict dependency requirements. * Drop patches applied upstream. python-certbot-apache (0.21.1-1) unstable; urgency=high . * New upstream release. * Update Vcs-Git URL to be HTTPS. * Switch d/copyright URL to HTTPS. python-certbot-apache (0.21.1-1~bpo9+1) stretch-backports; urgency=medium . * Rebuild for stretch-backports. . python-certbot-apache (0.21.1-1) unstable; urgency=high . * New upstream release. * Update Vcs-Git URL to be HTTPS. * Switch d/copyright URL to HTTPS. . python-certbot-apache (0.20.0-3) unstable; urgency=medium . * Add version restriction on the Breaks of the dummy. . python-certbot-apache (0.20.0-2) unstable; urgency=low . * Add transitional dummy package. . python-certbot-apache (0.20.0-1) unstable; urgency=low . * New upstream release. * Convert to python3! * Upgrade to debhelper 11. . python-certbot-apache (0.19.0-1) unstable; urgency=medium . * New upstream release. python-certbot-apache (0.20.0-3) unstable; urgency=medium . * Add version restriction on the Breaks of the dummy. python-certbot-apache (0.20.0-2) unstable; urgency=low . * Add transitional dummy package. python-certbot-apache (0.20.0-1) unstable; urgency=low . * New upstream release. * Convert to python3! * Upgrade to debhelper 11. python-certbot-apache (0.19.0-1) unstable; urgency=medium . * New upstream release. python-certbot-apache (0.19.0-1~bpo9+1) stretch-backports; urgency=medium . * Rebuild for stretch-backports. . python-certbot-apache (0.19.0-1) unstable; urgency=medium . * New upstream release. . python-certbot-apache (0.18.2-1) unstable; urgency=medium . * New upstream release. * Move to python3-sphinx. * Bump S-V; no changes needed. * Drop unnecessary Testsuite header. . python-certbot-apache (0.17.0-1) unstable; urgency=medium . * New upstream release. * Move experimental to unstable now that the freeze is over. * Upgrade to v4.0.1 of Debian policy . python-certbot-apache (0.14.2-1) experimental; urgency=medium . * Team upload. * New upstream release. * Add dep8 smoke test. . python-certbot-apache (0.12.0-1) experimental; urgency=medium . * New usptream release. . python-certbot-apache (0.11.1-1) unstable; urgency=medium . * New upstream release. python-certbot-apache (0.18.2-1) unstable; urgency=medium . * New upstream release. * Move to python3-sphinx. * Bump S-V; no changes needed. * Drop unnecessary Testsuite header. python-certbot-apache (0.17.0-1) unstable; urgency=medium . * New upstream release. * Move experimental to unstable now that the freeze is over. * Upgrade to v4.0.1 of Debian policy python-certbot-apache (0.14.2-1) experimental; urgency=medium . * Team upload. * New upstream release. * Add dep8 smoke test. python-certbot-apache (0.12.0-1) experimental; urgency=medium . * New usptream release. python-certbot-apache (0.11.1-1) unstable; urgency=medium . * New upstream release. python-certbot-nginx (0.28.0-1~deb9u1) stretch; urgency=medium . * This stretch update is to cure the problem caused by the deprecation and disabling of the upstream TLS-SNI-01 certificate verification protocol due to a security vulnerability. Note, the security vulnerability isn't in this package; rather, earlier versions of certbot are no longer functional due to changes in the interface that certbot uses to retrieve certificates. python-certbot-nginx (0.28.0-1~bpo9+1) stretch-backports; urgency=medium . * Rebuild for stretch-backports. python-certbot-nginx (0.26.0-1) unstable; urgency=medium . * New upstream version 0.26.0 * Bump dependencies to match setup.py * Bump S-V; add R-R-R: no python-certbot-nginx (0.25.0-2) unstable; urgency=medium . * Bump version requirement for acme and release -2 python-certbot-nginx (0.25.0-2~bpo9+1) stretch-backports; urgency=medium . * Rebuild for stretch-backports. python-certbot-nginx (0.25.0-1) unstable; urgency=medium . * New upstream version 0.25.0 python-certbot-nginx (0.23.0-2) unstable; urgency=medium . * Switch maintainer email to tracker.d.o (Closes: #899674) python-certbot-nginx (0.23.0-1) unstable; urgency=medium . * New upstream release. * Bump S-V; no chnages needed. python-certbot-nginx (0.23.0-1~bpo9+1) stretch-backports; urgency=medium . * Rebuild for stretch-backports. python-certbot-nginx (0.22.0-1) unstable; urgency=medium . * New upstream release -- now with wildcards! * Break strict dependency requirement. python-certbot-nginx (0.21.1-1) unstable; urgency=high . * New upstream release. * Change Vcs-Git to use HTTPS. * Change d/copyright to use HTTPS python-certbot-nginx (0.21.1-1~bpo9+1) stretch-backports; urgency=medium . * Rebuild for stretch-backports. . python-certbot-nginx (0.21.1-1) unstable; urgency=high . * New upstream release. * Change Vcs-Git to use HTTPS. * Change d/copyright to use HTTPS . python-certbot-nginx (0.20.0-3) unstable; urgency=medium . * Add version restriction to Breaks/Replaces for dummy. (Closes: #886954) . python-certbot-nginx (0.20.0-2) unstable; urgency=low . * Add transitional dummy package. . python-certbot-nginx (0.20.0-1) unstable; urgency=low . * New upstream release. * Switch to python3! * Update to debhelper 11, bump S-V. . python-certbot-nginx (0.19.0-1) unstable; urgency=medium . * New upstream release. python-certbot-nginx (0.20.0-3) unstable; urgency=medium . * Add version restriction to Breaks/Replaces for dummy. (Closes: #886954) python-certbot-nginx (0.20.0-2) unstable; urgency=low . * Add transitional dummy package. python-certbot-nginx (0.20.0-1) unstable; urgency=low . * New upstream release. * Switch to python3! * Update to debhelper 11, bump S-V. python-certbot-nginx (0.19.0-1) unstable; urgency=medium . * New upstream release. python-certbot-nginx (0.19.0-1~bpo9+1) stretch-backports; urgency=medium . * Rebuild for stretch-backports. . python-certbot-nginx (0.19.0-1) unstable; urgency=medium . * New upstream release. . python-certbot-nginx (0.18.2-1) unstable; urgency=medium . * New upstream release. * Move to python3-sphinx; bump S-V without changes. * Drop unnecessary Testsuite. . python-certbot-nginx (0.17.0-1) unstable; urgency=medium . * New upstream release. * Move to unstable from experimental, now that the freeze is over. * Update to latest Debian policy. . python-certbot-nginx (0.14.2-1) experimental; urgency=medium . * Team upload. * New upstream release. * Add dep8 smoke test. . python-certbot-nginx (0.12.0-1) experimental; urgency=medium . * New upstream release. . python-certbot-nginx (0.11.1-1) unstable; urgency=medium . * New upstream release. python-certbot-nginx (0.18.2-1) unstable; urgency=medium . * New upstream release. * Move to python3-sphinx; bump S-V without changes. * Drop unnecessary Testsuite. python-certbot-nginx (0.17.0-1) unstable; urgency=medium . * New upstream release. * Move to unstable from experimental, now that the freeze is over. * Update to latest Debian policy. python-certbot-nginx (0.14.2-1) experimental; urgency=medium . * Team upload. * New upstream release. * Add dep8 smoke test. python-certbot-nginx (0.12.0-1) experimental; urgency=medium . * New upstream release. python-certbot-nginx (0.11.1-1) unstable; urgency=medium . * New upstream release. python-django (1:1.10.7-2+deb9u4) stretch-security; urgency=high . * CVE-2019-3498: Prevent a content-spoofing vulnerability in the default 404 page. (Closes: #918230) python-hypothesis (3.6.1-1+deb9u1) stretch; urgency=medium . [ Andreas Beckmann ] * Non-maintainer upload. * Backport fix from 3.12.0-1 to stretch. . [ Tristan Seligmann ] * Fix permuted python3-hypothesis and python-hypothesis-doc Depends stanzas (closes: #867435). python-josepy (1.1.0-2~deb9u1) stretch; urgency=medium . * Backport to stable as a dependency for python-acme. python-josepy (1.1.0-2~bpo9+1) stretch-backports; urgency=medium . * Rebuild for stretch-backports. python-josepy (1.1.0-1) unstable; urgency=medium . * New upstream release. python-josepy (1.0.1-1) unstable; urgency=medium . * Initial release. (Closes: #888624) * To prevent breaking downstream libs that may be using python-acme, we also have to build the Python 2 version. python-josepy (1.0.1-1~bpo9+1) stretch-backports; urgency=medium . * Rebuild for stretch-backports. pyzo (4.3.1-1+deb9u1) stretch; urgency=medium . [ Andreas Beckmann] * Non-maintainer upload. * Backport dependency fix from 4.4.3-1.2. . [ Adrian Bunk ] * Add the missing dependency on python3-pkg-resources, thanks to Julien Cervelle. (Closes: #917085) qemu (1:2.8+dfsg-6+deb9u5) stretch-security; urgency=medium . * Backport SSBD support (Closes: #908682) * CVE-2018-10839 (Closes: #910431) * CVE-2018-17962 (Closes: #911468) * CVE-2018-17963 (Closes: #911469) r-cran-readxl (0.1.1-1+deb9u2) stretch; urgency=high . * src/libxls/ole.h: Updated from readxl upstream (Closes: #920804) * libxls/xlstool.h: Idem * ole.c: Idem * xls.c: Idem * xlstool.c: Idem . * This addresses CVE-2018-20450 CVE-2018-20452 with corresponding upstream patch in libxls and readxl roundcube (1.2.3+dfsg.1-4+deb9u3) stretch-security; urgency=high . * Backport fix for CVE-2018-19206: XSS vulnerability via crafted use of